Courseiva

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Implement Azure security

Practice AZ-204 Implement Azure security questions with full explanations on every answer.

178 questions



All AZ-204 Implement Azure security questions (178)


1

You have multiple Azure virtual machines that need to access the same Azure Key Vault to retrieve certificates. You want to minimize administrative overhead while ensuring each VM can authenticate without managing credentials. Which identity type should you use?

2

A developer accidentally deleted a secret from Azure Key Vault. Soft-delete is enabled with a retention period of 90 days. After 60 days, you attempt to recover the secret. What should you do?

3

A company stores sensitive data in an Azure Storage account. They need to restrict access based on the client's IP address and require that clients use a valid SAS token. Which mechanism should they use?

4

You are developing an application that stores user secrets. You need to ensure that the secrets are encrypted at rest and rotated automatically. Which Azure service should you integrate?

5

You have an Azure Function app that needs to retrieve a secret from Azure Key Vault at runtime. You want to avoid storing any credentials in code or configuration. Which mechanism should you use?

6

A developer deleted a secret from Azure Key Vault with soft-delete and purge protection enabled (retention 90 days). After 50 days, the secret is needed again. What is the correct recovery method?

7

A developer needs to grant an Azure Function read access to secrets in Azure Key Vault without storing any credentials in the function code or configuration. Which approach should they use?

8

A company has an Azure Storage account that stores sensitive data. They need to ensure that all access to the storage account is secured using Microsoft Entra ID authentication and that no storage account keys are used. Which configuration should be applied to enforce this?

9

A company stores secrets (e.g., connection strings) in Azure Key Vault and needs them automatically rotated every 90 days. Which solution should they implement?

10

Your company uses Azure Key Vault to store secrets. You need to ensure that if a secret is deleted, it can be recovered within 30 days. Which Key Vault feature should you enable?

11

Your company stores sensitive documents in an Azure Storage account. You need to ensure that only authorized Microsoft Entra ID users can read the documents, and that shared keys (account access keys) cannot be used. Which two steps must you take? (Choose the most appropriate single answer that describes the combined action.)

12

You deploy a web application in Azure App Service. You need to authenticate users via Microsoft Entra ID with minimal custom code. Which App Service feature should you configure?

13

Your company stores API keys and connection strings in Azure Key Vault. You need to grant an Azure Function read access to these secrets using the principle of least privilege. Which identity type should you assign to the Function App?

14

You are developing an Azure Function that reads secrets from Azure Key Vault. The function must not use any static credentials in configuration files. You need to authenticate to Key Vault using the function's own identity. Which Azure service feature should you enable?

15

Your company stores customer payment data in an Azure SQL Database. You need to ensure that only the application's managed identity can access the database, and no SQL logins or passwords are used. Which authentication method should you configure?

16

Your company uses Azure Key Vault to manage encryption keys for data at rest in Azure Storage. You need to ensure that the storage account uses a customer-managed key (CMK) stored in Key Vault. Additionally, you need to periodically rotate the key automatically. Which configuration should you implement?

17

Your company uses Azure App Service to host a web application. You need to allow only authenticated users from your Microsoft Entra ID tenant to access the app, without writing any authentication code. Which feature should you configure?

18

Your company stores secrets in Azure Key Vault. You need to ensure that when a secret is disabled, it does not become accessible to applications that already have a cached copy. Which additional step must you take?

19

You are developing a web API that must authenticate requests using Microsoft Entra ID and OAuth 2.0 bearer tokens. You want to validate the token in your API code. Which library should you use?

20

You are developing a web API hosted on Azure App Service. The API must authenticate requests using Microsoft Entra ID OAuth 2.0 bearer tokens. You want to validate the token in your ASP.NET Core API code with minimal custom validation logic. Which library should you use?

21

Your company uses Azure Key Vault to store secrets. You need to ensure that only a specific Microsoft Entra ID application can read a particular secret, while other applications are denied access. You want to apply the principle of least privilege. Which access control method should you configure?

22

You need to restrict access to an Azure Storage account so that only a specific subnet of a virtual network can access the data. Additionally, you need to allow management access from the Azure portal (e.g., to view containers). Which configuration should you apply?

23

You are developing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The application needs to authorize access to resources based on custom roles (e.g., 'Admin', 'Editor') that are not present in Microsoft Entra ID. The role mappings are dynamic and stored in an application database. How should you implement authorization?

24

You are developing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The API needs to call a downstream API (also secured by Microsoft Entra ID) on behalf of the signed-in user (On-Behalf-Of flow). You have already configured the web API to authenticate users with Microsoft.Identity.Web. How should you implement the token acquisition for the downstream API?

25

You are developing an ASP.NET Core web API that is hosted on Azure App Service. The API needs to read secrets from Azure Key Vault at startup. You want to avoid storing any credentials in the application code or configuration. Which approach should you use?

26

You are designing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The application needs to authorize access to resources based on custom roles (e.g., 'Admin', 'Editor') that are not defined in Microsoft Entra ID app roles or groups. The role mappings are dynamic and stored in an application database. How should you implement authorization in the API?

27

You are developing an ASP.NET Core web app that uses Azure SQL Database. The SQL connection string contains a password that must be rotated every 30 days. The app runs on Azure App Service. You want to store the connection string securely and enable automatic rotation without redeploying the app. Which approach should you use?

28

You are using Azure API Management (APIM) to expose a REST API. The backend API requires mutual TLS (client certificate) for authentication. The client certificate is stored in Azure Key Vault. You need to configure APIM to use this certificate when calling the backend, without exposing the certificate contents in the policy files. Which APIM feature and policy should you use?

29

You are developing an ASP.NET Core web API hosted on Azure App Service. The API needs to read secrets from Azure Key Vault at startup. You have enabled a system-assigned managed identity for the App Service. Which code should you use to create the Key Vault SecretClient?

30

You have an Azure App Service web app that uses a system-assigned managed identity. The app needs to read a secret stored in Azure Key Vault. You need to grant the app the minimum required permissions to access the secret. Which RBAC role should you assign to the managed identity at the Key Vault scope?

31

You deploy an Azure App Service web app that uses a system-assigned managed identity. The app needs to read a secret stored in Azure Key Vault to connect to a third-party service. You want to grant the minimum required permissions to the managed identity. Which Azure RBAC role should you assign to the managed identity at the Key Vault scope?

32

You are developing an ASP.NET Core web API that uses Microsoft Entra ID for authentication via Microsoft.Identity.Web. The application needs to authorize actions based on custom roles such as "Editor" and "Reviewer". These roles are not defined in Microsoft Entra ID app roles or directory roles; instead, they are stored in an application database and can be assigned dynamically by administrators. You need to implement authorization with minimal impact on performance and without modifying the application's authentication flow. Which approach should you use?

33

Your company has an application running on Azure Virtual Machines that needs to access secrets in Azure Key Vault. You want to restrict network access to the Key Vault so that only the virtual network/subnet containing the VMs can reach it. You also want to ensure that the solution works with the least management overhead. Which configuration should you use?

34

Your company has several Azure subscriptions, and you need to create a custom role that allows security engineers to start and stop Azure virtual machines but not delete them or modify their network interfaces. The role must be scoped to a specific resource group. How should you define this custom role?

35

You have an Azure App Service web app that uses a system-assigned managed identity. The web app needs to authenticate to an Azure SQL Database to read and write data. You want to use the managed identity to avoid storing credentials in connection strings. Which steps are required to configure this access?

36

You are building a web application that uses Microsoft Entra ID for authentication. The application needs to call Microsoft Graph API to read user profiles and send emails on behalf of the signed-in user. You want to ensure that the user's consent is obtained only once and that the application can refresh tokens silently. Which OAuth 2.0 flow should you implement?

37

You have an Azure App Service that uses a system-assigned managed identity. You need to grant it permission to read a secret from Azure Key Vault. Which RBAC role should you assign at the Key Vault scope?

38

You need to create a custom RBAC role that allows a security group to start and stop Azure virtual machines in a specific resource group, but not delete them or modify their network interfaces. Which set of actions should you include in the role definition?

39

You have an Azure App Service web app with a system-assigned managed identity. You need to grant it permission to read secrets from an Azure Key Vault. Which RBAC role should you assign to the managed identity at the Key Vault scope?

40

You are developing an API that uses managed identity to access Azure Key Vault. The API runs in an Azure App Service with system-assigned managed identity enabled. You need to retrieve a secret value. Which API endpoint should your code call?

41

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to read the user's profile and send emails on their behalf. You want to minimize user consent prompts. Which OAuth 2.0 grant type should you use?

42

A developer is implementing Key Vault certificate retrieval. The application runs on Azure App Service and must avoid stored credentials. Which design should be used?

43

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used?

44

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request?

45

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required?

46

A developer is implementing least-privilege storage access. The application runs on Azure App Service and must avoid stored credentials. Which design should be used?

47

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The design must avoid adding custom operational scripts.

48

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The design must avoid adding custom operational scripts.

49

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The design must avoid adding custom operational scripts.

50

A developer is implementing Key Vault certificate retrieval. The application runs on Azure App Service and must avoid stored credentials. Which design should be used? The design must avoid adding custom operational scripts.

51

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The architecture review board prefers a managed AWS-native control.

52

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The architecture review board prefers a managed AWS-native control.

53

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The architecture review board prefers a managed AWS-native control.

54

A developer is implementing least-privilege storage access. The application runs on Azure App Service and must avoid stored credentials. Which design should be used? The design must avoid adding custom operational scripts.

55

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The team wants the control to be enforceable during normal operations.

56

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The team wants the control to be enforceable during normal operations.

57

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The team wants the control to be enforceable during normal operations.

58

The team is writing an Azure Function that needs to retrieve secrets from Azure Key Vault at runtime. The security policy prohibits storing client secrets, connection strings, or certificates in application settings or source code. What is the recommended approach?

59

Multiple teams need different levels of access to the same Azure Key Vault: the DevOps team needs to create and rotate secrets, the application team needs read-only secret access, and the auditing team needs list-only access. The security team wants audit logs of all access decisions and the ability to manage permissions through a single system. What access model should the developer recommend?

60

A background data pipeline runs on a schedule and must read user profile data from Microsoft Graph. No user is present during execution. The service authenticates to Microsoft Entra ID and calls the Graph API. Which permission type and OAuth 2.0 flow are correct for this scenario?

61

External partners are given Shared Access Signatures to upload product images to a specific Blob Storage container named 'images'. A partner reports accidentally uploading files to the 'contracts' container, which should not be accessible. What is the most likely configuration mistake?

62

Twenty Azure Functions across different teams all need read access to the same Azure Cosmos DB account. The security team wants to revoke or modify this access for all twenty functions at once without visiting each Function App individually. What managed identity design satisfies this requirement?

63

Arrange the steps to create and use a shared access signature (SAS) for an Azure Storage blob in the correct order.

64

Arrange the steps to implement Azure Key Vault for storing and retrieving secrets in an application in the correct order.

65

Match each Azure authentication mechanism to its description.

66

Match each Azure compute service to its execution model.

67

You are developing a web app that uses Azure AD B2C for customer identity. The app must allow users to sign in with their social media accounts like Facebook and Google. Which Azure AD B2C policy type should you configure?

68

You are implementing a microservices solution on Azure Kubernetes Service (AKS). You need to securely store and retrieve connection strings to a database without hardcoding them in the application code. The solution should automatically rotate secrets every 90 days. What should you use?

69

Your company uses Azure DevOps for CI/CD. The security team requires that all pull request (PR) merges to the main branch be signed with a valid code signing certificate to ensure code integrity. Which Azure DevOps feature should you enforce?

70

You are developing an API that processes sensitive personal data. The API is exposed via Azure API Management (APIM). You need to ensure that only authorized applications can call the API, and you want to validate the token at the APIM gateway without modifying the backend code. What is the most efficient approach?

71

You have an Azure Storage account that hosts blobs for a public website. You need to grant a partner application read-only access to a specific container for 24 hours without using a storage account key. What should you create?

72

Your company uses Microsoft Sentinel for security information and event management (SIEM). You need to detect and automatically respond to a potential credential theft attack where an anomalous number of failed logins are followed by a successful login from a different geographic location. Which Microsoft Sentinel feature should you use?

73

You are developing an Azure Function that processes messages from an Azure Service Bus queue. The function must use a managed identity to authenticate to the Service Bus to avoid managing secrets. Which configuration step is essential for this setup?

74

You need to restrict access to an Azure web app so that only traffic from a specific virtual network (VNet) can reach it. The web app is already deployed. What should you configure on the web app?

75

Your organization uses Azure Policy to enforce compliance. You need to ensure that all Azure SQL databases have Advanced Data Security (ADS) enabled. What type of Azure Policy effect should you use to automatically enable ADS if it is not already enabled?

76

Your company is deploying a multi-tier application on Azure. The application consists of a web front end, an API layer, and a database. You need to ensure secure communication between tiers. Which TWO actions should you take? (Choose two.)

77

You need to design a solution to securely store and access secrets (e.g., API keys, connection strings) for a set of Azure Functions. The solution must minimize administrative overhead and avoid storing secrets in code or configuration files. Which THREE should you include? (Choose three.)

78

Your company wants to implement a zero-trust security model for its Azure resources. Which THREE practices should you adopt? (Choose three.)

79

Refer to the exhibit. You have an Azure Policy definition as shown. Your team creates a storage account with network rules set to 'Deny' by default, and then adds an IP rule to allow traffic from a specific IP range. What compliance state will this storage account be reported as?

80

Refer to the exhibit. You are creating a custom Azure RBAC role. You assign this role to a user for the Production resource group. The user needs to read the contents of a blob in a container. Which permission is necessary for the user to list the container's blobs?

81

Refer to the exhibit. You are using Azure CLI to list blobs in a container. The command fails with an authorization error. The storage account has firewall rules enabled, and you are running the CLI from a machine that is not on the allowed network list. What is the most likely cause of the failure?

82

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to call a downstream API on behalf of the signed-in user. Which OAuth 2.0 flow should you implement?

83

Your Azure App Service app must access Azure Key Vault secrets without storing credentials in code. Which service should you use to manage identities?

84

You need to restrict access to an Azure Storage blob container so that only users from your Microsoft Entra tenant can read blobs, and deny all other access including anonymous traffic. What should you configure?

85

You are deploying a sensitive application on Azure Kubernetes Service (AKS). You need to ensure that secrets, such as database connection strings, are encrypted at rest and in transit, and that the cluster has no static credentials. Which feature should you enable?

86

Your company uses Azure API Management to expose APIs to external partners. You need to validate that each incoming request includes a valid JSON Web Token (JWT) issued by your Microsoft Entra ID tenant, and reject requests without valid tokens. What should you configure?

87

You are developing a serverless function using Azure Functions that needs to write logs to a Log Analytics workspace. The function uses a managed identity. Which RBAC role should you assign to the function's managed identity?

88

Your organization has a custom application that stores customer data in Azure Cosmos DB. You need to encrypt the data at rest using a customer-managed key stored in Azure Key Vault. Which type of Cosmos DB encryption should you configure?

89

You are designing a solution for a multi-tenant SaaS application where each tenant's data is stored in separate Azure SQL databases. You need to ensure that no tenant can access another tenant's database, even if the application is compromised. What should you implement?

90

Your Azure Logic App needs to send emails using Microsoft Graph API on behalf of the signed-in user. The user is authenticated with Microsoft Entra ID. Which authentication method should you use in the Logic App?

91

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster that runs a critical workload? (Choose two.)

92

Which THREE components are required to implement Azure AD B2C custom policies for sign-up and sign-in? (Choose three.)

93

Which TWO services can be used to manage secrets and certificates for applications running on Azure? (Choose two.)

94

Refer to the exhibit. You are reviewing an Azure Policy definition. When applied to a subscription, what is the effect of this policy?

95

Refer to the exhibit. An administrator runs this Azure CLI command. What is the result?

96

Refer to the exhibit. You created a custom RBAC role definition. A user assigned this role at the subscription scope. What can the user do?

97

Your web app running on Azure App Service requires access to a storage account using managed identity. You enable the system-assigned managed identity on the App Service and assign the 'Storage Blob Data Contributor' role at the storage account scope. However, the app receives 403 errors when trying to read blobs. What is the most likely cause?

98

You are designing a solution for a healthcare application that stores patient data in Azure Cosmos DB. The data must be encrypted at rest using a customer-managed key stored in Azure Key Vault. You need to ensure that the key can be rotated without downtime. Which approach should you recommend?

99

You are deploying a function app that processes sensitive data. You need to ensure that all function app secrets (e.g., connection strings) are stored securely and automatically rotated. Which service should you use?

100

Your API is secured using Azure AD (now Microsoft Entra ID) tokens. You need to validate the token in your custom code. Which library should you use to validate the token's signature, issuer, and audience?

101

You have a multi-tenant application that uses Azure AD (Microsoft Entra ID) for authentication. You want to allow only specific tenants to access your app. What is the recommended approach?

102

Your application uses Azure Key Vault to store secrets. You need to ensure that the application can access secrets without storing any credentials in the application code or configuration files. What should you use?

103

You are developing a serverless API using Azure Functions. The API should only be accessible from a specific virtual network. You need to configure network security. What should you do?

104

Your application uses Azure Key Vault to store cryptographic keys used for signing. You need to ensure that the keys can be used by multiple applications, but only one application should be able to delete the key. What should you do?

105

Your application uses Azure App Service and needs to authenticate users via Microsoft Entra ID. You want to minimize code changes. Which feature should you use?

106

Which TWO of the following are valid ways to authenticate an Azure function to an Azure SQL database using managed identity?

107

Which THREE permissions should be granted to an application's managed identity to allow it to read secrets from Azure Key Vault and use them to access Azure Storage?

108

Which TWO of the following are benefits of using Azure Key Vault to store application secrets?

109

Refer to the exhibit. You are deploying an ARM template that assigns the 'Storage Blob Data Contributor' role to the managed identity of an App Service named 'myapp' at the storage account 'mystorageacct' scope. The deployment fails with an error that 'principalId' is null. What is the most likely cause?

110

Refer to the exhibit. You run the Azure CLI command to store a secret in Key Vault. Later, you run 'az keyvault secret show --vault-name myvault --name MySecret'. What will be displayed?

111

Refer to the exhibit. You deploy this ARM template to an App Service named 'myapp'. After deployment, users report they are able to access the app without being prompted to log in. What is the most likely reason?

112

A company stores sensitive data in Azure Blob Storage. They require that all access to the storage account be authenticated via Microsoft Entra ID and that users must have the 'Storage Blob Data Reader' role assigned. A developer reports being unable to read blobs using the Azure portal despite having the role assigned. What is the most likely cause?

113

You are configuring an Azure App Service web app to authenticate users with Microsoft Entra ID. You need to ensure that only users from your organization's tenant can access the app. Which setting should you configure?

114

A company uses Azure API Management (APIM) to expose APIs to external partners. They want to validate JSON Web Tokens (JWTs) from partners' Microsoft Entra ID tenants before requests reach the backend. The solution must support multiple partner tenants and minimize latency. What should you implement?

115

You are developing a serverless application using Azure Functions that processes sensitive data. The function needs to access Azure Key Vault to retrieve a secret. You want to use managed identity for authentication. What should you do first?

116

A company uses Azure SQL Database and needs to encrypt sensitive columns (e.g., credit card numbers) at rest and in transit, with the ability to allow specific applications to decrypt. They want to manage encryption keys centrally in Azure Key Vault and avoid managing certificates. Which technology should they use?

117

You are deploying an Azure Kubernetes Service (AKS) cluster. You need to ensure that pods can access Azure resources (e.g., Azure Storage) using a managed identity without storing credentials. What should you configure?

118

Your organization uses Azure Key Vault to store secrets. Developers need to retrieve secrets during application runtime. You want to minimize latency and avoid network overhead. Which approach should you recommend?

119

You are designing a solution that uses Azure Event Hubs to ingest telemetry data. The data must be encrypted at rest and in transit. Additionally, you need to ensure that only authorized applications can publish messages to the event hub. Which combination of features should you use?

120

A company uses Azure Logic Apps to orchestrate workflows that process sensitive data. They need to ensure that workflow runs are logged and auditable, and that the logs are tamper-proof. Which Azure service should they use?

121

Which TWO actions should you take to secure an Azure Function app that is triggered by an HTTP request? (Choose two.)

122

Which THREE measures can you use to protect data at rest in Azure Cosmos DB? (Choose three.)

123

Which TWO methods can you use to authenticate an Azure App Service web app to Azure SQL Database without storing credentials in code? (Choose two.)

124

Refer to the exhibit. You have a custom RBAC role definition. A user assigned this role reports they can read, write, and delete blobs, but cannot list the containers in the storage account. What is the most likely reason?

125

Refer to the exhibit. You run the Azure CLI command to retrieve a secret from Azure Key Vault. The output shows the secret metadata but not the secret value. The command returns without error. What is the most likely cause?

126

Refer to the exhibit. You deploy an Azure Storage account using the ARM template snippet. A developer reports that they cannot connect to the storage account from their machine with IP 10.0.0.5, even though they have the proper RBAC role. What is the most likely reason?

127

A company stores secrets in Azure Key Vault. Developers need to retrieve secrets from a web app without storing connection strings in code. Which authentication method should the web app use?

128

You are developing a microservices application. Each microservice must authenticate to Azure SQL Database using its own identity. You need to minimize credential management overhead. What should you use?

129

Your application uses Azure Key Vault to store cryptographic keys. You need to ensure that keys are automatically rotated every 90 days without any manual intervention. Which Key Vault feature should you configure?

130

You are building an API that needs to validate JWT tokens issued by Microsoft Entra ID. The API is registered as an application in Entra ID. Which endpoint should the API use to obtain the signing keys?

131

You have an Azure Storage account with a blob container. You need to grant a user read-only access to a specific blob for 24 hours without requiring them to authenticate with Microsoft Entra ID. What should you use?

132

Your application runs on Azure Kubernetes Service (AKS). It needs to access Azure Key Vault secrets. You want to avoid using a service principal. Which solution should you implement?

133

You need to secure a web API that is called from a single-page application (SPA). The API uses Microsoft Entra ID for authentication. Which OAuth 2.0 flow should the SPA use?

134

Your company uses Microsoft Defender for Cloud. You need to receive alerts when a user modifies a Key Vault access policy. What should you configure?

135

Your application uses Azure Functions and needs to authenticate to a downstream API using OAuth 2.0. The function app uses a system-assigned managed identity. Which token endpoint should the function app call to get a token for the downstream API?

136

You need to secure access to an Azure Storage account that contains sensitive data. Which TWO of the following are recommended best practices?

137

Your application uses Azure App Service and needs to authenticate users via Microsoft Entra ID. Which THREE components must be configured in the App Service authentication settings?

138

You are designing a solution to store application secrets. You need to ensure that secrets are encrypted at rest and access is audited. Which TWO Azure services should you use?

139

Refer to the exhibit. You are configuring a Key Vault key using an ARM template. What does this configuration achieve?

140

Refer to the exhibit. You create a custom RBAC role with the shown permissions. You assign this role to a user at the resource group scope. What can the user do?

141

Refer to the exhibit. You run the Azure CLI command shown. What is the result?

142

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to access the Microsoft Graph API to read user profiles. Which type of permission should you request in the app registration to ensure the app can read profiles without user interaction?

143

You are configuring a managed identity for an Azure App Service to access Azure Key Vault. The identity has been assigned, but the app receives a 403 Forbidden when trying to retrieve a secret. What is the most likely cause?

144

You need to secure access to an Azure Storage account that hosts sensitive data. The requirement is to restrict access to only requests originating from a specific virtual network. Which feature should you configure?

145

Your application uses Azure App Configuration with Microsoft Entra ID authentication. You want to ensure that only authorized services can read configuration values. What is the recommended approach?

146

You are deploying a containerized application to Azure Kubernetes Service (AKS). The application needs to access Azure SQL Database securely. Which approach should you use to avoid storing credentials in the container image?

147

You need to ensure that an Azure Functions app can access a blob in Azure Storage using its system-assigned managed identity. What should you do first?

148

You are designing a solution where an Azure Logic App needs to send emails via Microsoft Graph. The Logic App should authenticate without user interaction. What authentication method should you use?

149

You are developing a .NET Core API that uses Azure AD for authentication. You want to restrict access to specific claims. Which middleware component should you use to check claims?

150

You need to ensure that secrets stored in Azure Key Vault are automatically rotated every 90 days. Which feature should you configure?

151

A company uses Azure App Service to host a web application. They need to ensure that only authenticated users from their Microsoft Entra ID tenant can access the app. They also want to prevent unauthenticated requests from reaching the app code. Which configuration should they implement?

152

You are developing a serverless function app that processes credit card payments. The function app must securely store the payment gateway API key. Which Azure service should you use to store the key?

153

A company has an Azure Kubernetes Service (AKS) cluster. They want to ensure that pods can securely access Azure SQL Database without using connection strings or secrets. The solution must use the principle of least privilege. What should they implement?

154

You are developing an ASP.NET Core web app that will be deployed to Azure App Service. The app needs to authenticate users from a Microsoft Entra ID tenant. You want to minimize development effort and rely on platform features. What should you do?

155

A company uses Azure Blob Storage to store sensitive documents. They want to ensure that data is encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. They also need to be able to revoke access to the data immediately if a security breach is detected. Which feature should they enable?

156

You are developing an API that will be hosted on Azure API Management (APIM). The API must be accessible only to clients that present a valid JSON Web Token (JWT) issued by Microsoft Entra ID. Which APIM policy should you use to validate the JWT?

157

A company is building a microservices application on Azure Container Instances. Each microservice needs to authenticate to Azure Key Vault to retrieve secrets. They want to avoid storing any credentials in the container images or environment variables. What should they do?

158

You are deploying a web app to Azure App Service that must use a custom domain with TLS/SSL. You have purchased an SSL certificate from a third-party CA. How should you upload and bind the certificate to the custom domain?

159

Which TWO actions should you take to securely store and access secrets for a legacy application that cannot be modified? The application runs on an Azure Virtual Machine and needs to read a database connection string. The solution must use Azure Key Vault and adhere to the principle of least privilege.

160

Which THREE of the following are valid ways to authenticate an Azure Function to an Azure SQL Database using managed identities?

161

Which THREE of the following are true regarding Microsoft Entra ID authentication for Azure Storage?

162

Refer to the exhibit. You are deploying an Azure Key Vault using this ARM template. Your team plans to use RBAC to manage access. The vault must be accessible from Azure services (e.g., Azure VMs) without public IP addresses. After deployment, a developer reports that they cannot access secrets from a VM in the same region, even though the VM has a managed identity with the Key Vault Secrets User role. What is the most likely cause?

163

You are a developer for a fintech company. Your application consists of multiple Azure Functions that process sensitive financial transactions. The functions need to access an Azure SQL Database and an Azure Storage account. Security requirements are: (1) No secrets or connection strings should be stored in application settings or code. (2) Access must be restricted to the specific resources each function needs. (3) All access must be audited. (4) The solution must support local development debugging. You have already enabled system-assigned managed identity for each function app. Which course of action should you take to meet the requirements?

164

You are developing a web application that will be deployed to Azure App Service. The application allows users to upload files, which are stored in Azure Blob Storage. You need to ensure that only authenticated users can upload files and that each user can only see their own files. You plan to use shared access signatures (SAS) for secure access. The application uses Microsoft Entra ID for authentication. You want to generate SAS tokens on the server after the user authenticates. Which approach should you use?

165

You are deploying a multi-tier application: a frontend web app (Azure App Service) that calls a backend API (another Azure App Service). Both apps use Microsoft Entra ID for authentication. The frontend needs to authenticate to the backend on behalf of the signed-in user. You need to configure the OAuth 2.0 flow correctly. You have already registered both applications in Microsoft Entra ID. Which configuration should you apply?

166

A company deploys an Azure App Service web app that stores sensitive data in Azure Blob Storage. The security team requires that all access to the blob storage must be authenticated and authorized via Microsoft Entra ID, and that no anonymous access is permitted. The web app must also be able to access the storage using its managed identity. Which configuration should the company implement?

167

A healthcare organization uses Azure API Management (APIM) to expose FHIR APIs to external partners. The FHIR backend is an Azure API for FHIR that requires OAuth 2.0 tokens from Microsoft Entra ID. APIM must validate tokens before forwarding requests to the backend. The organization also needs to rate-limit requests per subscription key and log all requests to Azure Monitor for audit. Which combination of APIM policies should be implemented?

168

A company is designing a secure microservices architecture on Azure Kubernetes Service (AKS). The security requirements include: encrypting secrets at rest and in transit, rotating secrets automatically, and avoiding hard-coded credentials in application code. Which THREE solutions should the company use? (Choose three.)

169

A company uses Azure Functions to process sensitive customer data. The functions are triggered by Service Bus messages. The security requirements mandate that all function code must be encrypted in transit and at rest, and that access to the function must be authenticated using Microsoft Entra ID. Which TWO configurations should be implemented? (Choose two.)

170

You are a developer for a startup that is building a real-time chat application on Azure. The application uses Azure Web PubSub to broadcast messages to clients. The security team requires that only authenticated users can connect to the Web PubSub service. You plan to use Microsoft Entra ID for authentication. The application backend is an Azure Function that generates access tokens. What is the correct course of action to secure the Web PubSub service?

171

A retail company uses Azure Logic Apps to integrate with third-party APIs. One Logic App sends purchase orders to a supplier's HTTP endpoint. The supplier requires that the request include an OAuth 2.0 access token obtained from their authorization server. The company wants to manage the client credentials (client ID and client secret) securely and rotate them automatically. The Logic App must also log all requests for auditing. What should you do?

172

A financial services company uses Azure Container Instances (ACI) to run batch processing jobs. Each job processes sensitive financial data and must use a custom container image stored in Azure Container Registry (ACR). The security requirements are: the ACI container must authenticate to ACR using a managed identity, the container must run as a non-root user, and all secrets must be injected via environment variables from Azure Key Vault using the managed identity. The ACI instance must also be deployed into a virtual network (VNet) to restrict network access. What configuration should you use?

173

You are deploying a web app on Azure App Service that stores secrets in Azure Key Vault. The app uses managed identity to access Key Vault. During testing, you get a 403 Forbidden error when the app tries to read a secret. What is the most likely cause?

174

Your company uses Microsoft Entra ID for identity management. You need to ensure that users accessing a line-of-business application from unmanaged devices must complete a multi-factor authentication (MFA) challenge. What should you configure?

175

You are developing a serverless application using Azure Functions that processes sensitive data. The function is triggered by an Azure Storage queue. You need to ensure that data in transit between the function and the storage account is encrypted using a customer-managed key (CMK) and that the storage account's firewall only allows access from the function's virtual network. Which two actions should you take? (Choose two.)

176

You are designing a solution to store secrets for a microservices application running on Azure Kubernetes Service (AKS). The secrets must be automatically rotated and remain available if the Key Vault is temporarily unavailable. Which TWO options meet the requirements?

177

You are reviewing an ARM template that deploys a network security group (NSG) for a web application. The exhibit shows the security rules. The web application runs on port 443. You need to ensure that HTTPS traffic from the internet can reach the web servers. What is the issue with the current configuration?

178

You are a security engineer for a large enterprise that uses Microsoft Entra ID. The company deploys a custom web application in Azure that authenticates users via the OAuth 2.0 authorization code flow with PKCE. The application is registered in Microsoft Entra ID. Recently, security auditors discovered that a compromised client secret was used to obtain tokens without user consent. You must update the application registration to prevent this type of attack. The application should still work with the authorization code flow and PKCE. You need to ensure that only interactive user authentication can obtain tokens, and that client secrets cannot be used to request tokens directly. Which option meets these requirements?


Frequently asked questions

What does the Implement Azure security domain cover on the AZ-204 exam?

The Implement Azure security domain covers the key concepts tested in this area of the AZ-204 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all AZ-204 domains — no account required.

How many Implement Azure security questions are in the AZ-204 question bank?

The Courseiva AZ-204 question bank contains 178 questions in the Implement Azure security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Implement Azure security for AZ-204?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Implement Azure security questions for AZ-204?

Yes — the session launcher on this page draws questions exclusively from the Implement Azure security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
