Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


AZ-204 Implement Azure security • Complete Question Bank

AZ-204 Implement Azure security — All Questions With Answers

Complete AZ-204 Implement Azure security question bank: all 178 questions with answers and detailed explanations.

178 questions · Free · No signup
Question 1 (medium, multiple choice)

You have multiple Azure virtual machines that need to access the same Azure Key Vault to retrieve certificates. You want to minimize administrative overhead while ensuring each VM can authenticate without managing credentials. Which identity type should you use?

Question 2 (hard, multiple choice)

A developer accidentally deleted a secret from Azure Key Vault. Soft-delete is enabled with a retention period of 90 days. After 60 days, you attempt to recover the secret. What should you do?

Question 3 (medium, multiple choice)

A company stores sensitive data in an Azure Storage account. They need to restrict access based on the client's IP address and require that clients use a valid SAS token. Which mechanism should they use?

Question 4 (easy, multiple choice)

You are developing an application that stores user secrets. You need to ensure that the secrets are encrypted at rest and rotated automatically. Which Azure service should you integrate?

Question 5 (easy, multiple choice)

You have an Azure Function app that needs to retrieve a secret from Azure Key Vault at runtime. You want to avoid storing any credentials in code or configuration. Which mechanism should you use?

Question 6 (hard, multiple choice)

A developer deleted a secret from Azure Key Vault with soft-delete and purge protection enabled (retention 90 days). After 50 days, the secret is needed again. What is the correct recovery method?

Question 7 (medium, multiple choice)

A developer needs to grant an Azure Function read access to secrets in Azure Key Vault without storing any credentials in the function code or configuration. Which approach should they use?

Question 8 (hard, multiple choice)

A company has an Azure Storage account that stores sensitive data. They need to ensure that all access to the storage account is secured using Microsoft Entra ID authentication and that no storage account keys are used. Which configuration should be applied to enforce this?

Question 9 (medium, multiple choice)

A company stores secrets (e.g., connection strings) in Azure Key Vault and needs them automatically rotated every 90 days. Which solution should they implement?

Question 10 (easy, multiple choice)

Your company uses Azure Key Vault to store secrets. You need to ensure that if a secret is deleted, it can be recovered within 30 days. Which Key Vault feature should you enable?

Question 11 (hard, multi select)

Your company stores sensitive documents in an Azure Storage account. You need to ensure that only authorized Microsoft Entra ID users can read the documents, and that shared keys (account access keys) cannot be used. Which two steps must you take? (Choose two.)

Question 12 (medium, multiple choice)

You deploy a web application in Azure App Service. You need to authenticate users via Microsoft Entra ID (formerly Azure AD) with minimal custom code. Which App Service feature should you configure?

Question 13 (easy, multiple choice)

Your company stores API keys and connection strings in Azure Key Vault. You need to grant an Azure Function read access to these secrets using the principle of least privilege. Which identity type should you assign to the Function App?

Question 14 (medium, multiple choice)

You are developing an Azure Function that reads secrets from Azure Key Vault. The function must not use any static credentials in configuration files. You need to authenticate to Key Vault using the function's own identity. Which Azure service feature should you enable?

Question 15 (easy, multiple choice)

Your company stores customer payment data in an Azure SQL Database. You need to ensure that only the application's managed identity can access the database, and no SQL logins or passwords are used. Which authentication method should you configure?

Question 16 (medium, multiple choice)

Your company uses Azure Key Vault to manage encryption keys for data at rest in Azure Storage. You need to ensure that the storage account uses a customer-managed key (CMK) stored in Key Vault. Additionally, you need to periodically rotate the key automatically. Which configuration should you implement?

Question 17 (medium, multiple choice)

Your company uses Azure App Service to host a web application. You need to allow only authenticated users from your Microsoft Entra ID tenant to access the app, without writing any authentication code. Which feature should you configure?

Question 18 (medium, multiple choice)

Your company stores secrets in Azure Key Vault. You need to ensure that when a secret is disabled, it does not become accessible to applications that already have a cached copy. Which additional step must you take?

Question 19 (hard, multiple choice)

You are developing a web API that must authenticate requests using Microsoft Entra ID (formerly Azure AD) and OAuth 2.0 bearer tokens. You want to validate the token in your API code. Which library should you use?

Question 20 (hard, multiple choice)

You are developing a web API hosted on Azure App Service. The API must authenticate requests using Microsoft Entra ID OAuth 2.0 bearer tokens. You want to validate the token in your ASP.NET Core API code with minimal custom validation logic. Which library should you use?

Question 21 (medium, multiple choice)

Your company uses Azure Key Vault to store secrets. You need to ensure that only a specific Microsoft Entra ID application can read a particular secret, while other applications are denied access. You want to apply the principle of least privilege. Which access control method should you configure?

Question 22 (medium, multiple choice)

You need to restrict access to an Azure Storage account so that only a specific subnet of a virtual network can access the data. Additionally, you need to allow management access from the Azure portal (e.g., to view containers). Which configuration should you apply?

Question 23 (hard, multiple choice)

You are developing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The application needs to authorize access to resources based on custom roles (e.g., 'Admin', 'Editor') that are not present in Microsoft Entra ID. The role mappings are dynamic and stored in an application database. How should you implement authorization?

Question 24 (hard, multiple choice)

You are developing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The API needs to call a downstream API (also secured by Microsoft Entra ID) on behalf of the signed-in user (On-Behalf-Of flow). You have already configured the web API to authenticate users with Microsoft.Identity.Web. How should you implement the token acquisition for the downstream API?

Question 25 (medium, multiple choice)

You are developing an ASP.NET Core web API that is hosted on Azure App Service. The API needs to read secrets from Azure Key Vault at startup. You want to avoid storing any credentials in the application code or configuration. Which approach should you use?

Question 26 (hard, multiple choice)

You are designing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The application needs to authorize access to resources based on custom roles (e.g., 'Admin', 'Editor') that are not defined in Microsoft Entra ID app roles or groups. The role mappings are dynamic and stored in an application database. How should you implement authorization in the API?

Question 27 (medium, multiple choice)

You are developing an ASP.NET Core web app that uses Azure SQL Database. The SQL connection string contains a password that must be rotated every 30 days. The app runs on Azure App Service. You want to store the connection string securely and enable automatic rotation without redeploying the app. Which approach should you use?

Question 28 (hard, multiple choice)

You are using Azure API Management (APIM) to expose a REST API. The backend API requires mutual TLS (client certificate) for authentication. The client certificate is stored in Azure Key Vault. You need to configure APIM to use this certificate when calling the backend, without exposing the certificate contents in the policy files. Which APIM feature and policy should you use?

Question 29 (medium, multiple choice)

You are developing an ASP.NET Core web API hosted on Azure App Service. The API needs to read secrets from Azure Key Vault at startup. You have enabled a system-assigned managed identity for the App Service. Which code should you use to create the Key Vault SecretClient?

Question 30 (medium, multiple choice)

You have an Azure App Service web app that uses a system-assigned managed identity. The app needs to read a secret stored in Azure Key Vault. You need to grant the app the minimum required permissions to access the secret. Which RBAC role should you assign to the managed identity at the Key Vault scope?

Question 31 (medium, multiple choice)

You deploy an Azure App Service web app that uses a system-assigned managed identity. The app needs to read a secret stored in Azure Key Vault to connect to a third-party service. You want to grant the minimum required permissions to the managed identity. Which Azure RBAC role should you assign to the managed identity at the Key Vault scope?

Question 32 (hard, multiple choice)

You are developing an ASP.NET Core web API that uses Microsoft Entra ID for authentication via Microsoft.Identity.Web. The application needs to authorize actions based on custom roles such as "Editor" and "Reviewer". These roles are not defined in Microsoft Entra ID app roles or directory roles; instead, they are stored in an application database and can be assigned dynamically by administrators. You need to implement authorization with minimal impact on performance and without modifying the application's authentication flow. Which approach should you use?

Question 33 (medium, multiple choice)

Your company has an application running on Azure Virtual Machines that needs to access secrets in Azure Key Vault. You want to restrict network access to the Key Vault so that only the virtual network/subnet containing the VMs can reach it. You also want to ensure that the solution works with the least management overhead. Which configuration should you use?

Question 34 (hard, multiple choice)

Your company has several Azure subscriptions, and you need to create a custom role that allows security engineers to start and stop Azure virtual machines but not delete them or modify their network interfaces. The role must be scoped to a specific resource group. How should you define this custom role?

Question 35 (medium, multiple choice)

You have an Azure App Service web app that uses a system-assigned managed identity. The web app needs to authenticate to an Azure SQL Database to read and write data. You want to use the managed identity to avoid storing credentials in connection strings. Which steps are required to configure this access?

Question 36 (hard, multiple choice)

You are building a web application that uses Microsoft Entra ID for authentication. The application needs to call Microsoft Graph API to read user profiles and send emails on behalf of the signed-in user. You want to ensure that the user's consent is obtained only once and that the application can refresh tokens silently. Which OAuth 2.0 flow should you implement?

Question 37 (medium, multiple choice)

You have an Azure App Service that uses a system-assigned managed identity. You need to grant it permission to read a secret from Azure Key Vault. Which RBAC role should you assign at the Key Vault scope?

Question 38 (hard, multiple choice)

You need to create a custom RBAC role that allows a security group to start and stop Azure virtual machines in a specific resource group, but not delete them or modify their network interfaces. Which set of actions should you include in the role definition?

Question 39 (easy, multiple choice)

You have an Azure App Service web app with a system-assigned managed identity. You need to grant it permission to read secrets from an Azure Key Vault. Which RBAC role should you assign to the managed identity at the Key Vault scope?

Question 40 (medium, multiple choice)

You are developing an API that uses managed identity to access Azure Key Vault. The API runs in an Azure App Service with system-assigned managed identity enabled. You need to retrieve a secret value. Which API endpoint should your code call?

Question 41 (medium, multiple choice)

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to read the user's profile and send emails on their behalf. You want to minimize user consent prompts. Which OAuth 2.0 grant type should you use?

Question 42 (medium, multiple choice)

A developer is implementing Key Vault certificate retrieval. The application runs on Azure App Service and must avoid stored credentials. Which design should be used?

Question 43 (hard, multiple choice)

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used?

Question 44 (hard, multi select)

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request?

Question 45 (medium, multiple choice)

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required?

Question 46 (medium, multiple choice)

A developer is implementing least-privilege storage access. The application runs on Azure App Service and must avoid stored credentials. Which design should be used?

Question 47 (hard, multiple choice)

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The design must avoid adding custom operational scripts.

Question 48 (hard, multi select)

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The design must avoid adding custom operational scripts.

Question 49 (medium, multiple choice)

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The design must avoid adding custom operational scripts.

Question 50 (medium, multiple choice)

A developer is implementing Key Vault certificate retrieval. The application runs on Azure App Service and must avoid stored credentials. Which design should be used? The design must avoid adding custom operational scripts.

Question 51 (hard, multiple choice)

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The architecture review board prefers a managed, platform-native control.

Question 52 (hard, multi select)

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The architecture review board prefers a managed, platform-native control.

Question 53 (medium, multiple choice)

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The architecture review board prefers a managed, platform-native control.

Question 54 (medium, multiple choice)

A developer is implementing least-privilege storage access. The application runs on Azure App Service and must avoid stored credentials. Which design should be used? The design must avoid adding custom operational scripts.

Question 55 (hard, multiple choice)

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The team wants the control to be enforceable during normal operations.

Question 56 (hard, multi select)

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The team wants the control to be enforceable during normal operations.
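The token checks that Questions 44, 48, 52 and 56 ask about, worked through as an added example (not part of the question bank, and not Microsoft.Identity.Web). Entra ID signs access tokens with RS256 and publishes the verification keys at the tenant's JWKS endpoint; so that this runs offline, the demo mints a constructed token with HMAC-SHA256 under a constructed key instead. The steps after the signature check (audience, issuer, exp/nbf with clock skew) are the ones a real validator performs as well. The tenant ID, audience URI and key are constructed values, not real ones.

```python
"""Validate the claims an API must check on a Microsoft Entra ID access token.

Added example: HS256 with a constructed key stands in for Entra ID's RS256
keys so the demo runs offline. The claim checks are the real ones.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

TENANT_ID = "11111111-2222-3333-4444-555555555555"            # constructed
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
EXPECTED_AUDIENCE = "api://my-protected-api"                   # constructed app ID URI
DEMO_KEY = b"constructed-demo-signing-key"                      # stands in for the tenant's RSA key
CLOCK_SKEW_SECONDS = 300


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS (HS256) as test input; not how Entra ID signs tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(signature)}"


def validate_token(token: str, *, key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    Signature first, so no claim is trusted before its integrity is known;
    then the registered claims that bind the token to this API and this tenant.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, body_b64, signature_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # production: require RS256 and select the key by 'kid'
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature verification failed")

    claims = json.loads(b64url_decode(body_b64))

    # aud: the token was issued for this API, not for Graph or another resource.
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"audience mismatch: {aud!r}")

    # iss: the token came from our tenant's authority, not from another tenant.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")

    # exp / nbf: the validity window, with a small tolerance for clock drift.
    if claims.get("exp", 0) + CLOCK_SKEW_SECONDS < now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) - CLOCK_SKEW_SECONDS > now:
        raise ValueError("token not yet valid")
    return claims


def is_token_accepted(token: str, now: Optional[float] = None) -> bool:
    """Accept/reject wrapper for middleware that only needs a boolean."""
    try:
        validate_token(token, now=now)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    issued = int(time.time())
    token = mint_demo_token({"aud": EXPECTED_AUDIENCE, "iss": EXPECTED_ISSUER,
                             "nbf": issued, "exp": issued + 3600, "scp": "Api.Read"})
    print("valid token accepted:", is_token_accepted(token))
    print("Graph-audience token rejected:", not is_token_accepted(
        mint_demo_token({"aud": "https://graph.microsoft.com", "iss": EXPECTED_ISSUER,
                         "nbf": issued, "exp": issued + 3600})))
```

The order is deliberate: a token whose payload has been altered fails the signature check before any claim is read, and a header that advertises a different algorithm (including "none") is rejected before the signature is even compared, which closes the classic algorithm-confusion bypass.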

Question 57 (medium, multiple choice)

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The team wants the control to be enforceable during normal operations.

Question 58 (easy, multiple choice)

The team is writing an Azure Function that needs to retrieve secrets from Azure Key Vault at runtime. The security policy prohibits storing client secrets, connection strings, or certificates in application settings or source code. What is the recommended approach?

Question 59 (medium, multiple choice)

Multiple teams need different levels of access to the same Azure Key Vault: the DevOps team needs to create and rotate secrets, the application team needs read-only secret access, and the auditing team needs list-only access. The security team wants audit logs of all access decisions and the ability to manage permissions through a single system. What access model should the developer recommend?

Question 60 (hard, multiple choice)

A background data pipeline runs on a schedule and must read user profile data from Microsoft Graph. No user is present during execution. The service authenticates to Microsoft Entra ID and calls the Graph API. Which permission type and OAuth 2.0 flow are correct for this scenario?

Question 61 (medium, multiple choice)

External partners are given Shared Access Signatures to upload product images to a specific Blob Storage container named 'images'. A partner reports accidentally uploading files to the 'contracts' container, which should not be accessible. What is the most likely configuration mistake?

Question 62 (medium, multiple choice)

Twenty Azure Functions across different teams all need read access to the same Azure Cosmos DB account. The security team wants to revoke or modify this access for all twenty functions at once without visiting each Function App individually. What managed identity design satisfies this requirement?

Question 63 (medium, drag order)

Arrange the steps to create and use a shared access signature (SAS) for an Azure Storage blob in the correct order.

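A review check for the SAS scenarios in Questions 61, 63 and 71, as an added example (not part of the question bank, and it neither computes nor verifies the signature). It parses the documented SAS query parameters (sv, ss, srt, sr, sp, st, se, sip, spr, si, sig) from a URL or bare query string and reports what a reviewer would flag: an account SAS where one container was the target, a service SAS bound to a different container than intended, permissions beyond read and list, a lifetime over a limit, no client IP range, and plain HTTP permitted (the default when spr is omitted). The sample tokens, account name and IP range are constructed and the sig values are placeholders.

```python
"""Parse a shared access signature (SAS) and flag the grants a reviewer would question.

Added example: parses SAS parameters and audits scope, permissions, lifetime,
IP restriction and protocol. Sample tokens below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

PERMISSIONS = {"r": "read", "a": "add", "c": "create", "w": "write", "d": "delete",
               "l": "list", "x": "delete version", "t": "tag", "m": "move", "e": "execute",
               "i": "set immutability policy", "y": "permanent delete", "f": "filter by tags"}
READ_ONLY = {"r", "l", "e", "f"}
REVIEW_TIME = datetime(2026, 3, 1, 12, tzinfo=timezone.utc)   # fixed 'now' for the demo


def parse_sas(token: str) -> Dict[str, str]:
    """Accept a full resource URL or a bare query string; return its SAS parameters."""
    query = urlparse(token).query if "://" in token else token.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def container_of(token: str) -> Optional[str]:
    """First path segment of a blob URL is the container; None for a bare query string."""
    if "://" not in token:
        return None
    segments = [s for s in urlparse(token).path.split("/") if s]
    return segments[0] if segments else None


def parse_sas_time(value: str) -> datetime:
    """SAS times are ISO 8601 UTC; Storage also accepts minute and date-only precision."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp {value!r}")


def audit_sas(token: str, now: Optional[datetime] = None,
              max_lifetime: timedelta = timedelta(hours=24),
              expected_container: Optional[str] = None) -> List[str]:
    """Return review findings for one SAS; an empty list means nothing to flag."""
    now = now or datetime.now(timezone.utc)
    params = parse_sas(token)
    findings: List[str] = []

    # A SAS tied to a stored access policy (si) may take sp/se from that policy.
    required = ["sv", "sig"] + ([] if "si" in params else ["sp", "se"])
    missing = [name for name in required if name not in params]
    if missing:
        return [f"missing parameter '{name}'" for name in missing]

    if "ss" in params or "srt" in params:
        findings.append("account SAS (ss/srt): reaches every container in the listed "
                        "services; use a service or user delegation SAS with sr for one target")
    elif expected_container and container_of(token) not in (None, expected_container):
        findings.append(f"SAS is bound to container '{container_of(token)}', not '{expected_container}'")

    beyond_read = [PERMISSIONS.get(c, c) for c in params.get("sp", "") if c not in READ_ONLY]
    if beyond_read:
        findings.append("grants more than read/list: " + ", ".join(beyond_read))

    if "se" in params:
        start = parse_sas_time(params["st"]) if "st" in params else now
        lifetime = parse_sas_time(params["se"]) - start
        if lifetime > max_lifetime:
            findings.append(f"lifetime {lifetime} exceeds {max_lifetime}")

    if "sip" not in params:
        findings.append("no client IP range (sip): token usable from anywhere it leaks to")

    if "http" in params.get("spr", "https,http").split(","):
        findings.append("plain HTTP permitted (spr omitted or includes http)")
    return findings


# Constructed sample tokens (signatures are placeholders, not real HMACs).
PARTNER_READ_SAS = ("https://mystorageaccount.blob.core.windows.net/images"
                    "?sv=2022-11-02&sr=c&sp=rl&st=2026-03-01T00:00:00Z&se=2026-03-02T00:00:00Z"
                    "&sip=203.0.113.10-203.0.113.20&spr=https&sig=PLACEHOLDER")
OVERBROAD_ACCOUNT_SAS = ("?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2027-01-01T00:00:00Z"
                         "&spr=https,http&sig=PLACEHOLDER")

if __name__ == "__main__":
    for sas in (PARTNER_READ_SAS, OVERBROAD_ACCOUNT_SAS):
        print(audit_sas(sas, now=REVIEW_TIME, expected_container="images") or ["ok"])
```

The first sample is the Question 71 shape (one container, read and list only, 24 hours, pinned to a client range, HTTPS only) and produces no findings; the second shows why a partner given an account-level token can write into a container they were never meant to see: ss/srt scope the grant to whole services, so no container in the path is being enforced.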
Question 64 (medium, drag order)

Arrange the steps to implement Azure Key Vault for storing and retrieving secrets in an application in the correct order.

Question 65 (medium, matching)

Match each Azure authentication mechanism to its description.

Matches

Automated identity for Azure resources without secrets

Identity for applications to access Azure resources

Delegated access token with limited permissions

Identity service for customer-facing applications

Question 66 (medium, matching)

Match each Azure compute service to its execution model.

Matches

IaaS with full OS control

PaaS for web and API apps

Serverless event-driven compute

Managed job scheduling for parallel workloads

Question 67 (easy, multiple choice)

You are developing a web app that uses Azure AD B2C for customer identity. The app must allow users to sign in with their social media accounts like Facebook and Google. Which Azure AD B2C policy type should you configure?

Question 68 (medium, multiple choice)

You are implementing a microservices solution on Azure Kubernetes Service (AKS). You need to securely store and retrieve connection strings to a database without hardcoding them in the application code. The solution should automatically rotate secrets every 90 days. What should you use?

Question 69 (hard, multiple choice)

Your company uses Azure DevOps for CI/CD. The security team requires that all pull request (PR) merges to the main branch be signed with a valid code signing certificate to ensure code integrity. Which Azure DevOps feature should you enforce?

Question 70 (medium, multiple choice)

You are developing an API that processes sensitive personal data. The API is exposed via Azure API Management (APIM). You need to ensure that only authorized applications can call the API, and you want to validate the token at the APIM gateway without modifying the backend code. What is the most efficient approach?

Question 71 (easy, multiple choice)

You have an Azure Storage account that hosts blobs for a public website. You need to grant a partner application read-only access to a specific container for 24 hours without using a storage account key. What should you create?

Question 72 (hard, multiple choice)

Your company uses Microsoft Sentinel for security information and event management (SIEM). You need to detect and automatically respond to a potential credential theft attack where an anomalous number of failed logins are followed by a successful login from a different geographic location. Which Microsoft Sentinel feature should you use?

Question 73 (medium, multiple choice)

You are developing an Azure Function that processes messages from an Azure Service Bus queue. The function must use a managed identity to authenticate to the Service Bus to avoid managing secrets. Which configuration step is essential for this setup?

Question 74 (easy, multiple choice)

You need to restrict access to an Azure web app so that only traffic from a specific virtual network (VNet) can reach it. The web app is already deployed. What should you configure on the web app?

Question 75 (medium, multiple choice)

Your organization uses Azure Policy to enforce compliance. You need to ensure that all Azure SQL databases have Advanced Data Security (ADS, now Microsoft Defender for SQL) enabled. What type of Azure Policy effect should you use to automatically enable ADS if it is not already enabled?

Question 76 (hard, multi select)

Your company is deploying a multi-tier application on Azure. The application consists of a web front end, an API layer, and a database. You need to ensure secure communication between tiers. Which TWO actions should you take? (Choose two.)

Question 77 (medium, multi select)

You need to design a solution to securely store and access secrets (e.g., API keys, connection strings) for a set of Azure Functions. The solution must minimize administrative overhead and avoid storing secrets in code or configuration files. Which THREE should you include? (Choose three.)

Question 78 (easy, multi select)

Your company wants to implement a zero-trust security model for its Azure resources. Which THREE practices should you adopt? (Choose three.)

Question 79 (medium, multiple choice)

Refer to the exhibit. You have an Azure Policy definition as shown. Your team creates a storage account with network rules set to 'Deny' by default, and then adds an IP rule to allow traffic from a specific IP range. What compliance state will this storage account be reported as?

Exhibit

{
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "equals": "Allow"
          }
        ]
      },
      "then": {
        "effect": "Audit"
      }
    }
  }
}
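The compliance logic behind the Question 79 exhibit (and the effect questions around it, Questions 75 and 94), worked through as an added example: this is not the Azure Policy engine and not the question bank's answer key. It implements the rule grammar the exhibit uses plus the common siblings (allOf, anyOf, not; field with equals, notEquals, in, notIn, exists), comparing strings case-insensitively as Azure Policy does. The alias Microsoft.Storage/storageAccounts/networkAcls.defaultAction is resolved by walking the resource's properties along the dotted path after the type prefix, which is correct for this alias but is not a general alias resolver. Audit and Deny both leave a matching resource Non-compliant (Deny additionally rejects the create or update request); DeployIfNotExists and Modify are not modelled. The three sample resources and their names are constructed.

```python
"""Evaluate an Azure Policy rule against a resource and report its compliance state.

Added example: a small evaluator for the 'if'/'then' grammar used by the Q79
exhibit. Sample resources are constructed ARM-shaped JSON.
"""
import json
from typing import Any, Dict

# The policy definition from the Q79 exhibit, reproduced for evaluation.
POLICY_DEFINITION = json.loads("""
{
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "equals": "Allow" }
        ]
      },
      "then": { "effect": "Audit" }
    }
  }
}
""")

# Constructed resources: the Q79 scenario (Deny by default plus an IP rule),
# an open account, and a resource of another type as a control.
LOCKED_DOWN_STORAGE = {
    "type": "Microsoft.Storage/storageAccounts", "name": "stprod001", "location": "eastus",
    "properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices",
                                   "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
                                   "virtualNetworkRules": []}},
}
OPEN_STORAGE = {
    "type": "Microsoft.Storage/storageAccounts", "name": "stdev001", "location": "westus",
    "properties": {"networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                                   "ipRules": [], "virtualNetworkRules": []}},
}
KEY_VAULT = {"type": "Microsoft.KeyVault/vaults", "name": "kv-prod", "location": "northeurope",
             "properties": {"enableSoftDelete": True}}


def values_equal(left: Any, right: Any) -> bool:
    """Azure Policy string comparisons are case-insensitive."""
    if isinstance(left, str) and isinstance(right, str):
        return left.lower() == right.lower()
    return left == right


def resolve_field(resource: Dict[str, Any], field: str) -> Any:
    """Top-level fields by name; '<type>/<dotted.path>' aliases via 'properties'."""
    if field.lower() in ("type", "name", "location", "kind"):
        return resource.get(field.lower())
    prefix = str(resource.get("type", "")).lower() + "/"
    if not field.lower().startswith(prefix):
        return None        # the alias belongs to a different resource type
    node: Any = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict):
            return None
        node = next((v for k, v in node.items() if k.lower() == part.lower()), None)
    return node


def matches(condition: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """True when the resource satisfies the condition (the policy's 'if' block)."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    if "field" in condition:
        value = resolve_field(resource, condition["field"])
        if "equals" in condition:
            return values_equal(value, condition["equals"])
        if "notEquals" in condition:
            return not values_equal(value, condition["notEquals"])
        if "in" in condition:
            return any(values_equal(value, v) for v in condition["in"])
        if "notIn" in condition:
            return not any(values_equal(value, v) for v in condition["notIn"])
        if "exists" in condition:
            return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {json.dumps(condition)}")


def compliance_state(policy_definition: Dict[str, Any], resource: Dict[str, Any]) -> str:
    """Compliance Azure Policy would record for this resource under this definition."""
    rule = policy_definition["properties"]["policyRule"]
    effect = str(rule["then"]["effect"]).lower()
    if effect == "disabled":
        return "Not evaluated"
    if effect not in ("audit", "deny"):
        raise ValueError(f"effect {effect!r} not modelled here")
    # The effect acts on resources that match 'if'; for Audit and Deny those
    # are reported Non-compliant. Anything that does not match is Compliant.
    return "Non-compliant" if matches(rule["if"], resource) else "Compliant"


if __name__ == "__main__":
    for resource in (LOCKED_DOWN_STORAGE, OPEN_STORAGE, KEY_VAULT):
        print(resource["name"], "->", compliance_state(POLICY_DEFINITION, resource))
```

Run against the exhibit, the Deny-by-default account with an IP allow rule does not satisfy the second allOf clause, so it is reported Compliant; only an account whose defaultAction is Allow is flagged, and the IP rules themselves never enter the evaluation because the rule does not reference them.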
Question 80 (hard, multiple choice)

Refer to the exhibit. You are creating a custom Azure RBAC role. You assign this role to a user for the Production resource group. The user needs to read the contents of a blob in a container. Which permission is necessary for the user to list the container's blobs?

Exhibit

{
  "roleName": "Custom Storage Blob Data Reader",
  "assignableScopes": ["/subscriptions/12345-.../resourceGroups/ProdRG"],
  "permissions": [
    {
      "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
      "notActions": [],
      "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
      "notDataActions": []
    }
  ]
}
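How a role definition is actually evaluated, for the custom-role scenarios in Questions 34 and 38 and the Question 80 exhibit, as an added example (not the question bank's answer key and not Azure's authorization engine). It applies the documented rule for one role definition: an operation is granted when it matches an entry in actions (control plane) or dataActions (data plane) and matches nothing in the corresponding notActions or notDataActions; * is the only wildcard and names compare case-insensitively, as in Azure. Deny assignments and the union across several role assignments are out of scope. The two VM roles are constructed for the start/stop scenario, their scopes are placeholders, and the Question 80 role is reproduced from the exhibit so the list-blobs check can be run.

```python
"""Check what an Azure RBAC role definition actually grants.

Added example: actions/notActions and dataActions/notDataActions matching with
'*' wildcards, plus an audit of a role against the operations it should and
should not grant. VM roles are constructed; scopes are placeholders.
"""
import re
from typing import Dict, Iterable, List

# Constructed least-privilege role: VM power operations only.
VM_OPERATOR_ROLE = {
    "roleName": "Virtual Machine Start Stop Operator",
    "assignableScopes": ["/subscriptions/<subscription-id>/resourceGroups/<resource-group>"],
    "permissions": [{
        "actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/powerOff/action",
            "Microsoft.Compute/virtualMachines/deallocate/action",
            "Microsoft.Compute/virtualMachines/restart/action",
        ],
        "notActions": [], "dataActions": [], "notDataActions": [],
    }],
}

# Same intent written with a wildcard and carve-outs. It also grants
# virtualMachines/extensions/write (which runs code on the VM) and any
# operation Microsoft adds under virtualMachines/* later, which is why the
# explicit list above is the least-privilege form.
WILDCARD_VM_ROLE = {
    "roleName": "VM Operator (wildcard)",
    "assignableScopes": ["/subscriptions/<subscription-id>/resourceGroups/<resource-group>"],
    "permissions": [{
        "actions": ["Microsoft.Compute/virtualMachines/*"],
        "notActions": ["Microsoft.Compute/virtualMachines/delete",
                       "Microsoft.Compute/virtualMachines/write"],
        "dataActions": [], "notDataActions": [],
    }],
}

# The Q80 exhibit role, reproduced so the list-blobs question can be checked.
CUSTOM_BLOB_READER_ROLE = {
    "roleName": "Custom Storage Blob Data Reader",
    "assignableScopes": ["/subscriptions/12345-.../resourceGroups/ProdRG"],
    "permissions": [{
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "notActions": [],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "notDataActions": [],
    }],
}


def operation_matches(operation: str, patterns: Iterable[str]) -> bool:
    """True if operation matches any pattern; '*' matches any run of characters."""
    op = operation.lower()
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
        if re.fullmatch(regex, op):
            return True
    return False


def is_permitted(role: Dict, operation: str, data_plane: bool = False) -> bool:
    """Decide one operation against one role definition (no deny assignments)."""
    allow_key, deny_key = (("dataActions", "notDataActions") if data_plane
                           else ("actions", "notActions"))
    for block in role["permissions"]:
        allowed = operation_matches(operation, block.get(allow_key, []))
        excluded = operation_matches(operation, block.get(deny_key, []))
        if allowed and not excluded:
            return True
    return False


def audit_role(role: Dict, must_allow: Iterable[str], must_deny: Iterable[str],
               data_plane: bool = False) -> List[str]:
    """Return the operations where the role deviates from the stated intent."""
    problems = []
    for op in must_allow:
        if not is_permitted(role, op, data_plane):
            problems.append(f"required operation not granted: {op}")
    for op in must_deny:
        if is_permitted(role, op, data_plane):
            problems.append(f"forbidden operation granted: {op}")
    return problems


REQUIRED_VM_OPS = ["Microsoft.Compute/virtualMachines/start/action",
                   "Microsoft.Compute/virtualMachines/powerOff/action",
                   "Microsoft.Compute/virtualMachines/deallocate/action"]
FORBIDDEN_VM_OPS = ["Microsoft.Compute/virtualMachines/delete",
                    "Microsoft.Compute/virtualMachines/extensions/write",
                    "Microsoft.Network/networkInterfaces/write"]

if __name__ == "__main__":
    for role in (VM_OPERATOR_ROLE, WILDCARD_VM_ROLE):
        print(role["roleName"], audit_role(role, REQUIRED_VM_OPS, FORBIDDEN_VM_OPS) or "ok")
    # Listing the blobs inside a container is a data-plane read on blobs;
    # the control-plane containers/read lists the containers themselves.
    print(is_permitted(CUSTOM_BLOB_READER_ROLE,
                       "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                       data_plane=True))
```

The audit makes the difference between the two VM roles concrete: both satisfy the start/stop requirement and both refuse delete and network interface changes, but only the wildcard form leaks extensions/write. For the exhibit, listing a container's blobs is granted by the dataAction on containers/blobs/read; the control-plane containers/read alone would let the user enumerate containers but not their contents.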
Question 81 (easy, multiple choice)

Refer to the exhibit. You are using Azure CLI to list blobs in a container. The command fails with an authorization error. The storage account has firewall rules enabled, and you are running the CLI from a machine that is not on the allowed network list. What is the most likely cause of the failure?

Exhibit

az storage blob list --account-name mystorageaccount --container-name mycontainer --query "[].name"
Question 82 (medium, multiple choice)

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to call a downstream API on behalf of the signed-in user. Which OAuth 2.0 flow should you implement?

Question 83 (easy, multiple choice)

Your Azure App Service app must access Azure Key Vault secrets without storing credentials in code. Which service should you use to manage identities?

Question 84 (hard, multiple choice)

You need to restrict access to an Azure Storage blob container so that only users from your Microsoft Entra tenant can read blobs, and deny all other access including anonymous traffic. What should you configure?

Question 85 (easy, multiple choice)

You are deploying a sensitive application on Azure Kubernetes Service (AKS). You need to ensure that secrets, such as database connection strings, are encrypted at rest and in transit, and that the cluster has no static credentials. Which feature should you enable?

Question 86 (hard, multiple choice)

Your company uses Azure API Management to expose APIs to external partners. You need to validate that each incoming request includes a valid JSON Web Token (JWT) issued by your Microsoft Entra ID tenant, and reject requests without valid tokens. What should you configure?

Question 87 (medium, multiple choice)

You are developing a serverless function using Azure Functions that needs to write logs to a Log Analytics workspace. The function uses a managed identity. Which RBAC role should you assign to the function's managed identity?

Question 88 (easy, multiple choice)

Your organization has a custom application that stores customer data in Azure Cosmos DB. You need to encrypt the data at rest using a customer-managed key stored in Azure Key Vault. Which type of Cosmos DB encryption should you configure?

Question 89 (hard, multiple choice)

You are designing a solution for a multi-tenant SaaS application where each tenant's data is stored in separate Azure SQL databases. You need to ensure that no tenant can access another tenant's database, even if the application is compromised. What should you implement?

Question 90 (medium, multiple choice)

Your Azure Logic App needs to send emails using Microsoft Graph API on behalf of the signed-in user. The user is authenticated with Microsoft Entra ID. Which authentication method should you use in the Logic App?

Question 91 (hard, multi select)

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster that runs a critical workload? (Choose two.)

Question 92 (medium, multi select)

Which THREE components are required to implement Azure AD B2C custom policies for sign-up and sign-in? (Choose three.)

Question 93 (hard, multi select)

Which TWO services can be used to manage secrets and certificates for applications running on Azure? (Choose two.)

Question 94 (medium, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition. When applied to a subscription, what is the effect of this policy?

Exhibit

{
  "properties": {
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "array",
        "defaultValue": [
          "eastus",
          "westus"
        ]
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('allowedLocations')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Question 95 (hard, multiple choice)

Refer to the exhibit. An administrator runs this Azure CLI command. What is the result?

Exhibit

az role assignment create --assignee "00000000-0000-0000-0000-000000000001" --role "Reader" --scope "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/ProdRG"

Question 96 (easy, multiple choice)

Refer to the exhibit. You created a custom RBAC role definition. A user is assigned this role at the subscription scope. What can the user do?

Exhibit

{
  "type": "Microsoft.Authorization/roleDefinitions",
  "properties": {
    "roleName": "Custom SQL DB Reader",
    "description": "Read-only access to Azure SQL Database",
    "permissions": [
      {
        "actions": [
          "Microsoft.Sql/servers/databases/read"
        ],
        "notActions": []
      }
    ],
    "assignableScopes": [
      "/subscriptions/12345678-1234-1234-1234-123456789abc"
    ]
  }
}

Question 97 (medium, multiple choice)

Your web app running on Azure App Service requires access to a storage account using managed identity. You enable the system-assigned managed identity on the App Service and assign the 'Storage Blob Data Contributor' role at the storage account scope. However, the app receives 403 errors when trying to read blobs. What is the most likely cause?

Question 98 (hard, multiple choice)

You are designing a solution for a healthcare application that stores patient data in Azure Cosmos DB. The data must be encrypted at rest using a customer-managed key stored in Azure Key Vault. You need to ensure that the key can be rotated without downtime. Which approach should you recommend?

Question 99 (easy, multiple choice)

You are deploying a function app that processes sensitive data. You need to ensure that all function app secrets (e.g., connection strings) are stored securely and automatically rotated. Which service should you use?

Question 100 (medium, multiple choice)

Your API is secured using Azure AD (now Microsoft Entra ID) tokens. You need to validate the token in your custom code. Which library should you use to validate the token's signature, issuer, and audience?

Question 101 (hard, multiple choice)

You have a multi-tenant application that uses Azure AD (Microsoft Entra ID) for authentication. You want to allow only specific tenants to access your app. What is the recommended approach?

Question 102 (easy, multiple choice)

Your application uses Azure Key Vault to store secrets. You need to ensure that the application can access secrets without storing any credentials in the application code or configuration files. What should you use?

Question 103 (medium, multiple choice)

You are developing a serverless API using Azure Functions. The API should only be accessible from a specific virtual network. You need to configure network security. What should you do?

Question 104 (hard, multiple choice)

Your application uses Azure Key Vault to store cryptographic keys used for signing. You need to ensure that the keys can be used by multiple applications, but only one application should be able to delete the key. What should you do?

Question 105 (easy, multiple choice)

Your application uses Azure App Service and needs to authenticate users via Microsoft Entra ID. You want to minimize code changes. Which feature should you use?

Question 106 (medium, multi select)

Which TWO of the following are valid ways to authenticate an Azure function to an Azure SQL database using managed identity?

Question 107 (hard, multi select)

Which THREE permissions should be granted to an application's managed identity to allow it to read secrets from Azure Key Vault and use them to access Azure Storage?

Question 108 (easy, multi select)

Which TWO of the following are benefits of using Azure Key Vault to store application secrets?

Question 109 (hard, multiple choice)

Refer to the exhibit. You are deploying an ARM template that assigns the 'Storage Blob Data Contributor' role to the managed identity of an App Service named 'myapp' at the storage account 'mystorageacct' scope. The deployment fails with an error that 'principalId' is null. What is the most likely cause?

Exhibit

{
    "type": "Microsoft.Authorization/roleAssignments",
    "apiVersion": "2022-04-01",
    "name": "[guid(resourceGroup().id, 'Storage Blob Data Contributor')]",
    "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
        "principalId": "[reference(resourceId('Microsoft.Web/sites', 'myapp'), '2022-03-01', 'Full').identity.principalId]",
        "scope": "[resourceId('Microsoft.Storage/storageAccounts', 'mystorageacct')]"
    }
}

Question 110 (easy, multiple choice)

Refer to the exhibit. You run the Azure CLI command to store a secret in Key Vault. Later, you run 'az keyvault secret show --vault-name myvault --name MySecret'. What will be displayed?

Exhibit

az keyvault secret set --vault-name myvault --name MySecret --value "P@ssw0rd123"

Question 111 (medium, multiple choice)

Refer to the exhibit. You deploy this ARM template to an App Service named 'myapp'. After deployment, users report they are able to access the app without being prompted to log in. What is the most likely reason?

Exhibit

{
  "type": "Microsoft.Web/sites/config",
  "apiVersion": "2022-03-01",
  "name": "[concat(parameters('siteName'), '/authsettingsV2')]",
  "properties": {
    "platform": {
      "enabled": true
    },
    "globalValidation": {
      "requireAuthentication": true,
      "unauthenticatedClientAction": "RedirectToLoginPage"
    },
    "identityProviders": {
      "azureActiveDirectory": {
        "enabled": true,
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0",
          "clientId": "11111111-1111-1111-1111-111111111111"
        }
      }
    }
  }
}

Question 112 (medium, multiple choice)

A company stores sensitive data in Azure Blob Storage. They require that all access to the storage account be authenticated via Microsoft Entra ID and that users must have the 'Storage Blob Data Reader' role assigned. A developer reports being unable to read blobs using the Azure portal despite having the role assigned. What is the most likely cause?

Question 113 (easy, multiple choice)

You are configuring an Azure App Service web app to authenticate users with Microsoft Entra ID. You need to ensure that only users from your organization's tenant can access the app. Which setting should you configure?

Question 114 (hard, multiple choice)

A company uses Azure API Management (APIM) to expose APIs to external partners. They want to validate JSON Web Tokens (JWTs) from partners' Microsoft Entra ID tenants before requests reach the backend. The solution must support multiple partner tenants and minimize latency. What should you implement?

Question 115 (medium, multiple choice)

You are developing a serverless application using Azure Functions that processes sensitive data. The function needs to access Azure Key Vault to retrieve a secret. You want to use managed identity for authentication. What should you do first?

Question 116 (hard, multiple choice)

A company uses Azure SQL Database and needs to encrypt sensitive columns (e.g., credit card numbers) at rest and in transit, with the ability to allow specific applications to decrypt. They want to manage encryption keys centrally in Azure Key Vault and avoid managing certificates. Which technology should they use?

Question 117 (easy, multiple choice)

You are deploying an Azure Kubernetes Service (AKS) cluster. You need to ensure that pods can access Azure resources (e.g., Azure Storage) using a managed identity without storing credentials. What should you configure?

Question 118 (medium, multiple choice)

Your organization uses Azure Key Vault to store secrets. Developers need to retrieve secrets during application runtime. You want to minimize latency and avoid network overhead. Which approach should you recommend?

Question 119 (hard, multiple choice)

You are designing a solution that uses Azure Event Hubs to ingest telemetry data. The data must be encrypted at rest and in transit. Additionally, you need to ensure that only authorized applications can publish messages to the event hub. Which combination of features should you use?

Question 120 (medium, multiple choice)

A company uses Azure Logic Apps to orchestrate workflows that process sensitive data. They need to ensure that workflow runs are logged and auditable, and that the logs are tamper-proof. Which Azure service should they use?

Question 121 (medium, multi select)

Which TWO actions should you take to secure an Azure Function app that is triggered by an HTTP request? (Choose two.)

Question 122 (hard, multi select)

Which THREE measures can you use to protect data at rest in Azure Cosmos DB? (Choose three.)

Question 123 (easy, multi select)

Which TWO methods can you use to authenticate an Azure App Service web app to Azure SQL Database without storing credentials in code? (Choose two.)

Question 124 (easy, multiple choice)

Refer to the exhibit. You have a custom RBAC role definition. A user assigned this role reports they can read, write, and delete blobs, but cannot list the containers in the storage account. What is the most likely reason?

Exhibit

{
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "Custom Storage Blob Contributor",
  "properties": {
    "roleName": "Custom Storage Blob Contributor",
    "description": "Grants full access to storage blob containers and data",
    "type": "CustomRole",
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/write",
          "Microsoft.Storage/storageAccounts/blobServices/containers/delete"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
        ],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "/subscriptions/12345678-1234-1234-1234-123456789abc"
    ]
  }
}

Question 125 (hard, multiple choice)

Refer to the exhibit. You run the Azure CLI command to retrieve a secret from Azure Key Vault. The output shows the secret metadata but not the secret value. The command returns without error. What is the most likely cause?

Exhibit

az keyvault secret show --vault-name myKV --name MySecret

Output:

"attributes": {
  "created": "2023-01-01T00:00:00Z",
  "enabled": true,
  "expires": null,
  "notBefore": null,
  "recoveryLevel": "Recoverable+Purgeable",
  "updated": "2023-01-01T00:00:00Z"
},
"contentType": "text/plain",
"id": "https://myKV.vault.azure.net/secrets/MySecret/abc123",
"kid": null,
"managed": null,
"name": "MySecret",
"tags": {}

Question 126 (medium, multiple choice)

Refer to the exhibit. You deploy an Azure Storage account using the ARM template snippet. A developer reports that they cannot connect to the storage account from their machine with IP 10.0.0.5, even though they have the proper RBAC role. What is the most likely reason?

Exhibit

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "mystorageaccount",
  "location": "eastus",
  "kind": "StorageV2",
  "sku": {
    "name": "Standard_LRS"
  },
  "properties": {
    "minimumTlsVersion": "TLS1_2",
    "supportsHttpsTrafficOnly": true,
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [
        {
          "value": "192.168.1.0/24",
          "action": "Allow"
        }
      ],
      "virtualNetworkRules": []
    }
  }
}

Question 127 (easy, multiple choice)

A company stores secrets in Azure Key Vault. Developers need to retrieve secrets from a web app without storing connection strings in code. Which authentication method should the web app use?

Question 128 (medium, multiple choice)

You are developing a microservices application. Each microservice must authenticate to Azure SQL Database using its own identity. You need to minimize credential management overhead. What should you use?

Question 129 (hard, multiple choice)

Your application uses Azure Key Vault to store cryptographic keys. You need to ensure that keys are automatically rotated every 90 days without any manual intervention. Which Key Vault feature should you configure?

Question 130 (easy, multiple choice)

You are building an API that needs to validate JWT tokens issued by Microsoft Entra ID. The API is registered as an application in Entra ID. Which endpoint should the API use to obtain the signing keys?

Question 131 (medium, multiple choice)

You have an Azure Storage account with a blob container. You need to grant a user read-only access to a specific blob for 24 hours without requiring them to authenticate with Microsoft Entra ID. What should you use?

Question 132 (hard, multiple choice)

Your application runs on Azure Kubernetes Service (AKS). It needs to access Azure Key Vault secrets. You want to avoid using a service principal. Which solution should you implement?

Question 133 (easy, multiple choice)

You need to secure a web API that is called from a single-page application (SPA). The API uses Microsoft Entra ID for authentication. Which OAuth 2.0 flow should the SPA use?

Question 134 (medium, multiple choice)

Your company uses Microsoft Defender for Cloud. You need to receive alerts when a user modifies a Key Vault access policy. What should you configure?

Question 135 (hard, multiple choice)

Your application uses Azure Functions and needs to authenticate to a downstream API using OAuth 2.0. The function app uses a system-assigned managed identity. Which token endpoint should the function app call to get a token for the downstream API?

Question 136 (medium, multi select)

You need to secure access to an Azure Storage account that contains sensitive data. Which TWO of the following are recommended best practices?

Question 137 (hard, multi select)

Your application uses Azure App Service and needs to authenticate users via Microsoft Entra ID. Which THREE components must be configured in the App Service authentication settings?

Question 138 (easy, multi select)

You are designing a solution to store application secrets. You need to ensure that secrets are encrypted at rest and access is audited. Which TWO Azure services should you use?

Question 139 (medium, multiple choice)

Refer to the exhibit. You are configuring a Key Vault key using an ARM template. What does this configuration achieve?

Exhibit

{
  "properties": {
    "keyType": "RSA",
    "keySize": 2048,
    "keyOps": ["encrypt", "decrypt"],
    "rotationPolicy": {
      "lifetimeActions": [
        {
          "trigger": {
            "timeAfterCreate": "P90D"
          },
          "action": {
            "type": "Rotate"
          }
        }
      ]
    }
  }
}

Question 140 (hard, multiple choice)

Refer to the exhibit. You create a custom RBAC role with the shown permissions. You assign this role to a user at the resource group scope. What can the user do?

Exhibit

{
  "roleName": "CustomRole",
  "actions": [
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/secrets/read"
  ],
  "notActions": [],
  "assignableScopes": ["/subscriptions/sub1/resourceGroups/rg1"]
}

Question 141 (easy, multiple choice)

Refer to the exhibit. You run the Azure CLI command shown. What is the result?

Exhibit

az keyvault secret set --vault-name MyVault --name MySecret --value "P@ssw0rd!"

Question 142 (medium, multiple choice)

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to access the Microsoft Graph API to read user profiles. Which type of permission should you request in the app registration to ensure the app can read profiles without user interaction?

Question 143 (hard, multiple choice)

You are configuring a managed identity for an Azure App Service to access Azure Key Vault. The identity has been assigned, but the app receives a 403 Forbidden when trying to retrieve a secret. What is the most likely cause?

Question 144 (easy, multiple choice)

You need to secure access to an Azure Storage account that hosts sensitive data. The requirement is to restrict access to only requests originating from a specific virtual network. Which feature should you configure?

Question 145 (medium, multiple choice)

Your application uses Azure App Configuration with Microsoft Entra ID authentication. You want to ensure that only authorized services can read configuration values. What is the recommended approach?

Question 146 (hard, multiple choice)

You are deploying a containerized application to Azure Kubernetes Service (AKS). The application needs to access Azure SQL Database securely. Which approach should you use to avoid storing credentials in the container image?

Question 147 (easy, multiple choice)

You need to ensure that an Azure Functions app can access a blob in Azure Storage using its system-assigned managed identity. What should you do first?

Question 148 (medium, multiple choice)

You are designing a solution where an Azure Logic App needs to send emails via Microsoft Graph. The Logic App should authenticate without user interaction. What authentication method should you use?

Question 149 (hard, multiple choice)

You are developing a .NET Core API that uses Azure AD for authentication. You want to restrict access to specific claims. Which middleware component should you use to check claims?

Question 150 (easy, multiple choice)

You need to ensure that secrets stored in Azure Key Vault are automatically rotated every 90 days. Which feature should you configure?

Question 151 (medium, multiple choice)

A company uses Azure App Service to host a web application. They need to ensure that only authenticated users from their Microsoft Entra ID tenant can access the app. They also want to prevent unauthenticated requests from reaching the app code. Which configuration should they implement?

Question 152 (medium, multiple choice)

You are developing a serverless function app that processes credit card payments. The function app must securely store the payment gateway API key. Which Azure service should you use to store the key?

Question 153 (hard, multiple choice)

A company has an Azure Kubernetes Service (AKS) cluster. They want to ensure that pods can securely access Azure SQL Database without using connection strings or secrets. The solution must use the principle of least privilege. What should they implement?

Question 154 (easy, multiple choice)

You are developing an ASP.NET Core web app that will be deployed to Azure App Service. The app needs to authenticate users from a Microsoft Entra ID tenant. You want to minimize development effort and rely on platform features. What should you do?

Question 155 (medium, multiple choice)

A company uses Azure Blob Storage to store sensitive documents. They want to ensure that data is encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. They also need to be able to revoke access to the data immediately if a security breach is detected. Which feature should they enable?

Question 156 (easy, multiple choice)

You are developing an API that will be hosted on Azure API Management (APIM). The API must be accessible only to clients that present a valid JSON Web Token (JWT) issued by Microsoft Entra ID. Which APIM policy should you use to validate the JWT?

Question 157 (hard, multiple choice)

A company is building a microservices application on Azure Container Instances. Each microservice needs to authenticate to Azure Key Vault to retrieve secrets. They want to avoid storing any credentials in the container images or environment variables. What should they do?

Question 158 (medium, multiple choice)

You are deploying a web app to Azure App Service that must use a custom domain with TLS/SSL. You have purchased an SSL certificate from a third-party CA. How should you upload and bind the certificate to the custom domain?

Question 159 (hard, multi select)

Which TWO actions should you take to securely store and access secrets for a legacy application that cannot be modified? The application runs on an Azure Virtual Machine and needs to read a database connection string. The solution must use Azure Key Vault and adhere to the principle of least privilege.

Question 160 (medium, multi select)

Which THREE of the following are valid ways to authenticate an Azure Function to an Azure SQL Database using managed identities?

Question 161 (hard, multi select)

Which THREE of the following are true regarding Microsoft Entra ID authentication for Azure Storage?

Question 162 (medium, multiple choice)

Refer to the exhibit. You are deploying an Azure Key Vault using this ARM template. Your team plans to use RBAC to manage access. The vault must be accessible from Azure services (e.g., Azure VMs) without public IP addresses. After deployment, a developer reports that they cannot access secrets from a VM in the same region, even though the VM has a managed identity with the Key Vault Secrets User role. What is the most likely cause?

Exhibit

{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2022-07-01",
  "properties": {
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "tenantId": "[subscription().tenantId]",
    "accessPolicies": [],
    "enabledForDeployment": false,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": false,
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 90,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices",
      "ipRules": [],
      "virtualNetworkRules": []
    }
  }
}

Question 163 (hard, multiple choice)

You are a developer for a fintech company. Your application consists of multiple Azure Functions that process sensitive financial transactions. The functions need to access an Azure SQL Database and an Azure Storage account. Security requirements are: (1) No secrets or connection strings should be stored in application settings or code. (2) Access must be restricted to the specific resources each function needs. (3) All access must be audited. (4) The solution must support local development debugging. You have already enabled system-assigned managed identity for each function app. Which course of action should you take to meet the requirements?

Question 164 (medium, multiple choice)

You are developing a web application that will be deployed to Azure App Service. The application allows users to upload files, which are stored in Azure Blob Storage. You need to ensure that only authenticated users can upload files and that each user can only see their own files. You plan to use shared access signatures (SAS) for secure access. The application uses Microsoft Entra ID for authentication. You want to generate SAS tokens on the server after the user authenticates. Which approach should you use?

Question 165 (easy, multiple choice)

You are deploying a multi-tier application: a frontend web app (Azure App Service) that calls a backend API (another Azure App Service). Both apps use Microsoft Entra ID for authentication. The frontend needs to authenticate to the backend on behalf of the signed-in user. You need to configure the OAuth 2.0 flow correctly. You have already registered both applications in Microsoft Entra ID. Which configuration should you apply?

Question 166 (medium, multiple choice)

A company deploys an Azure App Service web app that stores sensitive data in Azure Blob Storage. The security team requires that all access to the blob storage must be authenticated and authorized via Microsoft Entra ID, and that no anonymous access is permitted. The web app must also be able to access the storage using its managed identity. Which configuration should the company implement?

Question 167 (hard, multiple choice)

A healthcare organization uses Azure API Management (APIM) to expose FHIR APIs to external partners. The FHIR backend is an Azure API for FHIR that requires OAuth 2.0 tokens from Microsoft Entra ID. APIM must validate tokens before forwarding requests to the backend. The organization also needs to rate-limit requests per subscription key and log all requests to Azure Monitor for audit. Which combination of APIM policies should be implemented?

Question 168 (medium, multi select)

A company is designing a secure microservices architecture on Azure Kubernetes Service (AKS). The security requirements include: encrypting secrets at rest and in transit, rotating secrets automatically, and avoiding hard-coded credentials in application code. Which THREE solutions should the company use? (Choose three.)

Question 169 (hard, multi select)

A company uses Azure Functions to process sensitive customer data. The functions are triggered by Service Bus messages. The security requirements mandate that all function code must be encrypted in transit and at rest, and that access to the function must be authenticated using Microsoft Entra ID. Which TWO configurations should be implemented? (Choose two.)

Question 170 (easy, multiple choice)

You are a developer for a startup that is building a real-time chat application on Azure. The application uses Azure Web PubSub to broadcast messages to clients. The security team requires that only authenticated users can connect to the Web PubSub service. You plan to use Microsoft Entra ID for authentication. The application backend is an Azure Function that generates access tokens. What is the correct course of action to secure the Web PubSub service?

Question 171 (medium, multiple choice)

A retail company uses Azure Logic Apps to integrate with third-party APIs. One Logic App sends purchase orders to a supplier's HTTP endpoint. The supplier requires that the request include an OAuth 2.0 access token obtained from their authorization server. The company wants to manage the client credentials (client ID and client secret) securely and rotate them automatically. The Logic App must also log all requests for auditing. What should you do?

Question 172 (hard, multiple choice)

A financial services company uses Azure Container Instances (ACI) to run batch processing jobs. Each job processes sensitive financial data and must use a custom container image stored in Azure Container Registry (ACR). The security requirements are: the ACI container must authenticate to ACR using a managed identity, the container must run as a non-root user, and all secrets must be injected via environment variables from Azure Key Vault using the managed identity. The ACI instance must also be deployed into a virtual network (VNet) to restrict network access. What configuration should you use?

Question 173 (easy, multiple choice)

You are deploying a web app on Azure App Service that stores secrets in Azure Key Vault. The app uses managed identity to access Key Vault. During testing, you get a 403 Forbidden error when the app tries to read a secret. What is the most likely cause?

Question 174 (medium, multiple choice)

Your company uses Microsoft Entra ID for identity management. You need to ensure that users accessing a line-of-business application from unmanaged devices must complete a multi-factor authentication (MFA) challenge. What should you configure?

Question 175 (hard, multi select)

You are developing a serverless application using Azure Functions that processes sensitive data. The function is triggered by an Azure Storage queue. You need to ensure that data in transit between the function and the storage account is encrypted using a customer-managed key (CMK) and that the storage account's firewall only allows access from the function's virtual network. Which two actions should you take? (Choose two.)

Question 176 (medium, multi select)

You are designing a solution to store secrets for a microservices application running on Azure Kubernetes Service (AKS). The secrets must be automatically rotated and remain available if the Key Vault is temporarily unavailable. Which TWO options meet the requirements?

Question 177 (hard, multiple choice)

You are reviewing an ARM template that deploys a network security group (NSG) for a web application. The exhibit shows the security rules. The web application runs on port 443. You need to ensure that HTTPS traffic from the internet can reach the web servers. What is the issue with the current configuration?

Exhibit

Refer to the exhibit.
{
  "type": "Microsoft.Network/networkSecurityGroups",
  "apiVersion": "2023-11-01",
  "name": "nsg-app",
  "properties": {
    "securityRules": [
      {
        "name": "AllowSSH",
        "properties": {
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "destinationPortRange": "22",
          "sourceAddressPrefix": "VirtualNetwork",
          "destinationAddressPrefix": "*",
          "access": "Allow",
          "priority": 100,
          "direction": "Inbound"
        }
      },
      {
        "name": "DenyAll",
        "properties": {
          "protocol": "*",
          "sourcePortRange": "*",
          "destinationPortRange": "*",
          "sourceAddressPrefix": "*",
          "destinationAddressPrefix": "*",
          "access": "Deny",
          "priority": 200,
          "direction": "Inbound"
        }
      }
    ]
  }
}

Question 178 (hard, multiple choice)

You are a security engineer for a large enterprise that uses Microsoft Entra ID. The company deploys a custom web application in Azure that authenticates users via the OAuth 2.0 authorization code flow with PKCE. The application is registered in Microsoft Entra ID. Recently, security auditors discovered that a compromised client secret was used to obtain tokens without user consent. You must update the application registration to prevent this type of attack. The application should still work with the authorization code flow and PKCE. You need to ensure that only interactive user authentication can obtain tokens, and that client secrets cannot be used to request tokens directly. Which option meets these requirements?
