What Is Azure App Configuration? Security Definition
Also known as: Azure App Configuration, AZ-204, Azure configuration management, feature flags Azure, App Configuration vs Key Vault
On This Page
Quick Definition
Azure App Configuration is a cloud service that stores settings for your applications — like database connection strings, API keys, or feature toggles — all in one central place. Instead of hardcoding these values in your code or configuration files, you keep them in the service and your app fetches them when needed. This means you can change a setting at any time without rebuilding, redeploying, or restarting your application. It is especially useful when you run multiple versions of an app or when you need different settings for development, testing, and production environments.
Must Know for Exams
For the AZ-204 Developing Solutions for Microsoft Azure certification exam, Azure App Configuration is a frequently tested topic. The exam objectives explicitly cover implementing Azure App Configuration, including creating configuration stores, managing feature flags, and integrating with applications using the SDK. You will likely encounter questions that test your understanding of the difference between Azure App Configuration and Azure Key Vault — a common point of confusion.
The exam expects you to know that App Configuration is for general application settings and feature flags, while Key Vault is for storing secrets like passwords and certificates. Another key exam area is connection methods: you must understand that applications can connect using connection strings (recommended for development) or managed identities (recommended for production for better security). The exam also tests configuration refresh patterns — you need to know how to configure automatic refresh using polling or Event Grid, and that refresh intervals can be set using the SetDependency method in the configuration builder.
Feature flags are another major exam topic. You should understand the structure of a feature flag (ID, enabled state, filters for percentage rollout or targeting), and how to define them using Azure App Configuration or directly in code. The exam may present scenario questions where you need to decide whether to use App Configuration, Key Vault, or both.
For example, a scenario might describe an application that needs a connection string that changes frequently and also a database password. The correct answer often involves storing the connection string (non-sensitive) in App Configuration and storing a reference to the password in Key Vault, which App Configuration can retrieve securely. Additionally, the exam covers snapshots for point-in-time configuration archives and soft-delete protection.
You should be ready for questions that ask about pricing tiers (free and standard) and the maximum store sizes. Finally, the exam tests integration with other Azure services like App Service, Functions, and Kubernetes. Knowing that App Configuration can be used with dynamic configuration in Azure App Service without restarting the application is a common correct answer.
Simple Meaning
Think of Azure App Configuration like a central bulletin board for your application. Imagine you manage a large office building with many rooms, each room representing a different part of your software application — one room handles user logins, another processes payments, a third manages inventory. In each room, there are signs and instructions telling the workers what to do.
For example, a sign might say "Database password is X" or "Enable new checkout feature". Now, if you wanted to change the database password or turn off the new checkout feature, you would normally have to go into each room, rewrite the sign, and then ask all the workers to read the new sign. In software terms, that means editing configuration files, rebuilding the application, redeploying it, and sometimes restarting servers — a slow and error-prone process.
Azure App Configuration changes this by putting all those signs and instructions onto a single, central bulletin board that every room can see instantly. When you update the bulletin board, every part of your application gets the new information immediately, without needing to rebuild or restart anything. The bulletin board also supports versioning — you can see what the signs said yesterday, and if something breaks, you can roll back to an earlier version.
It also allows you to create different bulletin boards for different floors — for example, one for the development floor, one for testing, and one for production — so you can test changes safely before rolling them out to everyone. This central board uses labels and tags to organize settings, making it easy to find the right one. It also includes feature flags, which are like switches on the board that let you turn features on or off instantly — perfect for controlling new features during a rollout.
Azure App Configuration is built to work with Azure's security system, so you can control exactly who reads or writes to the bulletin board using role-based access control. This whole setup makes managing application settings faster, safer, and much more flexible than traditional methods.
Full Technical Definition
Azure App Configuration is a fully managed Azure service that provides a centralized repository for configuration data and feature flags. It is designed to support dynamic updates, version control, and secure access for cloud-native applications, particularly microservices-based architectures. The service stores configuration key-value pairs, where each key can be associated with a value, a label (for environment or version differentiation), and content type (e.g., application/json for complex objects).
Under the hood, Azure App Configuration uses a REST API (Representational State Transfer Application Programming Interface) and a dedicated SDK (Software Development Kit) for popular programming languages including .NET, Java, Python, Node.js, and others. Applications connect to the service using a connection string or managed identity — Azure's secure authentication mechanism — to retrieve configuration data at startup and optionally at runtime through polling or event-driven updates. The service supports real-time configuration refresh without restarting the application, using the Azure Event Grid or polling intervals (default every 30 seconds but configurable).
Key technical components include key-value stores with implicit or explicit hierarchical key structures (for example, using a colon delimiter like "AppName:Database:ConnectionString"), labels for segmenting configurations (e.g., "Development", "Staging", "Production"), and snapshots for point-in-time configuration archives. Feature flags are a special type of key-value pair where the value is a JSON object that defines the flag's state, filters (for percentage rollout or user targeting), and conditions.
Real IT environments use Azure App Configuration to decouple configuration from code. For instance, in a microservices deployment with AKS (Azure Kubernetes Service), each microservice can fetch its specific configuration from a shared App Configuration store, reducing duplication and ensuring consistency. The service integrates with Azure Key Vault for storing sensitive values like passwords — App Configuration can hold a reference to a Key Vault secret, and the application retrieves the actual secret securely at runtime.
Security is enforced through Azure RBAC (Role-Based Access Control), with built-in roles like "App Configuration Data Owner" and "App Configuration Data Reader". Data is encrypted at rest and in transit using TLS (Transport Layer Security). The service also offers soft-delete protection so that accidentally deleted stores can be recovered within a retention period. For exam purposes, know that Azure App Configuration is optimal for configuration that changes frequently and needs to be shared across multiple application instances, while Azure Key Vault is better for secrets that must be encrypted and access-controlled tightly.
Real-Life Example
Imagine you are the operations manager of a large airport. The airport has dozens of departure screens, announcement systems, and check-in counters spread across multiple terminals. Each screen must display the correct flight information — gate numbers, delays, cancellations, boarding times.
In the old way of doing things, an airport employee would have to walk to each screen, open a panel, and manually update a paper schedule inside the screen. If a flight gate changed at the last minute, it would take hours to update every screen, and some might be missed, causing passenger confusion. Now, imagine a central control room with a single digital display board.
All the departure screens are connected wirelessly to this central board. When the control room updates a flight's gate number on the central board, every departure screen across the airport updates instantly, without anyone needing to visit each screen. This is exactly how Azure App Configuration works.
The central display board is the App Configuration store. The departure screens are parts of your application — web servers, mobile app backends, worker processes. The flight information is configuration data like database connection strings, API endpoints, or feature flags.
When you update a setting in the App Configuration store, all parts of your application that read from that store immediately see the new value. The airport also has different schedules for weekdays versus weekends — that is like using labels ("Weekday" and "Weekend") to serve different configurations depending on the context. The control room can also test a new departure board layout on just one screen before rolling it out to all terminals — that is exactly like using feature flags to gradually release a new feature to a subset of users.
And if a mistake happens, the control room can revert the central board to a previous version — that is the versioning and rollback capability in Azure App Configuration. This analogy shows how a single, authoritative source of configuration reduces errors, speeds up changes, and gives you fine-grained control over your software environment.
Why This Term Matters
In real IT work, managing application configuration is a persistent challenge, especially as systems grow larger and more distributed. Traditionally, configuration values like database connection strings, API keys, logging levels, and feature toggles were stored in configuration files (like appsettings.json, web.
config, or environment variables) that were deployed alongside the application code. This approach creates several practical problems. First, any configuration change requires a full code deployment cycle — modify the file, rebuild the application, test it, redeploy it — which is slow and risky.
Second, sensitive data like passwords or API keys could accidentally be committed to source control repositories, creating security vulnerabilities. Third, different environments (development, staging, production) require separate configuration files, and keeping them in sync is error-prone. Fourth, when running multiple instances of an application — for example, dozens of microservices in a Kubernetes cluster — updating every instance's configuration manually is impractical.
Azure App Configuration solves all these problems by providing a single, secure, version-controlled, and dynamically updatable store for configuration. IT professionals use it to implement practices like canary releases (rolling out a feature to 5% of users) and A/B testing (showing different versions to different user groups) through feature flags. It also integrates with Azure Policy and monitoring tools, so you can audit who changed what configuration and when.
For DevOps teams, using Azure App Configuration is a core part of a modern, cloud-native approach. It reduces deployment frequency because you can change settings without redeploying code. It improves security because sensitive references can point to Azure Key Vault.
It increases reliability because you can roll back a bad configuration instantly. And it simplifies multi-environment management because you use labels to separate configurations, rather than maintaining separate files. For system administrators and cloud architects, understanding Azure App Configuration is essential for building scalable, maintainable, and secure applications in Azure.
How It Appears in Exam Questions
In the AZ-204 exam, Azure App Configuration appears in several types of questions. Scenario-based questions are the most common. For example, you might read a scenario where a company has a web application that runs on multiple Azure App Service instances.
The operations team needs to change a database connection string for all instances at once without redeploying the code. The correct answer will involve using Azure App Configuration with a managed identity to connect all instances to a central store. Another typical scenario involves a company rolling out a new payment feature.
They want to enable it for only 10% of users initially, then gradually increase the percentage. The solution will involve creating a feature flag in Azure App Configuration with a percentage filter. Configuration questions test your ability to set up the service correctly.
For instance, you might be asked which method is best to connect an Azure Function to App Configuration in production. The correct answer is to use a system-assigned managed identity rather than a connection string, because managed identities avoid storing credentials in code or configuration files. Troubleshooting questions might present a situation where an application is not receiving updated configuration values after changes are made in App Configuration.
Common causes include the application using cached values (no refresh configured), incorrect polling interval settings (default is 30 seconds, not instant), or the application not calling the refresh method at appropriate intervals. Architectural questions ask you to choose between App Configuration and Key Vault for specific requirements. For example, you might be asked to design a solution that stores a feature flag and a database password.
The correct approach is to store the feature flag in App Configuration and store the password in Key Vault, then reference the Key Vault secret from App Configuration. Integration questions test your knowledge of how App Configuration works with other Azure services. You could be asked how to enable dynamic configuration for an Azure App Service web app.
The answer involves adding the Microsoft.Extensions.Configuration.AzureAppConfiguration NuGet package and configuring the builder to use the App Configuration store. Finally, questions on snapshots appear: you might need to know that snapshots allow you to capture a point-in-time set of key-values and label them, which is useful for deploying known-good configurations.
Understanding these question patterns will help you prepare effectively for exam scenarios.
Practise Azure App Configuration Questions
Test your understanding with exam-style practice questions.
Example Scenario
A company called EcoRide builds a mobile application that allows users to rent electric scooters. The application consists of a mobile app for users, a web API (Application Programming Interface) hosted in Azure App Service, and a background worker process that processes ride data. The development team frequently needs to adjust settings such as the pricing per minute, the maximum allowed speed, the list of cities where scooters are available, and a feature flag for a new "scooter reservation" feature they are testing.
Currently, these settings are hardcoded in configuration files within each component. Whenever they need to change the pricing, they must update the configuration file, rebuild the entire solution, run tests, and redeploy all components to Azure. This process takes one hour and requires coordinating with the operations team.
EcoRide decides to use Azure App Configuration to solve this. They create a single App Configuration store in their Azure subscription. They add the pricing per minute as a key-value pair, the maximum speed as another key-value pair, and the list of supported cities as a JSON array.
They create a feature flag for the "scooter reservation" feature. The web API and the background worker are then modified to read these values from the App Configuration store at startup. They also enable dynamic refresh so that when a value changes in the store, the application picks it up within 30 seconds without any downtime.
Now, when the business team decides to increase the pricing during a holiday, the developer simply updates the value in the App Configuration portal. Within half a minute, all running instances of the web API and the worker process begin using the new pricing. The feature flag allows them to enable the scooter reservation feature for only their internal testers by adding a user group filter.
This scenario demonstrates how Azure App Configuration streamlines configuration management, reduces deployment frequency, and enables safe, gradual feature rollouts.
Common Mistakes
Thinking Azure App Configuration is the same as Azure Key Vault because both store configuration and secrets.
Azure App Configuration is designed for general application settings and feature flags, not for highly sensitive secrets like passwords, connection strings with embedded credentials, or certificates. Azure Key Vault is the correct service for securely storing and managing secrets. App Configuration can reference a secret stored in Key Vault, but it should not store secrets directly.
Use Azure App Configuration for non-secret configuration values (like API base URLs, feature flags, logging levels) and use Azure Key Vault for secrets. If you need both, use App Configuration to store a reference to the Key Vault secret.
Not configuring refresh intervals and expecting changes to take effect instantly without any code changes.
Azure App Configuration does not automatically push changes to an application unless the application is set up to watch for changes. By default, an application reads configuration once at startup. To get updates, you must configure a refresh mechanism using the SDK (e.g., ConfigureRefresh with a key sentinel) and call the TryRefreshAsync method in your application logic periodically.
In your application startup code, use the .AddAzureAppConfiguration() method and chain .ConfigureRefresh() to specify a sentinel key. Then, in your application's middleware or background task, call await configurationRefresher.TryRefreshAsync() regularly (e.g., on each request).
Using connection strings in production instead of managed identities for authentication.
Connection strings contain a static access key that, if leaked, grants full access to the App Configuration store. In production environments, using managed identities (such as system-assigned or user-assigned managed identities for Azure resources like App Service or Functions) is more secure because there are no static credentials to manage or expose.
For development or local testing, connection strings are acceptable. For production workloads running in Azure, always enable managed identity for the application resource (e.g., App Service) and grant it the "App Configuration Data Reader" role. Use the ManagedIdentityCredential or DefaultAzureCredential from the Azure Identity SDK to authenticate.
Confusing feature flags in Azure App Configuration with built-in feature management in ASP.NET Core without understanding the difference in storage and management.
You can define feature flags directly in code using the Microsoft.FeatureManagement library, but that couples the flag to the codebase. Azure App Configuration provides a centralized, version-controlled, UI-managed store for feature flags that can be updated without touching code. Many learners think they must choose one or the other, but they work together: App Configuration stores the flags, and the FeatureManagement library reads them.
Use Azure App Configuration as the backend store for feature flags. Define the flags in the App Configuration portal with filters (percentage, user groups, time windows). Then use the Microsoft.FeatureManagement library in your application to read those flags from App Configuration and use them in your code with if statements or action filters.
Assuming that keys in Azure App Configuration are case-sensitive and that changing the case will cause no issues.
Azure App Configuration keys are case-sensitive by default. This means "Database:ConnectionString" and "database:connectionstring" are treated as two different keys. This can lead to unexpected behavior if you are not careful about consistent casing, especially when importing configuration from different environments that may use inconsistent casing.
Always use a consistent casing convention for your keys, such as PascalCase or camelCase, and enforce it across your team. Use the Azure portal or CLI to audit key names. If migrating from a case-insensitive configuration system like environment variables, be aware that App Configuration is case-sensitive.
Exam Trap — Don't Get Fooled
A question describes an application that needs to store a database connection string that includes a password. The options include storing it in Azure App Configuration, Azure Key Vault, or both. Many learners choose "Store it in Azure App Configuration" because they know App Configuration can store connection strings.
Always ask yourself: does this value contain a secret (password, API key, certificate thumbprint)? If yes, it belongs in Azure Key Vault. Use Azure App Configuration for non-secret configuration like a connection string without credentials (e.
g., a server name and database name). Then use a reference to the secret in Key Vault. In the exam, look for the option that combines both: store the non-secret in App Configuration and the password in Key Vault, then reference the Key Vault secret from App Configuration.
Commonly Confused With
Azure Key Vault is a secure store for secrets, keys, and certificates, with strong encryption and access policies. Azure App Configuration is for general application settings (connection strings without passwords, feature flags, API base URLs) and does not provide the same level of secret protection. App Configuration can reference a Key Vault secret, but it should not store secrets itself.
Store your database server name and database name in App Configuration, but store the actual database password in Key Vault. Then use a reference from App Configuration to Key Vault so your application retrieves both.
Azure App Service has a built-in Application Settings blade where you can define key-value pairs for your web app. These are similar but are tied to a single App Service instance. Azure App Configuration is a separate, centralized service that can be shared across multiple apps, functions, and containers, with features like versioning, labeling, and feature flags not available in App Service settings.
If you have three App Service instances that need the same pricing configuration, use App Configuration once and reference it from each instance rather than duplicating the settings in each App Service's Application Settings.
Azure Functions has its own Application Settings inside the Function App, similar to App Service. While convenient, these settings are per-function-app and do not offer centralized management, versioning, or feature flag capabilities. Azure App Configuration provides those extras and can be used by Functions by adding the appropriate NuGet package.
Use Azure Functions for its built-in settings if you have only one function app and simple settings. Use Azure App Configuration when you have multiple function apps, microservices, or you need dynamic updates and feature flags.
Azure Event Grid is an event routing service that can notify applications when configuration changes happen in App Configuration. They are different services that can work together: App Configuration stores the data, Event Grid can send events to your app when that data changes so you can refresh configuration reactively instead of polling.
Use App Configuration to store a feature flag. Use Event Grid to send an event to a webhook in your application whenever that feature flag changes, so the application updates the flag's state immediately without waiting for a polling interval.
Step-by-Step Breakdown
Step 1: Create an Azure App Configuration Store
First, navigate to the Azure portal and create a new App Configuration resource. You choose a name (globally unique), a region, and a pricing tier (Free or Standard). The Free tier is ideal for development and learning; it includes up to 10,000 key-values and 10,000 feature flags. The Standard tier offers more capacity, a higher request limit, and a 99.9% SLA. Once created, you have a centralized repository ready to hold your settings.
Step 2: Add Key-Value Pairs and Feature Flags
Inside the App Configuration store, you create key-value pairs for your settings. For example, create a key named "EcoRide:PricingPerMinute" with a value of "0.15". You can also add a label like "Development" or "Production" to separate environment-specific values. For feature flags, you create a new feature flag resource, give it a name like "NewReservationFeature", and set its initial state (enabled or disabled). You can also add filters for percentage rollouts, user targeting, or time windows.
Step 3: Secure Access with Managed Identity and Roles
In a production environment, you should not use connection strings directly in your application code because they contain a static access key. Instead, enable a system-assigned or user-assigned managed identity on the Azure resource that runs your application (like App Service, Azure Functions, or an Azure VM). Then, in the App Configuration store's Access Control (IAM) blade, assign the "App Configuration Data Reader" role to that managed identity. This allows the application to read configuration values without storing any credentials.
Step 4: Configure the Application to Connect to the Store
In your application's startup code (e.g., Program.cs for .NET applications), you add the Azure App Configuration provider. For a .NET application, you call builder.Configuration.AddAzureAppConfiguration(options => ...) and pass the connection string or a managed identity credential. You also configure a refresh mechanism by specifying a sentinel key — a key that you will update whenever you want to force all other keys to refresh. Then you register the configuration refresher as a singleton service so you can call it in your middleware or background tasks.
Step 5: Implement Dynamic Refresh in Application Logic
To make your application pick up configuration changes without restarting, you must call the TryRefreshAsync method at appropriate points. A common approach is to add middleware that calls TryRefreshAsync on every incoming HTTP request. Alternatively, you can set up a background service that calls it every few seconds. The refresh method checks if the sentinel key has changed (by inspecting its ETag) and, if so, reloads all related key-values from the store. This ensures your application uses the latest configuration within a short delay.
Step 6: Use Feature Flags in Application Code
After setting up App Configuration, you integrate the Microsoft.FeatureManagement library. In your code, you inject the IFeatureManager interface and use it to check if a feature is enabled before running conditional logic. For example, you can wrap the new reservation feature in an if (await featureManager.IsEnabledAsync("NewReservationFeature")) block. This enables you to turn features on or off from the portal without redeploying code. You can also use action filters for MVC controllers to control entire endpoints.
Step 7: Monitor, Audit, and Rollback Changes
Azure App Configuration provides a built-in change history for key-values, allowing you to see who changed what and when. If a change causes issues, you can restore a previous version of a key-value by viewing its history and selecting the version you want to revert to. You can also export configuration snapshots, which are point-in-time backups of your entire configuration store. Use Azure Monitor and diagnostic logs to track usage, request failures, and performance metrics.
Practical Mini-Lesson
Azure App Configuration is a service that every Azure developer should understand deeply, especially those targeting the AZ-204 exam. In practice, it transforms how you manage application settings across environments. The core concept is decoupling configuration from code — a principle of modern application design.
Instead of embedding values like database names, API endpoints, logging levels, and feature toggles into your code or config files, you store them in a centralized, version-controlled, and dynamically updatable store. This has immediate benefits: you can change any setting without rebuilding or redeploying your application, reducing deployment frequency from daily to weekly or even monthly for configuration-only changes. To use Azure App Configuration in practice, you start by creating a store in the Azure portal or via ARM templates or Bicep for infrastructure-as-code.
You then populate it with key-values. It is crucial to design a key hierarchy that is meaningful and scalable. A common pattern uses a colon (:) as a delimiter to create hierarchical namespaces, such as "MyApp:Database:ServerName" and "MyApp:Database:DatabaseName".
This makes it easy to fetch related settings in groups. Labels are another important organizational tool. You can label all keys for development as "Dev" and for production as "Prod", allowing your application to read only the appropriate set based on its environment.
This eliminates the need for multiple configuration files. Feature flags deserve special attention because they enable powerful deployment strategies like canary releases and A/B testing. In practice, you define a feature flag in App Configuration with a name and initial state.
You can then add filters: percentage filters for gradual rollout (e.g., 10% of all users), user group filters (for internal testers), or time window filters (for timed feature releases).
Your application code uses the Microsoft.FeatureManagement library's IFeatureManager to check these flags. This library also supports telemetry integration so you can see how many users see each feature.
The refresh mechanism is a common source of confusion. By default, the application reads configuration once at startup. To pick up changes, you must configure refresh with a sentinel key.
The sentinel key is a special key that you update whenever you make batch changes. The application polls the store for changes to the sentinel key's ETag. If the sentinel changed, it reloads all other keys that are part of that refresh group.
You set the polling interval, but the default is 30 seconds, which is acceptable for most scenarios. Another important practice: always use managed identity in production. Connection strings with access keys are easy to set up in development but are static credentials that must be rotated.
Managed identity eliminates that problem entirely. For the exam, remember that App Configuration supports storing up to 1 MB per key-value in the Standard tier and that you can use soft-delete to recover accidentally deleted stores within 7 days. Also note the integration with Azure Policy for auditing.
A final practical tip: always test your refresh mechanism by changing a value in the portal and verifying that your application picks it up without restarting. This is a common exam scenario question. By mastering these practical details, you will be ready for both the exam and real-world development.
Memory Tip
Think of Azure App Configuration as the "remote control" for your application settings: you press a button (update a key), and your app reacts (refreshes) without you having to move from your seat (no redeploy).
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
AZ-204AZ-204 →Related Glossary Terms
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
An A record is a DNS record that maps a domain name to the IPv4 address of the server hosting that domain.
Frequently Asked Questions
What is the difference between Azure App Configuration and Azure Key Vault?
Azure App Configuration stores general application settings and feature flags, while Azure Key Vault securely stores secrets like passwords, API keys, and certificates. App Configuration can reference a secret in Key Vault, but you should never store actual secrets directly in App Configuration.
Do I have to restart my application after changing a value in Azure App Configuration?
No, you do not have to restart if you configure dynamic refresh. Your application must call the TryRefreshAsync method periodically (e.g., on each request) to pick up changes. By default, it checks for changes every 30 seconds, but you can configure the interval.
Can I use Azure App Configuration with a non-Azure application?
Yes, you can use it from any application that can make HTTP requests, because the service exposes a REST API. However, the easiest integration is with .NET, Java, Python, and Node.js through the official SDKs. You will need the connection string or a managed identity to authenticate.
How do I organize settings for different environments like dev, test, and production?
Use labels. Create the same key names for each environment but apply a label like 'Development', 'Staging', or 'Production'. In your application, specify the label to use based on the environment (e.g., via an environment variable). This keeps your store clean and avoids duplication.
What is a feature flag and how do I use it in Azure App Configuration?
A feature flag is a toggle that lets you enable or disable a feature without deploying new code. In Azure App Configuration, you create a feature flag resource, set its state (on/off), and optionally add filters for gradual rollout. You check the flag in your code using the Microsoft.FeatureManagement library.
Is there a free tier for Azure App Configuration?
Yes, there is a Free tier that includes up to 10,000 stored key-values and 10,000 stored feature flags, with a request limit of 1,000 requests per day. It is suitable for development and small-scale testing. The Standard tier has higher limits and a 99.9% SLA.
Can I recover an accidentally deleted App Configuration store?
Yes, if you enable soft-delete (which is on by default), you can recover a deleted store within 7 days. The store is not permanently deleted immediately, allowing you to restore it along with its data. After 7 days, it is permanently removed.
How does Azure App Configuration handle highly sensitive data like connection strings with passwords?
Azure App Configuration should not store sensitive data directly. Instead, you use a Key Vault reference. You store the password in Azure Key Vault, and then in App Configuration, you store a reference like "{Uri: https://myvault.vault.azure.net/secrets/dbpassword }". At runtime, App Configuration retrieves the actual secret from Key Vault and provides it to your application.
Summary
Azure App Configuration is a fully managed Azure service that provides a centralized, secure, and dynamically updatable repository for application settings and feature flags. It allows developers to separate configuration from code, enabling changes to be made without rebuilding, redeploying, or restarting applications. This service is especially valuable in cloud-native architectures with microservices, multiple environments, or frequent configuration updates.
For the AZ-204 exam, you need to understand the core concepts: creating stores, adding key-values and feature flags, connecting applications via connection strings or managed identities, implementing dynamic refresh, and distinguishing App Configuration from Azure Key Vault. Common exam traps include confusing App Configuration with Key Vault, failing to configure refresh, and using connection strings in production. Practical skills like setting up feature filters for gradual rollouts, using labels for environment separation, and implementing refresh with a sentinel key are essential.
By mastering Azure App Configuration, you gain a powerful tool for building more flexible, maintainable, and secure Azure applications. Remember the memory tip: think of it as a remote control for your app's settings — update in one place, and your app reacts without needing a restart or redeploy. Use the service for non-secret configuration and feature flags, and pair it with Azure Key Vault for secrets.