Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 175

997 questions total · 14 pages · All types, answers revealed

Page 1 of 14

1
MCQ · easy

You are deploying an Azure Kubernetes Service (AKS) cluster. You need to ensure that pods can access Azure resources (e.g., Azure Storage) using a managed identity without storing credentials. What should you configure?

A. Use Azure AD Workload Identity for Kubernetes (or aad-pod-identity) to assign managed identities to pods.
B. Configure Azure AD integration on the AKS cluster for user authentication.
C. Create a service principal and distribute its secret to pods as a Kubernetes secret.
D. Enable managed identity on the AKS cluster and use cluster-level identity.
Answer: A

This allows pods to authenticate to Azure services without secrets.

Why this answer

Option A is correct because AKS can use pod-managed identities (via aad-pod-identity or Workload Identity) to assign managed identities to pods. Option D is wrong because AKS does not have a built-in managed identity for pods; the cluster-level identity is for the cluster itself. Option C is wrong because service principals require secret management.

Option B is wrong because Azure AD integration is for user authentication, not pod identity.

2
MCQ · hard

You are developing a serverless application using Azure Functions that processes order messages from an Azure Service Bus queue. Each order message is approximately 64 KB in size. The function must process messages in order and exactly once. The current implementation uses a Service Bus trigger with batch processing enabled. You notice that occasionally duplicate messages are processed. You need to ensure exactly-once processing while maintaining message ordering. What should you do?

A. Disable batch processing in the function trigger and process messages one at a time.
B. Enable sessions on the Service Bus queue and update the function trigger to use sessions.
C. Increase the lock duration on the Service Bus queue to 5 minutes.
D. Set the maxDeliveryCount property on the queue to 1.
Answer: B

Sessions ensure ordered and exactly-once processing within a session.

Why this answer

Option B is correct because enabling sessions on the Service Bus queue and using a session-enabled trigger guarantees message ordering and exactly-once processing. Sessions group related messages into a logical sequence, and the Service Bus trigger locks the entire session, ensuring that messages within a session are processed in order and that no other consumer can process the same session concurrently. This prevents duplicate processing while maintaining the required ordering.

Exam trap

The trap here is that candidates often confuse disabling batch processing or increasing lock duration with solving duplicate processing, but these do not address the root cause of duplicate deliveries; only session-based or duplicate detection mechanisms guarantee exactly-once processing with ordering.

How to eliminate wrong answers

Option A is wrong because disabling batch processing only processes messages one at a time but does not prevent duplicates; the trigger can still receive the same message multiple times if the lock expires or if there is a transient failure. Option C is wrong because increasing the lock duration only gives more time to process a message before the lock expires, but it does not prevent duplicate deliveries caused by other factors like receiver crashes or competing consumers. Option D is wrong because setting maxDeliveryCount to 1 will cause the message to be dead-lettered after the first failed delivery attempt, but it does not prevent duplicates from being delivered in the first place; duplicate detection requires a different mechanism like sessions or duplicate detection history.

3
MCQ · medium

A company stores sensitive data in Azure Blob Storage. They require that all access to the storage account be authenticated via Microsoft Entra ID and that users must have the 'Storage Blob Data Reader' role assigned. A developer reports being unable to read blobs using the Azure portal despite having the role assigned. What is the most likely cause?

A. The storage account firewall is blocking the user's IP address.
B. The user does not have the Azure RBAC Reader role on the storage account's resource group to view the storage account in the portal.
C. The storage account is using a system-assigned managed identity for authentication.
D. The role is assigned at the storage account scope but the user is trying to access a different storage account.
Answer: B

The portal requires the Reader role to list resources, in addition to data-plane permissions.

Why this answer

Option B is correct because the Azure portal uses both control-plane (RBAC) and data-plane permissions; even with Storage Blob Data Reader, if the user lacks a Reader role at the subscription or resource group level, they cannot navigate to the storage account. Option C is wrong because managed identity is not involved. Option A is wrong because firewall settings would affect all users.

Option D is wrong because the role assignment is correct.

4
MCQ · medium

You are developing an Azure Logic App that processes files from an FTP server. The workflow must run every 10 minutes and process only new files. You need to ensure that files are not processed more than once. What should you use?

A. Use the FTP trigger 'When a file is added' with a recurrence of 10 minutes.
B. Use the 'When a file is added' trigger and store processed file names in a SQL database.
C. Use the FTP trigger 'When a file is added or modified' with a recurrence of 10 minutes.
D. Use the Sliding Window trigger and set the window size to 10 minutes.
Answer: C

This trigger supports deduplication by tracking file timestamps.

Why this answer

Option C is correct because the 'When a file is added or modified' FTP trigger in Azure Logic Apps automatically tracks processed files using a built-in 'trigger state' mechanism. When combined with a recurrence schedule (e.g., every 10 minutes), it ensures that only new or modified files since the last run are processed, preventing duplicate processing without external state management.

Exam trap

The trap here is that candidates often assume a simple 'When a file is added' trigger with a recurrence is sufficient, but they overlook that the 'or modified' variant is required to leverage the built-in deduplication state, while the plain 'added' trigger lacks this tracking and can cause reprocessing.

How to eliminate wrong answers

Option A is wrong because the 'When a file is added' trigger does not inherently track which files have already been processed; it can reprocess files if the trigger runs again without state persistence. Option B is wrong because storing processed file names in a SQL database introduces unnecessary complexity and external dependencies; the built-in trigger state already handles deduplication. Option D is wrong because the Sliding Window trigger is designed for event-based triggers (e.g., Azure Service Bus, Event Hubs) and is not applicable to FTP triggers; it does not provide file-level deduplication.

5
MCQ · hard

A company uses Azure API Management to expose APIs. They need to enforce rate limiting per subscription key and also allow a burst of requests for a short period. Which policy should they apply?

A. limit-concurrency
B. rate-limit (per product)
C. rate-limit-by-key
D. rate-limit-by-ip
Answer: C

Limits per subscription key with burst support.

Why this answer

The rate-limit-by-key policy (option C) enforces rate limits per key with a burst window. Option B is per product, not per key. Option D is for IP addresses.

Option A is for concurrency, not rate.

6
MCQ · hard

You deploy a containerized application on Azure Container Instances (ACI). The application writes data that must persist across container restarts and be accessible from multiple instances. Which volume mount should you configure?

A. Azure Files share
B. emptyDir volume
C. Azure Disk
D. ConfigMap
Answer: A

Azure Files offers SMB shares that can be mounted as volumes in ACI, persisting data independent of the container lifecycle.

Why this answer

Azure Files shares provide a fully managed SMB file share in the cloud that can be mounted as a volume in Azure Container Instances. This allows data written by the container to persist across restarts and be accessed concurrently by multiple container instances, meeting the requirements for durability and shared access.

Exam trap

The trap here is confusing Azure Disk (which is block storage with ReadWriteOnce semantics) with Azure Files (which is file storage with ReadWriteMany semantics), leading candidates to choose Azure Disk for persistence without considering multi-instance access requirements.

How to eliminate wrong answers

Option B is wrong because an emptyDir volume is ephemeral and tied to the lifecycle of a pod; data is lost when the container restarts and cannot be shared across multiple instances. Option C is wrong because Azure Disk supports ReadWriteOnce access mode, meaning it can only be mounted by a single container instance at a time, not multiple instances concurrently. Option D is wrong because a ConfigMap is designed for injecting configuration data (e.g., environment variables, files) into containers, not for persistent storage of application data.

7
Multi-Select · easy

You are developing an Azure App Service web app that must authenticate users via Microsoft Entra ID. Which TWO components are required to set up authentication?

Select 2 answers
A. A managed identity
B. Client ID and Client Secret
C. An App Registration in Microsoft Entra ID
D. An Azure AD B2C tenant
E. Azure Front Door
Answers: B, C

These are used in the OAuth2 flow to obtain tokens.

Why this answer

To authenticate users via Microsoft Entra ID in an Azure App Service web app, you must register the app in Entra ID (Option C) to establish an identity and configure authentication. The Client ID and Client Secret (Option B) are then used as credentials in the OAuth 2.0 authorization code flow to verify the app's identity and obtain tokens. These two components are mandatory for the standard OpenID Connect authentication flow.

Exam trap

The trap here is that candidates often confuse managed identities (used for Azure resource-to-resource authentication) with the credentials needed for user authentication, leading them to select Option A instead of the correct Client ID and Secret.

8
MCQ · hard

A Kubernetes-based image resize worker on AKS must pull images from Azure Container Registry without storing registry passwords in Kubernetes secrets. What should be used?

A. Store the ACR admin password in every deployment manifest
B. Attach the ACR to AKS or grant the kubelet managed identity AcrPull
C. Make the container registry public
D. Use an App Service deployment slot
Answer: B

AKS can authenticate to ACR through managed identity permissions such as AcrPull.

Why this answer

Option B is correct because attaching an ACR to an AKS cluster or granting the kubelet managed identity the AcrPull role eliminates the need to store registry passwords in Kubernetes secrets. This leverages Azure AD managed identities for secure, password-less authentication, where the AKS cluster's kubelet uses its managed identity to authenticate with ACR via Azure Resource Manager tokens. The AcrPull role assignment authorizes the identity to pull images, ensuring credentials are never exposed in manifests or secrets.

Exam trap

The trap here is that candidates may think storing credentials in Kubernetes secrets (option A) is acceptable, but the question explicitly forbids that, and they might overlook the managed identity integration as the secure, password-less alternative.

How to eliminate wrong answers

Option A is wrong because storing the ACR admin password in every deployment manifest violates security best practices by exposing static credentials in plaintext, and it requires manual rotation of passwords across all manifests. Option C is wrong because making the container registry public exposes all images to the internet without authentication, creating a severe security vulnerability and violating least-privilege principles. Option D is wrong because App Service deployment slots are a feature for staging and swapping deployments in Azure App Service, not for authenticating to ACR from AKS; they have no relevance to Kubernetes image pull authentication.

9
MCQ · hard

Your Azure App Service app uses SignalR Service to push real-time updates to clients. You notice that some clients are disconnected after 30 minutes of inactivity. What is the most likely cause and solution?

A. The app service plan is scaled down, causing idle connections to drop
B. The app service plan has an idle timeout of 30 minutes
C. The SignalR service is in serverless mode, which disconnects idle clients
D. The Azure SignalR Service has a default client timeout of 30 minutes; configure the ClientTimeout setting in the SignalR service
Answer: D

The default client timeout is 30 minutes; increasing it resolves disconnections.

Why this answer

Option D is correct because Azure SignalR Service has a default client timeout of 30 minutes; it can be increased. Option B is wrong because the 30-minute default belongs to the SignalR Service client timeout, not the App Service plan. Option C is wrong because serverless mode does not affect the timeout.

Option A is wrong because the App Service plan does not limit SignalR connections directly.

10
Drag & Drop · medium

Arrange the steps to implement Azure Functions with a Cosmos DB trigger in the correct order.


Why this order

First create Cosmos DB, then Function App, add trigger binding, write code, test.

11
MCQ · hard

You are building a compliance solution that stores terabytes of data in Azure Blob Storage. Data is appended frequently and never modified. Regulatory requirements mandate that no data can be overwritten or deleted for 7 years. Which storage configuration should you enable?

A. Enable immutability policy (time-based retention)
B. Enable blob soft delete
C. Enable blob versioning
D. Enable change feed
Answer: A

Correct. A time-based retention policy makes blobs immutable for the specified duration (up to 7 years or more), meeting compliance requirements.

Why this answer

A is correct because a time-based retention policy under Azure Blob Storage immutability policy ensures that blobs cannot be overwritten or deleted for a specified duration (here, 7 years). This meets the regulatory requirement of write-once-read-many (WORM) compliance, and the policy is enforced at the storage container level, preventing any modifications or deletions even by the storage account owner.

Exam trap

The trap here is that candidates often confuse immutability policies with soft delete or versioning, thinking that preserving previous versions or recovering deleted blobs satisfies the 'no overwrite or delete' requirement, but only immutability policies provide a hard enforcement that prevents the operation from succeeding in the first place.

How to eliminate wrong answers

Option B is wrong because blob soft delete only protects against accidental deletion by retaining deleted blobs for a configurable retention period, but it does not prevent overwrites or provide a hard guarantee against deletion—data can still be permanently deleted before the soft-delete retention expires if the policy is changed. Option C is wrong because blob versioning preserves previous versions of a blob when it is overwritten or deleted, but it does not prevent overwrites or deletions from occurring; a user can still overwrite the current version, and the regulatory requirement mandates that no data can be overwritten or deleted at all. Option D is wrong because the change feed provides a transaction log of all changes to blobs in a container, but it does not enforce any retention or immutability—it only records events and does not prevent modifications or deletions.

12
MCQ · easy

A company uses Azure Logic Apps to integrate with a third-party REST API. The API has a rate limit of 100 requests per minute. You need to ensure that the Logic App respects this limit. Which connector feature should you configure?

A. Retry policy.
B. Concurrency control.
C. Swagger connector.
D. API Management.
Answer: B

Correct. Concurrency control limits the number of in-flight requests, helping to stay within rate limits.

Why this answer

Concurrency control in Azure Logic Apps limits the number of concurrent runs of a workflow. By setting the concurrency limit to 1, you ensure that only one instance of the Logic App executes at a time, effectively serializing requests and preventing the app from exceeding the third-party API's rate limit of 100 requests per minute. This is the correct feature to throttle throughput to match external constraints.

Exam trap

The trap here is that candidates often confuse Retry policy (which handles failures after they occur) with concurrency control (which prevents the failures by limiting parallelism), leading them to select Retry policy as a proactive solution when it is actually reactive.

How to eliminate wrong answers

Option A is wrong because Retry policy handles transient failures (e.g., HTTP 429 or 5xx) by retrying failed requests, but it does not prevent the Logic App from sending too many requests in the first place; it only reacts after a limit is exceeded. Option C is wrong because a Swagger connector is used to import an OpenAPI definition for custom API integration, not to control request rate or concurrency. Option D is wrong because API Management is an external service that can enforce rate limits via policies, but it is not a feature of the Logic App connector itself; the question asks for a connector feature to configure within the Logic App.

13
Multi-Select · easy

You are building a serverless API using Azure Functions. The API must be secured with OAuth 2.0 and must support both user authentication and application permissions. You need to configure the function app appropriately. Which TWO steps should you take?

Select 2 answers
A. Expose scopes and app roles in the Microsoft Entra ID app registration.
B. Use Azure AD v1.0 endpoints.
C. Configure authentication via the 'Authentication' blade in the portal.
D. Register the function app in Microsoft Entra ID.
E. Enable Azure App Service built-in authentication (EasyAuth).
Answers: A, D

Scopes for delegated permissions and app roles for application permissions are required.

Why this answer

Option A is correct because exposing scopes and app roles in the Microsoft Entra ID app registration is required to support both user authentication (via delegated permissions/scopes) and application permissions (via app roles). This allows the Azure Function to validate tokens for both user and application contexts using OAuth 2.0.

Exam trap

The trap here is that candidates often think enabling EasyAuth (Option E) alone is sufficient for OAuth 2.0 support, but it only handles token validation and does not configure the required scopes and app roles in the app registration.

14
MCQ · medium

You are using Azure Event Grid to respond to blob storage events (blob created). You need to ensure that only JPEG image files trigger a function for processing, while other files are ignored. The number of files is high, and you want to minimize cost and latency. How should you filter events?

A. Create the function to check the blob extension at the start of the function code and return early if it's not a JPEG.
B. Configure Advanced Filters on the Event Grid subscription with a 'subjectEndsWith' condition set to '.jpg' or '.jpeg'.
C. Create separate event subscriptions for each file extension and point them to different functions.
D. Use Event Hubs capture to filter files before sending events.
Answer: B

Advanced filters allow you to specify conditions on event properties. By using 'subjectEndsWith' for both .jpg and .jpeg, Event Grid will only deliver events that match, preventing unnecessary function invocations.

Why this answer

Option B is correct because Azure Event Grid supports advanced filtering on event properties, including 'subjectEndsWith', which allows you to filter events at the service level before they are delivered to the endpoint. This ensures that only blob creation events for files ending with '.jpg' or '.jpeg' trigger the function, reducing unnecessary invocations, cost, and latency. By filtering at the Event Grid level, you avoid processing unwanted events entirely, which is more efficient than filtering within the function code.

Exam trap

The trap here is that candidates often default to filtering inside the function code (Option A) because it seems simpler, but they overlook that Event Grid's advanced filtering can prevent the function from being triggered at all, which is the key to minimizing cost and latency in high-volume scenarios.

How to eliminate wrong answers

Option A is wrong because it requires the function to be invoked for every blob creation event, including non-JPEG files, which increases cost and latency due to unnecessary function executions; this approach does not minimize cost or latency as required. Option C is wrong because creating separate event subscriptions for each file extension increases management complexity and does not provide a cost or latency benefit over a single subscription with advanced filters; it also requires multiple functions or routing logic. Option D is wrong because Event Hubs capture is designed for data ingestion and storage, not for real-time event filtering; it adds unnecessary complexity and latency compared to Event Grid's built-in filtering capabilities.

15
MCQ · hard

You need to store a large (terabytes) append-only dataset for compliance purposes. The data must be immutable to prevent tampering after writes. You also want to minimize storage cost and achieve high write throughput. Which Azure Storage solution should you use?

A. Azure Blob Storage with Append Blobs and an immutable blob policy
B. Azure Data Lake Storage Gen2 with Append Blobs and immutability
C. Azure Files with immutable shares
D. Azure NetApp Files with immutability
Answer: A

Correct. Append Blobs are ideal for append operations, and immutability provides tamper-proof storage. Cost-effective for high-volume writes.

Why this answer

Azure Blob Storage with Append Blobs and an immutable blob policy is correct because Append Blobs are optimized for append-only operations (e.g., logging, audit trails) and support high write throughput. Immutable blob policies (WORM – Write Once, Read Many) enforce data immutability at the blob level, preventing modification or deletion during the retention period, which meets compliance requirements. This combination minimizes storage cost by using the cool or archive tier for Append Blobs, while still achieving the required write performance.

Exam trap

The trap here is that candidates often confuse Azure Data Lake Storage Gen2 (which is just Blob Storage with a hierarchical namespace) as having separate immutability features, but immutability is a Blob Storage capability that works identically on Data Lake Storage Gen2; however, the question's append-only requirement is best met by Append Blobs in standard Blob Storage, not by adding the hierarchical namespace overhead of Data Lake Storage Gen2.

How to eliminate wrong answers

Option B is wrong because Azure Data Lake Storage Gen2 is built on Blob Storage and supports Append Blobs, but it does not natively offer immutable blob policies; immutability is a Blob Storage feature, not a Data Lake Storage Gen2 feature, and using Data Lake Storage Gen2 would add unnecessary complexity and cost for a simple append-only compliance scenario. Option C is wrong because Azure Files with immutable shares is designed for SMB file shares and does not support append-only operations or high write throughput at the terabyte scale; it is optimized for shared file access, not streaming append workloads. Option D is wrong because Azure NetApp Files is a high-performance file service for NFS/SMB workloads, not designed for append-only blob storage; it lacks native append-blob semantics and immutable blob policies, and its cost is significantly higher for large-scale compliance data.

16
MCQ · hard

Trey Research uses Azure Service Bus for messaging between microservices. One microservice written in Node.js needs to send messages to a queue. The team wants to use managed identity to authenticate to Service Bus. The microservice runs in an Azure Container Instance (ACI) with a user-assigned managed identity. The identity has been granted 'Sender' role on the Service Bus namespace. The team uses the @azure/service-bus SDK. Which code snippet should the developer use to create a ServiceBusClient?

A. const { ServiceBusClient } = require('@azure/service-bus'); const { InteractiveBrowserCredential } = require('@azure/identity'); const credential = new InteractiveBrowserCredential(); const sbClient = new ServiceBusClient('<namespace>.servicebus.windows.net', credential);
B. const { ServiceBusClient } = require('@azure/service-bus'); const { DefaultAzureCredential } = require('@azure/identity'); const credential = new DefaultAzureCredential(); const sbClient = new ServiceBusClient('<namespace>.servicebus.windows.net', credential);
C. const { ServiceBusClient } = require('@azure/service-bus'); const { ManagedIdentityCredential } = require('@azure/identity'); const credential = new ManagedIdentityCredential('<client-id>'); const sbClient = new ServiceBusClient('<namespace>.servicebus.windows.net', credential);
D. const { ServiceBusClient } = require('@azure/service-bus'); const sbClient = new ServiceBusClient('<connection-string>');
Answer: B

Correct: DefaultAzureCredential works with a user-assigned managed identity if the AZURE_CLIENT_ID environment variable is set.

Why this answer

Use DefaultAzureCredential, which will use the user-assigned managed identity if the environment variable AZURE_CLIENT_ID is set to the identity's client ID. Option B is correct. Option C uses ManagedIdentityCredential but requires an explicit client ID.

Option D uses a connection string. Option A uses InteractiveBrowserCredential, which is not for server scenarios.

17
MCQ · easy

Your Azure App Service app must access Azure Key Vault secrets without storing credentials in code. Which service should you use to manage identities?

A. Service principal with client secret
B. Managed identity
C. Storage account access key
D. Client certificate
Answer: B

Managed identities eliminate the need for credentials.

Why this answer

Option B is correct because managed identities provide an automatically managed identity for Azure resources to access Key Vault securely. Option A is wrong because service principals require manual credential management. Option D is wrong because client certificates still require storage.

Option C is wrong because storage account access keys are for storage, not Key Vault.

18
MCQ · medium

You develop an Azure Function app that processes orders. The function must write order status updates to a database. You need to ensure that if the function fails after writing to the database, the order is not lost and can be retried. Which pattern should you implement?

A. Use a Durable Functions orchestration
B. Use a retry policy in the function code
C. Enable function-level exception handling
D. Use an Azure Storage Queue for the function input
Answer: A

Durable Functions allow you to define an orchestrator that coordinates activities, provides retry, and handles failures atomically.

Why this answer

Option A is correct because Durable Functions orchestrations provide built-in support for reliable execution and automatic retry on failure. By using an orchestration, you can write the order status to the database as an activity function, and if the function fails after the write, the orchestration can replay from the last checkpoint, ensuring the order is not lost and can be retried without duplicating the write.

Exam trap

The trap here is that candidates often confuse a simple retry policy (Option B) with the durable checkpointing and replay mechanism, not realizing that a retry policy alone cannot prevent duplicate writes or recover from failures that occur after a side effect has been committed.

How to eliminate wrong answers

Option B is wrong because a retry policy in the function code only retries the current invocation; if the failure occurs after the database write, the retry would re-execute the entire function, potentially causing duplicate writes or inconsistent state. Option C is wrong because enabling function-level exception handling merely catches errors but does not provide a mechanism to replay or retry the operation from a known safe point, so the order could be lost if the function fails after the database write. Option D is wrong because using an Azure Storage Queue for input only decouples the trigger but does not inherently provide checkpointing or replay capabilities; the function would still need to manage its own retry and idempotency logic to avoid losing the order.

19
Multi-Select · hard

Your application uses Azure App Service and needs to authenticate users via Microsoft Entra ID. Which THREE components must be configured in the App Service authentication settings?

Select 3 answers
A. Client ID
B. Allowed token audiences
C. Issuer URL
D. Client secret
E. Tenant ID
Answers: A, B, C

Required to identify the application.

Why this answer

Option A is correct because the client ID identifies the application to Entra ID. Option C is correct because the issuer URL tells App Service where to validate tokens. Option B is correct because allowed token audiences ensure the token is intended for this app.

Option D is wrong because the client secret is optional for some flows. Option E is wrong because the tenant ID is part of the issuer URL.

20
Multi-Select · hard

You are designing a serverless application using Azure Functions that needs to read from an Azure Storage Blob, process the data, and write to Azure Cosmos DB. Which THREE bindings are required?

Select 3 answers
A. HTTP trigger
B. Cosmos DB input binding
C. Blob input binding
D. Cosmos DB output binding
E. Timer trigger
Answers: A, C, D

Triggers the function execution.

Why this answer

The HTTP trigger is correct because the question describes a serverless application that needs to be invoked to read from Blob Storage, process data, and write to Cosmos DB. An HTTP trigger allows the function to be started via an HTTP request, which is the typical entry point for such event-driven processing. Without a trigger, the function cannot execute; the HTTP trigger provides the necessary invocation mechanism.

Exam trap

The trap here is that candidates often confuse input bindings with output bindings, mistakenly thinking a Cosmos DB input binding is needed to read data, when in fact the data source is Blob Storage and only an output binding to Cosmos DB is required.

21
MCQ · easy

You have an Azure App Service web app with a system-assigned managed identity. You need to grant it permission to read secrets from an Azure Key Vault. Which RBAC role should you assign to the managed identity at the Key Vault scope?

A. Key Vault Secrets User
B. Key Vault Reader
C. Key Vault Crypto User
D. Contributor
Answer: A

This role allows reading secret contents, which is exactly what you need.

Why this answer

The system-assigned managed identity needs to read secrets from Key Vault. The 'Key Vault Secrets User' role grants exactly that permission — it allows the identity to perform secret read operations (Get, List) on the secrets in the vault. This is the correct RBAC role for read-only access to secrets, as opposed to keys or certificates.

Exam trap

The trap here is that candidates often confuse 'Key Vault Reader' (which only reads vault metadata, not secrets) with the actual data-plane role needed for secret access, or they mistakenly choose a broad role like 'Contributor' thinking it includes secret read permissions.

How to eliminate wrong answers

Option B is wrong because 'Key Vault Reader' only allows listing and reading the metadata of the vault itself (e.g., vault properties, tags), not the actual secret values. Option C is wrong because 'Key Vault Crypto User' grants permissions for cryptographic operations on keys (e.g., encrypt, decrypt, sign, verify), not for reading secrets. Option D is wrong because 'Contributor' is a general Azure RBAC role that grants full management access to the Key Vault resource (including creating/deleting vaults and changing access policies), which is far more permissive than needed and violates the principle of least privilege.

22
MCQeasy

You manage a web application on Azure App Service. You need to monitor its availability from multiple geographic locations, checking that the homepage loads and returns HTTP 200 within 5 seconds. You want an alert if any location fails. Which type of Application Insights test should you create?

A.Availability test (URL ping test)
B.Multi-step web test
C.Standard test
D.Custom metric test
AnswerA

A URL ping test from multiple locations checks the HTTP status and response time, meeting the requirement.

Why this answer

A URL ping test is the correct choice because it is the simplest availability test in Application Insights, designed to check that a single URL returns an HTTP 200 response within a specified timeout (here, 5 seconds). It can be configured to run from multiple geographic locations, and you can set an alert to fire if any location reports a failure, meeting the requirement exactly.

Exam trap

The trap here is that candidates may confuse the 'standard test' (which is a newer, feature-rich availability test) with the simpler 'URL ping test', but the question explicitly asks for the simplest test that meets the basic HTTP 200 and timeout requirements, making the URL ping test the correct answer.

How to eliminate wrong answers

Option B is wrong because a multi-step web test is used for validating a sequence of user actions (e.g., login, navigate, submit) across multiple URLs, not for a single homepage check. Option C is wrong because a standard test is a newer, more advanced availability test that supports SSL certificate validation and request headers, but it is not the simplest option for a basic HTTP 200 check and is not required here. Option D is wrong because a custom metric test is not a type of availability test; it is used to send custom metrics to Application Insights via the TrackMetric API, not for monitoring URL availability from multiple locations.

23
MCQeasy

A developer needs to store a large number of binary files (images) that are accessed frequently from a web app. Which Azure storage solution is most cost-effective?

A.Azure Queue Storage
B.Azure Files
C.Azure Blob Storage
D.Azure Cosmos DB
AnswerC

Blob Storage is designed for large-scale unstructured data and is cost-effective for images.

Why this answer

Option C is correct because Blob Storage is optimized for storing large amounts of unstructured data like images. Option B (Azure Files) is for file shares; Option D (Cosmos DB) is a database; Option A (Queue Storage) is for messages.

24
MCQeasy

You are building a serverless API using Azure Functions. The API must authenticate requests using Microsoft Entra ID. You need to restrict access to users from a specific Microsoft Entra tenant only. What should you configure in the function app?

A.Set the 'Allowed Token Audiences' to the application ID.
B.Enable 'Require Authentication' and set the action to 'Login with Microsoft Entra ID'.
C.Set the 'Client ID' to the application ID.
D.Set the 'Issuer URL' to the specific tenant's endpoint.
AnswerD

The issuer URL validation restricts tokens to a specific tenant.

Why this answer

Option D is correct because setting the 'Issuer URL' to the specific tenant's endpoint (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0) tells Azure Functions to validate that the token was issued by that exact tenant. This restricts access to users from that tenant only, as tokens from other tenants will fail issuer validation.

Exam trap

The trap here is that candidates confuse 'Client ID' (which identifies the app) or 'Allowed Token Audiences' (which validates the audience) with tenant restriction, but only the Issuer URL enforces which tenant's tokens are accepted.

How to eliminate wrong answers

Option A is wrong because 'Allowed Token Audiences' validates that the token is intended for your application (audience claim), not the tenant; it does not restrict which tenant issued the token. Option B is wrong because enabling 'Require Authentication' with 'Login with Microsoft Entra ID' simply enforces authentication but does not restrict to a specific tenant; it allows any Microsoft Entra ID tenant by default. Option C is wrong because setting the 'Client ID' identifies your application to the identity provider, but does not enforce tenant restriction; it is used for audience validation, not issuer validation.

25
MCQmedium

Your Azure web app is running in a production environment. Users report that the app is slow. You need to identify the root cause without impacting production traffic. Which approach should you use?

A.Enable Application Insights Profiler
B.Enable Application Insights sampling at 100%
C.Run a load test in a staging slot
D.Review server logs in the web app
AnswerA

Correct. Profiler runs with low overhead and captures detailed traces, allowing you to pinpoint slow dependencies or code paths in production.

Why this answer

Application Insights Profiler provides detailed, per-request performance traces that pinpoint which code paths are consuming the most time, enabling root cause analysis of slow responses without altering production traffic. Unlike sampling or logs, Profiler captures execution data on-demand or automatically with minimal overhead, making it ideal for diagnosing latency issues in a live environment.

Exam trap

The trap here is that candidates often confuse high-level monitoring (logs, metrics) with diagnostic profiling, assuming that more data (100% sampling) or separate testing (staging slot) will solve the problem, when in fact Profiler is the only tool designed for low-overhead, code-level latency analysis in production.

How to eliminate wrong answers

Option B is wrong because enabling sampling at 100% would capture every telemetry event, significantly increasing data volume and cost, and could impact app performance due to the overhead of transmitting all telemetry, which defeats the goal of not affecting production traffic. Option C is wrong because running a load test in a staging slot tests synthetic traffic, not the actual production workload causing user-reported slowness, so it cannot identify the real root cause. Option D is wrong because reviewing server logs provides high-level error and request counts but lacks the granular, code-level timing details needed to pinpoint specific slow code paths, making it insufficient for root cause analysis of performance issues.

26
MCQmedium

You manage a set of APIs using Azure API Management (APIM). One backend API requires an API key passed in the 'X-API-Key' header. The API key is stored securely in a named value in APIM. You need to configure APIM to add this header to all requests to that backend without exposing the key to API consumers. Which policy should you add to the inbound processing for that API?

A.set-backend-service
B.set-header
C.authentication-basic
D.validate-jwt
AnswerB

The set-header policy can add the X-API-Key header with the value from a named value, keeping the key secure and hidden from consumers.

Why this answer

The 'set-header' policy in Azure API Management allows you to add, modify, or remove HTTP headers on requests or responses. By placing this policy in the inbound processing section, you can inject the 'X-API-Key' header with the value retrieved from a named value (using the '{{NamedValue}}' syntax) without exposing the key to API consumers, as the policy executes on the gateway side.

Exam trap

The trap here is that candidates often confuse 'set-header' with 'authentication-basic' because both deal with adding authentication-related headers, but 'authentication-basic' specifically encodes credentials in Base64 and is intended for HTTP Basic Auth, not for arbitrary API key headers.

How to eliminate wrong answers

Option A is wrong because 'set-backend-service' is used to change the backend service URL for the request, not to manipulate headers. Option C is wrong because 'authentication-basic' is used to add a Basic Authentication header (username:password encoded in Base64) to the backend request, which is not the same as adding a custom API key header. Option D is wrong because 'validate-jwt' is used to enforce the existence and validity of a JSON Web Token (JWT) in the request, not to add a header.

27
MCQmedium

You are building a mobile app backend using Azure Functions. The function must send push notifications to devices using the Notification Hubs service. You need to authenticate the function to Notification Hubs using the principle of least privilege. What should you use?

A.Store the Notification Hubs connection string in Application Settings.
B.Use a managed identity assigned to the Function App to access Notification Hubs.
C.Create a shared access signature (SAS) token for the Notification Hub.
D.Use Microsoft Entra ID OAuth 2.0 client credentials flow.
AnswerB

Managed identity allows the function to authenticate without secrets, and roles can be assigned with fine-grained permissions, achieving least privilege.

Why this answer

Option B is correct because using a managed identity assigned to the Function App allows it to authenticate to Azure Notification Hubs without storing any credentials in code or configuration. This follows the principle of least privilege by granting only the necessary permissions (e.g., via Azure RBAC role assignments like 'Notification Hubs Data Sender') and eliminates the risk of connection string leakage. Managed identities are the recommended approach for Azure services to securely access other Azure resources.

Exam trap

The trap here is that candidates often confuse managed identities with SAS tokens or connection strings, thinking any form of shared secret is acceptable, but the principle of least privilege demands a secretless, identity-based approach that only managed identities provide.

How to eliminate wrong answers

Option A is wrong because storing the Notification Hubs connection string in Application Settings still exposes a shared secret that grants broad permissions (e.g., manage, send, listen) and violates the principle of least privilege; it also requires manual rotation and management. Option C is wrong because creating a SAS token for the Notification Hub still relies on a shared key and does not leverage Azure RBAC; SAS tokens are typically used for fine-grained access but still embed a secret and require secure distribution. Option D is wrong because Microsoft Entra ID OAuth 2.0 client credentials flow is used for service-to-service authentication with an app registration and client secret, which still requires managing a secret and does not provide the zero-secret, identity-based access that managed identities offer.

28
MCQmedium

You have an Azure Function app that uses a Service Bus queue trigger. The function processes messages, but sometimes it takes longer than 5 minutes to process a single message. You notice that the message is processed multiple times. What is the most likely cause?

A.The function's timeout is set to 5 minutes
B.The lock duration on the queue is shorter than the processing time
C.The maxDeliveryCount is set too high
D.The queue has sessions enabled
AnswerB

Correct: When the lock expires, another consumer can process the same message.

Why this answer

Option B is correct because the default lock duration for Service Bus queues is 60 seconds, and if processing takes longer, the lock is lost and the message becomes visible again, leading to duplicate processing. Option C is wrong because maxDeliveryCount is for poison messages. Option D is wrong because sessions are not related.

Option A is wrong because the function's timeout does not affect the lock.

29
Multi-Selecthard

Which THREE actions should be taken to secure an Azure App Service web app that accesses an Azure SQL Database? (Choose three.)

Select 3 answers
A.Store the connection string in App Service application settings.
B.Enable Managed Identity for the App Service.
C.Use Azure Key Vault to store secrets and reference them from the app.
D.Configure Azure SQL Database firewall to allow Azure services.
E.Disable TLS 1.2 on the App Service.
AnswersB, C, D

Allows identity-based authentication without secrets.

Why this answer

Enabling Managed Identity (B), using Azure Key Vault (C), and configuring the firewall (D) are security best practices. Storing connection strings in app settings (A) is less secure. Disabling TLS 1.2 (E) is insecure.

30
MCQhard

You are creating an Azure function that uses an output binding to write messages to an Azure Storage Queue. The function must ensure that messages are not lost if the function fails after writing to the queue. Which approach should you use?

A.Use a separate queue client SDK to write messages and handle errors manually.
B.Write to the queue directly in the function code and rely on the function's retry policy.
C.Use a durable function to orchestrate the writing and processing.
D.Use the queue output binding with a queue trigger input binding in the same function.
AnswerD

This ensures transactional consistency.

Why this answer

Option D is correct because using a queue output binding with a queue trigger input binding in the same function ensures that the message is only written to the queue after the function execution completes successfully. If the function fails after the write, the output binding automatically rolls back the write, preventing message loss. This is achieved through the Azure Functions runtime's transactional behavior with storage bindings.

Exam trap

The trap here is that candidates often assume direct SDK calls or retry policies provide sufficient reliability, but they overlook the atomic write guarantee that only output bindings with a trigger input binding provide in Azure Functions.

How to eliminate wrong answers

Option A is wrong because using a separate queue client SDK bypasses the built-in transactional guarantees of Azure Functions bindings, requiring manual error handling and risking message loss if the function fails after the SDK write. Option B is wrong because writing directly to the queue in function code and relying on the function's retry policy does not guarantee atomicity; if the function fails after the write, the message is already in the queue and cannot be rolled back. Option C is wrong because durable functions are designed for complex orchestration and state management, not for ensuring atomic message writes to a queue; they add unnecessary complexity and do not solve the specific transactional requirement.

31
MCQmedium

You are deploying a web app to Azure App Service that must use a custom domain with TLS/SSL. You have purchased an SSL certificate from a third-party CA. How should you upload and bind the certificate to the custom domain?

A.Place the certificate files in the wwwroot folder of the app and configure the web.config.
B.Import the certificate into Azure Key Vault and reference it from App Service.
C.Upload the .cer file to the App Service and let Azure generate the private key.
D.Upload the .pfx file to the App Service TLS/SSL settings and bind it to the custom domain.
AnswerD

The .pfx format includes the private key, which is required for TLS binding.

Why this answer

Option D is correct because App Service requires the certificate to be uploaded as a .pfx file that includes the private key. Option C is wrong because .cer files do not contain the private key. Option A is wrong because certificates should not be placed in the app's wwwroot folder.

Option B is wrong because Key Vault integration is optional but not required.

32
MCQhard

You are designing a solution that uses Azure Functions to process events from Azure Event Hubs. The function must process events in order and exactly once per partition. What should you do?

A.Enable session state in the function app.
B.Use a Service Bus queue trigger with a singleton lock.
C.Disable checkpointing to ensure no duplicates.
D.Use the Event Hubs trigger for Azure Functions with default configuration.
AnswerD

Event Hubs trigger processes events in order per partition and uses checkpointing for exactly-once.

Why this answer

The Event Hubs trigger for Azure Functions, by default, processes events in order and exactly once per partition. It uses checkpointing to track the offset of the last successfully processed event, ensuring that each event is processed only once and in sequence within a partition. This default behavior aligns with the requirement without needing additional configuration.

Exam trap

The trap here is that candidates may think they need to manually configure session state or disable checkpointing to achieve ordering and exactly-once processing, but the default Event Hubs trigger already handles this via partition-based ordering and checkpointing.

How to eliminate wrong answers

Option A is wrong because session state is a feature of Service Bus, not Event Hubs; it enables ordered processing of messages in a session, but Event Hubs partitions inherently provide ordering without session state. Option B is wrong because a Service Bus queue trigger with a singleton lock would not process events from Event Hubs; it is designed for Service Bus queues and does not support Event Hubs partitions or checkpointing. Option C is wrong because disabling checkpointing would cause the function to reprocess events from the beginning each time, leading to duplicates and loss of ordering, which contradicts the 'exactly once' requirement.

33
MCQhard

A company uses Azure Service Bus for messaging between microservices. They need to ensure that messages are processed in order within a partition. Which feature should they enable?

A.Duplicate detection
B.Partitioning
C.Sessions
D.Dead-letter queue
AnswerC

Sessions guarantee FIFO order within a session.

Why this answer

Sessions in Service Bus enable ordered processing of messages within a session. Option B is wrong because partitioning distributes messages across partitions; it does not guarantee order. Option A is wrong because duplicate detection prevents duplicates but does not guarantee order.

Option D is wrong because dead-lettering is for undelivered messages.

34
Multi-Selecteasy

Which TWO methods can you use to authenticate an Azure App Service web app to Azure SQL Database without storing credentials in code? (Choose two.)

Select 2 answers
A.Store the SQL connection string in Azure Key Vault and use a Key Vault reference in the app settings.
B.Enable a system-assigned managed identity on the App Service and grant it access to the database.
C.Use a connection string with a SQL username and password.
D.Use a service principal with a client secret stored in app settings.
E.Use a client certificate installed on the App Service.
AnswersA, B

Credentials are retrieved securely at runtime.

Why this answer

Options A and B are correct. Managed identity allows the app to authenticate without credentials. Azure Key Vault can store credentials, and the app retrieves them at runtime.

Option C is wrong because connection strings with passwords expose credentials. Option D is wrong because a service principal with a client secret requires storing the secret. Option E is wrong because certificate authentication requires certificate management.

35
MCQmedium

Your company uses Microsoft Defender for Cloud. You need to receive alerts when a user modifies a Key Vault access policy. What should you configure?

A.Create an Azure Policy to audit access policy changes
B.Configure Microsoft Sentinel to monitor Key Vault
C.Enable Key Vault logging and query logs
D.Set up an activity log alert on the Key Vault
AnswerD

Activity log alerts trigger on specific operations like write to access policy.

Why this answer

Azure Policy can audit or enforce specific configurations, but for real-time alerts you should use Azure Monitor alerts on activity log events. Option A is wrong because Azure Policy can be used to audit but not to alert in real time. Option C is wrong because Key Vault logging is for audit, not real-time alerts.

Option B is wrong because Microsoft Sentinel is a SIEM that can ingest logs but is not the simplest solution for alerting on activity log events.

36
MCQmedium

You are building a serverless application that processes images uploaded to an Azure Blob Storage container. When a new blob is added, an Azure Function (PowerShell) is triggered to generate a thumbnail and store it in a different container. The function must run with the least privilege necessary. The function uses a managed identity assigned to the function app. You need to grant the function access to read blobs from the source container and write blobs to the destination container. The storage account already has a private endpoint configured. What is the correct way to assign permissions?

A.Generate a SAS token for the source container with read permission and for the destination container with write permission, and store them in Key Vault for the function to retrieve.
B.Add the function app's managed identity to the storage account's Access Control (IAM) with the 'Storage Blob Data Owner' role on the entire storage account.
C.Add the function app's managed identity to the source container's Access Control (IAM) with the 'Storage Blob Data Reader' role, and to the destination container with the 'Storage Blob Data Contributor' role.
D.Use the storage account connection string in the function app settings and access the blobs using the connection string.
AnswerC

This grants exactly the needed permissions on each container.

Why this answer

Option C is correct because it uses Azure RBAC roles scoped to individual containers, granting the function app's managed identity exactly the permissions needed: 'Storage Blob Data Reader' for reading from the source container and 'Storage Blob Data Contributor' for writing to the destination container. This follows the principle of least privilege, avoids over-permissioning, and works seamlessly with private endpoints since RBAC does not depend on network paths.

Exam trap

The trap here is that candidates often choose the overly broad 'Storage Blob Data Owner' role (Option B) because they think it's simpler, but the question explicitly requires 'least privilege necessary,' making container-scoped roles the correct answer.

How to eliminate wrong answers

Option A is wrong because generating SAS tokens and storing them in Key Vault introduces unnecessary complexity and secret management overhead, and SAS tokens can be leaked or expire; managed identity with RBAC is simpler and more secure. Option B is wrong because assigning the 'Storage Blob Data Owner' role on the entire storage account grants far more permissions than needed (including full control over all containers and data), violating the least privilege requirement. Option D is wrong because using a storage account connection string embeds a shared key in the function app settings, which is a security risk (key exposure) and does not leverage managed identity; it also bypasses the private endpoint's network isolation benefits.

37
MCQmedium

An application calls an Event Grid event stream through HTTP. The developer must implement retries without overwhelming the remote system during partial outages. Which retry pattern is best?

A.Immediate infinite retries
B.Retry only after restarting the application
C.Disable all timeout settings
D.Exponential backoff with jitter and a maximum retry limit
AnswerD

Backoff with jitter reduces retry storms and gives the remote service time to recover.

Why this answer

Exponential backoff with jitter and a maximum retry limit is the best pattern because it prevents overwhelming the Event Grid endpoint during partial outages by progressively increasing wait times between retries, while jitter randomizes those intervals to avoid thundering herd problems. The maximum retry limit ensures the system does not retry indefinitely, aligning with Event Grid's own retry policy (which uses exponential backoff up to 30 minutes and a max of 30 retries for HTTP 5xx errors). This balances resilience with resource protection.

Exam trap

The trap here is that candidates may think immediate retries or disabling timeouts are acceptable for reliability, but Azure explicitly recommends exponential backoff with jitter and a cap to protect both the client and the service from overload during outages.

How to eliminate wrong answers

Option A is wrong because immediate infinite retries would flood the Event Grid endpoint with requests during an outage, likely causing a thundering herd problem and potentially triggering rate limiting or denial-of-service conditions. Option B is wrong because retrying only after restarting the application introduces unnecessary downtime and fails to handle transient failures gracefully, as Event Grid expects clients to retry with backoff for HTTP 429 or 5xx responses. Option C is wrong because disabling all timeout settings removes critical safeguards, risking indefinite hangs and resource exhaustion, and does not address retry logic or backoff behavior.

38
MCQhard

Your company uses Azure API Management to expose APIs to external partners. You need to validate that each incoming request includes a valid JSON Web Token (JWT) issued by your Microsoft Entra ID tenant, and reject requests without valid tokens. What should you configure?

A.Configure an OAuth 2.0 authorization server in API Management
B.Require a subscription key for each API
C.Use an IP access restriction policy
D.Add a validate-jwt policy in the inbound processing policy
AnswerD

The validate-jwt policy validates the JWT token and rejects invalid or missing tokens.

Why this answer

Option D is correct because a validate-jwt policy in the inbound processing pipeline checks the token before the request reaches the backend. Option A is wrong because OAuth 2.0 authorization server doesn't validate tokens per request. Option B is wrong because subscription keys are not tokens.

Option C is wrong because IP filtering does not validate tokens.

39
Multi-Selectmedium

Which TWO services can be used to implement serverless event-driven architectures in Azure? (Choose 2)

Select 2 answers
A.Azure Batch
B.Azure Logic Apps
C.Azure Kubernetes Service
D.Azure App Service
E.Azure Functions
AnswersB, E

Logic Apps provides serverless workflow automation triggered by events.

Why this answer

Option E is correct because Azure Functions is a serverless compute service. Option B is correct because Azure Logic Apps provides serverless workflow automation. Option D is incorrect because Azure App Service is a platform for hosting web apps, not event-driven.

Option C is incorrect because Azure Kubernetes Service is container orchestration, not serverless. Option A is incorrect because Azure Batch is for batch computing, not event-driven.

40
MCQhard

You have an Azure App Service web app that uses Azure SQL Database. The connection string is stored in Azure Key Vault. You need to automatically rotate the database password every 30 days without app downtime. Which solution should you implement?

A.Store the connection string as a Key Vault reference in App Service application settings and use Key Vault's auto-rotation.
B.Use Azure CLI to update the connection string in App Service settings.
C.Use Managed Identity to access SQL Database instead of a password.
D.Update the connection string in the application code and redeploy.
AnswerA

Key Vault reference updates automatically without restart.

Why this answer

Option A is correct because storing the connection string as a Key Vault reference in App Service configuration allows automatic rotation without a restart. Option D is wrong because updating the connection string in code requires redeployment. Option B is wrong because updating App Service settings via CLI does not support automatic rotation.

Option C is wrong because using Managed Identity avoids passwords but does not rotate them; it's a better approach but the question specifically asks for password rotation without downtime.

41
MCQeasy

Refer to the exhibit. You have a custom RBAC role definition. A user assigned this role reports they can read, write, and delete blobs, but cannot list the containers in the storage account. What is the most likely reason?

A.The role does not grant delete permissions on containers.
B.The role lacks dataActions for reading blobs.
C.The user does not have the Reader role on the storage account to navigate in the Azure portal.
D.The role does not include the action to list containers.
AnswerC

Portal requires Reader role to list resources.

Why this answer

Option C is correct because the role includes container read permission (Microsoft.Storage/storageAccounts/blobServices/containers/read), which allows listing containers. However, the user may not have the Reader role at the storage account level to see the storage account in the portal. Option B is wrong because dataActions for blobs are included.

Option A is wrong because the role includes delete for containers and blobs. Option D is wrong because the actions include container read.

42
MCQmedium

Refer to the exhibit. An Azure OpenAI Service account is deployed with this ARM template. After deployment, a developer tries to call the OpenAI endpoint from an Azure App Service that has no public IP. The request is blocked. What change should be made to allow access?

A.Add a service tag for App Service in the ipRules.
B.Configure a private endpoint for the OpenAI account.
C.Change the defaultAction to Allow.
D.Add the App Service's outbound IP address to the ipRules.
AnswerB

Private endpoint allows secure access from Azure services via Microsoft backbone.

Why this answer

The network ACLs only allow a specific IP range. To allow an Azure service without a public IP, you should use a private endpoint (option B). Option A is wrong because ipRules accept IP addresses and ranges, not service tags. Option C is wrong because changing defaultAction to Allow would allow all traffic, which is insecure.

Option D is wrong because adding the App Service's outbound IP is not reliable due to dynamic IPs. Option B is the best practice.

43
MCQhard

A company uses Azure API Management (APIM) to expose a set of REST APIs. A new requirement mandates that all API calls must be throttled per user based on usage tiers (Free, Basic, Premium). User identity is provided via a JWT token. Which policy should the developer configure in APIM to enforce this throttling?

A.rate-limit policy
B.rate-limit-by-key policy
C.quota-by-key policy
D.IP-based throttling
AnswerB

rate-limit-by-key can throttle based on a key extracted from JWT claims, enabling per-user throttling.

Why this answer

Option B is correct because the rate-limit-by-key policy can throttle calls based on a key extracted from the JWT claim (e.g., subscription tier). Option A is incorrect because rate-limit policy applies globally, not per user. Option C is incorrect because quota-by-key limits total calls over a period, not rate.

Option D is incorrect because IP-based throttling does not consider user identity.

44
Multi-Selecthard

Which THREE are best practices for implementing an API using Azure API Management? (Choose three.)

Select 3 answers
A.Use policies to enforce throttling and quotas.
B.Implement caching policies to reduce backend load.
C.Use subscription keys for client authentication and rate limiting.
D.Use the Consumption tier for production APIs with custom domains.
E.Expose the backend service URLs directly to clients.
AnswersA, B, C

Policies let you enforce usage limits, cache responses and authenticate clients inside the gateway, so the backend is never exposed directly.

Why this answer

Options A, B, and C are correct. Use policies to enforce throttling and quotas. Implement caching policies to reduce backend load and improve response times. Use subscription keys to identify clients and tie rate limits to them (pair them with validate-jwt or client certificates when stronger authentication is needed).

Option D is wrong because the Consumption tier is designed for serverless, bursty or low-volume workloads and lacks features production APIs commonly rely on, such as the built-in cache, the developer portal and virtual network integration. Option E is wrong because exposing backend service URLs directly lets clients bypass API Management's authentication, throttling and logging entirely.

45
MCQhard

Refer to the exhibit. You are reviewing a role assignment for a managed identity. The JSON shows the role and scope. What access does this assignment grant?

A.Full management access to the storage account.
B.Read access to all containers in the storage account.
C.Read, write, and delete access to blobs in container c1.
D.Read-only access to blobs in container c1.
AnswerC

Storage Blob Data Contributor grants these permissions at container scope.

Why this answer

The role assignment grants the 'Storage Blob Data Contributor' role at the scope of container 'c1'. This role provides read, write, and delete access to blob data within that specific container, but not management operations on the storage account itself. Option C correctly identifies this level of access.

Exam trap

The trap here is that candidates confuse the 'Storage Blob Data Contributor' role with read-only access (Option D) or assume it applies to the entire storage account (Option B), missing the critical scope restriction to container 'c1'.

How to eliminate wrong answers

Option A is wrong because 'Storage Blob Data Contributor' does not grant management access to the storage account (e.g., configuring firewall rules or changing replication); that requires roles like 'Contributor' or 'Owner' at the storage account scope. Option B is wrong because the scope is limited to container 'c1', not all containers in the storage account, and the role allows write/delete operations, not just read. Option D is wrong because the role includes write and delete permissions, not read-only access.
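The evaluation described above, as an added example that is not part of the original page: a small Python model of how Azure RBAC decides whether an assignment applies, using the scope-prefix rule and the permission lists of Storage Blob Data Contributor. The subscription ID, resource group, account name, container names and principal name are constructed; the role's actions and dataActions are an abbreviated copy of the built-in role definition (assumption: taken from the Azure built-in roles reference). Deny assignments and ABAC conditions are deliberately out of scope.

```python
import re
from typing import Dict, List

# Abbreviated built-in role definition (assumption: the lists relevant here, copied from
# the Azure built-in roles reference).
ROLES: Dict[str, Dict[str, List[str]]] = {
    "Storage Blob Data Contributor": {
        "actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/write",
            "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        ],
        "notActions": [],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
        ],
        "notDataActions": [],
    },
}

# Constructed identifiers for the walk-through.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo"
CONTAINER_C1 = ACCOUNT + "/blobServices/default/containers/c1"
BLOB_PREFIX = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"

# The assignment under review: the managed identity gets the role at container scope.
ASSIGNMENTS = [
    {"principalId": "mi-app", "roleDefinitionName": "Storage Blob Data Contributor", "scope": CONTAINER_C1},
]


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies to its own scope and to every child scope beneath it.
    The '/' boundary matters: an assignment on c1 must not cover a container named c10."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def operation_matches(pattern: str, operation: str) -> bool:
    """Permission strings use '*' as a wildcard and compare case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_allowed(principal: str, operation: str, resource_scope: str, data_action: bool,
               assignments=ASSIGNMENTS, roles=ROLES) -> bool:
    """Allow if any assignment for the principal covers the scope and its role grants the operation."""
    allow_key, deny_key = ("dataActions", "notDataActions") if data_action else ("actions", "notActions")
    for assignment in assignments:
        if assignment["principalId"] != principal:
            continue
        if not scope_covers(assignment["scope"], resource_scope):
            continue
        role = roles[assignment["roleDefinitionName"]]
        granted = any(operation_matches(p, operation) for p in role[allow_key])
        excluded = any(operation_matches(p, operation) for p in role[deny_key])
        if granted and not excluded:
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("write blob in c1", BLOB_PREFIX + "write", CONTAINER_C1 + "/blobs/report.csv", True),
        ("delete blob in c1", BLOB_PREFIX + "delete", CONTAINER_C1 + "/blobs/report.csv", True),
        ("read blob in c2", BLOB_PREFIX + "read", ACCOUNT + "/blobServices/default/containers/c2/blobs/x", True),
        ("change account settings", "Microsoft.Storage/storageAccounts/write", ACCOUNT, False),
        ("list account keys", "Microsoft.Storage/storageAccounts/listKeys/action", ACCOUNT, False),
    ]
    for label, op, scope, is_data in checks:
        print(f"{label}: {is_allowed('mi-app', op, scope, is_data)}")
```

The four option letters map onto the checks directly: blob read, write and delete inside c1 pass (option C), the same read against c2 fails because the scope is not a child of the assignment, and both management operations fail because the role carries no `Microsoft.Storage/storageAccounts/write` or `listKeys` action at all, regardless of scope.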

46
MCQmedium

You are building an application that subscribes to an Azure Event Grid topic using a custom webhook endpoint. The endpoint is a web API hosted on Azure App Service. You need to ensure that only Event Grid can invoke your webhook endpoint, preventing unauthorized requests. What should you implement in your webhook endpoint?

A.IP address filtering to allow only the Azure Event Grid service tag
B.Validate the Aeg-SasKey header against a shared secret known to Event Grid
C.Require a client certificate that you upload to Event Grid
D.Use an OAuth 2.0 token from Microsoft Entra ID
AnswerB

Event Grid includes the Aeg-SasKey header in each delivery to the webhook; the endpoint compares it with the access key configured on the event subscription, in constant time, before it parses the body.

Why this answer

Option B is correct because Event Grid sends an Aeg-SasKey header with each request to a custom webhook endpoint. By comparing that header with the pre-configured shared secret (the key supplied when the event subscription was created), the endpoint confirms that the request came from your subscription and not from an arbitrary caller on the internet. Apply the check to the subscription validation handshake as well as to ordinary deliveries, use a constant-time comparison, and return 401 before deserialising anything.

Exam trap

The trap here is that candidates assume IP filtering (Option A) is sufficient on its own. The AzureEventGrid service tag exists and is a reasonable defence-in-depth network rule, but it identifies the Event Grid service as a whole, not your event subscription: a subscription created in any other tenant that targets your URL passes the same filter, so it is not sender authentication.

How to eliminate wrong answers

Option A is wrong because filtering on the AzureEventGrid service tag only proves the request came from the Event Grid service, not from your subscription; keep it as an additional network control, not as the authentication mechanism. Option C is wrong because Event Grid does not present a client certificate that you upload for webhook delivery; the endpoint must serve HTTPS with a publicly trusted certificate, but mutual-TLS client authentication is not how delivery is authenticated. Option D is wrong for this question: Event Grid can deliver webhooks with a Microsoft Entra ID bearer token, but that requires registering the endpoint's application, configuring the event subscription with the tenant and application ID, and validating the token in the endpoint; it is not the mechanism the scenario describes, and the shared-key header check is the expected answer.
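The endpoint logic described above, as an added example that is not part of the original page: a framework-agnostic Python handler that rejects deliveries whose Aeg-SasKey header does not match the subscription key (constant-time compare), answers the subscription validation handshake by echoing validationCode, and only then hands events to the application. The shared key, event IDs, topic path and the Contoso.Orders.Created event are constructed; the header name is the one the question gives, and the validation event type and validationResponse shape follow the Event Grid webhook handshake.

```python
import hmac
import json
from typing import Callable, Dict, List, Tuple

# Assumption: the key configured on the event subscription, loaded from app
# configuration in a real deployment. Constructed value for the demo.
SHARED_KEY = "c0nstructed-subscription-key"
KEY_HEADER = "aeg-sas-key"
VALIDATION_EVENT_TYPE = "Microsoft.EventGrid.SubscriptionValidationEvent"


def header_value(headers: Dict[str, str], name: str) -> str:
    """HTTP header names are case-insensitive; look them up accordingly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def sender_is_trusted(headers: Dict[str, str]) -> bool:
    presented = header_value(headers, KEY_HEADER)
    # Constant-time comparison: '==' stops at the first differing byte and leaks timing.
    return bool(presented) and hmac.compare_digest(presented, SHARED_KEY)


def handle_event_grid_request(headers: Dict[str, str], body: bytes,
                              process_event: Callable[[dict], None]) -> Tuple[int, dict]:
    """Return (HTTP status, JSON response) the way the web API endpoint would."""
    if not sender_is_trusted(headers):
        return 401, {"error": "unauthorized"}  # reject before touching the payload
    try:
        events = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed body"}
    if not isinstance(events, list):
        return 400, {"error": "expected an array of events"}

    for event in events:
        if not isinstance(event, dict):
            return 400, {"error": "malformed event"}
        if event.get("eventType") == VALIDATION_EVENT_TYPE:
            # Subscription handshake: Event Grid activates the subscription only if the
            # endpoint echoes validationCode back in validationResponse.
            code = event.get("data", {}).get("validationCode")
            if not code:
                return 400, {"error": "missing validationCode"}
            return 200, {"validationResponse": code}
        process_event(event)
    return 200, {}


def encode_events(events: List[dict]) -> bytes:
    """Serialise a delivery the way it arrives on the wire (for local testing)."""
    return json.dumps(events).encode("utf-8")


# Constructed sample deliveries in the Event Grid event schema.
TOPIC = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
         "/providers/Microsoft.EventGrid/topics/orders")
SAMPLE_VALIDATION = [{
    "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66", "topic": TOPIC, "subject": "",
    "data": {"validationCode": "512AE7A2-4DD6-4E1B-A4CB-0E5F0B3C3E38"},
    "eventType": VALIDATION_EVENT_TYPE, "eventTime": "2024-01-01T00:00:00.000Z",
    "metadataVersion": "1", "dataVersion": "1",
}]
SAMPLE_ORDER = [{
    "id": "c4c2e6a1-1111-4c2a-9d3b-22222222aaaa", "topic": TOPIC, "subject": "orders/1001",
    "data": {"orderId": "1001", "total": 42.5},
    "eventType": "Contoso.Orders.Created", "eventTime": "2024-01-01T00:01:00.000Z",
    "metadataVersion": "1", "dataVersion": "1",
}]

if __name__ == "__main__":
    received = []
    good = {"Aeg-Sas-Key": SHARED_KEY, "Content-Type": "application/json"}
    print(handle_event_grid_request(good, encode_events(SAMPLE_VALIDATION), received.append))
    print(handle_event_grid_request({"aeg-sas-key": "guess"}, encode_events(SAMPLE_ORDER), received.append))
    print(handle_event_grid_request(good, encode_events(SAMPLE_ORDER), received.append), received)
```

In a Flask or FastAPI app the same function sits behind the route handler with `request.headers` and the raw body; what matters is that the key check runs first, that the handshake does not bypass it, and that `process_event` is idempotent on the event `id`, because Event Grid retries deliveries that do not return a 2xx.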

47
MCQmedium

A web app experiences intermittent high latency. You discover that the Azure SQL database is experiencing a high number of connection timeouts. The application uses Entity Framework Core with the default connection pooling settings. You need to improve database connection reliability without changing the application code. What should you do?

A.Set the Minimum Pool Size to 10 in the connection string.
B.Increase the maximum pool size in the connection string.
C.Set the Connection Lifetime to 300 seconds.
D.Enable Multipool in the connection string.
AnswerA

A minimum pool size ensures a baseline of connections is always open, reducing initial connection delays.

Why this answer

Setting Min Pool Size=10 in the connection string pre-creates a baseline of open connections in the pool, reducing the number of new connections that must be opened during traffic spikes. This mitigates intermittent connection timeouts caused by the pool starting empty and falling behind demand while latency is high. Because the application uses Entity Framework Core with default pooling, the change is made in the connection string (for example in App Service configuration) without modifying code.

Exam trap

The trap here is that candidates often assume increasing the maximum pool size solves all connection issues, but the real problem is the delay in creating new connections from an empty pool, which is addressed by setting a minimum pool size.

How to eliminate wrong answers

Option B is wrong because increasing the maximum pool size only raises the cap on concurrent connections, but the intermittent timeouts are due to connections being created too slowly under load, not because the pool is full. Option C is wrong because setting Connection Lifetime to 300 seconds causes connections to be recycled after 5 minutes, which can actually increase churn and timeout risk during high latency, not improve reliability. Option D is wrong because 'Multipool' is not a valid connection string keyword in SQL Server or Entity Framework Core; it is a fabricated term.

48
MCQmedium

A web app running on Azure App Service must integrate with Microsoft Graph API to read user profiles. The app is registered in Microsoft Entra ID and uses the OAuth 2.0 authorization code flow. However, after deployment, the app fails to acquire tokens. What is the most likely cause?

A.The API permission for User.Read is not granted
B.The app is using the client credentials flow instead of authorization code flow
C.The redirect URI is not configured in the app registration
D.The client secret is expired
AnswerC

The reply URL must match exactly for the authorization code flow to complete.

Why this answer

Option C is correct because the authorization code flow returns the code to the redirect URI the app sends on the authorize request, and Microsoft Entra ID rejects the request (AADSTS50011) unless that URI exactly matches one registered on the app, scheme, host, port and path included. After a deployment the app typically sends its new hosted address while only the development URI is registered. Option A is wrong because a missing User.Read permission shows up as a consent or authorization failure on the Graph call, not as a failure to complete the sign-in. Option B is wrong because the question states the app uses the authorization code flow.

Option D is wrong because the symptom appeared with the deployment; an expired client secret fails the code exchange regardless of where the app runs and surfaces as an invalid_client error rather than a redirect mismatch.

49
MCQeasy

A company uses Azure Functions to process messages from Azure Service Bus. The function needs to scale out during high load. Which hosting plan should you choose to enable automatic scaling?

A.Logic Apps plan
B.Premium plan
C.Consumption plan
D.App Service plan
AnswerC

Consumption plan automatically scales based on demand, ideal for event-driven workloads.

Why this answer

The Consumption plan scales out automatically based on the number of incoming Service Bus messages and bills per execution. Option D is wrong because an App Service plan runs the function app on dedicated instances that you scale manually or with autoscale rules you define; it does not scale on queue depth. Option B is wrong only by degree: the Premium plan also scales automatically on Service Bus load (and adds pre-warmed instances and VNet integration), but the question asks for the simplest automatic, pay-per-execution option.

Option A is wrong because Logic Apps is a separate workflow service, not a Functions hosting plan.

50
MCQhard

You are designing a solution for a multi-tenant SaaS application where each tenant's data is stored in separate Azure SQL databases. You need to ensure that no tenant can access another tenant's database, even if the application is compromised. What should you implement?

A.Configure a server-level firewall rule for each tenant's IP range
B.Assign each tenant a managed identity with a dedicated SQL login and database-level permissions
C.Implement connection pooling with a single identity
D.Use a single database-level login and row-level security (RLS) to filter data
AnswerB

This ensures each tenant can only access their own database.

Why this answer

Option B is correct because each tenant's managed identity is mapped to its own contained database user (CREATE USER [identity-name] FROM EXTERNAL PROVIDER) in that tenant's database only, so a compromised component holding tenant A's identity cannot open tenant B's database; isolation is enforced by the database engine, not by application logic. Option D is wrong because row-level security behind a single login depends on the application setting the right session context; a compromised application can set another tenant's context or bypass the predicate entirely. Option C is wrong because a pooled connection under a single identity is exactly the shared credential that lets a compromised app reach every database.

Option A is wrong because a server-level firewall filters by source IP; all tenants' traffic originates from the same application, so it does nothing against an application-layer compromise.

51
MCQmedium

You are monitoring an Azure Web App using Application Insights. You need to track the duration and status code of an external API call made by the app. Which Application Insights feature should you use?

A.Built-in request telemetry (server-side requests)
B.Dependency tracking feature
C.Custom events (TrackEvent)
D.Page view tracking
AnswerB

Dependency tracking automatically captures outbound HTTP calls (and other dependencies like databases) with duration, result code, and exception details.

Why this answer

Dependency tracking in Application Insights is specifically designed to monitor calls made by your application to external services, such as APIs, databases, or HTTP endpoints. It automatically captures the duration, success/failure status, and response code of outbound HTTP requests, making it the correct choice for tracking an external API call's duration and status code.

Exam trap

The trap here is that candidates confuse 'request telemetry' (incoming calls to the app) with 'dependency telemetry' (outgoing calls from the app), leading them to incorrectly select built-in request telemetry for monitoring external API calls.

How to eliminate wrong answers

Option A is wrong because built-in request telemetry (server-side requests) tracks incoming HTTP requests to your web app, not outbound calls to external APIs. Option C is wrong because custom events (TrackEvent) are used for logging custom business events or user actions, not for automatically capturing the duration and status code of HTTP calls. Option D is wrong because page view tracking monitors client-side page loads and user navigation, not server-side outbound API call metrics.

52
MCQhard

You are building a web application that uses Microsoft Entra ID for authentication. The application needs to call Microsoft Graph API to read user profiles and send emails on behalf of the signed-in user. You want to ensure that the user's consent is obtained only once and that the application can refresh tokens silently. Which OAuth 2.0 flow should you implement?

A.OAuth 2.0 Client Credentials flow.
B.OAuth 2.0 Implicit Grant flow.
C.OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange).
D.OAuth 2.0 Resource Owner Password Credentials (ROPC) flow.
AnswerC

This flow is secure for web apps, provides refresh tokens for silent renewal, and obtains user consent during the initial authentication. It is the recommended flow by Microsoft for web applications calling APIs on behalf of users.

Why this answer

The Authorization Code flow is the recommended OAuth 2.0 flow for applications that need delegated access to Microsoft Graph. PKCE was introduced for public clients (single-page and mobile apps), but Microsoft recommends it for confidential web apps as well, and MSAL adds it by default. The application obtains an authorization code, exchanges it for an access token and, when the offline_access scope is requested, a refresh token, and uses the refresh token to acquire new tokens silently. Consent for User.Read and Mail.Send is recorded on the first sign-in, so the user is not prompted again unless the requested scopes change or consent is revoked.

Exam trap

The trap here is that candidates often confuse the Client Credentials flow (which is for app-only access) with delegated user scenarios, or they mistakenly think the Implicit Grant flow is still acceptable for modern apps, ignoring the fact that it lacks refresh token support and is deprecated by Microsoft.

How to eliminate wrong answers

Option A is wrong because the Client Credentials flow is used for server-to-server (daemon) scenarios where no user is involved, so it cannot obtain consent from a signed-in user or send mail on the user's behalf. Option B is wrong because the Implicit Grant flow is deprecated and does not issue refresh tokens, making silent renewal impossible; it also returns tokens in the URL fragment, exposing them to browser history and scripts. Option D is wrong because the Resource Owner Password Credentials flow requires the application to handle the user's password directly, does not work with multifactor authentication or federated accounts, and cannot collect interactive consent; Microsoft recommends against it for new applications.

53
MCQmedium

You are implementing an order processing system using Azure Durable Functions. The function must send notifications to multiple channels (email, SMS, push) in parallel and wait for all to complete before sending a confirmation. Which Durable Functions feature should you utilize?

A.Orchestration trigger with fan-out/fan-in pattern
B.Entity trigger
C.Activity trigger with retry policy
D.Timer trigger
AnswerA

Correct. The orchestrator can call multiple activity functions in parallel using Task.WhenAll, then aggregate results before proceeding.

Why this answer

The fan-out/fan-in pattern in Durable Functions allows you to invoke multiple activity functions in parallel (fan-out) and then wait for all of them to complete (fan-in) using `Task.WhenAll`. This is exactly what is needed to send notifications to email, SMS, and push simultaneously and then proceed only after all have finished, making option A correct.

Exam trap

The trap here is that candidates often confuse the fan-out/fan-in pattern with simple parallel execution using Entity triggers or assume that retry policies alone can coordinate multiple channels, but only the orchestration trigger with `Task.WhenAll` provides the required synchronization barrier.

How to eliminate wrong answers

Option B is wrong because Entity triggers are designed for managing stateful entities (like counters or actors) and are not suited for orchestrating parallel task execution with a completion barrier. Option C is wrong because an Activity trigger with retry policy handles individual task retries but cannot coordinate multiple parallel activities or wait for all to finish before proceeding. Option D is wrong because Timer triggers are for scheduled or periodic execution, not for orchestrating parallel workflows with a fan-in step.
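The pattern above, as an added example that is not part of the original page and not the Durable Functions SDK: a plain asyncio version of fan-out/fan-in in which three constructed activity stand-ins run concurrently, a single await acts as the barrier, and the confirmation is withheld when any channel fails. The channel names, order IDs and the simulated push-gateway outage are assumptions. In a real orchestrator the same shape uses `context.task_all([...])` in Python or `Task.WhenAll` in C#, because orchestrator code must stay deterministic and replayable; asyncio.gather is used here only so the barrier behaviour can be run offline.

```python
import asyncio
from typing import Dict

CHANNELS = ("email", "sms", "push")


# Stand-ins for the three activity functions (constructed; each sleeps to mimic I/O).
async def send_email(order_id: str) -> str:
    await asyncio.sleep(0.01)
    return f"email sent for {order_id}"


async def send_sms(order_id: str) -> str:
    await asyncio.sleep(0.02)
    return f"sms sent for {order_id}"


async def send_push(order_id: str, gateway_down: bool = False) -> str:
    await asyncio.sleep(0.005)
    if gateway_down:
        raise RuntimeError("push gateway unavailable")
    return f"push sent for {order_id}"


async def notify_order(order_id: str, push_gateway_down: bool = False) -> Dict[str, str]:
    # Fan-out: start all channels at once instead of awaiting them one after another.
    tasks = [send_email(order_id), send_sms(order_id), send_push(order_id, push_gateway_down)]
    # Fan-in: this single await is the barrier. return_exceptions keeps one failure
    # from discarding the other channels' results, so every outcome can be inspected.
    results = await asyncio.gather(*tasks, return_exceptions=True)
    outcome: Dict[str, str] = {}
    for channel, result in zip(CHANNELS, results):
        outcome[channel] = f"failed: {result}" if isinstance(result, BaseException) else result
    failed = [c for c in CHANNELS if outcome[c].startswith("failed")]
    # Confirmation only after every channel succeeded; otherwise say which ones did not.
    outcome["confirmation"] = "sent" if not failed else "withheld: " + ", ".join(failed)
    return outcome


def run_notification(order_id: str, push_gateway_down: bool = False) -> Dict[str, str]:
    """Synchronous entry point so the orchestration can be driven from a script or test."""
    return asyncio.run(notify_order(order_id, push_gateway_down))


if __name__ == "__main__":
    print(run_notification("1001"))
    print(run_notification("1002", push_gateway_down=True))
```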

54
Matchingmedium

Match each Azure DevOps component to its function.

Azure Repos - Git repositories for source control

Azure Pipelines - CI/CD for building and deploying code

Azure Boards - Agile project management with Kanban boards

Azure Artifacts - Package management for Maven, npm, NuGet

Why these pairings

Azure DevOps provides a suite of tools for the development lifecycle.

55
MCQeasy

A company uses Azure Functions with a consumption plan. The function processes messages from a queue. During peak hours, the function takes longer to execute, and some messages are processed twice. What is the most likely cause?

A.The function timeout is set too low.
B.The queue message visibility timeout is shorter than the function processing time.
C.The function uses blob output binding incorrectly.
D.The function app is using a premium plan instead of consumption.
AnswerB

Correct. If the visibility timeout expires, the message becomes visible again and can be processed by another instance, resulting in duplicates.

Why this answer

When a queue-triggered function dequeues a message, the message stays invisible to other consumers only for the visibility timeout (the Service Bus equivalent is the peek-lock lock duration). If processing runs longer than that, the message becomes visible again and another function instance picks it up, so the work is done twice and the first instance's delete fails because its pop receipt is stale. Longer execution during peak hours is exactly what pushes processing past the timeout, which makes option B the most likely cause. The remedies are to keep handlers short, renew the visibility timeout (or lock) while a long job runs, and make the side effects idempotent, because at-least-once delivery means duplicates can never be ruled out entirely.

Exam trap

The trap here is that candidates often confuse the function timeout (which terminates execution) with the queue visibility timeout (which controls message re-delivery), leading them to incorrectly select option A.

How to eliminate wrong answers

Option A is wrong because the function timeout (default 5 minutes for consumption plan) controls the maximum execution duration, not message visibility; a low timeout would cause the function to fail or be terminated, not duplicate processing. Option C is wrong because incorrect blob output binding would cause errors or missing data, not duplicate message processing. Option D is wrong because a premium plan provides dedicated instances and faster execution, which would reduce the likelihood of timeouts and duplicates, not cause them.
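The failure mode above, as an added example that is not part of the original page: a constructed in-memory queue with a visibility timeout, pop receipts and a simulated clock, driven by two function instances that each handle at most one receive. With a 90-second job and a 30-second visibility timeout the order is processed twice and the first delete fails; renewing the visibility every 20 seconds (what `update_message` with a new visibility timeout does in Azure Queue Storage, or lock renewal in Service Bus) brings it back to once. Message bodies, timings and instance count are assumptions.

```python
import itertools
from typing import Dict, List, Optional


class SimQueue:
    """At-least-once queue with a visibility timeout and a simulated clock (constructed)."""

    def __init__(self, visibility_timeout: int):
        self.visibility_timeout = visibility_timeout
        self.now = 0
        self.messages: List[dict] = []
        self._ids = itertools.count(1)

    def send(self, body: str) -> None:
        self.messages.append({"id": str(next(self._ids)), "body": body,
                              "visible_at": 0, "dequeue_count": 0, "pop_receipt": 0})

    def _find(self, msg_id: str) -> Optional[dict]:
        return next((m for m in self.messages if m["id"] == msg_id), None)

    def receive(self) -> Optional[dict]:
        """Hand out the first visible message and hide it for visibility_timeout seconds."""
        for m in self.messages:
            if m["visible_at"] <= self.now:
                m["visible_at"] = self.now + self.visibility_timeout
                m["dequeue_count"] += 1
                m["pop_receipt"] += 1  # a new receipt invalidates the previous holder's copy
                return {"id": m["id"], "body": m["body"], "pop_receipt": m["pop_receipt"],
                        "dequeue_count": m["dequeue_count"]}
        return None

    def extend_visibility(self, msg: dict, seconds: int) -> bool:
        """Like update_message with a new visibility timeout; fails if the lock was lost."""
        m = self._find(msg["id"])
        if m is None or m["pop_receipt"] != msg["pop_receipt"]:
            return False
        m["visible_at"] = self.now + seconds
        m["pop_receipt"] += 1
        msg["pop_receipt"] = m["pop_receipt"]  # the caller must keep using the fresh receipt
        return True

    def delete(self, msg: dict) -> bool:
        """Delete succeeds only with the current pop receipt, as in Azure Queue Storage."""
        m = self._find(msg["id"])
        if m is None or m["pop_receipt"] != msg["pop_receipt"]:
            return False
        self.messages.remove(m)
        return True


def run_scenario(processing_time: int, visibility_timeout: int,
                 renew_every: Optional[int] = None, horizon: int = 300) -> Dict[str, int]:
    """Two function instances poll one queue; each handles at most one message.
    Returns how often the order was processed and how many deletes found the lock gone."""
    queue = SimQueue(visibility_timeout)
    queue.send("order-1001")
    workers = [{"msg": None, "done_at": 0, "next_renew": None, "finished": False} for _ in range(2)]
    processed = lost_lock = 0
    for t in range(horizon):
        queue.now = t
        for w in workers:
            if w["finished"]:
                continue
            if w["msg"] is None:
                msg = queue.receive()
                if msg is not None:
                    w["msg"] = msg
                    w["done_at"] = t + processing_time
                    w["next_renew"] = t + renew_every if renew_every else None
                continue
            if w["next_renew"] is not None and t >= w["next_renew"]:
                queue.extend_visibility(w["msg"], visibility_timeout)
                w["next_renew"] = t + renew_every
            if t >= w["done_at"]:
                processed += 1  # the side effect (e.g. charging the order) has already happened
                if not queue.delete(w["msg"]):
                    lost_lock += 1
                w["finished"] = True
    return {"processed": processed, "lost_lock": lost_lock, "remaining": len(queue.messages)}


if __name__ == "__main__":
    print("no renewal:  ", run_scenario(processing_time=90, visibility_timeout=30))
    print("renew every 20:", run_scenario(processing_time=90, visibility_timeout=30, renew_every=20))
```

Note what `lost_lock` shows: the first instance completes its side effect and only then discovers the delete fails, so renewal or idempotent processing has to happen before the work, not as a cleanup afterwards.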

56
MCQmedium

You need to store large amounts of unstructured data (images and videos) that are accessed rarely (a few times per year) but must be available within minutes when requested. The data must be geo-redundant for disaster recovery. You want to minimize storage costs. Which storage tier and redundancy option should you choose?

A.Hot storage tier with geo-redundant storage (GRS)
B.Cool storage tier with geo-redundant storage (GRS)
C.Archive storage tier with read-access geo-redundant storage (RA-GRS)
D.Premium storage tier with local redundant storage (LRS)
AnswerB

Cool tier provides low storage cost for infrequently accessed data with immediate availability. GRS ensures geo-redundancy for disaster recovery at a moderate cost, meeting all requirements.

Why this answer

The Cool storage tier is designed for data that is infrequently accessed (a few times per year) and stored for at least 30 days, offering lower storage costs than Hot tier while still providing low-latency retrieval within minutes. Geo-redundant storage (GRS) replicates data to a paired secondary region, ensuring disaster recovery with geo-redundancy. This combination meets the requirements of rare access, minutes-availability, geo-redundancy, and minimal cost.

Exam trap

The trap here is that candidates often confuse the Archive tier's low storage cost with its high retrieval latency (hours), forgetting the requirement for data to be available within minutes, or they overlook that GRS is sufficient for geo-redundancy without needing read-access (RA-GRS).

How to eliminate wrong answers

Option A is wrong because the Hot storage tier has higher storage costs than Cool tier, making it suboptimal for rarely accessed data. Option C is wrong because the Archive storage tier has the lowest storage cost but retrieval times can take hours (up to 15 hours for standard priority), not minutes, and RA-GRS is unnecessary since read access is not required. Option D is wrong because Premium storage tier is optimized for low-latency, high-performance workloads (e.g., VMs, databases) and uses local redundant storage (LRS), which does not provide geo-redundancy for disaster recovery.

57
MCQeasy

Your company develops a multi-tenant SaaS application hosted on Azure Kubernetes Service (AKS). Each tenant has isolated compute resources. You need to ensure that no single tenant can consume all cluster resources and affect others. You also want to optimize resource utilization by packing pods efficiently. Which approach should you recommend?

A.Use namespace resource quotas per tenant and let the Kubernetes scheduler handle packing.
B.Use a service mesh to control traffic between tenants.
C.Use Azure Policy to enforce pod resource limits.
D.Deploy each tenant to a separate AKS cluster.
AnswerA

Isolates tenants and optimizes packing.

Why this answer

Option A is correct because namespace resource quotas per tenant provide hard limits on compute resources (CPU, memory) and object counts, preventing any single tenant from exhausting cluster resources. The Kubernetes scheduler then efficiently packs pods within those quotas, optimizing utilization without manual intervention. This approach balances isolation and resource efficiency in a multi-tenant AKS environment.

Exam trap

The trap here is that candidates confuse Azure Policy (which enforces pod-level limits) with namespace-level resource quotas, missing that quotas are the correct mechanism for tenant-level aggregate resource isolation in a shared cluster.

How to eliminate wrong answers

Option D is wrong because deploying each tenant to a separate AKS cluster increases operational complexity and cost and does not optimize resource utilization; idle capacity in one cluster cannot be used by another. Option C is wrong because Azure Policy can require that every pod declares CPU and memory limits (for example the built-in 'Kubernetes cluster containers should have CPU and memory resource limits defined' policy), but that constrains individual pods, not a tenant's aggregate consumption across a namespace; a tenant can still start enough compliant pods to exhaust the cluster. Option B is wrong because a service mesh (for example Istio or Linkerd) controls east-west traffic, mTLS and observability between services, not compute consumption; it provides network segmentation, not resource guarantees.

58
MCQmedium

You deploy a web application in Azure App Service. You need to authenticate users via Microsoft Entra ID with minimal custom code. Which App Service feature should you configure?

A.App Service Authentication (Easy Auth)
B.Microsoft Entra ID B2C
C.Application Gateway with WAF
D.App Service Managed Identity
AnswerA

Correct. App Service Authentication provides built-in authentication using Microsoft Entra ID with minimal configuration and no code changes.

Why this answer

App Service Authentication (also known as Easy Auth) is the correct choice because it provides a turnkey authentication layer that integrates directly with Microsoft Entra ID. It requires minimal custom code by handling the OAuth 2.0 authorization code flow, token validation, and session management at the App Service platform level, allowing you to simply configure the identity provider in the Azure portal.

Exam trap

The trap here is that candidates confuse Managed Identity (which is for server-to-server resource access) with user authentication, or they overcomplicate the solution by choosing B2C when the requirement is simply to authenticate against an existing Microsoft Entra ID tenant with minimal code.

How to eliminate wrong answers

Option B (Microsoft Entra ID B2C) is wrong because it is designed for customer-facing applications with external identity providers and social logins, not for authenticating users via an existing Microsoft Entra ID tenant with minimal code; it adds unnecessary complexity and custom policy configuration. Option C (Application Gateway with WAF) is wrong because it is a layer 7 load balancer and web application firewall that does not provide any authentication or token validation for Microsoft Entra ID; it focuses on traffic routing and security filtering, not identity. Option D (App Service Managed Identity) is wrong because it is used to grant the app itself an identity to securely access other Azure resources (e.g., Key Vault, Storage), not to authenticate external users; it does not handle user login or token issuance.

59
MCQmedium

You are developing a solution that uses Azure Container Registry (ACR) to store Docker images. You need to ensure that only authorized users can deploy images from ACR to an AKS cluster. What should you do?

A.Configure AKS RBAC to limit image pull permissions.
B.Use Kubernetes secrets to store ACR credentials.
C.Use the AKS cluster's managed identity with AcrPull role assignment.
D.Enable the admin account on ACR and use the credentials in AKS.
AnswerC

Managed identity provides secure access without secrets.

Why this answer

Option C is correct because the AKS cluster's kubelet managed identity, granted the AcrPull role on the registry (what az aks update --attach-acr configures), lets nodes pull images with no password stored anywhere; access is governed by an RBAC assignment you can audit and revoke. Option D is wrong because the ACR admin account is a single shared username/password with full push and pull rights, which Microsoft recommends leaving disabled. Option B is wrong because a Kubernetes secret holding ACR credentials is still a long-lived static secret that must be rotated and protected, and anyone who can read secrets in the namespace can reuse it.

Option A is wrong because Kubernetes RBAC governs API-server operations such as creating pods; the image pull is performed by the kubelet with the node's identity, so namespace roles do not control access to ACR.

60
MCQmedium

You deploy the above policy to an Azure API Management API. What is the effect?

A.Limits the total bandwidth to 100 MB per 60 seconds.
B.Limits the API to 100 calls per 60 seconds from the backend.
C.Limits the API to 100 calls per 60 seconds per subscription key.
D.Limits the API to 100 calls per 60 seconds per client IP address.
AnswerC

rate-limit policy applies per subscription key.

Why this answer

Option C is correct. The rate-limit policy counts calls per subscription key: with calls="100" and renewal-period="60", each subscription may make 100 calls in a 60-second window before the gateway returns 429 Too Many Requests. Option A is wrong because rate-limit counts calls, not bandwidth.

Option B is wrong because the policy runs in the inbound section and counts client requests arriving at the gateway, not traffic from the backend. Option D is wrong because the counter is keyed on the subscription, not the client IP; per-IP throttling would need rate-limit-by-key with context.Request.IpAddress as the counter key.

61
MCQmedium

Your e-commerce application sends telemetry to Application Insights. You need to reduce ingestion costs while preserving the ability to detect trends in performance metrics. Which sampling type should you configure?

A.Fixed-rate sampling
B.Adaptive sampling
C.Ingestion sampling
D.Head-based sampling
AnswerB

Correct. Adaptive sampling dynamically adjusts to keep the telemetry volume within a budget while preserving statistical accuracy for trends.

Why this answer

Adaptive sampling is the correct choice because it automatically adjusts the volume of telemetry data collected based on the application's activity level, ensuring that performance trends are preserved while reducing ingestion costs. Unlike fixed-rate sampling, adaptive sampling dynamically increases or decreases the sampling rate to maintain a target volume, making it ideal for e-commerce applications with variable traffic patterns.

Exam trap

The trap here is that candidates often confuse 'adaptive sampling' with 'fixed-rate sampling' because both are head-based, but only adaptive sampling dynamically adjusts to reduce costs without losing trend visibility.

How to eliminate wrong answers

Option A is wrong because fixed-rate sampling applies a constant percentage regardless of traffic volume, so it either over-collects during quiet periods (wasting cost) or under-collects during peaks (losing trend resolution). Option C is wrong because ingestion sampling discards telemetry after it reaches the Application Insights endpoint: it lowers retained volume, but the application still sends everything, and it is not applied when the SDK is already sampling, so it is not the primary control for an app that can sample at the source. Option D is wrong because head-based sampling is the category that fixed-rate and adaptive sampling both belong to (the decision is made at the start of the request), not a specific configuration you can select.

62
MCQeasy

You need to authenticate an Azure Function app to call Microsoft Graph API on behalf of the signed-in user. Which authentication flow should you use?

A.Device code flow
B.Client credentials flow
C.Implicit flow
D.Authorization code flow with PKCE
AnswerD

Delegated access requires a user sign-in; the authorization code flow returns an access token for Graph and a refresh token for the signed-in user.

Why this answer

Option D is correct because the authorization code flow is for apps that sign in a user and obtain an access token for APIs such as Microsoft Graph in that user's name; PKCE binds the code to the client that requested it. Option B is wrong because the client credentials flow is for daemon apps that run without a user. Option A is wrong because the device code flow is for input-constrained devices without a browser.

Option C is wrong because the implicit flow is deprecated and issues no refresh token.
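The flow chosen in this question and in question 52 above, as one added example that is not part of the original page: the client-side half of Authorization Code with PKCE against the Microsoft identity platform v2.0 endpoints, in Python. It generates the code verifier, derives the S256 challenge, builds the authorize URL and the token request, and shows the check the token endpoint performs. Tenant ID, client ID, redirect URI and the placeholder authorization code are constructed; the endpoint paths, parameter names and the offline_access scope that yields a refresh token are those of the real v2.0 endpoints. A confidential web app would add its client secret or client assertion to the token request; nothing here contacts the network.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlencode

# Constructed values; in a real app these come from the app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://localhost:5001/signin-oidc"  # must exactly match a registered reply URL
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"

# offline_access is what makes Entra ID return a refresh token for silent renewal.
GRAPH_SCOPES = ["User.Read", "Mail.Send", "offline_access"]


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 URL-safe characters, inside RFC 7636's 43..128 range."""
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Step 1: send the browser here. Only the challenge leaves the app; the verifier stays
    in server-side session state together with 'state' for CSRF protection."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(GRAPH_SCOPES),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> Tuple[str, Dict[str, str]]:
    """Step 2: back-channel POST that trades the code (plus the verifier) for tokens.
    A confidential client also adds client_secret or a client assertion here."""
    form = {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
        "scope": " ".join(GRAPH_SCOPES),
    }
    return f"{AUTHORITY}/token", form


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint checks: the verifier must hash to the challenge it stored
    with the code, so a stolen code is useless without the verifier."""
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    print(build_authorize_url(verifier, state=secrets.token_urlsafe(16)))
    endpoint, form = build_token_request("AQABAAIAAAD-constructed-code", verifier)
    print(endpoint, form["grant_type"], form["code_challenge_method"] if "code_challenge_method" in form else "")
    print("accepted:", server_accepts(code_challenge_s256(verifier), verifier))
```

Silent renewal afterwards is a second POST to the same token endpoint with grant_type=refresh_token; the user is not involved again as long as the consented scopes do not change. The redirect URI check in question 48 applies to both steps: the value in the token request must equal the one used on the authorize request and a registered reply URL.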

63
Multi-Selecteasy

Which TWO services can be used to implement a pub/sub messaging pattern in Azure? (Choose two.)

Select 2 answers
A.Azure Logic Apps
B.Azure Service Bus topics
C.Azure Queue Storage
D.Azure Event Grid
E.Azure Data Lake Storage
AnswersB, D

Service Bus topics support pub/sub with multiple subscriptions.

Why this answer

Options B and D are correct. Azure Service Bus topics support pub/sub: publishers send to the topic and each subscription receives its own filtered copy of every message. Azure Event Grid also supports pub/sub, with multiple event subscriptions (webhooks, queues, functions) attached to one topic.

Option C is wrong because Azure Queue Storage is a point-to-point queue with a single set of competing consumers, not pub/sub. Option E is wrong because Azure Data Lake Storage is a storage service. Option A is wrong because Azure Logic Apps is a workflow and integration service that consumes messages from Service Bus or Event Grid; it is not a messaging broker itself.

64
MCQhard

Your company is migrating a legacy on-premises .NET Framework 4.7.2 web application to Azure. The application uses session state stored in-memory and reads/writes to a local SQL Server database. The migration must minimize code changes, support auto-scaling, and handle session state across multiple instances. You plan to use Azure App Service with Windows OS. You need to recommend a solution for session state storage and database connectivity. Which option should you choose?

A.Use Azure Cache for Redis as the session state provider via the RedisSessionStateProvider NuGet package, and configure the database connection string in Azure App Service App Settings.
B.Store session state in Azure Table Storage using a custom session state provider, and use a connection string for Azure SQL Database.
C.Configure session state using Azure SQL Database with a session state database, and update the connection string in web.config.
D.Use App Service's built-in session state with ARR affinity and connect to Azure SQL Database using Managed Identity.
AnswerA

Redis session state provider is easy to configure, supports auto-scaling, and minimal code changes. Database connection string in App Settings allows easy configuration.

Why this answer

Option A is correct because Azure Cache for Redis provides a distributed, in-memory session state provider that supports session state sharing across multiple App Service instances without requiring code changes to the application logic. The RedisSessionStateProvider NuGet package is a drop-in replacement for the default in-memory provider, and configuring the database connection string in App Settings allows you to change the target without modifying web.config, minimizing migration effort.

Exam trap

The trap here is that candidates often confuse ARR affinity with a valid session state solution, not realizing that it prevents horizontal scaling by forcing requests to a single instance, which contradicts the auto-scaling requirement.

How to eliminate wrong answers

Option B is wrong because Azure Table Storage is a NoSQL key-value store that does not natively support session state expiration or locking, and implementing a custom provider would require significant code changes, contradicting the requirement to minimize code changes. Option C is wrong because using Azure SQL Database for session state introduces higher latency and cost compared to an in-memory cache, and it requires updating web.config rather than using App Settings, which is less flexible for auto-scaling scenarios. Option D is wrong because ARR affinity (sticky sessions) prevents true auto-scaling by pinning a user to a specific instance, and while Managed Identity is good for database connectivity, it does not solve the session state sharing problem across instances.

65
MCQ (medium)

Refer to the exhibit. You are deploying an Azure Key Vault using this ARM template. Your team plans to use RBAC to manage access. The vault must be accessible from Azure services (e.g., Azure VMs) without public IP addresses. After deployment, a developer reports that they cannot access secrets from a VM in the same region, even though the VM has a managed identity with the Key Vault Secrets User role. What is the most likely cause?

A. Soft delete is enabled, which prevents access to secrets until they are recovered.
B. The accessPolicies array is empty, so RBAC is not working.
C. The vault name is not unique and conflicts with another vault.
D. The vault's network ACLs block all traffic except from Azure services, but VMs are not considered Azure services.
Answer: D

VMs need to be added to virtual network rules or have a service endpoint.

Why this answer

Option B is correct because the network ACLs have defaultAction set to 'Deny' and only Azure services bypass (via 'AzureServices'), but VMs are not considered Azure services for bypass; they need a virtual network rule. Option A is wrong because RBAC is enabled and the role is assigned. Option C is wrong because soft delete is enabled and does not affect access.

Option D is wrong because the vault name is irrelevant.

66
Multi-Select (easy)

Your company is migrating a monolithic application to Azure. The application consists of several components that need to be deployed and scaled independently. You need to design a container orchestration solution. Which TWO services should you consider?

Select 2 answers
A. Azure Container Instances
B. Azure Container Apps
C. Azure Batch
D. Azure Service Fabric
E. Azure Kubernetes Service (AKS)
Answers: B, E

Serverless container orchestration with independent scaling.

Why this answer

Option A and D are correct because Azure Kubernetes Service (AKS) and Azure Container Apps are both managed container orchestration services that support independent scaling of components. Option B is wrong because Azure Container Instances is for running individual containers, not orchestration. Option C is wrong because Azure Service Fabric is also an orchestrator but is older and less relevant for new deployments; however, the question asks for two services, and AKS and Container Apps are the primary choices.

Option E is wrong because Azure Batch is for batch computing, not general orchestration.

67
MCQ (easy)

You are developing a web application that allows users to upload profile pictures to Azure Blob Storage. The application generates thumbnails using an Azure Function that is triggered by blob creation. You need to ensure that the function only processes image files and ignores other file types. What should you do?

A. Set the trigger's 'source' parameter to 'EventGrid' and filter events by the 'content-type' property.
B. Set the trigger's 'filter' property to '*.jpg,*.png'.
C. Implement the function without filtering and check the content type inside the function, ignoring non-image blobs.
D. Use the blob trigger with a path pattern like 'images/{name}.jpg' and 'images/{name}.png' and use the extension binding to filter.
Answer: D

You can create separate functions for each extension or use a pattern and check the extension in code.

Why this answer

Option D is correct because Azure Blob Storage triggers in Azure Functions support path patterns that filter on blob name extensions, such as 'images/{name}.jpg' and 'images/{name}.png'. This allows the function to only fire when a blob with a matching extension is created, effectively ignoring non-image files without any runtime code or additional services.

Exam trap

The trap here is that candidates often assume you must check the content type inside the function (Option C) because they think blob triggers cannot filter by extension, but Azure Functions actually support path pattern filtering on the trigger binding itself.

How to eliminate wrong answers

Option A is wrong because the 'source' parameter for EventGrid is not a standard property on a Blob trigger; EventGrid-based triggers use a separate EventGrid trigger type, and filtering by 'content-type' would require custom event filtering logic, not a simple parameter. Option B is wrong because the 'filter' property does not exist on a Blob trigger binding; the binding only supports path patterns with curly braces for name and extension, not a comma-separated list of extensions. Option C is wrong because while it would work functionally, it is not the recommended approach; the question asks what you 'should do' to ensure the function only processes image files, and using built-in path pattern filtering is more efficient and avoids unnecessary invocations.

68
MCQ (medium)

You are deploying a containerized application to Azure Container Instances. The container image is stored in a private Azure Container Registry (ACR). You need to ensure that ACI can pull the image without storing credentials in the container group definition. What should you use?

A. Enable managed identity for the container group and assign the AcrPull role.
B. Generate a SAS token for the ACR and use it in the image registry credential.
C. Create a service principal with AcrPull role and pass its credentials.
D. Use the ACR admin account and provide the credentials in the container group.
Answer: A

Managed identity avoids storing credentials.

Why this answer

Option D is correct because managed identity (system-assigned or user-assigned) allows ACI to authenticate to ACR without storing credentials, by granting the identity the 'AcrPull' role. Option A is wrong because the admin account requires a username/password in the configuration. Option B is wrong because SAS tokens are not supported for ACR authentication in ACI.

Option C is wrong because a service principal requires storing credentials in the container group.

69
Multi-Select (easy)

Which TWO Azure services can be used to store and manage secrets, such as API keys and connection strings? (Choose 2)

Select 2 answers
A. Azure Key Vault
B. Azure App Configuration
C. Azure Storage
D. Azure SQL Database
E. Azure Managed Identity
Answers: A, E

Key Vault securely stores secrets.

Why this answer

Option B is correct because Azure Key Vault is designed for secret storage. Option D is correct because Azure Managed Identity helps manage credentials without storing secrets. Option A is incorrect because Azure App Configuration is for configuration settings, not secrets.

Option C is incorrect because Azure Storage is for data storage. Option E is incorrect because Azure SQL Database is for relational data.

70
MCQ (easy)

You are using Application Insights to monitor a web application. You notice that a specific request is slow. You want to see the complete end-to-end transaction details, including all dependency calls and exceptions for that single request. Which feature should you use?

A. Metrics Explorer
B. Transaction Search (End-to-End Transaction Details)
C. Application Map
D. Live Metrics Stream
Answer: B

This feature provides a timeline view of every operation within a single request, helping pinpoint the cause of slowness.

Why this answer

Transaction Search (End-to-End Transaction Details) is the correct feature because it allows you to view the complete trace of a single request, including all dependency calls (e.g., SQL, HTTP, Azure services), exceptions, and logs associated with that specific operation. This is achieved by correlating telemetry using the operation_Id field, which groups all telemetry items from the same request into a single end-to-end view. Other features like Metrics Explorer or Application Map provide aggregated or topological views, not per-request drill-down.

Exam trap

The trap here is that candidates often confuse the aggregated monitoring features (Metrics Explorer, Application Map) with the diagnostic drill-down capability of Transaction Search, mistakenly believing that a high-level view can reveal per-request details.

How to eliminate wrong answers

Option A is wrong because Metrics Explorer provides aggregated, time-series metrics (e.g., average response time, request count) and cannot show individual request-level details or dependency call trees. Option C is wrong because Application Map offers a topological view of application components and their dependencies, but it does not provide per-request transaction details or exception traces. Option D is wrong because Live Metrics Stream shows real-time, near-instantaneous metrics (e.g., request rate, CPU usage) for monitoring live traffic, but it does not support querying historical or specific slow requests with full dependency and exception details.

71
MCQ (hard)

Your company uses Azure API Management to expose APIs to external partners. You need to implement rate limiting per subscription key to prevent abuse, but you also want to allow burst traffic up to a certain limit. Which policy should you configure?

A. Add a 'quota-per-key' policy with a renewal period of 1 day.
B. Add a 'limit' policy with a condition on subscription key.
C. Add a 'rate-limit-by-key' policy with a counter key of 'subscription-key'.
D. Add a 'rate-limit' policy with a renewal period of 60 seconds and a burst count of 10.
Answer: D

The rate-limit policy supports burst and per-key limits.

Why this answer

The rate-limit policy in Azure API Management enforces a fixed rate limit (e.g., 100 calls per minute) while also allowing a burst (e.g., 10 calls) over a short period. Option A is correct because rate-limit supports both renewal period and burst. Option B is incorrect because quota-per-key is for a total number of calls over a longer period (e.g., per day), not burst.

Option C is incorrect because rate-limit-by-key does not exist; the correct name is rate-limit. Option D is incorrect because the 'limit' policy is not a standard APIM policy for rate limiting.

72
MCQ (easy)

A web app needs to access Azure Key Vault secrets for database credentials. The app runs as a managed identity in Azure App Service. Which authentication method should be used to retrieve secrets without storing credentials in the app code?

A. Managed identity
B. Access key
C. Client certificate
D. Shared access signature (SAS) token
Answer: A

Provides an identity automatically managed by Azure, no credentials stored.

Why this answer

Managed identity (option A) allows the app to authenticate to Azure services without storing credentials. Access keys (B) are not recommended. Client certificate (C) requires certificate management.

SAS tokens (D) are for storage, not Key Vault.

73
MCQ (medium)

You need to restrict access to an Azure Storage account so that only a specific subnet of a virtual network can access the data. Additionally, you need to allow management access from the Azure portal (e.g., to view containers). Which configuration should you apply?

A. Configure IP firewall rules to allow the subnet IP range and add the Azure portal's public IP addresses.
B. Configure a service endpoint for Microsoft.Storage on the subnet and add a firewall rule to allow the subnet, then enable 'Allow trusted Microsoft services'.
C. Configure a private endpoint for the storage account and disable public network access.
D. Configure IP ACLs to allow the subnet and also allow all Azure services.
Answer: B

Service endpoint provides secure connectivity from the subnet. The trusted Microsoft services exception allows portal management while keeping the firewall restricted.

Why this answer

Option B is correct because configuring a service endpoint for Microsoft.Storage on the subnet ensures traffic from that subnet to the storage account stays within the Azure backbone, and the firewall rule restricts access to that subnet. Enabling 'Allow trusted Microsoft services' permits Azure portal management operations (e.g., listing containers) because the portal is a trusted service that bypasses the network rules for control-plane actions.

Exam trap

The trap here is that candidates often confuse 'Allow trusted Microsoft services' with 'Allow all Azure services' or assume that IP-based rules for the Azure portal are static, when in fact the portal uses dynamic IP ranges that are not suitable for firewall rules.

How to eliminate wrong answers

Option A is wrong because the Azure portal does not have a fixed set of public IP addresses; they can change, making this approach unreliable and not a supported pattern for management access. Option C is wrong because a private endpoint with public network access disabled would block all internet-based access, including the Azure portal, preventing management from the portal entirely. Option D is wrong because 'Allow all Azure services' is a legacy setting that broadly permits traffic from any Azure service, not just the specific subnet, violating the requirement to restrict access to only that subnet.

74
Multi-Select (hard)

An Azure Functions document rendering job processes Service Bus messages. The function sometimes fails after partially completing work. Which two practices improve correctness?

Select 2 answers
A. Use dead-letter handling for repeatedly failing messages
B. Make the handler idempotent
C. Disable retries for all messages
D. Store connection strings in source code
Answers: A, B

Dead-letter queues isolate messages that cannot be processed after retries.

Why this answer

Option A is correct because Azure Functions can use dead-letter queues (DLQ) to isolate messages that repeatedly fail processing, preventing them from blocking the queue and allowing investigation without data loss. Option B is correct because making the handler idempotent ensures that if a message is retried after a partial failure (e.g., the function crashes mid-execution), reprocessing the same message does not cause duplicate or inconsistent state, which is critical for correctness in a Service Bus triggered function.

Exam trap

The trap here is that candidates may think disabling retries (Option C) prevents duplicate processing, but they overlook that retries are essential for transient fault tolerance, and the correct approach is to combine idempotency with dead-letter handling for permanent failures.

75
MCQ (hard)

You are reviewing the ARM template for an App Service. What is the effect of the 'alwaysOn' property set to true?

A. The app will enable health checks at /health.
B. The app will scale out to multiple instances automatically.
C. The app will stay loaded in memory to avoid cold starts.
D. The app will be redeployed whenever the code changes.
Answer: C

alwaysOn prevents the app from being unloaded.

Why this answer

Setting 'alwaysOn' to true in an Azure App Service ARM template ensures that the app is kept loaded in memory even when there is no incoming traffic. This prevents the app from being unloaded after a period of inactivity, which eliminates cold starts on subsequent requests. Cold starts occur when the app process is recycled or unloaded, causing a delay as the runtime and application code are reloaded.

Exam trap

The trap here is that candidates may confuse 'alwaysOn' with health checks or scaling features, as the name suggests constant availability, but it specifically addresses process idle behavior, not load balancing or monitoring.

How to eliminate wrong answers

Option A is wrong because health checks are configured separately via the 'healthCheckPath' property in the site config, not by the 'alwaysOn' property. Option B is wrong because automatic scaling is controlled by autoscale rules or scaling settings, not by the 'alwaysOn' property which only affects the app's in-memory state. Option D is wrong because redeployment on code changes is handled by deployment slots, continuous deployment pipelines, or triggers like webhooks, not by the 'alwaysOn' property.
