Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 676750

997 questions total · 14pages · All types, answers revealed

Page 9

Page 10 of 14

Page 11
676
MCQhard

You are developing an application that uses Azure Queue Storage. The application processes messages and must ensure that a message is not lost if the processing fails. Which visibility timeout setting should you use?

A.Set a short visibility timeout like 30 seconds
B.Set visibility timeout to 1 hour
C.Set visibility timeout to infinite
D.Set visibility timeout to 0 seconds
AnswerA

Allows quick retry if processing fails.

Why this answer

Option A is correct because setting a short visibility timeout (e.g., 30 seconds) ensures that if message processing fails, the message becomes visible again quickly for retry, preventing permanent loss. Azure Queue Storage uses a visibility timeout to hide a dequeued message from other consumers; if the processing fails and the message is not deleted, it reappears after the timeout expires. A short timeout balances retry speed with processing time, avoiding indefinite hiding that could lead to message loss if the consumer crashes.

Exam trap

The trap here is that candidates may think a longer visibility timeout provides more safety, but it actually risks message loss by hiding the message indefinitely if the consumer fails, whereas a short timeout ensures quick retries and eventual processing.

How to eliminate wrong answers

Option B is wrong because a 1-hour visibility timeout would hide the message for too long, delaying retries and potentially causing message loss if the consumer crashes without deleting the message. Option C is wrong because an infinite visibility timeout (maximum 7 days) would permanently hide the message, effectively losing it if processing fails and the message is never deleted. Option D is wrong because a visibility timeout of 0 seconds makes the message immediately visible to other consumers, defeating the purpose of ensuring processing without loss and risking duplicate processing.

677
MCQhard

You are building a serverless application using Azure Functions. The function processes large CSV files uploaded to Azure Blob Storage. Each file can be up to 100 MB. The function must parse the file and insert each row into a SQL database. You need to minimize cold start latency and ensure the function can handle the processing within the default timeout. What should you do?

A.Use the Premium plan with pre-warmed instances.
B.Use a dedicated App Service plan with Always On enabled.
C.Use Durable Functions to split processing into smaller chunks.
D.Use the Consumption plan and increase the function timeout to 10 minutes.
AnswerB

Always On keeps the function warm, and the plan allows up to 230 seconds execution time.

Why this answer

Option B is correct because a Dedicated App Service plan with Always On enabled eliminates cold starts by keeping the function host loaded continuously, and it provides a default timeout of 30 minutes (configurable up to 230 minutes), which is sufficient for processing 100 MB CSV files. The Consumption plan has a default timeout of 5 minutes (max 10 minutes), which may not be enough for large file processing, and it suffers from cold starts. The Premium plan reduces cold starts with pre-warmed instances but is not necessary when a Dedicated plan with Always On is more cost-effective and meets the requirements.

Exam trap

The trap here is that candidates often assume the Premium plan with pre-warmed instances is the only way to eliminate cold starts, overlooking that a Dedicated App Service plan with Always On provides the same benefit with a longer default timeout and lower cost for predictable workloads.

How to eliminate wrong answers

Option A is wrong because the Premium plan with pre-warmed instances reduces cold starts but is not the most cost-effective choice when a Dedicated App Service plan with Always On can achieve the same goal with lower cost for predictable workloads. Option C is wrong because Durable Functions are designed for orchestrating long-running workflows and fan-out/fan-in patterns, not for directly solving cold start latency or extending the default timeout for a single function execution. Option D is wrong because the Consumption plan's maximum timeout is 10 minutes, which may still be insufficient for processing a 100 MB CSV file, and it does not address cold start latency.

678
Multi-Selectmedium

Which THREE actions should you take to securely access Azure Key Vault from an Azure App Service? (Choose three.)

Select 3 answers
A.Configure network restrictions on the Key Vault to allow only the App Service's outbound IP.
B.Grant the managed identity the 'Key Vault Secrets User' role.
C.Enable managed identity on the App Service.
D.Use DefaultAzureCredential in the application code.
E.Store the Key Vault URL and a client secret in App Service application settings.
AnswersB, C, D

This role allows reading secrets from Key Vault.

Why this answer

Options A, B, and D are correct. Enable managed identity on the App Service to authenticate without secrets. Grant the managed identity the Key Vault Secrets User role to read secrets.

Use the DefaultAzureCredential class in code to automatically use the managed identity. Option C is wrong because storing the connection string in app settings exposes the secret. Option E is wrong because network restrictions are not required for security; managed identity and RBAC are sufficient.

679
MCQmedium

You are reviewing an ARM template that deploys an Azure App Service. The template sets an app setting 'MyApiKey' that references a Key Vault secret. However, the deployment fails with an error that the app service cannot access the secret. What is the most likely cause?

A.The Key Vault reference syntax '@Microsoft.KeyVault(SecretUri=...)' is incorrect.
B.The ARM template cannot use Key Vault references in app settings.
C.The secret name in the URI does not match the actual secret name.
D.The App Service does not have a managed identity enabled and the Key Vault access policy is missing.
AnswerD

For Key Vault references to work, the App Service must have a managed identity with GET permission on the secret.

Why this answer

The Key Vault reference syntax is correct, but the App Service must have a managed identity and Key Vault access policy to read the secret. Option B is correct. Option A is incorrect because the syntax is valid; Option C is incorrect because ARM templates support Key Vault references; Option D is incorrect because the syntax is correct.

680
MCQmedium

A company is developing an application that processes orders. The application uses Azure Service Bus queues to decouple order submission from processing. During peak hours, some messages are not processed within the required time, causing order delays. The team needs to increase throughput without changing the existing message processing logic. What should they do?

A.Use Azure Event Hubs instead of Service Bus.
B.Increase the number of concurrent listeners on the queue.
C.Enable sessions on the queue to group related messages.
D.Increase the lock duration on messages.
AnswerB

More listeners allow parallel processing, increasing throughput.

Why this answer

Increasing the number of concurrent listeners (option C) allows more messages to be processed simultaneously, improving throughput without changes to processing logic. Option A adds sessions which require changes to consumer logic. Option B increases lock duration but not throughput.

Option D uses a different service that may not fit the architecture.

681
MCQmedium

You have an Azure Function app that processes messages from a Service Bus queue. Under high load, some messages are not processed within the expected time. You need to identify whether the function is throttling due to high CPU or due to a downstream dependency. Which Application Insights feature should you use?

A.Live Metrics Stream
B.Application Insights Profiler
C.Search
D.Application Map
AnswerD

Application Map visualizes components and dependencies, showing where delays occur.

Why this answer

Option C is correct because Application Map shows dependencies and their health, helping identify bottlenecks. Option A (Live Metrics) shows real-time data but not dependencies. Option B (Profiler) is for code-level performance.

Option D (Search) is for raw telemetry.

682
MCQeasy

The mobile app team needs to send push notifications to 10 million devices running both iOS and Android. On iOS, notifications go through Apple Push Notification service (APNs); on Android, through Firebase Cloud Messaging (FCM). The team wants a single Azure service that abstracts platform differences and scales without managing separate APNs and FCM integrations per platform. Which service should they use?

A.Azure Notification Hubs with APNs and FCM credentials configured in the hub namespace
B.Azure Service Bus with topics — one subscription per platform, each subscription delivering to APNs or FCM
C.Azure Event Grid with a custom endpoint handler per platform that calls APNs or FCM directly
D.Azure Communication Services email with HTML-formatted alerts sent to device email addresses
AnswerA

Notification Hubs is the Azure service designed for exactly this use case. Configure your APNs certificate and FCM server key once. The backend then calls Notification Hubs with a unified API, specifying templates or platform-specific payloads. The hub routes and delivers to the appropriate PNS for each device's platform.

Why this answer

Azure Notification Hubs is the correct choice because it is a fully managed push notification service designed to abstract platform-specific notification systems like APNs (iOS) and FCM (Android). By configuring the APNs and FCM credentials in the hub namespace, the team can send a single notification that is automatically routed to the correct platform service, scaling to millions of devices without managing separate integrations.

Exam trap

The trap here is that candidates may confuse Azure Service Bus or Event Grid as viable push notification services, but neither provides direct, platform-abstracted push notification delivery to mobile devices like Notification Hubs does.

How to eliminate wrong answers

Option B is wrong because Azure Service Bus Topics are a message broker for decoupling applications, not a push notification service; they lack native integration with APNs or FCM and cannot directly deliver push notifications to mobile devices. Option C is wrong because Azure Event Grid is an event routing service that requires custom endpoint handlers to call APNs or FCM, which defeats the purpose of abstracting platform differences and adds complexity. Option D is wrong because Azure Communication Services email is designed for sending emails, not push notifications, and cannot reach mobile devices via APNs or FCM.

683
MCQeasy

You are developing a web application that uses Azure Cosmos DB for NoSQL. You need to perform a point read by document ID and partition key. Which API method should you use to achieve the best performance and lowest cost?

A.Call ReadItemAsync with the partition key and document ID.
B.Call QueryAsync with a SQL query that filters by ID.
C.Call CreateItemAsync and check for conflict.
D.Call ReadManyAsync with a list of IDs.
AnswerA

Point read via ReadItemAsync is the most efficient.

Why this answer

Point reads in Cosmos DB are the most efficient way to retrieve a single document when you know both the partition key and the ID. Option A is correct because ReadItemAsync is designed for point reads and consumes minimal RUs. Option B is incorrect because QueryAsync with a filter requires a query execution, which is more expensive.

Option C is incorrect because ReadManyAsync is for reading multiple items by ID. Option D is incorrect because CreateItemAsync is for creating items, not reading.

684
MCQeasy

You need to upload a large file (500 MB) to Azure Blob Storage from a .NET application with high throughput and resilience to network interruptions. Which approach should you use?

A.Use the Azure Storage SDK for .NET with the UploadAsync method that automatically splits the file into blocks
B.Use HTTP PUT with the entire file in a single request
C.Use the Azure Portal to upload the file
D.Use AzCopy with a single command
AnswerA

The SDK's UploadAsync method handles block-level parallelism and retries, providing resilience and throughput.

Why this answer

Option A is correct because the Azure Storage SDK's UploadAsync method automatically uses block blob staging, splitting the 500 MB file into multiple blocks that are uploaded in parallel. This provides high throughput and resilience: if a network interruption occurs, only the failed blocks need to be retried, not the entire file. The SDK handles block management and final commit, making it ideal for large file uploads.

Exam trap

The trap here is that candidates may choose AzCopy (Option D) because it is a well-known high-performance tool, but the question explicitly requires a .NET application approach, making the SDK's UploadAsync the correct integrated solution.

How to eliminate wrong answers

Option B is wrong because HTTP PUT with the entire file in a single request is limited to 256 MB (or 64 MB for older API versions) and offers no retry granularity; a network interruption would require re-uploading the entire file. Option C is wrong because the Azure Portal upload is designed for small files (typically under 256 MB) and lacks programmatic control, parallelization, or resilience to interruptions. Option D is wrong because while AzCopy is a robust tool for bulk transfers, it is a command-line utility, not a .NET SDK approach; the question specifies using a .NET application, making AzCopy an external dependency rather than an integrated solution.

685
Multi-Selecthard

Which THREE of the following are true regarding Microsoft Entra ID authentication for Azure Storage?

Select 3 answers
A.SAS tokens are not supported when using Microsoft Entra ID authentication.
B.RBAC roles can be used to grant permissions to a user or service principal.
C.When Microsoft Entra ID authentication is enabled, Shared Key authorization is still allowed by default.
D.Managed identities can authenticate to Azure Storage without storing credentials.
E.The authentication process uses OAuth 2.0 access tokens.
AnswersB, D, E

RBAC roles control access to storage resources.

Why this answer

Options A, B, and D are correct. Option A is correct because RBAC roles like Storage Blob Data Contributor grant access to storage. Option B is correct because managed identities can be used for authentication.

Option D is correct because OAuth 2.0 access tokens are used. Option C is wrong because Shared Key authorization is disabled when only Microsoft Entra ID is allowed. Option E is wrong because SAS tokens can still be used even if Microsoft Entra ID is enabled, unless explicitly forbidden.

686
MCQeasy

You need to monitor the CPU and memory usage of an Azure Virtual Machine (VM) over the last 30 days. Which Azure service should you use?

A.Azure Service Health
B.Azure Advisor
C.Azure Monitor Metrics
D.Azure Log Analytics
AnswerC

Azure Monitor Metrics stores numerical performance data.

Why this answer

Option A is correct because Azure Monitor Metrics collects and stores performance counters like CPU and memory for Azure VMs. Option B is wrong because Azure Log Analytics works with logs, not metrics. Option C is wrong because Azure Service Health monitors Azure service outages, not VM performance.

Option D is wrong because Azure Advisor provides recommendations, not historical metrics.

687
Multi-Selecthard

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The team wants the control to be enforceable during normal operations.

Select 2 answers
A.Issuer and signature are valid for the trusted tenant
B.The user's display name is present
C.Token audience matches the API application ID URI or client ID
D.The token was sent in a query string
AnswersA, C

Issuer and signature validation confirms the token came from the expected identity provider.

Why this answer

Option A is correct because validating the issuer and signature ensures the JWT was issued by the trusted Microsoft Entra ID tenant and has not been tampered with. The issuer claim (iss) must match the tenant-specific issuer URL (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0), and the signature must be verified using the public keys from the OpenID Connect metadata endpoint. This is a fundamental security requirement for any API that accepts tokens from Entra ID.

Exam trap

The trap here is that candidates may think validating the user's display name (Option B) is necessary for authorization, but token validation is about verifying the token's authenticity and intended audience, not user attributes.

688
MCQmedium

You are developing a C# application that stores sensitive documents in Azure Blob Storage. The application needs to generate a time-limited shared access signature (SAS) that allows a client to only read and list blobs in a specific container. The SAS must be valid for exactly 1 hour from the current time. Which code snippet correctly creates the SAS? (Assume the BlobServiceClient and BlobContainerClient are properly initialized.)

A.var sasBuilder = new BlobSasBuilder { BlobContainerName = container.Name, Permissions = "rl", ExpiresOn = DateTimeOffset.UtcNow.AddHours(1) }; var sasUri = container.GenerateSasUri(sasBuilder);
B.var sasBuilder = new BlobSasBuilder { Permissions = "r", ExpiresOn = DateTimeOffset.UtcNow.AddHours(1) }; var sasUri = container.GenerateSasUri(sasBuilder);
C.var sasToken = container.GetSasToken(permissions: "rl", duration: TimeSpan.FromHours(1));
D.var sasBuilder = new BlobSasBuilder { Permissions = "rl", StartsOn = DateTimeOffset.UtcNow, ExpiresOn = DateTimeOffset.UtcNow.AddHours(1) }; var sasUri = container.GenerateSasUri(sasBuilder);
AnswerA

This correctly creates a BlobSasBuilder with permissions 'rl' (read and list) and an expiry of 1 hour. The GenerateSasUri method returns the URI with the SAS token.

Why this answer

Option A is correct because it creates a `BlobSasBuilder` with the container name, permissions set to "rl" (read and list), and an expiration time of exactly 1 hour from the current UTC time. The `GenerateSasUri` method then produces a SAS URI that grants the specified permissions for the container. This matches the requirement for a time-limited SAS that allows only read and list operations on blobs in the container.

Exam trap

The trap here is that candidates often think they must set `StartsOn` to the current time to make the SAS valid immediately, but Azure Storage automatically treats the SAS as valid from the time of generation if `StartsOn` is omitted, and including it can cause failures due to clock skew.

How to eliminate wrong answers

Option B is wrong because it sets permissions to "r" (read only) instead of "rl" (read and list), so it does not grant the required list permission. Option C is wrong because `GetSasToken` is not a valid method on `BlobContainerClient`; the correct approach is to use `BlobSasBuilder` and `GenerateSasUri`. Option D is wrong because it includes a `StartsOn` property set to the current time, which is unnecessary and can cause issues with clock skew; the SAS should start immediately without an explicit start time to avoid potential time synchronization problems.

689
MCQmedium

You deploy a container to Azure Container Instances (ACI). The container runs a background job that should automatically restart only if it exits with a non-zero exit code (i.e., crashes). You want to minimize costs. Which restart policy should you configure?

A.Set restart policy to Always and use a private container registry
B.Set restart policy to OnFailure and use a single container group
C.Set restart policy to Never and use a public container registry
D.Set restart policy to OnFailure and deploy in a virtual network
AnswerB

OnFailure restarts only on crashes, and a single container group is the simplest and lowest-cost configuration.

Why this answer

The OnFailure restart policy restarts the container only when it exits with a non-zero exit code, which matches the requirement to restart only on crashes. This policy minimizes costs because the container does not run continuously when it exits successfully, unlike the Always policy. Using a single container group is the simplest and most cost-effective deployment for a single background job.

Exam trap

The trap here is that candidates may confuse OnFailure with Always, thinking that any restart policy that restarts on failure must also restart on success, or they may over-engineer the solution by adding unnecessary features like a virtual network or private registry.

How to eliminate wrong answers

Option A is wrong because the Always restart policy restarts the container regardless of exit code, causing unnecessary runs and higher costs, and using a private container registry does not affect restart behavior. Option C is wrong because the Never restart policy does not restart the container at all, even on crashes, failing the requirement. Option D is wrong because deploying in a virtual network adds complexity and cost without any benefit for the restart policy requirement; the OnFailure policy itself is correct, but the virtual network is unnecessary and increases expenses.

690
MCQhard

You are running a containerized application on Azure Container Instances. The application requires a custom DNS server. How should you configure this?

A.Set the DNS server in the container's environment variables
B.Use the 'dnsConfig' property in the container group configuration
C.Set the restart policy to 'Always'
D.Configure the DNS server in the Dockerfile
AnswerB

dnsConfig sets custom DNS servers for the container group.

Why this answer

Azure Container Instances (ACI) supports custom DNS server configuration at the container group level via the 'dnsConfig' property in the deployment JSON or ARM template. This property allows you to specify an array of DNS server IP addresses and optional search domains, which are applied to all containers within the group. Environment variables cannot override DNS resolution, and the Dockerfile's DNS settings are ignored by ACI because the container group's network stack is managed by the Azure platform.

Exam trap

The trap here is that candidates assume DNS configuration can be set via environment variables or the Dockerfile, similar to how they might configure it in a standalone Docker environment, but ACI requires explicit container group-level network settings that override any container-level DNS directives.

How to eliminate wrong answers

Option A is wrong because environment variables are for runtime configuration (e.g., connection strings, feature flags) and have no effect on DNS resolution; ACI does not interpret any environment variable as a DNS server. Option C is wrong because the restart policy ('Always', 'OnFailure', 'Never') controls container restart behavior after exit, not network or DNS configuration. Option D is wrong because the Dockerfile's DNS settings (e.g., '--dns' in Docker build or 'dns' directive) are overridden by the container orchestrator; ACI uses its own network namespace and ignores Dockerfile-level DNS configuration.

691
MCQhard

Your company, Contoso Ltd., operates a global e-commerce platform. The platform stores product images in Azure Blob Storage. Currently, the images are stored in a single storage account in the West US region. The application uses HTTP to download images. Users in Europe report slow load times. You need to reduce latency for European users. The solution must minimize costs and administrative overhead. You also need to ensure that images are served over HTTPS. You have the following requirements: 1) Users in Europe must have low-latency access. 2) The solution must be cost-effective. 3) The solution must not require changes to the application code. 4) Images must be served over HTTPS. Which course of action should you recommend?

A.Use Azure Front Door with the storage account as a backend.
B.Create an Azure CDN profile and add a CDN endpoint that points to the storage account. Enable HTTPS on the CDN endpoint.
C.Create a secondary storage account in Europe and use asynchronous replication. Update the application to use the secondary endpoint for European users.
D.Enable geo-redundant storage (GRS) on the storage account.
AnswerB

CDN caches content at edge locations and supports HTTPS.

Why this answer

Option B is correct because Azure CDN provides a global, distributed network of edge servers that cache content closer to users, reducing latency for European users without requiring application code changes. Enabling HTTPS on the CDN endpoint ensures images are served securely over HTTPS, meeting the requirement. This solution is cost-effective as it uses a pay-as-you-go model and minimizes administrative overhead by leveraging a managed service.

Exam trap

The trap here is confusing Azure CDN with Azure Front Door or geo-replication, where candidates might think a global load balancer or storage replication is needed for latency reduction, but Azure CDN is the simplest and most cost-effective solution for static content caching without code changes.

How to eliminate wrong answers

Option A is wrong because Azure Front Door is primarily a global load balancer and application delivery controller optimized for HTTP/HTTPS traffic with advanced routing and WAF capabilities, but it is more expensive than Azure CDN for simple static content delivery and introduces unnecessary complexity for this use case. Option C is wrong because it requires application code changes to redirect European users to the secondary endpoint, violating the 'no changes to application code' requirement, and asynchronous replication adds cost and administrative overhead. Option D is wrong because geo-redundant storage (GRS) replicates data to a paired region for disaster recovery, not for low-latency content delivery; it does not serve content from the secondary region and does not provide HTTPS termination at the edge.

692
Multi-Selectmedium

You are designing a solution that processes orders from an e-commerce website. The solution must guarantee that each order is processed exactly once. Which TWO Azure services can you use to achieve this requirement?

Select 2 answers
A.Azure Service Bus
B.Azure Storage Queues
C.Azure Event Grid
D.Azure Cache for Redis
E.Azure Event Hubs
AnswersA, E

Service Bus supports duplicate detection for exactly-once.

Why this answer

Azure Service Bus queues support message sessions and duplicate detection to ensure exactly-once processing. Azure Event Hubs with consumer groups and checkpointing can also achieve exactly-once semantics when combined with idempotent processing. Option A is correct because Service Bus provides duplicate detection.

Option B is correct because Event Hubs with checkpointing can achieve exactly-once. Option C is incorrect because Azure Storage Queues do not guarantee exactly-once. Option D is incorrect because Event Grid offers at-least-once delivery.

Option E is incorrect because Azure Cache for Redis is not a messaging service.

693
Multi-Selecteasy

You are deploying a web app to Azure App Service. You need to enable continuous deployment from a GitHub repository. Which TWO actions are required?

Select 2 answers
A.Create a new App Service plan
B.Set up a build provider like GitHub Actions or Kudu
C.Configure the Deployment Center in the App Service to connect to GitHub
D.Enable Application Insights
E.Add a custom domain to the App Service
AnswersB, C

Build provider handles the build and deployment steps.

Why this answer

B is correct because to enable continuous deployment from GitHub, you need a build provider that compiles your code and deploys it to Azure App Service. GitHub Actions is a modern CI/CD solution that can build and deploy your application, while Kudu is the legacy deployment engine that can also handle build and sync operations. Without a build provider, the source code cannot be transformed into a runnable application on App Service.

Exam trap

The trap here is that candidates often think creating an App Service plan (Option A) is a required step for continuous deployment, but the plan is a separate prerequisite for hosting the web app, not for the deployment pipeline itself.

694
MCQmedium

A booking backend uses Azure Functions with HTTP triggers. The developer wants to reject unauthenticated calls before function code executes. Which feature should be configured?

A.Application Insights sampling
B.App Service Authentication / Easy Auth with Microsoft Entra ID
C.Deployment slots
D.Function timeout
AnswerB

Built-in authentication validates requests before they reach application code.

Why this answer

App Service Authentication (Easy Auth) with Microsoft Entra ID allows the developer to reject unauthenticated calls before the function code executes by configuring the 'Action to take when request is not authenticated' to 'Log in with Microsoft Entra ID' or 'Return HTTP 401 Unauthorized'. This is enforced at the App Service platform layer, meaning the function trigger code never runs for unauthenticated requests, which is exactly the requirement.

Exam trap

The trap here is that candidates may think authentication must be handled inside the function code using attributes like [Authorize] or manual token validation, overlooking the platform-level Easy Auth feature that rejects calls before any code runs.

How to eliminate wrong answers

Option A is wrong because Application Insights sampling is a telemetry feature that reduces the volume of data collected for monitoring and diagnostics; it has no capability to authenticate or reject HTTP requests. Option C is wrong because deployment slots are used for staging, swapping, and testing different versions of the function app; they do not provide any authentication or authorization mechanism. Option D is wrong because function timeout controls the maximum execution duration for a function (default 5 minutes for Consumption plan); it cannot reject unauthenticated calls before code execution.

695
MCQeasy

You are deploying a containerized application to Azure Container Instances. The application requires a custom domain name and SSL/TLS termination. You need to configure these features. Which resource should you create alongside the container group?

A.Azure Front Door
B.Azure Application Gateway
C.Azure Container Registry
D.Azure DNS zone
AnswerB

Azure Application Gateway can terminate SSL, route traffic based on host names, and assign a custom domain to the container group.

Why this answer

Azure Application Gateway provides Layer 7 load balancing with SSL/TLS termination and custom domain support. By associating a custom domain with the Application Gateway's frontend IP and uploading an SSL certificate, you can terminate HTTPS connections at the gateway and forward traffic to the container group over HTTP. This meets the requirement without exposing the container group directly.

Exam trap

The trap here is that candidates often confuse Azure Front Door's global SSL termination with the regional, direct SSL termination needed for a single container group, or mistakenly think a DNS zone alone can handle SSL termination.

How to eliminate wrong answers

Option A is wrong because Azure Front Door is a global, anycast-based load balancer and CDN that terminates SSL at the edge, but it is designed for HTTP/S traffic distribution across regions, not for direct SSL termination and custom domain binding to a single container group in a specific region. Option C is wrong because Azure Container Registry is a private Docker registry for storing and managing container images; it does not provide networking features like custom domains or SSL termination. Option D is wrong because Azure DNS zone is used for hosting DNS records and resolving domain names to IP addresses, but it does not terminate SSL/TLS or route traffic to the container group; it only provides name resolution.

696
Multi-Selecthard

Which THREE factors should be considered when choosing between Azure Service Bus and Azure Event Hubs for a messaging solution? (Choose 3)

Select 3 answers
A.Event Hubs cannot be used with Apache Kafka client applications
B.Event Hubs is optimized for high-throughput telemetry ingestion
C.Service Bus supports topics and subscriptions for publish/subscribe patterns
D.Service Bus does not support the AMQP protocol
E.Both services can be used in a hybrid cloud architecture with on-premises systems
AnswersB, C, E

Event Hubs is designed for high-volume telemetry.

Why this answer

Options A, B, and D are correct: Service Bus supports topics and subscriptions for pub/sub, Event Hubs is optimized for high-throughput telemetry, and both can be used in hybrid architectures. Option C is incorrect because both services support AMQP. Option E is incorrect because both can be used with Kafka protocol, but Event Hubs has native Kafka support.

697
MCQhard

Refer to the exhibit. You are creating an Azure Service Bus queue using an ARM template. The requirement is that messages should be automatically dead-lettered after 3 failed delivery attempts. Does this configuration meet the requirement?

A.No, because lockDuration should be shorter
B.Yes, because defaultMessageTimeToLive ensures messages expire
C.No, because maxDeliveryCount should be 3
D.Yes, because maxDeliveryCount is set
AnswerC

To dead-letter after 3 attempts, maxDeliveryCount must be 3.

Why this answer

The queue has maxDeliveryCount set to 10, which means messages will be retried up to 10 times before dead-lettering. The requirement is 3 attempts, so this configuration does not meet the requirement. Option A is wrong because the maxDeliveryCount is 10.

Option B is correct. Option C is wrong because lockDuration does not affect delivery count. Option D is wrong because TTL is separate from delivery count.

698
MCQmedium

An application publishes order events that multiple independent subscribers must process. Subscribers may be added later without changing the publisher. Which Azure messaging service should be used? The architecture review board prefers a managed AWS-native control.

A.Azure Blob Storage lifecycle policy
B.Azure Storage Queue
C.Azure Cache for Redis list only
D.Azure Service Bus topic
AnswerD

Service Bus topics support publish-subscribe messaging with independent subscriptions.

Why this answer

Azure Service Bus topics support a publish-subscribe pattern where multiple independent subscribers can process the same message. Subscribers can be added later without modifying the publisher, and each subscriber receives its own copy of the message through subscriptions. This matches the requirement for order events that must be processed by multiple independent subscribers.

Exam trap

The trap here is that candidates often confuse Azure Storage Queue (point-to-point) with Service Bus topics (pub-sub), failing to recognize that multiple independent subscribers require a topic-based pattern, not a queue.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage lifecycle policy is used to manage blob tiering and deletion based on age, not for messaging or event distribution. Option B is wrong because Azure Storage Queue implements a point-to-point queue pattern where a single consumer processes each message; it does not support multiple independent subscribers receiving the same message. Option C is wrong because Azure Cache for Redis list only provides a simple list data structure for FIFO operations, not a managed pub-sub messaging system with durable subscriptions and independent subscriber processing.

699
MCQmedium

You are developing a solution that uses Azure Container Instances to run a batch job. The job requires 8 GB of memory and 4 vCPUs. You need to minimize costs. Which container group configuration should you choose?

A.Linux containers split into two containers (4 GB each) in the same group
B.Linux container with 8 GB and 4 vCPUs in a single container group
C.Windows container with 8 GB memory and 4 vCPUs
D.Linux container with 8 GB and 4 vCPUs, but using two separate container groups
AnswerB

Linux is cheaper, single group minimizes overhead.

Why this answer

Option B is correct because Azure Container Instances bills per container group, not per container within the group. A single Linux container with 8 GB and 4 vCPUs in one container group meets the job's requirements with the lowest cost, as it avoids the overhead of multiple containers or groups. Splitting resources across containers or using separate groups would increase costs without benefit.

Exam trap

The trap here is that candidates may think splitting resources across multiple containers or groups reduces cost, but Azure bills per container group as a whole, so consolidating into a single group with the required resources is the most cost-effective approach.

How to eliminate wrong answers

Option A is wrong because splitting the job into two containers (4 GB each) in the same group does not reduce cost—the group still requires the sum of resources (8 GB, 4 vCPUs) and is billed as a single unit, so there is no savings. Option C is wrong because Windows containers in Azure Container Instances are more expensive than Linux containers for the same resource allocation, increasing cost without technical necessity. Option D is wrong because using two separate container groups incurs billing for each group independently, doubling the cost compared to a single group with the same total resources.

700
MCQmedium

A Cosmos DB container for session records receives hot-partition throttling because the partition key has only five possible values. What should the developer change? The design must avoid adding custom operational scripts.

A.Increase the default TTL
B.Enable analytical store only
C.Choose a partition key with higher cardinality and even request distribution
D.Use a stored procedure for every write
AnswerC

A good partition key spreads storage and throughput across logical partitions.

Why this answer

Option C is correct because hot-partition throttling occurs when a partition key has low cardinality (few distinct values), causing uneven request distribution and exceeding the physical partition's throughput limits. Choosing a partition key with higher cardinality and even request distribution spreads operations across more physical partitions, eliminating throttling without custom scripts.

Exam trap

The trap here is that candidates confuse throughput scaling mechanisms (TTL, analytical store, stored procedures) with partition key design, which is the only way to resolve hot-partition throttling without custom scripts.

How to eliminate wrong answers

Option A is wrong because increasing the default TTL only affects document expiration and deletion, not partition-level throughput or request distribution. Option B is wrong because enabling analytical store only adds a columnar store for analytical queries; it does not affect transactional request routing or partition key design. Option D is wrong because using a stored procedure for every write does not change the partition key or distribution; it still writes to the same logical partition, so throttling persists.

701
MCQmedium

You are developing a microservices application. Each microservice must authenticate to Azure SQL Database using its own identity. You need to minimize credential management overhead. What should you use?

A.System-assigned managed identities
B.User-assigned managed identities
C.Certificate-based authentication
D.Service principals with client secrets
AnswerA

Each Azure resource can have a system-assigned identity, providing a unique identity per microservice.

Why this answer

System-assigned managed identities are tied to the lifecycle of the Azure resource and are automatically created and deleted. They are ideal for each microservice to have its own identity without managing credentials. Option A is wrong because user-assigned managed identities are shared across resources, not per-service.

Option C is wrong because service principals require managing secrets. Option D is wrong because certificate-based authentication still requires certificate management.

702
MCQmedium

Refer to the exhibit. You deploy this ARM template to create an Azure App Service. After deployment, the application stops responding after a few minutes. The application is a .NET 6 web API that runs in a Linux container. What is the most likely cause?

A.The ARM template is missing the 'dependsOn' element.
B.The 'linuxFxVersion' is set incorrectly for .NET 6.
C.The 'alwaysOn' setting is enabled but the App Service plan is on a tier that does not support Always On.
D.The 'WEBSITE_RUN_FROM_PACKAGE' app setting is incorrectly set to '1'.
AnswerC

Free/Shared tiers ignore Always On; app may be unloaded.

Why this answer

Option B is correct. The template sets 'alwaysOn' to true, which keeps the app loaded even when idle. However, the Free and Shared pricing tiers do not support Always On; the feature is only available in Basic, Standard, Premium, and Isolated tiers.

If the hosting plan is on a tier that doesn't support Always On, the setting is ignored, but more importantly, the app might be recycled due to idle timeout. The app stops responding, indicating that the app pool recycles. Option A is wrong because 'WEBSITE_RUN_FROM_PACKAGE' is valid.

Option C is wrong because 'linuxFxVersion' is correct for .NET 6. Option D is wrong because the template is valid JSON.

703
MCQmedium

An App Service application uses a staging deployment slot connected to a staging database and a production slot connected to a production database. Both use an app setting called 'DbConnectionString'. After a slot swap, the production slot starts using the staging database connection string. What configuration change prevents this?

A.Mark the 'DbConnectionString' app setting as a deployment slot setting (sticky) so it remains bound to its slot across all swaps
B.Store the connection string in Azure Key Vault and reference it via a Key Vault reference in both slots
C.Use different app setting names for each slot (e.g., 'StagingDbConnectionString' and 'ProductionDbConnectionString') and swap code manually
D.Disable slot swaps and use a CI/CD pipeline to deploy directly to production instead
AnswerA

Sticky settings are slot-specific. When slots swap, the code moves but sticky settings stay with the slot they were defined in. The staging slot retains its staging DbConnectionString and the production slot retains its production DbConnectionString permanently, regardless of how many swaps occur.

Why this answer

Option A is correct because marking the 'DbConnectionString' app setting as a deployment slot setting (also called a sticky setting) ensures that the setting remains bound to its slot during a swap. When a slot swap occurs, Azure App Service automatically moves non-sticky app settings and connection strings to the target slot, but sticky settings are excluded from the swap and stay with their original slot. This prevents the production slot from accidentally picking up the staging database connection string after the swap.

Exam trap

The trap here is that candidates often think Key Vault references or different naming conventions solve the swap issue, but they overlook that the fundamental problem is the setting being non-sticky and moving with the swap, which only the 'deployment slot setting' flag can prevent.

How to eliminate wrong answers

Option B is wrong because storing the connection string in Azure Key Vault and referencing it via a Key Vault reference does not prevent the setting from being swapped; the reference itself is an app setting that is non-sticky by default and will move with the swap. Option C is wrong because using different app setting names for each slot and manually swapping code defeats the purpose of automated slot swaps and introduces human error; it does not leverage the built-in slot swap mechanism. Option D is wrong because disabling slot swaps and using a CI/CD pipeline to deploy directly to production avoids the issue but eliminates the benefits of slot swapping (e.g., zero-downtime deployment, easy rollback); it is a workaround, not a configuration change that prevents the problem.

704
MCQmedium

Backend APIs exposed through Azure API Management are consumed by multiple subscribers. The product owner wants to prevent any single subscriber from sending more than 100 requests per minute, while allowing subscribers with heavier plans to have higher limits configured separately. Which APIM policy implements per-subscriber rate limiting?

A.Apply the rate-limit-by-key policy using the subscription key as the counter key, with calls set to 100 and renewal-period to 60
B.Apply the quota policy to the product with a total of 100 calls per minute shared across all subscribers
C.Apply an ip-filter policy that blocks IP addresses making more than 100 requests per minute
D.Configure a backend circuit breaker policy to return cached responses after 100 calls
AnswerA

rate-limit-by-key with counter-key='@(context.Subscription.Id)' (or the subscription key header) creates a separate 100-calls/60-second counter per subscriber. When a subscriber's counter reaches 100, APIM returns 429 Too Many Requests for that subscriber while other subscribers continue at full rate.

Why this answer

Option A is correct because the `rate-limit-by-key` policy in Azure API Management enforces a per-key rate limit, and using the subscription key as the counter key ensures each subscriber is limited individually. The `calls` parameter set to 100 and `renewal-period` to 60 seconds matches the requirement of 100 requests per minute per subscriber, while allowing different limits for different plans by applying separate policies with different call counts.

Exam trap

The trap here is confusing the `quota` policy (which sets a total limit shared across all subscribers of a product) with the `rate-limit-by-key` policy (which enforces per-subscriber limits), leading candidates to pick Option B when they see 'product' and 'per minute' without recognizing the shared vs. individual distinction.

How to eliminate wrong answers

Option B is wrong because the `quota` policy applied to a product with 100 calls per minute shared across all subscribers enforces a total limit for the entire product, not per subscriber, so a single subscriber could consume all 100 calls and block others. Option C is wrong because the `ip-filter` policy blocks or allows traffic based on IP addresses, but it cannot track request counts per minute or differentiate between subscribers sharing the same IP (e.g., behind a NAT), and it does not provide rate limiting based on subscription keys. Option D is wrong because a backend circuit breaker policy is used to protect the backend from overload by returning cached responses after a failure threshold, not to limit client request rates; it does not track per-subscriber request counts or enforce rate limits.

705
MCQmedium

You are implementing a microservices solution on Azure Kubernetes Service (AKS). You need to securely store and retrieve connection strings to a database without hardcoding them in the application code. The solution should automatically rotate secrets every 90 days. What should you use?

A.Azure Key Vault with Key Vault Secrets Provider for AKS
B.Kubernetes Secrets with a CronJob to update them
C.Azure Managed Identity for the pod
D.Azure App Configuration with a managed identity
AnswerA

Key Vault provides secure storage and supports automatic rotation; the provider integrates with AKS.

Why this answer

Azure Key Vault with the Key Vault Secrets Provider for AKS allows mounting secrets as volumes, and Key Vault supports automatic rotation and versioning. Option A is correct because it integrates rotation. Option B lacks automatic rotation.

Option C is for non-Kubernetes environments. Option D is a service not a store.

706
MCQmedium

You are building an Azure Logic App that must consume messages from an Azure Service Bus queue. The queue messages are JSON payloads containing order information. The Logic App must process each message exactly once and in the order they are received. You need to configure the trigger in the Logic App. Which trigger type and property should you choose?

A.Use a Service Bus trigger with the 'PeekLock' mode and set the 'IsSessionsEnabled' property to false
B.Use a Service Bus trigger with the 'ReceiveAndDelete' mode
C.Use a Service Bus trigger with the 'PeekLock' mode and set the 'IsSessionsEnabled' property to true
D.Use an Event Grid trigger for Service Bus
AnswerC

Sessions provide FIFO order within a session, and PeekLock allows the Logic App to complete or abandon the message, ensuring exactly-once processing.

Why this answer

Option C is correct because Service Bus sessions provide first-in-first-out (FIFO) ordering and exactly-once processing. By enabling sessions (IsSessionsEnabled = true) and using PeekLock mode, the Logic App can lock a message while processing, ensuring it is not delivered to other consumers, and sessions guarantee that messages with the same session ID are processed in order. This meets the requirement of processing each message exactly once and in the order received.

Exam trap

The trap here is that candidates often assume PeekLock mode alone guarantees ordering, but without sessions, multiple concurrent trigger instances can pick up messages from the same queue out of order, breaking the FIFO requirement.

How to eliminate wrong answers

Option A is wrong because PeekLock mode without sessions (IsSessionsEnabled = false) does not guarantee message ordering; messages may be processed out of order if multiple triggers fire concurrently. Option B is wrong because ReceiveAndDelete mode removes the message from the queue immediately upon retrieval, making it impossible to retry processing on failure and violating exactly-once semantics. Option D is wrong because an Event Grid trigger for Service Bus is designed for event-driven notifications (e.g., when a queue has messages) but does not provide built-in ordering or exactly-once processing guarantees; it also introduces potential duplicate deliveries.

707
MCQeasy

You are building an Azure Logic App that must call an external REST API. The API requires an API key passed in the Authorization header. You need to store the API key securely and reference it in the Logic App without exposing it in the workflow definition. What should you do?

A.A
B.B
C.C
D.D
AnswerA

This approach securely stores the API key in Azure Key Vault and uses the Key Vault connector to retrieve it at runtime without exposing the key in the Logic App definition.

Why this answer

Option A is correct because Azure Logic Apps can securely reference API keys stored in Azure Key Vault using a managed identity. By configuring the Logic App with a system-assigned or user-assigned managed identity, you grant it access to retrieve the secret from Key Vault at runtime without hardcoding the key in the workflow definition or connection parameters. This approach ensures the API key is never exposed in the Logic App's JSON definition or source control.

Exam trap

The trap here is that candidates often confuse Azure App Configuration with Azure Key Vault, assuming App Configuration's encrypted storage is sufficient for secrets, but Key Vault is the only service designed for managing and auditing access to sensitive secrets like API keys.

How to eliminate wrong answers

Option B is wrong because storing the API key directly in the Logic App's connection parameters or workflow definition, even if marked as a secure string, still embeds the secret in the definition file and can be exposed through source control or runtime history. Option C is wrong because using an Azure App Configuration reference with a plain-text value does not provide encryption at rest or access control; it still requires the key to be stored in the configuration store without native secret management. Option D is wrong because passing the API key as a query parameter in the HTTP request URL exposes the secret in server logs, browser history, and network traces, violating security best practices.

708
MCQmedium

You are building an integration solution that connects an on-premises SQL Server database to Azure Data Factory. The on-premises network does not allow direct inbound connections from Azure. You need to securely transfer data from the database to Azure Blob Storage. Which data factory component should you use?

A.Self-hosted Integration Runtime
B.Azure Integration Runtime
C.Azure-SSIS Integration Runtime
D.Azure Data Lake Storage connector
AnswerA

Self-hosted IR runs on a local machine and can connect to on-premises SQL Server, sending data to Azure via outbound HTTPS, satisfying security requirements.

Why this answer

The Self-hosted Integration Runtime (SHIR) is required because the on-premises SQL Server database resides in a network that blocks direct inbound connections from Azure. SHIR acts as a bridge, running on a local machine or VM within the on-premises network, enabling Azure Data Factory to securely connect to the database via outbound HTTPS (port 443) or the Microsoft Service Bus. It handles data movement and transformation without exposing the on-premises network to inbound traffic.

Exam trap

The trap here is that candidates often confuse the Azure Integration Runtime (which works only for cloud-to-cloud scenarios) with the Self-hosted Integration Runtime, assuming Azure's built-in runtime can somehow tunnel into on-premises networks without explicit configuration.

How to eliminate wrong answers

Option B (Azure Integration Runtime) is wrong because it operates entirely within Azure's public cloud and cannot access on-premises resources behind a firewall that blocks inbound connections. Option C (Azure-SSIS Integration Runtime) is wrong because it is designed for lifting and shifting SQL Server Integration Services (SSIS) packages to Azure, not for direct data transfer between on-premises SQL Server and Azure Blob Storage via ADF pipelines. Option D (Azure Data Lake Storage connector) is wrong because it is a data sink or source connector, not a compute component for connectivity; it requires an Integration Runtime to actually move data.

709
Multi-Selecthard

You are deploying a critical application on Azure App Service. The application must be highly available across two Azure regions. You need to implement a disaster recovery strategy that meets the following requirements: automatic failover with minimal data loss, and the ability to test failover without affecting production. Which THREE actions should you perform?

Select 3 answers
A.Use deployment slots to test failover before making it active.
B.Configure the app to use active-passive database replication.
C.Configure Azure Traffic Manager with priority routing to fail over automatically.
D.Deploy both instances in the same App Service Plan.
E.Deploy the app to two Azure App Service instances in paired regions.
AnswersA, C, E

Slots allow you to swap and test without affecting production.

Why this answer

Option A is correct because deployment slots in Azure App Service allow you to create separate environments (e.g., staging) that can be swapped to production. This enables testing failover scenarios (like pointing Traffic Manager to the staging slot) without affecting the live production traffic, meeting the requirement for non-disruptive failover testing.

Exam trap

The trap here is that candidates often confuse deployment slots with actual cross-region failover, but slots are for in-place staging/testing within a single region, not for disaster recovery across regions—however, they are correctly used here to test the failover behavior before making it active.

710
Multi-Selectmedium

A developer needs to authenticate an Azure Function app to call Microsoft Graph API. Which THREE components are required?

Select 3 answers
A.Azure API Management
B.Microsoft Entra ID app registration
C.Azure SQL Database
D.Azure Key Vault
E.Azure Managed Identity
AnswersB, D, E

App registration defines permissions and authentication.

Why this answer

Option B is correct because an app registration in Microsoft Entra ID (formerly Azure AD) is required to define the application identity, configure API permissions for Microsoft Graph, and obtain a client ID and tenant ID. This registration is the foundation for OAuth 2.0 authentication flows, enabling the Azure Function to request an access token for Microsoft Graph.

Exam trap

The trap here is that candidates often think Azure API Management is needed to secure the outbound call, but it is only relevant for inbound API management, not for the Function app's own authentication to Microsoft Graph.

711
MCQeasy

You need to deploy a web app that uses Azure SQL Database. The connection string must be securely stored and automatically rotated without application downtime. What should you use?

A.Store the connection string as an environment variable in the App Service.
B.Store the connection string in a web.config file with encrypted configuration.
C.Store the connection string in Azure App Configuration and use a managed identity.
D.Store the connection string in Azure Key Vault and configure automatic rotation.
AnswerD

Key Vault provides rotation capabilities.

Why this answer

Azure Key Vault supports automatic rotation of secrets (e.g., SQL connection strings) via integration with Azure SQL. Option A is correct. Option B is incorrect because App Configuration does not natively rotate secrets.

Option C is incorrect because environment variables do not support rotation. Option D is incorrect because connection strings in web.config are not rotated automatically.

712
Multi-Selectmedium

You are designing a solution to store large amounts of log data that will be queried infrequently but must be retained for regulatory purposes for 7 years. The logs are append-only and do not need to be modified. You need to choose a cost-effective storage option. Which three Azure capabilities should you consider? (Choose three.)

Select 3 answers
A.Azure Blob Storage soft delete
B.Azure Blob Storage lifecycle management policy
C.Azure Blob Storage with Cool access tier
D.Azure Table Storage
E.Azure Blob Storage immutability policy
AnswersB, C, E

Lifecycle management can move data to Archive tier after a period to further reduce costs.

Why this answer

Azure Blob Storage with Cool or Archive access tier is cost-effective for infrequent access. Lifecycle management can automate tier transitions. Immutability policies ensure logs cannot be modified, meeting regulatory requirements.

Soft delete is for accidental deletion, not immutability.

713
MCQmedium

You are developing a serverless application using Azure Functions that processes sensitive data. The function needs to access Azure Key Vault to retrieve a secret. You want to use managed identity for authentication. What should you do first?

A.Enable the system-assigned managed identity on the function app and grant it the Key Vault Secrets User role.
B.Enable the system-assigned managed identity on the Key Vault.
C.Store the client ID and client secret of a service principal in the function app settings.
D.Create a user-assigned managed identity and assign it to the Key Vault.
AnswerA

This allows the function to authenticate to Key Vault without secrets.

Why this answer

Option D is correct because the function app must have a managed identity enabled, and then the identity needs to be granted permissions in Key Vault. Option A is wrong because managed identity does not use client secrets. Option B is wrong because the identity is assigned to the function app, not Key Vault.

Option C is wrong because enabling the identity in Key Vault is not possible.

714
MCQmedium

You need to diagnose a slow-performing Azure Function. Application Insights shows that the function's dependency calls to an external API take an unusually long time. Which Application Insights feature should you use to visualize the end-to-end request flow?

A.Metrics Explorer
B.Live Metrics Stream
C.Application Map
D.Smart Detection
AnswerC

Application Map visualizes the call flow between components and highlights performance issues, including slow dependencies.

Why this answer

Application Map is the correct feature because it provides a visual representation of the end-to-end request flow across distributed components, including dependency calls to external APIs. It shows the latency and failure rates for each dependency, allowing you to pinpoint where the slowdown occurs in the overall transaction.

Exam trap

The trap here is that candidates often confuse Live Metrics Stream (real-time monitoring) with Application Map (end-to-end flow visualization), or they think Metrics Explorer can trace individual requests when it only aggregates data over time.

How to eliminate wrong answers

Option A is wrong because Metrics Explorer is used to query and visualize aggregated metrics (e.g., request count, failure rate) over time, not to trace the flow of a single request through dependencies. Option B is wrong because Live Metrics Stream shows real-time telemetry (e.g., incoming requests, CPU usage) but does not provide a historical or dependency-level flow visualization. Option D is wrong because Smart Detection proactively identifies anomalies (e.g., sudden spikes in failures) using machine learning, but it does not offer a manual, interactive map of request paths.

715
MCQmedium

Refer to the exhibit. You are reviewing an ARM template for a storage account. A security audit requires that all storage accounts enforce TLS 1.2 or higher. Does this configuration meet the requirement?

A.No, because supportsHttpsTrafficOnly does not enforce TLS version
B.Yes, because minimumTlsVersion is set to TLS1_2
C.No, because minimumTlsVersion is not a valid property
D.No, because the property should be minimumTlsVersion: "1.2"
AnswerB

This property enforces the minimum TLS version.

Why this answer

The property 'minimumTlsVersion' is set to 'TLS1_2', which enforces TLS 1.2 as the minimum version. This meets the requirement. Option A is correct.

Option B is wrong because the property exists and is set correctly. Option C is wrong because the property is indeed supported for StorageV2. Option D is wrong because 'supportsHttpsTrafficOnly' is about HTTPS, not TLS version.

716
MCQeasy

Refer to the exhibit. A developer is creating an Azure Data Factory pipeline to copy data from Azure Blob Storage to Azure SQL Database. The pipeline fails with a timeout error when copying large files. Which action should the developer take to resolve the issue?

A.Change the source type to DelimitedTextSource
B.Enable Data Integration Units (DIU) to increase throughput
C.Increase the timeout value in the copy activity settings
D.Use a staging copy with Azure Data Lake Storage Gen2
AnswerC

Increasing timeout will allow larger files to complete.

Why this answer

Option D is correct because increasing the copy activity's timeout setting will allow more time for large files. Option A is incorrect because the source is already BlobSource. Option B is incorrect because the issue is timeout, not throughput.

Option C is incorrect because staging is not needed for this scenario.

717
MCQeasy

Your application running on Azure App Service is experiencing intermittent high latency. You have enabled Application Insights and noticed that the 'Server response time' metric spikes during peak hours. What is the most likely cause of this issue?

A.Auto-scaling is configured too aggressively.
B.The application is using regional failover, causing delays.
C.The App Service plan is under-provisioned and hitting CPU limits.
D.The application is using too much memory.
AnswerC

High CPU usage during peak hours causes increased response times.

Why this answer

Option B is correct because high CPU usage on the App Service plan during peak hours can cause increased response times. Option A is incorrect because low memory usage would not cause high latency. Option C is incorrect because auto-scaling typically reduces latency.

Option D is incorrect because regional failover does not cause intermittent spikes during regular peak hours.

718
Multi-Selectmedium

You are designing a data archiving solution for compliance. Data must be stored for 7 years, with immediate deletion prohibited until the retention period expires. The solution must minimize storage costs while ensuring data is not modifiable. Which THREE Azure features should you combine?

Select 3 answers
A.Azure Blob Storage
B.Immutable storage with time-based retention policy
C.Azure Files
D.Cool or Archive access tier
E.Azure Backup
AnswersA, B, D

Base storage for archiving data.

Why this answer

Azure Blob Storage is the correct foundational service because it supports immutable storage, which enforces a WORM (Write Once, Read Many) policy. This ensures data cannot be modified or deleted during the retention period, meeting compliance requirements. Combined with time-based retention policies and cool/archive tiers, it provides a cost-effective, unmodifiable archive solution.

Exam trap

The trap here is that candidates often confuse Azure Files or Azure Backup as viable archiving solutions, overlooking that only Blob Storage with immutable policies provides the WORM guarantee required for compliance-driven data retention.

719
MCQeasy

You want to ensure that data in an Azure Storage account is replicated across multiple Azure regions to protect against regional outages. Which replication option should you choose?

A.Geo-redundant storage (GRS)
B.Locally-redundant storage (LRS)
C.Read-access geo-redundant storage (RA-GRS)
D.Zone-redundant storage (ZRS)
AnswerA

GRS replicates to a secondary region.

Why this answer

Geo-redundant storage (GRS) replicates your data synchronously three times within a primary region using LRS, then asynchronously replicates to a secondary region hundreds of miles away. This ensures data survives a complete regional outage because the secondary copy is available for read or write access after a failover, meeting the requirement for cross-region protection.

Exam trap

The trap here is that candidates often choose RA-GRS because they think read access is required for disaster recovery, but the question only asks for replication to protect against regional outages, making GRS the correct choice without the extra read-access feature.

How to eliminate wrong answers

Option B (LRS) is wrong because it replicates data only within a single datacenter in one region, providing no protection against a regional outage. Option C (RA-GRS) is wrong because while it does replicate across regions like GRS, it additionally provides read access to the secondary region during normal operations, which is not required by the question—the question only asks for replication to protect against regional outages, not read access. Option D (ZRS) is wrong because it replicates data synchronously across three availability zones within a single region, protecting against zone-level failures but not against a full regional outage.

720
MCQmedium

Your company runs a critical web application on Azure App Service (Windows) that experiences intermittent high CPU usage. The application uses the Standard tier with auto-scaling based on CPU percentage. During auto-scale events, there is a delay of several minutes before new instances become available, causing temporary performance degradation. You need to reduce the latency of scaling out. What should you do?

A.Configure auto-scaling to use HTTP queue length as the metric.
B.Enable the 'Always On' setting in the App Service application settings.
C.Upgrade the App Service plan to the Premium tier.
D.Change the auto-scale metric to memory percentage instead of CPU.
AnswerB

Always On prevents the app from being unloaded, reducing cold start time.

Why this answer

The 'Always On' setting prevents the App Service from being unloaded after periods of inactivity, which reduces the cold-start latency when new instances are added during auto-scale events. Without 'Always On', idle instances may be recycled, causing delays of several minutes as the application re-initializes on new VMs.

Exam trap

The trap here is that candidates often assume upgrading the tier or changing the metric will solve scaling latency, but the real bottleneck is the cold-start time of the application itself, which 'Always On' directly mitigates.

How to eliminate wrong answers

Option A is wrong because HTTP queue length measures pending requests, not CPU usage, and does not address the latency of instance provisioning during scale-out. Option C is wrong because upgrading to Premium tier improves performance and features but does not directly reduce the delay in scaling out; the cold-start issue persists unless 'Always On' is enabled. Option D is wrong because changing the metric to memory percentage does not affect the time it takes for new instances to become available; it only changes the trigger for scaling.

721
Multi-Selecthard

Your company stores sensitive documents in an Azure Storage account. You need to ensure that only authorized Microsoft Entra ID users can read the documents, and that shared keys (account access keys) cannot be used. Which two steps must you take? (Choose the most appropriate single answer that describes the combined action.)

Select 2 answers
A.Disable shared key access and configure RBAC roles for Microsoft Entra ID users
B.Enable Microsoft Entra ID authentication and use SAS tokens with a stored access policy
C.Enable firewall and virtual network service endpoints, then assign RBAC roles
D.Use user-delegation SAS tokens and disable shared key access
AnswersA, D

Correct. Disabling shared key access prevents the use of account keys, and RBAC grants permissions to specific Microsoft Entra ID users, enforcing Microsoft Entra ID-only authentication.

Why this answer

Option A is correct because disabling shared key access on the Azure Storage account prevents the use of account access keys, which are shared secrets. Configuring Azure RBAC roles (e.g., Storage Blob Data Reader) for Microsoft Entra ID users ensures that only authenticated and authorized users can read the documents, enforcing identity-based access control as required.

Exam trap

The trap here is that candidates often think SAS tokens or user-delegation SAS alone satisfy the requirement, but they overlook the explicit need to disable shared key access to prevent the use of account keys.

722
MCQhard

You run the command above to create an Azure Container Instance. The container exits with a non-zero exit code. You need to check the logs to debug the issue. Which command should you use next?

A.az container attach --resource-group myRG --name mycontainer
B.az container logs --resource-group myRG --name mycontainer
C.az container exec --resource-group myRG --name mycontainer --exec-command /bin/sh
D.az container show --resource-group myRG --name mycontainer --query containers[0].instanceView.currentState.exitCode
AnswerB

This command retrieves the logs of the container, even after it has exited.

Why this answer

The correct command is `az container logs` because it retrieves the stdout and stderr logs from a container that has exited, which is essential for debugging exit code failures. Since the container has already exited with a non-zero exit code, you need to inspect its logged output to understand the cause of the failure, and this command directly fetches those logs without requiring an active container.

Exam trap

The trap here is that candidates confuse `az container attach` (for live streaming of a running container) with `az container logs` (for retrieving historical logs from a stopped container), leading them to choose option A even though the container has already exited.

How to eliminate wrong answers

Option A is wrong because `az container attach` attaches your local console to a running container's output streams, but it requires the container to be currently running; it will not work for an already exited container. Option C is wrong because `az container exec` executes a command in a running container, but it cannot be used if the container has exited, as there is no active process to attach to. Option D is wrong because `az container show` with the query for exit code only returns the numeric exit code (e.g., 1), which does not provide the detailed log output needed to debug the root cause of the failure.

723
MCQmedium

Your company stores backup files in an Azure Blob Storage account. These files are written once and then need to be retained for 7 years. During the first year, the files are accessed weekly. After the first year, they are accessed rarely (once per month). You want to minimize storage costs. Which combination of access tiers and lifecycle management should you apply?

A.Store in Hot tier and move to Cool after 1 year, then to Archive after 7 years.
B.Store in Cool tier and move to Archive after 1 year.
C.Store directly in Archive tier and rehydrate to Cool when needed for access.
D.Store in Hot tier and move to Archive after 90 days.
AnswerB

Correct. Cool tier is sufficient for weekly access in the first year, and then Archive provides the lowest cost for the remaining 6 years when access is rare. Lifecycle management can automate the transition.

Why this answer

Option B is correct because it minimizes costs by storing files in the Cool tier from the start (matching the initial weekly access pattern) and then moving them to the Archive tier after one year when access drops to monthly. The Cool tier offers lower storage cost than Hot for infrequent access, and the Archive tier provides the lowest storage cost for data that is rarely accessed and can tolerate a retrieval latency of up to 15 hours. This lifecycle policy aligns with the 7-year retention requirement without incurring unnecessary early deletion charges or rehydration costs.

Exam trap

The trap here is that candidates assume the Hot tier is always the best starting point for any access pattern, ignoring that Cool tier is cheaper for data accessed less than once a month, and that Archive tier is not suitable for data that requires regular access within the first year due to its high rehydration latency and cost.

How to eliminate wrong answers

Option A is wrong because moving files to the Archive tier after 7 years is unnecessary—the files are retained for exactly 7 years, so moving them to Archive at the end of retention provides no cost benefit and may incur deletion charges if deleted immediately. Option C is wrong because storing directly in the Archive tier would require rehydration (which can take up to 15 hours) for the weekly accesses during the first year, causing unacceptable latency and additional read/retrieval costs. Option D is wrong because moving files to the Archive tier after only 90 days ignores the first-year weekly access pattern, leading to frequent rehydration costs and latency; also, the Hot tier is more expensive than Cool for the initial storage.

724
MCQmedium

An Azure Function processes events from Event Hubs. You need to monitor the number of events that were successfully processed and those that were dropped due to processing errors. Which approach should you use?

A.Custom metrics in Application Insights.
B.Event Hubs metrics.
C.Stream Analytics job.
D.Log Analytics query on function logs.
AnswerA

Correct. You can use the Application Insights SDK to log custom events or metrics for processed and dropped events.

Why this answer

Custom metrics in Application Insights allow you to track business-specific counters like successfully processed events and dropped events directly from your Azure Function code. By using the `TelemetryClient.TrackMetric()` API within the function's event processing logic, you can increment counters for success and failure scenarios, giving you precise, real-time monitoring of processing outcomes. This approach is more granular than built-in metrics because it reflects your application's custom error handling, not just infrastructure-level throughput.

Exam trap

The trap here is that candidates confuse infrastructure-level metrics (Event Hubs metrics) with application-level custom metrics, assuming that monitoring the Event Hubs output automatically reflects function processing success, when in fact the function's own error handling must be instrumented separately.

How to eliminate wrong answers

Option B is wrong because Event Hubs metrics (e.g., incoming messages, outgoing messages, throttled requests) measure the throughput at the Event Hubs namespace level, not the success or failure of downstream processing in the Azure Function. Option C is wrong because Stream Analytics is a real-time analytics service for processing streaming data, not a monitoring tool for tracking custom application-level events like processed vs. dropped counts. Option D is wrong because Log Analytics queries on function logs can retrieve logged events, but they require parsing unstructured log text and lack the real-time, aggregated metric capabilities that custom metrics in Application Insights provide for dashboards and alerts.

725
MCQhard

Your company uses Azure File Sync to sync on-premises file shares to Azure Files. You notice that some files are not syncing to Azure. You need to diagnose the issue with minimal administrative effort. Which Azure service should you use?

A.Microsoft Sentinel
B.Azure Storage Insights
C.Azure Monitor
D.Azure Log Analytics
AnswerC

Provides built-in monitoring and diagnostics for File Sync.

Why this answer

Azure Monitor provides the Azure File Sync monitoring blade, which offers pre-built metrics and alerts for sync health, file-level errors, and sync session status. This allows you to diagnose sync failures with minimal administrative effort by directly viewing sync group health, per-server sync status, and error codes without needing to configure additional log queries or workbooks.

Exam trap

The trap here is that candidates confuse Azure Monitor (the overarching monitoring platform) with Azure Log Analytics (a component of Azure Monitor that requires manual query authoring), leading them to choose Log Analytics because they think they need to write custom queries, when in fact the pre-built Azure File Sync monitoring blade in Azure Monitor provides the quickest diagnosis path.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM (Security Information and Event Management) tool focused on security threat detection and response, not on diagnosing Azure File Sync sync issues. Option B is wrong because Azure Storage Insights provides monitoring for Azure Storage accounts (blobs, tables, queues) but does not include the Azure File Sync monitoring blade or sync-specific metrics. Option D is wrong because Azure Log Analytics is a log query and analysis service that requires you to write custom KQL queries to extract sync data, which involves more administrative effort than using the pre-built Azure Monitor sync monitoring blade.

726
MCQmedium

You are developing a solution that must encrypt data before it is sent to Azure Blob Storage. You need to manage encryption keys yourself using Azure Key Vault. Which approach should you use?

A.Use Azure Information Protection to encrypt the files.
B.Use Azure Disk Encryption for the storage account.
C.Implement client-side encryption using the Azure Storage SDK and store the encryption keys in Azure Key Vault.
D.Enable Azure Storage Service Encryption (SSE) with customer-managed keys.
AnswerC

Client-side encryption encrypts data before transmission.

Why this answer

Client-side encryption with the Azure Storage SDK allows you to encrypt data before it leaves your application, ensuring it is never transmitted or stored in plaintext. By storing the encryption keys in Azure Key Vault, you maintain full control over key management, which aligns with the requirement to manage encryption keys yourself.

Exam trap

The trap here is that candidates often confuse server-side encryption (SSE) with client-side encryption, assuming that SSE with customer-managed keys satisfies the requirement to encrypt data before sending, when in fact SSE only encrypts data at rest after it arrives at Azure.

How to eliminate wrong answers

Option A is wrong because Azure Information Protection is a classification and labeling solution for documents and emails, not a mechanism for encrypting data before sending to Blob Storage. Option B is wrong because Azure Disk Encryption is used to encrypt virtual machine disks, not data being uploaded to Blob Storage. Option D is wrong because Azure Storage Service Encryption (SSE) with customer-managed keys encrypts data at rest on the server side, but the data is still transmitted in plaintext to Azure; it does not meet the requirement to encrypt data before it is sent.

727
Multi-Selectmedium

Which TWO of the following are valid approaches to secure access to Azure Blob Storage?

Select 2 answers
A.Use a Shared Access Signature (SAS) token
B.Use Azure Front Door to restrict access
C.Assign RBAC roles like Storage Blob Data Contributor
D.Embed storage account keys in client code
E.Enable public blob access
AnswersA, C

Delegated, time-limited access.

Why this answer

A Shared Access Signature (SAS) token provides delegated, time-limited access to specific Azure Blob Storage resources without exposing the storage account key. It allows you to grant granular permissions (read, write, delete) and enforce constraints like IP restrictions and allowed protocols (HTTPS only). This is a secure, recommended approach for sharing access with clients or third parties.

Exam trap

The trap here is that candidates often confuse Azure Front Door's traffic routing and WAF capabilities with actual blob-level authentication, or they mistakenly believe embedding storage account keys is acceptable for client-side applications, ignoring the severe security implications.

728
MCQmedium

You have an Azure App Service web app that uses a system-assigned managed identity. The web app needs to authenticate to an Azure SQL Database to read and write data. You want to use the managed identity to avoid storing credentials in connection strings. Which steps are required to configure this access?

A.Assign the managed identity the 'SQL DB Contributor' RBAC role on the database, then use SQL authentication with the identity's client ID.
B.Create a contained database user in the SQL database mapped to the managed identity, grant required database roles, and use Microsoft Entra ID token-based authentication from the app.
C.Enable Microsoft Entra ID authentication on the SQL server, add the managed identity as an Microsoft Entra ID admin, and use integrated security in the connection string.
D.Configure the connection string with the managed identity's principal ID as the user ID and leave the password empty.
AnswerB

This is the correct procedure. The managed identity (an Microsoft Entra ID principal) must be added as a database user. The app then acquires an access token for Azure SQL Database using the managed identity and uses it to connect.

Why this answer

Option B is correct because to use a system-assigned managed identity with Azure SQL Database, you must create a contained database user mapped to the managed identity in the SQL database, grant it the necessary database roles (e.g., db_datareader, db_datawriter), and then acquire an access token for Microsoft Entra ID (formerly Azure AD) from the managed identity endpoint to authenticate. This token-based approach avoids storing credentials and leverages the managed identity's automatic credential rotation.

Exam trap

The trap here is that candidates confuse Azure RBAC roles (which manage control-plane access) with SQL database-level permissions (which manage data-plane access), leading them to incorrectly select Option A or C instead of understanding that a contained database user and token-based authentication are required.

How to eliminate wrong answers

Option A is wrong because 'SQL DB Contributor' is an Azure RBAC role that controls management-plane operations (e.g., creating databases), not data-plane access to read/write data; SQL authentication with the identity's client ID is not supported—managed identities use token-based authentication, not SQL authentication. Option C is wrong because adding the managed identity as an Entra ID admin grants server-level administrative privileges, which is overly permissive and not the recommended least-privilege approach; 'integrated security' is a Windows Authentication concept and does not apply to managed identities in Azure App Service. Option D is wrong because connection strings cannot use the managed identity's principal ID as a user ID with an empty password; managed identity authentication requires acquiring a token from the Azure Instance Metadata Service (IMDS) endpoint and passing it as a password in the connection string or using a token-based library like Microsoft.Data.SqlClient.

729
MCQmedium

Refer to the exhibit. You run the Azure CLI command shown for an Azure Function app. What is the effect of this setting?

A.The function app uses the latest runtime version.
B.Remote debugging is enabled for the function app.
C.The function app scales out to multiple instances.
D.The function app runs from a deployment package in Azure Storage.
AnswerD

This setting enables run-from-package mode.

Why this answer

The `--run-from-package` flag in the Azure CLI command `az functionapp config appsettings set` sets the `WEBSITE_RUN_FROM_PACKAGE` app setting to `1`. This configures the function app to run from a deployment package (a .zip file) stored in Azure Blob Storage, which improves cold-start performance and ensures all files are consistent across instances. Option D correctly identifies this behavior.

Exam trap

Microsoft often tests the distinction between app settings that affect runtime behavior (like `FUNCTIONS_EXTENSION_VERSION` for version control) versus those that affect deployment and file serving (like `WEBSITE_RUN_FROM_PACKAGE`), leading candidates to confuse `--run-from-package` with runtime version or scaling settings.

How to eliminate wrong answers

Option A is wrong because the `--run-from-package` setting does not control the runtime version; runtime version is managed via the `FUNCTIONS_EXTENSION_VERSION` app setting or the `--functions-version` parameter during creation. Option B is wrong because remote debugging is enabled by setting `WEBSITE_REMOTE_DEBUGGING_ENABLED` to `1` and specifying a debugger version, not by `--run-from-package`. Option C is wrong because scaling out to multiple instances is controlled by the function app's plan (e.g., Consumption, Premium, or App Service plan) and scaling rules, not by the `WEBSITE_RUN_FROM_PACKAGE` setting.

730
Multi-Selecthard

A document rendering job in Azure App Service must safely access Key Vault secrets without connection strings in configuration. Which two steps are required?

Select 2 answers
A.Enable a managed identity for the web app
B.Enable anonymous access on the vault
C.Grant the identity permission to read the required secrets
D.Store the Key Vault access key in app settings
AnswersA, C

A managed identity gives the app an Azure AD identity without stored credentials.

Why this answer

A managed identity provides an automatically managed Azure AD identity for the web app, eliminating the need to store credentials in code or configuration. By enabling a system-assigned or user-assigned managed identity, the App Service can authenticate to Azure Key Vault without any connection strings or secrets in app settings. This is the foundational step for secure, identity-based access to Key Vault.

Exam trap

The trap here is that candidates might think storing the Key Vault access key in app settings (Option D) is acceptable because it's 'in the portal,' but the question explicitly requires 'without connection strings in configuration,' and any key stored in app settings is still a connection string in configuration.

731
MCQeasy

A company uses Azure Functions to process orders. The function needs to read messages from an Azure Service Bus queue. Which binding should the developer configure in the function.json?

A.serviceBus
B.eventHubTrigger
C.queueTrigger
D.serviceBusTrigger
AnswerD

serviceBusTrigger is the correct binding for a function triggered by a Service Bus queue.

Why this answer

Option C is correct because the serviceBusTrigger binding is used to trigger a function when a message arrives in a Service Bus queue. Option A (serviceBus) is not a valid binding for Service Bus; Option B (queueTrigger) is for Storage queues; Option D (eventHubTrigger) is for Event Hubs.

732
MCQhard

You are developing an Azure Function that runs on a Consumption Plan. The function calls an external API that enforces a rate limit of 10 requests per second. When the function scales out to multiple instances, you must ensure the rate limit is not exceeded. Which pattern should you implement?

A.Use a singleton attribute on the function to ensure only one instance runs.
B.Use a static SemaphoreSlim in the function code to limit concurrent calls.
C.Configure the function's host.json to limit concurrency to 1.
D.Use a queue-based load leveling pattern with an Azure Storage Queue.
AnswerD

Messages are queued, and a function processes them at a controlled rate (e.g., using a timer or batching) to respect the API's rate limit, regardless of the number of instances.

Why this answer

Option D is correct because a queue-based load leveling pattern uses an Azure Storage Queue to buffer incoming requests, allowing the function to process them at a controlled rate. This decouples the function's scaling from the external API's rate limit, ensuring that even with multiple function instances, the total request rate does not exceed 10 requests per second. The queue acts as a buffer, and the function can be configured to dequeue and process messages at a fixed rate, effectively smoothing out spikes in demand.

Exam trap

The trap here is that candidates often confuse concurrency control within a single instance (Options B and C) with global rate limiting across scaled-out instances, leading them to overlook the need for a distributed coordination mechanism like queue-based load leveling.

How to eliminate wrong answers

Option A is wrong because using a singleton attribute forces the function to run on only one instance, which defeats the purpose of scaling out on a Consumption Plan and can lead to throttling or cold start issues; it does not inherently control the request rate to the external API. Option B is wrong because a static SemaphoreSlim limits concurrent calls within a single process, but on a Consumption Plan, multiple instances run in separate processes, so the semaphore is not shared across instances and cannot enforce a global rate limit. Option C is wrong because configuring host.json to limit concurrency to 1 only restricts the number of concurrent function executions within a single instance, but multiple instances can still run in parallel, potentially exceeding the rate limit across instances.

733
MCQeasy

Your application uses Azure Key Vault to store secrets. You need to ensure that the application can access secrets without storing any credentials in the application code or configuration files. What should you use?

A.Azure Managed Identity
B.Key Vault access policies
C.A connection string with the secret
D.A client certificate stored in the application
AnswerA

Managed Identity provides an automatically managed identity for authentication.

Why this answer

Azure Managed Identity allows Azure resources (like App Service, Functions, VMs) to authenticate to Key Vault without storing credentials. Option B is correct. Option A is wrong because Key Vault access policies control permissions, not authentication.

Option C is wrong because connection strings contain credentials. Option D is wrong because certificates are an authentication method but require certificate management.

734
Multi-Selecthard

Which THREE tools can you use to diagnose performance issues in an Azure App Service? (Choose three.)

Select 3 answers
A.Application Insights
B.App Service diagnostics (Diagnose and Solve Problems)
C.Azure Monitor for VMs
D.Azure SQL Analytics
E.Kudu console for logging and debugging
AnswersA, B, E

Provides detailed application performance monitoring.

Why this answer

Option A (Application Insights), Option B (Kudu console), and Option D (App Service diagnostics) are correct. Option C (Azure SQL Analytics) is for SQL, not App Service. Option E (Azure Monitor for VMs) is for virtual machines.

735
MCQeasy

You are developing a web application that allows users to upload images. The application runs on Azure App Service. You need to ensure that uploaded images are stored in Azure Blob Storage and that the application remains responsive. What should you use?

A.Upload the image to the App Service and then copy it to Blob Storage.
B.Generate a SAS token for the user to upload directly to Blob Storage.
C.Use Azure Files for image storage.
D.Make the Blob container public for anonymous uploads.
AnswerB

SAS tokens allow secure, direct uploads without burdening the app server.

Why this answer

Option B is correct because generating a SAS token allows the user's browser to upload images directly to Azure Blob Storage without routing the data through the App Service. This keeps the web application responsive by offloading the upload workload to Azure Storage, avoiding blocking the App Service's limited HTTP request threads and reducing latency.

Exam trap

The trap here is that candidates assume all uploads must go through the App Service (Option A) because they think the app must 'own' the data first, missing the SAS-based direct upload pattern that Azure Blob Storage explicitly supports for offloading work.

How to eliminate wrong answers

Option A is wrong because uploading to the App Service first and then copying to Blob Storage introduces an unnecessary intermediary hop, consuming App Service resources (CPU, memory, network bandwidth) and blocking request threads, which degrades responsiveness and scalability. Option C is wrong because Azure Files is designed for SMB file shares (e.g., legacy app migration, shared configs), not for direct user uploads to a scalable object store; it lacks the built-in SAS-based direct upload pattern and is less optimized for high-throughput image ingestion. Option D is wrong because making the Blob container public for anonymous uploads removes all access control and authentication, creating a severe security risk where anyone can upload arbitrary content without restriction; SAS tokens provide time-limited, permission-scoped access.

736
Multi-Selectmedium

You are developing a serverless application using Azure Functions. The application processes orders from a queue and writes results to Azure Cosmos DB. You need to ensure that the function scales out automatically to handle sudden spikes in order volume. Which two actions should you take? (Choose two.)

Select 2 answers
A.Configure the function app to use the Premium plan with Always Ready instances enabled.
B.Use the Consumption plan with a max instance count of 200.
C.Implement a retry policy in the queue trigger to handle throttling.
D.Set the function's WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT app setting to 500.
E.Deploy the function app to an App Service plan with multiple instances pre-allocated.
AnswersA, E

Premium plan supports Always Ready instances and can scale out quickly to handle spikes.

Why this answer

Option A is correct because the Premium plan supports Always Ready instances, which pre-warm a specified number of instances to eliminate cold start latency and ensure the function can handle sudden spikes in order volume without delay. This is critical for serverless applications that require consistent performance under load.

Exam trap

The trap here is that candidates often confuse the Consumption plan's max instance count with the ability to handle spikes instantly, overlooking the cold start issue that the Premium plan's Always Ready instances solve.

737
MCQeasy

You are using Application Insights to monitor a web application. You need to create an alert that triggers when the server response time exceeds 5 seconds for more than 10% of requests in a 5-minute window. Which type of Azure Monitor alert should you create?

A.Metric alert
B.Log alert
C.Activity log alert
D.Application Insights smart detection alert
AnswerB

Log alerts run a Kusto query that can group and count requests, calculate the percentage with duration > 5000 ms of total requests, and trigger when that percentage exceeds 10 over the evaluation period.

Why this answer

A log alert is correct because the condition involves querying Application Insights trace data to calculate the percentage of requests with a server response time exceeding 5 seconds within a 5-minute window. Log alerts run a Kusto query against the `requests` table, allowing aggregation and threshold evaluation (e.g., >10% of requests), which is not possible with simple metric thresholds.

Exam trap

The trap here is that candidates often assume a metric alert can handle percentage-based conditions, but metric alerts only support simple aggregations (e.g., average, count, max) and cannot compute a ratio of requests meeting a custom condition without a log query.

How to eliminate wrong answers

Option A is wrong because a metric alert can only monitor a single metric value (e.g., average server response time) and cannot calculate a percentage of requests exceeding a threshold; it lacks the query capability to count requests and compute ratios. Option C is wrong because an activity log alert monitors Azure resource management events (e.g., VM creation, configuration changes), not application performance metrics like response times. Option D is wrong because Application Insights smart detection alerts use built-in machine learning models to detect anomalies automatically, but they do not allow you to define custom thresholds like '>10% of requests exceeding 5 seconds'.

738
MCQmedium

Refer to the exhibit. You deploy this ARM template to an App Service named 'myapp'. After deployment, users report they are able to access the app without being prompted to log in. What is the most likely reason?

A.The Azure Active Directory registration is missing the client secret.
B.The redirect URI is not configured in the Azure AD app registration.
C.The issuer URL is incorrect; it should include the tenant ID.
D.The client ID is from a different tenant.
AnswerA

Easy Auth requires a client secret for the identity provider to work.

Why this answer

The authentication settings are correct, but the App Service might not have the 'authsettingsV2' resource deployed at the correct scope. The resource type should be 'Microsoft.Web/sites/config' with name 'authsettingsV2' but the exhibit shows it correctly. However, a common issue is that the authentication is not enabled at the site level because the resource might be missing a dependency or the site is not restarted.

But the most likely reason is that the 'globalValidation' section requires the identity provider to be properly configured with a client secret. Without a client secret, the authentication might not work. In Easy Auth, if you don't specify a client secret, it uses secret-less auth which might not work for all scenarios.

Option A is correct. Option B is wrong because the issuer is valid. Option C is wrong because the redirect URI is not needed in the template.

Option D is wrong because the client ID is correct.

739
MCQhard

You have a multi-tenant application that uses Azure AD (Microsoft Entra ID) for authentication. You want to allow only specific tenants to access your app. What is the recommended approach?

A.In the application code, validate the 'tid' claim against a list of allowed tenant IDs.
B.Configure the app manifest to require user assignment and assign users from allowed tenants.
C.Validate the 'iss' claim to ensure it matches one of your allowed tenant issuer URLs.
D.Use Azure AD tenant restrictions to block all tenants except the allowed ones.
AnswerA

This is the standard pattern for multi-tenant app tenant restriction.

Why this answer

The recommended approach is to validate the 'tid' (tenant ID) claim in the token after validation, and compare it against a list of allowed tenants. Option B is correct. Option A is wrong because user assignment requires each tenant to assign users, which is not flexible.

Option C is wrong because tenant restrictions are set at the tenant level, not the app. Option D is wrong because the 'iss' claim includes the tenant ID, but it's better to use 'tid' as it's explicit.

740
Multi-Selectmedium

Which TWO are valid ways to authenticate to Azure Service Bus from an application? (Choose two.)

Select 2 answers
A.Using an X.509 certificate directly in the connection string.
B.Using Azure AD and a managed identity.
C.Using a connection string with a SAS key from Azure Event Hubs.
D.Using a storage account access key.
E.Using a connection string with Shared Access Signature (SAS) key.
AnswersB, E

Managed identity can authenticate to Service Bus without secrets.

Why this answer

Azure Service Bus supports Shared Access Signatures (SAS) and Azure AD (managed identity). Option A (connection string with SAS) is correct; Option C (managed identity) is correct. Option B is for Event Hubs; Option D is not standard; Option E is for storage.

741
MCQmedium

You are developing a serverless function using Azure Functions that needs to write logs to a Log Analytics workspace. The function uses a managed identity. Which RBAC role should you assign to the function's managed identity?

A.Log Analytics Reader
B.Monitoring Contributor
C.Log Analytics Contributor
D.Storage Blob Data Contributor
AnswerC

This role allows writing to Log Analytics workspaces.

Why this answer

The Log Analytics Contributor role is required because it grants the managed identity the necessary permissions to send data to a Log Analytics workspace, including the ability to create and manage data collection rules and write log data. This role is specifically designed for scenarios where an Azure resource, such as an Azure Function, needs to ingest logs into Log Analytics via the Data Collection API.

Exam trap

The trap here is that candidates often confuse the Log Analytics Contributor role with the Monitoring Contributor role, mistakenly thinking the latter covers log ingestion, but Monitoring Contributor lacks the specific write permissions to the Log Analytics workspace data plane.

How to eliminate wrong answers

Option A is wrong because Log Analytics Reader only allows read access to log data and monitoring settings, not the ability to write logs. Option B is wrong because Monitoring Contributor provides broader permissions to manage monitoring resources (e.g., alert rules, metrics) but does not include the specific permission to write data to a Log Analytics workspace. Option D is wrong because Storage Blob Data Contributor is for managing blob storage data, not for writing logs to Log Analytics.

742
MCQhard

You are developing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The application needs to authorize access to resources based on custom roles (e.g., 'Admin', 'Editor') that are not present in Microsoft Entra ID. The role mappings are dynamic and stored in an application database. How should you implement authorization?

A.Define the roles as Microsoft Entra ID app roles and include them in the token claims.
B.Store the role mappings in an Azure SQL Database and use a custom authorization policy that queries the database after authentication.
C.Include the roles as claims in the Microsoft Entra ID token by using a custom claim mapping policy.
D.Store the role mappings in the web.config file and read them at runtime.
AnswerB

This allows dynamic role assignments and leverages policy-based authorization in ASP.NET Core.

Why this answer

Option B is correct because the custom roles are dynamic and stored in an application database, not in Microsoft Entra ID. After authentication, a custom authorization policy can query the database to retrieve the role mappings for the authenticated user and enforce access control. This approach decouples role management from the identity provider and supports dynamic role assignments.

Exam trap

The trap here is that candidates assume custom roles must be embedded in the token via claims, overlooking that dynamic roles from a database can be evaluated post-authentication using a custom authorization policy.

How to eliminate wrong answers

Option A is wrong because defining roles as Microsoft Entra ID app roles requires static role definitions in the app registration, which cannot be dynamically updated from an external database. Option C is wrong because a custom claim mapping policy in Microsoft Entra ID can only add claims based on directory attributes or static rules, not from an external database. Option D is wrong because storing role mappings in web.config is static, insecure, and not suitable for dynamic role management; it also violates the principle of externalizing configuration from code.

743
MCQeasy

You need to store millions of small log entries (each <1 KB) per day from an IoT device. The logs are rarely read. Which storage solution is most cost-effective?

A.Azure Blob Storage Block Blob
B.Azure SQL Database
C.Azure Table Storage
D.Azure Files
AnswerA

Correct. Block blobs support high-volume storage with low-cost tiers (Cool/Archive) and can handle billions of objects.

Why this answer

Azure Blob Storage Block Blob is the most cost-effective solution for storing millions of small log entries (<1 KB) that are rarely read because it offers extremely low storage costs per GB, supports high-throughput ingestion, and is optimized for large-scale, append-oriented workloads. Block blobs can be stored in the 'Cool' or 'Archive' access tier to further reduce costs, and they can be efficiently batched into larger blocks (up to 100 MB per block) to minimize transaction costs.

Exam trap

The trap here is that candidates often choose Azure Table Storage because they think it is designed for small, structured log entries, but they overlook that Blob Storage's Cool/Archive tiers provide dramatically lower storage costs for rarely accessed data, making it the more cost-effective choice despite Table Storage's lower per-entity transaction cost.

How to eliminate wrong answers

Option B (Azure SQL Database) is wrong because it is a relational database designed for transactional workloads with high query performance, not for high-volume, low-cost storage of small log entries; its per-GB storage cost is significantly higher than Blob Storage, and it incurs additional costs for compute and IO. Option C (Azure Table Storage) is wrong because while it can store small entries, its cost per GB is higher than Blob Storage, and it is optimized for key-value lookups rather than bulk append-only logs; it also has a 1 MB entity size limit, which is not a problem here, but the overall cost for millions of entries is less efficient than block blobs in Cool/Archive tiers. Option D (Azure Files) is wrong because it is a fully managed file share for SMB protocol access, designed for shared file storage with low-latency access, not for high-volume, low-cost log archiving; its per-GB cost is higher than Blob Storage, and it lacks the tiering options (Cool/Archive) that make Blob Storage cost-effective for rarely accessed data.

744
MCQmedium

You develop an Azure Functions app that processes images triggered by blob uploads. You need to ensure the function can process images in parallel and handle high upload volumes without missing events. Which trigger and plan combination is recommended?

A.Event Grid trigger on Premium plan
B.Blob Storage trigger on Consumption plan
C.Event Grid trigger on Consumption plan
D.Blob Storage trigger on Premium plan
AnswerA

Correct. Event Grid provides built-in retry and high throughput, and Premium plan ensures sufficient resources and supports dynamic concurrency.

Why this answer

The Event Grid trigger on a Premium plan is recommended because Event Grid provides reliable, high-throughput event delivery with built-in retry and dead-lettering, ensuring no blob upload events are missed. The Premium plan offers dedicated instances and VNET connectivity, which avoids cold starts and allows parallel processing of multiple images concurrently, unlike the Consumption plan which has scaling limitations and potential for event loss under high volume.

Exam trap

The trap here is that candidates often assume the Blob Storage trigger is the natural choice for blob uploads, overlooking that Event Grid provides superior reliability and performance for high-volume scenarios, and that the Consumption plan's scaling limitations can lead to missed events or throttling.

How to eliminate wrong answers

Option B is wrong because the Blob Storage trigger on a Consumption plan uses a polling-based mechanism that can miss events under high upload volumes due to its reliance on Azure Storage logs, which have inherent latency and potential for data loss. Option C is wrong because while Event Grid is reliable, the Consumption plan has a maximum execution time of 10 minutes and limited concurrency, which can cause timeouts or throttling when processing many images in parallel. Option D is wrong because the Blob Storage trigger, even on a Premium plan, still uses the same polling-based approach that is less efficient and less reliable than Event Grid for high-volume, event-driven scenarios.

745
MCQeasy

You are developing a web app that processes images uploaded by users. The processing can take up to 30 seconds per image. You need to ensure that the web app remains responsive and can handle spikes in traffic. Which Azure service should you use to offload the image processing?

A.Azure Cosmos DB
B.Azure Queue Storage
C.Azure Event Grid
D.Azure SignalR Service
AnswerB

Decouples processing and provides buffering for spikes.

Why this answer

Option A is correct because Azure Queue Storage decouples the web frontend from the processing backend, allowing the web app to remain responsive and scale independently. Option B is wrong because Event Grid is for event notifications, not long-running queue-based work. Option C is wrong because Azure Cosmos DB is a database.

Option D is wrong because SignalR Service is for real-time messaging.

746
MCQhard

A .NET app performs point reads from Cosmos DB by id and partition key. The team wants the lowest latency and best throughput efficiency. Which API call pattern should be used?

A.ReadItemAsync with id and partition key
B.Stored procedure scanning all items
C.Change feed processor
D.SELECT * query without partition key
AnswerA

Point reads using id plus partition key are more efficient than SQL queries for single-item lookup.

Why this answer

ReadItemAsync with id and partition key is the most efficient API call pattern for point reads in Cosmos DB because it directly accesses the document using the partition key and item ID, requiring only a single request to the exact partition and replica. This avoids the overhead of querying multiple partitions or scanning all items, resulting in the lowest latency and best throughput efficiency, as it consumes the minimum request units (RUs) possible for a read operation.

Exam trap

The trap here is that candidates may confuse efficient point reads with query-based approaches or event-driven patterns, mistakenly believing that stored procedures or change feed processors can achieve lower latency, when in reality they introduce unnecessary overhead for simple single-item lookups.

How to eliminate wrong answers

Option B is wrong because stored procedures are designed for transactional operations across multiple items within the same partition, not for efficient point reads; they incur higher RU costs and latency due to script execution and potential full partition scans. Option C is wrong because the Change feed processor is used for capturing and processing incremental changes (events) to items, not for performing point reads; it introduces additional latency and resource overhead for real-time read scenarios. Option D is wrong because a SELECT * query without partition key results in a cross-partition query that scans all physical partitions, dramatically increasing RU consumption and latency compared to a direct point read.

747
MCQmedium

You are building a solution that uses Azure Cosmos DB for NoSQL. You need to implement a change feed processor to handle real-time updates. The application runs on multiple instances to ensure high availability. Which lease container configuration ensures that each instance processes a distinct set of partitions?

A.Set the partition key of the monitored container to /city
B.Configure the change feed to start from the beginning
C.Use a separate lease container with partition key /id
D.Set the lease container's throughput to 1000 RU/s
AnswerC

The lease container's partition key /id allows the change feed processor to distribute leases across instances.

Why this answer

The change feed processor uses a lease container to distribute work across instances. Each instance acquires leases on partitions. To ensure distinct processing, the lease container must be configured with a partition key that allows the processor to assign different lease documents to different instances.

The partition key of the lease container is '/id' by default, which is a unique identifier. Option A is wrong because the monitored container's partition key is irrelevant to instance distribution. Option C is wrong because throughput is not directly related to partition distribution.

Option D is wrong because the change feed is processed from the beginning only if not already stored; it doesn't ensure distinct processing.

748
MCQeasy

You are monitoring an Azure Web App with Application Insights. You notice a sudden spike in failed requests. You need to quickly identify which specific URL path is causing the most failures. Which blade in the Application Insights portal should you use?

A.Application Map
B.Failures blade
C.Performance blade
D.Live Metrics Stream
AnswerB

This blade is designed for analyzing failed requests, grouped by operation name, URL, etc., making it easy to identify the most failing endpoint.

Why this answer

The Failures blade in Application Insights is specifically designed to analyze failed requests, including HTTP 4xx and 5xx errors, and provides a breakdown by URL path, response code, and failure count. This allows you to quickly identify the specific URL path causing the most failures, which directly addresses the need to pinpoint the problematic endpoint.

Exam trap

The trap here is that candidates often confuse the Failures blade with the Performance blade, assuming performance metrics (like slow requests) are the root cause of failures, but the question explicitly asks for identifying failed requests by URL path, which is the sole purpose of the Failures blade.

How to eliminate wrong answers

Option A is wrong because the Application Map visualizes the dependency flow and health of your application components, but it does not provide a granular breakdown of failed requests by URL path. Option C is wrong because the Performance blade focuses on request durations, throughput, and slow operations, not on failed request analysis. Option D is wrong because Live Metrics Stream shows real-time telemetry (e.g., request rate, CPU usage) but does not aggregate historical failure data or allow sorting by URL path.

749
MCQmedium

An Azure App Service application has memory pressure. The developer needs distributed tracing across requests and dependencies. What should be enabled?

A.Application Insights with dependency tracking
B.Azure Policy compliance scan
C.Cost Management budgets only
D.Storage account static website logs
AnswerA

Application Insights provides request, dependency, exception, and trace telemetry for application diagnostics.

Why this answer

Application Insights with dependency tracking enables distributed tracing by automatically collecting telemetry across HTTP requests, database calls, and external service dependencies. This allows developers to correlate end-to-end transactions and identify the root cause of memory pressure, such as a specific dependency causing excessive resource consumption.

Exam trap

The trap here is that candidates may confuse Azure Policy (governance) or Cost Management (budgeting) with monitoring tools, or think static website logs can trace application dependencies, when only Application Insights provides the necessary distributed tracing and dependency correlation.

How to eliminate wrong answers

Option B is wrong because Azure Policy compliance scans enforce governance rules on resources (e.g., tagging or location restrictions) and do not provide any tracing or monitoring of application-level requests or dependencies. Option C is wrong because Cost Management budgets only track and alert on spending; they have no capability to trace distributed requests or diagnose memory pressure. Option D is wrong because Storage account static website logs capture only HTTP access logs for static content hosted in Azure Storage, not the distributed tracing of an App Service application's requests and dependencies.

750
MCQhard

You have an App Service app that uses Azure SQL Database. Users report that some queries are slow. You need to monitor query performance and receive alerts when the average query duration exceeds 1 second. Which two Azure services should you use?

A.Azure Advisor
B.Azure Monitor Alerts
C.Azure Monitor Logs
D.Application Insights
E.Azure SQL Analytics
AnswerD, E

Application Insights can track SQL dependency calls and set alerts on duration.

Why this answer

Option B (Application Insights) and Option D (Azure SQL Analytics) are correct because Application Insights can monitor the app's SQL dependency calls and set alerts, while Azure SQL Analytics provides deep query performance insights. Option A (Azure Monitor Logs) is too broad. Option C (Azure Monitor Alerts) can be used but requires a data source.

Option E (Azure Advisor) gives recommendations but not real-time monitoring.

Page 9

Page 10 of 14

Page 11