Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 751825

997 questions total · 14pages · All types, answers revealed

Page 10

Page 11 of 14

Page 12
751
Multi-Selecthard

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster that runs a critical workload? (Choose two.)

Select 2 answers
A.Store secrets as Kubernetes secrets without encryption
B.Enable SSH access to all nodes for troubleshooting
C.Enable Azure AD integration with Kubernetes RBAC
D.Deploy Azure Firewall in the cluster VNet
E.Use network policies to restrict pod-to-pod communication
AnswersC, E

Azure AD integration provides identity-based access control.

Why this answer

Options A and D are correct. Enabling Azure AD integration and using RBAC for Kubernetes resources provide authentication and authorization. Option B is wrong because SSH access should be disabled or limited.

Option C is wrong because Kubernetes secrets are base64 encoded and not encrypted by default; use Azure Key Vault Provider. Option E is wrong because Azure Firewall is not required for AKS internal traffic.

752
MCQeasy

You are debugging a performance issue in a live web application monitored by Application Insights. You need to see real-time metrics such as request rate, response times, and any exceptions as they occur, without waiting for the usual telemetry pipeline. Which Application Insights feature should you use?

A.Application Insights Analytics (Log Analytics)
B.Live Metrics Stream
C.Metrics Explorer
D.Application Insights Profiler
AnswerB

Live Metrics Stream shows live, low-latency telemetry from your application, including request rates, response times, and exceptions. It is designed for real-time monitoring and debugging.

Why this answer

Live Metrics Stream (option B) is the correct feature because it provides real-time, low-latency telemetry directly from the Application Insights SDK, bypassing the usual ingestion pipeline. This allows you to monitor request rate, response times, and exceptions as they occur, which is exactly what the scenario requires for debugging a live performance issue without waiting for data to be processed.

Exam trap

The trap here is that candidates often confuse Live Metrics Stream with Metrics Explorer, assuming both provide real-time data, but Metrics Explorer relies on pre-aggregated metrics with a built-in delay, while Live Metrics Stream is the only feature designed for true sub-second live monitoring.

How to eliminate wrong answers

Option A is wrong because Application Insights Analytics (Log Analytics) is a query-based tool for analyzing historical telemetry data after it has been ingested and stored, not for real-time monitoring. Option C is wrong because Metrics Explorer displays pre-aggregated metrics with a delay (typically 1-2 minutes) and does not provide sub-second live data. Option D is wrong because Application Insights Profiler is used for tracing performance bottlenecks in specific requests via snapshots, not for continuous real-time monitoring of request rates and exceptions.

753
Multi-Selecteasy

Which TWO Azure services can be used to trigger an Azure Function when a new blob is added to an Azure Storage container? (Choose two.)

Select 2 answers
A.Azure Event Grid trigger
B.Azure Queue Storage trigger
C.Azure Blob Storage trigger
D.Azure Cosmos DB trigger
E.HTTP trigger
AnswersA, C

Event Grid can be set up with a Blob Created event to trigger the function.

Why this answer

Option A is correct because Azure Event Grid trigger enables an Azure Function to be invoked automatically when a new blob is created in a Storage account. Event Grid provides a reliable, low-latency event-driven architecture that supports blob created events, making it a valid trigger for this scenario.

Exam trap

The trap here is that candidates often assume only the Blob Storage trigger can react to blob creation, overlooking Event Grid as a valid alternative, or they mistakenly think Queue Storage or Cosmos DB triggers can be repurposed for blob events.

754
MCQeasy

You need to ensure that an Azure Functions app can access a blob in Azure Storage using its system-assigned managed identity. What should you do first?

A.Configure CORS on the storage account
B.Enable the managed identity in the Function App
C.Assign the Storage Blob Data Reader role to the managed identity at the storage account scope
D.Generate a SAS token for the blob
AnswerC

This grants the identity permission to read blobs.

Why this answer

You must grant the managed identity the appropriate RBAC role on the storage account, such as Storage Blob Data Reader.

755
MCQhard

Your company has a multi-tier application running on Azure Virtual Machines. The application experiences high CPU usage during peak hours. You need to implement autoscaling for the virtual machine scale set based on CPU usage. The scaling should be aggressive when CPU exceeds 80% and conservative when CPU drops below 30%. Which scaling rule configuration should you use?

A.Scale out when CPU > 50%, scale in when CPU < 20%
B.Scale out when CPU > 90%, scale in when CPU < 10%
C.Scale out when CPU > 70%, scale in when CPU < 70%
D.Scale out when CPU > 80%, scale in when CPU < 30%
AnswerD

High scale-out threshold ensures scaling only when truly needed; low scale-in threshold prevents premature scale-in.

Why this answer

Option D is correct because the question explicitly requires aggressive scaling when CPU exceeds 80% and conservative scaling when CPU drops below 30%. The scale-out threshold of 80% triggers rapid addition of instances to handle high load, while the scale-in threshold of 30% ensures instances are removed only when utilization is consistently low, preventing premature scale-in and thrashing. This matches the exact thresholds specified in the requirement.

Exam trap

The trap here is that candidates may choose Option C because it seems 'balanced' with a single threshold, not realizing that identical scale-out and scale-in thresholds cause autoscale flapping, and that the question explicitly demands distinct aggressive (80%) and conservative (30%) values.

How to eliminate wrong answers

Option A is wrong because it scales out at 50% and scales in at 20%, which does not match the required aggressive 80% scale-out and conservative 30% scale-in thresholds, leading to unnecessary scaling actions. Option B is wrong because it scales out at 90% and scales in at 10%, which is too aggressive on scale-in and too conservative on scale-out, failing to meet the specified 80% and 30% thresholds. Option C is wrong because it uses the same threshold (70%) for both scale-out and scale-in, which would cause constant oscillation (flapping) as the metric hovers around 70%, violating the requirement for distinct aggressive and conservative behaviors.

756
MCQhard

Your company has a microservices application deployed on Azure Kubernetes Service (AKS). One service, OrderProcessor, needs to read messages from an Azure Service Bus queue and write results to Azure Cosmos DB. The processing must be reliable: if the service crashes mid-processing, the message should not be lost and should be retried. You also need to ensure that messages are processed in order within a partition. The solution should minimize code changes and leverage platform features. Which approach should you use?

A.Use the Azure Service Bus SDK with ReceiveAndDelete mode in a background worker.
B.Use Azure Functions with a Service Bus trigger that uses sessions for ordered processing.
C.Use the Azure Service Bus SDK with PeekLock mode and manual message completion.
D.Use Azure Event Hubs with a consumer group and checkpointing.
AnswerB

Functions handles peek-lock and retries; sessions ensure ordering per partition.

Why this answer

Option A is correct because Azure Functions with Service Bus trigger uses peek-lock mode by default, which ensures reliable processing; if the function fails, the message is not completed and will be retried; Service Bus sessions provide ordered processing per partition. Option B is wrong because the Service Bus SDK with ReceiveAndDelete would lose messages if the service crashes after receiving but before processing. Option C is wrong because Event Hubs is not designed for ordered processing per partition with message-level retries; also it's not a queue for command messages.

Option D is wrong because the Service Bus SDK with PeekLock requires manual handling of message completion, lock renewal, and session management, leading to more code and complexity.

757
MCQhard

Your company uses Azure DevOps for CI/CD. The security team requires that all pull request (PR) merges to the main branch be signed with a valid code signing certificate to ensure code integrity. Which Azure DevOps feature should you enforce?

A.Set up branch protection with 'Require a merge commit' and enable 'Require signed commits'
B.Configure a service hook to validate signatures using Azure Functions
C.Use Azure Policy to require code signing on the repository
D.Add a build validation step in the PR pipeline that checks signatures
AnswerA

This enforces that each merge commit is signed, ensuring code integrity.

Why this answer

Branch policy with 'Require a merge commit' forces signed commits; the policy can require a valid signature from a trusted certificate. Option A is required for infrastructure. Option C is for governance.

Option D is for pipeline validation, not commit signing.

758
Multi-Selecthard

A function consumes messages from Azure Service Bus. Which two settings help handle transient failures safely? The architecture review board prefers a managed AWS-native control.

Select 2 answers
A.Configure max delivery count with a dead-letter queue
B.Make message processing idempotent
C.Disable lock renewal for long processing
D.Use anonymous sender access
AnswersA, B

Dead-lettering isolates messages after repeated delivery failures.

Why this answer

Option A is correct because configuring max delivery count with a dead-letter queue ensures that after a message has been unsuccessfully processed a specified number of times (e.g., 10), it is automatically moved to the dead-letter queue rather than being retried indefinitely. This prevents infinite retry loops during transient failures and allows for manual inspection or reprocessing of poison messages. The dead-letter queue is a native Service Bus feature that isolates problematic messages without losing them.

Exam trap

The trap here is that candidates may confuse 'transient failure handling' with 'security settings' (like anonymous access) or 'performance tuning' (like disabling lock renewal), when the question specifically asks for safe handling of transient failures using managed Azure-native features.

759
MCQmedium

You are using Azure File Storage to share configuration files across multiple virtual machines running a legacy application. The application requires SMB 3.0 protocol with encryption. You need to ensure the file share is accessible from all VMs without exposing it to the internet. Which configuration should you use?

A.Create a storage account with a shared access signature (SAS) token and mount using the SAS URL
B.Create a storage account with a public endpoint and use a VPN gateway to connect the VMs
C.Create a storage account with a public endpoint and configure the firewall to allow only the VNet
D.Create a storage account with a private endpoint and mount the file share using the private IP
AnswerD

Private endpoint provides a private IP in the VNet, ensuring traffic stays within the network.

Why this answer

Option D is correct because a private endpoint assigns the storage account a private IP address from your virtual network, allowing VMs to access the file share over SMB 3.0 with encryption without exposing the storage account to the public internet. This meets the requirement for secure, private connectivity while supporting the legacy application's SMB 3.0 protocol needs.

Exam trap

The trap here is that candidates often confuse network-level access controls (like firewalls or VPNs) with true private connectivity, mistakenly believing that restricting access via firewall rules or VPN gateways eliminates public endpoint exposure, when only a private endpoint achieves that.

How to eliminate wrong answers

Option A is wrong because a shared access signature (SAS) token provides time-limited delegated access but still uses the public endpoint, exposing the storage account to the internet; it does not eliminate public exposure. Option B is wrong because using a VPN gateway with a public endpoint still leaves the storage account's public endpoint accessible from the internet, and the VPN only secures the connection between the VMs and the gateway, not the storage endpoint itself. Option C is wrong because configuring the firewall to allow only the VNet still requires the storage account to have a public endpoint, which is inherently internet-facing; firewall rules restrict access but do not remove the public endpoint, leaving the storage account potentially discoverable and violating the 'not exposing it to the internet' requirement.

760
MCQmedium

You have an Azure CDN profile that caches content from a storage account. Users in Europe report that images load slowly. You need to improve performance for European users. What should you do?

A.Enable compression on the CDN
B.Enable prefetching on the CDN
C.Configure caching rules to cache longer
D.Add an additional CDN endpoint with a European origin
AnswerD

Multiple endpoints with local origins can reduce latency.

Why this answer

Option C is correct because adding a CDN endpoint with a European origin or closest POP reduces latency. Option A (prefetching) is not a CDN feature. Option B (compression) may help but not primarily for geographic latency.

Option D (caching rules) may improve hit ratio but not geographical distance.

761
Multi-Selecteasy

You need to implement a solution for storing and retrieving large amounts of unstructured data (e.g., images, videos, backups) in Azure, with high durability and availability. The solution must allow access from anywhere via HTTP/HTTPS and support both public and private access. Which TWO Azure storage services should you consider?

Select 2 answers
A.Azure Table Storage
B.Azure Data Lake Storage Gen2
C.Azure Queue Storage
D.Azure Blob Storage
E.Azure Files
AnswersB, D

Built on Blob Storage, supports hierarchical namespace for large datasets.

Why this answer

Azure Blob Storage is purpose-built for storing large amounts of unstructured data such as images, videos, and backups, offering high durability (99.9999999999% with RA-GRS) and availability. It supports access via HTTP/HTTPS from anywhere, and provides both public (anonymous) and private (SAS tokens, RBAC) access controls, making it the primary choice for this scenario.

Exam trap

The trap here is that candidates may confuse Azure Data Lake Storage Gen2 as a separate service, but it is actually built on top of Blob Storage, so both B and D are correct because they represent the same underlying technology for unstructured data.

762
MCQeasy

You are building a solution that processes images uploaded to Azure Blob Storage. Each image must be analyzed by Azure AI Vision (Computer Vision). You need to trigger the analysis automatically when a new blob is created. Which Azure service should you use?

A.Azure Event Grid
B.Azure Logic Apps
C.Azure Functions
D.Azure WebJobs
AnswerC

Functions can be triggered by Blob Storage events.

Why this answer

Option D is correct because Azure Functions can be triggered by Blob Storage events to run custom code. Option A is wrong because Azure Logic Apps can also be used but Functions is more appropriate for code-based processing. Option B is wrong because Event Grid itself is the event broker, not the compute.

Option C is wrong because WebJobs are outdated and less flexible.

763
MCQhard

You are developing an Azure Functions app that processes orders. Each order triggers a function that writes to Azure Cosmos DB. You notice occasional throttling (429 errors) from Cosmos DB during peak hours. The function app uses the Consumption plan. What is the most cost-effective way to reduce throttling?

A.Increase the provisioned throughput (RU/s) of the Cosmos DB container.
B.Upgrade the function app to the Premium plan for dedicated instances.
C.Increase the function app's instance count by scaling out.
D.Implement retry logic with exponential backoff in the function code.
AnswerD

Retries handle transient throttling without additional cost.

Why this answer

Option D is correct because implementing retry logic with exponential backoff is the most cost-effective way to handle transient 429 errors from Cosmos DB. The Azure Cosmos DB SDK already includes built-in retry policies, but custom retry logic in the function code can be tuned to match the workload, allowing the function to wait and retry during peak throttling without incurring additional costs from scaling or increasing throughput.

Exam trap

The trap here is that candidates often assume scaling the function app (Option C) or increasing Cosmos DB throughput (Option A) are the only ways to handle throttling, but they overlook that retry logic is a zero-cost, built-in mechanism that directly addresses the transient nature of 429 errors in a Consumption plan environment.

How to eliminate wrong answers

Option A is wrong because increasing provisioned throughput (RU/s) directly increases monthly costs, and it does not address the root cause of throttling during peak hours—it simply raises the ceiling, which is not cost-effective for sporadic bursts. Option B is wrong because upgrading to the Premium plan adds fixed costs for dedicated instances and always-on benefits, which are unnecessary when the Consumption plan already scales automatically; the throttling is on the Cosmos DB side, not the function app's compute capacity. Option C is wrong because scaling out the function app increases the number of concurrent function instances, which can actually increase the request rate to Cosmos DB and worsen throttling, not reduce it.

764
MCQmedium

A high-traffic API sends approximately 80,000 telemetry events per second to Application Insights. Monthly ingestion costs are too high. The team wants to reduce data volume by roughly 80 percent while still seeing representative samples of all request types. What should the developer configure?

A.Enable adaptive sampling in the Application Insights SDK and set a target events-per-second limit
B.Configure ingestion sampling in the Azure portal to retain 20 percent of incoming telemetry
C.Increase the TelemetryClient flush interval from 30 seconds to 5 minutes to batch events
D.Filter all events with HTTP status code 200 from the telemetry pipeline before sending
AnswerA

Adaptive sampling runs in the SDK. It monitors the outgoing telemetry rate and automatically raises or lowers the sample percentage to stay near the target rate. All operation types are sampled proportionally, so statistical trends remain meaningful even at 20 percent of raw volume. Data is reduced before transmission, lowering both network and ingestion costs.

Why this answer

Adaptive sampling in the Application Insights SDK automatically adjusts the volume of telemetry sent to the service, targeting a specified rate of events per second. By setting a target that reduces the original 80,000 events/sec to roughly 20%, the SDK will intelligently sample all request types proportionally, preserving representative data while cutting costs.

Exam trap

The trap here is that candidates confuse ingestion sampling (a portal-level fixed filter) with adaptive sampling (an SDK-level dynamic filter), assuming any sampling in the portal will suffice, but only adaptive sampling can meet the dual goals of volume reduction and representativeness across all request types.

How to eliminate wrong answers

Option B is wrong because ingestion sampling in the Azure portal is a fixed-rate filter applied after telemetry is already sent, which does not reduce network and SDK overhead, and it cannot adapt to traffic spikes or maintain representativeness across all request types. Option C is wrong because increasing the flush interval only batches events into larger payloads, reducing the number of HTTP calls but not the total number of events ingested, so it does not reduce data volume or cost. Option D is wrong because filtering all HTTP 200 status codes would discard successful requests entirely, losing critical health and performance data and violating the requirement to see representative samples of all request types.

765
MCQhard

You are using Azure Cognitive Search to index documents stored in Azure Blob Storage. The indexer is failing with the error 'Data source credentials are invalid.' You have verified that the connection string for the storage account is correct. What is the most likely cause?

A.The Cognitive Search service is in a different region than the storage account.
B.The Cognitive Search service's admin key is missing.
C.The indexer configuration is missing the storage account key.
D.The storage account is behind a firewall and the Cognitive Search service IP is not allowed.
AnswerD

Firewall rules block the search service; add its IP to the storage account firewall.

Why this answer

Option A is correct because if the storage account is behind a firewall, the Cognitive Search service must be granted access via firewall rules or by using a managed identity with appropriate permissions. The suggested resolution is to add the Cognitive Search service's IP address to the storage account firewall rules. Option B is wrong because the indexer does not require the search service to be in the same region.

Option C is wrong because the indexer uses the storage account connection string, not a search service key, to access the data source. Option D is wrong because the indexer configuration does not need to specify the storage account key separately if using a connection string.

766
MCQeasy

You are developing a solution that needs to retrieve secrets from Azure Key Vault. The solution will run as an Azure App Service managed identity. Which authentication method should you use?

A.SharedAccessSignatureCredential
B.InteractiveBrowserCredential
C.DefaultAzureCredential
D.ClientSecretCredential
AnswerC

DefaultAzureCredential automatically uses managed identity when running in Azure, and falls back to other credential types for local development.

Why this answer

The correct answer is DefaultAzureCredential because it automatically uses the managed identity of the App Service when running in Azure, and falls back to other credential types for local development. Option A is wrong because interactive browser authentication requires user interaction and is not suitable for background services. Option B is wrong because client secret authentication is not recommended for managed identities.

Option D is wrong because shared access signature is for storage access, not Key Vault.

767
MCQhard

A company is building a microservices application on Azure Container Instances. Each microservice needs to authenticate to Azure Key Vault to retrieve secrets. They want to avoid storing any credentials in the container images or environment variables. What should they do?

A.Use Docker secrets mounted as volumes.
B.Enable managed identity for the container group and grant it access to Key Vault.
C.Use a shared access signature (SAS) token to access Key Vault.
D.Store the Key Vault URI and a client secret in environment variables.
AnswerB

Managed identity allows secure authentication without credentials.

Why this answer

Option B is correct because managed identity for Azure Container Instances allows containers to authenticate to Azure services without credentials. Option A is wrong because passing connection strings as environment variables exposes secrets. Option C is wrong because Docker secrets are not natively supported in Azure Container Instances.

Option D is wrong because SAS tokens are not suitable for container-to-Key Vault authentication.

768
MCQmedium

An app uses Azure Event Grid to publish events. The events must be delivered to an Azure Function that processes them. Which Event Grid event delivery model should be used?

A.Pull delivery
B.Push delivery
C.Batch delivery
D.Poll delivery
AnswerB

Event Grid pushes events to subscribers like Azure Functions.

Why this answer

Option C is correct because Event Grid supports push delivery to event handlers like Azure Functions. Option A (pull) is for Event Hubs; Option B (poll) is not a typical model; Option D (batch) is a delivery mode, but the push model is the standard for Event Grid.

769
MCQmedium

An Azure App Service application has availability failures. The developer needs distributed tracing across requests and dependencies. What should be enabled?

A.Application Insights with dependency tracking
B.Storage account static website logs
C.Azure Policy compliance scan
D.Cost Management budgets only
AnswerA

Application Insights provides request, dependency, exception, and trace telemetry for application diagnostics.

Why this answer

Application Insights with dependency tracking is the correct choice because it provides distributed tracing across requests and dependencies in an Azure App Service application. It automatically collects telemetry data, including end-to-end transaction details, and maps dependencies like SQL databases, HTTP calls, and Azure services, enabling developers to diagnose availability failures by correlating traces across components.

Exam trap

The trap here is that candidates may confuse general monitoring tools (like logs or compliance) with the specific need for distributed tracing, overlooking that only Application Insights with dependency tracking provides the correlation and dependency mapping required for diagnosing availability failures across requests and dependencies.

How to eliminate wrong answers

Option B is wrong because Storage account static website logs only capture HTTP request logs for static content hosted in Azure Storage, not distributed tracing across application dependencies or requests. Option C is wrong because Azure Policy compliance scan evaluates resource configurations against policies for governance and compliance, not for monitoring application performance or tracing distributed requests. Option D is wrong because Cost Management budgets only track and alert on spending, providing no telemetry or tracing capabilities for application availability or dependencies.

770
MCQeasy

You are deploying a background processing job that reads messages from an Azure Storage Queue. The job must run on the same compute resources as the main web application and must not require additional deployment or monitoring overhead. Which solution should you use?

A.Deploy an Azure Function with a Queue trigger on the Consumption plan.
B.Add an Azure WebJob to the App Service that hosts the main application.
C.Create a separate Azure Container Instance to run a continuous job.
D.Use Azure Logic Apps with a recurrence trigger to poll the queue.
AnswerB

WebJobs are deployed as part of the App Service and run in the same process or as background processes, sharing the same plan and scaling without extra services.

Why this answer

Option B is correct because Azure WebJobs run in the same App Service plan as the main web application, sharing compute resources without requiring separate deployment or monitoring. A WebJob with a continuous trigger can read from an Azure Storage Queue using the QueueTrigger attribute, meeting the requirement of no additional overhead.

Exam trap

The trap here is that candidates often choose Azure Functions for queue processing without considering the requirement to share compute resources with the main web application, overlooking that WebJobs are the native background processing solution within App Service.

How to eliminate wrong answers

Option A is wrong because an Azure Function on the Consumption plan runs on separate, serverless compute resources, not on the same resources as the main web application, and introduces additional deployment and monitoring overhead. Option C is wrong because a separate Azure Container Instance requires its own compute resources, deployment pipeline, and monitoring, contradicting the requirement to run on the same resources as the main app. Option D is wrong because Azure Logic Apps with a recurrence trigger is a separate, managed service that runs independently of the web application's compute resources, adding deployment and monitoring overhead.

771
MCQeasy

You need to deploy a containerized application to Azure Container Instances (ACI) with a public IP address and a DNS name label. Which YAML property should you configure for the DNS name?

A.dnsNameLabel
B.containerGroupName
C.ipAddress
D.ports
AnswerA

Correct property for DNS name.

Why this answer

The `dnsNameLabel` property in the Azure Container Instances YAML definition is used to assign a custom DNS prefix to the container group's public IP address. When combined with the Azure region's default domain suffix (e.g., `eastus.azurecontainer.io`), this creates a fully qualified domain name (FQDN) like `<dnsNameLabel>.eastus.azurecontainer.io`, allowing clients to resolve the container group via DNS without needing the raw IP address.

Exam trap

The trap here is that candidates often confuse `dnsNameLabel` with `containerGroupName` or `ipAddress`, mistakenly thinking the container group name or the IP address property itself controls the DNS label, when in fact `dnsNameLabel` is a nested property under `ipAddress` in the YAML schema.

How to eliminate wrong answers

Option B is wrong because `containerGroupName` is the logical name of the container group within Azure Resource Manager, not a DNS-related property; it does not influence the DNS label or FQDN. Option C is wrong because `ipAddress` defines the type (e.g., Public or Private) and the assignment of the IP address itself, but the DNS name label is a separate sub-property under `ipAddress` (specifically `ipAddress.dnsNameLabel`). Option D is wrong because `ports` specifies the container ports to expose (e.g., 80, 443) and their protocol (TCP/UDP), but it has no role in configuring the DNS name label.

772
MCQeasy

The team is writing an Azure Function that needs to retrieve secrets from Azure Key Vault at runtime. The security policy prohibits storing client secrets, connection strings, or certificates in application settings or source code. What is the recommended approach?

A.Enable a system-assigned managed identity on the Function App and grant it Key Vault Secrets User (or Get/List access policy) permission on the vault
B.Create an App Registration, generate a client secret, store the secret in an Application Setting, and authenticate using ClientSecretCredential
C.Generate a Key Vault SAS token and embed it in the function's connection string setting
D.Use the Key Vault REST API with the vault's access key embedded in the code
AnswerA

The managed identity removes all credential management from the developer. DefaultAzureCredential automatically detects the managed identity context and requests tokens from the Azure Instance Metadata Service. No secret is ever stored anywhere the developer can access or accidentally expose.

Why this answer

Option A is correct because a system-assigned managed identity provides a secure, credential-free way for an Azure Function to authenticate to Key Vault. Azure automatically manages the identity's lifecycle and tokens, eliminating the need to store any secrets in application settings or code. The Function App uses the managed identity to obtain an Azure AD token, which it presents to Key Vault to retrieve secrets, fully complying with the security policy.

Exam trap

The trap here is that candidates may think a client secret or SAS token is acceptable if stored in an Application Setting, but the policy explicitly prohibits storing any secrets in settings or code, making managed identity the only compliant option.

How to eliminate wrong answers

Option B is wrong because it requires storing a client secret (the App Registration's secret) in an Application Setting, which directly violates the security policy that prohibits storing client secrets in application settings or source code. Option C is wrong because Key Vault does not support SAS tokens; SAS tokens are used for Azure Storage, not Key Vault, and embedding any token in a connection string violates the policy. Option D is wrong because Key Vault does not have an 'access key'; it uses Azure AD authentication, and embedding any credential in code violates the policy.

773
MCQmedium

You are designing a solution to store and serve large media files (500 MB to 2 GB) to a global audience. The files must be accessible via HTTPS with low latency. Which Azure Storage option should you use?

A.Azure Blob Storage with Azure CDN
B.Azure Queue Storage
C.Azure Files with SMB protocol
D.Azure Table Storage
AnswerA

Blob Storage with CDN provides global low-latency access for large files.

Why this answer

Azure Blob Storage is optimized for storing large, unstructured data like media files, and integrating it with Azure CDN caches content at edge nodes worldwide, reducing latency for global users. HTTPS access is natively supported, and CDN ensures low-latency delivery by serving files from the nearest point of presence (PoP).

Exam trap

The trap here is that candidates may confuse Azure Files (which supports SMB and REST) as a viable option for global media delivery, but it lacks built-in CDN integration and is not designed for low-latency HTTPS serving to a global audience.

How to eliminate wrong answers

Option B is wrong because Azure Queue Storage is designed for asynchronous message passing between application components, not for storing or serving large files. Option C is wrong because Azure Files with SMB protocol is intended for file shares accessed via SMB (port 445) from virtual machines or on-premises systems, not optimized for global HTTPS delivery of large media files. Option D is wrong because Azure Table Storage is a NoSQL key-value store for structured data, not suitable for large binary objects like media files.

774
MCQhard

Your application runs on Azure Kubernetes Service (AKS). It needs to access Azure Key Vault secrets. You want to avoid using a service principal. Which solution should you implement?

A.Mount secrets as a ConfigMap from Key Vault
B.Create a service principal and assign it to the AKS cluster
C.Deploy the Secrets Store CSI Driver with workload identity
D.Use a Helm chart to inject secrets
AnswerC

Workload identity allows pods to use a managed identity to access Key Vault.

Why this answer

Azure Key Vault Provider for Secrets Store CSI Driver with AAD pod identity or workload identity allows pods to access Key Vault using a managed identity, avoiding service principals. Option A is wrong because Helm charts are packaging tools. Option B is wrong because a service principal is exactly what you want to avoid.

Option D is wrong because mounting secrets via ConfigMap is insecure.

775
MCQmedium

You are designing a solution to store large amounts of structured data that is accessed frequently and requires low-latency reads. The data must be globally distributed and support automatic failover. Which Azure storage solution should you recommend?

A.Azure Table Storage with geo-replication.
B.Azure Cosmos DB with multi-region writes and automatic failover.
C.Azure SQL Database with active geo-replication and failover groups.
D.Azure Blob Storage with read-access geo-redundant storage (RA-GRS).
AnswerB

Azure Cosmos DB provides global distribution, low-latency reads, and automatic failover.

Why this answer

Azure Cosmos DB with multi-region writes and automatic failover is the correct choice because it provides globally distributed, low-latency reads and writes with automatic failover at the database level. It supports multiple consistency models and guarantees single-digit millisecond read latencies, making it ideal for frequently accessed structured data that requires global distribution and high availability.

Exam trap

The trap here is that candidates often confuse Azure Table Storage (which is a NoSQL key-value store) with Cosmos DB's Table API, but Table Storage lacks the global distribution, automatic failover, and low-latency guarantees that Cosmos DB provides, leading them to choose Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because Azure Table Storage with geo-replication offers only eventual consistency and higher latency compared to Cosmos DB, and it does not support automatic failover or multi-region writes natively. Option C is wrong because Azure SQL Database with active geo-replication and failover groups is designed for relational data and provides strong consistency, but it does not offer the same low-latency global distribution and multi-region write capabilities as Cosmos DB; it also requires manual failover configuration in some scenarios. Option D is wrong because Azure Blob Storage with read-access geo-redundant storage (RA-GRS) is optimized for unstructured blob data, not structured data, and it only supports read access in the secondary region during failover, not automatic failover for writes.

776
MCQmedium

You are building an Azure Logic App that must connect to a third-party CRM system using a custom API. The API requires an API key in the header of every request. You need to securely store the API key and reference it in the Logic App. Which approach should you use?

A.Store the API key in the Azure Logic App's definition file.
B.Use a parameter and a connection reference in the Logic App.
C.Store the API key in Azure Key Vault and reference it with a dynamic expression.
D.Hardcode the API key in the HTTP action.
AnswerC

Key Vault centralizes secret management; Logic Apps can use the @keyVault() expression to retrieve secrets securely, avoiding exposure.

Why this answer

Option C is correct because Azure Key Vault provides a secure, centralized store for secrets like API keys, and Logic Apps can reference these secrets at runtime using a dynamic expression (e.g., `@Microsoft.KeyVault(SecretUri=...)`). This avoids exposing the key in plaintext within the Logic App definition or configuration, aligning with Azure security best practices for managed identities and secret management.

Exam trap

The trap here is that candidates may confuse 'parameter and connection reference' (Option B) as secure because it separates the value from the definition, but it still stores the key in plaintext in the connection resource, whereas Key Vault is the only option that provides encryption and access control via Azure RBAC.

How to eliminate wrong answers

Option A is wrong because storing the API key directly in the Logic App's definition file (JSON workflow) exposes it in plaintext within the source code and deployment artifacts, violating security best practices. Option B is wrong because while parameters and connection references can abstract values, they still store the API key in plaintext within the Logic App's configuration or connection resource, not providing encryption at rest or access control. Option D is wrong because hardcoding the API key in the HTTP action embeds the secret directly in the workflow definition, making it visible to anyone with read access to the Logic App and impossible to rotate without modifying the workflow.

777
MCQeasy

A developer is building an application that needs to store and retrieve large binary files (e.g., images, videos). The application runs on Azure Virtual Machines. Which Azure service provides the most cost-effective storage for these files?

A.Azure SQL Database
B.Azure Cosmos DB
C.Azure Files
D.Azure Blob Storage
AnswerD

Blob Storage is designed for cost-effective storage of large binary files.

Why this answer

Option B is correct because Azure Blob Storage is specifically designed for storing large amounts of unstructured data like binary files at low cost. Option A is incorrect because Azure SQL Database is for relational data, not blob storage. Option C is incorrect because Azure Files is for shared file systems, not optimal for large binary files.

Option D is incorrect because Azure Cosmos DB is for NoSQL data and is more expensive for blob storage.

778
MCQeasy

You are building a solution that processes orders and needs to send order confirmation emails reliably. You choose Azure Logic Apps with a Gmail connector. However, you are concerned about hitting Gmail's sending limits. What should you do to handle this?

A.Use Azure Queue Storage to buffer messages and process them asynchronously.
B.Use a webhook instead of a connector to send emails directly via Gmail API.
C.Increase the Gmail API quota by contacting Google support.
D.Configure a retry policy in the Logic App action to retry on failure with exponential backoff.
AnswerD

Exponential backoff retry policy helps respect rate limits by spacing out retries.

Why this answer

Gmail has sending limits; to avoid hitting them, use a retry policy with exponential backoff in Logic Apps. Option A is the correct approach. Option B is not available; Option C is unnecessary if retries are configured; Option D is not a standard feature.

779
Multi-Selectmedium

You are designing a solution to store secrets for a microservices application running on Azure Kubernetes Service (AKS). The secrets must be automatically rotated and remain available if the Key Vault is temporarily unavailable. Which TWO options meet the requirements?

Select 2 answers
A.Have each microservice read secrets directly from Key Vault using the SDK.
B.Use the AKS add-on for Azure Key Vault (Secrets Store CSI driver) with a sync to Kubernetes secrets.
C.Assign a managed identity to each pod and use it to authenticate to Key Vault.
D.Deploy a sidecar container that periodically retrieves secrets from Key Vault and stores them in a shared volume.
E.Store secrets as plain text in Kubernetes secrets.
AnswersB, D

Provides caching and offline availability.

Why this answer

Option A is correct: AKS add-on for Key Vault (Secrets Store CSI driver) with a sync to Kubernetes secrets provides offline caching. Option D is correct: using a sidecar container that caches secrets locally in a volume also provides availability during Key Vault downtime. Option B is incorrect because reading directly from the SDK does not provide caching.

Option C is incorrect because managed identity is an authentication method, not a solution for availability. Option E is incorrect because storing secrets in plain text is insecure and violates the requirement.

780
Multi-Selecteasy

Which TWO of the following are valid methods for authenticating to Azure Blob Storage?

Select 2 answers
A.Connection string with account key
B.Shared access signature (SAS) token
C.Shared Key (storage account key)
D.Azure AD authentication (RBAC)
E.Client certificate authentication
AnswersC, D

Shared Key is a valid authentication method.

Why this answer

Option C is correct because the Shared Key (storage account key) method uses the HMAC-SHA256 algorithm to sign a request string with the storage account key, providing full administrative access to the storage account. Option D is correct because Azure AD authentication with RBAC allows fine-grained access control to blob containers and blobs without exposing account keys, using OAuth 2.0 tokens.

Exam trap

The trap here is that candidates often mistake a connection string (Option A) as a distinct authentication method, when it is simply a string that contains the account key and endpoint, making it equivalent to Shared Key authentication, not a separate valid method.

781
Multi-Selecteasy

Which TWO authentication methods can be used to call a Microsoft Entra ID-protected web API from a client application?

Select 2 answers
A.HTTP Basic authentication
B.OAuth 2.0 implicit flow
C.OAuth 2.0 client credentials flow
D.SAML 2.0 bearer assertion flow
E.OAuth 2.0 authorization code flow with PKCE
AnswersC, E

Correct: for server-to-server calls.

Why this answer

OAuth 2.0 authorization code flow with PKCE and client credentials flow are both supported for web API access. Implicit flow is deprecated. SAML and Basic auth are not standard for Entra ID API calls.

782
MCQeasy

You need to monitor the CPU utilization of an Azure VM in real-time and set up an alert when it exceeds 90%. Which Azure Monitor feature should you use?

A.Log Analytics Workspace
B.Metrics Explorer
C.Application Insights
D.Azure Monitor for VMs
AnswerB

Correct. Metrics Explorer provides near real-time platform metrics and supports creating metric alerts.

Why this answer

Metrics Explorer is the correct Azure Monitor feature for real-time monitoring of CPU utilization on an Azure VM because it provides near real-time metric collection (typically every 1 minute) and supports alerting based on threshold conditions. It allows you to chart performance counters like Percentage CPU and configure metric alerts that trigger when the value exceeds 90%.

Exam trap

The trap here is that candidates often confuse Azure Monitor for VMs (which provides a dashboard view) with the actual alerting mechanism, or they mistakenly think Log Analytics is needed for metric alerts when Metrics Explorer handles them directly.

How to eliminate wrong answers

Option A is wrong because Log Analytics Workspace is designed for collecting and querying log data (e.g., Windows Event Logs, Syslog) using KQL, not for real-time metric monitoring or threshold-based alerts on CPU utilization. Option C is wrong because Application Insights is an Application Performance Management (APM) service focused on monitoring live web applications, not infrastructure-level metrics like VM CPU utilization. Option D is wrong because Azure Monitor for VMs (now VM Insights) provides a pre-built experience with performance charts and dependency mapping, but it relies on underlying Metrics Explorer for alerting and is not the direct feature for setting a metric alert on CPU utilization.

783
MCQeasy

Your company runs a web application on Azure App Service that uses a custom domain. The application must be accessible only via HTTPS. You have already uploaded an SSL certificate for the custom domain. However, users can still access the site via HTTP. You need to enforce HTTPS redirection. What should you do?

A.Set the 'Minimum TLS Version' to 1.2.
B.Add a rewrite rule in the web.config file to redirect HTTP to HTTPS.
C.Configure the App Service to require client certificates.
D.Enable the 'HTTPS Only' setting in the App Service's TLS/SSL settings blade.
AnswerD

This setting enforces HTTPS redirection at the platform level.

Why this answer

The 'HTTPS Only' setting in the App Service's TLS/SSL settings blade enforces that all incoming requests are redirected from HTTP to HTTPS at the platform level, before any application code runs. Since you have already uploaded an SSL certificate, enabling this setting ensures that users cannot access the site via HTTP, meeting the requirement without modifying application code.

Exam trap

The trap here is that candidates may think a web.config rewrite rule (Option B) is sufficient, but Azure explicitly recommends the platform-level 'HTTPS Only' setting because it is simpler, more reliable, and works regardless of the application stack (e.g., .NET, Node.js, Python).

How to eliminate wrong answers

Option A is wrong because setting 'Minimum TLS Version' to 1.2 only enforces that incoming HTTPS connections use TLS 1.2 or higher; it does not redirect HTTP traffic to HTTPS. Option B is wrong because while a rewrite rule in web.config can redirect HTTP to HTTPS, it is an application-level solution that may not cover all scenarios (e.g., requests that bypass the rewrite module) and is less reliable than the platform-level 'HTTPS Only' setting. Option C is wrong because requiring client certificates is for mutual TLS authentication, not for enforcing HTTPS redirection.

784
MCQmedium

You are building an Azure Logic App that needs to call a third-party REST API. The API requires an API key to be passed in the 'X-API-Key' header. You have stored the API key as a secret in Azure Key Vault. The Logic App uses a managed identity that has read access to the Key Vault secret. You want to retrieve the API key securely at runtime and include it in the HTTP request. Which approach should you use?

A.Use the 'Get secret' action from the Azure Key Vault connector, configured to authenticate with a managed identity. Then pass the output to the 'HTTP' action's header as 'X-API-Key'.
B.Create an API connection for the external API, providing the API key in the connection parameters. Then use that connection in the Logic App.
C.Store the API key directly in the Logic App definition's 'constants' section and reference it in the HTTP action.
D.Use the 'HTTP' action with 'Managed Identity' authentication type, and configure the external API to accept Microsoft Entra ID tokens.
AnswerA

The Azure Key Vault connector allows secure retrieval of secrets using managed identity. The HTTP action can then reference the secret value in the header, keeping it out of the workflow definition.

Why this answer

Option A is correct because it uses the Azure Key Vault connector's 'Get secret' action with managed identity authentication to securely retrieve the API key at runtime. The output is then passed directly into the HTTP action's 'X-API-Key' header, ensuring the secret is never exposed in the Logic App definition or logs. This approach follows the principle of least privilege and avoids hardcoding secrets.

Exam trap

The trap here is that candidates may confuse managed identity authentication on the HTTP action (which sends an Entra ID token) with using a managed identity to authenticate to Key Vault, leading them to select option D, which is technically incorrect for an API key scenario.

How to eliminate wrong answers

Option B is wrong because creating an API connection stores the API key in the connection definition, which is persisted and can be exposed if the connection is shared or exported; it also bypasses the runtime retrieval from Key Vault. Option C is wrong because storing the API key directly in the Logic App definition's 'constants' section hardcodes the secret into the workflow, violating security best practices and exposing it in source control or deployment artifacts. Option D is wrong because the 'HTTP' action with 'Managed Identity' authentication type sends a Microsoft Entra ID token, not an API key; the external API would need to support OAuth 2.0 token validation, which is not the case here—it expects a static API key in the 'X-API-Key' header.

785
MCQeasy

You need to consume an Azure Cognitive Services Text Analytics API from a Python application. The API requires a subscription key. Where should you store the key to ensure security?

A.Store the key in a text file in the application directory.
B.Store the key in an environment variable on the hosting machine.
C.Use Azure AD authentication instead of a key.
D.Hardcode the key in the Python source code.
AnswerB

Environment variables are secure and can be set in App Service or VM configuration.

Why this answer

Option B is correct because storing the subscription key in an environment variable on the hosting machine keeps it out of source code and configuration files, reducing the risk of accidental exposure. Environment variables are a standard security best practice for secrets in cloud applications, and Azure Cognitive Services APIs require key-based authentication unless Azure AD is explicitly configured.

Exam trap

The trap here is that candidates may choose Option C (Azure AD authentication) thinking it eliminates the need for a key entirely, but the Text Analytics API does not support Azure AD out-of-the-box without additional configuration, and the question explicitly states the API requires a subscription key.

How to eliminate wrong answers

Option A is wrong because storing the key in a text file in the application directory makes it part of the deployment package, easily accessible if the file system is compromised or if the code is shared via version control. Option C is wrong because Azure AD authentication is not supported by default for the Text Analytics API; it requires additional configuration (e.g., managed identity) and is not a drop-in replacement for the subscription key in this context. Option D is wrong because hardcoding the key in Python source code exposes it to anyone with access to the codebase, including version control history, and violates the principle of separating secrets from code.

786
MCQhard

Northwind Traders is building a microservices architecture on Azure Kubernetes Service (AKS). One service needs to read messages from an Azure Service Bus queue and write them to an Azure SQL database. The solution must use managed identities for authentication. The AKS cluster is integrated with Microsoft Entra ID. The development team wants to avoid managing service principals and secrets. The team has chosen to use the Azure Identity SDK for authentication. The service will run as a pod in AKS. Which approach should the team use to authenticate to Service Bus and Azure SQL Database?

A.Generate a self-signed certificate, upload it to AKS, and use ClientCertificateCredential in the code.
B.Deploy Azure AD Pod Identity (or Workload Identity) to assign a user-assigned managed identity to the pod. Use DefaultAzureCredential in the code. Grant the identity 'Listen' on Service Bus and 'Connect' on SQL Database.
C.Store Service Bus connection string and SQL connection string in Azure Key Vault. Use Key Vault SDK to retrieve them at runtime.
D.Create a service principal and store its client secret in a Kubernetes secret. Use ClientSecretCredential in the code. Assign the service principal permissions to Service Bus and SQL.
AnswerB

Correct: uses managed identity and DefaultAzureCredential.

Why this answer

Use Azure AD Pod Identity or Workload Identity to assign a managed identity to the pod. The code uses DefaultAzureCredential to authenticate to both Service Bus (via Azure.Messaging.ServiceBus) and SQL (via Microsoft.Data.SqlClient). Option A is correct.

Option B uses a service principal with secret, not managed identity. Option C uses connection strings. Option D uses certificate, not managed identity.

787
MCQmedium

A developer exposes several backend APIs through Azure API Management. Clients must be throttled by subscription to protect the backend. What should be configured? The design must avoid adding custom operational scripts.

A.Blob soft delete
B.Application Insights sampling
C.Private DNS zone only
D.API Management rate-limit or quota policy
AnswerD

APIM policies can enforce rate limits and quotas per subscription or caller.

Why this answer

Option D is correct because Azure API Management provides built-in rate-limit and quota policies that enforce throttling at the subscription level without requiring custom code. These policies allow you to define call rates (e.g., requests per second) or quotas (e.g., requests per month) per subscription key, directly protecting backend services from overuse.

Exam trap

The trap here is that candidates may confuse monitoring features (Application Insights sampling) or unrelated Azure services (Blob soft delete, Private DNS) with API throttling mechanisms, overlooking the purpose-built rate-limit and quota policies in API Management.

How to eliminate wrong answers

Option A is wrong because Blob soft delete is a data protection feature for Azure Blob Storage that recovers accidentally deleted blobs, not a mechanism for throttling API clients. Option B is wrong because Application Insights sampling reduces telemetry volume for monitoring, not API request throttling. Option C is wrong because a Private DNS zone only resolves custom domain names within a virtual network and has no role in rate limiting or quota enforcement.

788
MCQhard

Refer to the exhibit. You are creating a custom Azure RBAC role. You assign this role to a user for the Production resource group. The user needs to read the contents of a blob in a container. Which permission is necessary for the user to list the container's blobs?

A.Microsoft.Storage/storageAccounts/blobServices/containers/blobs/list
B.Microsoft.Storage/storageAccounts/read
C.Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
D.Microsoft.Storage/storageAccounts/blobServices/containers/read
AnswerA

This data action is required to list blobs within a container.

Why this answer

The role includes 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read' data action for blob read, but does not include 'Microsoft.Storage/storageAccounts/blobServices/containers/read' action to list containers. However, the question asks to list blobs within a container, which requires 'Microsoft.Storage/storageAccounts/blobServices/containers/read' to list blobs? Actually, listing blobs is a data operation: 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read' allows reading blob content and properties but not listing? Wait, listing blobs requires the data action 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/list'? The exhibit shows only read, not list. But the options: Option A is the data action for reading blobs, but listing requires 'list' action.

However, in Azure RBAC, 'list' is included in 'read' for blobs? Actually, the Microsoft documentation: 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read' allows reading blob content, but listing blobs requires 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/list'? No, listing is a separate operation. But the role only has read. The correct answer is Option D? Let's think: The user needs to read blob contents; the role already has 'blobs/read'.

But the question says 'list the container's blobs' - that is a separate permission. The role does not include it. So the user cannot list blobs.

But the options: Option A is 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read' - that is already present. Option B is 'Microsoft.Storage/storageAccounts/blobServices/containers/read' - that is for listing containers, not blobs. Option C is 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/list' - that is the correct permission for listing blobs.

Option D is 'Microsoft.Storage/storageAccounts/read' - too broad. So Option C is needed to list blobs. But the question says 'Which permission is necessary' implying that the current role lacks it.

So the user needs to add the list action. But the role already has the read action for blobs, but listing is not included. So the correct answer is Option C.

However, the stem says 'The user needs to read the contents of a blob' and 'list the container's blobs' - but the role already has read, so to list they need list. The exhibit shows the role has 'blobs/read' data action. So the missing permission is 'list'.

So Option C. But wait, the role also has 'actions' for 'containers/read' which is an ARM action, not data. That allows listing containers but not blobs.

So indeed, to list blobs, you need the data action 'list'. So Option C is correct.

789
MCQmedium

An application stores customer invoices in Azure Blob Storage. Deleted blobs must be recoverable for 14 days. What should be enabled? The design must avoid adding custom operational scripts.

A.Blob soft delete with a 14-day retention period
B.Archive access tier
C.Static website hosting
D.Immutable blob legal hold
AnswerA

Blob soft delete retains deleted blobs for the configured retention period.

Why this answer

Blob soft delete protects against accidental deletion by retaining deleted blobs for a specified retention period. Enabling it with a 14-day retention period allows recovery of deleted invoices within that window without custom scripts, meeting the requirement exactly.

Exam trap

The trap here is that candidates might confuse soft delete with versioning or immutable storage, but soft delete is the only option that provides a configurable retention period for recovering deleted blobs without custom code.

How to eliminate wrong answers

Option B is wrong because the Archive access tier is for cost-effective storage of infrequently accessed data, not for recovering deleted blobs. Option C is wrong because static website hosting enables serving static content from a container, not blob deletion recovery. Option D is wrong because an immutable blob legal hold prevents modification or deletion of blobs for legal purposes, but it does not provide a time-limited recovery window for already deleted blobs.

790
MCQmedium

You are developing a worker role that processes events from an Azure Event Hub. The worker runs on multiple virtual machines to ensure high availability. Each partition of the Event Hub should be processed by only one instance at a time, and events from the same partition must be processed in order. You need to manage partition leasing and checkpointing efficiently. Which Azure SDK class should you use?

A.EventHubClient
B.PartitionReceiver
C.EventHubConsumerClient
D.EventProcessorHost
AnswerD

EventProcessorHost abstracts partition leasing, checkpointing, and ensures that each partition is processed by a single instance. It processes events in order within partitions and is ideal for high-availability scenarios.

Why this answer

The EventProcessorHost (EPH) class is designed specifically for scenarios requiring distributed processing of Event Hub partitions across multiple instances. It manages partition leasing to ensure each partition is processed by only one instance at a time, handles checkpointing to track progress, and guarantees ordered processing within a partition. This makes it the correct choice for high-availability worker roles that must avoid duplicate processing and maintain event order.

Exam trap

The trap here is that candidates often confuse high-level consumer clients (like EventHubConsumerClient) with the distributed coordination capabilities of EventProcessorHost, overlooking the need for automatic lease management and checkpointing in multi-instance deployments.

How to eliminate wrong answers

Option A is wrong because EventHubClient is a low-level client for sending events and managing Event Hub metadata; it does not provide partition leasing, checkpointing, or distributed processing coordination. Option B is wrong because PartitionReceiver is a single-partition receiver that requires manual management of leases and checkpoints, making it unsuitable for multi-instance high-availability scenarios. Option C is wrong because EventHubConsumerClient is a high-level consumer for reading events from one or more partitions but lacks built-in lease management and checkpoint coordination across multiple instances.

791
MCQeasy

You need to provide temporary access to a file in Azure Blob Storage for a duration of one hour. The solution must not require authentication. What should you generate?

A.Storage account key.
B.Enable anonymous public read access on the container.
C.A user delegation key.
D.A shared access signature (SAS) with read permission and an expiration time of one hour.
AnswerD

SAS provides time-limited access without authentication.

Why this answer

Option D is correct because a shared access signature (SAS) with read permission and a one-hour expiration provides time-limited, delegated access to a specific blob without requiring authentication. The SAS token is appended to the URL and grants the specified permissions for the defined duration, meeting the requirement of temporary access without authentication.

Exam trap

The trap here is that candidates often confuse a SAS with a storage account key or user delegation key, mistakenly thinking those provide temporary access without authentication, when in fact they are secrets used to generate SAS tokens or require authentication themselves.

How to eliminate wrong answers

Option A is wrong because a storage account key provides full administrative access to the entire storage account and never expires, which violates the requirement for temporary access and no authentication. Option B is wrong because enabling anonymous public read access on the container makes the blob permanently accessible to anyone without any time limit, failing the one-hour duration requirement. Option C is wrong because a user delegation key is used to sign a SAS with Azure AD credentials, but it still requires authentication to obtain and does not directly provide access without authentication.

792
MCQmedium

You are migrating an on-premises .NET Framework app to Azure. The app uses Windows authentication and requires persistent storage. You want to minimize rework. Which Azure compute service should you choose?

A.Azure Spring Apps
B.Azure Functions
C.Azure Container Instances
D.Azure App Service on Windows
AnswerD

App Service supports Windows authentication and persistent storage with Azure Files.

Why this answer

Azure App Service on Windows (D) supports Windows authentication natively via its built-in integration with Azure Active Directory and on-premises Active Directory through Azure AD Domain Services or hybrid identity setups. It also provides persistent storage options like Azure Files or blob storage attached to the web app, minimizing rework by allowing the existing .NET Framework app to run with minimal code changes in a Platform-as-a-Service (PaaS) environment.

Exam trap

The trap here is that candidates often choose Azure Functions or Container Instances for their 'modern' appeal, overlooking the specific requirement for Windows authentication and minimal rework, which Azure App Service on Windows uniquely satisfies without forcing a rewrite or containerization.

How to eliminate wrong answers

Option A is wrong because Azure Spring Apps is designed for Java Spring Boot microservices, not for .NET Framework apps, and does not support Windows authentication natively. Option B is wrong because Azure Functions is a serverless compute service optimized for event-driven, stateless workloads; it lacks native support for Windows authentication and persistent storage without significant rework (e.g., using external storage accounts). Option C is wrong because Azure Container Instances runs containers on Linux or Windows but requires containerizing the app, which introduces rework, and does not provide built-in Windows authentication or persistent storage without manual configuration.

793
MCQhard

Your application uses Azure Service Bus topics. You need to ensure that messages are processed in the order they were sent within a session. What must you configure?

A.Enable duplicate detection.
B.Enable partitioning on the topic.
C.Enable sessions on the topic and set the SessionId property on messages.
D.Set the MessageId property to a GUID.
AnswerC

Sessions guarantee FIFO within a session.

Why this answer

Option B is correct because Service Bus sessions enable FIFO ordering within a session. The sender must set the SessionId property. Option A is wrong because message sessions require sessions to be enabled.

Option C is wrong because partitioning is for high availability. Option D is wrong because duplicate detection prevents duplicates but does not guarantee order.

794
MCQeasy

A company deploys a web application to Azure App Service. They want to deploy a new version of the app with zero downtime and the ability to quickly roll back if needed. Which deployment feature should they use?

A.Auto-scaling
B.Deployment slots
C.Traffic Manager
D.Application Insights
AnswerB

Deployment slots enable staging, warm-up, and swapping with immediate rollback, providing zero-downtime deployments.

Why this answer

Deployment slots are separate, live environments within Azure App Service that allow you to stage a new version of your app, perform validation, and then swap it into production with zero downtime. The swap operation ensures all traffic is redirected instantly, and if issues arise, you can immediately swap back to the previous slot for a quick rollback.

Exam trap

The trap here is that candidates often confuse Traffic Manager (a global load balancer) with deployment slots, thinking DNS-level routing provides the same zero-downtime swap within a single App Service, but Traffic Manager cannot swap application versions or configurations within the same app.

How to eliminate wrong answers

Option A is wrong because auto-scaling adjusts the number of instances based on load, not the version of the application being deployed; it does not provide zero-downtime deployment or rollback capabilities. Option C is wrong because Traffic Manager is a DNS-based traffic routing service that distributes traffic across different regions or endpoints, not a feature for deploying new versions of an app within a single App Service instance with zero downtime and rollback. Option D is wrong because Application Insights is a monitoring and diagnostics service that tracks application performance and usage, not a deployment mechanism.

795
MCQmedium

You need to upload a large file (10 GB) to Azure Blob Storage with the ability to pause and resume the upload. Which approach should you use?

A.Use a single Put Blob operation
B.Use the Azure Portal to upload the file
C.Use AzCopy with the /SyncCopy parameter
D.Use the Azure Storage SDK to upload block blobs in parallel
AnswerD

Block blobs allow resumable uploads with Put Block.

Why this answer

Option D is correct because uploading a large file (10 GB) to Azure Blob Storage with pause/resume capability requires breaking the file into blocks and uploading them in parallel using the Azure Storage SDK. The SDK supports block blob operations, allowing you to track progress, retry failed blocks, and resume from the last committed block. A single Put Blob operation cannot handle files larger than 5 GB, and neither the Azure Portal nor AzCopy with /SyncCopy provides programmatic pause/resume control.

Exam trap

The trap here is that candidates often confuse AzCopy's resume capability with the need for programmatic control, but the question specifically requires the ability to pause and resume programmatically, which only the SDK provides through block-level management.

How to eliminate wrong answers

Option A is wrong because a single Put Blob operation has a maximum size limit of 5 GB for a single upload, so it cannot handle a 10 GB file. Option B is wrong because the Azure Portal has a file size limit of approximately 1 GB for direct uploads and does not support pause/resume functionality. Option C is wrong because AzCopy's /SyncCopy parameter is used for copying blobs between storage locations, not for uploading files with pause/resume; AzCopy does support resume for uploads via its own mechanism, but /SyncCopy is specifically for incremental copy, not upload control.

796
MCQmedium

You are designing a solution that needs to relay events from an on-premises system to Azure Event Grid. The on-premises system cannot make outbound HTTPS calls. Which Azure service should you use as a bridge?

A.Azure VPN Gateway
B.Azure Relay
C.Azure ExpressRoute
D.Azure Event Grid on-premises
AnswerB

Azure Relay allows on-premises services to expose endpoints to Azure without opening inbound ports.

Why this answer

Azure Relay enables hybrid connections by allowing on-premises services to connect to Azure via outbound port 443. Option A is wrong because VPN Gateway requires network changes. Option B is wrong because ExpressRoute is a dedicated connection.

Option C is wrong because Event Grid does not support inbound connections from on-premises.

797
MCQmedium

A document rendering job hosted on App Service returns intermittent 502 errors during deployment. The team wants zero-downtime release with validation before traffic moves. What should be implemented?

A.Deploy to a staging slot, validate health, then swap
B.Deploy directly to production during business hours
C.Disable health checks
D.Restart the App Service plan before each deployment
AnswerA

Slot swaps allow pre-production validation and reduce deployment interruption.

Why this answer

Deploying to a staging slot allows the new version of the app to be fully initialized and validated via health checks before traffic is routed to it. The swap operation in Azure App Service moves the production traffic to the staging slot without any downtime, as the slots share the same front-end and the swap is atomic. This directly addresses the 502 errors caused by incomplete deployments and ensures zero-downtime release with validation.

Exam trap

The trap here is that candidates may think disabling health checks or restarting the plan solves intermittent errors, but the real issue is the lack of a safe staging environment for validation, which deployment slots directly provide.

How to eliminate wrong answers

Option B is wrong because deploying directly to production during business hours does not provide any validation before traffic hits the new code, and it risks exposing users to 502 errors if the deployment is incomplete or unhealthy. Option C is wrong because disabling health checks removes the ability to detect that the new deployment is returning 502 errors, which would allow unhealthy instances to serve traffic and worsen the issue. Option D is wrong because restarting the App Service plan before each deployment does not provide a staging environment for validation, and it causes downtime for all apps in the plan, contradicting the zero-downtime requirement.

798
MCQhard

A team develops an Azure Functions app that processes IoT telemetry. They notice cold start latency is impacting performance. The function uses the Consumption plan. Which action reduces cold starts most effectively?

A.Use Durable Functions for long-running workflows
B.Change to Premium plan with pre-warmed instances
C.Increase the function timeout to maximum
D.Use a dedicated App Service plan
AnswerB

Premium plan keeps instances warm, eliminating cold starts.

Why this answer

Premium plan keeps instances warm, reducing cold starts. Option A is wrong because using durable functions adds orchestration overhead. Option B is wrong because increasing timeout doesn't affect cold start.

Option D is wrong because App Service plan also reduces cold starts but Premium plan is more cost-effective for variable load.

799
Multi-Selectmedium

Which THREE are valid ways to authenticate an Azure app to an Azure resource using managed identities?

Select 3 answers
A.Managed identity using Azure AD tokens
B.System-assigned managed identity
C.Client certificate
D.Connection string
E.User-assigned managed identity
AnswersA, B, E

Managed identities obtain Azure AD tokens to access resources.

Why this answer

System-assigned, user-assigned, and when accessing resources that support managed identity authentication, the app can use the managed identity. Option D is wrong because certificates are not a managed identity type. Option E is wrong because connection strings are not managed identity.

800
MCQmedium

You need to grant a user the ability to read and write blobs in a specific container for 24 hours. The solution must use delegated access without exposing the storage account key. What should you use?

A.Storage account access key
B.Account shared access signature (SAS)
C.Service shared access signature (SAS)
D.User delegation shared access signature (SAS)
AnswerD

User delegation SAS uses Entra ID, no key exposure.

Why this answer

A user delegation SAS is secured with Azure AD credentials and is the only SAS type that uses delegated authorization without exposing the storage account key. It allows you to grant granular, time-limited access (e.g., 24 hours) to a specific container for read and write operations, meeting the requirement exactly.

Exam trap

The trap here is that candidates often confuse a service SAS (which is scoped to a single service like Blob) with a user delegation SAS, but the key differentiator is that a user delegation SAS uses Azure AD for signing, not the account key.

How to eliminate wrong answers

Option A is wrong because using the storage account access key directly exposes the key, violating the requirement to avoid exposing it. Option B is wrong because an account SAS is signed with the storage account key, which also exposes the key and is not delegated. Option C is wrong because a service SAS is also signed with the storage account key, not with Azure AD credentials, and thus does not provide delegated access.

801
Multi-Selectmedium

You are developing a solution that uses Azure Functions to process events from Azure Event Grid. The function must handle events reliably. Which TWO options should you implement?

Select 2 answers
A.Use Durable Functions for orchestration.
B.Enable retry policy on the Event Grid subscription.
C.Implement manual checkpointing in the function code.
D.Configure a dead-letter destination for undelivered events.
E.Use a queue trigger instead of an Event Grid trigger.
AnswersB, D

Retry policy helps handle transient failures.

Why this answer

Option B is correct because Event Grid subscriptions support automatic retry policies that can be configured to retry event delivery on transient failures, ensuring reliable processing. Option D is correct because a dead-letter destination (e.g., a storage blob) captures events that cannot be delivered after exhausting retries, preventing data loss and enabling later analysis.

Exam trap

The trap here is that candidates often confuse Event Grid's built-in retry and dead-lettering with Durable Functions or manual checkpointing, assuming they need to implement custom reliability mechanisms when Azure already provides them natively.

802
MCQmedium

Refer to the exhibit. A developer runs this Azure CLI command to set an app setting for a web app. What is the impact on the web app?

A.The command fails because the password is provided in plaintext.
B.The setting is available immediately without restart.
C.The web app restarts to apply the new setting.
D.The setting is stored in a local configuration file.
AnswerC

Setting app settings triggers a restart of the web app.

Why this answer

Option B is correct. The command sets an app setting, which triggers a restart of the web app. Option A is wrong because the setting is available immediately after restart; Option C is wrong because the app setting is stored in the app's configuration, not in a file; Option D is wrong because the command does not affect the code.

803
MCQeasy

A background worker retrieves a message from Azure Queue Storage and begins processing. The processing logic takes longer than the configured visibility timeout. Before the worker finishes, the timeout expires. What happens to the message?

A.The message becomes visible again in the queue and another worker can dequeue it
B.The message is permanently deleted because the worker already dequeued it
C.The message moves to a dead-letter queue after the visibility timeout expires
D.Processing continues uninterrupted; the visibility timeout applies only to the initial retrieval window
AnswerA

This is the core at-least-once delivery guarantee. The visibility timeout is a lease, not a lock. When the lease expires, the queue re-exposes the message. To prevent double-processing, the worker should call UpdateMessage to extend the timeout, or ensure processing is idempotent.

Why this answer

When the visibility timeout expires, the message becomes visible again in the queue because Azure Queue Storage uses a lease-based mechanism. The worker that dequeued the message loses its exclusive visibility lease, allowing another worker to dequeue and process the same message. This ensures at-least-once delivery semantics, preventing message loss if a worker fails or takes too long.

Exam trap

The trap here is that candidates assume the dequeue operation permanently locks or deletes the message, but Azure Queue Storage only hides it temporarily, and the worker must explicitly delete it to prevent reprocessing.

How to eliminate wrong answers

Option B is wrong because Azure Queue Storage does not permanently delete a message after dequeue; it only hides it for the visibility timeout period, and the message must be explicitly deleted by the worker after successful processing. Option C is wrong because messages are moved to a dead-letter queue only when they exceed the maximum dequeue count (e.g., after being dequeued but not deleted multiple times), not simply upon visibility timeout expiry. Option D is wrong because the visibility timeout applies to the entire processing window; if the worker does not update or delete the message before the timeout, the message becomes visible again, and processing can be interrupted by another worker dequeuing it.

804
MCQmedium

A developer is implementing least-privilege storage access. The application runs on Azure App Service and must avoid stored credentials. Which design should be used? The design must avoid adding custom operational scripts.

A.Use a shared administrator account
B.Disable authentication for the target resource
C.Store a client secret in source control
D.Enable managed identity and grant least-privilege access to the target resource
AnswerD

Managed identity lets Azure-hosted apps authenticate without stored secrets.

Why this answer

Option D is correct because Azure Managed Identity provides an automatically managed identity in Azure AD that allows the App Service to authenticate to any service supporting Azure AD authentication without storing any credentials. By granting the managed identity only the specific permissions required (least-privilege) on the target storage resource (e.g., Storage Blob Data Reader), the application avoids stored credentials and eliminates the need for custom operational scripts. This aligns with the principle of zero standing credentials and is the recommended approach for Azure App Service.

Exam trap

The trap here is that candidates may think storing a client secret in source control (Option C) is acceptable if the repository is private, but the question explicitly requires avoiding stored credentials, and any secret in source control is a security risk that violates the principle of credentialless access.

How to eliminate wrong answers

Option A is wrong because using a shared administrator account violates least-privilege (grants excessive permissions) and requires storing credentials, which contradicts the requirement to avoid stored credentials. Option B is wrong because disabling authentication for the target resource removes all access control, exposing the resource to unauthorized access and violating security best practices. Option C is wrong because storing a client secret in source control introduces a security risk (credential leak) and requires managing a secret, which does not avoid stored credentials and adds operational overhead.

805
Multi-Selecthard

You are deploying a critical web application on Azure App Service that must handle sudden traffic spikes. The application stores session data in memory. You need to ensure session state is preserved across scale-out events. Which THREE actions should you take?

Select 3 answers
A.Enable sticky sessions (ARR affinity) in the App Service configuration.
B.Configure the application to use Azure Cache for Redis for session state.
C.Disable ARR affinity to allow any instance to handle requests.
D.Set the session state mode to 'InProc' in the web.config.
E.Use a SQL Server session state provider to store session data.
AnswersA, B, E

Sticky sessions route requests to the same instance, reducing session loss during scale-out.

Why this answer

Option A is correct because enabling sticky sessions (ARR affinity) ensures that all requests from a client session are routed to the same App Service instance. This preserves in-memory session state during scale-out events, as the load balancer uses the ARR cookie to maintain affinity. Without this, requests could be distributed to different instances, losing session data.

Exam trap

The trap here is that candidates may think disabling ARR affinity (Option C) or using InProc mode (Option D) is sufficient, but they fail to recognize that in-memory session state is inherently tied to a single instance and requires both sticky sessions and a shared external store for true scale-out resilience.

806
MCQhard

Refer to the exhibit. You run this KQL query in Azure Resource Graph Explorer. The query returns no results. What is the most likely reason?

A.The 'contains' operator is case-sensitive.
B.The query must specify a subscription filter.
C.The 'where' clause must use '== ' instead of '=='.
D.The resource type is incorrect; it should be 'microsoft.insights/components' in lowercase.
AnswerD

Resource types in ARG are case-sensitive and must match exactly.

Why this answer

The KQL query uses the resource type 'Microsoft.Insights/Components' with mixed case, but Azure Resource Graph Explorer requires resource types to be specified in all lowercase. The correct type is 'microsoft.insights/components'. When the case does not match, the query returns no results because Azure Resource Graph performs a case-sensitive match on the 'type' property.

Exam trap

The trap here is that candidates often assume Azure resource types are case-insensitive in queries, but Azure Resource Graph enforces exact lowercase matching for the 'type' property, leading to empty results when mixed case is used.

How to eliminate wrong answers

Option A is wrong because the 'contains' operator in KQL is case-insensitive by default, so case sensitivity is not the issue here. Option B is wrong because Azure Resource Graph queries do not require a subscription filter; they can run across all accessible subscriptions without explicit filtering. Option C is wrong because the '==' operator is the correct equality operator in KQL; the syntax '== ' (with a trailing space) is not valid and would cause a syntax error, not a silent empty result.

807
MCQmedium

A web app for a claims processing function needs separate staging and production environments. The team must warm up the new version before swapping traffic. Which App Service feature should be used?

A.Deployment slots
B.Backup and restore
C.App Service access restrictions
D.Always On only
AnswerA

Deployment slots provide separate environments and support warm-up before swap.

Why this answer

Deployment slots are the correct Azure App Service feature for staging and production environments with traffic swapping. They allow you to deploy a new version to a staging slot, warm it up (e.g., by sending requests or using auto-swap with warm-up), and then swap the slot's traffic with the production slot, ensuring zero-downtime deployment and validation before going live.

Exam trap

The trap here is that candidates might confuse 'Always On' with keeping the app warm for swapping, but Always On only prevents idle shutdown and does not provide separate environments or traffic management.

How to eliminate wrong answers

Option B (Backup and restore) is wrong because it is designed for disaster recovery and data preservation, not for staging or traffic swapping between environments. Option C (App Service access restrictions) is wrong because it controls inbound network access via IP rules or service endpoints, not environment separation or deployment swapping. Option D (Always On only) is wrong because it keeps the app loaded to prevent cold starts, but it does not provide separate environments or the ability to warm up a new version before swapping traffic.

808
Multi-Selecteasy

Which TWO actions can help you reduce latency for a globally distributed web application? (Choose two.)

Select 2 answers
A.Use Azure Application Gateway with Web Application Firewall
B.Scale up the App Service plan to a higher tier
C.Use Azure Traffic Manager with performance routing
D.Enable multi-region writes on Azure Cosmos DB
E.Use Azure Front Door to route traffic to the nearest region
AnswersC, E

Traffic Manager routes users to the closest region.

Why this answer

Option A (Azure Front Door) and Option D (Azure Traffic Manager) are correct because they route traffic to the nearest endpoint. Option B (App Service scaling) helps with load but not geographic latency. Option C (Cosmos DB multi-region writes) reduces database latency but not overall application latency.

Option E (Application Gateway) is regional.

809
MCQhard

Your application uses Azure Blob Storage to store images. You need to automatically move blobs older than 30 days to the Cool tier and delete blobs older than 365 days. What should you implement?

A.Azure Automation runbook on a schedule
B.Azure Logic Apps with recurrence trigger
C.Azure Blob Storage lifecycle management policy
D.Azure Event Grid subscription with blob created event
AnswerC

Lifecycle management can tier and delete blobs based on age.

Why this answer

Azure Blob Storage lifecycle management policies allow you to define rules that automatically transition blobs to cooler tiers (e.g., Cool) after a specified number of days and delete them after a different number of days. This is the native, cost-effective, and fully managed solution for automating tier transitions and deletions based on blob age, without requiring external compute or orchestration services.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing Azure Automation or Logic Apps for scheduled tasks, not realizing that Azure Blob Storage has a built-in, serverless lifecycle management feature that directly handles age-based tiering and deletion without any external compute or orchestration.

How to eliminate wrong answers

Option A is wrong because Azure Automation runbooks require a dedicated Azure Automation account, incur additional costs, and introduce unnecessary complexity and latency for a task that is natively supported by Blob Storage lifecycle management. Option B is wrong because Azure Logic Apps with a recurrence trigger would need custom code to enumerate blobs, check their age, and perform tier changes or deletions, which is inefficient, error-prone, and not the recommended approach for storage-level automation. Option D is wrong because an Event Grid subscription with a blob created event only triggers on new blob creation, not on the passage of time, and cannot enforce age-based lifecycle rules for existing blobs.

810
MCQhard

You need to store billions of small log entries (each ~200 bytes) generated from multiple IoT devices. The logs are written in chronological order and are rarely updated. You need to run queries that scan large ranges of data by timestamp each day. You want to maximize write throughput and minimize storage costs. Which Azure Storage solution should you choose?

A.Azure Cosmos DB SQL API with a collection partitioned by timestamp.
B.Azure Blob Storage with append blobs and a custom index for timestamp queries.
C.Azure Table Storage with a partition key combining device ID and date, and row key as timestamp.
D.Azure SQL Database with a clustered columnstore index.
AnswerC

Correct. Table Storage provides high throughput at low cost. By designing the partition key appropriately, you can achieve efficient range queries on timestamps and handle billions of entries.

Why this answer

Azure Table Storage is ideal for this scenario because it supports high-volume, low-cost storage of structured log data with efficient range queries. By using a partition key of device ID combined with date, you distribute writes across partitions for high throughput, while the row key as timestamp enables fast, server-side range scans over chronological data without the overhead of a separate index.

Exam trap

The trap here is that candidates often choose Cosmos DB for its indexing and query capabilities, overlooking the fact that Table Storage provides native, cost-effective range queries on the row key without additional indexing costs, making it the optimal choice for high-volume, low-cost log storage with timestamp-based scans.

How to eliminate wrong answers

Option A is wrong because Azure Cosmos DB SQL API is optimized for globally distributed, low-latency reads and writes with flexible schemas, but it incurs higher storage costs and RU consumption for billions of small log entries, making it less cost-effective than Table Storage for this write-heavy, rarely-updated workload. Option B is wrong because append blobs are designed for sequential writes and cannot be efficiently queried by timestamp without a custom external index; scanning billions of blobs or parsing blob content for timestamp ranges would be extremely slow and complex, defeating the query requirement. Option D is wrong because Azure SQL Database with a clustered columnstore index is optimized for analytical queries on large datasets, but it is over-provisioned and expensive for simple log storage, and its transactional overhead and cost per GB make it unsuitable for high-throughput, low-cost ingestion of billions of small entries.

811
MCQhard

You are using Azure Cache for Redis to cache frequently accessed database query results. You need to ensure that the cache is updated automatically when the underlying data changes. Which pattern should you implement?

A.Cache-aside pattern with cache invalidation
B.Read-through pattern
C.Event-driven cache invalidation using Azure Event Grid
D.Write-through pattern
AnswerA

Cache-aside loads data on miss and invalidates cache entries when data changes.

Why this answer

The cache-aside (or lazy loading) pattern is the most common approach: on a cache miss, the application loads data from the database and stores it in the cache with a TTL. When data changes, the cache entry is invalidated (deleted) so the next read fetches fresh data. Option A is write-through, which updates the cache synchronously on writes but does not handle automatic updates on external changes.

Option C is read-through, which is similar to cache-aside but the cache itself loads data. Option D is event-driven invalidation, which is more complex and not a standard pattern.

812
MCQeasy

A company uses Azure Logic Apps to automate business processes. They need to call an external REST API that requires OAuth 2.0 client credentials grant. Which connector should they use with minimal configuration?

A.HTTP connector
B.HTTP + Swagger connector
C.Azure Functions connector
D.Custom connector
AnswerA

Correct. The HTTP connector can be configured with OAuth 2.0 authentication, including client credentials, with minimal custom setup.

Why this answer

The HTTP connector in Azure Logic Apps supports OAuth 2.0 client credentials grant natively with minimal configuration. You can directly set the authentication type to 'Active Directory OAuth' and provide the tenant ID, client ID, client secret, and audience/resource URI. This avoids the need for custom code or additional connectors.

Exam trap

The trap here is that candidates often overthink and choose a custom connector or Swagger-based option, not realizing the built-in HTTP connector already supports OAuth 2.0 client credentials with minimal setup.

How to eliminate wrong answers

Option B (HTTP + Swagger connector) is wrong because it is used when you have an OpenAPI (Swagger) definition to import, adding unnecessary overhead for a simple OAuth 2.0 call. Option C (Azure Functions connector) is wrong because it is designed to invoke Azure Functions, not to call external REST APIs with OAuth 2.0 client credentials. Option D (Custom connector) is wrong because it requires creating a custom API connector with a Swagger definition, which involves more configuration than the built-in HTTP connector's direct OAuth support.

813
MCQmedium

Your company uses Azure Key Vault to manage encryption keys for data at rest in Azure Storage. You need to ensure that the storage account uses a customer-managed key (CMK) stored in Key Vault. Additionally, you need to periodically rotate the key automatically. Which configuration should you implement?

A.Create a key in Key Vault, assign the storage account's managed identity access to that key, and configure a Key Vault rotation policy to automatically rotate the key regularly
B.Enable soft-delete and purge protection on the Key Vault to allow key recovery during rotation
C.Use Azure Key Vault's default key (system-managed) and rely on built-in rotation
D.Manually rotate the key every 90 days by generating a new version and updating the storage account
AnswerA

This enables customer-managed keys and automatic key rotation, meeting the requirements.

Why this answer

Option A is correct because it combines the three essential elements for using a customer-managed key (CMK) with automatic rotation in Azure Key Vault. First, you must create a key in Key Vault (not use the default system-managed key). Second, the storage account's managed identity must be granted 'Get', 'Unwrap Key', and 'Wrap Key' permissions on that key so it can encrypt/decrypt the storage account's root key.

Third, you configure a Key Vault rotation policy (using the Azure Key Vault key rotation feature) to automatically create new key versions on a schedule (e.g., every 90 days), which the storage account automatically picks up without manual intervention.

Exam trap

The trap here is that candidates often confuse enabling soft-delete/purge protection (which is required for CMK but does not enable rotation) with the actual rotation policy configuration, or they assume that system-managed keys can be used when the question explicitly requires a customer-managed key.

How to eliminate wrong answers

Option B is wrong because soft-delete and purge protection are prerequisites for Key Vault (especially when using CMK with Azure Storage) but they do not enable automatic rotation; they only protect against accidental or malicious key deletion. Option C is wrong because Azure Key Vault's default key is a system-managed key (Microsoft-managed), not a customer-managed key; the question explicitly requires a CMK, and system-managed keys cannot be rotated on a custom schedule. Option D is wrong because manual rotation every 90 days does not meet the requirement for automatic rotation; it also introduces operational overhead and risk of human error, and the storage account must be updated each time a new key version is created.

814
MCQeasy

A developer is building an app that uses Azure Cognitive Services Text Analytics. The app needs to detect the language of text input. Which Azure SDK method should be called?

A.DetectLanguage
B.ExtractKeyPhrases
C.AnalyzeSentiment
D.RecognizeEntities
AnswerA

DetectLanguage is the correct method to detect the language of text.

Why this answer

Option A is correct because the Text Analytics client's DetectLanguage method is used to detect language. Option B (AnalyzeSentiment) is for sentiment; Option C (ExtractKeyPhrases) is for key phrases; Option D (RecognizeEntities) is for entities.

815
MCQhard

You have an Azure Storage account configured as shown in the exhibit. You need to ensure that all traffic to the storage account uses HTTPS. Which Azure CLI command should you run next?

A.az storage account create --name mystorageaccount --resource-group myResourceGroup --https-only true
B.az storage account update --name mystorageaccount --resource-group myResourceGroup --secure-transfer-required true
C.az storage account update --name mystorageaccount --resource-group myResourceGroup --enable-https-traffic-only true
D.az storage account update --name mystorageaccount --resource-group myResourceGroup --https-only true
AnswerD

This command sets HTTPS-only traffic correctly.

Why this answer

Option D is correct because the `az storage account update` command with the `--https-only true` parameter enforces HTTPS for all traffic to the storage account by setting the `supportsHttpsTrafficOnly` property to true. This is the specific Azure CLI parameter that controls this setting, and it must be applied after account creation. The command directly meets the requirement to ensure all traffic uses HTTPS.

Exam trap

The trap here is that candidates often confuse the `--https-only` parameter with `--secure-transfer-required` or `--enable-https-traffic-only`, which are not valid Azure CLI parameters for the `az storage account update` command, leading them to choose incorrect options that sound plausible but do not exist in the CLI syntax.

How to eliminate wrong answers

Option A is wrong because `az storage account create` is used to create a new storage account, not to update an existing one, and the `--https-only` parameter is not valid for the create command (the correct create parameter is `--https-only` but it's not supported; the create command uses `--enable-https-traffic-only`). Option B is wrong because `--secure-transfer-required` is not a valid parameter for `az storage account update`; this property is set via the Azure portal or ARM template but not directly via this CLI parameter. Option C is wrong because `--enable-https-traffic-only` is not a valid parameter for `az storage account update`; the correct parameter is `--https-only`.

816
MCQhard

You need to upload large files (up to 100 GB) to Azure Blob Storage from a web application. The upload must be resilient to network failures and support pausing/resuming. Which approach should you use?

A.Upload the blob as a single PUT operation.
B.Use block blob with multiple blocks and parallel upload.
C.Use append blob.
D.Use AzCopy from the server.
AnswerB

Correct. Block blobs support chunked upload with retry and resume capability.

Why this answer

Option B is correct because block blobs support uploading large files (up to ~4.75 TB) by splitting the file into multiple blocks, uploading them in parallel for speed, and committing the block list atomically. This approach provides resilience to network failures (individual blocks can be retried) and supports pausing/resuming by tracking which blocks have been uploaded.

Exam trap

The trap here is that candidates confuse append blobs with block blobs, thinking append blobs support arbitrary uploads, but append blobs only allow data to be added to the end and cannot be used for random-access or parallel uploads.

How to eliminate wrong answers

Option A is wrong because a single PUT operation is limited to 5 GB (or 256 MB for page blobs), cannot handle 100 GB files, and provides no resilience or pause/resume capability. Option C is wrong because append blobs are designed for append-only operations (e.g., logging), not for uploading large files; they do not support parallel uploads or efficient pause/resume. Option D is wrong because AzCopy is a command-line tool meant for server-side or scripted transfers, not for direct use from a web application; it cannot be integrated into a web app's client-side upload flow.

817
MCQmedium

You manage an API in Azure API Management. The API response varies depending on the caller's subscription key. You need to cache responses per subscription key to reduce backend load. Which policy configuration should you use?

A.Set cache key to include the subscription key
B.Use a global cache with no variation
C.Disable caching and rely on the backend
D.Use rate limiting policy
AnswerA

Correct. Using a policy like <cache-lookup vary-by-key="@(context.Subscription.Id)" /> caches different responses per subscription.

Why this answer

Option A is correct because Azure API Management's caching policy allows you to customize the cache key using the `@(context.Subscription.Id)` expression. By setting the cache key to include the subscription key, each caller's responses are cached separately based on their unique subscription, ensuring that variations in the API response per subscription key are preserved while reducing backend load.

Exam trap

The trap here is that candidates might confuse caching policies with rate limiting or assume that a single global cache is sufficient, overlooking the need to differentiate cache entries per caller identity when the API response varies by subscription key.

How to eliminate wrong answers

Option B is wrong because using a global cache with no variation would cache a single response for all callers, ignoring the fact that the API response varies per subscription key, leading to incorrect responses for most callers. Option C is wrong because disabling caching and relying on the backend would not reduce backend load, which is the primary requirement; it would force every request to hit the backend, defeating the purpose of caching. Option D is wrong because rate limiting policy controls the number of requests a caller can make, not the caching of responses; it does not address the need to cache responses per subscription key.

818
Multi-Selectmedium

Which TWO of the following are valid ways to authenticate to Azure Blob Storage from an application? (Choose two.)

Select 2 answers
A.Microsoft account (personal) OAuth token
B.SQL Server authentication
C.Storage account access key
D.Shared access signature (SAS) token
E.Azure Cosmos DB primary key
AnswersC, D

Access key provides full access to the storage account.

Why this answer

Option C is correct because a storage account access key provides full administrative access to the storage account, including Blob Storage. Applications can authenticate by including the key in the Authorization header using the SharedKey scheme, which HMAC-SHA256 signs the request. This is a standard, documented method for authenticating to Azure Blob Storage.

Exam trap

The trap here is that candidates may confuse Azure AD authentication (which uses OAuth 2.0 tokens) with personal Microsoft account OAuth tokens, or mistakenly think Cosmos DB keys or SQL Server credentials can be reused across Azure services, when each service has its own distinct authentication mechanism.

819
MCQmedium

You are developing an ASP.NET Core web API that is hosted on Azure App Service. The API needs to read secrets from Azure Key Vault at startup. You want to avoid storing any credentials in the application code or configuration. Which approach should you use?

A.Use the Key Vault SDK with a client ID and client secret stored in App Service application settings.
B.Enable the system-assigned managed identity for the App Service and configure Key Vault access policies to allow that identity.
C.Use Microsoft Entra ID application roles to assign the App Service a role that allows reading secrets.
D.Store the Key Vault URL and a connection string with the secret in the application's app.config file.
AnswerB

Correct. Managed identity allows the App Service to authenticate to Microsoft Entra ID without any credentials. The Key Vault access policy grants the identity read access to secrets.

Why this answer

Option B is correct because enabling a system-assigned managed identity for the App Service allows it to authenticate to Azure Key Vault without any credentials stored in code or configuration. The managed identity is automatically managed by Azure AD (now Microsoft Entra ID) and can be granted access to Key Vault secrets via access policies, eliminating the need for client IDs, client secrets, or connection strings.

Exam trap

The trap here is that candidates often think storing credentials in App Service application settings is acceptable because they are 'not in code,' but the question explicitly requires avoiding any stored credentials, making managed identity the only secure, credential-free approach.

How to eliminate wrong answers

Option A is wrong because storing a client ID and client secret in App Service application settings still requires credentials in configuration, violating the requirement to avoid storing any credentials. Option C is wrong because Microsoft Entra ID application roles are used for application-level permissions and RBAC, not for granting an App Service identity direct access to Key Vault secrets; Key Vault uses access policies or RBAC roles like 'Key Vault Secrets User' for managed identities. Option D is wrong because storing the Key Vault URL and a connection string with the secret in app.config places credentials in the application code/configuration, directly contradicting the requirement.

820
Multi-Selecthard

Which THREE features of Azure API Management help enforce security policies for APIs? (Choose three.)

Select 3 answers
A.rate-limit policy
B.xml-to-json policy
C.cache-lookup policy
D.validate-jwt policy
E.IP filtering policy
AnswersA, D, E

Limits request rates to prevent overload.

Why this answer

Option A is correct: validate-jwt validates tokens. Option B is correct: rate-limit throttles requests to prevent abuse. Option D is correct: IP filtering restricts access by source IP.

Option C is wrong: cache-lookup improves performance but not security. Option E is wrong: transform XML to JSON changes format, not security.

821
MCQmedium

A checkout API uses Azure Functions with HTTP triggers. The developer wants to reject unauthenticated calls before function code executes. Which feature should be configured?

A.Deployment slots
B.App Service Authentication / Easy Auth with Microsoft Entra ID
C.Application Insights sampling
D.Function timeout
AnswerB

Built-in authentication validates requests before they reach application code.

Why this answer

App Service Authentication (Easy Auth) with Microsoft Entra ID allows the developer to reject unauthenticated calls before the function code executes by configuring the authentication provider at the App Service platform level. This ensures that the HTTP trigger function only receives requests with valid tokens, without requiring custom authorization logic in the function code.

Exam trap

The trap here is that candidates might think authentication must be handled inside the function code (e.g., using custom middleware or token validation), but Azure Functions provides a built-in platform-level authentication feature (Easy Auth) that rejects unauthenticated calls before execution.

How to eliminate wrong answers

Option A is wrong because deployment slots are used for staging, swapping, and testing different versions of the app, not for authentication or rejecting unauthenticated calls. Option C is wrong because Application Insights sampling controls the volume of telemetry data collected, not authentication or request filtering. Option D is wrong because function timeout controls the maximum execution duration for a function, not the ability to reject unauthenticated requests before code runs.

822
MCQhard

Application Insights ingestion cost is rising because a high-traffic app emits large telemetry volume. The team needs statistically useful telemetry while reducing ingestion. What should be configured? The architecture review board prefers a managed AWS-native control.

A.Move the app to a larger App Service plan
B.Adaptive sampling
C.Disable all exception telemetry
D.Increase log verbosity to debug
AnswerB

Adaptive sampling reduces telemetry volume while preserving representative diagnostic data.

Why this answer

Adaptive sampling in Application Insights automatically reduces the volume of telemetry data sent from high-traffic apps by intelligently selecting a representative subset of events. This preserves statistical utility for analysis while significantly lowering ingestion costs, making it the ideal solution for the described scenario.

Exam trap

The trap here is that candidates may confuse sampling with other cost-reduction methods like scaling up or disabling telemetry, not realizing that adaptive sampling is the only option that balances cost reduction with statistical validity.

How to eliminate wrong answers

Option A is wrong because moving to a larger App Service plan increases compute resources but does not reduce telemetry volume or ingestion costs; it may even increase costs. Option C is wrong because disabling all exception telemetry would eliminate critical diagnostic data, undermining the team's need for statistically useful telemetry. Option D is wrong because increasing log verbosity to debug would dramatically increase telemetry volume, worsening the ingestion cost problem.

823
MCQeasy

You are monitoring an Azure web application with Application Insights. You notice a sudden increase in the number of failed requests. You want to be notified automatically when such anomalies occur, without manually setting static thresholds. Which Application Insights feature should you use?

A.Create a metric alert on the 'failed requests' metric with a static threshold.
B.Enable Smart Detection for failure anomalies.
C.Use Log Analytics to run a query every 5 minutes and trigger an action.
D.Create an availability test that periodically pings the application.
AnswerB

Correct. Smart Detection automatically analyzes telemetry and alerts on anomalous patterns, such as a sudden spike in failed requests.

Why this answer

Smart Detection for failure anomalies in Application Insights uses machine learning to automatically detect unusual patterns in failed request rates without requiring manual threshold configuration. This feature is specifically designed to notify you of anomalies based on historical behavior, making it the correct choice for the scenario described.

Exam trap

The trap here is that candidates often confuse metric alerts with static thresholds as the only way to get notified, overlooking the machine learning-based Smart Detection feature that is purpose-built for anomaly detection without manual thresholds.

How to eliminate wrong answers

Option A is wrong because creating a metric alert with a static threshold requires manual configuration and does not adapt to changing traffic patterns, which contradicts the requirement to avoid setting static thresholds. Option C is wrong because using Log Analytics to run a query every 5 minutes is a custom, manual approach that lacks the built-in anomaly detection capabilities of Smart Detection and requires additional setup for scheduling and action groups. Option D is wrong because an availability test periodically pings the application to check endpoint availability, not to detect anomalies in failed request rates; it is designed for availability monitoring, not for analyzing historical failure patterns.

824
MCQmedium

Your Azure Logic Apps workflow fails intermittently with timeout errors. What should you do to improve reliability?

A.Configure retry policies for failed actions
B.Increase the action timeout to maximum
C.Reduce the number of parallel branches
D.Use Azure API Management in front of Logic Apps
AnswerA

Retries handle transient failures.

Why this answer

Option D is correct because configuring retry policies handles transient failures. Option A is wrong because increasing timeout doesn't fix the root cause. Option B is wrong because it's for other services.

Option C is wrong because it reduces parallelism, not reliability.

825
Multi-Selectmedium

Which TWO authentication methods can be used to connect an Azure App Service to an Azure SQL Database without storing connection strings in code or configuration files?

Select 2 answers
A.Client certificate installed on the App Service
B.Storage account access key
C.SQL Server authentication (username and password)
D.System-assigned managed identity
E.User-assigned managed identity
AnswersD, E

Managed identity provides a passwordless identity for the App Service.

Why this answer

Managed identities (system-assigned or user-assigned) and service principals are both identity-based methods that can authenticate to Azure SQL without storing credentials. Option A is wrong because SQL authentication uses username/password stored in configuration. Option B is wrong because the access key is for storage accounts.

Option D is wrong because certificates are stored in the app, not managed by Azure identity.

Page 10

Page 11 of 14

Page 12