Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 826-900

997 questions total · 14 pages · All types, answers revealed


Page 12 of 14

826 (MCQ, medium)

An application stores large media files (up to 5 GB) that are frequently appended to but rarely read sequentially. Which Azure Blob Storage type should be used to optimize writes and cost?

A. Block blob
B. Append blob
C. Page blob
D. Archive blob
Answer: B

Append blobs are specifically designed for efficient append operations and support up to 195 GB, making them suitable for frequently appended media files.

Why this answer

Append blobs are optimized for append operations, making them ideal for scenarios like logging or storing media files that are frequently appended to. They support high-throughput writes without the overhead of managing block lists, and they are cost-effective for sequential append workloads compared to block blobs, which require explicit block management and are better suited for random read/write patterns.

Exam trap

The trap here is that candidates often choose block blobs because they are the default and most familiar type for large files, overlooking that append blobs are specifically designed for frequent append operations and offer better write performance and cost efficiency for that pattern.

How to eliminate wrong answers

Option A is wrong because block blobs are designed for efficient upload of large files by splitting them into blocks, but they are not optimized for frequent append operations; each append requires managing block IDs and committing a block list, which adds overhead and is less efficient than append blobs. Option C is wrong because page blobs are optimized for random read/write operations on fixed-size pages (512 bytes), typically used for virtual machine disks (VHDs), not for append-heavy workloads with large media files. Option D is wrong because archive blob is a tier (not a blob type) for infrequently accessed data with retrieval latency of hours, and it does not support frequent append operations; it is meant for cold storage, not active writes.

827 (MCQ, medium)

The internal API team is deploying a containerized .NET API that receives sporadic requests — sometimes none for hours, then bursts of activity. Cost is a priority. The team wants the container to stop running when idle and start automatically when a request arrives, with no server management overhead. Which Azure service is the best fit?

A. Azure Container Apps with scale-to-zero enabled on the HTTP ingress
B. Azure Kubernetes Service with the cluster autoscaler set to a minimum node count of zero
C. Azure App Service on a B1 (Basic) plan with Always On disabled
D. Azure Virtual Machine Scale Sets with scheduled scaling to zero instances overnight
Answer: A

Container Apps scales to zero replicas when idle. The first request after an idle period incurs a cold-start delay (typically seconds) while a replica starts. Subsequent requests in the burst are served by the running replica. Billing is consumption-based — zero replicas means zero compute cost during idle periods.

Why this answer

Azure Container Apps with scale-to-zero enabled on the HTTP ingress is the best fit because it allows the container to scale down to zero replicas when idle, automatically stopping the container to save costs, and scales back up to handle incoming HTTP requests with no server management overhead. This serverless platform abstracts Kubernetes infrastructure, meeting the team's requirement for minimal operational burden and cost efficiency.

Exam trap

The trap here is that candidates often confuse 'scale to zero' with 'autoscaling to a minimum of zero nodes' in AKS, but AKS cannot scale to zero nodes due to system pod requirements, whereas Azure Container Apps supports scale-to-zero at the replica level without managing nodes.

How to eliminate wrong answers

Option B is wrong because Azure Kubernetes Service (AKS) with the cluster autoscaler set to a minimum node count of zero is not supported; AKS requires at least one node to run system pods, and scaling to zero nodes would break cluster functionality. Option C is wrong because Azure App Service on a B1 (Basic) plan with Always On disabled still incurs costs for the reserved instance and cannot scale to zero; the plan is always running, and idle behavior only stops the app process, not the underlying VM. Option D is wrong because Azure Virtual Machine Scale Sets with scheduled scaling to zero instances overnight does not provide automatic, request-driven scaling; it relies on a fixed schedule and cannot react to sporadic bursts, plus VMs incur costs even when deallocated if the underlying resources are not released.

828 (MCQ, hard)

You are building a solution that processes orders from multiple regions. Orders must be processed in the order they are received, but processing can take up to 5 minutes. You need to ensure exactly-once processing and minimize latency. Which Azure service and configuration should you use?

A. Azure Service Bus Queue with sessions enabled
B. Azure Event Hubs with consumer groups
C. Azure Service Bus Queue with duplicate detection enabled
D. Azure Queue Storage with poison messages
Answer: A

Sessions ensure FIFO ordering and exactly-once processing.

Why this answer

Service Bus Queues with sessions provide FIFO ordering and duplicate detection. Option C is wrong because a queue without sessions (duplicate detection alone) doesn't guarantee order. Option B is wrong because Event Hubs is for streaming, not ordered queues.

Option D is wrong because Storage Queues don't guarantee FIFO.

829 (Multi-Select, hard)

A company deploys a containerized application on Azure Kubernetes Service (AKS). They need to ensure high availability and disaster recovery across regions. Which THREE actions should they take?

Select 3 answers
A. Use Azure Front Door for global load balancing
B. Configure Pod Disruption Budgets
C. Use Azure Traffic Manager to route traffic
D. Deploy AKS clusters in multiple regions
E. Enable Cluster Autoscaler
Answers: B, C, D

PDBs ensure application availability during node updates.

Why this answer

Pod Disruption Budgets (PDBs) are correct because they ensure that a minimum number of pods remain available during voluntary disruptions, such as node maintenance or cluster upgrades. In a multi-region AKS deployment for high availability and disaster recovery, PDBs protect application uptime by preventing too many replicas from being taken down simultaneously, which is critical for maintaining service continuity across regional failovers.

Exam trap

The trap here is that candidates often confuse Cluster Autoscaler (which only scales nodes within a region) with cross-region disaster recovery solutions, overlooking that true high availability across regions requires deploying multiple AKS clusters and using a global traffic router like Azure Traffic Manager.

830 (MCQ, easy)

You are developing a background job that runs every hour to process data. You choose Azure Functions with a timer trigger. What is the correct format for the cron expression to run at the start of every hour?

A. 0 * * * * *
B. * 0 * * * *
C. 0 0 * * * *
D. 0 0 0 * * *
Answer: C

Runs at the start of every hour.

Why this answer

In Azure Functions timer triggers, the cron expression uses six fields: {second} {minute} {hour} {day} {month} {day-of-week}. To run at the start of every hour (i.e., at minute 0 and second 0 of every hour), the expression must be '0 0 * * * *'. Option C correctly sets second to 0, minute to 0, and hour to '*' (every hour), with the remaining fields as '*' (every day, every month, every day-of-week).

Exam trap

The trap here is that candidates often confuse the six-field Azure Functions cron format with the standard five-field UNIX cron format, leading them to pick '0 * * * * *' (which runs every minute) or '* 0 * * * *' (which runs every second during minute 0).

How to eliminate wrong answers

Option A is wrong because '0 * * * * *' runs at second 0 of every minute (i.e., once per minute), not at the start of every hour. Option B is wrong because '* 0 * * * *' runs every second during minute 0 of every hour (i.e., 60 times at the start of the hour), not once at the start. Option D is wrong because '0 0 0 * * *' runs at midnight (00:00:00) every day, not at the start of every hour.
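To make the difference between the four options concrete, here is an added example (not part of the original question bank) that evaluates six-field Azure Functions timer expressions the way the explanation describes them and counts how often each option fires over a constructed two-hour window starting at midnight. The evaluator is a simplified reimplementation for illustration, not the NCRONTAB library the runtime uses; it handles `*`, numbers, lists, ranges and `/step` but not day or month names.

```python
from datetime import datetime, timedelta

# Field order of an Azure Functions (NCRONTAB) timer expression, with each
# field's allowed range: second, minute, hour, day-of-month, month, day-of-week.
FIELD_RANGES = [(0, 59), (0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def _field_matches(spec, value, lo, hi):
    """True if one cron field matches `value`.  Handles '*', plain numbers,
    comma lists, ranges 'a-b' and steps '*/n' or 'a-b/n'.  Names such as MON
    are not supported in this simplified evaluator."""
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def matches(expr, when):
    """True if the six-field expression fires at the instant `when`
    (a datetime or an ISO-8601 string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    fields = expr.split()
    if len(fields) != 6:
        raise ValueError("timer trigger expressions need six fields: sec min hour day month dow")
    # cron counts Sunday as 0; Python's weekday() counts Monday as 0
    values = [when.second, when.minute, when.hour, when.day, when.month,
              (when.weekday() + 1) % 7]
    return all(_field_matches(f, v, lo, hi)
               for f, v, (lo, hi) in zip(fields, values, FIELD_RANGES))


def firings_in_window(expr, start, seconds):
    """Count the instants in [start, start + seconds) at which `expr` fires."""
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    return sum(1 for i in range(seconds) if matches(expr, start + timedelta(seconds=i)))


# The four answer options from the question.
OPTIONS = {
    "A": "0 * * * * *",
    "B": "* 0 * * * *",
    "C": "0 0 * * * *",
    "D": "0 0 0 * * *",
}


def firings_per_option(start="2024-01-01T00:00:00", seconds=7200):
    """Firing counts for each option over a constructed two-hour window
    that starts at midnight (so option D fires exactly once)."""
    return {letter: firings_in_window(expr, start, seconds)
            for letter, expr in OPTIONS.items()}


if __name__ == "__main__":
    for letter, count in firings_per_option().items():
        print(f"{letter}: {OPTIONS[letter]!r} fires {count} times in two hours")
```

Over two hours, A and B each fire 120 times (once per minute, and once per second during minute 0 respectively), C fires twice (once per hour) and D fires once (midnight only). The same evaluator shows that a step expression such as `0 */5 * * * *` fires every five minutes.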

831 (MCQ, medium)

You have an Azure App Service web app that experiences fluctuating traffic. During peak hours, the CPU usage reaches 90% and response times increase. You want to automatically scale out the number of instances when CPU usage exceeds 75% and scale in when it drops below 25%. The scaling should be gradual to avoid thrashing. Which configuration should you use?

A. Enable 'Always On' and configure manual scale based on scheduled times.
B. Configure autoscale rules on the App Service plan scale-out setting, using CPU percentage as the metric with appropriate thresholds and cool-down periods.
C. Use Azure Functions with the Consumption Plan to handle the web app logic.
D. Deploy the web app to Azure Container Instances and use the scale-on-CPU feature.
Answer: B

This is the standard approach. In the Azure portal, under the App Service plan's 'Scale out' (App Service plan settings), you can add autoscale conditions with rules based on CPU percentage.

Why this answer

Option B is correct because Azure App Service autoscale rules allow you to scale out (increase instance count) when CPU percentage exceeds 75% and scale in (decrease instance count) when it drops below 25%, with configurable cool-down periods (e.g., 5–10 minutes) to prevent thrashing. This directly addresses the fluctuating traffic pattern and gradual scaling requirement using the App Service plan's scale-out blade.

Exam trap

The trap here is that candidates confuse 'Always On' (which keeps the app warm) with autoscaling, or mistakenly think Azure Functions or Container Instances are drop-in replacements for App Service autoscale, ignoring the specific requirements for gradual, metric-based scaling with cool-down periods.

How to eliminate wrong answers

Option A is wrong because 'Always On' prevents the app from being unloaded after idle periods but does not provide any autoscaling capability; manual scale based on scheduled times cannot react to real-time CPU fluctuations. Option C is wrong because Azure Functions with the Consumption Plan is designed for event-driven, stateless workloads, not for hosting a full web app with persistent connections or complex routing; it lacks the autoscale granularity and CPU-based rules required here. Option D is wrong because Azure Container Instances scale-on-CPU feature is limited to container groups and does not integrate with App Service web app deployment; it also lacks the gradual scale-in/out cool-down periods needed to avoid thrashing.
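The role of the cool-down period is easiest to see in a simulation. The following added example (not part of the original page and not how Azure autoscale is implemented internally) models the rule from the question, scale out above 75% CPU and scale in below 25%, once per minute against a constructed CPU series, and compares how many scaling actions occur with and without a cool-down. The real service evaluates the metric as an aggregate over a duration before applying a rule; this model reacts to single samples so that the thrashing effect is visible.

```python
from dataclasses import dataclass


@dataclass
class AutoscaleRule:
    """Thresholds and limits modelled on an App Service plan autoscale setting."""
    scale_out_threshold: float = 75.0   # CPU % above which one instance is added
    scale_in_threshold: float = 25.0    # CPU % below which one instance is removed
    min_instances: int = 1
    max_instances: int = 10
    cooldown_minutes: int = 5           # no further action until this many minutes pass


def simulate(cpu_per_minute, rule):
    """Apply the rule to a per-minute CPU series.

    Returns (instance_count_history, number_of_scaling_actions)."""
    instances = rule.min_instances
    last_action_minute = None
    history = []
    actions = 0
    for minute, cpu in enumerate(cpu_per_minute):
        in_cooldown = (last_action_minute is not None
                       and minute - last_action_minute < rule.cooldown_minutes)
        if not in_cooldown:
            if cpu > rule.scale_out_threshold and instances < rule.max_instances:
                instances += 1
                actions += 1
                last_action_minute = minute
            elif cpu < rule.scale_in_threshold and instances > rule.min_instances:
                instances -= 1
                actions += 1
                last_action_minute = minute
        history.append(instances)
    return history, actions


# Constructed series: CPU flips between 90% and 20% every minute for twelve minutes.
FLAPPING_CPU = [90, 20] * 6


def compare_cooldowns():
    """Scaling actions taken with no cool-down versus a five-minute cool-down."""
    _, without = simulate(FLAPPING_CPU, AutoscaleRule(cooldown_minutes=0))
    _, with_cooldown = simulate(FLAPPING_CPU, AutoscaleRule(cooldown_minutes=5))
    return {"no_cooldown": without, "cooldown_5": with_cooldown}


if __name__ == "__main__":
    print(compare_cooldowns())
    print(simulate([90] * 6, AutoscaleRule(cooldown_minutes=5)))
```

Without a cool-down the flapping series triggers a scaling action every minute (12 actions, each one paid for in instance start-up time); with a five-minute cool-down the same series produces three. A sustained 90% series still grows the plan, one instance per cool-down window, which is the "gradual" behaviour the question asks for.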

832 (MCQ, medium)

You are developing a .NET 8 application that stores customer data in Azure Blob Storage. The application uses the Azure.Storage.Blobs SDK. You need to ensure that the blob containers are created only if they do not already exist. Which method should you call?

A. ExistsAsync
B. DeleteIfExistsAsync
C. CreateIfNotExistsAsync
D. CreateAsync
Answer: C

Creates only if not exists; no exception.

Why this answer

The `CreateIfNotExistsAsync` method is the correct choice because it atomically checks for the existence of the blob container and creates it only if it does not already exist, returning a Boolean indicating whether creation occurred. This aligns with the requirement to avoid errors when the container already exists, without requiring a separate existence check.

Exam trap

The trap here is that candidates often confuse `CreateIfNotExistsAsync` with `CreateAsync`, assuming that `CreateAsync` will silently succeed if the container exists, when in fact it throws an exception on conflict, leading to unhandled errors in production code.

How to eliminate wrong answers

Option A is wrong because `ExistsAsync` only checks whether the container exists and returns a Boolean; it does not create the container, so it fails to meet the creation requirement. Option B is wrong because `DeleteIfExistsAsync` deletes the container if it exists, which is the opposite of what is needed and would remove existing data. Option D is wrong because `CreateAsync` throws a `StorageRequestFailedException` (HTTP 409 Conflict) if the container already exists, requiring additional error handling to avoid failures.

833 (MCQ, easy)

You are building a serverless image-processing solution using Azure Functions. The function must automatically run whenever a new image is uploaded to a blob container and must scale out to handle high upload volumes. Which trigger and hosting plan should you use?

A. Timer trigger with Consumption plan
B. Blob trigger with Consumption plan
C. HTTP trigger with Premium plan
D. Queue trigger with App Service plan
Answer: B

The blob trigger runs when a new blob is created, and the Consumption plan automatically scales out to handle high volumes.

Why this answer

The Blob trigger is designed to automatically execute a function when a blob is created or updated in Azure Blob Storage, making it the correct choice for an image-processing solution that must run on new uploads. The Consumption plan provides automatic scaling to handle high upload volumes by allocating resources on demand, which aligns with the serverless, event-driven requirement.

Exam trap

The trap here is that candidates may confuse the Blob trigger with other triggers (like Timer or Queue) that can indirectly process blobs, but only the Blob trigger directly and automatically responds to blob creation events without additional infrastructure.

How to eliminate wrong answers

Option A is wrong because a Timer trigger runs on a fixed schedule, not in response to blob uploads, so it cannot automatically process new images as they arrive. Option C is wrong because an HTTP trigger requires an explicit HTTP request to invoke the function, which is not suitable for an automatic, event-driven workflow triggered by storage events. Option D is wrong because a Queue trigger processes messages from a queue, not blob uploads directly, and the App Service plan does not provide the same automatic, fine-grained scaling as the Consumption plan for event-driven workloads.

834 (MCQ, easy)

You are developing an Azure Functions app that uses Durable Functions to orchestrate a long-running workflow. The workflow involves calling multiple external APIs. You need to ensure that the orchestration can survive a function app restart. Which feature should you use?

A. Use the default checkpointing and replay mechanism.
B. Log orchestration state to Application Insights.
C. Implement retry policies on the activity functions.
D. Set a high timeout on the orchestration.
Answer: A

Durable Functions persists state for survival across restarts.

Why this answer

Option A is correct because Durable Functions inherently use a checkpointing and replay mechanism to persist the orchestration state to a storage backend (Azure Storage queues, tables, and blobs). This ensures that after a function app restart, the orchestrator function can replay from the last checkpoint, restoring the exact execution context and continuing the workflow without data loss.

Exam trap

The trap here is that candidates confuse logging (Application Insights) with state persistence, or assume retry policies or timeouts are sufficient for durability, when only the built-in checkpointing and replay mechanism guarantees survival across restarts.

How to eliminate wrong answers

Option B is wrong because logging orchestration state to Application Insights is for monitoring and diagnostics, not for persisting the execution state required to survive a restart; it does not provide the replay capability needed for durability. Option C is wrong because implementing retry policies on activity functions handles transient failures of individual API calls, but does not preserve the overall orchestration state across a function app restart. Option D is wrong because setting a high timeout on the orchestration only extends the maximum execution duration, but does not provide any mechanism to recover the orchestration state after a restart.

835 (MCQ, hard)

Refer to the exhibit. An administrator runs this Azure CLI command. What is the result?

A. Assigns the Contributor role to a service principal at the resource group scope
B. Assigns a managed identity to the resource group
C. Assigns the Reader role to a user at the subscription scope
D. Assigns the Reader role to a service principal at the resource group scope
Answer: D

The command correctly assigns Reader role to the service principal at the resource group scope.

Why this answer

Option D is correct. The command assigns the Reader role to the specified service principal (by object ID) at the resource group scope 'ProdRG'. Option C is wrong because the scope is the resource group, not the subscription.

Option A is wrong because the role is Reader, not Contributor. Option B is wrong because the command does not assign a managed identity.

836 (MCQ, medium)

You are developing an Azure Function that processes messages from an Azure Service Bus queue. The function uses a Service Bus queue trigger and runs on a Consumption Plan. The queue receives a high volume of messages in bursts. You need to ensure that the function scales out to handle the load but does not exceed 10 concurrent instances. Which configuration should you apply?

A. Set the 'maxConcurrentCalls' property to 10 in the host.json file.
B. Set the 'WEBSITE_MAX_INSTANCES' application setting to 10 in the function app.
C. Set the 'maxMessageBatchSize' property to 10 in the host.json file.
D. Restrict the Service Bus queue to have a maximum concurrency of 10 at the namespace level.
Answer: B

Correct. The WEBSITE_MAX_INSTANCES setting limits the maximum number of instances that the function app can scale out to. This is the correct way to cap the number of concurrent instances.

Why this answer

Option B is correct because the 'WEBSITE_MAX_INSTANCES' application setting is the proper way to limit the number of concurrent instances (scale-out) for a function app running on a Consumption Plan. This setting caps the maximum number of instances the platform can allocate, ensuring that even under high burst loads, the function does not exceed 10 concurrent instances. The Service Bus trigger's 'maxConcurrentCalls' controls per-instance concurrency, not instance count, and 'maxMessageBatchSize' controls batch size, not scaling.

Exam trap

The trap here is confusing per-instance concurrency settings (maxConcurrentCalls) with instance-level scaling limits (WEBSITE_MAX_INSTANCES), leading candidates to incorrectly choose A when the question explicitly asks about limiting concurrent instances, not per-instance message processing.

How to eliminate wrong answers

Option A is wrong because 'maxConcurrentCalls' in host.json controls the number of messages processed concurrently within a single function instance, not the number of instances; setting it to 10 limits per-instance parallelism but does not cap the total number of instances, which can still scale out beyond 10. Option C is wrong because 'maxMessageBatchSize' defines the maximum number of messages retrieved in a single batch from the Service Bus queue, not the number of concurrent instances; it affects throughput per invocation, not scaling limits. Option D is wrong because Azure Service Bus does not have a 'maximum concurrency' setting at the namespace level that limits function app instances; concurrency is managed at the client/trigger level, and namespace-level throttling is not a configurable property for this purpose.

837 (MCQ, easy)

Fabrikam Inc. has an Azure Function app that processes image uploads. Each time a blob is added to a container in Azure Blob Storage, the function is triggered. The function resizes the image and stores the result in another container. Currently, the function uses an Azure Storage account connection string stored in application settings. The security team requires that no connection strings or access keys be stored in application settings. The function must use managed identity to access the storage account. The storage account is in the same subscription. Which action should the team take?

A. Generate a SAS token for the storage account and store it in Key Vault. Retrieve the SAS token at runtime and use it to create the BlobServiceClient.
B. Create a user-assigned managed identity, assign it to the Function app, and grant it 'Storage Blob Data Contributor' role. Store the client ID in app settings. Use ManagedIdentityCredential with the client ID in code.
C. Keep the connection string in app settings but encrypt it using Azure Key Vault. Use Key Vault references to retrieve it.
D. Enable system-assigned managed identity on the Function app. Assign the 'Storage Blob Data Contributor' role to the managed identity on the storage account. Remove the connection string from application settings. Update the code to use DefaultAzureCredential to authenticate to Blob Storage.
Answer: D

Correct: uses managed identity, no secrets.

Why this answer

Enable system-assigned managed identity on the Function app, then assign the 'Storage Blob Data Contributor' role to the identity on the storage account. Remove the connection string from app settings. Use DefaultAzureCredential in code.

Option D is correct. Option B uses a user-assigned identity, which is unnecessary here; it would still work but is not the simplest. Option C still relies on access keys (the connection string).

Option A uses a SAS token.

838 (MCQ, medium)

You are designing a solution to ingest billions of small IoT sensor messages (each ~500 bytes). Messages arrive at high velocity and must be retained for 90 days. You need to query the data efficiently by device ID and timestamp. You want to minimize storage cost and write latency. Which Azure Storage solution should you use?

A. Azure Blob Storage with JSON logs
B. Azure Queue Storage
C. Azure Table Storage
D. Azure File Storage
Answer: C

Table Storage is optimized for storing large numbers of structured entities. Using device ID as partition key and timestamp as row key allows efficient point queries and range queries, with low write latency and cost.

Why this answer

Azure Table Storage is ideal for this scenario because it provides a cost-effective, schema-less NoSQL store that supports high-volume ingestion of billions of small messages with low write latency. Its partition key (device ID) and row key (timestamp) design enables efficient point queries by device and time range, while the 90-day retention aligns with Table Storage's lifecycle management capabilities.

Exam trap

The trap here is that candidates often choose Azure Blob Storage (Option A) because it's commonly used for log storage, but they overlook that querying billions of small blobs by device ID and timestamp is inefficient without additional indexing services like Azure Data Lake or Cosmos DB, whereas Table Storage provides native, low-latency querying via its composite key structure.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage with JSON logs incurs higher storage costs per GB compared to Table Storage, and querying billions of small JSON blobs by device ID and timestamp would require expensive full-scan operations or external indexing (e.g., Azure Data Lake), not efficient native querying. Option B is wrong because Azure Queue Storage is a message queuing service for decoupling components, not a persistent storage solution for querying historical data; messages are typically deleted after processing and cannot be efficiently queried by device ID and timestamp. Option D is wrong because Azure File Storage provides SMB file shares for shared file access, not a queryable data store; it lacks native indexing for device ID and timestamp queries and is not optimized for high-velocity ingestion of billions of small messages.
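The key design the explanation relies on (device ID as PartitionKey, timestamp as RowKey) only gives efficient range queries if the RowKey sorts chronologically as a string. The added example below (illustration written for this page, not code from any Azure SDK) builds such keys, produces the OData `$filter` string that Table Storage accepts for a device-and-time-range query, and runs the same predicate over a constructed in-memory set of readings so the behaviour can be checked offline. Device IDs are escaped as OData string literals because a value taken from a request could otherwise alter the filter.

```python
from datetime import datetime, timedelta, timezone


def _as_utc(ts):
    """Accept a datetime or ISO-8601 string; treat naive values as UTC."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def row_key(ts):
    """Fixed-width UTC timestamp (yyyymmddThhmmssffffff) so that string order
    equals time order and a RowKey range filter is a time-range query."""
    return _as_utc(ts).strftime("%Y%m%dT%H%M%S%f")


def _odata_literal(value):
    # Single quotes are doubled inside OData string literals; without this a
    # device ID taken from input could change the meaning of the filter.
    return "'" + value.replace("'", "''") + "'"


def odata_filter(device_id, start, end):
    """$filter expression for one device's readings in [start, end).
    PartitionKey equality plus a RowKey range is served from one partition
    without a table scan."""
    return (f"PartitionKey eq {_odata_literal(device_id)} and "
            f"RowKey ge {_odata_literal(row_key(start))} and "
            f"RowKey lt {_odata_literal(row_key(end))}")


def query_range(entities, device_id, start, end):
    """Local stand-in with the same semantics as the server-side filter."""
    lo, hi = row_key(start), row_key(end)
    return [e for e in entities
            if e["PartitionKey"] == device_id and lo <= e["RowKey"] < hi]


def sample_entities():
    """Constructed data: three devices, one reading every ten minutes from
    2024-03-01T00:00Z, as the entities a client would insert."""
    base = datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)
    entities = []
    for device in ("device-01", "device-02", "device-03"):
        for i in range(5):
            ts = base + timedelta(minutes=10 * i)
            entities.append({"PartitionKey": device, "RowKey": row_key(ts),
                             "temperature": 20 + i})
    return entities


if __name__ == "__main__":
    start, end = "2024-03-01T00:10:00+00:00", "2024-03-01T00:40:00+00:00"
    print(odata_filter("device-01", start, end))
    for e in query_range(sample_entities(), "device-01", start, end):
        print(e)
```

If the most common query is "latest readings for a device", a reversed key (for example the maximum tick count minus the timestamp's ticks, zero-padded) makes the newest row sort first; the filter-building and escaping logic stays the same.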

839 (MCQ, medium)

External partners are given Shared Access Signatures to upload product images to a specific Blob Storage container named 'images'. A partner reports accidentally uploading files to the 'contracts' container, which should not be accessible. What is the most likely configuration mistake?

A. The SAS was generated at the storage account level, granting write access that applies to multiple containers rather than being scoped to the 'images' container only
B. The SAS expiry time is too long, giving partners time to discover and access other containers
C. The partner used a storage account key instead of the provided SAS token
D. The SAS was signed with a stored access policy that did not name the correct container
Answer: A

An account SAS with sr=c (container) permission and no container restriction grants access to all containers. A container SAS is generated with a specific container name in the signed resource URI (e.g., https://account.blob.core.windows.net/images?sig=...), making it impossible for the holder to use the SAS against any other container.

Why this answer

A SAS generated at the storage account level grants permissions across all containers within that account. When the SAS URI includes only the account endpoint (e.g., https://<account>.blob.core.windows.net/) and a set of permissions (like write), the token can be used to access any container, including 'contracts'. To restrict access to a single container, the SAS must be scoped to the container resource URI (e.g., https://<account>.blob.core.windows.net/images) and the signed resource type must be 'c' (container) or 'b' (blob), not 's' (service).

Exam trap

The trap here is that candidates often confuse the scope of a SAS (account-level vs. resource-level) with other SAS properties like expiry time or stored access policies, leading them to incorrectly attribute the security breach to token lifetime or policy misconfiguration rather than the fundamental lack of resource-level scoping.

How to eliminate wrong answers

Option B is wrong because a long expiry time does not enable access to other containers; it only extends the window of validity for the token, but the token's scope (which containers it can access) is determined by the resource URI and signed resource type, not the expiry. Option C is wrong because using a storage account key would grant full administrative access to the entire storage account, not just the 'images' container, but the scenario states the partner was given a SAS token, so using the key would be a different authentication method, not a configuration mistake by the developer. Option D is wrong because a stored access policy defines permissions and expiry for a specific container; if the policy did not name the correct container, the SAS would be invalid or scoped to a different container, but it would not grant access to the 'contracts' container unless the policy itself was misconfigured to allow access to multiple containers, which is not the typical behavior of a stored access policy.
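The configuration mistake in this question is visible in the SAS URL itself before the token is ever handed out. The added example below (written for this page; it is not part of any Azure SDK and does not validate signatures) classifies a SAS by scope from its path and query parameters, answers whether the token could be presented against a given container URL, and produces the findings a reviewer would raise before issuing an upload-only SAS to a partner. The URLs, account name and `sig` values are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs


def _path_parts(url):
    return [p for p in urlparse(url).path.split("/") if p]


def sas_scope(sas_url):
    """Classify a SAS URL by what it can reach.

    Returns ("account", None), ("container", name) or ("blob", (container, blob_name))."""
    query = parse_qs(urlparse(sas_url).query)
    parts = _path_parts(sas_url)
    # An account SAS carries signed services (ss) and resource types (srt)
    # instead of a signed resource (sr); nothing in its URL names a container.
    if "srt" in query or "ss" in query:
        return ("account", None)
    sr = query.get("sr", [""])[0]
    if sr == "c" and len(parts) == 1:
        return ("container", parts[0])
    if sr == "b" and len(parts) >= 2:
        return ("blob", (parts[0], "/".join(parts[1:])))
    raise ValueError("not a SAS shape this checker understands: " + sas_url)


def sas_permits(sas_url, target_url):
    """True if the token's scope covers target_url.  Only scope is checked;
    the service additionally verifies the signature, expiry and permissions."""
    if urlparse(sas_url).netloc != urlparse(target_url).netloc:
        return False
    kind, scope = sas_scope(sas_url)
    target = _path_parts(target_url)
    if kind == "account":
        return True                     # any container in the account
    if kind == "container":
        return bool(target) and target[0] == scope
    return target == [scope[0], *scope[1].split("/")]


def audit_partner_sas(sas_url, expected_container, allowed_permissions="cw"):
    """Findings to raise before handing an upload SAS to an external partner:
    the token must be scoped to the expected container and carry no
    permissions beyond create/write."""
    findings = []
    kind, scope = sas_scope(sas_url)
    if kind != "container" or scope != expected_container:
        findings.append(f"scope is {kind!r}, expected container {expected_container!r}")
    perms = set(parse_qs(urlparse(sas_url).query).get("sp", [""])[0])
    extra = perms - set(allowed_permissions)
    if extra:
        findings.append("permissions beyond upload: " + "".join(sorted(extra)))
    return findings


# Constructed URLs; the sig values are placeholders, not real signatures.
ACCOUNT_SAS = ("https://examplestore.blob.core.windows.net/"
               "?sv=2022-11-02&ss=b&srt=co&sp=rwl&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER")
CONTAINER_SAS = ("https://examplestore.blob.core.windows.net/images"
                 "?sv=2022-11-02&sr=c&sp=cw&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER")

if __name__ == "__main__":
    contracts = "https://examplestore.blob.core.windows.net/contracts/nda.pdf"
    print("account SAS reaches contracts:", sas_permits(ACCOUNT_SAS, contracts))
    print("container SAS reaches contracts:", sas_permits(CONTAINER_SAS, contracts))
    print("audit of account SAS:", audit_partner_sas(ACCOUNT_SAS, "images"))
```

The account SAS reaches the `contracts` container because its scope is the whole Blob service; the container SAS cannot, because `images` is part of the signed resource URI. Running the audit in the code path that issues partner tokens catches the account-level token (and the read/list permissions it carries) before it leaves the system.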

840 (MCQ, easy)

You are deploying a web app on Azure App Service that stores secrets in Azure Key Vault. The app uses managed identity to access Key Vault. During testing, you get a 403 Forbidden error when the app tries to read a secret. What is the most likely cause?

A. The managed identity is not assigned to the app.
B. The Key Vault has soft-delete enabled.
C. The Key Vault access policy does not grant the managed identity the 'Get' permission for secrets.
D. The Key Vault firewall is set to allow only selected networks.
Answer: C

Without the 'Get' permission, Key Vault returns 403 Forbidden.

Why this answer

The app's managed identity must be granted a Key Vault access policy (or RBAC role) to read secrets. Without it, Key Vault denies access with a 403 error. Option B is incorrect because enabling soft-delete doesn't affect access.

Option D is incorrect because the firewall rule would block all access, not just for the app. Option A is incorrect because the managed identity is for the app, not the user.

841 (MCQ, medium)

An e-commerce application emits a high volume of telemetry data to Azure Application Insights. You need to reduce the cost of data ingestion while preserving statistical accuracy for performance metrics. Which sampling technique should you use?

A. Adaptive sampling
B. Fixed-rate sampling with a 1% rate
C. Ingestion sampling
D. Head-based sampling
Answer: A

Adaptive sampling dynamically tunes the sampling rate to keep data volume manageable while preserving statistical validity.

Why this answer

Adaptive sampling is the correct choice because it automatically adjusts the sampling rate based on the volume of telemetry data, ensuring that during low-traffic periods all data is retained for statistical accuracy, while during high-traffic periods it reduces the rate to control costs. This technique is specifically designed for high-volume scenarios like e-commerce telemetry, where preserving statistical accuracy for performance metrics (e.g., request durations, failure rates) is critical, and it avoids the manual tuning required by fixed-rate sampling.

Exam trap

The trap here is that candidates often confuse adaptive sampling with fixed-rate sampling, assuming a constant low rate (like 1%) is always cheaper, but they miss that adaptive sampling preserves accuracy by retaining all data during low-volume periods and only reduces during spikes.

How to eliminate wrong answers

Option B is wrong because fixed-rate sampling with a 1% rate applies a constant sampling percentage regardless of traffic volume, which can lead to under-sampling during low-traffic periods (losing statistical accuracy) or over-sampling during high-traffic periods (not reducing costs effectively). Option C is wrong because ingestion sampling occurs at the Application Insights ingestion endpoint after telemetry is sent, meaning you still pay for the data transmitted to the endpoint, and it does not reduce network bandwidth or SDK-side processing costs. Option D is wrong because head-based sampling (e.g., fixed-rate sampling at the SDK level) samples telemetry before any processing, which can break end-to-end transaction correlation if not all components use the same sampling rate, and it does not adapt to changing traffic patterns.
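The cost-versus-accuracy trade-off in this question can be seen with a small simulation. The added example below (an illustration written for this page, not the Application Insights SDK's algorithm) models adaptive sampling as a sampling percentage derived from a smoothed estimate of the incoming telemetry rate against a target of items per second, and contrasts it with a fixed 1% rate on two constructed traffic series: quiet overnight traffic and a burst. Counts only are simulated; the real SDK decides per item using a hash of the operation ID so that all items of one request are kept or dropped together.

```python
def adaptive_sample(items_per_second, target_per_second=5.0, smoothing=0.5):
    """Per-second simulation of adaptive sampling.

    Returns (kept, percentages): items retained in each second and the
    sampling percentage in force.  Below the target rate nothing is dropped;
    above it the percentage falls so that roughly target_per_second survive."""
    estimated_rate = None
    kept, percentages = [], []
    for count in items_per_second:
        # exponentially weighted estimate of the incoming rate
        if estimated_rate is None:
            estimated_rate = count
        else:
            estimated_rate = smoothing * count + (1 - smoothing) * estimated_rate
        if estimated_rate <= target_per_second:
            pct = 100.0
        else:
            pct = 100.0 * target_per_second / estimated_rate
        percentages.append(pct)
        kept.append(round(count * pct / 100))
    return kept, percentages


def fixed_sample(items_per_second, percentage):
    """Fixed-rate sampling: the same percentage whatever the traffic."""
    return [round(count * percentage / 100) for count in items_per_second]


LOW_TRAFFIC = [2, 3, 2, 3, 2]   # constructed: a quiet night, 12 items in total
BURST = [500] * 4               # constructed: a flash sale, 2000 items in total


def compare():
    """Items retained by each strategy on both series."""
    return {
        "adaptive_low": sum(adaptive_sample(LOW_TRAFFIC)[0]),
        "fixed_1pct_low": sum(fixed_sample(LOW_TRAFFIC, 1.0)),
        "adaptive_burst": sum(adaptive_sample(BURST)[0]),
        "fixed_1pct_burst": sum(fixed_sample(BURST, 1.0)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

On the quiet series the fixed 1% rate retains nothing at all, so failure rates and durations for that period cannot be computed, while adaptive sampling keeps every item. On the burst both strategies converge on about 1%, so the ingestion saving is the same; the difference is entirely in what survives when traffic is low.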

842 (MCQ, medium)

You are developing a solution that needs to consume an external SOAP web service. Which approach should you use to integrate it into a modern .NET Core application?

A. Use gRPC client to call the service.
B. Use HttpClient to send raw HTTP requests with SOAP envelope.
C. Use the WCF Client (System.ServiceModel) to generate a proxy and call the SOAP service.
D. Use Azure Logic Apps with a SOAP connector.
Answer: C

WCF Client supports SOAP in .NET Core.

Why this answer

Option C is correct because the WCF Client (System.ServiceModel) can be used to consume SOAP services in .NET Core. Option B is wrong because HttpClient is for REST. Option A is wrong because gRPC is for high-performance RPC, not SOAP.

Option D is wrong because Azure Logic Apps has a SOAP connector but adds unnecessary complexity.

843 (MCQ, hard)

A company uses Azure Event Hubs to ingest telemetry data from IoT devices. The data is processed by a stream analytics job that outputs to Azure Data Lake Storage Gen2. The developer needs to ensure that the stream analytics job can authenticate to Event Hubs without storing connection strings in code. Which authentication method should the developer use?

A. Use a connection string with the Event Hubs namespace
B. Use a client certificate
C. Use a Shared Access Signature (SAS) token
D. Use Managed Identity
Answer: D

Managed Identity provides secure authentication without storing credentials.

Why this answer

Option D is correct because Managed Identity allows Azure resources to authenticate to other Azure services without storing credentials. Option C is incorrect because a Shared Access Signature requires a token stored somewhere. Option A is incorrect because connection strings expose secrets.

Option B is incorrect because a client certificate would need to be stored.

844
MCQeasy

You are deploying a sensitive application on Azure Kubernetes Service (AKS). You need to ensure that secrets, such as database connection strings, are encrypted at rest and in transit, and that the cluster has no static credentials. Which feature should you enable?

A.Enable etcd encryption at rest
B.Enable Azure Disk Encryption on the node pools
C.Assign a managed identity to the AKS cluster
D.Use Azure Key Vault Provider for Secrets Store CSI Driver
AnswerD

This securely mounts secrets from Key Vault without storing them in AKS.

Why this answer

Option D is correct because the Azure Key Vault Provider for the Secrets Store CSI Driver mounts Key Vault secrets into pods as files, so the connection strings live in Key Vault, are fetched over TLS, and are never baked into the cluster's configuration or images; with a managed identity or workload identity for the driver, the cluster holds no static credential. Note that if you enable the optional sync to Kubernetes Secret objects, the values are copied into etcd, so prefer file mounts when the goal is to keep secrets out of the cluster. Option A is wrong because etcd encryption only protects Kubernetes Secret objects in the managed control plane; it does not integrate with Key Vault and the secrets still have to be created in the cluster. Option B is wrong because Azure Disk Encryption on node pools encrypts the nodes' OS and data disks; it says nothing about how secrets reach the application or whether credentials are static.

Option C is wrong because a managed identity on the cluster is an authentication principal, not a secret store; it is part of the solution (the CSI driver uses it to reach Key Vault) but on its own it does not deliver secrets to pods.

845
MCQeasy

You need to execute a PowerShell script every night to clean up unused resources in your Azure subscription. The script should run with a specific service principal identity that has the necessary permissions. You want a serverless solution with minimal management overhead. Which Azure service should you use?

A.Azure Functions with a timer trigger running PowerShell.
B.Azure Automation with a scheduled runbook.
C.Azure Logic Apps with a recurrence trigger running a PowerShell action.
D.Set up a scheduled task on an Azure VM to run the script.
AnswerB

Azure Automation lets you create a PowerShell runbook, link it to a schedule, and run it under a managed identity, which is a Microsoft Entra service principal (use a user-assigned identity if the script must run as one specific principal). The older Run As accounts were retired in 2023. This provides a low-management, serverless solution.

Why this answer

Azure Automation with a scheduled runbook is the correct choice because it is designed specifically for running PowerShell scripts on a recurring schedule under a service principal identity, with built-in Azure authentication through a system- or user-assigned managed identity (Run As accounts, the earlier mechanism, were retired in 2023). Azure Automation handles scheduling, execution, module management and identity without any infrastructure to maintain. Grant the identity only the roles the cleanup needs on the target scopes; a runbook that deletes resources with Owner on the whole subscription is a high-value target.

Exam trap

The trap here is that candidates often choose Azure Functions (Option A) because it is a popular serverless compute option, but they overlook that Azure Automation is the dedicated service for scheduled PowerShell administration in Azure, with built-in identity management and longer execution time limits.

How to eliminate wrong answers

Option A is wrong because Azure Functions with a timer trigger can run PowerShell, but it is not optimized for long-running administrative scripts (Consumption plan default timeout of 5 minutes, configurable up to 10) and requires more manual setup for service principal authentication and module management compared to Azure Automation. Option C is wrong because Azure Logic Apps with a recurrence trigger can orchestrate workflows but does not natively run PowerShell scripts; it would require an Azure Function or Hybrid Worker to execute PowerShell, adding complexity and defeating the 'minimal management overhead' requirement. Option D is wrong because setting up a scheduled task on an Azure VM is not serverless—it requires provisioning, patching, and managing a VM, which contradicts the 'serverless solution with minimal management overhead' requirement.

846
MCQmedium

You are deploying a Node.js application to Azure Web Apps for Containers. The application needs to read configuration settings from Azure App Configuration. What is the recommended method to securely connect the app to the configuration store?

A.Store connection string in environment variables.
B.Use Key Vault references in App Settings.
C.Use managed identity.
D.Hardcode the connection string.
AnswerC

Correct. Managed identity provides secure authentication without secrets.

Why this answer

Option C is correct because a managed identity lets the Node.js application running in Azure Web Apps for Containers authenticate to Azure App Configuration with a Microsoft Entra token obtained from the platform, so no secret is stored anywhere. You enable the identity on the web app, grant it the App Configuration Data Reader role on the store, and have the app use DefaultAzureCredential (from @azure/identity) with the store's endpoint URL instead of a connection string. This is the recommended approach for production workloads.

Exam trap

The trap here is that candidates often confuse Key Vault references (which are for retrieving secrets from Key Vault) with the method to connect to App Configuration, leading them to choose Option B, but managed identity is the recommended and most secure way to authenticate to App Configuration directly.

How to eliminate wrong answers

Option A is wrong because storing the connection string in environment variables still exposes a secret (the connection string) in the app settings, which can be leaked or misconfigured, and it does not leverage Azure AD authentication. Option B is wrong because Key Vault references in App Settings are used to reference secrets stored in Azure Key Vault, not to directly connect to Azure App Configuration; they solve a different problem (retrieving secrets) and still require a connection string or managed identity for the App Configuration client. Option D is wrong because hardcoding the connection string is a severe security anti-pattern that exposes credentials in source code, violates security best practices, and is never recommended.

847
Multi-Selectmedium

Which TWO of the following are valid use cases for Azure Queue Storage? (Choose TWO.)

Select 2 answers
A.Building a reliable messaging layer between microservices.
B.Broadcasting messages to multiple subscribers.
C.Storing large JSON documents for later retrieval.
D.Streaming high-volume telemetry data for real-time analytics.
E.Decoupling components of a distributed application for asynchronous processing.
AnswersA, E

Queue storage provides reliable message delivery.

Why this answer

Option A is correct because Azure Queue Storage is a durable, persistent point-to-point queue with at-least-once delivery, visibility timeouts and a DequeueCount per message, which is what a reliable messaging layer between microservices needs. Option E is correct for the same reason: a producer enqueues work and moves on, a consumer drains the queue at its own pace, and the two never have to be up at the same time. Option B is wrong because a Storage queue has no fan-out; each message is consumed by one receiver, and broadcasting needs Service Bus topics and subscriptions or Event Grid. Option C is wrong because a queue message is limited to 64 KB and is deleted once processed; large documents belong in Blob Storage, with the queue carrying only a reference to the blob. Option D is wrong because high-volume streaming with partitions, replay and consumer groups is the job of Event Hubs, not a Storage queue.

Exam trap

The trap here is that candidates confuse Azure Queue Storage with pub/sub messaging patterns (like Service Bus Topics) or assume it can handle large payloads or real-time streaming, when it is strictly a point-to-point, durable queue with size and throughput limitations.

848
MCQhard

You are developing a microservices application deployed on Azure Kubernetes Service (AKS). You need to ensure that service-to-service communication is encrypted using mutual TLS (mTLS) without modifying application code. What should you do?

A.Deploy Azure Service Mesh and enable mTLS.
B.Use Azure Application Gateway Ingress Controller with mTLS.
C.Enable Azure Kubernetes Service (AKS) pod-to-pod encryption.
D.Configure Azure Network Security Groups to enforce encryption.
AnswerA

Service Mesh provides transparent mTLS.

Why this answer

The AKS service mesh add-on (Istio-based; the earlier Open Service Mesh add-on has been retired) provides a transparent infrastructure layer that injects an Envoy sidecar proxy into each pod and terminates service-to-service connections with mutual TLS using workload certificates it issues and rotates itself, so the application code is untouched. One caveat a practitioner should know: Istio's default mode is PERMISSIVE, which still accepts plaintext, so enforcing encryption means applying a PeerAuthentication policy with mode STRICT at the mesh or namespace level.

Exam trap

The trap here is that candidates may confuse ingress-level mTLS (option B) with internal service-to-service mTLS, or assume that AKS has a built-in pod encryption feature (option C) when it does not.

How to eliminate wrong answers

Option B is wrong because Azure Application Gateway Ingress Controller handles ingress traffic from outside the cluster, not internal service-to-service communication, and its mTLS feature applies to client-to-ingress, not pod-to-pod. Option C is wrong because AKS does not have a native 'pod-to-pod encryption' feature; encryption between pods must be implemented via a service mesh or other overlay network. Option D is wrong because Network Security Groups (NSGs) filter traffic based on IP/port rules and cannot enforce encryption or mTLS at the application layer.

849
MCQeasy

You need to deploy a containerized application to Azure Container Instances (ACI) with a public IP address and DNS name label. The container must restart automatically if it exits unexpectedly. Which configuration should you use?

A.Deploy the container into an Azure Virtual Network.
B.Set restart policy to Never and configure a public IP.
C.Set restart policy to OnFailure and use a private IP address.
D.Set restart policy to Always and assign a DNS name label.
AnswerD

Always restarts on any exit, and DNS name label provides public access.

Why this answer

Option D is correct because setting the restart policy to Always ensures the container automatically restarts if it exits unexpectedly, which is the required behavior. Assigning a DNS name label to the container group makes it accessible via a public IP address and a fully qualified domain name (FQDN) in the format <dns-name-label>.<region>.azurecontainer.io, meeting the requirement for a public IP address and DNS name label.

Exam trap

The trap here is that candidates may confuse the restart policy options, thinking OnFailure covers all unexpected exits, or assume that a virtual network is required for a public IP, when in fact a container group gets a public IP as soon as its IP address type is set to Public (which a DNS name label requires), and deploying into a virtual network gives it a private IP instead.

How to eliminate wrong answers

Option A is wrong because deploying the container into an Azure Virtual Network does not affect the restart policy or the assignment of a public IP address and DNS name label; it only provides network isolation. Option B is wrong because setting the restart policy to Never means the container will not restart automatically if it exits unexpectedly, which directly contradicts the requirement. Option C is wrong because setting the restart policy to OnFailure only restarts the container if it exits with a non-zero exit code, not for all unexpected exits, and using a private IP address does not provide public accessibility or a DNS name label.

850
Multi-Selectmedium

Which TWO of the following are valid ways to authenticate an Azure function to an Azure SQL database using managed identity?

Select 2 answers
A.Create a service principal and assign it to the function app.
B.Use the function app's default connection string with a username and password.
C.Create a user-assigned managed identity, assign it to the function app, and use its client ID in the connection string.
D.Upload a client certificate to the function app and use it to authenticate.
E.Enable system-assigned managed identity on the function app and set the SQL connection string with 'Authentication=Active Directory Managed Identity'.
AnswersC, E

User-assigned managed identity is also supported.

Why this answer

Options C and E are correct. With a system-assigned identity the connection string carries Authentication=Active Directory Managed Identity and no User Id; with a user-assigned identity the same keyword is used and the identity's client ID is supplied as User Id. In both cases the server must have a Microsoft Entra admin configured and the database must contain a contained user created from the identity (CREATE USER [app-name] FROM EXTERNAL PROVIDER) with only the role membership the function needs. Option A is wrong because a service principal with a client secret or certificate is a credential you manage and rotate, not a managed identity. Option B is wrong because a username and password is SQL authentication, not managed identity.

Option D is wrong because certificate authentication is still a stored credential and is not managed identity.

851
MCQeasy

You are deploying an application to Azure App Service that requires a custom startup script to initialize the environment. Where should you place the startup script in the application code?

A.In the 'web.config' file
B.In a 'docker-compose.yml' file
C.In the root of the application code as 'startup.sh'
D.As a startup command in the App Service configuration
AnswerD

You can set the startup command (e.g., 'dotnet myapp.dll' or a script path) in the Azure portal or CLI.

Why this answer

Option D is correct because Azure App Service allows you to specify a custom startup command or script in the App Service configuration (under 'General settings' or via the Azure CLI with `--startup-file`). This startup command runs before the application starts, enabling you to initialize the environment, run pre-deployment tasks, or set up dependencies. Placing the startup script in the configuration ensures it is executed by the App Service platform, which handles the runtime environment (Windows or Linux) and integrates with the application lifecycle.

Exam trap

The trap here is that candidates assume placing a script file in the application root is sufficient for execution, but Azure App Service requires explicit configuration to designate a startup file or command, as the platform does not automatically scan for or execute arbitrary scripts.

How to eliminate wrong answers

Option A is wrong because the 'web.config' file is used for configuring IIS settings and ASP.NET modules, not for executing custom startup scripts; it cannot run shell commands or scripts. Option B is wrong because 'docker-compose.yml' describes a multi-container deployment; it is not the mechanism App Service uses for a startup command, and the question concerns initialising the environment of one application, not composing several containers. Option C is wrong because placing 'startup.sh' in the root of the application code does not automatically cause Azure App Service to execute it; the platform requires explicit configuration to run a startup script, and simply having the file present does not trigger execution.

852
MCQhard

You are designing a solution that uses Azure File Shares. The application requires low-latency access to files from multiple Azure virtual machines in the same region. The files are accessed frequently and must support SMB protocol. Which storage account type and tier should you recommend?

A.Standard general-purpose v2 with cool tier.
B.Standard general-purpose v2 with transaction-optimized tier.
C.BlobStorage with hot tier.
D.FileStorage (premium file shares).
AnswerD

FileStorage provides premium file shares with low latency and high performance.

Why this answer

Option D is correct because Azure premium file shares (FileStorage) provide low-latency, high-performance access using the SMB protocol, which is required for frequently accessed files from multiple VMs in the same region. Standard tiers (cool or transaction-optimized) do not meet the low-latency requirement, and BlobStorage does not support SMB protocol natively.

Exam trap

The trap here is that candidates often read 'transaction-optimized' as a performance tier, when it only lowers the per-transaction price on HDD-backed standard storage and does nothing for latency; another common mistake is to assume Blob Storage can serve SMB clients, when blobs are reachable over REST or (on accounts with a hierarchical namespace) NFS 3.0, but never over SMB.

How to eliminate wrong answers

Option A is wrong because Standard general-purpose v2 with the cool tier is for infrequently accessed files: it has the lowest storage price but the highest transaction price and higher latency, the opposite of what frequent access from several VMs needs. Option B is wrong because the transaction-optimized tier only lowers the per-transaction price of an HDD-backed standard share; it does not deliver the low, consistent latency and high IOPS of SSD-backed premium shares. Option C is wrong because a BlobStorage account does not support the SMB protocol at all; blobs are accessed over REST or the SDKs, so it cannot host a file share for the VMs.

853
MCQeasy

You need to call a third-party REST API from your Azure Function app. The API requires an API key in the header. Where should you store the API key to keep it secure?

A.Environment variable in the hosting plan
B.Azure Key Vault
C.Connection string in the Function app
D.App settings in the Function app configuration
AnswerB

Key Vault provides secure storage, access policies, and audit logging.

Why this answer

Azure Key Vault is the recommended place for secrets such as API keys: access is controlled with RBAC or access policies, every read is logged, and values can be versioned and rotated without redeploying code. The function app should read the key through a managed identity, either with the Key Vault SDK or by putting a Key Vault reference such as @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/) in an app setting so the runtime resolves it at startup. Option D is wrong because app settings, although encrypted at rest, are readable in plaintext by anyone who can list the app's configuration (any Contributor, for example) and offer no versioning or access audit. Option C is wrong because the connection strings section is the same kind of setting, merely earmarked for database connections; it gives no extra protection.

Option A is wrong because a hosting plan has no environment variables of its own; the environment variables a function sees come from the app's settings and inherit the same exposure.

854
MCQeasy

You are processing messages from an Azure Storage queue in a worker role. To handle messages that repeatedly fail, you want to move them to a separate 'poison' queue after 5 delivery attempts. Which property of the received message should you check to determine the number of attempts?

A.MessageId
B.DequeueCount
C.ExpirationTime
D.PopReceipt
AnswerB

The DequeueCount property shows how many times the message has been dequeued, which is ideal for detecting poison messages.

Why this answer

The DequeueCount property tracks how many times a message has been dequeued from the queue. Each time a worker role retrieves the message but fails to process it (and does not delete it), the message becomes visible again after the visibility timeout expires, and the next retrieval increments DequeueCount. By checking this property, you can implement a retry policy that copies the message to a poison queue after a threshold (e.g., 5 attempts) and then deletes it from the main queue, in that order, so the message is never lost. Note that DequeueCount is incremented by the receive that delivers the message, so a message received with DequeueCount of 5 is on its fifth attempt; the Azure Functions queue trigger does this for you with maxDequeueCount (default 5) and a <queue-name>-poison queue.

Exam trap

The trap here is that candidates confuse PopReceipt (which changes with each dequeue and is used for deletion) with DequeueCount, assuming a new PopReceipt indicates a new attempt, but PopReceipt does not provide a cumulative count of attempts.

How to eliminate wrong answers

Option A is wrong because MessageId is a unique identifier for the message within the queue and does not change with retries; it cannot indicate delivery attempts. Option C is wrong because ExpirationTime defines when the message will be automatically deleted from the queue, not how many times it has been dequeued. Option D is wrong because PopReceipt is a receipt required to delete or update the message after a successful dequeue; it changes with each dequeue operation but does not track the count of attempts.
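A worker that applies this threshold, as an added example that is not part of the question bank: FakeQueue is a constructed in-memory stand-in for an Azure Storage queue (the real client is azure-storage-queue, whose QueueMessage carries the same dequeue_count and pop_receipt fields), the order bodies are made up, and the routing in handle_message is the part to copy. It also shows the trap from the explanation: a PopReceipt from an earlier delivery is rejected.

```python
"""Routing repeatedly failing Storage-queue messages to a poison queue by DequeueCount.

Added example, not code from the question bank. FakeQueue is a constructed stand-in
that reproduces the semantics the explanation relies on: a receive hides the message
for the visibility timeout, increments DequeueCount and issues a new PopReceipt, and a
delete is only accepted with the current PopReceipt.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass
from typing import Callable

MAX_DEQUEUE_COUNT = 5  # a message delivered this many times without success is poison


@dataclass
class QueueMessage:
    id: str
    content: str
    dequeue_count: int = 0
    pop_receipt: str | None = None
    visible_at: int = 0  # simulated clock tick at which the message becomes visible again


class FakeQueue:
    """Constructed stand-in for an Azure Storage queue; the clock is a counter, not wall time."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.clock = 0
        self.messages: list[QueueMessage] = []
        self._receipts = itertools.count(1)

    def send(self, content: str) -> QueueMessage:
        msg = QueueMessage(id=f"{self.name}-{len(self.messages) + 1}", content=content)
        self.messages.append(msg)
        return msg

    def receive(self, visibility_timeout: int = 30) -> QueueMessage | None:
        """Return the first visible message. As in Azure, every dequeue bumps
        DequeueCount and replaces the PopReceipt, so an older receipt goes stale."""
        for msg in self.messages:
            if msg.visible_at <= self.clock:
                msg.dequeue_count += 1
                msg.pop_receipt = f"receipt-{next(self._receipts)}"
                msg.visible_at = self.clock + visibility_timeout
                return msg
        return None

    def delete(self, msg: QueueMessage, pop_receipt: str) -> None:
        if msg.pop_receipt != pop_receipt:
            # Azure answers a stale receipt with 404 MessageNotFound; modelled as an exception.
            raise PermissionError(f"stale PopReceipt for {msg.id}")
        self.messages.remove(msg)

    def advance(self, ticks: int) -> None:
        self.clock += ticks


def handle_message(queue: FakeQueue, poison: FakeQueue, msg: QueueMessage,
                   process: Callable[[str], None]) -> str:
    """Process one received message; returns 'done', 'retry' or 'poison'."""
    receipt = msg.pop_receipt  # the receipt issued for this delivery
    # A message that already exhausted its attempts (for example because the worker
    # crashed before it could route it last time) is quarantined without running again.
    if msg.dequeue_count > MAX_DEQUEUE_COUNT:
        poison.send(msg.content)
        queue.delete(msg, receipt)
        return "poison"
    try:
        process(msg.content)
    except Exception:  # handler failed: decide between retry and poison
        if msg.dequeue_count >= MAX_DEQUEUE_COUNT:
            poison.send(msg.content)  # copy first, then delete: never lose the message
            queue.delete(msg, receipt)
            return "poison"
        return "retry"  # leave it; it reappears when the visibility timeout expires
    queue.delete(msg, receipt)
    return "done"


def drain(queue: FakeQueue, poison: FakeQueue, process: Callable[[str], None],
          visibility_timeout: int = 30, max_rounds: int = 100) -> dict[str, int]:
    """Worker loop over the constructed queue until it is empty."""
    outcomes = {"done": 0, "retry": 0, "poison": 0}
    for _ in range(max_rounds):
        msg = queue.receive(visibility_timeout)
        if msg is None:
            if not queue.messages:
                break
            queue.advance(visibility_timeout)  # everything left is invisible; wait it out
            continue
        outcomes[handle_message(queue, poison, msg, process)] += 1
    return outcomes


def demo() -> tuple[dict[str, int], list[str]]:
    """Constructed run: two well-formed orders and one message that never parses."""
    orders, poison = FakeQueue("orders"), FakeQueue("orders-poison")
    for body in ("order:1001", "order:1002", "not-an-order"):
        orders.send(body)

    def process(body: str) -> None:
        if not body.startswith("order:"):
            raise ValueError(f"malformed message {body!r}")

    return drain(orders, poison, process), [m.content for m in poison.messages]
```

Copy-then-delete is deliberate: if the worker dies between the two calls the message is duplicated in the poison queue rather than lost, which is the cheaper failure.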

855
MCQhard

You need to reduce costs for an Azure Functions app that runs intermittently. The current Consumption plan bills for execution time. Which change would be MOST cost-effective?

A.Switch to Premium plan with pre-warmed instances
B.Migrate to Flex Consumption plan with higher memory
C.Use an App Service plan with Always On
D.Deploy to Azure Container Instances
AnswerB

Flex Consumption allows memory optimization to reduce execution time and cost.

Why this answer

Option B is correct because the Flex Consumption plan still bills per execution and scales to zero, but lets you pick the instance memory size; for CPU- or memory-bound functions a larger size finishes sooner, so the total GB-seconds billed can fall even though the per-second rate is higher. Option A is wrong because the Premium plan keeps at least one pre-warmed instance running, so you pay for compute around the clock however rarely the functions run. Option C is wrong because an App Service plan with Always On is a fixed monthly charge for dedicated instances, the opposite of what an intermittent workload needs.

Option D is wrong because Azure Container Instances is not a Functions hosting option, and a container group kept running to receive triggers is billed per second for its whole lifetime.

856
MCQhard

You have an Azure Storage account with cool tier blobs. You need to implement lifecycle management to move blobs to the archive tier after 30 days if they have not been accessed, and delete them after 365 days. Which lifecycle management rule action should you configure?

A.Use a rule with condition 'daysAfterLastAccessTimeGreaterThan' to tier and delete, and enable blob access tracking.
B.Use a rule with condition 'daysAfterLastAccessTimeGreaterThan' to tier and delete.
C.Use a rule with condition 'daysAfterSnapshotCreationGreaterThan' to tier and delete.
D.Use a rule with condition 'daysAfterModificationGreaterThan' to tier after 30 days and delete after 365 days.
AnswerD

The default condition uses last modification time, which is suitable for this scenario.

Why this answer

Option D is correct because lifecycle management rules in Azure Storage use the 'daysAfterModificationGreaterThan' condition to trigger actions based on the last modification time of a blob. This allows you to tier blobs to archive after 30 days and delete them after 365 days, which aligns with the requirement to manage blobs based on age when access tracking is not enabled.

Exam trap

The trap here is that candidates often confuse 'daysAfterModificationGreaterThan' with 'daysAfterLastAccessTimeGreaterThan', assuming the latter is the default for access-based rules, but it requires explicit enabling of blob access tracking.

How to eliminate wrong answers

Option A is wrong because it depends on last access time tracking, a storage-account feature that must be explicitly enabled before a 'daysAfterLastAccessTimeGreaterThan' condition can be evaluated, and the question does not say it is enabled. Option B is wrong for the same reason: without access tracking the condition cannot be evaluated at all. Option C is wrong because 'daysAfterSnapshotCreationGreaterThan' applies only to blob snapshots, not to base blobs, and the requirement is about base blobs, not snapshots.
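The rule from Option D as an added example, not code from the question bank: POLICY is written in the Azure lifecycle management JSON schema, while the blobs, the fixed clock and the plan_action evaluator are constructed here to show which action the rule would take and how overlapping actions resolve (the cheaper outcome, delete, wins over tiering). The media/ prefix and the blob names are assumptions.

```python
"""Evaluating a Blob Storage lifecycle policy against constructed sample blobs.

Added example, not from the question bank. POLICY uses the Azure lifecycle
management schema; the evaluator and the blobs are constructed to illustrate it.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

POLICY = {"rules": [{
    "enabled": True,
    "name": "cool-media-archive-then-delete",
    "type": "Lifecycle",
    "definition": {
        "actions": {"baseBlob": {
            "tierToArchive": {"daysAfterModificationGreaterThan": 30},
            "delete": {"daysAfterModificationGreaterThan": 365},
        }},
        "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["media/"]},  # assumed prefix
    },
}]}

# When several actions' conditions hold, Azure applies the cheapest one.
ACTION_PRECEDENCE = ("delete", "tierToArchive", "tierToCold", "tierToCool")
TIER_RANK = {"Hot": 0, "Cool": 1, "Cold": 2, "Archive": 3}


@dataclass(frozen=True)
class Blob:
    name: str  # "container/path", which is what prefixMatch is compared against
    blob_type: str
    tier: str
    last_modified: datetime
    last_accessed: datetime | None = None


def _condition_met(cond: dict, blob: Blob, now: datetime, access_tracking: bool) -> bool:
    if "daysAfterModificationGreaterThan" in cond:
        return (now - blob.last_modified).days > cond["daysAfterModificationGreaterThan"]
    if "daysAfterLastAccessTimeGreaterThan" in cond:
        if not access_tracking:
            # This condition only works with last access time tracking enabled on
            # the account; fail loudly rather than silently never firing.
            raise ValueError("daysAfterLastAccessTimeGreaterThan needs access tracking")
        stamp = blob.last_accessed or blob.last_modified
        return (now - stamp).days > cond["daysAfterLastAccessTimeGreaterThan"]
    raise ValueError(f"unsupported condition {sorted(cond)}")


def _matches_filters(filters: dict, blob: Blob) -> bool:
    if blob.blob_type not in filters.get("blobTypes", []):
        return False
    prefixes = filters.get("prefixMatch", [])
    return not prefixes or any(blob.name.startswith(p) for p in prefixes)


def plan_action(policy: dict, blob: Blob, now: datetime, access_tracking: bool = False) -> str | None:
    """Return the action the policy would take on this blob today, or None."""
    for rule in policy["rules"]:
        if not rule.get("enabled", True) or not _matches_filters(rule["definition"]["filters"], blob):
            continue
        actions = rule["definition"]["actions"].get("baseBlob", {})
        for action in ACTION_PRECEDENCE:
            if action not in actions or not _condition_met(actions[action], blob, now, access_tracking):
                continue
            if action.startswith("tierTo") and TIER_RANK[blob.tier] >= TIER_RANK[action[6:]]:
                continue  # already in that tier or a colder one: tiering is a no-op
            return action
    return None


def demo() -> dict[str, str | None]:
    """Constructed blobs of varying age on a fixed clock; returns {name: planned action}."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)

    def days(n: int) -> datetime:
        return now - timedelta(days=n)

    blobs = [
        Blob("media/new.mp4", "blockBlob", "Cool", days(10)),
        Blob("media/old.mp4", "blockBlob", "Cool", days(45)),
        Blob("media/archived.mp4", "blockBlob", "Archive", days(45)),
        Blob("media/ancient.mp4", "blockBlob", "Archive", days(400)),
        Blob("logs/app.log", "appendBlob", "Cool", days(400)),  # wrong type and prefix
    ]
    return {b.name: plan_action(POLICY, b, now) for b in blobs}


def requires_access_tracking() -> bool:
    """A last-access rule is rejected without tracking and fires with it (returns True)."""
    rule = {"rules": [{"enabled": True, "name": "x", "type": "Lifecycle", "definition": {
        "actions": {"baseBlob": {"tierToArchive": {"daysAfterLastAccessTimeGreaterThan": 30}}},
        "filters": {"blobTypes": ["blockBlob"]}}}]}
    blob = Blob("media/x.mp4", "blockBlob", "Cool", datetime(2024, 1, 1, tzinfo=timezone.utc))
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    try:
        plan_action(rule, blob, now, access_tracking=False)
    except ValueError:
        return plan_action(rule, blob, now, access_tracking=True) == "tierToArchive"
    return False
```

The policy dict can be submitted unchanged with `az storage account management-policy create --policy @policy.json`; the evaluator exists only to make the rule's behaviour visible before it touches real data.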

857
MCQmedium

You deploy the above ARM template resource for a web app. The web app reads the connection string from the 'DefaultConnection' name. However, the web app fails to connect to the database with an error 'Login failed for user 'myuser'. What is the most likely cause?

A.The user ID does not have access to the database.
B.The connection string type should be 'SQLServer' instead of 'SQLAzure'.
C.The SQL server is configured to use Microsoft Entra authentication only, not SQL authentication.
D.The connection string is missing 'Trusted_Connection=True;'.
AnswerC

If the server only allows Microsoft Entra authentication, SQL authentication will fail.

Why this answer

Option C is correct. 'Login failed for user' is an authentication failure at the server: the SQL login itself was rejected. The template's connection string uses a SQL user and a plaintext password, and the most likely cause consistent with current practice is that the server has 'Microsoft Entra authentication only' enabled, which disables SQL authentication outright. A wrong password produces the same message, so check both; the recommended fix is to switch the web app to a managed identity and drop the password from the template entirely.

Option A is wrong because a login that succeeds but lacks permissions fails later, on the database or object, with a permission-denied error rather than a rejected login. Option B is wrong because SQLAzure is the correct connection string type for Azure SQL Database.

Option D is wrong because Trusted_Connection=True requests Windows integrated authentication, which Azure SQL does not support; adding it would not fix, and would likely break, the connection.

858
MCQmedium

You are developing an application that runs on Azure App Service. The application needs to store session state. The session state must be shared across multiple instances of the app and survive restarts. You need to choose a session state provider. What should you use?

A.Use Azure Table Storage for session state.
B.Use a SQL Database to store session data.
C.Use the in-memory session state provider.
D.Use Azure Redis Cache as a session state provider.
AnswerD

Redis provides fast, distributed, and persistent session storage.

Why this answer

Azure Cache for Redis provides a distributed, in-memory data store that every instance of an App Service application can share, and because the session data lives outside the application's process it survives app restarts and scale-out. It is the recommended session state provider for App Service when availability and scalability matter; connect over TLS (port 6380), keep the access key in Key Vault or use Microsoft Entra authentication with a managed identity, and set a session expiry so abandoned sessions are evicted.

Exam trap

The trap here is that candidates often choose the in-memory provider (Option C) because it is the simplest default in ASP.NET, forgetting that it fails the cross-instance sharing and restart survival requirements explicitly stated in the question.

How to eliminate wrong answers

Option A is wrong because Azure Table Storage is a NoSQL key-value store designed for structured, non-relational data and does not provide the low-latency, in-memory access required for session state; it also lacks built-in expiration and eviction policies for session data. Option B is wrong because SQL Database, while persistent and shareable, introduces higher latency and overhead for session state operations compared to an in-memory cache, and is not optimized for the high-throughput, short-lived nature of session data. Option C is wrong because the in-memory session state provider stores session data within the memory of a single application instance, so it is not shared across multiple instances and is lost when the app restarts or scales out.

859
Matchingmedium

Match each Azure Storage access tier to its description.

Concepts: Hot, Cool, Cold, Archive

Matches

Hot: Optimized for frequent access, higher storage cost

Cool: Optimized for infrequent access, lower storage cost

Cold: Optimized for rarely accessed data, even lower cost

Archive: Lowest cost, offline storage for backup/compliance

Why these pairings

Azure Blob Storage offers these four access tiers to trade storage cost against access cost and latency. Hot, cool and cold are online tiers with millisecond reads; archive is offline, and an archived blob must be rehydrated to an online tier before it can be read. Cool, cold and archive carry minimum retention periods of 30, 90 and 180 days respectively, with early-deletion charges if a blob is deleted or moved sooner.

860
MCQeasy

Refer to the exhibit. You run the Azure CLI command to store a secret in Key Vault. Later, you run 'az keyvault secret show --vault-name myvault --name MySecret'. What will be displayed?

A.The secret's metadata only, without the value.
B.The secret's metadata with the value masked as '*****'.
C.The secret's metadata and the value 'P@ssw0rd123'.
D.An error because you cannot retrieve a secret after it is set.
AnswerC

The show command returns the secret value in plaintext.

Why this answer

The 'az keyvault secret show' command returns the secret's metadata (id, attributes, content type) together with its value in plaintext, provided the caller holds the secrets/get permission (for example the Key Vault Secrets User role). Option C is correct.

Option B is wrong because the CLI never masks secret values; if a script needs only the value, use --query value -o tsv, and remember that whatever is printed can end up in terminal scrollback, shell history or CI logs. Option A is wrong because metadata-only output is what 'az keyvault secret list' returns; 'show' includes the value. Option D is wrong because retrieving a secret after setting it is the normal workflow, and every such read is recorded in the vault's diagnostic (audit) logs.

861
MCQhard

You are deploying a Java application to Azure App Service on Linux. The application requires a specific JDK version not available in the built-in stack. You need to provide the JDK without creating a custom container. What should you do?

A.Mount an Azure Files share containing the JDK
B.Use the Azure App Service Windows stack with a custom JDK
C.Use a startup script to download and set JAVA_HOME
D.Create a custom Docker container and deploy to App Service
AnswerC

Startup command can install the JDK and set env.

Why this answer

Option C is correct because Azure App Service on Linux runs a configurable startup command before the application starts, so a script can download the required JDK into the app's persistent storage under /home, set JAVA_HOME, prepend its bin directory to PATH, and then launch the application. This avoids a custom container while giving the application the exact JDK version it needs. Pin the JDK version and verify the download against its published checksum in the script: a startup script that fetches and executes whatever a URL serves is a supply-chain risk.

Exam trap

The trap here is that candidates may think mounting a file share (Option A) is the simplest way to provide custom binaries, but the platform only runs what the startup command tells it to: a mounted JDK still needs JAVA_HOME and PATH set before the app starts, and the startup script is the documented way to customise the runtime without a container.

How to eliminate wrong answers

Option A is wrong because a mounted Azure Files share only makes the JDK files visible; nothing uses them until a startup command sets JAVA_HOME and PATH, so the startup script is needed anyway, and mounted storage is not the documented route for a custom runtime. Option B is wrong because the question specifies deploying to Azure App Service on Linux, and using the Windows stack would change the underlying OS, which is not allowed per the requirement. Option D is wrong because creating a custom Docker container is unnecessary and contradicts the requirement to avoid a custom container; the startup script approach achieves the same result without containerization overhead.

862
Multi-Selectmedium

You are developing an Azure Functions app that processes orders. Each order must be processed exactly once. The function is triggered by an Azure Event Hubs event. You need to ensure that if the function fails during processing, the event is not lost and is retried. Which THREE actions should you take?

Select 3 answers
A.Increase the batch size to process more events per invocation.
B.Configure a dead-letter queue for events that exceed retry attempts.
C.Disable checkpointing to avoid overhead.
D.Implement checkpointing after successful processing.
E.Use the default checkpoint store in Azure Storage.
AnswersB, D, E

Captures events that repeatedly fail.

Why this answer

Options B, D, and E are correct. D: checkpointing only after a batch has been processed successfully means that on a restart the processor resumes from the last committed offset, so a failure never skips events. This gives at-least-once delivery, not exactly-once: a crash between processing and checkpointing replays the batch, so the handler must be idempotent (for example, keyed on the order ID) for each order to be applied once. B: Event Hubs has no built-in dead-letter queue, so the function itself must capture an event that keeps failing (into a Storage or Service Bus queue, for instance) after a bounded number of retries; otherwise one bad event blocks its partition forever, because the checkpoint cannot move past it.

E: using the default checkpoint store (the AzureWebJobsStorage account) keeps checkpoints durable and shared across instances. Option A is wrong because a larger batch changes throughput, not loss or retry behaviour, and widens the replay window after a failure. Option C is wrong because the Event Hubs trigger already checkpoints for you; disabling it would make every restart reprocess the partition from the start of the retention window.
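The three actions as an added example, not code from the question bank. The partition, the checkpoint store and the dead-letter list are constructed in memory (with azure-eventhub the equivalent checkpoint call is PartitionContext.update_checkpoint after the batch succeeds), and the order events and the crash point are made up. It shows what the explanation says in prose: checkpointing after success makes a crash replay the batch, so the handler needs an idempotency guard, and an event that never succeeds has to be dead-lettered or the checkpoint can never advance.

```python
"""Checkpoint-after-success, batch retry and dead-lettering for one Event Hubs partition.

Added example, not from the question bank. Everything here is an in-memory
stand-in: the partition is a list, the checkpoint store a dict, the dead-letter
queue a list (in practice a Storage or Service Bus queue).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    sequence_number: int  # per-partition, gap-free and increasing, as Event Hubs assigns them
    body: dict


class RetryBatch(Exception):
    """Abort the batch without checkpointing; it is re-read from the last checkpoint."""


class CheckpointStore:
    """Stand-in for the blob-backed store: one committed sequence number per partition."""

    def __init__(self) -> None:
        self._committed: dict[str, int] = {}

    def get(self, partition: str) -> int:
        return self._committed.get(partition, -1)  # -1: never checkpointed, start at the beginning

    def update(self, partition: str, sequence_number: int) -> None:
        self._committed[partition] = sequence_number


def read_batch(partition_events: list[Event], after: int, batch_size: int) -> list[Event]:
    return [e for e in partition_events if e.sequence_number > after][:batch_size]


@dataclass
class OrderProcessor:
    max_attempts: int = 3
    dead_letter: list[Event] = field(default_factory=list)
    orders: dict[str, int] = field(default_factory=dict)
    done: set[str] = field(default_factory=set)  # idempotency guard keyed by order id
    attempts: dict[str, int] = field(default_factory=dict)

    def handle(self, event: Event) -> str:
        order_id = event.body["order_id"]
        if order_id in self.done:
            return "duplicate"  # replayed after a crash: already applied, skip it
        qty = event.body.get("qty", 0)
        if qty <= 0:  # constructed "bad event" condition
            self.attempts[order_id] = self.attempts.get(order_id, 0) + 1
            if self.attempts[order_id] >= self.max_attempts:
                self.dead_letter.append(event)  # quarantine so the partition can move on
                return "dead_letter"
            raise RetryBatch(order_id)
        self.orders[order_id] = qty
        self.done.add(order_id)
        return "ok"


def run(partition: str, events: list[Event], store: CheckpointStore, proc: OrderProcessor,
        batch_size: int = 2, crash_before_checkpoint_at: int | None = None) -> dict[str, int]:
    """Drain the partition from the last checkpoint; checkpoint only after a whole batch succeeds."""
    stats = {"ok": 0, "duplicate": 0, "dead_letter": 0, "batch_retries": 0}
    crashed = False
    while True:
        batch = read_batch(events, store.get(partition), batch_size)
        if not batch:
            return stats
        try:
            for event in batch:
                stats[proc.handle(event)] += 1
        except RetryBatch:
            stats["batch_retries"] += 1
            continue  # checkpoint untouched, so the same events come back
        if crash_before_checkpoint_at == batch[-1].sequence_number and not crashed:
            crashed = True  # simulated host crash after processing but before checkpointing
            continue
        store.update(partition, batch[-1].sequence_number)


def demo() -> tuple[dict[str, int], int, dict[str, int], list[int]]:
    """Constructed partition: six orders, one with an invalid quantity, one simulated crash."""
    events = [Event(i, {"order_id": oid, "qty": qty}) for i, (oid, qty) in enumerate(
        [("A", 2), ("B", 1), ("C", 0), ("D", 3), ("E", 1), ("F", 4)])]
    store, proc = CheckpointStore(), OrderProcessor()
    stats = run("0", events, store, proc, batch_size=2, crash_before_checkpoint_at=1)
    return stats, store.get("0"), proc.orders, [e.sequence_number for e in proc.dead_letter]
```

Without the `done` set the replay after the crash would apply orders A and B twice; the duplicate count in the result is the evidence that at-least-once delivery really happened and was absorbed by the guard.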

863
MCQmedium

You are deploying a containerized application to Azure Container Instances. The application requires writing temporary files to a local filesystem. You need to ensure that the files persist if the container restarts. What should you do?

A.Mount an Azure Files share as a volume in the container group.
B.Use the container's writable layer to store files.
C.Use Azure Blob Storage and mount it as a volume.
D.Configure a Docker volume in the container image.
AnswerA

Azure Files shares provide persistent, shared storage for containers.

Why this answer

Azure Container Instances (ACI) supports mounting Azure Files shares as volumes. When a container restarts, its writable layer is ephemeral and lost, but an Azure Files share persists independently. By mounting the share, temporary files written to the mount point survive container restarts, meeting the persistence requirement.

Exam trap

The trap here is that candidates confuse Azure Blob Storage (object storage) with Azure Files (SMB file share) and assume both can be mounted as volumes in ACI. ACI supports Azure Files, emptyDir, secret and gitRepo volumes, but only an Azure Files share is backed by storage that outlives the container group.

How to eliminate wrong answers

Option B is wrong because the container's writable layer is ephemeral and discarded when the container restarts, so files stored there do not persist. Option C is wrong because Blob Storage cannot be mounted as a volume in ACI; among ACI's volume types (Azure Files, emptyDir, secret, gitRepo) only Azure Files provides persistent storage. Option D is wrong because a Docker volume is a runtime concept, not something an image declares, and ACI does not use Docker volumes; it has its own volume mounting mechanism. Note that mounting the share requires the storage account key in the container group definition; keep it in Key Vault and pass it in at deployment time rather than committing it to the template.

864
Multi-Selecthard

A report export service in Azure App Service must safely access Key Vault secrets without connection strings in configuration. Which two steps are required?

Select 2 answers
A.Enable anonymous access on the vault
B.Store the Key Vault access key in app settings
C.Grant the identity permission to read the required secrets
D.Enable a managed identity for the web app
AnswersC, D

The identity must be authorized on Key Vault through RBAC or access policies.

Why this answer

Option D is correct because enabling a managed identity on the web app gives it a platform-managed Microsoft Entra principal whose token is obtained at runtime, with no key material in configuration; the app then reads secrets with DefaultAzureCredential or through Key Vault references in app settings. Option C is correct because granting that identity permission to read secrets in Key Vault via Azure RBAC (Key Vault Secrets User) or an access policy is what actually authorizes the calls; scope it to the secrets the export service needs and nothing more, following the principle of least privilege. Option A is wrong because Key Vault has no anonymous access. Option B is wrong because Key Vault has no access key of that kind, and storing any credential in app settings is exactly what the requirement rules out.

Exam trap

The trap here is that candidates often think storing the Key Vault URI or a reference in app settings is sufficient, but the question explicitly requires 'without connection strings in configuration,' so the correct path is to use managed identity plus granting permissions, not storing any key material.

865
MCQhard

You are reviewing an ARM template that deploys a network security group (NSG) for a web application. The exhibit shows the security rules. The web application runs on port 443. You need to ensure that HTTPS traffic from the internet can reach the web servers. What is the issue with the current configuration?

A. The SSH rule is allowing SSH from the internet, which is a security risk.
B. The SSH rule should have a higher priority (lower number) to ensure SSH access.
C. The DenyAll rule should have a lower priority (higher number) to allow more specific rules.
D. There is no rule to allow HTTPS traffic (port 443) from the internet.
Answer: D

Without an allow rule for port 443, HTTPS traffic will be blocked by the DenyAll rule.

Why this answer

The NSG has only two inbound rules: AllowSSH (port 22 from VirtualNetwork) and DenyAll (all traffic). There is no rule to allow HTTPS (port 443) from the internet, so the DenyAll rule blocks all traffic that does not match a higher-priority allow rule. Therefore, Option D is correct. Option A is incorrect because the SSH rule is not blocking HTTPS; it simply does not allow it. Option B is incorrect because the SSH rule's priority of 100 is fine. Option C is incorrect because the DenyAll rule is not incorrectly placed; it is needed to block all other traffic.

866
MCQ · easy

A company stores archival data in Azure Blob Storage. The data is accessed only a few times per year, and retrieval can take up to 15 hours. Which blob access tier minimizes storage costs while meeting these requirements?

A. Hot tier
B. Cool tier
C. Archive tier
D. Premium tier
Answer: C

Archive tier offers the lowest storage cost and supports retrieval within 1-15 hours, fitting the scenario.

Why this answer

The Archive tier is the correct choice because it is designed for data that is rarely accessed (a few times per year) and has a retrieval latency of up to 15 hours, which matches the requirement. It offers the lowest storage cost among Azure Blob Storage tiers, making it optimal for long-term archival data where infrequent access and delayed retrieval are acceptable.

Exam trap

The trap here is that candidates often confuse the Cool tier's 'infrequent access' with 'archival access,' failing to recognize that Cool tier still provides millisecond retrieval and higher storage costs, while the Archive tier alone meets the 15-hour retrieval requirement and minimizes storage costs.

How to eliminate wrong answers

Option A is wrong because the Hot tier is optimized for frequent access (multiple times per day) and has higher storage costs, making it unsuitable for archival data accessed only a few times per year. Option B is wrong because the Cool tier is intended for data accessed infrequently (about once per month) and has a retrieval latency of milliseconds, not up to 15 hours, and its storage cost is higher than the Archive tier. Option D is wrong because the Premium tier is designed for low-latency, high-performance scenarios (e.g., sub-10ms access) and has the highest storage cost, which is inappropriate for archival data with a 15-hour retrieval tolerance.

867
MCQ · hard

A workflow must process 500 customer records in parallel and then aggregate all results into a single summary report. The team wants to use Azure Durable Functions so the orchestration state is durable and the solution can resume after a Function App restart. Which Durable Functions pattern matches this requirement?

A. Fan-out/fan-in: start 500 activity functions in parallel with Task.WhenAll inside the orchestrator, then aggregate all returned results
B. Function chaining: call each activity function sequentially, collecting each result before starting the next
C. Async HTTP API: start the workflow with an HTTP trigger, return a 202 with a status URL, and have the client poll for completion
D. Monitor: use a Durable timer loop that checks a status table every 60 seconds until all records are marked processed
Answer: A

Task.WhenAll fires all 500 activities simultaneously (constrained by the configured max concurrency). The orchestrator yields at the await statement, checkpointing its state. When all activities complete, the orchestrator resumes and aggregates results. Durable state management handles host restarts transparently.

Why this answer

Option A is correct because the fan-out/fan-in pattern in Durable Functions is specifically designed to execute multiple activity functions in parallel using Task.WhenAll inside an orchestrator, then aggregate their results. This matches the requirement to process 500 customer records concurrently and produce a single summary report, while the orchestration state is durably persisted and can resume after a Function App restart.

Exam trap

The trap here is that candidates may confuse the fan-out/fan-in pattern with the Async HTTP API pattern, thinking that the HTTP trigger and status polling are required for parallel processing, but the key distinction is that fan-out/fan-in handles the parallel execution and aggregation within the orchestrator itself, not via external polling.

How to eliminate wrong answers

Option B is wrong because function chaining executes activity functions sequentially, which would not process 500 records in parallel and would be inefficient for this workload. Option C is wrong because the Async HTTP API pattern is about starting a workflow and providing a status endpoint for polling, not about parallel execution and aggregation of results. Option D is wrong because the Monitor pattern uses a timer loop to check a status table periodically, which is designed for polling external state changes, not for parallel processing and aggregation of customer records.

868
MCQ · hard

Refer to the exhibit. You create a custom RBAC role with the shown permissions. You assign this role to a user at the resource group scope. What can the user do?

A. Read secrets from Key Vaults in the resource group
B. Assign the same role to other users
C. Delete secrets from Key Vaults in the resource group
D. Create new Key Vaults in the resource group
Answer: A

The role includes Microsoft.KeyVault/vaults/secrets/read.

Why this answer

The role includes read access to Key Vaults and the secrets in those vaults, so Option A is correct. Option B is wrong because the role is limited to the resource group scope. Option C is wrong because the role does not include delete permissions. Option D is wrong because the role does not include write permissions.

869
MCQ · medium

You are developing a .NET Core application that stores user profile images in Azure Blob Storage. The images are accessed frequently in the first week after upload, then rarely afterwards. You need to minimize storage costs while maintaining immediate access for the first week. What should you do?

A. Manually change the blob tier to Cool after 7 days using a scheduled job.
B. Set the default access tier of the storage account to Cool.
C. Store blobs in Archive tier and use rehydration when needed.
D. Implement a lifecycle management policy to move blobs to Cool tier 7 days after creation.
Answer: D

Automates tier transition after the frequent access period, balancing cost and performance.

Why this answer

Option D is correct because a lifecycle management policy that moves blobs from Hot to Cool 7 days after creation automatically transitions them to a lower-cost tier once they are infrequently accessed, matching the access pattern. Option A is incorrect because manually changing the tier with a scheduled job is not cost-effective or scalable. Option B is incorrect because setting the default access tier to Cool would increase latency during the first week. Option C is incorrect because the Archive tier has retrieval latency and is not suitable for immediate access within the first week.

870
MCQ · hard

You are designing a disaster recovery plan for a storage account containing critical data. The storage account is in the West US region. You need to ensure that if West US becomes unavailable, read access to the data is still possible with minimal latency. The data must be replicated asynchronously. Which replication strategy should you choose?

A. Read-access geo-zone-redundant storage (RA-GZRS)
B. Locally redundant storage (LRS)
C. Read-access geo-redundant storage (RA-GRS)
D. Geo-redundant storage (GRS)
Answer: C

RA-GRS allows asynchronous replication and read access to the secondary region.

Why this answer

RA-GRS (Read-access geo-redundant storage) is the correct choice because it provides asynchronous replication to a secondary region (paired region) and enables read access to the secondary endpoint even if the primary region fails. This meets the requirement for minimal latency read access during a West US outage, as RA-GRS allows reading from the secondary region while data is asynchronously replicated.

Exam trap

The trap here is that candidates often confuse GRS with RA-GRS, overlooking that GRS does not provide read access to the secondary region until a failover is initiated, which fails the 'read access with minimal latency' requirement.

How to eliminate wrong answers

Option A (RA-GZRS) is wrong because it uses zone-redundant storage within the primary region, which does not provide a secondary region for failover; it only protects against zone failures, not regional outages. Option B (LRS) is wrong because it replicates data only within a single data center, offering no protection against a regional disaster like West US becoming unavailable. Option D (GRS) is wrong because while it replicates asynchronously to a secondary region, it does not enable read access to the secondary endpoint during a primary region outage; read access is only available after a failover, which introduces latency and manual intervention.

871
MCQ · hard

A developer accidentally deleted a secret from Azure Key Vault. Soft-delete is enabled with a retention period of 90 days. After 60 days, you attempt to recover the secret. What should you do?

A. Run the Azure CLI command: az keyvault secret recover
B. Enable purge protection on the Key Vault first, then recover the secret.
C. Recovery is not possible because the retention period of 90 days has not elapsed.
D. Run the Azure CLI command: az keyvault secret undelete
Answer: A

This command restores the secret while within the soft-delete retention window (60 days out of 90).

Why this answer

Option A is correct because when soft-delete is enabled on Azure Key Vault, deleted secrets are retained for the specified retention period (90 days in this case). Since only 60 days have passed, the secret is still in a soft-deleted state and can be recovered using the `az keyvault secret recover` command, which restores the secret to an active state.

Exam trap

The trap here is that candidates may confuse the retention period with a mandatory waiting period before recovery, or mistakenly think that purge protection must be enabled first, when in fact recovery is available immediately after deletion as long as soft-delete is enabled.

How to eliminate wrong answers

Option B is wrong because purge protection is not required to recover a soft-deleted secret; it only prevents permanent deletion before the retention period ends. Option C is wrong because the retention period defines the maximum time the secret is kept before being purged, not a waiting period before recovery; recovery is possible at any point during the retention period. Option D is wrong because `az keyvault secret undelete` is not a valid Azure CLI command; the correct command is `az keyvault secret recover`.

872
MCQ · hard

You are designing a solution that stores large media files (up to 5 GB each) in Azure Blob Storage. The application must support concurrent uploads with the ability to pause and resume. You need to ensure efficient use of network bandwidth and provide progress reporting. Which approach should you use?

A. Use AzCopy with the --resume parameter.
B. Use Page blobs with 512-byte pages.
C. Use the Azure Storage SDK to upload blobs in blocks, and implement pause/resume logic using block IDs.
D. Use Append blobs and append data in chunks.
Answer: C

Block blobs support chunked upload, concurrency, and progress tracking; block IDs enable resume.

Why this answer

Option C is correct because the Azure Storage client library's block blob upload methods automatically use chunked upload with retry, and the Put Block and Put Block List operations give manual control over block IDs for pause/resume. The block blob API also supports concurrent uploads and progress tracking. Option A is incorrect because AzCopy is a command-line tool and is not suitable for embedding in an application. Option B is incorrect because page blobs are designed for random access and are not optimized for large uploads. Option D is incorrect because append blobs are designed for append operations, not for large file uploads.

873
MCQ · medium

Refer to the exhibit. You run this KQL query in Azure Monitor Logs. What does the timechart display?

A. Multiple lines, one for each result code, showing request count over time
B. A single line of total requests over time
C. Total requests per 5 minutes
D. Requests grouped by result code only
Answer: A

The render timechart will show separate series per resultCode.

Why this answer

Option A is correct because the query groups requests by 5-minute bins and result code, so the timechart renders a separate series for each result code. Option B is wrong because a single line would aggregate over all result codes. Option C is wrong because the chart does not show total requests; it shows requests per result code. Option D is wrong because the result is not grouped by result code only; the 5-minute time bins are also part of the grouping.

874
MCQ · medium

You have an Azure Web App that uses Azure SQL Database. You need to securely connect to the database using Managed Identity. Which connection string setting should you use?

A. Server=tcp:myserver.database.windows.net;Database=mydb;User Id=myadmin;Password=mypassword;
B. Server=tcp:myserver.database.windows.net;Database=mydb;Integrated Security=True;
C. Server=tcp:myserver.database.windows.net;Database=mydb;Authentication=Active Directory Password;User Id=myuser@domain.com;Password=...;
D. Server=tcp:myserver.database.windows.net;Database=mydb;Authentication=Active Directory Managed Identity;User Id=myapp;
Answer: D

Uses managed identity authentication.

Why this answer

Option D is correct because it uses the 'Authentication=Active Directory Managed Identity' keyword, which tells the SQL client to acquire an access token from Azure AD via the managed identity endpoint. The 'User Id' is set to the name of the managed identity (the app's system-assigned or user-assigned identity), and no password is needed because the token is obtained automatically. This enables a passwordless, secure connection to Azure SQL Database without storing credentials.

Exam trap

The trap here is that candidates often confuse 'Integrated Security=True' (Windows auth) with Azure AD Managed Identity, or they think a password-based Azure AD option (like Active Directory Password) is sufficient, missing the key requirement of a passwordless, identity-based connection.

How to eliminate wrong answers

Option A is wrong because it uses a SQL admin username and password, which requires storing secrets and does not leverage Managed Identity at all. Option B is wrong because 'Integrated Security=True' is a Windows authentication mechanism for on-premises Active Directory and does not work with Azure SQL Database or Azure AD Managed Identity. Option C is wrong because 'Authentication=Active Directory Password' still requires a password and a user principal name, which defeats the purpose of using a managed identity and introduces credential management overhead.

875
MCQ · hard

A financial services company uses Azure Container Instances (ACI) to run batch processing jobs. Each job processes sensitive financial data and must use a custom container image stored in Azure Container Registry (ACR). The security requirements are: the ACI container must authenticate to ACR using a managed identity, the container must run as a non-root user, and all secrets must be injected via environment variables from Azure Key Vault using the managed identity. The ACI instance must also be deployed into a virtual network (VNet) to restrict network access. What configuration should you use?

A. Create a system-assigned managed identity for ACI, assign AcrPull role to the identity, and grant it Key Vault access. Deploy ACI with VNet integration.
B. Create a user-assigned managed identity, assign it to both ACI and ACR (with AcrPull role), grant it Key Vault access, and deploy ACI with the identity and VNet integration.
C. Enable ACR admin account, use admin credentials in ACI, and store secrets in Key Vault with a system-assigned managed identity for ACI.
D. Create a service principal, assign AcrPull role and Key Vault access, store the service principal secret in Key Vault, and configure ACI to use the service principal.
Answer: B

User-assigned managed identity can be reused and assigned to multiple resources.

Why this answer

Option B is correct. A user-assigned managed identity can be assigned to ACI and given the AcrPull role on ACR, and the same identity can be granted access to Key Vault. Deploying ACI into a VNet restricts network access. Option A is wrong because a system-assigned managed identity cannot be shared between ACI and ACR. Option C is wrong because admin credentials are not secure. Option D is wrong because a service principal requires credential management.

876
MCQ · medium

Refer to the exhibit. You are configuring Azure Monitor autoscale for a virtual machine scale set using the above JSON metric configuration. The autoscale rule is supposed to scale out when average memory usage exceeds 80%. However, autoscale is not triggering even when memory usage is consistently above 90%. What is the most likely cause?

A. The aggregation interval is too long; it should be set to 1 minute.
B. The metric name is incorrect; it should be 'Percentage Memory'.
C. The aggregation type should be 'Maximum' instead of 'Average'.
D. The autoscale rule condition is not configured to use this metric.
Answer: D

The exhibit only shows the metric definition; the autoscale rule must reference this metric, and if not, it won't trigger.

Why this answer

Option D is correct. The exhibit shows only the metric definition (aggregation interval 00:05:00, aggregation type Average, metric name 'MemoryPercent'); it does not show the autoscale rule condition. Autoscale evaluates the metric aggregated over the configured duration, so if no rule condition references this metric (or the metric is not being emitted by the scale set), the rule will not trigger even when memory usage is consistently above 90%. Option A is wrong because a 5-minute aggregation interval is valid. Option B is wrong because 'MemoryPercent' is a valid metric name for VMs, provided the metric is collected. Option C is wrong because Average is an appropriate aggregation type for this rule.

877
MCQ · hard

A company uses Azure SQL Database and needs to encrypt sensitive columns (e.g., credit card numbers) at rest and in transit, with the ability to allow specific applications to decrypt. They want to manage encryption keys centrally in Azure Key Vault and avoid managing certificates. Which technology should they use?

A. Always Encrypted with column master key in Azure Key Vault.
B. Transparent Data Encryption (TDE) with Azure Key Vault.
C. Dynamic Data Masking (DDM) with Azure Key Vault.
D. Row-Level Security (RLS) with Azure Key Vault.
Answer: A

This provides column-level encryption and decryption by authorized applications.

Why this answer

Option A is correct because Always Encrypted with Azure Key Vault performs encryption and decryption on the client side, with the column master key stored in Key Vault, so only authorized applications can decrypt the protected columns. Option B is wrong because TDE encrypts the entire database at rest but not in transit, and it is not column-level. Option C is wrong because Dynamic Data Masking obscures data from non-privileged users but does not encrypt it. Option D is wrong because Row-Level Security is an access-control feature, not encryption.

878
MCQ · medium

Your company is developing a real-time dashboard that displays live metrics from IoT devices. The backend processes device data using Azure Functions with an Event Hubs trigger. The processed data is stored in Azure Cosmos DB. You need to ensure that the system can handle a sudden increase in device data without losing messages or overloading Cosmos DB. The solution must minimize latency and cost. What should you do?

A. Implement a buffer using Azure Blob storage: the Event Hubs triggered function writes raw data to blobs, and a separate timer-triggered function batches and writes to Cosmos DB at a controlled rate.
B. Configure the Event Hubs trigger to use a checkpointing strategy with a larger batch size to reduce the number of function invocations.
C. Use Azure Stream Analytics to process the Event Hubs data and write directly to Cosmos DB.
D. Increase the provisioned throughput (RU/s) on the Cosmos DB container to handle peak loads.
Answer: A

This decouples ingestion from storage, prevents Cosmos DB overload, and controls cost by batching writes.

Why this answer

Option A is correct because it decouples the ingestion rate from the write rate to Cosmos DB. By buffering raw data in Azure Blob storage and using a timer-triggered function to batch-write at a controlled rate, the system can absorb sudden spikes in device data without overwhelming Cosmos DB or losing messages. This approach minimizes latency by keeping the Event Hubs trigger processing fast (writing to blob) and reduces cost by avoiding the need to over-provision RU/s on Cosmos DB.

Exam trap

The trap here is that candidates often assume increasing throughput or batch size is the simplest solution, but the exam tests the understanding that decoupling ingestion from processing with a buffer is the correct way to handle sudden load spikes while minimizing cost and latency.

How to eliminate wrong answers

Option B is wrong because increasing the batch size in the Event Hubs trigger does not prevent Cosmos DB from being overloaded; it only reduces the number of function invocations but still writes the same volume of data per unit time, and larger batches can increase latency and risk of timeouts. Option C is wrong because Azure Stream Analytics writes directly to Cosmos DB without a built-in rate-limiting mechanism, so a sudden surge in data can still overwhelm the database or cause throttling, and it adds ongoing cost for the Stream Analytics job. Option D is wrong because simply increasing provisioned throughput (RU/s) on Cosmos DB addresses the symptom (throttling) but not the root cause (spiky load), leading to higher cost during normal operation and still risking message loss if the spike exceeds the provisioned RU/s.

879
MCQ · hard

You are developing an application that stores sensitive user data in Azure Table Storage. You need to ensure that data is encrypted at rest and that only authorized users can access it. What should you implement?

A. Apply Azure Information Protection labels to the storage account.
B. Enable Azure Storage Service Encryption (SSE) and use Microsoft Entra ID for authentication.
C. Implement client-side encryption using the Azure Storage SDK and manage keys via Azure Key Vault.
D. Use shared access signatures (SAS) with a stored access policy to limit access to the data.
Answer: B

SSE encrypts data at rest; Entra ID provides RBAC for access control.

Why this answer

Option B is correct because Azure Storage Service Encryption (SSE) is enabled by default for all storage accounts and encrypts data at rest, and using Microsoft Entra ID (formerly Azure AD) for authentication provides fine-grained access control via RBAC. Option A is wrong because Azure Information Protection is a data classification solution, not a storage encryption mechanism. Option C is wrong because client-side encryption is possible but not required; SSE already provides encryption at rest. Option D is wrong because shared access signatures (SAS) provide delegated access but do not enforce RBAC.

880
MCQ · medium

You manage a web application hosted on Azure App Service. You need to monitor the application's availability from multiple geographic locations. The test should check that the homepage loads successfully and returns HTTP 200 within 5 seconds. You want to receive an alert if the test fails from any location. Which type of Application Insights test should you create?

A. Multi-step web test
B. URL ping test
C. Custom availability test using TrackAvailability
D. Continuous export test
Answer: B

A URL ping test checks a single URL from multiple locations and can alert based on response time and HTTP status code, perfectly matching the requirements.

Why this answer

The URL ping test is the correct choice because it is a simple, single-URL availability test that checks whether a specific endpoint (the homepage) returns HTTP 200 within a specified timeout (5 seconds). It can be configured to run from multiple geographic locations and trigger an alert on failure, meeting all requirements without the complexity of multi-step or custom code.

Exam trap

The trap here is that candidates often confuse the URL ping test with the multi-step web test, assuming that any availability check requires a multi-step test, but the URL ping test is specifically designed for single-URL validation with geographic distribution and alerting.

How to eliminate wrong answers

Option A is wrong because a multi-step web test is designed to validate a sequence of user actions (e.g., login, navigate, submit) across multiple URLs, which is overkill and unnecessary for a simple homepage load check. Option C is wrong because TrackAvailability is a custom method used in code to report availability results manually, requiring you to write and deploy custom application logic, which is not needed for a basic HTTP 200 check. Option D is wrong because continuous export is a feature for exporting Application Insights telemetry data to storage or Event Hubs, not a mechanism for creating or running availability tests.

881
Multi-Select · hard

Which THREE are valid ways to authenticate an Azure Functions app to an Azure Service Bus namespace?

Select 3 answers
A. Using an Azure AD token obtained via DefaultAzureCredential
B. Using a connection string with shared access policy
C. Using a system-assigned managed identity
D. Using a client certificate
E. Using a SAS key stored in code
Answers: A, B, C

Token-based authentication.

Why this answer

Option A is correct because DefaultAzureCredential from the Azure Identity library can authenticate to Azure Service Bus using Azure AD tokens. This credential chain attempts multiple authentication sources (environment variables, managed identity, Visual Studio, etc.) to obtain a token, which is then used to authorize requests to the Service Bus namespace via Azure RBAC.

Exam trap

The trap here is that candidates might think client certificates are a valid authentication method for Service Bus, but Service Bus only supports Azure AD, SAS tokens, and connection strings, not certificate-based authentication.

882
MCQ · hard

You are designing a serverless application using Azure Functions that processes high-volume events from Azure Event Hubs. The events are then written to Azure Cosmos DB. The function must guarantee at-least-once delivery and be resilient to failures. The Cosmos DB account uses the SQL API and is configured with a single write region. You need to design the function to handle transient failures when writing to Cosmos DB without losing events. What should you do?

A. Increase the Event Hubs trigger's batch size to reduce the number of writes.
B. Implement a poison message queue to store failed events and reprocess them later.
C. In the function code, manually write to Cosmos DB and then manually checkpoint the Event Hubs partition.
D. Use the Cosmos DB output binding with built-in retry policy and configure the trigger to checkpoint only after successful writes.
Answer: D

Output binding retries on failure; checkpoint after success ensures at-least-once.

Why this answer

Option D is correct because using the Cosmos DB output binding with its built-in retry policy automatically handles transient failures by retrying writes. By configuring the Event Hubs trigger to checkpoint only after a successful write, you ensure that events are not acknowledged until they are durably stored in Cosmos DB, guaranteeing at-least-once delivery and resilience to failures.

Exam trap

The trap here is that candidates often think manual checkpointing gives them more control, but it actually introduces a window for data loss if the checkpoint occurs before the write is confirmed, whereas the output binding's built-in retry and automatic checkpointing on success provide a safer, more reliable pattern.

How to eliminate wrong answers

Option A is wrong because increasing the batch size does not address transient failures; it only processes more events per invocation, which can increase memory pressure and the risk of losing a larger batch if a failure occurs. Option B is wrong because a poison message queue is used for handling malformed or unprocessable events, not for transient failures that can be retried; it adds unnecessary complexity and does not leverage the built-in retry capabilities of the Cosmos DB output binding. Option C is wrong because manually writing to Cosmos DB and then manually checkpointing introduces a risk of checkpointing before the write succeeds, leading to potential data loss; it also bypasses the automatic retry and consistency guarantees provided by the output binding.

883
Multi-Select · medium

Which THREE of the following are valid ways to authenticate an Azure Function to an Azure SQL Database using managed identities?

Select 3 answers
A. Enable system-assigned managed identity on the function app and grant it access to the SQL database.
B. Assign the managed identity directly to the Azure SQL Database logical server.
C. Use the managed identity's principal ID to create a contained database user in SQL Database.
D. Create a user-assigned managed identity, assign it to the function app, and grant it access to the SQL database.
E. Create a service principal and assign it to the function app.
Answers: A, C, D

System-assigned identity is a type of managed identity.

Why this answer

Options A, C, and D are correct. Option A is correct because a system-assigned managed identity can be enabled for the function app and granted access to the SQL database. Option C is correct because granting that access is done by creating a contained database user in SQL Database for the managed identity. Option D is correct because a user-assigned managed identity can likewise be assigned to the function app; both system-assigned and user-assigned identities are managed identity types. Option B is wrong because a managed identity cannot be assigned directly to the SQL Database logical server; it is assigned to the function app. Option E is wrong because a service principal is not a managed identity.

884
MCQ · medium

A retail company uses Azure Logic Apps to integrate with third-party APIs. One Logic App sends purchase orders to a supplier's HTTP endpoint. The supplier requires that the request include an OAuth 2.0 access token obtained from their authorization server. The company wants to manage the client credentials (client ID and client secret) securely and rotate them automatically. The Logic App must also log all requests for auditing. What should you do?

A. Use the built-in HTTP action with a system-assigned managed identity and request a token from the supplier's authorization server using the managed identity.
B. Use the built-in HTTP action in the Logic App, store the client secret in Azure Key Vault, and retrieve it using the Key Vault connector. Then request a token from the supplier's authorization server.
C. Use the 'Managed API' connector for the supplier, configure it with client ID and secret in the connection parameters, and enable 'Azure AD Integration' on the Logic App.
D. Use the 'HTTP + Swagger' connector, define the OAuth2 security scheme, store the client secret in Key Vault, and configure the Logic App to use a system-assigned managed identity to access Key Vault.
Answer: D

This allows secure credential storage and automatic rotation with Key Vault.

Why this answer

Option D is correct. Using the HTTP + Swagger connector with managed identity and Key Vault integration allows secure storage and automatic rotation of credentials. Option A is wrong because the built-in HTTP action cannot use a system-assigned managed identity for an external OAuth flow against the supplier's authorization server.

Option B is wrong because it does not define the OAuth2 security scheme or use a managed identity to access Key Vault, which option D combines. Option C is wrong because the Managed API connector does not support OAuth token acquisition.

885
MCQhard

Your Azure Function app processes messages from an Azure Service Bus queue. The function is triggered by Service Bus messages. Occasionally, the function throws an unhandled exception after the message is processed but before the function completes. What happens to the message?

A.The message is moved to the dead-letter queue.
B.The message is abandoned and becomes available for other consumers after the lock duration expires.
C.The message is completed automatically despite the exception.
D.The message is automatically removed from the queue.
AnswerB

Exception causes abandon; message is retried.

Why this answer

Option B is correct because the Service Bus trigger completes the message only when the function runs successfully to completion. If an exception occurs, the message is abandoned and becomes visible again after the lock duration expires, causing it to be retried. Option A is wrong because the message is not dead-lettered on exception; it is retried.

Option C is wrong because the message is not automatically completed. Option D is wrong because the message is not automatically removed; it remains in the queue.

886
MCQeasy

You need to expose an on-premises API securely to external partners without opening firewall ports. Which Azure service should you use?

A.Azure Traffic Manager
B.Azure API Management
C.Azure Application Gateway
D.Azure Front Door
AnswerB

Exposes APIs securely, can route to on-prem.

Why this answer

Option B is correct because Azure API Management can expose APIs securely and integrate with on-premises backends via VPN or ExpressRoute. Option A is wrong because Azure Traffic Manager is DNS-based load balancing. Option C is wrong because Azure Application Gateway is a regional load balancer with WAF, but it is not designed for API exposure.

Option D is wrong because Azure Front Door is for global load balancing and CDN, not for exposing on-premises APIs.

887
MCQeasy

Your company uses Azure API Management (APIM) to expose several APIs. One of the backend APIs requires an API key that is stored in Azure Key Vault. You need to configure APIM to retrieve the API key from Key Vault and pass it to the backend in a header without exposing the key in policy definitions. Which APIM feature should you use?

A.Use a policy expression with the context.Variables to store the key.
B.Store the API key directly in the backend settings of the API.
C.Use a named value that references the Key Vault secret, and reference that named value in a set-header policy.
D.Use the authentication-managed-identity policy to authenticate to Key Vault and retrieve the secret.
AnswerC

Correct. Named values in APIM can be linked to Key Vault secrets. The policy will automatically retrieve the secret value and use it in the header without exposing the secret.

Why this answer

Option C is correct because named values in Azure API Management can be configured to reference secrets stored in Azure Key Vault. When a named value is linked to a Key Vault secret, APIM automatically retrieves the secret value at runtime and can inject it into policies (e.g., a set-header policy) without the secret ever appearing in plaintext in the policy definition. This approach ensures the API key is securely managed and not exposed in source control or policy code.

Exam trap

The trap here is that candidates often confuse the authentication-managed-identity policy (used for backend authentication) with the named value Key Vault integration (used for secret retrieval), leading them to select option D even though it does not directly retrieve secrets from Key Vault.

How to eliminate wrong answers

Option A is wrong because context.Variables in a policy expression are used to store temporary values within a policy scope, but they cannot directly retrieve secrets from Key Vault; the secret would still need to be fetched via a named value or managed identity, making this approach incomplete and insecure if the key is hardcoded. Option B is wrong because storing the API key directly in the backend settings of the API would expose the key in plaintext within the APIM configuration, violating the requirement to avoid exposing the key in policy definitions and not leveraging Key Vault for secure storage. Option D is wrong because the authentication-managed-identity policy is used to authenticate APIM to a backend service (e.g., to call another Azure resource), not to retrieve secrets from Key Vault; retrieving a secret from Key Vault requires a named value with a Key Vault reference or a custom policy using the send-request policy with managed identity, but the authentication-managed-identity policy alone does not fetch secrets.

888
MCQeasy

You have enabled Application Insights on your Azure Web App. You notice that some server-side exceptions are not appearing in the Application Insights portal. What is the most likely reason?

A.The Application Insights SDK is not installed in the application
B.The developer forgot to set the Instrumentation Key in the application configuration
C.The web app is running on a Free tier App Service plan
D.The exceptions are being caught and handled in code without being re-thrown or explicitly logged
AnswerD

Caught exceptions that are not re-thrown or logged via TrackException are not automatically tracked. Developers must explicitly log handled exceptions to see them in Application Insights.

Why this answer

Option D is correct because Application Insights only captures exceptions that are unhandled or explicitly logged via the SDK. If an exception is caught in a try-catch block and not re-thrown or logged using `TelemetryClient.TrackException()`, it will not appear in the portal. This is a common oversight when developers handle exceptions silently without instrumentation.

Exam trap

The trap here is that candidates assume enabling Application Insights on the Azure portal automatically captures all exceptions, but in reality, caught exceptions require explicit logging via the SDK.

How to eliminate wrong answers

Option A is wrong because the question states that Application Insights is enabled on the Azure Web App, which implies the SDK is installed (e.g., via the App Insights extension or auto-instrumentation). Option B is wrong because if the Instrumentation Key were missing, no telemetry at all would appear, not just missing server-side exceptions. Option C is wrong because the Free tier App Service plan does not prevent exception telemetry from being sent; it only limits compute resources and does not affect Application Insights data collection.

889
Multi-Selectmedium

Which TWO approaches can help you optimize the cost of Azure Storage accounts that store infrequently accessed data? (Choose two.)

Select 2 answers
A.Use Cool or Archive storage tier
B.Use Premium storage tier
C.Enable geo-redundant storage (RA-GRS)
D.Configure lifecycle management to move blobs to cooler tiers
E.Enable Azure Storage encryption
AnswersA, D

Cool and Archive tiers are cheaper for infrequent access.

Why this answer

Option A (Cool or Archive storage tier) and Option D (lifecycle management) are correct. Option B (Premium tier) is for high-performance workloads and is more expensive. Option C (RA-GRS) adds cost.

Option E (encryption) doesn't affect cost.

890
MCQeasy

You need to monitor the performance of an Azure web app. You want to track the average response time and the number of failed requests over the last hour. Which Azure service should you use?

A.Application Insights
B.Azure Monitor
C.Log Analytics
D.Azure Advisor
AnswerA

Correct. Application Insights monitors your live application and collects performance metrics, including response times and failure rates.

Why this answer

Application Insights is the correct choice because it is an extensible Application Performance Management (APM) service designed specifically for monitoring live web applications. It can track metrics like average response time and failed request counts out of the box, and it integrates directly with Azure Web Apps via the Application Insights SDK or auto-instrumentation, providing real-time telemetry without requiring custom logging code.

Exam trap

The trap here is that candidates often confuse Azure Monitor (the umbrella service) with Application Insights, assuming Azure Monitor alone can track application-level metrics like response time, when in fact it requires Application Insights for that granular, code-level telemetry.

How to eliminate wrong answers

Option B (Azure Monitor) is wrong because while it collects and stores platform-level metrics and logs (e.g., CPU, memory), it does not natively capture application-level metrics like average response time or failed request counts without additional configuration or integration with Application Insights. Option C (Log Analytics) is wrong because it is a query and analysis tool for log data stored in Log Analytics workspaces, not a real-time application performance monitoring service; it lacks built-in application telemetry collection. Option D (Azure Advisor) is wrong because it is a personalized cloud consultant that provides best practice recommendations for cost, security, reliability, and performance, but it does not collect or display live application performance metrics such as response time or failure counts.

891
MCQeasy

You are developing an ASP.NET Core web app that will be deployed to Azure App Service. The app needs to authenticate users from a Microsoft Entra ID tenant. You want to minimize development effort and rely on platform features. What should you do?

A.Implement custom OAuth 2.0 middleware in the app.
B.Add Microsoft.Identity.Web NuGet package and configure it in Startup.cs to use Microsoft Entra ID.
C.Use Microsoft Entra ID App Roles and add role checks in the code.
D.Enable App Service Authentication in the Azure portal and configure Microsoft Entra ID as the identity provider.
AnswerD

EasyAuth handles authentication at the gateway, requiring no code changes.

Why this answer

Option D is correct because App Service Authentication (EasyAuth) provides built-in authentication with Microsoft Entra ID without requiring code changes. Option A is wrong because implementing custom middleware requires significant development effort. Option B is wrong because it requires code changes.

Option C is wrong because App Roles are for authorization, not authentication, and are unnecessary if EasyAuth is used.

892
MCQmedium

You are deploying a web app to Azure App Service. The app uses environment-specific configuration (e.g., connection strings). You need to manage these settings without redeploying the app. Which feature should you use?

A.Azure App Configuration service
B.App Service application settings
C.ARM template parameters
D.Azure Key Vault references in App Service
AnswerB

Application settings are easy to manage and override app config without redeployment.

Why this answer

App Service application settings (option B) are the correct feature because they allow you to store environment-specific configuration (e.g., connection strings, app settings) as key-value pairs that are injected into the app at runtime. These settings can be changed in the Azure portal, CLI, or PowerShell without redeploying the application code, making them ideal for managing configuration across different environments (development, staging, production). The settings are automatically encrypted at rest and overridden for the specific App Service slot when using deployment slots.

Exam trap

The trap here is that candidates often confuse Azure App Configuration service (a premium, centralized config service) with the simpler, built-in App Service application settings, or they mistakenly think Key Vault references alone can replace application settings, not realizing that references are just a value source within an application setting.

How to eliminate wrong answers

Option A is wrong because Azure App Configuration service is a centralized configuration store for distributed applications, but it requires the app to explicitly pull configuration via its SDK or a provider, and it is not the simplest or most direct way to manage environment-specific settings without redeploying—App Service application settings are built-in and require no code changes. Option C is wrong because ARM template parameters are used to parameterize infrastructure deployments (e.g., resource names, SKUs) and are evaluated at deployment time; they cannot be changed after the app is deployed without redeploying the ARM template. Option D is wrong because Azure Key Vault references in App Service allow you to reference secrets stored in Key Vault from application settings, but they are a feature built on top of application settings—you still need to define the application setting (which is an App Service application setting) to point to the Key Vault secret, and the question asks for managing environment-specific configuration, not specifically secrets.

893
Multi-Selecteasy

Which TWO Azure services can be used to trigger an Azure Function when a new blob is created in a storage account? (Choose two.)

Select 2 answers
A.Azure Cosmos DB trigger
B.Azure Queue Storage trigger
C.Azure Event Grid trigger
D.Azure Blob Storage trigger
E.Azure Service Bus trigger
AnswersC, D

Event Grid can route blob creation events to a function.

Why this answer

Option C is correct because Azure Event Grid provides a native event-driven integration that can trigger an Azure Function when a new blob is created. By subscribing to the 'Microsoft.Storage.BlobCreated' event, Event Grid delivers low-latency, reliable HTTP-based events directly to the function, making it ideal for high-throughput, serverless workflows.

Exam trap

The trap here is that candidates often assume the Blob Storage trigger is the only native option, forgetting that Event Grid is also a first-class trigger for blob creation events and is actually the recommended approach for low-latency scenarios.

894
MCQmedium

Users of a web application hosted on App Service are randomly signed out when the app is scaled out to three instances. Investigation shows that session data stored in in-process memory is not available when subsequent requests hit a different instance. What is the recommended solution?

A.Store session data in Azure Cache for Redis and configure all App Service instances to connect to the same Redis endpoint
B.Enable ARR affinity (sticky sessions) on the App Service to route each user's requests to the same instance
C.Write session data to Azure Blob Storage as a JSON file keyed by session ID on every request
D.Store session state in a Cosmos DB container with a TTL equal to the session timeout
AnswerA

Redis acts as a shared external session store. Each instance serializes the session to Redis on write and deserializes it on read. Because all instances point to the same Redis instance, any instance can serve any user's requests correctly, making the session store horizontally scalable and instance-independent.

Why this answer

When an App Service scales out to multiple instances, in-process session state is stored locally on each instance and is not shared. Azure Cache for Redis provides a centralized, in-memory data store that all instances can access, ensuring session data is available regardless of which instance handles a request. This is the recommended pattern for distributed session state in Azure.

Exam trap

The trap here is that candidates often confuse ARR affinity (sticky sessions) as a complete solution, not realizing it only masks the problem by pinning users to instances, but fails to provide resilience against instance failures or scaling operations.

How to eliminate wrong answers

Option B is wrong because enabling ARR affinity (sticky sessions) only routes requests from the same user to the same instance, but it does not solve the underlying problem of session data loss if that instance fails or is recycled, and it can lead to uneven load distribution. Option C is wrong because writing session data to Azure Blob Storage on every request introduces high latency and is not designed for low-latency, high-frequency session reads/writes; it is a file storage service, not a session store. Option D is wrong because Cosmos DB is a NoSQL database with higher latency and cost compared to Redis for session state, and its TTL feature is for document expiration, not for efficient session management; it is overkill and not the recommended solution for this scenario.

895
MCQmedium

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to access the Microsoft Graph API to read user profiles. Which type of permission should you request in the app registration to ensure the app can read profiles without user interaction?

A.Delegated permissions
B.Resource-based permissions
C.Consent permissions
D.Application permissions
AnswerD

Application permissions allow the app to run without a signed-in user, ideal for background services.

Why this answer

Application permissions are required for daemon or service principal scenarios where no signed-in user is present. Delegated permissions require a signed-in user.

896
MCQmedium

You are implementing Azure API Management (APIM) to expose a legacy SOAP service as a modern REST API. The SOAP service requires WS-Security UsernameToken authentication. How should you configure APIM to handle this?

A.Use the 'convert-soap-to-rest' policy and configure OAuth2 for the backend.
B.Use a 'set-header' policy to add the WS-Security UsernameToken to the backend request.
C.Create a custom connector in Power Automate and import it to APIM.
D.Configure APIM with a client certificate and use the 'validate-client-certificate' policy.
AnswerB

The 'set-header' policy can inject the required SOAP header with credentials.

Why this answer

APIM can transform SOAP to REST using policies. For WS-Security, you can use the 'set-header' policy to add the UsernameToken. Option B is correct because you need to pass the credentials to the backend.

Option A is wrong because it configures OAuth2, not WS-Security; Option C is not possible; Option D is not needed.

897
MCQeasy

Your company wants to send email notifications to users via a third-party email service (SendGrid) from an Azure Logic App. What is the recommended way to securely store the SendGrid API key?

A.Store the API key in Azure Key Vault and use a managed identity to retrieve it
B.Store the API key in an App Setting of the Logic App
C.Hardcode the API key in the Logic App workflow definition
D.Store the API key in an environment variable on the integration service environment
AnswerA

Key Vault provides secure storage with access policies and auditing.

Why this answer

Option A is correct because Azure Key Vault securely stores secrets and can be accessed by Logic Apps via managed identity. Option B is wrong because app settings are less secure. Option C is wrong because hardcoding is a bad practice.

Option D is wrong because environment variables are not recommended for secrets.

898
MCQhard

Adventure Works is developing a payment processing system on Azure. The system uses an Azure Service Bus queue to decouple the frontend from the backend. The frontend sends a message to the queue. A backend service, running as an Azure WebJob, processes the message and calls a third-party payment gateway via HTTPS. The backend must authenticate to the payment gateway using a client certificate stored in Azure Key Vault. The WebJob must be able to access the certificate without storing any secrets in configuration. The WebJob runs in an App Service plan with system-assigned managed identity enabled. Which approach should the team use to retrieve the certificate and authenticate to the payment gateway?

A.In the WebJob code, use SecretClient from Azure.Security.KeyVault.Secrets to retrieve the certificate as a secret. Parse the secret value to X509Certificate2. Use the certificate in HttpClientHandler to call the payment gateway.
B.Store the certificate as a .pfx file in a blob container with a SAS token. Download the blob using the SAS token and load the certificate.
C.Create a service principal with a client secret, store the secret in Key Vault. Use ClientSecretCredential to authenticate to Key Vault and retrieve the certificate.
D.Store the certificate thumbprint in application settings. Use the Azure App Service certificate store to load the certificate by thumbprint.
AnswerA

Correct: uses managed identity to retrieve certificate from Key Vault.

Why this answer

Option A is correct: use the Key Vault SDK with DefaultAzureCredential (which picks up the system-assigned managed identity) to download the certificate as an X509Certificate2, then use that certificate in HttpClientHandler.

Option B is wrong because a SAS token is itself a secret that would have to be stored in configuration. Option C is wrong because it uses a service principal with a client secret. Option D is wrong because it relies on the App Service certificate store instead of retrieving the certificate from Key Vault with the managed identity.

899
MCQhard

You are designing a serverless application using Azure Functions. The function must process messages from an Azure Service Bus queue. The processing time for each message can vary from a few seconds to several minutes. You need to minimize costs while ensuring that messages are processed in a timely manner. Which hosting plan should you recommend?

A.Container Instances plan
B.Premium plan
C.App Service plan
D.Consumption plan
AnswerB

Premium plan supports execution timeout up to 60 minutes, eliminates cold starts, and provides dedicated instances for predictable performance.

Why this answer

The Premium plan is correct because it supports long execution times (up to 60 minutes by default, configurable to unlimited), always-warm instances to avoid cold starts, and virtual network integration—all while providing predictable pricing and scaling. This meets the requirement of processing messages that can take several minutes without incurring the cold-start penalties or execution-time limits of the Consumption plan.

Exam trap

The trap here is that candidates often assume the Consumption plan is always the cheapest option, but they overlook its 10-minute execution timeout and cold-start latency, which can cause message processing failures or delays for long-running tasks.

How to eliminate wrong answers

Option A is wrong because Container Instances is not a hosting plan for Azure Functions; it is a separate service for running containers directly, not a Functions hosting option. Option C is wrong because the App Service plan requires a dedicated, always-running VM, which incurs higher costs than necessary for a serverless workload and does not provide the automatic scale-to-zero benefit of serverless plans. Option D is wrong because the Consumption plan has a maximum execution timeout of 10 minutes (by default 5 minutes) and can suffer from cold starts, making it unsuitable for messages that may take several minutes to process.

900
MCQmedium

You are developing a solution that uses Azure Functions with a consumption plan. The function processes messages from an Azure Service Bus queue. During a load test, you notice that the function takes a long time to start processing messages after a period of inactivity. What is the most likely cause of this cold start delay?

A.The function is using a consumption plan, which may scale to zero instances.
B.The function timeout is set too low.
C.The function is using a premium plan with pre-warmed instances.
D.The Service Bus namespace is using the Premium tier.
AnswerA

Consumption plan scales to zero, causing cold starts on first request after inactivity.

Why this answer

Option A is correct because the consumption plan can cause cold starts after inactivity due to scaling down to zero instances. Option B is incorrect because the function timeout does not cause cold starts. Option C is incorrect because premium plans reduce cold starts, not cause them.

Option D is incorrect because the Service Bus Premium tier does not affect function cold starts.
