Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 901–975

997 questions total · 14 pages · All types, answers revealed


Page 13 of 14

901 · MCQ · medium

Your company uses Azure Logic Apps to automate a business process. The process needs to call an external REST API that requires an API key passed in the Authorization header. You need to store the API key securely and reference it in the Logic App. Which approach should you use?

A. Store the API key in the Logic App's definition as a constant
B. Use an Azure Key Vault secret and a managed identity
C. Hardcode the API key in a parameter file
D. Use an Azure Storage account table to store the key

Answer: B

Key Vault provides secure secret storage, and a managed identity allows the Logic App to authenticate without credentials.

Why this answer

Option B is correct because Azure Key Vault securely stores secrets like API keys, and using a managed identity allows the Logic App to authenticate to Key Vault without embedding credentials in code or configuration. This follows the principle of least privilege and eliminates the need to manage secrets in connection strings or parameter files.

Exam trap

The trap here is that candidates often choose Option A or C because they think storing the key in the Logic App definition or a parameter file is 'secure enough' for development, but the exam emphasizes that any plaintext storage in code or configuration is a security violation, and the only correct approach is to use a dedicated secrets store like Key Vault with managed identity.

How to eliminate wrong answers

Option A is wrong because storing the API key as a constant in the Logic App's definition exposes the key in plaintext within the workflow JSON, which can be viewed by anyone with read access to the Logic App and violates security best practices. Option C is wrong because hardcoding the API key in a parameter file still stores the key in plaintext within the deployment or configuration files, which can be leaked through source control or logs. Option D is wrong because using an Azure Storage account table to store the key does not provide encryption at rest by default (unless client-side encryption is implemented) and requires managing access keys for the storage account, introducing additional security risks.

902 · MCQ · medium

You are building an event-driven application that needs to publish messages to multiple independent subscribers. Each subscriber must be able to filter messages based on custom properties, and each subscriber must receive all messages that match its filter, even if other subscribers have different filters. The solution must guarantee message delivery. Which Azure messaging service should you use?

A. Azure Queue Storage
B. Azure Service Bus Topics and Subscriptions
C. Azure Service Bus Queues
D. Azure Event Hubs

Answer: B

You can create a topic with multiple subscriptions, each with its own filter. Each subscription receives a copy of messages that match its filter, supporting independent consumption.

Why this answer

Azure Service Bus Topics and Subscriptions are designed for publish-subscribe messaging where multiple independent subscribers each receive a copy of every message that matches their filter criteria. The topic allows publishing messages with custom properties, and each subscription can define a SQL-like filter (using the `SqlFilter` class) to select only relevant messages. This ensures that all subscribers receive all messages matching their filter, with guaranteed delivery via the broker's persistent storage and at-least-once delivery semantics.

Exam trap

The trap here is that candidates confuse Azure Service Bus Queues (point-to-point) with Topics (publish-subscribe), or assume Event Hubs can handle per-subscriber filtering, but Event Hubs lacks broker-side filtering and guarantees each event is consumed by only one consumer per consumer group, not by multiple independent subscribers with custom filters.

How to eliminate wrong answers

Option A is wrong because Azure Queue Storage provides a simple FIFO queue for point-to-point messaging; it does not support multiple independent subscribers or message filtering based on custom properties — each message is consumed by a single consumer. Option C is wrong because Azure Service Bus Queues also implement a point-to-point pattern where each message is delivered to only one consumer; they lack the publish-subscribe capability and per-subscriber filtering that topics and subscriptions provide. Option D is wrong because Azure Event Hubs is optimized for high-throughput event ingestion from multiple producers, not for guaranteed delivery to multiple independent subscribers with custom property filtering — it uses consumer groups for load balancing, not per-subscriber filters, and does not offer the same broker-level filtering or at-least-once delivery guarantees for each subscriber.

903 · MCQ · hard

An e-commerce platform writes orders to a Cosmos DB container. A downstream inventory service must process every new or updated order exactly once, even if the inventory service restarts mid-batch. The solution must scale horizontally when order volume increases. What is the recommended design?

A. Use the change feed processor library with a dedicated lease container; each worker instance claims partition leases and commits checkpoints after processing each batch
B. Poll the Cosmos DB container every 30 seconds using a _ts timestamp filter to find recently modified documents
C. Subscribe to Azure Event Grid Cosmos DB events and process them in an Azure Function
D. Enable Cosmos DB analytical store and run batch queries from an Azure Synapse Spark pool every hour

Answer: A

The lease container stores the last-processed continuation token per partition. On restart, a worker reads its leases and resumes from the checkpointed position. Adding more worker instances automatically redistributes leases across instances, providing linear horizontal scaling.

Why this answer

The change feed processor library with a dedicated lease container is the recommended design because it provides exactly-once processing semantics through checkpointing, automatic partition lease management for horizontal scaling, and resilience to worker restarts by resuming from the last committed checkpoint. This pattern is purpose-built for Cosmos DB change feed consumption in distributed systems.

Exam trap

The trap here is that candidates may choose Event Grid (Option C) because it is event-driven and seems simpler, but they overlook that Event Grid does not provide exactly-once processing or checkpoint-based restart resilience for Cosmos DB change feed scenarios.

How to eliminate wrong answers

Option B is wrong because polling with _ts timestamps cannot guarantee exactly-once processing due to clock skew, missed updates within the polling interval, and lack of checkpointing for restart resilience. Option C is wrong because Azure Event Grid provides at-least-once delivery for Cosmos DB events, not exactly-once, and does not manage partition leases or checkpoints for horizontal scaling. Option D is wrong because the analytical store and Synapse Spark pool are designed for batch analytics, not real-time event processing, and cannot guarantee exactly-once per-record processing with restart resilience.

904 · MCQ · hard

You are deploying a containerized application to Azure Kubernetes Service (AKS). The application needs to access Azure SQL Database securely. Which approach should you use to avoid storing credentials in the container image?

A. Store the connection string in a Kubernetes Secret and mount it as an environment variable
B. Use Azure AD Pod Identity (Workload Identity) to assign a managed identity to the pod and authenticate to SQL
C. Use a service principal and store its credentials in Azure Key Vault, then use the Key Vault Secrets Store CSI driver
D. Hardcode the credentials in the Dockerfile

Answer: B

Workload Identity integrates with AKS to provide managed identities to pods, eliminating the need for stored credentials.

Why this answer

Option B is correct because Azure AD Pod Identity (now evolved into Workload Identity) allows you to assign a managed identity to a pod, which can then authenticate to Azure SQL Database without any credentials stored in the image or environment variables. This approach uses Azure AD tokens obtained via the pod's identity, eliminating the need for connection strings or secrets in the container.

Exam trap

The trap here is that candidates often choose Option A (Kubernetes Secret) because it seems like a standard Kubernetes pattern, but they overlook that the question specifically requires avoiding any credential storage in the image or environment, which a Secret still represents.

How to eliminate wrong answers

Option A is wrong because storing the connection string in a Kubernetes Secret and mounting it as an environment variable still exposes the credential in the cluster's etcd and to any pod with access to the secret, violating the 'no credentials in the image' goal. Option C is wrong because while it avoids storing credentials in the image, it introduces unnecessary complexity and still relies on a service principal secret stored in Key Vault, which must be retrieved at runtime; the question specifically asks to avoid storing credentials, and a managed identity (Option B) is the simpler, more secure approach. Option D is wrong because hardcoding credentials in the Dockerfile is a fundamental security anti-pattern that embeds secrets directly in the image, making them accessible to anyone who can pull the image.

905 · MCQ · easy

You are developing a solution that stores large media files in Azure Blob Storage. Users access these files frequently for the first 30 days, then rarely afterwards. To optimize costs, you need to automatically move blobs to a cooler tier after 30 days of creation. Which Azure feature should you use?

A. Lifecycle management policies
B. Blob inventory
C. Change feed
D. Immutable storage

Answer: A

Correct. Lifecycle management policies automate tier transitions based on age, optimizing cost.

Why this answer

Azure Blob Storage lifecycle management policies allow you to automatically transition blobs to cooler tiers (e.g., from Hot to Cool) based on age or last modification time. By defining a rule that moves blobs to the Cool tier 30 days after creation, you optimize storage costs for frequently accessed files that become rarely used. This feature is purpose-built for automating tier transitions without manual intervention or custom code.

Exam trap

The trap here is that candidates may confuse lifecycle management with Blob inventory or Change feed, thinking that reporting or event logging alone can automate tier transitions, but only lifecycle policies provide the native, rule-based automation without additional code.

How to eliminate wrong answers

Option B (Blob inventory) is wrong because it provides a report of blobs and their metadata but does not automate tier transitions; it is used for auditing and compliance, not cost optimization. Option C (Change feed) is wrong because it records creation and modification events for blobs but requires custom processing to act on those events; it is not a built-in mechanism for automatic tiering. Option D (Immutable storage) is wrong because it enforces write-once-read-many (WORM) policies to prevent deletion or modification, not to manage storage tiers based on age.

906 · MCQ · medium

Refer to the exhibit. You are configuring access to an Azure Storage container using Azure RBAC via a custom role definition. You want to allow a user to list blobs in a container only if the request originates from the IP range 203.0.113.0/24. However, the user reports that they can list blobs from any IP. What is the issue?

A. The Principal is set to an Azure AD tenant instead of a specific user or group
B. The Resource should be the storage account resource ID, not the container resource ID
C. The Action should be 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'
D. The Condition for IP address is incorrectly formatted

Answer: A

RBAC assignments require a specific principal (user, group, or service principal), not a tenant.

Why this answer

Option A is correct because the custom role definition's 'AssignableScopes' property must be set to a scope that includes the user or group, but the issue here is that the role assignment's 'Principal' property is set to an Azure AD tenant instead of a specific user or group. When the principal is set to the tenant, the role assignment applies to all users in the tenant, bypassing the IP condition because the condition is evaluated per principal. To enforce the IP condition, the role must be assigned to a specific user or group, not the entire tenant.

Exam trap

Microsoft often tests the misconception that the role definition's 'AssignableScopes' or the condition syntax is the issue, when in reality the problem is that the role assignment's principal is set to the entire Azure AD tenant, which bypasses any conditions because conditions are evaluated per principal.

How to eliminate wrong answers

Option B is wrong because the 'Resource' in a custom role definition for a container-level permission should be the container resource ID (e.g., /subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{account}/blobServices/default/containers/{container}) to scope the role to that container; using the storage account resource ID would grant permissions across all containers, which is not the intent. Option C is wrong because the action 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read' is correct for listing blobs; the issue is not with the action but with the role assignment scope or principal. Option D is wrong because the condition for IP address is correctly formatted using the '@Resource' attribute with 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs:ipAddress' in the condition expression; the problem is that the condition is not being evaluated because the role assignment is applied to the tenant, not a specific user.

907 · Multi-Select · hard

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request? The architecture review board prefers a managed AWS-native control.

Select 2 answers
A. Issuer and signature are valid for the trusted tenant
B. The user's display name is present
C. Token audience matches the API application ID URI or client ID
D. The token was sent in a query string

Answers: A, C

Issuer and signature validation confirms the token came from the expected identity provider.

Why this answer

Option A is correct because the API must validate the issuer (iss) claim to ensure the token was issued by a trusted tenant (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0) and verify the token's digital signature using the public keys from the OpenID Connect metadata endpoint. This prevents tokens from untrusted tenants or forged tokens from being accepted.

Exam trap

The trap here is that candidates confuse 'claims that are present in the token' (like display name) with 'claims that must be validated for security' (issuer, audience, signature), leading them to select non-essential claims as validation requirements.

908 · Drag & Drop · medium

Arrange the steps to implement Azure Key Vault for storing and retrieving secrets in an application in the correct order.


Why this order

First create Key Vault, add secret, grant access, retrieve secret, use it.

909 · Drag & Drop · medium

Arrange the steps to deploy a containerized application to Azure Container Instances (ACI) from Azure Container Registry (ACR) in the correct order.


Why this order

First create ACR, push image, create container group, configure settings, then start.

910 · MCQ · easy

A company wants to send email notifications from an Azure Function app. The function app runs on a Consumption plan. Which service should be used to send emails?

A. Azure Logic Apps
B. Microsoft Graph API
C. Azure Communication Services
D. SendGrid

Answer: D

SendGrid is a third-party email service integrated with Azure, suitable for sending emails from functions.

Why this answer

Option D is correct because SendGrid is a third-party email service available as an Azure Marketplace integration. Option A is incorrect because Azure Logic Apps could be used but adds overhead. Option C is incorrect because Azure Communication Services is for SMS/chat, not email. Option B is incorrect because Microsoft Graph API sends emails from a user mailbox, which is not suitable for automated notifications.

911 · MCQ · hard

Application Insights ingestion cost is rising because a high-traffic app emits large telemetry volume. The team needs statistically useful telemetry while reducing ingestion. What should be configured? The design must avoid adding custom operational scripts.

A. Move the app to a larger App Service plan
B. Adaptive sampling
C. Disable all exception telemetry
D. Increase log verbosity to debug

Answer: B

Adaptive sampling reduces telemetry volume while preserving representative diagnostic data.

Why this answer

Adaptive sampling is the correct solution because it automatically adjusts the volume of telemetry data collected from your application, ensuring that only a representative fraction of events is sent to Application Insights while preserving statistical accuracy for analysis. This reduces ingestion costs without requiring custom scripts or manual intervention, as it is a built-in feature of the Application Insights SDK that dynamically adapts based on traffic patterns.

Exam trap

The trap here is that candidates often confuse scaling (Option A) with cost optimization, or they mistakenly believe that disabling all telemetry (Option C) is a valid cost-saving measure, when in fact adaptive sampling provides a balanced approach that maintains data utility without manual overhead.

How to eliminate wrong answers

Option A is wrong because moving to a larger App Service plan increases compute resources but does not reduce telemetry volume or ingestion costs; it only addresses performance scaling, not data management. Option C is wrong because disabling all exception telemetry would eliminate critical diagnostic data needed for monitoring application health, potentially masking issues and violating the requirement for statistically useful telemetry. Option D is wrong because increasing log verbosity to debug would generate even more telemetry data, exacerbating the ingestion cost problem rather than solving it.

912 · Multi-Select · easy

Which TWO actions should you take to enable a user-assigned managed identity for an Azure App Service web app?

Select 2 answers
A. Create the managed identity resource in Microsoft Entra ID.
B. Configure the identity in each deployment slot separately.
C. Store the identity's client ID in an app setting.
D. Create the managed identity in the same resource group as the web app.
E. Assign the identity to the web app in the Azure portal or CLI.

Answers: A, E

User-assigned managed identities are created as Azure resources.

Why this answer

Option A is correct because a user-assigned managed identity is a standalone Azure resource created in Microsoft Entra ID (formerly Azure AD). It must exist as an identity resource before it can be assigned to any Azure service, including an App Service web app. This identity is then tied to a specific tenant and can be used by multiple Azure resources.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned managed identities, assuming the identity must be created in the same resource group as the web app or that its client ID must be manually stored in an app setting, when in fact user-assigned identities are independent resources that can be created anywhere and are automatically discoverable by the consuming service.

913 · MCQ · easy

You need to store small binary blobs (average 50 KB) that are accessed very frequently for a short period, then never accessed again. The total volume is high. Which storage tier is most cost-effective for the initial upload?

A. Hot
B. Cool
C. Cold
D. Archive

Answer: A

Correct. Hot tier optimizes for frequent access with lower per-operation costs.

Why this answer

The Hot tier is the most cost-effective for the initial upload because it is optimized for frequent access and low latency, and for small blobs (average 50 KB) that are accessed very frequently for a short period, the per-GB storage cost is higher than Cool or Cold, but the access cost (per-operation charges) is significantly lower. Since the blobs are never accessed again after the short period, the high access frequency during that period makes Hot the cheapest option when considering total cost (storage + access operations), as Cool/Cold tiers would incur much higher per-read operation costs that outweigh their lower storage costs.

Exam trap

The trap here is that candidates assume lower storage cost per GB (Cool/Cold) always means lower total cost, ignoring that frequent access operations and minimum duration charges can make Hot tier cheaper for short-lived, high-access workloads.

How to eliminate wrong answers

Option B (Cool) is wrong because Cool tier has a higher per-read operation cost and a minimum storage duration charge (30 days), making it more expensive for blobs that are accessed very frequently for a short period and then never accessed again. Option C (Cold) is wrong because Cold tier has even higher per-read operation costs and a 90-day minimum storage duration, which would be wasteful for blobs that are only needed briefly. Option D (Archive) is wrong because Archive tier has the highest latency (hours to rehydrate) and is designed for long-term backup, not for blobs that need immediate, frequent access; it also incurs a 180-day minimum storage duration and high retrieval costs.

914 · Multi-Select · hard

Which THREE permissions should be granted to an application's managed identity to allow it to read secrets from Azure Key Vault and use them to access Azure Storage?

Select 2 answers
A. Key Vault Crypto User role
B. Key Vault Secrets Officer role (includes all operations)
C. Key Vault Reader role
D. Key Vault Secrets User role (includes get and list)
E. Storage Blob Data Contributor role on the storage account

Answers: D, E

The Key Vault Secrets User role allows getting secrets.

Why this answer

Option D is correct because the Key Vault Secrets User role grants the 'get' and 'list' permissions on secrets, which is exactly what the application's managed identity needs to read secrets from Azure Key Vault. Option E is correct because the Storage Blob Data Contributor role on the storage account provides the necessary permissions to access and use the storage account (e.g., read/write blobs) after retrieving the secret (such as a connection string or key). Together, these two roles enable the managed identity to both retrieve secrets and access Azure Storage.

Exam trap

The trap here is that candidates often confuse the Key Vault Reader role (which only allows reading metadata, not secret values) with the Key Vault Secrets User role (which allows reading the actual secret content), or they mistakenly think the Key Vault Secrets Officer role is required when only read access is needed.

915 · MCQ · easy

Your company stores customer payment data in an Azure SQL Database. You need to ensure that only the application's managed identity can access the database, and no SQL logins or passwords are used. Which authentication method should you configure?

A. SQL Server authentication with a strong password stored in Key Vault
B. Use Microsoft Entra ID authentication with the managed identity configured as a contained database user
C. Enable Transparent Data Encryption (TDE) and use the database's certificate
D. Configure the Azure SQL firewall to allow only the application's outbound IP

Answer: B

Managed identity can be granted access to Azure SQL via Microsoft Entra ID authentication without credentials.

Why this answer

Option B is correct because configuring the managed identity as a contained database user in Azure SQL Database using Microsoft Entra ID authentication allows the application to authenticate without any SQL logins or passwords. The managed identity provides an automatically managed service principal in Entra ID, which can be mapped to a contained database user (CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER). This enables token-based authentication using OAuth 2.0, ensuring that only the application's identity can access the database.

Exam trap

The trap here is that candidates often confuse network-level security (firewall rules) or data encryption (TDE) with authentication, failing to recognize that only Entra ID authentication with a managed identity eliminates the need for SQL logins and passwords entirely.

How to eliminate wrong answers

Option A is wrong because SQL Server authentication with a password stored in Key Vault still requires a SQL login and password, violating the requirement of 'no SQL logins or passwords.' Option C is wrong because Transparent Data Encryption (TDE) only encrypts data at rest and does not provide authentication or access control; it cannot replace the need for an identity-based authentication method. Option D is wrong because configuring the Azure SQL firewall to allow only the application's outbound IP does not authenticate the application; it only restricts network access by IP address, and the application would still need a SQL login or password to connect.

916 · MCQ · medium

You are developing an Azure Functions app that processes orders. The function must scale out automatically during peak hours but should not incur costs when idle. Which hosting plan should you use?

A. Premium plan
B. Container Instances
C. App Service plan
D. Consumption plan

Answer: D

Consumption plan scales automatically and charges only when the function runs.

Why this answer

The Consumption plan is correct because it automatically scales your function app based on demand, including scaling out to handle peak loads, and you only pay for execution time and resources consumed when your functions are running. When idle, there are no costs because the plan does not reserve any instances; it relies on a dynamic, event-driven scale model that can scale down to zero.

Exam trap

The trap here is that candidates often confuse the Premium plan's 'always ready' instances with the Consumption plan's true scale-to-zero capability, mistakenly thinking Premium is required for automatic scaling, when in fact Consumption provides automatic scaling and zero-cost idle behavior.

How to eliminate wrong answers

Option A is wrong because the Premium plan, while offering automatic scaling and no cold starts, incurs costs for pre-warmed instances and a minimum baseline of always-ready workers, so it does not scale to zero and will incur costs when idle. Option B is wrong because Container Instances are not a hosting plan for Azure Functions; they are a service for running containers directly, and while they can scale, they do not provide the built-in, event-driven scaling and pay-per-execution model of Azure Functions. Option C is wrong because the App Service plan runs on dedicated VMs that are always on, meaning you pay for the allocated resources (e.g., VM instances) even when the function app is idle, and it does not scale to zero.

917 · MCQ · hard

Your organization uses Azure API Management (APIM) to expose internal APIs to external partners. You need to ensure that only partners with a valid subscription key can access the APIs. Additionally, you want to log all requests for auditing. Which APIM policy should you implement?

A. Apply a <validate-jwt> policy and a <log-to-eventhub> policy
B. Apply an <ip-filter> policy
C. Apply a <rate-limit> policy
D. Apply a <cors> policy

Answer: A

<validate-jwt> can validate the subscription key in the header, and <log-to-eventhub> enables auditing.

Why this answer

The <validate-jwt> policy can check the subscription key (via the 'Ocp-Apim-Subscription-Key' header) and the <log-to-eventhub> policy sends logs to an event hub for auditing. Option C is wrong because <rate-limit> only throttles; it does not validate keys. Option D is wrong because <cors> handles cross-origin requests. Option B is wrong because <ip-filter> filters by IP, not by key.

918 · MCQ · easy

You are reviewing an ARM template snippet for an Azure App Service. The exhibit shows the site configuration. You need to ensure that the app supports WebSocket connections for a real-time feature. Which setting must be added?

A. Set alwaysOn to false.
B. Set http20Enabled to false.
C. Change ftpsState to AllAllowed.
D. Add 'webSocketsEnabled': true to siteConfig.

Answer: D

WebSockets must be explicitly enabled in App Service.

Why this answer

Option D is correct because the 'webSocketsEnabled' property in the siteConfig of an Azure App Service ARM template explicitly enables WebSocket protocol support. WebSocket connections require a persistent, full-duplex communication channel over a single TCP connection, which is not enabled by default in Azure App Service. Setting this property to true allows the app to handle real-time features like chat or live notifications.

Exam trap

The trap here is that candidates often confuse 'webSocketsEnabled' with other networking or protocol settings like HTTP/2 or alwaysOn, assuming WebSockets are automatically supported or require a different configuration flag.

How to eliminate wrong answers

Option A is wrong because setting 'alwaysOn' to false would cause the app to unload after periods of inactivity, which would break WebSocket connections that need the app to remain active; alwaysOn should be true for WebSockets. Option B is wrong because 'http20Enabled' controls HTTP/2 support, which is unrelated to WebSocket functionality; disabling it does not affect WebSocket connections. Option C is wrong because 'ftpsState' controls FTP/FTPS access for file transfers, not WebSocket protocol support; changing it to AllAllowed has no impact on real-time features.

919 · MCQ · easy

You deploy a containerized web application to Azure Container Instances (ACI). The application writes session data to a local directory. You need the data to persist across container restarts (e.g., after a crash or redeployment). Which storage configuration should you use?

A. Use an emptyDir volume within the container group.
B. Mount an Azure Files share as a volume in the container group.
C. Use the container's own filesystem and copy data to a blob storage on shutdown.
D. Enable Azure Disk Encryption on the container group.

Answer: B

Correct. Azure Files provides durable, shared storage that persists independently of the container lifecycle. You can mount it using the 'azureFile' volume mount in ACI.

Why this answer

Option B is correct because Azure Files provides a fully managed SMB file share in the cloud that can be mounted as a volume in an Azure Container Instance. This allows session data written to the local directory to persist across container restarts, crashes, or redeployments, as the data lives on the share rather than in the ephemeral container filesystem.

Exam trap

The trap here is that candidates confuse 'emptyDir' (which is ephemeral and often used in Kubernetes for temporary storage) with a persistent volume, not realizing that ACI's emptyDir is also ephemeral and does not survive container group restarts.

How to eliminate wrong answers

Option A is wrong because an emptyDir volume is ephemeral and tied to the lifecycle of the pod or container group; its contents are deleted when the container group is restarted or redeployed, so it does not provide persistence across restarts. Option C is wrong because relying on the container's own filesystem means data is lost on restart or redeployment, and copying data to blob storage on shutdown is unreliable (shutdown may not be graceful) and adds unnecessary complexity. Option D is wrong because Azure Disk Encryption protects data at rest but does not provide a persistent storage volume; it is a security feature, not a storage solution for persisting session data across restarts.

920
MCQ (medium)

You receive an error when deploying this ARM template: 'The serverFarmId property is required.' What is missing from the template?

A.The server farm resource (Microsoft.Web/serverfarms) is not defined in the template
B.The 'location' property is missing from the site resource
C.The apiVersion should be '2018-02-01'
D.The 'kind' property should be 'functionapp'
Answer: A

The site resource has no serverFarmId, so no App Service plan (server farm) is associated with it; the template must define the plan resource and reference its resourceId.

Why this answer

The error 'The serverFarmId property is required' indicates that the ARM template does not associate the site with an App Service Plan (Microsoft.Web/serverfarms) resource. In Azure, a web app or function app must be associated with an App Service Plan, which defines the compute resources and pricing tier. The template must define the server farm resource, make the site depend on it (dependsOn), and link the two by setting the site's serverFarmId property to the plan's resourceId.

Exam trap

The trap here is that candidates often think the error is about a missing property on the site resource itself (like location or kind), rather than realizing the entire server farm resource definition is absent from the template.

How to eliminate wrong answers

Option B is wrong because the 'location' property is not related to the serverFarmId error; a missing location would cause a different error like 'The location property is required'. Option C is wrong because the apiVersion '2018-02-01' is a valid version for Microsoft.Web/sites and does not affect the serverFarmId requirement; the error is about a missing resource definition, not an API version mismatch. Option D is wrong because the 'kind' property set to 'functionapp' is used to specify the app type but does not resolve the missing server farm reference; the serverFarmId is still required regardless of the kind.

921
Multi-Select (easy)

Which TWO conditions are required to use the 'Run from Package' feature in Azure App Service?

Select 2 answers
A.The package must be accessible via a URL if not deployed locally.
B.The package must be stored in Azure Blob Storage.
C.The package must be a ZIP file.
D.The package size cannot exceed 500 MB.
E.The App Service must have a managed identity to access the package.
Answers: A, C

If an external package is used, an accessible URL (with a SAS token if the blob is private) is required, and the package itself must be a ZIP file.

Why this answer

Option A is correct because the 'Run from Package' feature in Azure App Service requires the deployment package to be accessible via a URL if it is not deployed locally (e.g., uploaded directly via the Azure portal or CLI). When using a remote URL, the package must be publicly accessible or secured with a SAS token, as App Service downloads it to the /home/data/SitePackages directory during startup. This ensures the app runs directly from the package without extracting it to the wwwroot folder.

Exam trap

The trap here is that candidates often assume the package must be in Azure Blob Storage (Option B) or that a managed identity is required (Option E). App Service accepts any URL it can reach; a private blob is typically exposed with a SAS token, and a managed identity is an optional alternative (Azure Functions supports fetching the package from Blob Storage with one), not a requirement. Where the identity is available, prefer it over a long-lived SAS token, which is a bearer secret sitting in app settings.

922
MCQ (easy)

You are building an Azure Logic App that must send an email notification when a new file is added to a SharePoint Online document library. Which connector and trigger should you use?

A.Use the SharePoint connector with the 'When a file is created' trigger
B.Use the Office 365 Outlook connector with the 'When a new email arrives' trigger
C.Use the Azure Blob Storage connector with the 'When a blob is added or modified' trigger
D.Use the HTTP connector with a manual trigger and poll SharePoint's REST API
Answer: A

This is the correct approach: the SharePoint connector integrates natively with Logic Apps and provides a trigger for file creation.

Why this answer

The SharePoint connector's 'When a file is created' trigger is the correct choice because it monitors a SharePoint Online document library for new files and starts the Logic App workflow automatically. It is a managed polling trigger: the connector checks the library at the interval you configure and authenticates with the connection you set up, so you write no polling or authentication code yourself.

Exam trap

The trap here is that candidates may confuse the SharePoint connector with other storage connectors (like Azure Blob Storage) or mistakenly think a polling-based HTTP approach is simpler, overlooking the native event-driven trigger that is purpose-built for this exact scenario.

How to eliminate wrong answers

Option B is wrong because the Office 365 Outlook connector's 'When a new email arrives' trigger monitors an email inbox, not a SharePoint document library, and would require an email to be sent for each file addition, which is not the requirement. Option C is wrong because the Azure Blob Storage connector's 'When a blob is added or modified' trigger is designed for Azure Blob Storage containers, not SharePoint Online document libraries, and cannot directly detect file changes in SharePoint. Option D is wrong because using the HTTP connector with a manual trigger and polling SharePoint's REST API introduces unnecessary complexity, latency, and resource consumption compared to the native event-driven trigger, and it lacks the built-in authentication and optimization of the SharePoint connector.

923
MCQ (medium)

You deploy an Azure App Service web app that uses a system-assigned managed identity. The app needs to read a secret stored in Azure Key Vault to connect to a third-party service. You want to grant the minimum required permissions to the managed identity. Which Azure RBAC role should you assign to the managed identity at the Key Vault scope?

A.Key Vault Reader
B.Key Vault Secrets Officer
C.Key Vault Secrets User
D.Key Vault Contributor
Answer: C

This role provides read access to secret values, meeting the requirement with the minimum permissions.

Why this answer

Option C is correct because the 'Key Vault Secrets User' role grants the minimum required permission—'Microsoft.KeyVault/vaults/secrets/getSecret/action'—for a managed identity to read a secret from Azure Key Vault. This role is specifically designed for read-only access to secrets, aligning with the principle of least privilege for the app's need to retrieve a secret for third-party service authentication.

Exam trap

The trap here is that candidates confuse the roles that cover the vault resource or only its metadata ('Key Vault Contributor', 'Key Vault Reader') with the data-plane roles that grant access to secret values, assuming any 'Reader' or 'Contributor' role at the vault scope lets the app read secrets. Also note that these Azure RBAC data-plane roles apply only when the vault uses the RBAC permission model; with the legacy access-policy model you grant the identity a 'Get' secret permission instead.

How to eliminate wrong answers

Option A is wrong because 'Key Vault Reader' only allows reading the vault and the metadata of its keys, secrets, and certificates (names, versions, tags, enabled state), not the secret values themselves. Option B is wrong because 'Key Vault Secrets Officer' includes write, delete, and restore permissions on secrets (e.g., 'Microsoft.KeyVault/vaults/secrets/setSecret/action'), which exceeds the read-only requirement. Option D is wrong because 'Key Vault Contributor' manages the vault resource itself (creating and deleting vaults, changing properties and, under the access-policy model, the access policies, which is why it is a privilege-escalation risk) but grants no data-plane permission to read secrets.

924
MCQ (medium)

Contoso Ltd. is migrating a legacy on-premises application to Azure. The application processes customer orders and sends confirmation emails. The new solution must use Azure Functions with an HTTP trigger to receive orders, store order data in Azure Cosmos DB, and send emails via SendGrid. Security requirements: All connections must use managed identities where possible. No secrets should be stored in code or configuration files. Cosmos DB and SendGrid API keys must be retrieved at runtime from Azure Key Vault. The Azure Function app must be able to access Key Vault without storing any connection strings or secrets in application settings. The development team plans to use the Azure.Identity and Azure.Security.KeyVault.Secrets libraries. Which approach should the team use to authenticate to Key Vault?

A.Upload a client certificate to the Function app's certificate store. Use ClientCertificateCredential to authenticate to Key Vault.
B.Use Key Vault references in application settings. Store the Key Vault URI in app settings and let the Functions runtime resolve secrets.
C.Enable system-assigned managed identity on the Function app. Grant the identity 'Get' and 'List' permissions on Key Vault secrets. Use DefaultAzureCredential in code to authenticate to Key Vault.
D.Create a user-assigned managed identity, assign it to the Function app, and store its client ID in application settings. Grant the identity permissions to Key Vault. Use ClientSecretCredential with the client ID and a secret.
Answer: C

Correct: no secrets are stored, and a managed identity is used.

Why this answer

Option C is correct. Enable the system-assigned managed identity on the Function app and grant that identity read access to secrets: 'Get' and 'List' secret permissions if the vault uses access policies, or the 'Key Vault Secrets User' role if it uses Azure RBAC. In code, DefaultAzureCredential (from Azure.Identity) picks up the managed identity in Azure and a developer credential locally, and SecretClient (from Azure.Security.KeyVault.Secrets) reads the Cosmos DB and SendGrid keys at runtime. Nothing but the vault URI, which is not a secret, goes into application settings.

Option A is wrong because a certificate still has to be provisioned to the app and its thumbprint configured, and ClientCertificateCredential is a service-principal credential, not a managed identity. Option B is wrong because Key Vault references resolve secrets into app settings through the Functions runtime; that is secret-free and uses the managed identity, but it does not satisfy the stated requirement to retrieve the keys at runtime through the Azure.Identity and Azure.Security.KeyVault.Secrets libraries. Option D is wrong because ClientSecretCredential needs a client secret, which would have to be stored in application settings; a user-assigned managed identity is used with ManagedIdentityCredential or DefaultAzureCredential, never with a secret.

925
MCQ (hard)

A company uses Azure Functions to process messages from Azure Service Bus. The function currently uses the Consumption plan. They notice that during high load, messages are processed slowly due to scaling latency. Which change would improve throughput most?

A.Switch to the Premium plan
B.Set the maximum instance count to 20
C.Increase the function's batch size to 100
D.Enable Service Bus sessions
Answer: A

The Premium plan provides pre-warmed instances and faster scaling.

Why this answer

The Premium plan for Azure Functions provides pre-warmed instances and faster scaling, eliminating the cold start and scaling latency inherent in the Consumption plan. This directly addresses the bottleneck during high load by ensuring that new instances are allocated instantly, thereby improving message processing throughput from Service Bus.

Exam trap

The trap here is that candidates often assume increasing batch size or instance count will solve scaling latency, but they overlook that the fundamental issue is the cold start and provisioning delay inherent in the Consumption plan, which only the Premium plan resolves by providing pre-warmed instances and faster scaling.

How to eliminate wrong answers

Option B is wrong because setting the maximum instance count to 20 does not reduce scaling latency; it only caps the upper limit of instances, and the Consumption plan still suffers from cold start delays when scaling out. Option C is wrong because increasing the batch size to 100 may cause messages to be locked for longer periods, leading to increased message lock duration and potential duplicate processing, and it does not address the root cause of scaling latency. Option D is wrong because enabling Service Bus sessions does not improve throughput; sessions are used for message ordering and stateful processing, and they can actually reduce parallelism since all messages in a session must be processed by a single instance.

926
Matching (medium)

Match each Azure compute service to its execution model.

Pairings

Azure Virtual Machines: IaaS with full OS control

Azure App Service: PaaS for web and API apps

Azure Functions: Serverless event-driven compute

Azure Batch: Managed job scheduling for parallel workloads

Why these pairings

Azure compute services cater to different levels of control and abstraction, from a VM you patch and harden yourself to a platform that runs your code in response to events.

927
Multi-Select (easy)

You are designing a solution to store application secrets. You need to ensure that secrets are encrypted at rest and access is audited. Which TWO Azure services should you use?

Select 2 answers
A.Azure SQL Database
B.Azure Monitor
C.Azure Key Vault
D.Azure Storage Account with encryption
E.Azure App Configuration
Answers: B, C

Key Vault stores the secrets; Azure Monitor collects and analyzes Key Vault's audit logs.

Why this answer

Option C is correct because Azure Key Vault stores secrets encrypted at rest and enforces access control on them (per vault, or per secret when the RBAC permission model is used). Option B is correct because Azure Monitor receives the vault's diagnostic logs (the AuditEvent category), which record every data-plane operation including which identity read which secret, and lets you query and alert on them.

Option A is wrong because Azure SQL Database is a relational database, not a secrets store; it offers no per-secret access control, versioning, or expiry. Option D is wrong because a Storage Account, although encrypted at rest, is general-purpose storage: it has no per-secret access control, versioning, or expiry, and its logs are not the audit trail the question asks for. Option E is wrong because Azure App Configuration is for application settings and feature flags; for sensitive values it references Key Vault rather than storing the secret itself.

928
MCQ (medium)

Refer to the exhibit. You are deploying this ARM template to create a deployment slot for an Azure App Service. The template deploys successfully. However, the slot-specific app setting 'DEPLOYMENT_SLOT' is not visible in the Azure portal under the slot's Configuration > Application settings. What is the most likely cause?

A.Slot settings are not supported in ARM templates
B.The template does not set 'slotSticky' to true for the app setting
C.Deployment slots have been deprecated for App Service
D.The app setting name must be prefixed with 'APPSETTING_'
Answer: B

Intended answer: the setting was not declared as a deployment slot setting (what this question calls 'slotSticky'), so it is not pinned to the slot.

Why this answer

Option B is the intended answer. An app setting becomes slot-specific ('sticky') only when it is explicitly declared as a deployment slot setting; otherwise it is an ordinary setting that swaps with the app content. In an ARM template that declaration is not a property on the individual setting: you add a Microsoft.Web/sites/config resource named slotConfigNames to the production site, whose appSettingNames (and connectionStringNames) arrays list the setting names that must stay with their slot during a swap. Strictly, a setting defined on the slot's own appsettings config resource is shown in the slot's Configuration blade whether or not it is sticky; what stickiness decides is whether the setting stays with the slot or moves with the code on swap, and that is the behaviour the exam is testing.

Exam trap

The trap here is that candidates assume every app setting defined on a slot is automatically slot-specific, but Azure requires an explicit declaration (slotConfigNames in ARM, or the 'Deployment slot setting' checkbox in the portal) to make a setting stick to its slot.

How to eliminate wrong answers

Option A is wrong because ARM templates fully support slot settings, through the slotConfigNames config resource on the site and the Microsoft.Web/sites/slots/config appsettings resource on the slot. Option C is wrong because deployment slots are not deprecated; they remain a core feature of Azure App Service for staging and testing. Option D is wrong because app setting names do not require an 'APPSETTING_' prefix; App Service adds that prefix to the environment variable it exposes to the process, but it is not part of the setting name in ARM templates or the portal.

929
MCQ (medium)

Your Azure Function app uses an event-driven architecture with Azure Event Hubs. You need to ensure that if the function fails to process an event, the event is retried up to three times and then sent to a dead-letter queue. What should you configure?

A.Use Durable Functions to orchestrate retries and dead-lettering.
B.Implement a try-catch block in the function code and manually re-queue the event.
C.Configure the retry policy in the function's host.json file.
D.Set the 'enableRetry' property on the Event Hub namespace.
Answer: C

The retry policy gives the function up to three retries per event. Event Hubs has no built-in dead-letter queue, so forwarding the failed event after the last attempt is done by the function itself.

Why this answer

Option C is correct because Azure Functions supports a declarative retry policy for the Event Hubs trigger: a fixedDelay or exponentialBackoff strategy with a maxRetryCount, configured for the function app as the question states (or per function with the FixedDelayRetry/ExponentialBackoffRetry attribute or a retry section in function.json). The checkpoint is not advanced until the retries are finished, so a transient failure does not lose the event. Be precise about the second half of the requirement, though: Event Hubs is a partitioned event log and has no dead-letter queue of its own. When the retries are exhausted the runtime logs the failure and moves on, so 'send it to a dead-letter queue' means the function code (or an exception handler around the processing) writes the poisoned event to a store you choose, such as a Service Bus queue or a blob container, before the checkpoint advances. None of the other options provides even the retry part declaratively.

Exam trap

The trap here is that candidates often confuse the retry policy configuration location (host.json for the function app) with properties on the Event Hubs namespace itself, or they overcomplicate the solution by choosing Durable Functions when a simple declarative setting suffices.

How to eliminate wrong answers

Option A is wrong because Durable Functions are designed for orchestrating complex, long-running, stateful workflows, not for a simple retry-then-forward pattern on an Event Hubs trigger; using them here would add unnecessary complexity and overhead. Option B is wrong because Event Hubs cannot 're-queue' an event: the consumer only moves a checkpoint, so manual retry logic in a try-catch would have to resend the event and keep its own retry count, which the runtime's retry policy already does for you. Option D is wrong because there is no 'enableRetry' property on an Event Hubs namespace; function retries are a Functions-runtime feature configured on the function app, not on the Event Hubs resource.

930
MCQ (easy)

You need to deploy a web application to Azure App Service. The application requires a custom domain name and SSL/TLS certificate. You want to automate the deployment using Azure CLI. Which command should you use to upload the SSL certificate to the App Service?

A.az appservice web config ssl upload
B.az appservice certificate import
C.az webapp config ssl upload
D.az webapp certificate upload
Answer: C

az webapp config ssl upload uploads a certificate (.pfx) to the App Service. Binding it to the custom domain is a separate step, az webapp config ssl bind, using the thumbprint that the upload returns.

Why this answer

Option C is correct because az webapp config ssl upload is the Azure CLI command that uploads a PFX certificate to an App Service. It takes --certificate-file and --certificate-password; in a pipeline, pass the password from a secret variable rather than a literal in the script, and do not commit the PFX to source control. Option A is wrong because az appservice web is not a command group; web app commands live under az webapp. Option B is wrong because az appservice has no certificate subgroup; importing a certificate from Key Vault is done with az webapp config ssl import. Option D is wrong because az webapp certificate upload does not exist; the certificate commands are all under az webapp config ssl.

931
Multi-Select (hard)

A production API needs proactive alerting for unexpected exceptions. Which two elements are required for a useful Azure Monitor alert?

Select 2 answers
A.A signal or metric/log query that detects the condition
B.An action group for notification or automation
C.A public IP address on the app
D.A manually exported CSV report
Answers: A, B

The alert rule must evaluate a metric or query that represents the problem, and an action group tells Azure Monitor what to do when the rule fires.

Why this answer

A is correct because an Azure Monitor alert rule requires a signal (such as a metric, a log query, or an activity log event) to define the condition that triggers it; for unexpected exceptions in an API this is typically a log query over Application Insights exceptions or the exceptions metric. Without a signal, the alert has no basis for evaluation. B is correct because the rule only detects the condition; an action group is what turns a fired alert into a notification (email, SMS, push) or an automated response (webhook, Azure Function, Logic App, runbook). Without it nobody is told and nothing happens.

Exam trap

The trap here is that candidates may think a public IP or exported report is needed for monitoring, but Azure Monitor alerts only require a signal and an action group, not network-level or manual data exports.

932
MCQ (medium)

Your company runs a batch processing job on Azure Batch. The job processes large datasets and requires access to Azure Storage. You need to ensure that the compute nodes can securely access the storage account without exposing credentials. What should you configure?

A.Azure AD service principal
B.Storage account access keys
C.Managed identity for the Batch pool
D.Shared access signatures (SAS)
Answer: C

Assign a managed identity to the Batch pool so the compute nodes authenticate to Azure Storage with Microsoft Entra tokens and no secret is ever placed on the nodes.

Why this answer

Option C is correct because a user-assigned managed identity attached to the Batch pool is available to every compute node: tasks obtain tokens from the instance metadata endpoint, and the identity is granted a narrowly scoped role (for example Storage Blob Data Reader on the one container the job needs), so there is no credential to store, rotate, or leak. Option A is wrong because a service principal still has a client secret or certificate that must be provisioned to the nodes and rotated. Option B is wrong because storage account access keys are long-lived shared secrets that grant full access to the whole account. Option D is wrong because a SAS token is itself a bearer secret that has to be distributed to the nodes and can be exposed in task command lines or logs.

933
MCQ (hard)

A company has an Azure Function app that processes messages from an Azure Storage queue. The function fails intermittently with timeout exceptions when the queue has many messages. What is the best approach to handle this?

A.Upgrade to a Premium plan
B.Decrease the batch size to reduce processing time per batch
C.Scale out the function app to multiple instances
D.Increase the batch size in the function's host.json
Answer: D

A larger batch size lets each instance dequeue and process more messages concurrently, so a backlog drains faster.

Why this answer

Option D is the intended answer. For the Storage queue trigger, batchSize in host.json (default 16, maximum 32) is the number of messages an instance fetches and processes in parallel; raising it, together with newBatchThreshold, increases per-instance throughput so the queue stops piling up under load. Each message is still its own invocation, and the per-invocation limit is functionTimeout, so if individual messages time out on their own the fix is in the function (or a longer functionTimeout), not the batch size. Option B is wrong because a smaller batch size lowers concurrency and leaves more messages waiting. Option C is wrong in the sense the question intends: the Consumption plan already scales out on queue depth, so adding instances by hand does not address per-instance throughput. Option A is wrong because a Premium plan raises cost and removes cold starts but does not by itself change how many messages an instance processes at a time.

934
MCQ (hard)

You are deploying a containerized application to Azure App Service. The application consists of a web front-end and a background worker. You want to run both containers in the same App Service plan to minimize costs. The worker should scale independently from the web front-end. What should you do?

A.Deploy the web front-end in App Service and the worker in Azure Kubernetes Service.
B.Use Docker Compose to run both containers in the same App Service plan.
C.Deploy both containers in the same App Service plan using multiple containers.
D.Deploy the worker as a separate Azure Container Instance.
Answer: A

AKS lets the worker scale independently, while App Service keeps running the web front-end.

Why this answer

Option A is correct because Azure App Service cannot scale the containers of one app independently: an app runs either a single container or a Docker Compose group, and scaling the plan scales every container in it together. Moving the worker to Azure Kubernetes Service gives it its own Deployment and autoscaler, so it scales on its own load while the front-end stays in App Service. The two components communicate over a private network or through a messaging service such as Service Bus or a Storage queue, so the worker needs no public endpoint.

Exam trap

The trap here is that candidates assume 'multiple containers' in App Service (via Docker Compose) allows independent scaling, but in reality, all containers in the same App Service plan scale as a single unit, which violates the requirement for independent scaling.

How to eliminate wrong answers

Option B is wrong because Docker Compose in Azure App Service runs all containers as a single logical unit within the same App Service plan, meaning they cannot scale independently; scaling the plan scales all containers together. Option C is wrong because deploying both containers in the same App Service plan using multiple containers (via Docker Compose) still binds them to the same scaling unit, preventing independent scaling of the worker. Option D is wrong because deploying the worker as a separate Azure Container Instance (ACI) does not allow it to scale independently; ACI is a single-instance container service without built-in scaling, and it would not share the App Service plan, potentially increasing costs.

935
MCQ (medium)

A serverless app must react whenever audit documents are inserted or updated in Cosmos DB. Which trigger should the Azure Function use? The design must avoid adding custom operational scripts.

A.Queue trigger
B.Timer trigger
C.HTTP trigger
D.Cosmos DB trigger
Answer: D

The Cosmos DB trigger reads the change feed and invokes the function for inserts and updates.

Why this answer

The Azure Cosmos DB trigger is the correct choice because it natively listens to the Cosmos DB change feed, which captures inserts and updates to documents. This allows the Azure Function to react automatically without any custom scripts or polling logic, aligning with the serverless and operational simplicity requirements.

Exam trap

The trap here is that candidates may confuse the Cosmos DB trigger with other triggers that require custom polling or external invocation, overlooking that the change feed provides a built-in, event-driven mechanism for reacting to data changes.

How to eliminate wrong answers

Option A is wrong because a Queue trigger processes messages from Azure Queue Storage, not changes in Cosmos DB, and would require custom code to write audit events to the queue. Option B is wrong because a Timer trigger runs on a fixed schedule, not in response to data changes, and would need custom polling logic to detect inserts/updates. Option C is wrong because an HTTP trigger requires an explicit HTTP request to invoke the function, which is not triggered automatically by Cosmos DB document changes.

936
MCQ (easy)

You are developing an ASP.NET Core application that needs to access Azure Key Vault to retrieve secrets. You have enabled a managed identity for the App Service. Which Azure SDK class should you use to authenticate to Key Vault?

A.DefaultAzureCredential
B.ClientSecretCredential
C.ManagedIdentityCredential
D.InteractiveBrowserCredential
Answer: A

Correct. It automatically uses the available managed identity and falls back to other credential types if needed.

Why this answer

DefaultAzureCredential is the recommended approach because it provides a chained authentication mechanism that attempts multiple credential types in order, including ManagedIdentityCredential, EnvironmentCredential, and others. When running in an Azure App Service with a managed identity enabled, DefaultAzureCredential will automatically use the managed identity to authenticate to Key Vault, making it the most flexible and future-proof choice for this scenario.

Exam trap

The trap here is that candidates see 'managed identity' and immediately choose ManagedIdentityCredential, forgetting that DefaultAzureCredential is the recommended and more robust choice that automatically includes managed identity support.

How to eliminate wrong answers

Option B (ClientSecretCredential) is wrong because it requires explicitly providing a client secret (password) for a service principal, which defeats the purpose of using a managed identity and introduces secret management overhead. Option C (ManagedIdentityCredential) is the one to think about: it works, and many teams use it deliberately in production precisely because it does one thing and never falls back to a developer's az login or Visual Studio account. The exam's answer is DefaultAzureCredential because it also works unchanged on a developer machine; if you use it in Azure, trim the chain with DefaultAzureCredentialOptions so that a misconfigured identity fails fast instead of being masked by a fallback credential. Option D (InteractiveBrowserCredential) is wrong because it requires user interaction via a browser to authenticate, which is unsuitable for a server-side App Service that runs unattended.
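The pattern behind this question and question 924 (Azure.Identity plus Azure.Security.KeyVault.Secrets, with the app identity holding only the Key Vault Secrets User role) as an added C# example; it is not code from the page. Assumed, because the page does not state them: the app setting name KeyVault:Uri, the secret name SendGridApiKey, and the SendGrid base address used for the third-party client.

```csharp
using System;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Reads secret values from Key Vault with the app's identity. Nothing secret is
// configured: only the vault URI (assumed setting name KeyVault:Uri) is an app setting.
public sealed class VaultSecretReader
{
    private readonly SecretClient _client;

    public VaultSecretReader(SecretClient client) => _client = client;

    public async Task<string> GetRequiredAsync(string secretName)
    {
        try
        {
            // Response<KeyVaultSecret> converts implicitly to KeyVaultSecret.
            KeyVaultSecret secret = await _client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Authenticated but not authorized: the identity reached the vault without the
            // data-plane permission. Fix with the Key Vault Secrets User role (RBAC model)
            // or a 'Get' secret permission (access-policy model), never with a broader role.
            throw new InvalidOperationException(
                $"The app identity may not read secret '{secretName}'; grant Key Vault Secrets User at the vault scope.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            throw new InvalidOperationException($"Secret '{secretName}' does not exist in the vault.", ex);
        }
    }
}

public static class Program
{
    public static async Task Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        var vaultUri = new Uri(builder.Configuration["KeyVault:Uri"]
            ?? throw new InvalidOperationException("KeyVault:Uri is not configured"));

        TokenCredential credential = builder.Environment.IsProduction()
            // In Azure: the system-assigned managed identity only. Nothing to probe and,
            // if the identity is misconfigured, a clear failure instead of a silent fallback.
            ? new ManagedIdentityCredential()
            // On a developer machine: the chained credential (az login, Visual Studio, ...)
            // with the interactive and shared-cache links removed so it never prompts.
            : new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ExcludeInteractiveBrowserCredential = true,
                ExcludeSharedTokenCacheCredential = true
            });

        // The third-party key is resolved once at startup and held only in memory;
        // it is never written to configuration.
        var reader = new VaultSecretReader(new SecretClient(vaultUri, credential));
        string sendGridApiKey = await reader.GetRequiredAsync("SendGridApiKey"); // assumed secret name

        builder.Services.AddSingleton(reader);
        builder.Services.AddHttpClient("SendGrid", http =>
        {
            http.BaseAddress = new Uri("https://api.sendgrid.com/"); // assumed third-party endpoint
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", sendGridApiKey);
        });

        var app = builder.Build();
        app.MapGet("/healthz", () => "ok");
        await app.RunAsync();
    }
}
```

The 403 branch is the check worth keeping: a managed identity that has been enabled but not granted the data-plane role produces exactly that status, and surfacing it by name saves a long hunt through the wrong roles (Reader, Contributor) on the vault. In a Function app the same reader is registered in the Startup/HostBuilder configuration instead of Program.cs; the credential choice is unchanged.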

937
MCQ (medium)

A long-running webhook processor must process thousands of independent files. The developer wants status tracking, checkpoints, and replay-safe orchestration. Which Azure Functions capability should be used?

A.Blob lifecycle management
B.Timer trigger only
C.Durable Functions orchestrator
D.Azure Policy remediation
Answer: C

Durable Functions provides stateful orchestration, checkpointing, and durable execution history.

Why this answer

Durable Functions orchestrator is correct because it provides built-in support for status tracking, checkpointing, and replay-safe orchestration via the Event Sourcing pattern. The orchestrator function automatically saves execution history to a storage table, enabling reliable resumption after crashes or restarts, which is essential for processing thousands of independent files with long-running workflows.

Exam trap

The trap here is that candidates may confuse a simple trigger (like Timer or Blob trigger) with the orchestration capabilities needed for stateful, long-running workflows, overlooking that Durable Functions provides the necessary checkpointing and replay safety.

How to eliminate wrong answers

Option A is wrong because Blob lifecycle management is a storage policy for automatically tiering or deleting blobs based on age or last modification time; it does not provide orchestration, status tracking, or checkpointing for processing logic. Option B is wrong because a Timer trigger only invokes a function on a schedule and lacks any built-in mechanism for tracking individual file processing status, checkpoints, or replay safety across multiple independent executions. Option D is wrong because Azure Policy remediation is used to enforce compliance rules and automatically remediate non-compliant resources; it has no capability for orchestrating custom business logic or tracking file processing state.
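The orchestration described above as an added C# example (in-process Durable Functions 2.x model); it is not code from the page. Assumed: the route name, the request body format (a JSON array of file names), the chunk size, the retry settings, and the placeholder activity body.

```csharp
using System;
using System.Linq;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.DurableTask;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class FileBatch
{
    public sealed record BatchResult(int Succeeded, int Failed, DateTime CompletedUtc);

    // Client: starts the orchestration and returns the runtime's status-query URLs (202).
    // AuthorizationLevel.Function means callers must present a function key.
    [FunctionName("FileBatch_Start")]
    public static async Task<IActionResult> Start(
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = "batches")] HttpRequest req,
        [DurableClient] IDurableOrchestrationClient client)
    {
        // Assumed request body: a JSON array of file names, e.g. ["a.csv", "b.csv"].
        string[] files = await JsonSerializer.DeserializeAsync<string[]>(req.Body) ?? Array.Empty<string>();
        if (files.Length == 0) return new BadRequestObjectResult("no files");

        string instanceId = await client.StartNewAsync("FileBatch_Orchestrator", files);
        return client.CreateCheckStatusResponse(req, instanceId);
    }

    // Orchestrator: replayed from the history table after every await, so it must be
    // deterministic. No I/O, no DateTime.UtcNow, no Guid.NewGuid() here; use the context's
    // CurrentUtcDateTime / NewGuid() and put all real work in activities.
    [FunctionName("FileBatch_Orchestrator")]
    public static async Task<BatchResult> Orchestrator(
        [OrchestrationTrigger] IDurableOrchestrationContext context)
    {
        string[] files = context.GetInput<string[]>();
        var retry = new RetryOptions(firstRetryInterval: TimeSpan.FromSeconds(5), maxNumberOfAttempts: 3);

        int succeeded = 0, failed = 0;
        // Fan out in chunks. Each completed chunk is a checkpoint in the history, so a host
        // crash resumes after the last finished chunk instead of reprocessing everything.
        foreach (string[] chunk in files.Chunk(50))
        {
            bool[] results = await Task.WhenAll(chunk.Select(f => ProcessWithRetry(context, retry, f)));
            succeeded += results.Count(ok => ok);
            failed += results.Count(ok => !ok);
            // Progress is visible through the statusQueryGetUri returned to the caller.
            context.SetCustomStatus(new { succeeded, failed, total = files.Length });
        }
        return new BatchResult(succeeded, failed, context.CurrentUtcDateTime);
    }

    private static async Task<bool> ProcessWithRetry(
        IDurableOrchestrationContext context, RetryOptions retry, string fileName)
    {
        try
        {
            return await context.CallActivityWithRetryAsync<bool>("FileBatch_ProcessFile", retry, fileName);
        }
        catch (FunctionFailedException)
        {
            // All attempts for this one file failed; record it and let the batch continue.
            return false;
        }
    }

    // Activity: does the work, and must be idempotent, because a retry or a replay
    // can hand it the same file name twice.
    [FunctionName("FileBatch_ProcessFile")]
    public static async Task<bool> ProcessFile([ActivityTrigger] string fileName, ILogger log)
    {
        if (string.IsNullOrWhiteSpace(fileName))
            throw new ArgumentException("empty file name"); // an exception here triggers RetryOptions
        await Task.Delay(10); // assumed placeholder for the real processing
        log.LogInformation("processed {File}", fileName);
        return true;
    }
}
```

Two design points matter more than the fan-out itself: the orchestrator never reads the clock or does I/O, so a replay from the history table reaches the same decisions, and the activity is written to be idempotent, because the at-least-once delivery that makes the pattern replay-safe also means a file can be handed to it twice.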

938
Multi-Select (easy)

Which TWO Azure Blob Storage access tiers are optimized for infrequently accessed data with a minimum storage duration of 30 days?

Select 2 answers
A.Transactional
B.Archive
C.Premium
D.Cool
E.Hot
Answers: B, D

Cool has a 30-day minimum storage duration; Archive has a 180-day minimum but is also an infrequent-access tier.

Why this answer

The Cool tier is optimized for data that is infrequently accessed and stored for at least 30 days, with lower storage cost than Hot and higher access cost. The Archive tier is for rarely accessed data that can tolerate hours of rehydration latency; its minimum is 180 days, which satisfies 'at least 30 days' and is why the question counts it alongside Cool. (The Cold tier, with a 90-day minimum, sits between them but is not among the options.) Hot is for frequently accessed data, Premium is a performance tier of the storage account rather than an access tier, and 'Transactional' is not a tier at all.

Exam trap

The trap here is that candidates often confuse the Archive tier's 180-day minimum with the 30-day minimum required by the question, or they incorrectly assume that Premium (which is for high-performance scenarios) is suitable for infrequently accessed data.

939
MCQ (medium)

You deploy a containerized application to Azure Container Instances (ACI). The application writes state to the /data directory. You need to ensure that if the container restarts, the data persists. Which type of volume mount should you use?

A.Azure Files share
B.emptyDir volume
C.hostPath volume
D.Azure Disk volume
Answer: A

Azure Files provides a fully managed file share that can be mounted in ACI, ensuring data persists beyond container restarts.

Why this answer

Azure Files shares provide a fully managed SMB file share in the cloud that can be mounted to Azure Container Instances. When a container restarts, the data written to the /data directory persists because the share lives independently of the container lifecycle, ensuring state survives crashes or restarts.

Exam trap

The trap here is that candidates assume emptyDir is persistent because it is a named volume, when in ACI (as in Kubernetes) it is scratch space tied to the container group's lifetime, or assume hostPath exists in ACI when it does not: there is no host you can mount from.

How to eliminate wrong answers

Option B is wrong because an ACI emptyDir volume is ephemeral: it survives a crash of the container process but is lost when the container group is stopped, deleted, or redeployed. Option C is wrong because hostPath is a Kubernetes volume type for a node's filesystem; ACI gives you no host access and does not support it. Option D is wrong because Azure Disk volumes attach to a VM or AKS node; ACI cannot attach managed disks. The volume types ACI does support are Azure Files, emptyDir, secret, and git repo.

940
MCQ (medium)

A company uses Azure DevOps to deploy microservices to Azure Kubernetes Service (AKS). They need to securely pull container images from Azure Container Registry (ACR) during deployment without storing credentials. Which authentication method should they use?

A.ACR Tasks
B.ACR admin keys
C.Managed Identity
D.Service principal with password
Answer: C

AKS's managed identity with the AcrPull role avoids storing credentials.

Why this answer

Option C is correct because AKS pulls images through its kubelet managed identity: grant that identity the AcrPull role on the registry (az aks update --attach-acr does this for you) and no credential is stored in the cluster, in the pipeline, or in an image pull secret. Option D is wrong because a service principal with a password is a long-lived secret that must be stored and rotated. Option B is wrong because the ACR admin account is a single shared username and password with full push and pull rights; it should stay disabled. Option A is wrong because ACR Tasks builds and pushes images; it is not an authentication method for pulling them.

941
MCQ (medium)

You have an Azure App Service web app that uses a system-assigned managed identity. The app needs to read a secret stored in Azure Key Vault. You need to grant the app the minimum required permissions to access the secret. Which RBAC role should you assign to the managed identity at the Key Vault scope?

A.Key Vault Reader
B.Key Vault Secrets User
C.Key Vault Secrets Officer
D.Contributor
Answer: B

This role grants permission to read secrets (get, list) from the vault. It is the least privileged role that allows reading secret values.

Why this answer

The Key Vault Secrets User role grants the minimum required permission to read secrets from Azure Key Vault. This role provides the 'Microsoft.KeyVault/vaults/secrets/getSecret/action' permission, which is exactly what the app needs to retrieve the secret value. It does not grant any write or management capabilities, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates often confuse the Key Vault Reader role (which only allows listing vaults and reading metadata, not secret values) with the ability to read secrets, leading them to select it as the minimum permission.

How to eliminate wrong answers

Option A is wrong because Key Vault Reader only allows listing vaults and reading metadata, not reading secret values. Option C is wrong because Key Vault Secrets Officer grants full control over secrets, including create, update, delete, and restore, which exceeds the minimum required read permission. Option D is wrong because Contributor is a broad Azure RBAC role that grants full management access to all resources in the scope, far beyond the needed secret read permission.

942
MCQhard

You are developing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The API needs to call a downstream API (also secured by Microsoft Entra ID) on behalf of the signed-in user (On-Behalf-Of flow). You have already configured the web API to authenticate users with Microsoft.Identity.Web. How should you implement the token acquisition for the downstream API?

A.Use ADAL.NET's `AcquireTokenOnBehalfOf` method
B.Inject `ITokenAcquisition` and call `GetAccessTokenForUserAsync` with the scopes for the downstream API
C.Use the `Azure.Identity` library with `DefaultAzureCredential` to acquire a token
D.Manually construct an HTTP POST to the Microsoft Entra ID token endpoint with the user access token and client credentials
AnswerB

`ITokenAcquisition` from Microsoft.Identity.Web wraps MSAL.NET. `GetAccessTokenForUserAsync` performs the On-Behalf-Of flow, exchanging the user's token for a token to call the downstream API.

Why this answer

Option B is correct because Microsoft.Identity.Web provides the `ITokenAcquisition` service specifically for ASP.NET Core applications to acquire tokens for downstream APIs using the OAuth 2.0 On-Behalf-Of flow. Calling `GetAccessTokenForUserAsync` with the required scopes handles the token exchange automatically, leveraging the incoming user token and client credentials configured in the app. This is the recommended approach when using Microsoft.Identity.Web, as it abstracts the complexity of the OBO flow and integrates seamlessly with the ASP.NET Core authentication pipeline.

Exam trap

The trap here is that candidates may confuse the On-Behalf-Of flow with client credentials flow or app-only authentication, leading them to choose `DefaultAzureCredential` (Option C) or manual token endpoint calls (Option D), while forgetting that ADAL.NET (Option A) is deprecated and not part of the modern Microsoft.Identity.Web stack.

How to eliminate wrong answers

Option A is wrong because ADAL.NET is deprecated and should not be used for new development; it lacks support for modern Microsoft Entra ID features and is replaced by MSAL.NET, which is already integrated into Microsoft.Identity.Web. Option C is wrong because `DefaultAzureCredential` from Azure.Identity is designed for non-interactive scenarios (e.g., managed identities, service principals) and does not support the On-Behalf-Of flow, which requires exchanging a user token for a downstream token. Option D is wrong because manually constructing HTTP POST requests to the token endpoint is error-prone and requires handling token caching, retries, and security details that Microsoft.Identity.Web already manages; this approach is unnecessary and bypasses the library abstractions provided for exactly this purpose.

943
MCQmedium

An Azure App Service application has slow API requests. The developer needs distributed tracing across requests and dependencies. What should be enabled?

A.Azure Policy compliance scan
B.Application Insights with dependency tracking
C.Storage account static website logs
D.Cost Management budgets only
AnswerB

Application Insights provides request, dependency, exception, and trace telemetry for application diagnostics.

Why this answer

Application Insights with dependency tracking is the correct choice because it provides distributed tracing across requests and dependencies, enabling developers to correlate end-to-end transactions in a microservices or multi-component application. It automatically collects telemetry for HTTP calls, database queries, and other external service calls, which is essential for diagnosing slow API requests in an Azure App Service environment.

Exam trap

The trap here is that candidates may confuse Azure Policy or storage logs with monitoring tools, but only Application Insights provides the distributed tracing and dependency correlation needed for diagnosing slow API requests across multiple components.

How to eliminate wrong answers

Option A is wrong because Azure Policy compliance scan enforces organizational rules and governance on Azure resources, but it does not collect runtime telemetry or trace requests across dependencies. Option C is wrong because Storage account static website logs capture HTTP access logs for static content hosted in blob storage, not distributed tracing for dynamic API requests in App Service. Option D is wrong because Cost Management budgets only track and alert on spending, providing no insight into application performance or dependency call chains.

944
MCQmedium

A developer needs to run a Kusto query against application request data to identify 95th percentile latency by operation. Where should the query be run?

A.Logs in Application Insights or the associated Log Analytics workspace
B.Microsoft Entra audit logs
C.Azure Key Vault diagnostic settings
D.Azure Resource Graph only
AnswerA

Application Insights stores telemetry that can be queried with KQL in Logs.

Why this answer

Application Insights stores application request data, including latency metrics, and supports Kusto queries via its Logs blade. The associated Log Analytics workspace also provides the same query capabilities, making it the correct location to run a Kusto query for 95th percentile latency by operation.

Exam trap

The trap here is that candidates may confuse Azure Resource Graph with Log Analytics, but Resource Graph only queries Azure resource properties and configurations, not application telemetry data.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra audit logs contain sign-in and directory activity, not application request latency data. Option C is wrong because Azure Key Vault diagnostic settings capture vault access and performance logs, not application request metrics. Option D is wrong because Azure Resource Graph is designed for resource inventory and configuration queries across subscriptions, not for querying application telemetry like request latency.

945
MCQhard

A company has an Azure Storage account that stores sensitive data. They need to ensure that all access to the storage account is secured using Microsoft Entra ID authentication and that no storage account keys are used. Which configuration should be applied to enforce this?

A.Enable firewall rules
B.Disable shared key access
C.Enable advanced threat protection
D.Enable soft delete
AnswerB

Disabling shared key access ensures that only Microsoft Entra ID authentication is allowed, effectively blocking the use of storage account keys.

Why this answer

Disabling shared key access (Option B) is the correct configuration because it explicitly blocks all authentication using storage account keys (both primary and secondary), forcing all requests to use Microsoft Entra ID (formerly Azure AD) for authorization. This ensures that only identities with appropriate RBAC roles (e.g., Storage Blob Data Owner) can access the storage account, meeting the requirement to eliminate key-based access entirely.

Exam trap

The trap here is that candidates often confuse network-level security (firewall rules) with authentication enforcement, mistakenly believing that restricting network access alone prevents key-based access, when in fact shared keys can still be used from allowed networks.

How to eliminate wrong answers

Option A is wrong because enabling firewall rules restricts network-level access (IP addresses or virtual networks) but does not prevent authentication using storage account keys; a request from an allowed network could still use a shared key. Option C is wrong because enabling advanced threat protection (Azure Defender for Storage) provides security monitoring and alerts for anomalies (e.g., suspicious access patterns) but does not enforce authentication method or disable key-based access. Option D is wrong because enabling soft delete protects data from accidental deletion by retaining deleted blobs for a retention period, but it has no effect on authentication or authorization mechanisms.

946
MCQeasy

Refer to the exhibit. You run the Azure CLI command shown. What is the result?

A.Creates a key named MySecret in the vault
B.Deletes the secret named MySecret from the vault
C.Stores a secret named MySecret with the value in the vault
D.Creates a certificate named MySecret in the vault
AnswerC

The command sets a secret with the specified name and value.

Why this answer

The command creates a secret named MySecret with value "P@ssw0rd!" in the Key Vault named MyVault. Option A is wrong because the command does not create a key. Option B is wrong because the command sets a secret rather than deleting one.

Option D is wrong because it stores a secret, not a certificate.

947
MCQhard

You are a developer for a fintech company. Your application consists of multiple Azure Functions that process sensitive financial transactions. The functions need to access an Azure SQL Database and an Azure Storage account. Security requirements are: (1) No secrets or connection strings should be stored in application settings or code. (2) Access must be restricted to the specific resources each function needs. (3) All access must be audited. (4) The solution must support local development debugging. You have already enabled system-assigned managed identity for each function app. Which course of action should you take to meet the requirements?

A.Assign a user-assigned managed identity to each function app. Grant the identity access to Azure SQL via Microsoft Entra authentication and to Storage via RBAC. Use service principal for local development.
B.Use the system-assigned managed identity to access Key Vault, where you store the SQL connection string and storage account key. Use the Key Vault SDK in the function code to retrieve them. Enable Key Vault audit logging.
C.Store the SQL connection string and storage account key in Azure Key Vault. Use Key Vault references in function app settings to retrieve them at runtime. Enable Key Vault audit logging.
D.Grant each function app's system-assigned managed identity access to Azure SQL Database using Microsoft Entra authentication (create contained user) and to Azure Storage using RBAC (Storage Blob Data Contributor role). Enable auditing on SQL and Storage. For local development, use Azure CLI to sign in with your developer account and assign it the same RBAC roles.
AnswerD

This avoids any secrets, uses managed identity, and supports local development with developer accounts.

Why this answer

Option D is correct because it uses managed identity for Azure SQL (via Microsoft Entra authentication) and RBAC for Storage, satisfying the no-secrets requirement. It also enables auditing via Azure SQL Auditing and Storage analytics. For local development, you can use Azure CLI or Visual Studio with your developer account, which has the appropriate RBAC roles.

Option C is wrong because it stores connection strings in Key Vault and uses Key Vault references, which still involves retrieving a secret (the connection string) even though it's not in code; the requirement says no secrets should be stored anywhere. Option B is wrong because it likewise keeps connection strings in Key Vault and retrieves them with the SDK. Option A is wrong because, although it uses a user-assigned identity, it relies on a service principal with credentials for local development.

948
MCQmedium

A retail system uses Azure Service Bus to process orders. Each order has multiple messages (e.g., payment, shipping, confirmation) that must be processed in sequence. You need to guarantee that all messages belonging to the same order are handled by the same consumer in order. Which Service Bus feature should you use?

A.Sessions
B.Scheduled messages
C.Dead-letter queue
D.Auto-forwarding
AnswerA

Sessions ensure FIFO ordering and guarantee that messages with the same session ID are processed by a single consumer.

Why this answer

Sessions in Azure Service Bus enable ordered, first-in-first-out (FIFO) processing of related messages. By setting the SessionId property to the order ID, all messages for that order are grouped into a session, ensuring a single consumer processes them sequentially. This guarantees that payment, shipping, and confirmation messages for the same order are handled in order and by the same consumer.

Exam trap

The trap here is that candidates may confuse Sessions with Scheduled messages or Auto-forwarding, mistakenly thinking that delaying delivery or forwarding messages can achieve ordered processing, but only Sessions provide the required consumer affinity and FIFO guarantee for grouped messages.

How to eliminate wrong answers

Option B (Scheduled messages) is wrong because it only delays message delivery to a future time and does not provide any ordering or grouping guarantees for related messages. Option C (Dead-letter queue) is wrong because it is a sub-queue for storing messages that cannot be processed normally (e.g., due to exceeding MaxDeliveryCount), not for ensuring ordered processing of grouped messages. Option D (Auto-forwarding) is wrong because it automatically forwards messages from one queue or subscription to another based on a rule, but it does not enforce FIFO ordering or consumer affinity for related messages.

949
MCQhard

You are designing a solution that writes millions of small log records (each 200 bytes) to Azure Blob Storage. The logs are written every second, always appended to a single file. The file must be read periodically by a batch process that reads the entire file. You need to maximize write throughput and minimize storage costs. Which blob type and access strategy should you choose?

A.Use Block blobs and append the data to a single blob
B.Use Append blobs and write each log entry as an append block
C.Use Page blobs and write each log entry to a page
D.Use Block blobs and create a new blob for each log entry
AnswerB

Append blobs are optimized for sequential appends, providing high throughput and low cost for small append operations.

Why this answer

Append blobs are optimized for append operations, making them ideal for writing millions of small log records sequentially to a single file. Each log entry is written as an append block, which provides high throughput for append-heavy workloads. Append blobs also minimize storage costs because they store data in a single blob without the overhead of managing multiple blobs or pages.

Exam trap

The trap here is that candidates often choose Block blobs (Option A) thinking they can append data by adding new blocks, but they overlook the inefficiency of the block list management and the lack of native append support, which makes Append blobs the correct choice for sequential append workloads.

How to eliminate wrong answers

Option A is wrong because Block blobs are not designed for frequent append operations; appending to a block blob requires reading the existing blocks, adding a new block, and committing the block list, which is inefficient and does not maximize write throughput. Option C is wrong because Page blobs are optimized for random read/write operations on fixed-size pages (512 bytes) and are not suitable for small, sequential appends; they also incur higher costs due to minimum page size and premium storage tiers. Option D is wrong because creating a new blob for each log entry introduces significant overhead in blob creation, metadata management, and listing operations, which reduces write throughput and increases storage costs due to per-blob transaction charges.

950
MCQhard

A Cosmos DB workload for telemetry events has predictable traffic during business hours and almost no traffic overnight. The team wants to reduce cost while keeping performance during peak hours. What should be configured?

A.Analytical store only
B.Autoscale throughput with an appropriate maximum RU/s
C.Manual throughput set permanently to peak RU/s
D.Disable indexing entirely
AnswerB

Autoscale adjusts provisioned throughput within a range, reducing manual management and matching predictable peaks.

Why this answer

Autoscale throughput (option B) is correct because it dynamically scales the provisioned RU/s between 10% of the configured maximum and the maximum itself based on actual demand. For a workload with predictable peak traffic during business hours and near-zero traffic overnight, autoscale eliminates the cost of provisioning for peak capacity 24/7 while ensuring performance is not throttled during high-demand periods. This directly addresses the cost-reduction goal without sacrificing peak-hour performance.

Exam trap

The trap here is that candidates often confuse 'autoscale' with 'manual throughput' and assume manual throughput set to peak is the safest choice, but they overlook the cost of idle capacity; Microsoft often tests the understanding that autoscale is the only option that dynamically matches cost to actual usage while preserving peak performance.

How to eliminate wrong answers

Option A is wrong because Analytical Store is a separate columnar store for analytical queries (e.g., Synapse Link) and does not affect the transactional throughput cost or scaling behavior; it adds cost for storage and processing, not reduces it. Option C is wrong because setting manual throughput permanently to peak RU/s would incur charges for that capacity 24/7, even during overnight low-traffic periods, defeating the cost-reduction goal. Option D is wrong because disabling indexing entirely would severely impact query performance and is not a valid cost-saving mechanism for throughput; it affects storage costs and write latency but does not reduce provisioned RU/s charges, and it breaks many query patterns.

951
MCQhard

You have an Azure App Service web app that experiences intermittent slowness. You enable Application Insights and notice that the "Failed Requests" metric is low, but "Server Response Time" is high for a subset of requests. You want to identify the specific code path causing the delay. Which feature should you use?

A.Live Metrics.
B.Snapshot Debugger.
C.Profiler.
D.Availability tests.
AnswerC

Correct. Profiler traces requests and identifies slow code paths.

Why this answer

C is correct because the Application Insights Profiler captures detailed call stacks and execution timing for slow requests, allowing you to pinpoint the exact code path causing high server response time. Unlike other features, Profiler is specifically designed for performance troubleshooting by tracing request execution at the code level.

Exam trap

The trap here is confusing the Profiler (for performance diagnostics) with the Snapshot Debugger (for exception debugging), leading candidates to choose Snapshot Debugger when the question explicitly asks about identifying the cause of high response times, not failures.

How to eliminate wrong answers

Option A is wrong because Live Metrics provides real-time monitoring of metrics like request rate and response times but does not capture detailed code-level call stacks to identify the specific slow code path. Option B is wrong because Snapshot Debugger is designed to capture debug snapshots on exceptions, not for analyzing slow response times; it helps diagnose crashes, not performance bottlenecks. Option D is wrong because Availability tests monitor the endpoint's availability and responsiveness from external locations, but they do not provide code-level profiling to identify the internal code path causing delays.

952
MCQmedium

You are designing a microservices architecture where each service needs to publish events to multiple subscribers. You choose Azure Event Grid. However, one of the subscribers is a third-party service that requires HTTPS endpoint and custom headers in the event delivery. How should you configure Event Grid?

A.Use Event Grid's 'Advanced Filters' to add custom headers to events.
B.Use Event Grid domains to route events to the third-party service.
C.Set custom headers in the event subscription's 'Delivery Properties' configuration.
D.Configure a dead-letter destination to handle delivery failures.
AnswerC

Event Grid allows you to define custom headers that are included in the HTTP POST to the endpoint.

Why this answer

Event Grid event subscriptions use filters such as 'includedEventTypes' and 'subjectBeginsWith' to select which events are delivered; custom HTTP headers are configured separately in the subscription's 'Delivery Properties'. Option C is correct because you can set custom headers there, and they are included in each HTTP POST to the endpoint. Option A is wrong because advanced filters only select events and cannot add headers; Option B is wrong because Event Grid domains group topics for routing, not for customizing delivery headers; Option D is wrong because a dead-letter destination only handles delivery failures.

953
MCQeasy

A developer needs to call a third-party REST API from an Azure Function app. The API requires OAuth2 client credentials flow. Which approach should they use to securely store and retrieve the client secret?

A.Store in application settings as environment variable
B.Store in Azure App Configuration
C.Store in Azure Key Vault
D.Use Managed Identity
AnswerC

Key Vault securely stores secrets and provides access via managed identity.

Why this answer

Azure Key Vault is the secure store for secrets like client secrets. Option B is wrong because App Configuration is for configuration, not secrets. Option A is wrong because environment variables in application settings are not a secure secret store.

Option D is wrong because Managed Identity does not store secrets; it provides an identity.

954
Multi-Selectmedium

A company is designing a secure microservices architecture on Azure Kubernetes Service (AKS). The security requirements include: encrypting secrets at rest and in transit, rotating secrets automatically, and avoiding hard-coded credentials in application code. Which THREE solutions should the company use? (Choose three.)

Select 3 answers
A.Inject secrets as environment variables from ConfigMaps.
B.Use Kubernetes Secrets with a scheduled CronJob to rotate them.
C.Use the Azure Key Vault CSI Driver to mount secrets as volumes in pods.
D.Store secrets in Azure Key Vault with soft-delete and purge protection enabled.
E.Enable AKS-managed Microsoft Entra ID integration and use pod managed identities to authenticate to Key Vault.
AnswersC, D, E

CSI driver avoids hard-coding secrets in code.

Why this answer

Options C, D, and E are correct. Azure Key Vault stores secrets encrypted at rest and provides automatic rotation. The CSI Driver enables pods to mount secrets without hard-coding them.

Managed identities for pods allow Entra ID authentication to Key Vault. Option B is wrong because Kubernetes Secrets do not provide automatic rotation. Option A is wrong because environment variables from ConfigMaps expose secrets in plaintext.

955
MCQhard

You are designing a solution that reads messages from an Azure Service Bus queue and processes them using an Azure Function. The function must process messages in order and ensure no duplicate processing. Which configuration should you use?

A.Use auto-forwarding to a dead-letter queue on failure
B.Partition the queue and use multiple functions to process each partition in order
C.Enable sessions on the queue and use peek-lock mode with automatic complete on success
D.Use receive and delete mode to ensure each message is processed only once
AnswerC

Sessions guarantee order; peek-lock with complete ensures exactly-once processing.

Why this answer

Option C is correct because Service Bus sessions enable ordered processing, and peek-lock mode with complete on success prevents duplicates. Option D is wrong because receive and delete does not allow retries. Option B is wrong because partitions are for throughput, not ordering.

Option A is wrong because auto-forwarding to a dead-letter queue only handles failed messages and provides neither ordering nor duplicate prevention.

956
MCQhard

You are monitoring an Azure App Service using Application Insights. You notice that HTTP 500 errors are increasing, but the standard server response time metric remains normal. You suspect that the errors are occurring in an external API call made by the application. How can you identify the dependency that is failing?

A.Enable snapshot debugging for the application.
B.Use Application Insights Profiler to capture code-level traces.
C.Configure Application Insights dependency tracking and view the Dependency Metrics blade.
D.Set up a custom event telemetry for each external call.
AnswerC

Dependency tracking records each call to external services, and the metrics blade aggregates failures and durations for each dependency, making it easy to spot failures.

Why this answer

Option C is correct because Application Insights dependency tracking automatically monitors HTTP calls, SQL queries, and other external dependencies made by your application. By viewing the Dependency Metrics blade, you can see failure rates, durations, and dependency names, allowing you to identify which external API call is failing without modifying code.

Exam trap

The trap here is that candidates may confuse dependency tracking with custom event telemetry or think that snapshot debugging or profiling can identify external API failures, but only dependency tracking provides automatic, aggregated metrics for outbound calls.

How to eliminate wrong answers

Option A is wrong because snapshot debugging captures the state of the application when exceptions occur, but it does not provide aggregated metrics or dependency-specific failure data; it is for debugging individual exceptions, not for identifying failing dependencies. Option B is wrong because Application Insights Profiler captures code-level traces and performance bottlenecks within your application's own code, not external API calls; it focuses on CPU time and request processing, not dependency failures. Option D is wrong because setting up custom event telemetry for each external call would require manual instrumentation and code changes, whereas dependency tracking is automatic and provides built-in metrics; custom events add overhead and are not necessary when dependency tracking is available.

957
Multi-Selecthard

You are designing a background job processing solution using Azure Batch. The job runs a large number of tasks that are CPU-intensive and require access to large input files stored in Azure Blob Storage. You need to minimize the time to process all tasks while controlling costs. Which THREE actions should you take?

Select 3 answers
A.Set the task slots per VM to 1 to avoid contention.
B.Use a pool of small-sized VMs (e.g., Standard_A1_v2) to minimize cost per node.
C.Mount Azure Blob Storage as a file system using blobfuse to allow tasks to access files directly.
D.Use a pool of low-priority VMs to reduce compute costs.
E.Configure each task to use multiple threads to utilize multi-core VMs.
AnswersC, D, E

Eliminates download time and reduces disk I/O.

Why this answer

Mounting Azure Blob Storage as a file system using blobfuse allows tasks to directly access large input files without downloading them first, reducing data transfer time and eliminating local disk bottlenecks. This is critical for CPU-intensive tasks that need fast, concurrent access to shared data, minimizing overall processing time.

Exam trap

The trap here is that candidates often confuse 'low-priority VMs' with unreliable compute, but Azure Batch can automatically handle preemptions with task retries, making them a cost-effective choice for fault-tolerant workloads, while the real performance bottleneck is data access, not CPU contention.

958
MCQhard

You have an Azure Function app that processes messages from a Service Bus queue. The function uses the Service Bus trigger. You notice that under high load, some messages are processed multiple times. What is the most likely cause?

A.The queue is partitioned
B.The lock duration is too short for message processing time
C.The batch size is too large
D.The maxDeliveryCount is set too high
AnswerB

If processing exceeds lock duration, the message is released and reprocessed.

Why this answer

The Service Bus trigger uses peek-lock mode, and if the function fails to complete the message within the lock duration, the message becomes visible again for reprocessing. Option D is wrong because max delivery count does not cause duplicates. Option C is wrong because batch size doesn't cause duplicates.

Option A is wrong because partitioning does not cause duplicates; it relates to ordering.

959
MCQmedium

You are developing a .NET Core web application that needs to send an email notification when a user registers. You decide to use Azure Communication Services Email. Which authentication method should you use to securely connect from your application to Azure Communication Services?

A.Use an Azure AD service principal with client secret.
B.Use an endpoint and an access key from Azure Communication Services.
C.Use a connection string from the Azure portal.
D.Use a managed identity for Azure resources.
AnswerB

The correct authentication method for Azure Communication Services Email is to use the endpoint and access key provided in the Azure portal.

Why this answer

Azure Communication Services uses an endpoint and an access key for authentication. Connection strings are not used; Azure AD is supported but requires additional setup; managed identity is an option but not the simplest for this scenario.

960
MCQeasy

Your team develops a containerized web app using Azure Kubernetes Service (AKS). You need to ensure that the application can automatically scale based on HTTP request load. Which Kubernetes resource should you configure?

A.VerticalPodAutoscaler
B.PodDisruptionBudget
C.HorizontalPodAutoscaler
D.NetworkPolicy
AnswerC

Correctly scales based on load metrics.

Why this answer

The HorizontalPodAutoscaler (HPA) is the correct Kubernetes resource for automatically scaling the number of pod replicas based on observed CPU, memory, or custom metrics like HTTP request rate. In an AKS cluster, HPA adjusts the replica count of a Deployment or ReplicaSet to match the target metric, enabling the application to handle varying HTTP load without manual intervention.

Exam trap

The trap here is that candidates often confuse HorizontalPodAutoscaler with VerticalPodAutoscaler, mistakenly thinking that adjusting pod resources (CPU/memory) is the correct way to handle HTTP load, when in fact HPA scales the number of pod replicas horizontally to distribute the load.

How to eliminate wrong answers

Option A is wrong because VerticalPodAutoscaler (VPA) adjusts CPU and memory requests/limits of existing pods, not the number of replicas; it is designed for resource optimization, not scaling based on HTTP request load. Option B is wrong because PodDisruptionBudget (PDB) ensures a minimum number of pods remain available during voluntary disruptions (e.g., node maintenance), and does not perform any scaling based on load. Option D is wrong because NetworkPolicy controls ingress/egress traffic between pods using label selectors and IP blocks, and has no role in autoscaling based on HTTP request load.

961
Multi-Selecthard

Which TWO are best practices when using Azure Service Bus for high-throughput messaging?

Select 2 answers
A. Enable duplicate detection for all queues
B. Use sessions to guarantee ordering
C. Enable batching of messages when sending
D. Use partitioned queues or topics
E. Send messages larger than 256 KB to reduce the number of messages
Answers: C, D

Batching reduces the number of operations and improves throughput.

Why this answer

Batching messages reduces per-operation overhead. Using partitioned queues or topics improves throughput. Option E is wrong because large messages reduce throughput. Option B is wrong because sessions can limit throughput. Option A is wrong because duplicate detection adds overhead.

962
MCQ (medium)

Refer to the exhibit. A developer deploys this ARM template to create a web app with a connection string to Azure Cosmos DB. The deployment succeeds but the web app cannot connect to Cosmos DB. What is the most likely cause?

A. The connection string should use a secret reference to Azure Key Vault
B. The listKeys function is used incorrectly
C. The web app name parameter is missing
D. The listKeys function requires a different API version
Answer: A

Best practice is to use Key Vault references, but the immediate issue is that the connection string is incomplete; it needs the full connection string format.

Why this answer

Option A is correct because the connection string should use a secret reference to Azure Key Vault for security; the raw master key in plaintext is not allowed. Option B is incorrect because the listKeys function is used correctly. Option D is incorrect because the listKeys function works with the API version used. Option C is incorrect because the deployment succeeded.

963
MCQ (medium)

Multiple teams need different levels of access to the same Azure Key Vault: the DevOps team needs to create and rotate secrets, the application team needs read-only secret access, and the auditing team needs list-only access. The security team wants audit logs of all access decisions and the ability to manage permissions through a single system. What access model should the developer recommend?

A. Use Azure RBAC for Key Vault with role assignments scoped per team: Key Vault Secrets Officer for DevOps, Key Vault Secrets User for the app team, and Key Vault Reader for auditing
B. Create separate access policies for each team with the minimum required permissions
C. Create a separate Key Vault per team to enforce isolation between access levels
D. Issue shared access signatures for each team scoped to the operations they need
Answer: A

RBAC assignments are integrated with Azure's identity and access management plane. All access decisions are logged in Azure Activity Log, fulfilling the audit requirement. Roles can be assigned at vault scope or narrower scopes. RBAC policies are managed centrally in Azure IAM, consistent with how all other Azure resources are governed.

Why this answer

Option A is correct because Azure RBAC for Key Vault provides a unified, centralized access management system that meets all requirements. The Key Vault Secrets Officer role allows DevOps to create and rotate secrets, the Key Vault Secrets User role grants read-only access to the application team, and the Key Vault Reader role provides list-only access for auditing. Additionally, RBAC integrates with Azure Monitor to deliver audit logs of all access decisions, satisfying the security team's need for a single management plane.

Exam trap

The trap here is that candidates may confuse the older Key Vault access policies (which are vault-specific and lack centralized audit integration) with Azure RBAC, or incorrectly assume that SAS tokens can be applied to Key Vault, when in fact SAS is exclusive to Azure Storage services.

How to eliminate wrong answers

Option B is wrong because separate access policies per team would require managing permissions individually for each vault and do not provide a single system for managing permissions across teams, nor do they natively integrate audit logs of access decisions as seamlessly as RBAC. Option C is wrong because creating a separate Key Vault per team violates the requirement for a single system to manage permissions and introduces unnecessary complexity and cost, while still not providing a unified audit trail. Option D is wrong because shared access signatures (SAS) are not supported for Azure Key Vault; SAS tokens are used for Azure Storage, not for controlling access to secrets, keys, or certificates in Key Vault.

964
MCQ (medium)

You are monitoring an Azure web application with Application Insights. You need to identify the top 5 slowest API endpoints over the last 7 days. The results should show the endpoint URL, average response time, and request count. Which feature or query should you use?

A. Use Log Analytics and run a query on the 'requests' table to aggregate by URL and sort by avg(duration).
B. Use the 'Performance' blade under 'Investigate' in the Application Insights resource.
C. Use the 'Application Map' feature to visualize dependencies and endpoints.
D. Configure Smart Detection to automatically identify slow API endpoints.
Answer: B

The Performance blade is specifically designed for this purpose. It shows the top operations (requests) by their average duration over a selected time range, along with request count and other metrics.

Why this answer

Option B is correct because the 'Performance' blade in Application Insights provides a pre-built, optimized view that automatically aggregates request data by endpoint URL, displaying average response time and request count. It allows you to sort by average duration to quickly identify the top 5 slowest API endpoints over the last 7 days without writing any custom query.

Exam trap

The trap here is that candidates often assume Log Analytics is always the best tool for any custom aggregation, overlooking that Application Insights provides purpose-built blades (like Performance) that offer the same functionality with zero query effort and faster results.

How to eliminate wrong answers

Option A is wrong because while Log Analytics can query the 'requests' table, it requires writing a Kusto query manually (e.g., 'requests | summarize avg(duration) by url | top 5 by avg_duration desc'), which is more complex and time-consuming than using the built-in Performance blade. Option C is wrong because the Application Map visualizes dependencies and call flows between components, not aggregated performance metrics like average response time and request count for endpoints. Option D is wrong because Smart Detection is an automated alerting feature that proactively identifies anomalies (e.g., sudden degradation), not a tool for manually querying historical top-N slowest endpoints over a fixed period.

965
MCQ (medium)

You are developing a solution that processes large files uploaded by users to Azure Blob Storage. Each file must be validated for malware using Microsoft Defender for Cloud Apps before being moved to a different container for further processing. The validation can take several minutes. What is the most cost-effective and scalable approach?

A. Use Azure Event Grid to trigger an Azure Function on blob creation, which validates the file and moves it after scan.
B. Use the Azure SDK to poll for new blobs from within a continuously running background service.
C. Use an Azure VM running a scheduled task to poll for new blobs and perform validation.
D. Use Azure Logic Apps with a recurrence trigger to check for new blobs and call the Microsoft Defender API.
Answer: A

Event-driven, serverless, and cost-effective.

Why this answer

Azure Event Grid can trigger an Azure Function when a blob is created. The function can use Defender for Cloud Apps (or Microsoft Defender XDR) to scan the file. This is event-driven, scalable, and cost-effective.

Option A is correct. Option C is incorrect because using a VM would require manual scaling and incur costs even when idle. Option D is incorrect because Logic Apps may be more expensive for long-running operations. Option B is incorrect because SDK polling is inefficient and not real-time.

966
MCQ (medium)

A developer exposes several backend APIs through Azure API Management. Clients must be throttled by subscription to protect the backend. What should be configured?

A. Blob soft delete
B. Application Insights sampling
C. Private DNS zone only
D. API Management rate-limit or quota policy
Answer: D

APIM policies can enforce rate limits and quotas per subscription or caller.

Why this answer

Option D is correct because Azure API Management provides built-in rate-limit and quota policies that allow you to throttle client requests based on subscription keys. These policies enforce limits per subscription scope, protecting backend services from excessive traffic by rejecting requests that exceed the defined rate (e.g., requests per second) or quota (e.g., total calls per month). This directly addresses the requirement to throttle clients by subscription.

Exam trap

The trap here is that candidates may confuse telemetry or storage features (like Application Insights sampling or Blob soft delete) with API throttling mechanisms, overlooking that API Management's rate-limit and quota policies are the correct and direct solution for subscription-based throttling.

How to eliminate wrong answers

Option A is wrong because Blob soft delete is an Azure Storage feature that protects blob data from accidental deletion by retaining deleted blobs for a specified retention period; it has no role in API throttling or subscription-based rate limiting. Option B is wrong because Application Insights sampling is a telemetry feature that reduces data ingestion volume by selecting a percentage of events to analyze; it does not enforce any request throttling or access control on API calls. Option C is wrong because a Private DNS zone only is used for custom domain name resolution within a virtual network, not for implementing API rate limits or subscription-based throttling.

967
MCQ (easy)

You are building a solution that needs to send millions of events per second to Azure for processing. Which Azure service should you use to ingest the events?

A. Azure Service Bus
B. Azure Event Hubs
C. Azure IoT Hub
D. Azure Notification Hubs
Answer: B

Event Hubs is a big data streaming platform and event ingestion service.

Why this answer

Azure Event Hubs is designed for high-throughput data ingestion, capable of handling millions of events per second. Option A is wrong because Service Bus is for enterprise messaging with lower throughput. Option C is wrong because IoT Hub is for IoT device connectivity. Option D is wrong because Notification Hubs is for push notifications.

968
MCQ (hard)

Your company has an on-premises Windows service that exposes a custom TCP endpoint. You are building an Azure Logic App that needs to send data to this endpoint. Due to network security policies, you cannot open inbound ports in the firewall. You need to establish a secure bidirectional connection without configuring a VPN. Which Azure service should you use?

A. Azure API Management with on-premises gateway
B. Azure Relay Hybrid Connections
C. Azure Application Gateway with private link
D. Azure ExpressRoute
Answer: B

Correct. Hybrid Connections allow secure, outbound-only connections from on-premises to Azure, suitable for any TCP-based protocol.

Why this answer

Azure Relay Hybrid Connections enable secure bidirectional communication between on-premises services and cloud applications without opening inbound firewall ports. The on-premises service initiates an outbound connection to the Azure Relay over port 443 (HTTPS), and the Logic App sends data through the relay, which forwards it over the already-established outbound tunnel. This satisfies the requirement for a secure, bidirectional connection without VPN or inbound port exposure.

Exam trap

The trap here is that candidates often confuse Azure Relay with Azure API Management or Application Gateway, assuming they can handle arbitrary TCP traffic, but only Hybrid Connections provide the outbound-initiated tunnel required when inbound ports are blocked.

How to eliminate wrong answers

Option A is wrong because Azure API Management with on-premises gateway is designed for exposing and managing APIs, not for establishing a bidirectional TCP tunnel; it still requires inbound connectivity or a VPN for the gateway to reach the on-premises service. Option C is wrong because Azure Application Gateway with private link provides inbound HTTPS load balancing and private connectivity to Azure services, but it does not create an outbound-initiated tunnel to an on-premises TCP endpoint without opening inbound ports. Option D is wrong because Azure ExpressRoute establishes a dedicated private network connection between on-premises and Azure, which requires BGP routing and often firewall configuration, violating the 'no VPN' and 'no inbound ports' constraints.

969
MCQ (medium)

A company uses Azure Logic Apps to orchestrate workflows that process sensitive data. They need to ensure that workflow runs are logged and auditable, and that the logs are tamper-proof. Which Azure service should they use?

A. Azure Monitor Log Analytics workspaces.
B. Microsoft Sentinel.
C. Microsoft Purview Audit (Premium).
D. Azure Blob Storage with immutable storage policy.
Answer: C

Purview Audit provides tamper-proof audit logs with long-term retention.

Why this answer

Option C is correct because Microsoft Purview provides audit logging and data governance, including tamper-proof capabilities. Option A is wrong because Azure Monitor collects logs but does not guarantee that they are tamper-proof. Option B is wrong because Microsoft Sentinel is a SIEM, not a tamper-proof logging service. Option D is wrong because Azure Storage with immutable blobs can provide tamper-proof storage, but the question asks for a service that combines logging with tamper-proof retention.

970
MCQ (hard)

You are reviewing a lifecycle management rule configured on an Azure Storage account. The rule is defined as shown in the exhibit. You notice that blobs tagged with project=temp are not being moved to the Archive tier as expected. What is the most likely cause?

A. The rule does not include a filter for blob index tags.
B. The condition uses an incorrect operator for age.
C. The Archive tier is not supported for this storage account type.
D. Block blobs cannot be moved to the Archive tier.
Answer: B

'greaterThan' is not valid; should use 'daysAfterModificationGreaterThan'.

Why this answer

Option B is correct. The rule uses `"greaterThan": 90`, which is not a valid condition name. Lifecycle management supports `daysAfterModificationGreaterThan` or `daysAfterCreationGreaterThan`. The invalid condition causes the rule to fail, so no blobs are tiered. Option A is incorrect because blob index tag filters are supported. Option D is incorrect because block blobs support SetBlobTier and the Archive tier is available for them.
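The defect described in question 970, shown in a constructed lifecycle rule with a small linter that flags it and a fixer that renames the condition (added example, not from the question bank; the exhibit is not on the page, so the rule JSON is an assumption built from the explanation, and the set of accepted condition names is assumed from the current policy schema):

```python
"""Lint an Azure Storage lifecycle-management rule for an invalid age condition.

Added example, not part of the exam question bank. The rule below is constructed
to match the explanation: it uses "greaterThan" where the lifecycle policy schema
expects "daysAfterModificationGreaterThan" (or another supported condition name).
"""
import copy

# Condition names the lifecycle policy schema accepts (assumption: current schema).
VALID_CONDITIONS = {
    "daysAfterModificationGreaterThan",
    "daysAfterCreationGreaterThan",
    "daysAfterLastAccessTimeGreaterThan",
    "daysAfterLastTierChangeGreaterThan",
}

# Tier-change actions apply to block blobs only.
TIER_ACTIONS = {"tierToCool", "tierToCold", "tierToArchive"}

# Constructed rule reproducing the page's defect: the tag filter is present and
# correct, but the tierToArchive condition name is invalid.
BROKEN_RULE = {
    "enabled": True,
    "name": "archive-temp-project",
    "type": "Lifecycle",
    "definition": {
        "actions": {"baseBlob": {"tierToArchive": {"greaterThan": 90}}},
        "filters": {
            "blobTypes": ["blockBlob"],
            "blobIndexMatch": [{"name": "project", "op": "==", "value": "temp"}],
        },
    },
}


def lint_rule(rule: dict) -> list[str]:
    """Return a list of problems; an empty list means the rule looks valid."""
    problems = []
    definition = rule.get("definition", {})
    actions = definition.get("actions", {})
    filters = definition.get("filters", {})
    blob_types = set(filters.get("blobTypes", []))
    if not blob_types:
        problems.append("filters.blobTypes is required")
    for action_name, condition in actions.get("baseBlob", {}).items():
        if action_name in TIER_ACTIONS and "blockBlob" not in blob_types:
            problems.append(f"{action_name} only applies to blockBlob")
        for key in sorted(set(condition) - VALID_CONDITIONS):
            problems.append(f"{action_name}: '{key}' is not a valid condition")
        if not condition:
            problems.append(f"{action_name}: no condition given")
    for match in filters.get("blobIndexMatch", []):
        # Blob index tag filters support equality only.
        if match.get("op") != "==":
            problems.append(f"blobIndexMatch '{match.get('name')}': op must be '=='")
    return problems


def fix_rule(rule: dict) -> dict:
    """Return a copy where 'greaterThan' is renamed to the modification-age condition."""
    fixed = copy.deepcopy(rule)
    for condition in fixed["definition"]["actions"].get("baseBlob", {}).values():
        if "greaterThan" in condition:
            condition["daysAfterModificationGreaterThan"] = condition.pop("greaterThan")
    return fixed


if __name__ == "__main__":
    for problem in lint_rule(BROKEN_RULE):
        print("broken rule:", problem)
    print("fixed rule:", lint_rule(fix_rule(BROKEN_RULE)) or "no problems")
```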

971
MCQ (medium)

You are designing a solution to process thousands of images uploaded to Azure Blob Storage. Each image must be resized and metadata extracted. The processing must be serverless and cost-effective. Which Azure service should you use?

A. Azure Container Instances with Blob Storage SDK
B. Azure Logic Apps with Blob Storage connector
C. Azure Event Grid with Webhook to a custom service
D. Azure Functions with Blob Storage trigger
Answer: D

Functions provide serverless compute triggered by blob uploads.

Why this answer

Azure Functions with a Blob Storage trigger is the correct choice because it provides a serverless, event-driven compute model that automatically scales to process thousands of images as they are uploaded to Blob Storage. The trigger binds directly to a blob container, invoking a function for each new blob, which allows you to resize images and extract metadata without managing infrastructure, making it both cost-effective and efficient for high-throughput workloads.

Exam trap

The trap here is that candidates may choose Azure Event Grid (Option C) because it is event-driven, but they overlook that Event Grid alone does not provide compute; it requires a separate compute service (like Functions or a webhook) to process the image, and the question specifically asks for a serverless and cost-effective solution that directly processes the images, which Azure Functions with a Blob Storage trigger achieves natively.

How to eliminate wrong answers

Option A is wrong because Azure Container Instances requires you to manage container lifecycle and polling logic, and it is not inherently event-driven or serverless in the same way as Functions; you would need to implement a polling mechanism or use additional services to trigger processing, increasing complexity and cost. Option B is wrong because Azure Logic Apps is designed for orchestration and integration workflows, not for high-throughput, compute-intensive tasks like image resizing; it lacks the native code execution environment and scaling capabilities needed for processing thousands of images efficiently. Option C is wrong because Azure Event Grid with a Webhook to a custom service introduces additional latency and operational overhead, as you must host and manage a webhook endpoint (e.g., on a VM or container) that scales independently, negating the serverless and cost-effective benefits of a fully managed trigger like Blob Storage.

972
MCQ (medium)

You need to enable client-side encryption for data stored in Azure Blob Storage. The encryption keys must be managed by your organization using Azure Key Vault. What should you use?

A. Azure Disk Encryption
B. Azure Information Protection
C. Azure Storage service-side encryption with customer-managed keys
D. Azure Storage client-side encryption library with Key Vault
Answer: D

Enables client-side encryption with customer-managed keys.

Why this answer

Option D is correct because client-side encryption requires the application to encrypt data before uploading it to Azure Blob Storage, and the Azure Storage client-side encryption library integrates with Azure Key Vault to allow your organization to manage the encryption keys. This approach ensures that the storage service never has access to the plaintext data or the keys, meeting the requirement for client-side encryption with customer-managed keys.

Exam trap

The trap here is confusing client-side encryption (where the client encrypts before sending) with service-side encryption (where the service encrypts after receiving), leading candidates to incorrectly choose service-side encryption with customer-managed keys (Option C) even though it does not meet the 'client-side' requirement.

How to eliminate wrong answers

Option A is wrong because Azure Disk Encryption uses BitLocker (Windows) or DM-Crypt (Linux) to encrypt virtual machine disks at the OS and data disk level, not client-side encryption of blob data. Option B is wrong because Azure Information Protection is a classification and labeling solution for documents and emails, not a mechanism for encrypting blob storage data at the client side. Option C is wrong because Azure Storage service-side encryption with customer-managed keys encrypts data at the storage service layer after it is received, not at the client side before transmission, so the service still handles the plaintext data.

973
MCQ (medium)

You are monitoring an Azure Web App with Application Insights. You notice that certain requests have high server response times. You need to identify which specific database queries are causing the delays. Which Application Insights feature should you use?

A. Application Insights Profiler
B. Live Metrics Stream
C. Performance blade
D. Application Map
Answer: A

Correct. Profiler traces end-to-end requests, showing the duration of each dependency call, including database queries, at the individual query level.

Why this answer

Application Insights Profiler is the correct feature because it provides detailed, code-level diagnostics for requests with high server response times, including per-operation breakdowns of database query durations. It captures execution traces that show exactly which SQL queries or external calls are contributing to latency, enabling you to pinpoint the specific database queries causing delays.

Exam trap

The trap here is that candidates often confuse the Performance blade (which shows aggregated dependency durations) with the Profiler (which provides per-request, code-level traces), leading them to choose the Performance blade when they need to identify specific slow queries rather than overall trends.

How to eliminate wrong answers

Option B (Live Metrics Stream) is wrong because it shows real-time metrics like request rate and failure counts but does not provide per-query profiling or detailed database query timings. Option C (Performance blade) is wrong because it aggregates performance data (e.g., average response times, dependency durations) but lacks the granular, per-request trace-level detail needed to identify specific slow queries. Option D (Application Map) is wrong because it visualizes the topology and dependencies of your application components but does not drill into individual query execution times or provide profiling data.

974
Multi-Select (medium)

Which TWO actions should you take to reduce the cost of an Azure App Service plan that is underutilized?

Select 2 answers
A. Deploy the application to a different region
B. Enable auto-scaling
C. Purchase Reserved Instances
D. Scale out to fewer instances
E. Scale down the App Service plan to a lower tier
Answers: D, E

Fewer instances reduce cost.

Why this answer

Options D and E are correct. Scaling down to a lower tier reduces cost. Scaling to fewer instances also reduces cost.

Option B is wrong because enabling auto-scaling may increase cost if it scales out. Option C is wrong because Reserved Instances require a commitment. Option A is wrong because deploying to a different region may not reduce cost.

975
MCQ (hard)

You are configuring a managed identity for an Azure App Service to access Azure Key Vault. The identity has been assigned, but the app receives a 403 Forbidden when trying to retrieve a secret. What is the most likely cause?

A. The app is using the wrong endpoint
B. The managed identity is not enabled in the App Service
C. The managed identity lacks an access policy or RBAC role in Key Vault
D. The Key Vault firewall is blocking the request
Answer: C

Access policies or RBAC roles are required to authorize the identity to read secrets.

Why this answer

The managed identity must be granted explicit access via an access policy or RBAC role in Key Vault. Simply assigning the identity does not grant access.
