Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 976–997

997 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976
MCQ · hard

A company runs a critical web app on Azure App Service that must handle traffic spikes without downtime. They set up autoscaling rules based on CPU percentage. However, during a spike, the app becomes unresponsive before new instances are added. What should they do?

A. Switch to memory-based autoscaling
B. Decrease the scale-in cooldown period
C. Use pre-warming instances with a scheduled scaling rule
D. Increase the CPU percentage threshold for scale-out
Answer: C

Pre-warming ensures instances are ready before the spike.

Why this answer

Option C is correct because pre-warming instances with a scheduled scaling rule ensures that additional instances are already running and ready to handle traffic before the CPU spike occurs. This avoids the cold-start delay inherent in reactive autoscaling, where new instances take time to provision and initialize, causing unresponsiveness during rapid spikes.

Exam trap

The trap here is that candidates assume reactive autoscaling (e.g., lowering thresholds or changing metrics) can solve latency issues, but they overlook the fundamental cold-start delay that requires proactive instance pre-warming.

How to eliminate wrong answers

Option A is wrong because switching to memory-based autoscaling does not address the fundamental issue of reactive scaling latency; the app would still become unresponsive while waiting for new instances to start. Option B is wrong because decreasing the scale-in cooldown period affects how quickly instances are removed after a scale-out, not how fast new instances are added during a spike, so it does not prevent the initial unresponsiveness. Option D is wrong because increasing the CPU percentage threshold for scale-out would delay scaling even further, making the app more likely to become unresponsive during a spike.

977
Multi-Select · easy

Which TWO of the following are benefits of using Azure Key Vault to store application secrets?

Select 2 answers
A. Centralized management of secrets with access policies.
B. Improved application performance by caching secrets.
C. Integration with Azure DevOps for automatic secret rotation in pipelines.
D. Automatic encryption of secrets at rest and in transit.
E. Auditing of secret access through Azure Monitor and Log Analytics.
Answers: A, E

Key Vault centralizes secret storage.

Why this answer

Key Vault provides centralized secret management with access control and auditing. Option A and D are correct. Option B is wrong because Key Vault does not improve performance.

Option C is wrong because secrets are encrypted at rest. Option E is wrong because Key Vault is not a CI/CD tool.

978
MCQ · hard

You are using Azure API Management (APIM) to expose a REST API. The backend API requires mutual TLS (client certificate) for authentication. The client certificate is stored in Azure Key Vault. You need to configure APIM to use this certificate when calling the backend, without exposing the certificate contents in the policy files. Which APIM feature and policy should you use?

A. Use the authentication-certificate policy with a named value that references the Key Vault certificate.
B. Use the authentication-managed-identity policy to authenticate to the backend.
C. Upload the client certificate directly to APIM's Certificate store and reference it in the policy.
D. Use a JavaScript policy to fetch the certificate from Key Vault and attach it.
Answer: A

Named values can securely reference a certificate from Key Vault. The authentication-certificate policy uses the named value to attach the certificate to the backend request.

Why this answer

Option A is correct because the `authentication-certificate` policy in Azure API Management can reference a client certificate stored in Azure Key Vault via a named value. Named values securely store secrets and can point to Key Vault certificates without exposing the certificate contents in policy files. This allows APIM to present the certificate during mutual TLS authentication to the backend API.

Exam trap

The trap here is that candidates may confuse the `authentication-managed-identity` policy with certificate-based authentication, or assume that uploading the certificate directly to APIM is equivalent to using Key Vault, but the question explicitly requires avoiding exposure of certificate contents in policy files, which only the named value approach with Key Vault reference achieves.

How to eliminate wrong answers

Option B is wrong because `authentication-managed-identity` policy authenticates APIM to a backend using Azure AD tokens, not client certificates; it cannot satisfy mutual TLS requirements. Option C is wrong because uploading the certificate directly to APIM's Certificate store exposes the certificate contents in the APIM instance and requires manual management, whereas the requirement is to avoid exposing certificate contents in policy files and leverage Key Vault. Option D is wrong because using a JavaScript policy to fetch the certificate from Key Vault would expose the certificate contents in the policy code and is not the recommended or secure approach; APIM provides built-in integration with Key Vault via named values.

979
MCQ · medium

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to call a downstream API on behalf of the signed-in user. Which OAuth 2.0 flow should you implement?

A. Client credentials flow
B. Implicit flow
C. Authorization code flow with PKCE
D. Device code flow
Answer: C

Authorization code flow with PKCE is the secure standard for user-authenticated API calls.

Why this answer

Option C is correct because the authorization code flow with PKCE is the recommended flow for single-page apps and native apps that need to call APIs on behalf of the user. Option A is wrong because the implicit flow is deprecated and less secure. Option B is wrong because client credentials is for non-user scenarios.

Option D is wrong because device code flow is for devices without browsers.

980
MCQ · medium

You need to implement a shared access signature (SAS) for an Azure blob container that allows a client to list blobs and read blob contents. The SAS must be valid for one hour and should not allow write or delete operations. Which permissions should you include in the SAS token?

A. r, l, and c
B. r and l
C. r, l, and d
D. r, l, and w
Answer: B

Read and list permissions are sufficient for the requirements.

Why this answer

Option B is correct because the SAS token needs 'r' (read) to allow reading blob contents and 'l' (list) to allow listing blobs in the container. These two permissions together satisfy the requirement for read-only access without write or delete capabilities.

Exam trap

The trap here is that candidates may confuse 'l' (list) with 'r' (read) or include 'c' (create) thinking it's needed for listing, but 'l' alone enables listing blobs in a container without requiring create permissions.

How to eliminate wrong answers

Option A is wrong because it includes 'c' (create), which allows creating new blobs, violating the requirement to not allow write operations. Option C is wrong because it includes 'd' (delete), which allows deleting blobs, violating the requirement to not allow delete operations. Option D is wrong because it includes 'w' (write), which allows writing blob content, violating the requirement to not allow write operations.

981
MCQ · medium

An application uses Azure Redis Cache to improve performance. The team notices that cache misses are high and the cache is not effectively reducing database load. What should they do to improve cache hit ratio?

A. Increase the cache size
B. Increase the time-to-live (TTL) for cached items
C. Implement cache-aside pattern with manual invalidation
D. Change the eviction policy to allkeys-lfu
Answer: B

Longer TTL keeps data in cache, reducing misses.

Why this answer

Increasing TTL keeps data in cache longer, reducing misses. Option A is wrong because increasing cache size does not guarantee better hit ratio. Option C is wrong because manual invalidation may increase misses.

Option D is wrong because eviction policy affects which data is removed, not hit ratio directly.

982
MCQ · easy

You develop an Azure Function that writes to Azure Blob Storage. During testing, you notice that the function fails intermittently with a 503 (Service Unavailable) error. What is the most likely cause?

A. The storage account is throttling requests due to high volume
B. The storage account firewall is blocking the function
C. The function does not have proper authentication
D. The blob container does not exist
Answer: A

503 errors often indicate throttling when exceeding scalability targets.

Why this answer

A 503 (Service Unavailable) error from Azure Blob Storage indicates that the storage service is temporarily unable to handle the request, typically due to server-side load. The most common cause is throttling when the storage account exceeds its scalability targets (e.g., 20,000 requests per second per account for blob storage). This aligns with intermittent failures under high request volume, not with configuration or existence issues.

Exam trap

The trap here is that candidates confuse HTTP status codes: 503 (Service Unavailable) is often mistaken for authentication or configuration errors, but it specifically indicates a server-side capacity issue, not a client-side misconfiguration.

How to eliminate wrong answers

Option B is wrong because a storage account firewall blocking the function would result in a 403 (Forbidden) or network-level error, not a 503. Option C is wrong because improper authentication (e.g., missing or invalid SAS token or managed identity) would produce a 401 (Unauthorized) or 403 error, not a 503. Option D is wrong because a missing blob container would cause a 404 (Not Found) error when attempting to write, not a 503.

983
MCQ · easy

Your web app hosted on Azure App Service needs to consume an external SaaS API that requires an API key. The key must be stored securely and rotated without redeploying the app. What is the best approach?

A. Store the API key in Azure SQL Database and query it at startup.
B. Store the API key in Azure Key Vault and use a managed identity to retrieve it.
C. Store the API key in a configuration file in the application code.
D. Store the API key in an App Service application setting.
Answer: D

App settings are encrypted and can be changed without redeployment; they are accessible via environment variables.

Why this answer

Option D is correct because App Service application settings are encrypted at rest and can be updated directly in the Azure portal or via CLI without redeploying the app. The app reads the setting at runtime from environment variables, making it easy to rotate the API key by simply changing the setting value. This approach satisfies the requirements of secure storage and rotation without redeployment.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing Azure Key Vault with managed identity (Option B) because it is the most secure option in general, but the question specifically asks for the 'best approach' given the constraints of secure storage and rotation without redeployment, and App Service application settings are the simplest and most direct solution that fully meets those requirements.

How to eliminate wrong answers

Option A is wrong because querying an Azure SQL Database at startup introduces unnecessary latency, complexity, and potential security exposure from connection strings, and it does not leverage Azure's built-in secure storage for secrets. Option B is wrong because while Azure Key Vault with managed identity is a highly secure approach, it is overkill for a single API key and requires additional code and configuration (e.g., using Key Vault references or SDK calls), whereas App Service application settings provide a simpler solution that still meets the requirements. Option C is wrong because storing the API key in a configuration file in the application code exposes the key in source control and prevents rotation without redeploying the app, violating both security and rotation requirements.

984
MCQ · medium

You are building an Azure Logic App that needs to call an external API secured with OAuth 2.0 client credentials flow. You have registered an application in Microsoft Entra ID with client ID 'myClientId' and client secret stored in Key Vault. Which action should you use to authenticate?

A. HTTP action with Active Directory OAuth authentication
B. HTTP action with Managed Identity authentication
C. Invoke the API through Azure API Management
D. Use the Microsoft Entra ID OAuth 2.0 connector
Answer: A

The HTTP action in Logic Apps can be configured with Active Directory OAuth, which handles the client credentials flow and token management.

Why this answer

Option A is correct because the HTTP action in Azure Logic Apps supports an 'Active Directory OAuth' authentication type that directly implements the OAuth 2.0 client credentials flow. By providing the tenant ID, client ID, and referencing the client secret from Key Vault (via a secure parameter or connection reference), the Logic App can obtain an access token from Microsoft Entra ID and authenticate to the external API without custom code.

Exam trap

The trap here is that candidates often confuse the 'Managed Identity' option (which works only for Azure resources that accept Microsoft Entra ID tokens directly) with the need to authenticate to an external third-party API, or they mistakenly look for a dedicated 'OAuth 2.0 connector' instead of using the HTTP action's built-in authentication type.

How to eliminate wrong answers

Option B is wrong because Managed Identity authentication is designed for Azure-to-Azure scenarios where the resource (e.g., Azure Storage, Key Vault) supports Microsoft Entra ID token-based auth; it cannot be used to authenticate to an arbitrary external API secured with OAuth 2.0 client credentials flow unless that API explicitly trusts the managed identity's token. Option C is wrong because invoking the API through Azure API Management does not solve authentication; API Management would still need to authenticate to the external API, and the Logic App would need to pass credentials or tokens to API Management, adding unnecessary complexity. Option D is wrong because the 'Microsoft Entra ID OAuth 2.0 connector' is a deprecated or non-existent connector; the correct approach is to use the HTTP action with the built-in Active Directory OAuth authentication type, not a separate connector.

985
MCQ · hard

Your company uses Azure Service Bus topics and subscriptions to send order notifications. You notice that some messages are not being delivered to a subscription. The subscription has a SQL filter that matches messages with a 'region' property equal to 'EU'. You verify that the messages have 'region' set to 'eu' (lowercase). What is the most likely cause?

A. The SQL filter is case-sensitive and 'EU' does not match 'eu'.
B. The subscription is disabled.
C. The subscription has no filter defined.
D. The subscription has a correlation filter instead.
Answer: A

SQL filters are case-sensitive by default.

Why this answer

Option B is correct because SQL filters in Service Bus are case-sensitive. Option A is wrong because the Action property does not affect filtering. Option C is wrong because the default filter is 'MatchAll', which would match all messages.

Option D is wrong because the subscription already exists.

986
MCQ · hard

You are developing a web API hosted on Azure App Service. The API must authenticate requests using Microsoft Entra ID OAuth 2.0 bearer tokens. You want to validate the token in your ASP.NET Core API code with minimal custom validation logic. Which library should you use?

A. Microsoft Authentication Library (MSAL)
B. Azure Identity client library
C. Microsoft.Identity.Web
D. Azure Management Libraries for .NET
Answer: C

This library is designed for ASP.NET Core and simplifies the integration with Microsoft Entra ID, including token validation, claims mapping, and authorization policies.

Why this answer

Microsoft.Identity.Web is the correct choice because it provides a high-level, opinionated library that integrates directly with ASP.NET Core's authentication pipeline, handling token validation, scopes, and app roles with minimal custom code. It abstracts away the complexity of JWT bearer token validation against Microsoft Entra ID, including automatic OpenID Connect discovery and token signature verification.

Exam trap

The trap here is that candidates often confuse MSAL (for token acquisition) with Microsoft.Identity.Web (for token validation), or assume the Azure Identity library handles all authentication scenarios, when it is actually focused on service-to-service authentication and Azure SDK credentials.

How to eliminate wrong answers

Option A is wrong because MSAL is designed for acquiring tokens from Microsoft Entra ID, not for validating incoming bearer tokens in a web API. Option B is wrong because the Azure Identity client library provides credential types for authenticating to Azure services, not for validating OAuth 2.0 bearer tokens in an ASP.NET Core API. Option D is wrong because Azure Management Libraries for .NET are used for managing Azure resources (e.g., creating VMs, configuring App Service), not for token validation.

987
MCQ · medium

Your app uses Azure Key Vault to store secrets. You need to grant the app access to read secrets using managed identity. Which RBAC role should you assign to the app's managed identity?

A. Key Vault Crypto Officer
B. Key Vault Reader
C. Key Vault Contributor
D. Key Vault Secrets User
Answer: D

This role allows reading secret values.

Why this answer

Key Vault Secrets User is the least-privilege role for reading secrets. Option A is wrong because Key Vault Reader only allows listing secrets, not reading values. Option C is wrong because Key Vault Contributor allows management.

Option D is wrong because Key Vault Crypto Officer is for cryptographic keys.

988
MCQ · medium

After deploying a new version to the staging slot and swapping to production, users report a 60-second spike in 503 errors. The application takes 45 seconds to initialize its connection pools and caches before it can serve traffic. What is the root cause, and what should the developer configure to prevent this?

A. Configure Application Initialization in the App Service settings so the swap waits for the warm-up path to return 200 before redirecting production traffic
B. Roll back the slot swap and investigate the new version for bugs that only appear in production
C. Increase the App Service health check grace period so the load balancer waits longer after the swap
D. Disable Always On for the staging slot so the slot starts fresh on every swap
Answer: A

Application Initialization instructs the App Service platform to send a warm-up request to a configured URL path after the slot starts and before the swap completes. The platform holds traffic on the old slot until the warm-up succeeds. This makes swaps zero-downtime even for applications with long initialization times.

Why this answer

The root cause is that the swap operation immediately redirects production traffic to the new slot before the application has finished its 45-second initialization (connection pools, caches). Application Initialization (warm-up) in Azure App Service can be configured to send a request to a specified path and wait for a 200 response before completing the swap, ensuring the app is ready to serve traffic. This eliminates the 503 errors by preventing the swap from routing users to an uninitialized instance.

Exam trap

The trap here is that candidates confuse the health check feature (which monitors instance health after traffic is routed) with Application Initialization (which delays the swap until the app is ready), leading them to incorrectly choose Option C.

How to eliminate wrong answers

Option B is wrong because the issue is not a bug in the new version—the application initializes successfully after 45 seconds, and the 503 errors only occur during the swap window, indicating a warm-up timing problem, not a code defect. Option C is wrong because the health check grace period controls how long the load balancer waits before marking an instance as unhealthy after a failed health check; it does not delay the swap itself or wait for the app to initialize before routing traffic. Option D is wrong because disabling Always On would cause the staging slot to cold-start on every swap, which would actually increase initialization time and worsen the 503 spike, not prevent it.

989
Matching · medium

Match each Azure authentication mechanism to its description.

Concepts
Matches

Automated identity for Azure resources without secrets

Identity for applications to access Azure resources

Delegated access token with limited permissions

Identity service for customer-facing applications

Why these pairings

These are key authentication methods in Azure.

990
MCQ · easy

A developer is building a function app that processes messages from an Azure Storage queue. The function must scale automatically based on queue length. Which hosting plan supports this automatic scaling?

A. Consumption plan
B. Premium plan
C. App Service plan
D. Azure Container Instances
Answer: A

Automatically scales based on event-driven triggers.

Why this answer

Consumption plan (option D) automatically scales based on triggers. Premium plan (A) also scales but has pre-warmed instances. App Service plan (B) does not auto-scale based on queue length.

Container Instances (C) is not for functions.

991
MCQ · easy

Your application runs on Azure App Service and needs to access Azure Queue Storage. You want to avoid storing connection strings in configuration files. Which approach should you use?

A. Hardcode the connection string in the application code.
B. Use a system-assigned managed identity with RBAC role 'Storage Queue Data Contributor' on the queue.
C. Use an environment variable in the App Service configuration.
D. Store the connection string in Azure Key Vault and retrieve it at runtime using Key Vault references.
Answer: B

Managed identity avoids storing credentials and provides secure access.

Why this answer

Option B is correct because using a system-assigned managed identity for an Azure App Service allows it to authenticate to Azure Queue Storage without any stored secrets. By assigning the 'Storage Queue Data Contributor' RBAC role, the app gains the necessary permissions to read, write, and delete queue messages, and the identity is automatically managed by Azure AD, eliminating the need for connection strings.

Exam trap

The trap here is that candidates often choose Key Vault references (Option D) thinking it's the most secure, but fail to recognize that managed identity eliminates the need for any secret at all, which is the true 'zero-trust' approach tested in AZ-204.

How to eliminate wrong answers

Option A is wrong because hardcoding a connection string in application code violates security best practices, exposes secrets in source control, and makes rotation difficult. Option C is wrong because while environment variables in App Service configuration avoid hardcoding, they still store the connection string as plaintext in the Azure portal and are not a zero-secret solution. Option D is wrong because although Key Vault references improve security by storing the connection string in a vault, they still require a connection string to be stored and retrieved, whereas managed identity eliminates the need for any secret entirely.

992
MCQ · medium

Your company uses Azure Key Vault to store secrets. You need to ensure that only a specific Microsoft Entra ID application can read a particular secret, while other applications are denied access. You want to apply the principle of least privilege. Which access control method should you configure?

A. Assign the application to the Key Vault Contributor RBAC role
B. Assign the application to the Key Vault Secrets User RBAC role at the secret scope
C. Use Key Vault access policies
D. Use managed identity and assign the Key Vault Secrets User role at the vault scope
Answer: B

This role allows read access to secrets. By assigning it at the individual secret scope (instead of vault scope), you restrict access to only that secret.

Why this answer

Option B is correct because Azure RBAC allows you to assign the Key Vault Secrets User role at the secret scope, which grants read access exclusively to the specified Microsoft Entra ID application for that particular secret. This aligns with the principle of least privilege by restricting access to only the necessary secret, without granting broader permissions at the vault level.

Exam trap

The trap here is that candidates often confuse vault-scoped access policies or RBAC roles with secret-scoped RBAC, mistakenly thinking they can achieve per-secret isolation with access policies, when in fact only RBAC at the secret scope provides that granularity.

How to eliminate wrong answers

Option A is wrong because the Key Vault Contributor RBAC role grants management-level permissions (e.g., creating and deleting secrets) rather than read access, violating the least privilege requirement. Option C is wrong because Key Vault access policies operate at the vault scope and cannot be scoped to an individual secret; they would grant the application access to all secrets in the vault. Option D is wrong because assigning the Key Vault Secrets User role at the vault scope grants read access to all secrets in the vault, not just the specific secret, and using a managed identity is unnecessary when a specific application identity is already specified.

993
MCQ · medium

You are developing a web app that experiences intermittent slow responses. You enable Application Insights and notice that the server-side request duration is normally under 200ms, but some requests take over 5 seconds. Which diagnostic tool should you use to identify the root cause?

A. Availability Tests
B. Application Insights Profiler
C. Snapshot Debugger
D. Live Metrics Stream
Answer: B

Profiler traces code-level performance to identify slow operations.

Why this answer

Option B is correct because Profiler traces the specific line of code that causes slow requests. Option A (Snapshot Debugger) is for exceptions, not performance. Option C (Live Metrics) shows real-time data but doesn't pinpoint code.

Option D (Availability Tests) checks endpoint availability, not performance.

994
MCQ · medium

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The design must avoid adding custom operational scripts.

A. Password hash synchronization
B. Delegated permissions only
C. Device code flow
D. Application permissions with client credentials flow
Answer: D

Application permissions allow daemon apps to act as themselves without a user context.

Why this answer

Application permissions with the client credentials flow are required because the background service must call Microsoft Graph without a signed-in user. This flow uses OAuth 2.0 client credentials grant (RFC 6749) where the service authenticates as itself using a client secret or certificate, not on behalf of a user. Delegated permissions (Option B) always require a signed-in user context, making them unsuitable for unattended background services.

Exam trap

The trap here is that candidates confuse 'delegated permissions' (which require a user) with 'application permissions' (which do not), often selecting Option B because they think 'permissions' alone suffices, ignoring the 'without a signed-in user' constraint.

How to eliminate wrong answers

Option A is wrong because password hash synchronization is an Azure AD Connect feature for syncing user password hashes to Azure AD, not a permission model for calling Microsoft Graph. Option B is wrong because delegated permissions require a signed-in user to delegate the service's access; a background service without a user cannot use delegated permissions. Option C is wrong because the device code flow is designed for devices with limited input capabilities (e.g., smart TVs, IoT) and still requires a signed-in user to authenticate interactively, not suitable for an unattended background service.

995
Multi-Select · medium

You are developing a background job that runs every hour to process data from an Azure SQL database and send notifications via SendGrid. The job must be serverless and cost-effective, and must automatically retry on failure. Which TWO options meet the requirements?

Select 2 answers
A. Azure Scheduler
B. Azure Functions with Timer trigger
C. Azure Batch with a schedule
D. Azure WebJobs with TimerTrigger
E. Azure Logic Apps with Recurrence trigger
Answers: B, E

Serverless, cost-effective, and supports automatic retries via the configured retry policy.

Why this answer

Azure Functions with a Timer trigger is correct because it provides a serverless, cost-effective compute model that runs on a schedule (e.g., every hour) without managing infrastructure. It integrates with Azure SQL via built-in bindings and supports automatic retry on failure through the host's retry policy or by implementing custom retry logic in code, meeting the requirements for a background job.

Exam trap

The trap here is that candidates often confuse Azure WebJobs with TimerTrigger (which requires an App Service plan and is not serverless) with Azure Functions Timer trigger (which is serverless), leading them to incorrectly select WebJobs as a cost-effective serverless option.

996
MCQ · medium

You need to store temperature readings from IoT devices in Azure Table Storage. Each reading includes a device ID (string), timestamp (datetime), temperature value, and location. You must optimize for the query: "Retrieve all temperature readings for a specific device ID within a given one-hour time range." Which PartitionKey and RowKey combination should you use?

A. PartitionKey = DeviceId, RowKey = Timestamp
B. PartitionKey = Location, RowKey = DeviceId
C. PartitionKey = Temperature, RowKey = Timestamp
D. PartitionKey = DeviceId + Timestamp, RowKey = empty
Answer: A

DeviceId as PartitionKey allows direct partition access, and Timestamp as RowKey enables efficient range scanning for the time window.

Why this answer

Option A is correct because Azure Table Storage queries are most efficient when the PartitionKey and RowKey are chosen to match the query pattern. By using DeviceId as the PartitionKey, all readings for a specific device are stored in the same partition, enabling fast partition-level scans. Using Timestamp as the RowKey allows efficient range queries within a one-hour window using RowKey comparisons, which is the optimal design for time-range queries on a single device.

Exam trap

The trap here is that candidates often choose Option D, thinking that a composite PartitionKey will improve query performance, but in Azure Table Storage, a composite key in PartitionKey actually creates unique partitions per row, which prevents efficient range queries and forces point lookups, making it worse for time-range queries.

How to eliminate wrong answers

Option B is wrong because Location as PartitionKey scatters data across partitions, requiring a full table scan to filter by DeviceId and timestamp, which is inefficient. Option C is wrong because Temperature as PartitionKey is meaningless for the query; it does not group data by device, and timestamp as RowKey still requires scanning multiple partitions for a single device. Option D is wrong because concatenating DeviceId and Timestamp into PartitionKey creates a unique partition per reading, eliminating the benefit of partition-level grouping and forcing point queries instead of efficient range scans; an empty RowKey also violates the requirement that RowKey must be unique within a partition.

997
Multi-Select · hard

Which TWO services can be used to manage secrets and certificates for applications running on Azure? (Choose two.)

Select 2 answers
A. Azure Key Vault
B. Azure App Configuration
C. Azure Automation
D. Azure Active Directory Certificate Services
E. Azure Policy
Answers: A, B

Key Vault is the centralized secret and certificate management service.

Why this answer

Options A and D are correct. Azure Key Vault is the primary service for secrets and certificates. Azure App Configuration can also store secrets as Key Vault references or encrypted values.

Option B is wrong because Certificate Services is for issuing certificates, not management. Option C is wrong because Azure Automation stores credentials in runbooks, not a general-purpose secret store. Option E is wrong because Azure Policy is for compliance.
