Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 76-150

997 questions total · 14pages · All types, answers revealed

Page 2 of 14
Question 76 · MCQ · medium

Refer to the exhibit. You run the Azure CLI command to check if blob encryption is enabled for a storage account. The command returns 'false'. However, you know that Azure Storage encrypts all data at rest by default. What is the explanation?

A. The storage account was created with Azure Disk Encryption instead
B. The command is querying the wrong property; use 'encryption.requireInfrastructureEncryption'
C. The property 'encryption.services.blob.enabled' refers to customer-managed key encryption, not the default encryption
D. The storage account is in a region that does not support encryption

Answer: C

When using Microsoft-managed keys, this property is false; encryption is still active.

Why this answer

Option C is correct because the property `encryption.services.blob.enabled` in the Azure CLI command `az storage account show` specifically indicates whether customer-managed keys (CMK) are enabled for blob encryption, not whether the default Microsoft-managed key encryption is active. Azure Storage automatically encrypts all data at rest using Microsoft-managed keys, and this default encryption is always enabled and cannot be disabled. The command returns 'false' because CMK has not been configured, but the underlying default encryption is still in effect.

Exam trap

The trap here is that candidates assume the `encryption.services.blob.enabled` property reflects the presence of any encryption (including default encryption), when in fact it only indicates whether customer-managed keys are in use, leading them to incorrectly conclude that encryption is disabled.

How to eliminate wrong answers

Option A is wrong because Azure Disk Encryption is a separate feature for encrypting OS and data disks of virtual machines, not for Azure Storage blob encryption, and it does not affect the `encryption.services.blob.enabled` property. Option B is wrong because `encryption.requireInfrastructureEncryption` is a different property that controls double encryption (infrastructure encryption) at the storage account level, not the blob encryption setting queried by the command. Option D is wrong because all Azure Storage accounts in all regions support default encryption at rest; there is no region that lacks this capability.

Question 77 · MCQ · hard

You are creating an Azure Container Instance using the Azure CLI command shown in the exhibit. The container needs to connect to a SQL database. After running the command, you notice that the DB_PASSWORD environment variable is visible in the container's logs. What is the most likely reason?

A. The --secure-environment-variables flag is misspelled.
B. The --secure-environment-variables flag is not supported for ACI.
C. The DB_PASSWORD value contains special characters that were not escaped.
D. The container image logs environment variables at startup, exposing the secure variable.

Answer: D

Secure environment variables are not visible in the Azure portal or CLI, but if the container logs them, they are exposed.

Why this answer

Option D is correct because the `--secure-environment-variables` flag in Azure CLI for Azure Container Instances does not prevent the values from being logged by the container itself. The flag only masks the values in the Azure portal and CLI output, but if the container image explicitly logs environment variables at startup (e.g., via a startup script or application code), the secure variable will be exposed in the container logs. The issue is not with Azure's handling but with the container image's behavior.

Exam trap

The trap here is that candidates assume `--secure-environment-variables` fully protects the variable from any exposure, but it only masks it in Azure's management plane, not from the container's own logging or process environment.

How to eliminate wrong answers

Option A is wrong because the correct flag is `--secure-environment-variables` (with a hyphen), and the exhibit shows it spelled correctly; a misspelling would cause a CLI parsing error, not silent exposure in logs. Option B is wrong because `--secure-environment-variables` is indeed supported for ACI (since API version 2018-10-01) and correctly masks values in Azure CLI output and portal. Option C is wrong because special characters in environment variable values require proper escaping in the shell command, but this would cause a syntax error or incorrect value assignment, not exposure in logs after successful deployment.

Question 78 · MCQ · medium

Your organization runs a critical e-commerce application on Azure App Service. The application uses a Standard App Service plan with three instances. During a flash sale, traffic spikes cause some requests to fail with HTTP 503 errors. The operations team reports that the app's CPU usage reaches 95% during spikes. You need to ensure the application remains responsive without manual intervention. The solution must minimize cost while handling unpredictable traffic patterns. You evaluate the following options: A) Enable autoscale to scale out based on CPU usage threshold of 70%, with a maximum of 10 instances. B) Change the App Service plan to Premium v3 and enable zone redundancy. C) Implement a queue-based load leveling pattern using Azure Queue Storage and a background process. D) Use Azure Front Door with a Web Application Firewall (WAF) policy to distribute traffic. Which option should you recommend?

A. Use Azure Front Door with a Web Application Firewall (WAF) policy to distribute traffic.
B. Enable autoscale to scale out based on CPU usage threshold of 70%, with a maximum of 10 instances.
C. Implement a queue-based load leveling pattern using Azure Queue Storage and a background process.
D. Change the App Service plan to Premium v3 and enable zone redundancy.

Answer: B

Autoscale handles spikes cost-effectively.

Why this answer

Option B is correct because enabling autoscale on the Standard App Service plan allows the application to automatically scale out from 3 to up to 10 instances when CPU exceeds 70%, handling traffic spikes without manual intervention. This minimizes cost by only adding instances when needed, and the Standard plan supports autoscale natively, making it the most cost-effective solution for unpredictable traffic patterns.

Exam trap

The trap here is that candidates often confuse traffic distribution solutions (like Azure Front Door) with scaling solutions, or assume that upgrading the plan is necessary for high availability, when autoscale on the existing Standard plan is the most cost-effective and direct fix for CPU-driven 503 errors.

How to eliminate wrong answers

Option A is wrong because Azure Front Door with WAF is a global load balancer and security layer that distributes traffic across endpoints but does not scale the underlying App Service instances; it would not resolve CPU saturation causing 503 errors. Option C is wrong because a queue-based load leveling pattern decouples request processing but introduces latency and complexity for a synchronous e-commerce application where users expect immediate responses, and it does not directly address CPU spikes on the web tier. Option D is wrong because changing to Premium v3 and enabling zone redundancy improves availability and performance but significantly increases cost and does not provide dynamic scaling based on CPU usage; it is overprovisioning for unpredictable spikes.

Question 79 · MCQ · medium

You have an order processing system using Azure Service Bus. Each order generates multiple messages that must be processed in order and by the same consumer. Which Service Bus feature ensures this?

A. Message sessions
B. Topics and subscriptions
C. Dead-letter queues
D. Auto-forwarding

Answer: A

Correct. Sessions guarantee ordered, first-in-first-out (FIFO) delivery and that messages in a session are handled by a single consumer.

Why this answer

Message sessions in Azure Service Bus enable ordered, sequential processing of related messages by a single consumer. When messages belong to the same session, they are guaranteed to be delivered in order and are locked to a single consumer until the session is complete, ensuring that all messages for a given order are processed by the same consumer without interleaving.

Exam trap

The trap here is that candidates often confuse topics/subscriptions (which handle fan-out messaging) with the need for ordered, single-consumer processing, not realizing that only sessions provide the required ordering and consumer affinity.

How to eliminate wrong answers

Option B is wrong because topics and subscriptions implement a publish/subscribe pattern, which broadcasts messages to multiple subscribers and does not guarantee ordered delivery or single-consumer processing. Option C is wrong because dead-letter queues are used to hold messages that cannot be processed normally (e.g., due to exceeding max delivery count), not to enforce ordering or consumer affinity. Option D is wrong because auto-forwarding moves messages from one queue or subscription to another automatically, but it does not provide session-based ordering or ensure the same consumer processes all related messages.

Question 80 · Multi-Select · hard

A Blob Storage workflow for product images must prevent accidental overwrite and support recovery of prior versions. Which two features should be enabled?

Select 2 answers
A. SFTP support
B. Blob soft delete
C. Static website hosting
D. Blob versioning

Answers: B, D

Soft delete helps recover deleted blobs and versions within the retention period.

Why this answer

Blob soft delete (B) protects against accidental deletion or overwrite by retaining deleted blobs for a configurable retention period, allowing recovery. Blob versioning (D) automatically maintains prior versions of a blob, enabling restoration of any previous state. Together, they provide comprehensive protection against overwrites and support version recovery.

Exam trap

The trap here is that candidates may confuse SFTP support or static website hosting with data protection features, but neither provides versioning or soft-delete capabilities required for overwrite prevention and recovery.

Question 81 · Multi-Select · medium

A healthcare application stores patient diagnostic images in Azure Blob Storage. The images are accessed by radiologists worldwide. You need to reduce latency for image retrieval while maintaining security and compliance. Which TWO actions should you take?

Select 2 answers
A. Upgrade to Premium Block Blob storage.
B. Enable Azure CDN or Azure Front Door with caching rules.
C. Enable read-access geo-redundant storage (RA-GRS).
D. Use Azure Front Door with private link to the storage account.
E. Use Blob Storage lifecycle management to delete blobs after reading.

Answers: B, D

Caches content at edge locations globally, reducing latency.

Why this answer

Options B and D are correct. Enabling Azure CDN or Azure Front Door caches content at edge locations, reducing latency. Geo-redundant storage replicates data to another region but does not reduce read latency unless read access to the secondary is enabled (RA-GRS).

Option C (RA-GRS) provides a secondary read endpoint, but does not improve latency for all users globally. Option E incorrectly suggests deleting the blob after reading. Option A (Premium tier) improves performance but is costly and is not specifically aimed at global latency reduction.

Question 82 · MCQ · easy

Avanade is developing a .NET Core console application that runs on an Azure VM. The application needs to read a secret from Azure Key Vault. The VM has a system-assigned managed identity enabled. The managed identity has been granted 'Get' and 'List' permissions on the Key Vault secrets. The code uses the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages. Which code snippet should the developer use to authenticate to Key Vault?

A. var client = new SecretClient(new Uri(keyVaultUrl), new EnvironmentCredential());
B. var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
C. var client = new SecretClient(new Uri(keyVaultUrl), new ManagedIdentityCredential());
D. var client = new SecretClient(new Uri(keyVaultUrl), new ClientSecretCredential(tenantId, clientId, clientSecret));

Answer: B

Correct: DefaultAzureCredential will use system-assigned managed identity.

Why this answer

Use DefaultAzureCredential to automatically use the managed identity. Option B is correct. Option D uses ClientSecretCredential, which requires a secret.

Option C uses ManagedIdentityCredential but requires a client ID for user-assigned identities. Option A uses EnvironmentCredential, which requires environment variables.

Question 83 · Multi-Select · easy

Which TWO of the following are valid reasons to use Azure Table Storage instead of Azure Cosmos DB?

Select 2 answers
A. Global distribution with multi-master writes
B. Lower latency and higher throughput
C. Simpler API and no need for throughput provisioning
D. Lower cost for simple key-value workloads
E. Support for complex queries with indexing

Answers: C, D

Table Storage has a simpler model.

Why this answer

Option C is correct because Azure Table Storage offers a simpler REST API based on OData and does not require explicit throughput provisioning (RU/s). In contrast, Azure Cosmos DB requires you to configure request units per second for each container, which adds operational complexity. For simple key-value workloads, Table Storage's pay-per-query model with no reserved capacity is more straightforward.

Exam trap

The trap here is that candidates assume 'simpler' always means 'better performance,' but Azure Table Storage's simplicity comes at the cost of limited indexing and throughput, making it unsuitable for low-latency or complex query scenarios.

Question 84 · MCQ · easy

You are developing a microservices application that needs to send messages between services asynchronously. Which Azure service should you use to decouple the components and ensure reliable message delivery?

A. Azure Cosmos DB
B. Azure Service Bus
C. Azure Queue Storage
D. Azure Event Hubs

Answer: C

Queue Storage is a simple, scalable queue for asynchronous message passing.

Why this answer

Azure Queue Storage provides a simple, reliable message queue for asynchronous communication. Option B is wrong because Azure Service Bus offers more advanced features but is overkill for basic queuing. Option D is wrong because Azure Event Hubs is for big data streaming.

Option A is wrong because Azure Cosmos DB is a database, not a message queue.

Question 85 · MCQ · medium

Coho Vineyard has an Azure Logic App that processes orders. The workflow must call a third-party API that uses Basic authentication. The credentials (username and password) must be stored securely in Azure Key Vault. The Logic App uses a system-assigned managed identity. The managed identity has been granted 'Get' permission on the Key Vault secrets. Which approach should the team use to pass the credentials to the third-party API?

A. Use an HTTP connector with 'Active Directory OAuth' authentication. Provide the client ID and client secret.
B. Use managed identity authentication on the HTTP connector. The third-party API must support managed identity.
C. Store the username and password directly in the Logic App's connection settings for the HTTP connector.
D. Add a Key Vault connector step to retrieve the secret containing the password. Then use an HTTP connector with 'Basic' authentication type. In the authentication parameters, reference the secret for the password.

Answer: D

Correct: retrieves password from Key Vault, uses Basic auth.

Why this answer

Use an HTTP connector with Basic authentication. In the authentication settings, use 'Raw' authentication and construct the Basic header using the secret retrieved from Key Vault via a Key Vault connector. Option D is correct.

Option A uses OAuth, not Basic. Option C stores credentials in the Logic App configuration. Option B uses managed identity for the third-party API, which is not supported.

Question 86 · MCQ · medium

You have an Azure Front Door Premium instance with a Web Application Firewall (WAF) policy. The exhibit shows a custom rule. What is the effect of this rule?

A. Allows all traffic
B. Blocks traffic from 192.168.1.0/24 and 10.0.0.0/8
C. Blocks traffic that does NOT originate from 192.168.1.0/24 or 10.0.0.0/8
D. Allows traffic from 192.168.1.0/24 and 10.0.0.0/8

Answer: C

NegateCondition true inverts the match, so the rule blocks non-matching IPs.

Why this answer

Option C is correct because the rule blocks requests that do NOT originate from the specified IP ranges (negateCondition: true). Option D is wrong because it allows those IPs. Option B is wrong because it blocks only those IPs.

Option A is wrong because it allows all traffic, which is the opposite of what the rule does.

Question 87 · MCQ · easy

You need to deploy a container that runs a simple web server on Azure Container Instances. The container should be accessible via a public IP address. Which property should you set in the container group configuration?

A. ipAddress.type = "Public"
B. osType = "Linux"
C. restartPolicy = "Always"
D. volumes.mountPath = "/mnt"

Answer: A

This property explicitly requests a public IP address for the container group, enabling external access.

Why this answer

To make a container group accessible from the internet via a public IP address, you must set the `ipAddress.type` property to `"Public"`. This instructs Azure Container Instances to assign a public IP and optionally a fully qualified domain name (FQDN) to the container group, allowing inbound traffic from the internet to reach the container's exposed ports.

Exam trap

The trap here is that candidates often confuse operational settings like OS type or restart policy with networking configuration, mistakenly thinking they influence public accessibility, when in fact only the `ipAddress.type` property controls public IP assignment in Azure Container Instances.

How to eliminate wrong answers

Option B is wrong because `osType` (e.g., "Linux" or "Windows") determines the underlying operating system for the container, not its network accessibility; a public IP can be assigned regardless of the OS type. Option C is wrong because `restartPolicy` (e.g., "Always") controls whether the container restarts after it exits, not its network exposure; it does not affect public IP assignment. Option D is wrong because `volumes.mountPath` specifies where a volume is mounted inside the container for persistent storage, which has no bearing on making the container publicly reachable.

Question 88 · MCQ · medium

Refer to the exhibit. You are configuring a Key Vault key using an ARM template. What does this configuration achieve?

A. The key can only be used for encryption
B. The key size is 4096 bits
C. The key will be rotated 90 days before expiration
D. The key will be rotated 90 days after creation

Answer: D

timeAfterCreate: P90D triggers rotation 90 days after creation.

Why this answer

The rotation policy specifies that the key should be rotated 90 days after creation. Option A is wrong because the key has both encrypt and decrypt operations. Option B is wrong because the key size is 2048 bits, not 4096.

Option C is wrong because the policy triggers rotation based on time after creation, not expiration. Option D is correct.

Question 89 · MCQ · medium

An Azure Functions image resize worker must run for up to 30 minutes and uses a VNet integration feature. The team wants serverless scaling without managing virtual machines. Which hosting plan should be used? The design must avoid adding custom operational scripts.

A. App Service Free tier
B. Premium plan
C. Azure Batch pool
D. Consumption plan

Answer: B

The Premium plan supports longer execution duration, VNet integration, pre-warmed instances, and serverless scale.

Why this answer

The Premium plan is correct because it supports VNet integration, allows execution durations up to 30 minutes (unlike the Consumption plan's 10-minute default), and provides serverless scaling without requiring you to manage virtual machines or add custom operational scripts. It is the only plan that combines these capabilities for a long-running, VNet-connected function.

Exam trap

The trap here is that candidates often assume the Consumption plan is the only serverless option, forgetting that the Premium plan also provides serverless scaling with additional features like VNet integration and extended execution duration.

How to eliminate wrong answers

Option A is wrong because the App Service Free tier does not support VNet integration and has strict resource limits (e.g., 1 GB memory, 60 minutes of CPU per day) that cannot sustain a 30-minute image resize worker. Option C is wrong because Azure Batch requires you to manage a pool of virtual machines or use a job scheduler, which adds operational scripts and contradicts the requirement to avoid managing VMs. Option D is wrong because the Consumption plan has a maximum execution timeout of 10 minutes (the default is lower and can be raised only up to that limit) and does not support VNet integration without a dedicated plan.

Question 90 · Multi-Select · hard

Which THREE Azure services can be used to securely store and retrieve secrets, connection strings, and API keys for a cloud-native application?

Select 3 answers
A. Azure Blob Storage
B. Azure App Configuration
C. Azure Managed HSM
D. Azure Cosmos DB
E. Azure Key Vault

Answers: B, C, E

Correct: stores configuration and feature flags, can reference Key Vault.

Why this answer

Azure Key Vault, Azure App Configuration, and Azure Managed HSM are designed to store secrets and configuration securely. Azure Cosmos DB and Azure Blob Storage are not primarily for secret management.

Question 91 · Matching · medium

Match each Azure caching service to its description.

Descriptions

- In-memory data store based on Redis
- Content delivery network for static assets
- Global HTTP load balancer and web application firewall
- Regional HTTP load balancer with SSL termination

Why these pairings

These services improve performance and availability of applications.

Question 92 · MCQ · hard

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The design must avoid adding custom operational scripts.

A. Implicit flow
B. Client credentials flow
C. Resource owner password credentials flow
D. Authorization code flow with PKCE

Answer: D

PKCE protects public clients that cannot store secrets and is recommended for SPAs.

Why this answer

The authorization code flow with PKCE (Proof Key for Code Exchange) is the recommended OAuth 2.0 flow for single-page applications (SPAs) that cannot securely store a client secret. PKCE uses a dynamically generated cryptographic code verifier and challenge, ensuring that even if the authorization code is intercepted, it cannot be exchanged for tokens without the original verifier. This flow is designed for public clients (like SPAs) and avoids the need for custom operational scripts.

Exam trap

The trap here is that candidates often confuse the deprecated implicit flow with the modern authorization code flow with PKCE, mistakenly believing that SPAs must use the implicit flow because they cannot store a secret, but the correct answer is the PKCE-enhanced authorization code flow.

How to eliminate wrong answers

Option A is wrong because the implicit flow is deprecated by the OAuth 2.0 Security Best Current Practice (BCP) RFC 8252 due to security risks like access token leakage in the browser history and lack of token binding. Option B is wrong because the client credentials flow is intended for server-to-server (confidential client) scenarios, not for user authentication in a single-page app; it requires a client secret and cannot represent an interactive user. Option C is wrong because the resource owner password credentials flow (ROPC) is highly discouraged for modern apps as it exposes the user's credentials to the client, violates security best practices, and is not suitable for SPAs; it also requires custom scripting to handle credential collection.

Question 93 · Multi-Select · hard

Which THREE Azure services or features can be used to implement retry logic for transient failures when calling an external API from a .NET Core application?

Select 3 answers
A. Azure SDK retry policies
B. Azure Logic Apps retry policy
C. Polly library
D. Azure Traffic Manager
E. Azure Front Door

Answers: A, B, C

Built-in in many SDKs.

Why this answer

A, B, and C are correct. Polly is a .NET library for retry logic. Azure SDKs include built-in retry policies.

Azure Logic Apps provides retry policies for connectors. Option D is wrong because Azure Traffic Manager is for DNS load balancing, not retry logic. Option E is wrong because Azure Front Door is a global load balancer, not an application-level retry mechanism.

Question 94 · MCQ · medium

An application writes millions of small log entries (500 bytes each) daily. The logs are rarely read, and when read, they are accessed sequentially. You need to minimize storage costs and maximize write throughput. Which Azure Blob Storage type should you use?

A. Block Blob
B. Page Blob
C. Append Blob
D. Archive Blob

Answer: C

Append Blobs are purpose-built for append-only operations, offering high throughput for log data and efficient sequential reads.

Why this answer

Append Blob is optimized for append operations, making it ideal for logging scenarios where new data is continuously added to the end of the blob. It provides high write throughput for small, sequential writes (like 500-byte log entries) and lower storage costs compared to Block Blob for this pattern, as it avoids the overhead of managing multiple blocks per append. Additionally, Append Blob supports sequential read access efficiently, matching the rare, sequential read requirement.

Exam trap

The trap here is that candidates confuse 'Append Blob' with 'Block Blob' because both support blocks, but they fail to recognize that Append Blob is specifically designed for append-only workloads, while Block Blob is not optimized for sequential writes and incurs higher overhead per operation.

How to eliminate wrong answers

Option A is wrong because Block Blob is designed for random read/write access and requires managing blocks for each write, which introduces overhead and reduces write throughput for millions of small appends; it is not optimized for sequential append-only workloads. Option B is wrong because Page Blob is optimized for random read/write operations on fixed-size 512-byte pages (e.g., for virtual machine disks) and incurs higher costs due to its support for frequent updates and snapshots, making it unsuitable for low-cost, append-only logging. Option D is wrong because Archive Blob is a tier for cold data with infrequent access and high retrieval latency (hours), not a blob type; it cannot be used for active writes and would block the required high write throughput.

Question 95 · MCQ · medium

You are developing a solution that needs to store and retrieve JSON documents with a flexible schema. The data is accessed via REST API and requires low-latency reads. Which Azure Storage service should you use?

A. Azure Blob Storage
B. Azure Cosmos DB
C. Azure Table Storage
D. Azure Files

Answer: B

Cosmos DB provides flexible schema and low-latency.

Why this answer

Azure Cosmos DB is the correct choice because it natively supports storing and querying JSON documents with a flexible schema via its SQL API, and it guarantees single-digit millisecond read latencies at the 99th percentile, which meets the low-latency requirement. Unlike other Azure storage services, Cosmos DB is a fully managed NoSQL database designed for REST API access with automatic indexing of all JSON properties.

Exam trap

The trap here is that candidates often confuse Azure Blob Storage's ability to store JSON files (as blobs) with the ability to efficiently query and retrieve individual documents with low latency, overlooking the fact that Blob Storage lacks native indexing and querying capabilities for JSON content.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage stores unstructured binary data as blobs and does not provide native JSON document querying or indexing; it requires additional logic to parse and retrieve specific fields. Option C is wrong because Azure Table Storage is a key-value store that stores entities as rows with a fixed schema (partition key and row key), not flexible JSON documents, and it lacks native support for JSON querying or indexing. Option D is wrong because Azure Files provides SMB and NFS file shares for file-level access, not a REST API for JSON document storage and retrieval with low-latency reads.

Question 96 · MCQ · hard

Application Insights ingestion cost is rising because a high-traffic app emits large telemetry volume. The team needs statistically useful telemetry while reducing ingestion. What should be configured?

A. Move the app to a larger App Service plan
B. Adaptive sampling
C. Disable all exception telemetry
D. Increase log verbosity to debug

Answer: B

Adaptive sampling reduces telemetry volume while preserving representative diagnostic data.

Why this answer

Adaptive sampling is the correct solution because it automatically adjusts the volume of telemetry data sent to Application Insights, retaining only a representative subset that preserves statistical accuracy for analysis. This reduces ingestion costs while ensuring the sampled data remains statistically useful for detecting trends and anomalies in high-traffic applications.

Exam trap

The trap here is that candidates may think increasing resources (larger plan) or disabling entire telemetry categories (exceptions) is a valid cost-control measure, but the exam tests understanding that adaptive sampling is the designed Azure feature for reducing telemetry volume while preserving statistical significance.

How to eliminate wrong answers

Option A is wrong because moving the app to a larger App Service plan increases compute resources and cost, but does not reduce telemetry ingestion volume or address the root cause of rising Application Insights costs. Option C is wrong because disabling all exception telemetry would eliminate critical diagnostic data needed for monitoring application health, and it does not provide a balanced approach to reducing ingestion while maintaining statistical usefulness. Option D is wrong because increasing log verbosity to debug would generate even more telemetry data, exacerbating the ingestion cost problem rather than solving it.

Question 97 · Multi-Select · medium

Which TWO Azure services can be used to implement a pub/sub messaging pattern for decoupling microservices? (Choose two.)

Select 2 answers
A. Azure Storage Queue
B. Azure Service Bus Topics
C. Azure Event Hubs
D. Azure Event Grid
E. Azure Logic Apps

Answers: B, D

Supports pub/sub with multiple subscribers.

Why this answer

Azure Service Bus Topics (B) and Azure Event Grid (D) support pub/sub. Storage Queue (A) is point-to-point. Event Hubs (C) is designed for telemetry; it can be used for pub/sub but is not the typical choice.

Azure Logic Apps (E) is an integration service, not a messaging broker.

Question 98 · MCQ · hard

You have an Azure API Management instance that exposes a REST API. You need to secure the API using OAuth 2.0 with Microsoft Entra ID. The API should accept tokens from multiple client applications. Which policy should you add to the inbound processing section?

A. <validate-jwt header-name="Authorization" failed-validation-httpcode="401" />
B. <xml-to-json>
C. <rate-limit>
D. <cache-lookup>

Answer: A

validate-jwt policy validates the JWT token from the Authorization header.

Why this answer

The 'validate-jwt' policy is used in Azure API Management to validate JWT tokens issued by Microsoft Entra ID. It can be configured to accept tokens from multiple client applications by specifying a list of allowed audiences. Option D is for caching, C is for rate limiting, and B is for transforming XML to JSON, none of which handle JWT validation.

99
MCQhard

You run the above command. The web app is connected to a GitHub repository via Continuous Deployment. You push a new commit to the 'main' branch, but the web app does not update. What is the most likely cause?

A.The repository is Mercurial, not Git.
B.The GitHub webhook is not configured to trigger on push events.
C.The deployment rollback is enabled and blocking new deployments.
D.The 'branch' property is set to 'main', but the actual branch is 'master'.
AnswerB

Without a webhook, Azure App Service is not notified of new commits.

Why this answer

The web app is configured for Continuous Deployment via GitHub, which relies on a webhook to notify Azure App Service of new commits. When a push event occurs on the 'main' branch, the webhook must be configured to trigger the deployment. If the webhook is not set to fire on push events, Azure will never receive the notification, and the app will not update despite the new commit.

Exam trap

The trap here is that candidates may assume the webhook is automatically configured correctly when setting up Continuous Deployment, but Azure requires explicit event selection, and a missing 'push' event trigger is a frequent oversight.

How to eliminate wrong answers

Option A is wrong because Azure App Service's Continuous Deployment from GitHub only supports Git repositories; Mercurial is not supported, so the connection would have failed at setup, not silently after a push. Option C is wrong because deployment rollback is a feature that allows reverting to a previous deployment, but it does not block new deployments; it only affects the ability to swap slots or revert after a deployment completes. Option D is wrong because a branch mismatch ('branch' set to 'main' while the repository actually uses 'master') would produce a deployment failure or a non-matching deployment rather than a silent lack of update; moreover, the question states the push is to 'main' and the web app is connected to the repository, so the configured branch already matches.

100
MCQhard

You are implementing a serverless function in Azure Functions that processes messages from an Azure Storage Queue. The function must ensure that each message is processed at least once and that processing failures are retried up to 5 times. After 5 failed attempts, the message should be moved to a poison queue. What should you configure?

A.Set the message time-to-live (TTL) to 5.
B.Implement a custom retry policy in the function code with a maximum of 5 retries.
C.Use the default queue poison message handling with 'maxDequeueCount' set to 5.
D.Set the visibility timeout to 5 minutes.
AnswerC

This is the built-in mechanism for retries and poison queue management.

Why this answer

Option C is correct because Azure Functions' Storage Queue trigger automatically implements a poison queue mechanism. By setting the 'maxDequeueCount' property in the host.json file to 5, the runtime will dequeue a message up to 5 times; after the 5th failed attempt, the message is automatically moved to the associated poison queue (named {originalqueue}-poison). This ensures at-least-once processing and retry handling without custom code.

Exam trap

The trap here is that candidates often think they need to write custom retry logic (Option B) or adjust visibility timeout (Option D), when Azure Functions provides a declarative configuration-based poison queue solution that handles retries and dead-lettering automatically.

How to eliminate wrong answers

Option A is wrong because message time-to-live (TTL) controls the maximum time a message stays in the queue before being discarded, not the number of retry attempts. Option B is wrong because implementing a custom retry policy in function code is unnecessary and error-prone; the Azure Functions runtime already provides built-in poison queue handling via configuration, and custom retries could lead to duplicate processing or missed poison queue routing. Option D is wrong because setting the visibility timeout to 5 minutes only controls how long a message is hidden after a dequeue failure, not the number of retry attempts; it does not move messages to a poison queue after repeated failures.

101
MCQmedium

You are deploying a containerized application to Azure Container Instances (ACI). The application requires a connection string to an Azure SQL Database. The connection string contains a password that is stored as a secret in Azure Key Vault. The container image expects to read the connection string from an environment variable named SQL_CONNECTION_STRING. You want to pass the secret securely without embedding it in the YAML deployment file and without modifying the container image. The ACI container group will use a system-assigned managed identity that has access to the Key Vault secret. Which approach should you use?

A.Mount a volume from Azure Files containing the connection string
B.Use a secure environment variable with a Key Vault reference syntax (e.g., secret://myvault/secretname)
C.Use the managed identity inside the container to call the Key Vault SDK and retrieve the secret
D.Store the connection string as an environment variable in ACI configuration but mark it as secure
AnswerB

ACI resolves the Key Vault reference at runtime using the managed identity, keeping the secret out of the deployment definition and requiring no image changes.

Why this answer

Option B is correct because Azure Container Instances supports Key Vault references in environment variables using the `secret://` syntax, which allows you to securely inject secrets into containers at runtime without exposing them in the deployment YAML. The system-assigned managed identity is automatically used by the ACI infrastructure to authenticate to Key Vault and retrieve the secret, so no code changes to the container image are required.

Exam trap

The trap here is that candidates often assume they must write code inside the container to use the managed identity with the Key Vault SDK, but ACI provides a built-in mechanism to inject secrets as environment variables without any code changes.

How to eliminate wrong answers

Option A is wrong because mounting a volume from Azure Files would require the connection string to be stored in a file, which still exposes the secret in the storage account and does not leverage Key Vault for secret management. Option C is wrong because using the managed identity inside the container to call the Key Vault SDK would require modifying the container image to include code for secret retrieval, which violates the requirement of not modifying the image. Option D is wrong because marking an environment variable as 'secure' in ACI only hides its value in the Azure portal and logs, but the secret is still embedded in the deployment configuration and can be retrieved by anyone with access to the resource definition.

102
MCQeasy

You deploy a containerized application to Azure Container Instances (ACI). The application needs to store configuration settings that might change at runtime. You need to update the configuration without redeploying the container. What should you do?

A.Use environment variables in the container group
B.Mount an Azure Files share and update the configuration file
C.Use Application Settings in the container
D.Modify the container image to include new configuration
AnswerA

Environment variables can be updated by restarting the container group with new values.

Why this answer

Environment variables in Azure Container Instances (ACI) can be set at container group creation or updated by redeploying the container group with new values. They are accessible at runtime without modifying the container image, allowing configuration changes without a full redeploy. This is the recommended approach for dynamic configuration in ACI because environment variables are lightweight, secure, and natively supported by the container runtime.

Exam trap

The trap here is that candidates confuse Azure Container Instances with Azure App Service, mistakenly selecting 'Application Settings' (Option C) which is an App Service feature, not available in ACI.

How to eliminate wrong answers

Option B is wrong because mounting an Azure Files share and updating a configuration file requires the application to watch for file changes and reload configuration, which adds complexity and is not a built-in ACI feature for runtime updates without redeployment. Option C is wrong because 'Application Settings' is an Azure App Service concept, not applicable to Azure Container Instances; ACI does not have an Application Settings blade. Option D is wrong because modifying the container image to include new configuration requires rebuilding, pushing to a registry, and redeploying the container group, which contradicts the requirement to avoid redeployment.

103
MCQhard

Your company uses Microsoft Sentinel for security information and event management (SIEM). You need to detect and automatically respond to a potential credential theft attack where an anomalous number of failed logins are followed by a successful login from a different geographic location. Which Microsoft Sentinel feature should you use?

A.Microsoft Sentinel Data Connectors
B.An analytics rule with an automated response
C.Microsoft Defender for Identity
D.Microsoft Sentinel playbooks
AnswerB

Analytics rules detect the pattern; automated response (e.g., disable user) can be configured as part of the rule.

Why this answer

An analytics rule in Microsoft Sentinel can be configured to detect patterns like anomalous failed logins followed by a successful login from a different geography. The rule can then trigger an automated response, such as running a playbook or creating an incident, to remediate the threat in near real-time. This combines detection and automated action within a single rule, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates often confuse 'playbooks' (the automation component) with the complete detection-and-response feature, forgetting that an analytics rule is required to trigger the playbook and that the rule itself can include an automated response directly.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel Data Connectors are used to ingest log data from various sources (e.g., Azure AD, firewalls) but do not perform detection or automated response. Option C is wrong because Microsoft Defender for Identity is a separate security product focused on on-premises Active Directory identity threats, not a native Sentinel feature for creating custom detection rules with automated responses. Option D is wrong because Microsoft Sentinel playbooks are automated workflows (based on Azure Logic Apps) that can be triggered by analytics rules, but they are not the detection mechanism themselves; the question asks for the feature that both detects and automatically responds, which is the analytics rule with an automated response.

104
Multi-Selectmedium

Which TWO options are valid ways to authenticate an Azure Functions app to Azure Storage when using a managed identity? (Choose two.)

Select 2 answers
A.Enable system-assigned managed identity on the function app and grant it the 'Storage Blob Data Contributor' role
B.Generate a shared access signature (SAS) token and include it in the connection string
C.Use the storage account access key in the connection string
D.Create a user-assigned managed identity, assign it to the function app, and grant it the 'Storage Queue Data Contributor' role
E.Use the default AzureWebJobsStorage connection string from the function app settings
AnswersA, D

System-assigned managed identity is tied to the function app and can be granted RBAC roles.

Why this answer

Option A is correct because enabling a system-assigned managed identity on the function app allows it to authenticate to Azure Storage without storing credentials. Granting the 'Storage Blob Data Contributor' role to that identity via Azure RBAC authorizes the function app to perform blob data operations (read, write, delete) using Azure AD tokens, which are automatically managed by the Azure platform.

Exam trap

The trap here is that candidates may confuse 'managed identity' with any non-key-based method (like SAS tokens) or assume the default AzureWebJobsStorage connection string automatically uses managed identity, when in fact it defaults to a key-based connection unless explicitly configured for identity-based authentication.

105
MCQmedium

You are developing a serverless function app that processes credit card payments. The function app must securely store the payment gateway API key. Which Azure service should you use to store the key?

A.Store the key in an Azure Storage queue and read it at runtime.
B.Store the key in Azure Key Vault and retrieve it using a managed identity.
C.Store the key in Azure Cosmos DB with client-side encryption.
D.Store the key in the function app's application settings.
AnswerB

Key Vault provides secure, audited storage for secrets, and managed identity allows secure access without hardcoding credentials.

Why this answer

Option B is correct because Azure Key Vault is designed to securely store secrets like API keys, certificates, and connection strings. Option D is wrong because App Service application settings are not encrypted at rest by default and are visible in the portal. Option C is wrong because Azure Cosmos DB is a database, not a secrets store.

Option A is wrong because Azure Storage queues are for messaging, not secure storage.

106
MCQhard

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used?

A.Implicit flow
B.Client credentials flow
C.Resource owner password credentials flow
D.Authorization code flow with PKCE
AnswerD

PKCE protects public clients that cannot store secrets and is recommended for SPAs.

Why this answer

The authorization code flow with PKCE (Proof Key for Code Exchange) is the recommended OAuth flow for single-page apps that cannot securely store a client secret. PKCE ensures that even if the authorization code is intercepted, it cannot be exchanged for tokens without the original code verifier, mitigating the risk of code injection attacks. This flow aligns with Microsoft's best practices for native and browser-based applications using Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse the implicit flow (which was historically used for SPAs) as still valid, but Microsoft and OAuth standards now mandate the authorization code flow with PKCE for all public clients, including single-page apps.

How to eliminate wrong answers

Option A is wrong because the implicit flow is deprecated by the OAuth 2.0 Security Best Current Practice (BCP) and Microsoft Entra ID due to security risks like access token leakage in the browser history and lack of PKCE support. Option B is wrong because the client credentials flow is designed for server-to-server (daemon) applications without a user context, not for single-page apps that need to sign in users and call APIs on their behalf. Option C is wrong because the resource owner password credentials flow requires the app to handle user credentials directly, which is insecure for browser-based apps and violates the principle of not exposing passwords to the client.

107
MCQmedium

An Azure Functions IoT command API must run for up to 30 minutes and uses a VNet integration feature. The team wants serverless scaling without managing virtual machines. Which hosting plan should be used?

A.Azure Batch pool
B.Consumption plan
C.App Service Free tier
D.Premium plan
AnswerD

The Premium plan supports longer execution duration, VNet integration, pre-warmed instances, and serverless scale.

Why this answer

The Premium plan (Elastic Premium EP) is the correct choice because it supports VNet integration for accessing resources inside a virtual network, allows execution durations up to 30 minutes (the Consumption plan caps at 10 minutes by default), and provides serverless scaling without requiring you to manage virtual machines. This plan also offers always-ready instances to reduce cold start latency, which is critical for IoT command APIs.

Exam trap

The trap here is that candidates often assume the Consumption plan supports VNet integration and long timeouts because it is the default serverless option, but they overlook the explicit 10-minute timeout limit and the lack of native VNet integration without a dedicated gateway.

How to eliminate wrong answers

Option A is wrong because Azure Batch pool is designed for large-scale parallel and high-performance computing jobs, not for hosting a single long-running API with serverless scaling, and it requires managing virtual machine pools. Option B is wrong because the Consumption plan has a maximum execution timeout of 10 minutes and does not support VNet integration for outbound traffic without additional configuration like a VNet NAT gateway, making it unsuitable for a 30-minute API. Option C is wrong because the App Service Free tier does not support VNet integration, has a 60-second request timeout, and lacks serverless scaling (it runs on shared, fixed-capacity VMs).

108
MCQhard

A background data pipeline runs on a schedule and must read user profile data from Microsoft Graph. No user is present during execution. The service authenticates to Microsoft Entra ID and calls the Graph API. Which permission type and OAuth 2.0 flow are correct for this scenario?

A.Application permissions with the client credentials flow, authenticating with the app's client ID and secret (or certificate)
B.Delegated permissions with the authorization code flow, initiating a browser redirect to collect user consent
C.Delegated permissions with the device code flow, prompting a user to authenticate on a separate device
D.Application permissions with the on-behalf-of flow, passing the calling user's token to the Graph API
AnswerA

Application permissions are granted by an admin via the app registration manifest. The client credentials flow does not require user interaction — the service presents its own credentials to the token endpoint and receives a token scoped to the application. This is the standard pattern for background services, daemons, and scheduled jobs that call Microsoft Graph.

Why this answer

This scenario requires a background service to access Microsoft Graph without any user interaction. Application permissions are designed for such non-interactive, service-to-service calls, and the client credentials OAuth 2.0 flow (defined in RFC 6749 section 4.4) allows the app to authenticate using its own identity (client ID and secret or certificate) to obtain an access token. Delegated permissions would be incorrect because they require a signed-in user context, which is absent here.

Exam trap

The trap here is that candidates often confuse application permissions with delegated permissions, mistakenly thinking a user context is always required for Graph API calls, but the client credentials flow is the correct choice for any background service that operates without a signed-in user.

How to eliminate wrong answers

Option B is wrong because delegated permissions require a signed-in user and the authorization code flow involves a browser redirect for user consent, which cannot occur in an unattended background pipeline. Option C is wrong because the device code flow is designed for devices with limited input capabilities and still requires a user to authenticate interactively on a separate device, not suitable for a fully automated service. Option D is wrong because the on-behalf-of flow (OAuth 2.0 On-Behalf-Of) is used to pass a user's delegated token to a downstream API, requiring an initial user token, which does not exist in this no-user scenario.

109
MCQmedium

A Cosmos DB container for session records receives hot-partition throttling because the partition key has only five possible values. What should the developer change?

A.Increase the default TTL
B.Enable analytical store only
C.Choose a partition key with higher cardinality and even request distribution
D.Use a stored procedure for every write
AnswerC

A good partition key spreads storage and throughput across logical partitions.

Why this answer

Option C is correct because a partition key with only five values leads to hot partitions, where one or a few partitions handle the majority of requests, causing throttling. By choosing a partition key with higher cardinality (many distinct values) and even request distribution, the load is spread evenly across physical partitions, eliminating hot spots and throttling.

Exam trap

The trap here is that candidates often confuse throttling with performance tuning (TTL) or data storage (analytical store), rather than recognizing that the root cause is an insufficiently granular partition key leading to uneven request distribution.

How to eliminate wrong answers

Option A is wrong because increasing the default TTL (Time to Live) only affects how long data lives in the container; it does not change the partition key design or distribute request load, so it cannot resolve hot-partition throttling. Option B is wrong because enabling analytical store only creates a separate columnar store for analytical queries; it does not alter the transactional partition key or distribute write/read requests, so throttling persists. Option D is wrong because using a stored procedure for every write does not change the underlying partition key distribution; stored procedures execute within a single logical partition and cannot spread load across partitions, so hot partitions remain throttled.

110
MCQhard

Refer to the exhibit. You have an Azure App Service that uses the authentication settings shown. Users report that they are repeatedly prompted to sign in even after authenticating. What is the most likely cause?

A.The 'allowedAudiences' is missing the App Service URL.
B.The 'loginParameters' does not include 'offline_access'.
C.The 'issuer' URL is incorrect; it should be a tenant-specific endpoint.
D.No 'tokenRefreshEndpoint' is configured for session management.
AnswerD

Without a refresh endpoint or session management, tokens expire and prompt re-authentication.

Why this answer

Option D is correct because the absence of a 'tokenRefreshEndpoint' in the authentication configuration prevents the App Service from automatically refreshing the user's session token. Without this endpoint, the token expires after its lifetime (typically 1 hour for Azure AD access tokens), causing the user to be repeatedly prompted to sign in again. Configuring a token refresh endpoint enables the use of refresh tokens to silently obtain new access tokens, maintaining the session without user interaction.

Exam trap

The trap here is that candidates often confuse the need for 'offline_access' scope (which requests a refresh token) with the need for a configured 'tokenRefreshEndpoint' (which actually uses that refresh token to silently renew the session).

How to eliminate wrong answers

Option A is wrong because the 'allowedAudiences' parameter is used to validate the token's audience claim, not to control session persistence; missing the App Service URL here would cause authentication failures, not repeated sign-in prompts. Option B is wrong because 'offline_access' in 'loginParameters' is required to request a refresh token, but the question states users are repeatedly prompted after authenticating, implying the initial authentication succeeds; the issue is that no token refresh endpoint is configured to use that refresh token. Option C is wrong because the 'issuer' URL being tenant-specific is about token validation, not session refresh; an incorrect issuer would cause authentication to fail entirely, not just prompt re-authentication after a successful login.

111
Multi-Selecthard

Which THREE considerations are important when designing a solution using Azure Functions with a Consumption plan for a latency-sensitive application?

Select 3 answers
A.Cold start latency may impact initial requests.
B.Function execution timeout is limited to 10 minutes.
C.Scaling may not be instantaneous, causing latency spikes.
D.Always-on feature must be enabled to avoid cold starts.
E.Pre-warmed instances can be configured to reduce latency.
AnswersA, B, C

Cold starts add latency to first request.

Why this answer

A is correct because Azure Functions on the Consumption plan can experience cold starts when a function app is idle or after scaling down to zero instances. During a cold start, the runtime must load the function host, load dependencies, and execute the function code, which adds latency that can be unacceptable for latency-sensitive applications. This delay occurs because the Consumption plan does not keep instances warm when there is no traffic.

Exam trap

The trap here is that candidates often confuse the features of the Consumption plan with those of the Premium plan, mistakenly thinking Always-on or pre-warmed instances are available in the Consumption plan, when they are exclusive to higher-tier plans.

112
Multi-Selectmedium

Which TWO actions should you take to optimize costs for an Azure SQL Database that is underutilized? (Choose two.)

Select 2 answers
A.Enable geo-replication
B.Increase the DTU or vCore limit
C.Purchase reserved capacity
D.Enable read scale-out
E.Scale down to a lower service tier
AnswersC, E

Reserved capacity provides significant discounts.

Why this answer

Option E (scale down) and Option C (purchase reserved capacity) are correct because scaling down reduces compute costs and reserved capacity offers discounts. Option B (increase DTU or vCore limit) increases cost. Option A (geo-replication) adds cost.

Option D (read scale-out) adds cost.

113
MCQeasy

You are developing an application that stores user-uploaded profile pictures in Azure Blob Storage. Users frequently access these pictures for the first 7 days after upload, then rarely. To minimize costs, you need to automatically delete pictures that are older than 30 days. Which Azure Storage feature should you use to achieve this?

A.Lifecycle management policy
B.Blob snapshots
C.Change feed
D.Soft delete
AnswerA

Correct. Lifecycle management policies can automatically delete blobs after a specified number of days, aligning with the requirement to delete pictures older than 30 days.

Why this answer

Azure Blob Storage lifecycle management policies allow you to automatically tier or expire blobs based on age. By defining a rule that deletes blobs after 30 days from creation, you can remove old profile pictures without manual intervention, directly minimizing storage costs.

Exam trap

The trap here is that candidates may confuse soft delete (which retains deleted blobs) with automatic deletion, or think change feed or snapshots can trigger deletions, when only lifecycle management provides scheduled, rule-based expiration.

How to eliminate wrong answers

Option B (Blob snapshots) is wrong because snapshots are point-in-time read-only copies of a blob, used for versioning or backup, not for automatic deletion based on age. Option C (Change feed) is wrong because it provides transaction logs of blob changes for event processing or replication, not a mechanism to delete blobs automatically. Option D (Soft delete) is wrong because it protects blobs from accidental deletion by retaining them for a specified period, but it does not automatically delete blobs based on age; it requires an explicit delete operation to trigger.

114
MCQmedium

Refer to the exhibit. You executed the Azure CLI command to create a storage account. Later, you attempt to connect from an application that uses TLS 1.1. The connection fails. What is the most likely reason?

A.The storage account uses Standard_GRS replication which is not accessible from all clients
B.The storage account is in a different location than the client
C.The storage account kind is StorageV2 which does not support blobs
D.The minimum TLS version is set to 1.2, blocking TLS 1.1
AnswerD

The command sets the minimum TLS version to 1.2.

Why this answer

The '--min-tls-version 1.2' parameter sets the minimum TLS version to 1.2, so TLS 1.1 is rejected. Option A is wrong because Standard_GRS is geo-redundant storage, which is accessible from all clients. Option C is wrong because the kind StorageV2 supports blobs.

Option B is wrong because the location eastus is valid; a client in a different location can still connect.

115
MCQmedium

You are developing a .NET Core application that stores session state data. The data is infrequently updated but must be read quickly for every user request. You need a serverless, globally distributed storage solution with low latency reads. Which Azure storage solution should you use?

A.Azure Table Storage
B.Azure Cosmos DB with SQL API
C.Azure Redis Cache
D.Azure Blob Storage
AnswerB

Cosmos DB offers fast, predictable read latencies, global replication, and serverless capacity, ideal for session data that requires quick reads.

Why this answer

Azure Cosmos DB with SQL API is the correct choice because it provides a globally distributed, serverless database service with single-digit millisecond read latency at any scale, making it ideal for infrequently updated session state that must be read quickly for every user request. Its multi-region replication ensures low-latency reads from any location, and the SQL API offers a familiar query interface for .NET Core applications.

Exam trap

The trap here is that candidates often choose Azure Redis Cache because of its reputation for low-latency caching, but they overlook the 'serverless' and 'globally distributed' requirements, which Redis Cache does not natively satisfy without manual configuration and provisioning, whereas Cosmos DB offers these features out of the box.

How to eliminate wrong answers

Option A is wrong because Azure Table Storage is a NoSQL key-value store that does not offer global distribution or guaranteed low-latency reads; it is regionally scoped and lacks the throughput and latency guarantees required for fast session reads. Option C is wrong because Azure Redis Cache is an in-memory data store that provides low-latency reads, but it is not serverless (requires provisioning and managing cache tiers) and is not inherently globally distributed; it would require additional configuration like geo-replication, and it is optimized for frequently updated data, not infrequently updated session state. Option D is wrong because Azure Blob Storage is designed for unstructured object storage with higher latency for individual reads, and it does not support the low-latency, high-frequency read patterns needed for session state per user request.

116
MCQmedium

You are building an Azure Logic App that processes orders. When an order is placed, the Logic App must send a message to an Azure Service Bus queue. The queue is secured using managed identity. Which connector action should you use?

A.HTTP action with SAS token
B.Service Bus connector with managed identity authentication
C.Azure Functions connector
D.Event Grid connector
AnswerB

Correct. The Service Bus connector has built-in support for managed identity, allowing secure authentication without secrets.

Why this answer

The Service Bus connector with managed identity authentication is correct because it allows the Logic App to authenticate to the Azure Service Bus queue using an Azure AD managed identity, eliminating the need for secrets or SAS tokens. This is the recommended approach for securing Service Bus resources when using Azure services, as it leverages Azure RBAC for fine-grained access control and aligns with the principle of least privilege.

Exam trap

The trap here is that candidates may confuse the HTTP action with SAS token as a valid way to use managed identity, but managed identity requires Azure AD authentication, not SAS, and the Service Bus connector explicitly supports this authentication type.

How to eliminate wrong answers

Option A is wrong because the HTTP action with SAS token requires you to generate and manage a Shared Access Signature token, which introduces secret management overhead and does not use managed identity; it is less secure and not the intended method for managed identity scenarios. Option C is wrong because the Azure Functions connector is used to trigger or invoke Azure Functions, not to directly send messages to a Service Bus queue; it would add unnecessary complexity and latency. Option D is wrong because the Event Grid connector is designed for publishing and subscribing to events via Azure Event Grid, not for sending messages to a Service Bus queue; it does not support Service Bus queue operations directly.

117
MCQ medium

You find the above ARM template for an App Service. What is a security concern with this configuration?

A. The connection string is stored in the source code.
B. The password is passed as a parameter and may be exposed in deployment logs.
C. The connection string type should be 'Custom' instead of 'SQLAzure'.
D. The connection string is not encrypted at rest.
Answer: B

Parameters can be logged, exposing the password.

Why this answer

Option B is correct because the connection string includes the password as a parameter, which may be stored in plain text in the ARM template parameters file or deployment history. Option C is wrong because the connection string uses the SQLAzure type, which is correct. Option D is wrong because the connection string is encrypted at rest in App Service; the issue is at deployment time.

Option A is wrong because the connection string is stored in App Service configuration, not in source code, but the ARM template exposes the password.

118
MCQ hard

You are designing a solution that uses Azure Container Instances (ACI) to run a batch job that processes images. The job is triggered by a message in Azure Queue Storage. Each image takes about 5 minutes to process. You need to ensure that the container runs only when there are messages in the queue and scales automatically. What should you use?

A. Use Azure Logic Apps with a Container Instances connector.
B. Use Azure Functions with a custom container and queue trigger.
C. Use Azure Batch to process the images in a pool of VMs.
D. Deploy the image processing job as a pod in Azure Kubernetes Service.
Answer: A

Logic Apps can trigger on queue messages and start ACI containers per message.

Why this answer

Option A is correct because Azure Logic Apps provides a serverless workflow that can be triggered by a queue message (via the Azure Queue Storage connector) and then use the Container Instances connector to start a container group. This ensures the container runs only when messages are present and scales automatically by creating a new container instance per message, matching the requirement for event-driven, on-demand execution without idle costs.

Exam trap

The trap here is that candidates often assume Azure Functions is the only serverless option for queue-triggered workloads, overlooking that Logic Apps can directly orchestrate ACI creation without writing custom code, which is simpler and more aligned with the requirement to 'run the container only when there are messages'.

How to eliminate wrong answers

Option B is wrong because Azure Functions with a custom container and queue trigger runs the function code inside the container, but it does not directly orchestrate the creation of a separate ACI container for each batch job; the function would need to manage ACI lifecycle manually, adding complexity and not leveraging ACI's native scaling. Option C is wrong because Azure Batch is designed for large-scale parallel batch processing with a pool of VMs, which is overkill for a simple queue-triggered job and introduces unnecessary overhead for managing a VM pool. Option D is wrong because Azure Kubernetes Service (AKS) is a full orchestration platform for containerized applications, requiring cluster management and scaling configuration, which is excessive for a single batch job that should run only on demand; it does not natively integrate with Azure Queue Storage triggers without additional components like KEDA.

119
Multi-Select medium

Which TWO Azure services can be used to implement a pub/sub messaging pattern?

Select 2 answers
A. Azure Service Bus Topics
B. Azure Blob Storage
C. Azure Event Hubs
D. Azure Queue Storage
E. Azure Event Grid
Answers: A, E

Service Bus Topics support pub/sub with multiple subscribers.

Why this answer

Options A and E are correct. Service Bus Topics support pub/sub with multiple subscribers. Event Grid also supports pub/sub with event subscriptions.

Option D (Queue Storage) is point-to-point; Option C (Event Hubs) is for event streaming, but can be used for pub/sub; Option B (Blob Storage) is not messaging.

120
MCQ hard

You are a developer for a large e-commerce company. The company has a global customer base and runs a critical web application on Azure App Service (Premium v3 plan) deployed in multiple regions. The application uses Azure Cosmos DB (multi-region writes enabled) for product catalog and session state. Recently, the operations team reported that during peak shopping hours (e.g., Black Friday), the application becomes slow and some users experience timeouts. You have implemented Application Insights to collect telemetry. After analyzing the data, you find that the Cosmos DB write operations are experiencing high latency (average 200ms) and occasional throttling (429 errors). The read latency is acceptable. The App Service instances are scaled out to 20 instances during peak, and CPU usage is around 70%. You need to optimize the solution to reduce write latency and eliminate throttling without over-provisioning resources. The solution must be cost-effective and require minimal code changes. What should you do?

A. Scale up the App Service plan to a higher tier to increase CPU capacity
B. Implement Azure Cache for Redis to cache Cosmos DB read and write operations
C. Increase the provisioned RU/s manually before peak hours and decrease after
D. Enable autoscale on the Cosmos DB container with a maximum throughput limit
Answer: D

Autoscale dynamically adjusts RU/s based on demand, preventing throttling.

Why this answer

Option D is correct because enabling Cosmos DB request unit (RU) autoscale allows the database to automatically scale up throughput during peak times, preventing throttling. This is cost-effective when traffic is variable. Option A is wrong because scaling up the App Service plan may help CPU but does not address Cosmos DB throttling.

Option C is wrong because increasing RU/s manually could lead to over-provisioning during off-peak. Option B is wrong because enabling Azure Cache for Redis would reduce read latency, not write latency.

121
MCQ hard

You need to emit a custom metric in Application Insights that tracks the number of page views per browser. You expect high volume (millions of events per day). Which API should you use to ensure efficient pre-aggregation and avoid performance issues?

A. TrackEvent
B. TrackMetric
C. GetMetric
D. TrackDependency
Answer: C

GetMetric is designed for high-volume metrics with dimensions and performs client-side aggregation for efficiency.

Why this answer

C is correct because the GetMetric API (previously known as Pre-Aggregated Metric API) is designed for high-volume telemetry scenarios. It pre-aggregates metrics on the client side before sending them to Application Insights, significantly reducing network traffic and storage costs while avoiding performance bottlenecks from millions of individual events.

Exam trap

The trap here is that candidates often confuse TrackEvent (for custom events) with metric tracking, or assume TrackMetric is the correct choice because of its name, not realizing it is deprecated and lacks client-side pre-aggregation.

How to eliminate wrong answers

Option A is wrong because TrackEvent sends each event individually, which would generate millions of separate telemetry records, causing excessive network overhead and ingestion costs. Option B is wrong because TrackMetric is deprecated and also sends individual metric values without client-side aggregation, leading to similar performance issues. Option D is wrong because TrackDependency is used to track external dependency calls (e.g., HTTP, SQL), not custom metrics like page views per browser.

122
MCQ easy

You are deploying a containerized application using Azure Kubernetes Service (AKS). You need to ensure that sensitive configuration data, such as API keys, is not stored in container images. Which Kubernetes resource should you use?

A. Deployment
B. ConfigMap
C. PersistentVolume
D. Secret
Answer: D

Secrets store sensitive data.

Why this answer

Option D is correct because Kubernetes Secrets are specifically designed to store sensitive data like API keys, connection strings, and passwords. They are stored in etcd as base64-encoded values (and can be encrypted at rest) and are injected into pods as environment variables or mounted as volumes, ensuring the sensitive data never resides in the container image.

Exam trap

The trap here is that candidates often confuse ConfigMaps with Secrets, assuming both are interchangeable for configuration, but ConfigMaps store data in plain text and are not secure for sensitive information, while Secrets provide base64 encoding and optional encryption for sensitive data.

How to eliminate wrong answers

Option A is wrong because a Deployment manages replica sets and pod lifecycle, but it does not provide any mechanism for storing or injecting sensitive configuration data. Option B is wrong because ConfigMaps store non-sensitive configuration data in plain text (base64-encoded but not encrypted by default) and are not intended for secrets; using a ConfigMap for API keys would expose them in plain text. Option C is wrong because a PersistentVolume provides storage for stateful workloads (e.g., databases) but is not designed for injecting sensitive configuration into pods; it would require manual management of secret files and does not integrate with Kubernetes RBAC or encryption for secrets.

123
Multi-Select hard

Which TWO actions should you take to securely store and access secrets for a legacy application that cannot be modified? The application runs on an Azure Virtual Machine and needs to read a database connection string. The solution must use Azure Key Vault and adhere to the principle of least privilege.

Select 2 answers
A. Create a new VM and install the Key Vault extension during provisioning.
B. Configure the application to read the connection string from a local file that is updated by the Key Vault extension.
C. Assign a managed identity to the legacy application.
D. Use a user-assigned managed identity and assign it to the VM.
E. Enable the Azure Key Vault VM extension for the virtual machine.
Answers: B, E

The extension can write the secret to a local file, which the app reads.

Why this answer

Option E is correct because the Key Vault VM extension automatically syncs certificates and secrets as files, but for connection strings the application still needs to read the file. Option B is correct because the application can be configured to read the connection string from a local file that is synced by the extension. Option C is wrong because the managed identity is assigned to the VM, not to the app; the extension uses the VM's identity.

Option D is wrong because enabling the extension with a system-assigned managed identity is sufficient; a user-assigned identity is not required. Option A is wrong because the extension can be enabled on existing VMs.

124
MCQ medium

You have an Azure Function app that processes orders. The function uses a queue trigger from Azure Storage. Recent load tests show that the function is not scaling out fast enough under high load. What should you do to improve scaling?

A. In the function code, increase the number of retries on failure
B. In host.json, increase the batchSize and increase the newBatchThreshold
C. In host.json, increase the batchSize and decrease the newBatchThreshold
D. Switch from Consumption plan to Premium plan
Answer: B

Correct: Larger batchSize means each function instance grabs more messages, and higher newBatchThreshold triggers scale-out sooner.

Why this answer

Option B is correct because increasing the batchSize and newBatchThreshold in host.json allows the Azure Functions runtime to fetch more messages per polling cycle and trigger more parallel function instances sooner. This directly improves scaling velocity under high load by reducing the latency between message arrival and processing, which is the core issue identified in the load test.

Exam trap

The trap here is that candidates often confuse scaling improvements with plan upgrades (Premium vs. Consumption) or retry logic, when the real solution lies in tuning the queue trigger's batch processing parameters in host.json.

How to eliminate wrong answers

Option A is wrong because increasing the number of retries on failure does not affect scaling speed; it only affects fault tolerance for individual message processing failures. Option C is wrong because decreasing newBatchThreshold would cause the runtime to wait longer before fetching a new batch, which would actually slow down scaling and worsen the problem. Option D is wrong because switching to Premium plan provides more predictable scaling and VNET integration but does not inherently improve scaling speed; the bottleneck here is the queue trigger configuration, not the hosting plan.

125
Multi-Select easy

You are monitoring an Azure App Service web app that is experiencing intermittent high CPU usage. You need to configure alerts and troubleshoot the issue. Which TWO actions should you take? (Choose two.)

Select 2 answers
A. Create a metric alert rule that triggers when average CPU exceeds 90% over 5 minutes.
B. Scale up the App Service plan to a higher tier to ensure sufficient resources.
C. Create a Log Analytics workspace and configure diagnostic settings to send platform logs.
D. Enable Application Insights and configure autoscale based on custom metrics.
E. Create an autoscale rule for the App Service plan to scale out when CPU > 80%.
Answers: C, E

A Log Analytics workspace is required to collect and analyze diagnostic logs for troubleshooting.

Why this answer

Option C is correct: A Log Analytics workspace is required to collect and analyze diagnostic logs for troubleshooting. Option E is correct: An autoscale rule based on CPU percentage can help handle intermittent high CPU usage by scaling out. Option D is wrong: Application Insights is for application performance monitoring, not for autoscaling based on custom metrics easily.

Option B is wrong: Scaling up increases resources but does not automatically scale based on load; autoscale is needed. Option A is wrong: While Log Analytics helps, the question asks for actions to configure alerts and troubleshoot, and creating an autoscale rule is a proactive action.

126
Multi-Select easy

You are developing a solution that uses Azure Functions to process messages from Azure Service Bus. Which TWO configurations are required to ensure the function scales out to handle high throughput?

Select 2 answers
A. Enable sessions on the Service Bus queue.
B. Set the maxConcurrentCalls property to a value greater than 1.
C. Use a managed identity to connect to Service Bus.
D. Set the batch size to a value greater than 1.
E. Use a Premium App Service plan for the function app.
Answers: B, D

Increases concurrency for message processing.

Why this answer

To scale out Azure Functions with Service Bus, set maxConcurrentCalls so that multiple messages can be processed concurrently. Enabling sessions is needed only if messages must be processed in order; it is not required for scaling. The correct options are therefore setting maxConcurrentCalls and using the Service Bus trigger with a batch size greater than 1.

Option B is correct because maxConcurrentCalls controls concurrency. Option D is correct because batch size allows processing multiple messages per function invocation. Option A is incorrect because enabling sessions can limit scaling due to session locking.

Option E is incorrect because a Premium plan is not required for scaling; the Consumption plan scales automatically. Option C is incorrect because managed identity is for authentication, not scaling.

127
MCQ easy

You are deploying a containerized application to Azure Container Instances. The application requires a custom domain name and SSL/TLS certificate. What should you do?

A. Place an Azure Application Gateway in front of the container group.
B. Configure the container to listen on port 443 and map a custom domain.
C. Upload the certificate to the container and configure the web server.
D. Use a private endpoint with a custom domain.
Answer: A

Application Gateway can terminate SSL and route based on hostname.

Why this answer

Azure Container Instances (ACI) does not natively support custom domain names or SSL/TLS termination. By placing an Azure Application Gateway in front of the container group, you can offload SSL/TLS termination at the gateway layer, map a custom domain via the gateway's frontend IP, and route traffic to the container group's private IP. This is the recommended pattern for adding HTTPS and custom domains to ACI workloads.

Exam trap

The trap here is that candidates assume Azure Container Instances supports custom domains and SSL/TLS natively, similar to Azure App Service, but ACI lacks these features, requiring an external load balancer or gateway like Application Gateway.

How to eliminate wrong answers

Option B is wrong because simply configuring the container to listen on port 443 and mapping a custom domain does not provide SSL/TLS termination; ACI does not support binding a custom domain or certificate directly to the container group's public IP. Option C is wrong because uploading a certificate to the container and configuring the web server would require managing the certificate lifecycle inside the container, but ACI still cannot expose a custom domain name on its public endpoint; the container's FQDN is auto-generated and cannot be changed. Option D is wrong because a private endpoint with a custom domain only enables private connectivity within a virtual network; it does not expose the container group to the internet with a custom domain and SSL/TLS certificate.

128
MCQ easy

A Windows desktop application uses standard .NET file system calls such as File.ReadAllText and Directory.GetFiles. The team wants to move the file storage to Azure. The application code must not be rewritten. Which Azure storage service supports this requirement?

A. Azure Files with an SMB share mounted as a drive letter on the Windows machine
B. Azure Blob Storage with the Azure Storage SDK replacing all file system calls
C. Azure Queue Storage for staging files between producer and consumer processes
D. Azure Table Storage with the file content stored as base64-encoded entity properties
Answer: A

SMB shares exposed by Azure Files are indistinguishable from local or network drives at the OS level. The .NET file system APIs translate directly to SMB operations on the share, requiring zero code changes in the application.

Why this answer

Azure Files with an SMB share mounted as a drive letter on the Windows machine allows the existing .NET application to use standard file system calls like File.ReadAllText and Directory.GetFiles without any code changes. This is because the mounted SMB share presents itself as a local drive, and the .NET runtime interacts with it through the standard Windows file system API, which internally uses the SMB protocol (CIFS) to communicate with Azure Files. No SDK or API rewrite is required.

Exam trap

The trap here is that candidates may assume Azure Blob Storage is the only file storage option and overlook Azure Files, which is specifically designed for lift-and-shift scenarios requiring SMB-based file sharing without code changes.

How to eliminate wrong answers

Option B is wrong because Azure Blob Storage with the Azure Storage SDK would require rewriting all file system calls to use the SDK's methods (e.g., BlobClient.DownloadAsync), which violates the requirement that the application code must not be rewritten. Option C is wrong because Azure Queue Storage is a messaging service for asynchronous communication between processes, not a file storage service, and cannot be used with standard file system calls. Option D is wrong because Azure Table Storage is a NoSQL key-value store with a 64 KB entity size limit, making it impractical for storing file content as base64-encoded properties, and it does not support standard file system APIs.

129
MCQ medium

Refer to the exhibit. You are reviewing an Azure Policy definition. When applied to a subscription, what is the effect of this policy?

A. Audit resources in locations other than eastus or westus
B. Append a tag to resources in eastus or westus
C. Deny deployment of resources in eastus or westus
D. Deny deployment of resources in locations other than eastus or westus
Answer: D

The policy denies if location is not in the allowed list.

Why this answer

Option D is correct. The policy denies any resource deployment if the location is not in the allowedLocations parameter (eastus or westus). Option A is wrong because it audits, not denies.

Option C is wrong because it denies if the location is in the list, not outside. Option B is wrong because it does not append tags.

130
MCQ medium

A company runs a microservices application on Azure Kubernetes Service (AKS). One service needs to securely access an Azure SQL Database. The solution should avoid storing connection strings in code or configuration. What should they use?

A. Azure Key Vault with a secret store CSI driver
B. Virtual machine managed identity
C. Kubernetes secrets
D. Azure AD Pod Identity (aad-pod-identity)
Answer: D

Assigns Azure AD identities to pods for direct authentication.

Why this answer

Azure AD Pod Identity (option D) assigns an Azure AD identity to pods, allowing them to authenticate to Azure SQL without secrets. Option C uses secrets which are stored in Kubernetes. Option B uses managed identities at the VM level, not pod level.

Option A uses Azure Key Vault but still requires initial secret retrieval.

131
MCQ medium

You are designing a solution where an Azure Logic App needs to send emails via Microsoft Graph. The Logic App should authenticate without user interaction. What authentication method should you use?

A. Use a user-assigned managed identity and grant it the Mail.Send application permission
B. Use OAuth 2.0 authorization code grant with a user account
C. Use a service principal and store its client secret in the Logic App configuration
D. Use basic authentication with an email account password
Answer: A

A managed identity with the appropriate application permission allows the Logic App to send mail without user interaction.

Why this answer

Managed identity allows the Logic App to authenticate to Microsoft Graph without credentials, using the system-assigned identity.

132
MCQ easy

You are deploying a multi-tier application: a frontend web app (Azure App Service) that calls a backend API (another Azure App Service). Both apps use Microsoft Entra ID for authentication. The frontend needs to authenticate to the backend on behalf of the signed-in user. You need to configure the OAuth 2.0 flow correctly. You have already registered both applications in Microsoft Entra ID. Which configuration should you apply?

A. In the frontend app registration, grant API permissions for the backend using the 'Delegated permissions' type. In the backend app registration, expose an API scope. The frontend uses the on-behalf-of flow (OBO) to exchange the user's token for a token to call the backend.
B. In the frontend app registration, enable the implicit grant flow for access tokens. The frontend gets a token for the backend directly from the authorization endpoint.
C. In the frontend app registration, set the redirect URI to the backend URL. The frontend uses the authorization code flow to get a token for the backend directly.
D. In the frontend app registration, grant API permissions for the backend using the 'Application permissions' type. In the backend app registration, expose an API scope. The frontend uses the client credentials flow to get a token for the backend.
Answer: A

OBO flow allows the frontend to act on behalf of the user.

Why this answer

Option A is correct because the on-behalf-of flow (OBO) is designed for this scenario: the frontend receives a token for the user, then exchanges it for a token to call the backend. This requires exposing an API in the backend app registration and granting API permissions from the frontend. Option D is wrong because the client credentials flow is for non-interactive scenarios, not on behalf of a user.

Option C is wrong because the authorization code flow alone does not allow the frontend to pass the user's identity to the backend. Option B is wrong because the implicit grant flow is deprecated.

133
Multi-Select easy

You are creating an Azure Functions app that uses a Blob Storage trigger to process new files. The function must process files only when they are completely written (i.e., no ongoing writes). You need to avoid processing partially written files. Which TWO configurations should you consider?

Select 2 answers
A. Increase the 'BatchSize' to reduce the frequency of trigger evaluations.
B. Check the blob's 'LastModified' timestamp in the function code to verify no recent changes.
C. Use a timer-triggered function that lists blobs and processes those with a stable size.
D. Use the 'BlobTrigger' with the 'LeaseBlob' property set to 'True'.
E. Set the 'ScanBlob' property to 'True' in the trigger binding.
Answers: D, E

LeaseBlob ensures the blob is committed and not being written.

Why this answer

Option D is correct because setting the 'LeaseBlob' property to 'True' in the BlobTrigger binding acquires a lease on the blob before processing, ensuring that no other process (including ongoing writes) can modify the blob. This prevents processing partially written files. Option E is correct because setting 'ScanBlob' to 'True' forces the trigger to scan the blob's metadata and content to verify it is complete before firing, which helps avoid triggering on incomplete writes.

Exam trap

The trap here is that candidates often confuse 'BatchSize' or 'LastModified' checks as solutions for partial writes, when in fact the correct native mechanisms are blob leasing and scan verification, which are directly configurable in the trigger binding.

134
MCQ hard

You are developing an ASP.NET Core web API that uses Microsoft Entra ID for authentication via Microsoft.Identity.Web. The application needs to authorize actions based on custom roles such as "Editor" and "Reviewer". These roles are not defined in Microsoft Entra ID app roles or directory roles; instead, they are stored in an application database and can be assigned dynamically by administrators. You need to implement authorization with minimal impact on performance and without modifying the application's authentication flow. Which approach should you use?

A. Add custom claims to the token via Microsoft Entra ID custom claims policies
B. Implement a custom authorization filter that reads the user's roles from the database on each request and caches them
C. Use Microsoft Entra ID app roles and assign them to users or groups
D. Use a custom middleware to modify the User principal after authentication, adding role claims from the database
Answer: D

This adds role claims to the principal early in the pipeline, supports caching, and makes the roles available for all authorization policies without altering the authentication flow.

Why this answer

Option D is correct because it allows you to add role claims from the application database to the User principal after authentication via custom middleware, without altering the authentication flow. This approach leverages the existing Microsoft.Identity.Web authentication pipeline and caches the role claims in the principal, minimizing performance impact by avoiding repeated database lookups on every request.

Exam trap

The trap here is that candidates often confuse custom middleware with authorization filters, assuming both run at the same point in the pipeline, but middleware modifies the principal before authorization runs, while filters run after authentication and can cause redundant database calls if not designed carefully.

How to eliminate wrong answers

Option A is wrong because custom claims policies in Microsoft Entra ID are used to add claims to tokens issued by Entra ID, but they cannot dynamically read roles from an external database; they are static and defined at the tenant level, not suitable for application-specific dynamic roles. Option B is wrong because implementing a custom authorization filter that reads roles from the database on each request would cause a database call for every authorization check, significantly impacting performance even with caching, as the filter runs after authentication and does not modify the principal for downstream use. Option C is wrong because Microsoft Entra ID app roles are static and must be defined in the app manifest and assigned to users or groups in the portal, which does not support dynamically assigning roles from an application database without administrative intervention.

135
MCQ easy

You are developing a solution that uploads large files to Azure Blob Storage. Users report that uploads fail after 4 minutes. You need to ensure uploads can complete successfully. What should you do?

A. Enable soft delete and versioning on the blob container.
B. Use premium block blob storage accounts.
C. Increase the client-side timeout value in the upload request.
D. Increase the storage account scale limit.
Answer: C

The default per-block timeout is 4 minutes; increasing it allows large uploads.

Why this answer

The default client-side timeout for Azure Blob Storage uploads is 4 minutes. When uploading large files, the operation may exceed this timeout, causing the upload to fail. Increasing the client-side timeout value in the upload request extends the allowed duration, ensuring the upload completes successfully.

Exam trap

The trap here is that candidates may confuse client-side timeout with server-side timeout or storage account limits, leading them to choose options like increasing scale limits or using premium storage, which do not address the root cause of the upload failure.

How to eliminate wrong answers

Option A is wrong because enabling soft delete and versioning protects against accidental deletion or overwrites, but does not affect upload timeout limits. Option B is wrong because premium block blob storage accounts offer consistent low-latency and high transaction rates, but they do not change the default client-side timeout for upload operations. Option D is wrong because increasing the storage account scale limit raises throughput or capacity caps, but does not extend the client-side timeout for individual upload requests.

136
MCQ hard

You are building a serverless API using Azure Functions with an HTTP trigger. The API must authenticate requests using Microsoft Entra ID (formerly Azure AD). You need to validate the token in the function code. Which component should you use?

A. Configure the Azure Functions host to use Microsoft Entra ID authentication.
B. Use the Microsoft Authentication Library (MSAL) to validate the token.
C. Use the Microsoft.Identity.Web library to validate the token.
D. Use Azure AD B2C to validate the token.
Answer: C

Microsoft.Identity.Web provides token validation for Microsoft Entra ID tokens.

Why this answer

Option C is correct because Microsoft.Identity.Web is the recommended library for integrating Azure Functions with Microsoft Entra ID. It provides built-in token validation, including signature verification, issuer validation, and audience checking, by leveraging the same middleware used in ASP.NET Core. This library simplifies the process of validating JWT tokens issued by Microsoft Entra ID without requiring manual token parsing or validation logic.

Exam trap

The trap here is that candidates often confuse MSAL (for token acquisition) with token validation libraries, or assume that host-level Easy Auth (Option A) is equivalent to in-code validation, when the question explicitly requires validation within the function code.

How to eliminate wrong answers

Option A is wrong because configuring the Azure Functions host to use Microsoft Entra ID authentication (Easy Auth) offloads authentication to the host layer, but the question specifically requires validating the token in the function code, not at the host level. Option B is wrong because MSAL is designed for acquiring tokens, not for validating them; it does not include token validation APIs, and using it for validation would be incorrect and unsupported. Option D is wrong because Azure AD B2C is a separate identity service for customer-facing applications with custom policies, not the appropriate choice for validating tokens from Microsoft Entra ID in a serverless API.

137
MCQmedium

You are designing a backup solution for a virtual machine. Monthly backups are large VHD files (up to 1 TB) that must be retained for 7 years. After creation, backups are accessed only rarely (once or twice per year). You need to minimize storage cost. Which storage tier should you use for the VHD files?

A.Hot tier
B.Cool tier
C.Archive tier
D.Premium tier
AnswerC

Archive tier provides the lowest storage cost for data that is accessed less than once a year and can tolerate a retrieval time of several hours.

Why this answer

The Archive tier is the correct choice because it offers the lowest storage cost for data that is rarely accessed (once or twice per year) and has a long retention period (7 years). Azure Archive storage is optimized for data that can tolerate a retrieval latency of several hours, which is acceptable given the infrequent access pattern of these monthly backup VHD files.

Exam trap

The trap here is that candidates often choose Cool tier because they see 'backup' and think 'infrequent' but fail to recognize that 'rarely accessed' (once or twice per year) and 'long retention' (7 years) specifically point to Archive tier as the most cost-effective option, not Cool.

How to eliminate wrong answers

Option A is wrong because the Hot tier is designed for frequently accessed data and incurs higher storage costs, making it unsuitable for backups accessed only once or twice per year. Option B is wrong because the Cool tier, while cheaper than Hot, still has higher storage costs than Archive and is intended for data accessed every 30 days or more, not for annual access patterns. Option D is wrong because the Premium tier is for low-latency, high-performance workloads (e.g., I/O-intensive VMs) and has the highest cost, which is wasteful for rarely accessed backup files.

138
MCQhard

You have an Azure Logic App that processes orders. Occasionally, the Logic App fails due to a transient error from a downstream API. You want to automatically retry the failed action after 10 seconds, up to 3 times, with exponential backoff. Which configuration should you set on the action?

A.Set retry policy to default with interval of 10 seconds and count of 3
B.Set retry policy to fixed interval with 10-second delay and 3 retries
C.Set retry policy to none and implement custom retry logic
D.Set retry policy to custom with exponential interval and 3 retries
AnswerA

Default retry policy uses exponential backoff.

Why this answer

Option A is correct because the default retry policy uses exponential backoff and accepts settings for the interval and the retry count. Option B (fixed interval) is not exponential. Option C (none) disables retries. Option D (custom) requires an explicit backoff calculation.

139
MCQhard

A company has an Azure Service Bus namespace with a topic that receives high-throughput messages. They need to ensure that if a subscriber fails, messages are not lost and can be replayed. The subscriber is a client application that uses the PeekLock receive mode. What should they configure?

A.Enable auto-forwarding on the subscription.
B.Set a SQL filter on the subscription.
C.Disable dead-lettering on the subscription.
D.Enable dead-lettering on the subscription.
AnswerD

Dead-letter queue stores messages that fail processing, allowing replay.

Why this answer

Enabling dead-lettering on the subscription (option D) ensures that messages that cannot be processed are moved to a dead-letter queue, where they can be inspected and replayed. Option C disables dead-lettering. Option A enables auto-forwarding, not dead-lettering. Option B sets a filter, which is not relevant.

140
MCQmedium

You are building an IoT solution that generates millions of small log entries (each less than 1 KB) per day. The logs are rarely read, and when they are read, they are always accessed in chronological order. You need to minimize storage costs and maximize write throughput. Which Azure Blob Storage type should you use?

A.Append Blob
B.Block Blob
C.Page Blob
D.Archive Blob
AnswerA

Correct. Append Blobs are designed for efficient append operations and sequential read, and are cost-effective for logging.

Why this answer

Append Blob is optimized for append operations, making it ideal for scenarios like logging where data is continuously added and rarely modified. It supports high-throughput writes because each append operation is atomic and does not require reading or updating existing blocks, which minimizes overhead. Since the logs are accessed in chronological order, Append Blob's sequential block structure allows efficient streaming reads without random access overhead.

Exam trap

The trap here is that candidates often choose Block Blob because it is the most common blob type for general-purpose storage, but they overlook that Append Blob is specifically designed for append-heavy workloads like logging, where write throughput and cost efficiency for small sequential writes are critical.

How to eliminate wrong answers

Option B (Block Blob) is wrong because while it supports high throughput for large objects, it requires managing block IDs and committing blocks, which adds complexity and overhead for millions of small appends; it is not optimized for frequent append-only writes. Option C (Page Blob) is wrong because it is designed for random read/write operations on fixed-size pages (512 bytes), typically used for virtual machine disks, and its write throughput is lower for small sequential appends due to page alignment requirements. Option D (Archive Blob) is wrong because it is a tier for cold data with high latency and no real-time write throughput optimization; it is meant for long-term storage after data is already written, not for active ingestion.

141
MCQhard

You are a developer at a financial services company. You need to design a solution for processing real-time stock trade data. The system receives thousands of trades per second from an on-premises system. Each trade must be validated, enriched with reference data, and then stored in a data lake for analytics. You have the following requirements:

- The processing must be serverless and scale automatically with high throughput.
- The enrichment step requires calling an external REST API that can handle up to 100 requests per second. If the API is overwhelmed, trades must be retried with exponential backoff.
- The solution must minimize cost and operational overhead.
- Trades must be processed in order per stock symbol.

You provision an Azure Event Hubs namespace with a single event hub. Trades are sent to the event hub with the stock symbol as the partition key. You configure an Azure Functions app with an Event Hubs trigger to process events. The function validates, enriches by calling the external API, and writes the enriched trade to Azure Data Lake Storage. During testing, you notice that some trades are processed out of order for the same stock symbol when the external API throttles requests. What should you do to ensure ordering per stock symbol?

A.Use Durable Functions to orchestrate the processing and enforce ordering.
B.Increase the 'maxEventBatchSize' setting to 100 in the host.json file to improve throughput.
C.Set the 'maxEventBatchSize' to 1 in the host.json file to process one event at a time per instance.
D.Use a different partition key such as a unique trade ID to distribute load evenly.
AnswerC

Ensures sequential processing per partition, preserving order.

Why this answer

Option C is correct. To maintain ordering per stock symbol, all events for a given symbol must be processed sequentially by a single function instance. Event Hubs guarantees ordering within a partition.

By using the stock symbol as the partition key, all trades for the same symbol go to the same partition. When the function scales out to multiple instances, the Event Hubs trigger distributes partitions across instances, but each partition is still processed by only one instance at a time. The problem arises when the external API throttles: the function retries the failed event, and other events from the same batch may be processed by the same instance out of order if the function does not wait for the retry to complete before handling the next event.

By setting 'maxEventBatchSize' to 1 in host.json, you ensure that only one event is processed at a time per function instance, preventing out-of-order processing. Option B is wrong because increasing the batch size would increase concurrency within a batch and worsen ordering. Option A is wrong because Durable Functions add complexity and are not needed for simple ordering. Option D is wrong because using a different partition key would scatter events for the same symbol across partitions, breaking ordering.

142
MCQhard

Refer to the exhibit. You are deploying an API in Azure API Management using an ARM template. The API is configured to use OAuth 2.0 authentication. The deployment fails with a validation error. What is the most likely cause?

A.The serviceUrl is not a valid URL.
B.The dependsOn array uses resourceId incorrectly.
C.The protocols array does not include http.
D.The authorization server 'auth-server-1' is not defined in the template.
AnswerD

The dependsOn expects the authorization server resource to exist; if missing, validation fails.

Why this answer

The dependsOn array references an authorization server, but the authorization server resource 'auth-server-1' might not be defined in the template (option D). Option C: the protocols array is correct. Option A: the serviceUrl is valid. Option B: the dependsOn syntax is correct.

143
Matchingmedium

Match each Azure messaging pattern to its description.

Point-to-point messaging for decoupling components

Pub/sub messaging with multiple subscribers

Big data streaming ingestion service

Push notification service for mobile apps

Why these pairings

Azure offers various messaging services for different patterns.

144
MCQmedium

You are building an Azure Logic App that needs to call an external HTTP API secured with OAuth 2.0 Client Credentials flow. The client ID and client secret are stored in Azure Key Vault. You need to obtain an access token and include it in the Authorization header of each request. Which combination of actions should you use within the Logic App?

A.Use an HTTP action with the OAuth 2.0 authentication type. Set the client secret parameter to a secure reference to the Key Vault secret.
B.Use two HTTP actions: first, call the token endpoint with credentials to get a token, then use the token in the second action. Store credentials in a string variable.
C.Use the HTTP action with managed identity authentication.
D.Use the 'Invoke an Microsoft Entra ID protected API' connector with the client credentials grant type.
AnswerA

Logic Apps' built-in OAuth 2.0 authentication for HTTP actions handles token acquisition and renewal. The secret can be securely referenced from Key Vault via a parameter.

Why this answer

Option A is correct because the HTTP action in Azure Logic Apps natively supports the OAuth 2.0 authentication type, which can directly handle the Client Credentials flow. By setting the client secret parameter to a secure reference (e.g., `@Microsoft.KeyVault(SecretUri=...)`) pointing to the secret stored in Azure Key Vault, you avoid exposing credentials in the workflow definition. The Logic Apps runtime automatically retrieves the secret from Key Vault, obtains an access token from the token endpoint, and includes it in the Authorization header of each request without requiring custom token management.

Exam trap

The trap here is that candidates often overcomplicate the solution by manually implementing token acquisition (Option B) or misapplying managed identity (Option C) or prebuilt connectors (Option D), not realizing that the built-in HTTP action's OAuth 2.0 authentication type directly supports the Client Credentials flow with Key Vault integration.

How to eliminate wrong answers

Option B is wrong because storing credentials in a string variable within the Logic App is insecure and defeats the purpose of using Key Vault; it also requires manual token acquisition and renewal, which is error-prone and unnecessary when the built-in OAuth 2.0 authentication type handles it automatically. Option C is wrong because managed identity authentication is designed for Azure AD-protected resources that support managed identities (e.g., Azure Storage, Azure SQL), not for external HTTP APIs secured with OAuth 2.0 Client Credentials flow; it cannot be used to obtain a token for a third-party API that expects a client ID and client secret. Option D is wrong because the 'Invoke an Microsoft Entra ID protected API' connector is a prebuilt connector that works only with APIs registered in the same Azure AD tenant and does not support the Client Credentials grant type with custom client secrets from Key Vault; it is intended for delegated user authentication scenarios, not for service-to-service calls.

145
Multi-Selecthard

A company stores customer images in Azure Blob Storage. They need to reduce costs by automatically moving blobs that have not been accessed for 30 days to Cool tier, and after 90 days to Archive tier. They also need to delete blobs after one year. Which two Azure features should they implement? (Choose two.)

Select 1 answer
A.Azure Blob Storage lifecycle management policy
B.Azure Blob Storage object replication
C.Azure Blob Storage soft delete
D.Azure Blob Storage immutability policy
E.Azure Blob Storage versioning with a retention policy
AnswersA

Lifecycle management policies can automate tier transitions and deletions based on last modified or creation time.

Why this answer

Azure Blob Storage lifecycle management policy is the correct feature because it allows you to define rules to automatically transition blobs to cooler tiers (Cool, Archive) based on the 'last accessed' or 'last modified' time, and to delete blobs after a specified period. This directly meets the requirement to move blobs after 30 days to Cool, after 90 days to Archive, and delete after one year, without manual intervention.

Exam trap

The trap here is that candidates may confuse lifecycle management with soft delete or versioning, thinking those features can also handle automatic tiering and deletion, but they are designed for data protection and recovery, not cost-optimized tier transitions based on age.

146
MCQeasy

You need to ensure that data stored in Azure Blob Storage is encrypted at rest using a customer-managed key stored in Azure Key Vault. Which feature should you configure?

A.Azure Storage encryption with customer-managed keys in Azure Key Vault
B.Azure Disk Encryption (ADE) for the storage account
C.Azure Information Protection (AIP) for the blob container
D.Azure Storage Service Encryption (SSE) with Microsoft-managed keys
AnswerA

This enables encryption at rest using a key stored in Key Vault, meeting the requirement.

Why this answer

Azure Storage encryption with customer-managed keys in Azure Key Vault allows you to use your own encryption keys to protect data at rest in Blob Storage. This feature leverages Azure Storage Service Encryption (SSE) but wraps the data encryption key with a customer-managed key stored in Azure Key Vault, providing full control over key rotation and access policies.

Exam trap

The trap here is that candidates confuse Azure Disk Encryption (ADE) with storage account encryption, or assume that default Microsoft-managed keys satisfy the requirement for customer-managed keys, when in fact you must explicitly configure customer-managed keys in Azure Key Vault.

How to eliminate wrong answers

Option B is wrong because Azure Disk Encryption (ADE) encrypts OS and data disks of virtual machines using BitLocker or DM-Crypt, not the data stored in Azure Blob Storage. Option C is wrong because Azure Information Protection (AIP) classifies and protects documents and emails with labels and rights management, not encryption at rest for blob containers. Option D is wrong because Azure Storage Service Encryption (SSE) with Microsoft-managed keys encrypts data at rest by default, but it does not allow you to use your own customer-managed keys from Azure Key Vault.

147
MCQeasy

You are building an Azure Logic App that must call a third-party REST API. The API requires an API key passed as a query parameter. You need to store the API key securely and automatically add it to each request. Which approach should you use?

A.Hardcode the API key in the Logic App definition.
B.Use Azure Key Vault and the Key Vault connector to retrieve the secret dynamically.
C.Store the API key in an Azure Storage Table and reference it from the Logic App.
D.Use an environment variable in the Logic App.
AnswerB

Key Vault is designed for secure secret storage. The Logic App connector retrieves the secret at runtime without exposing it in code.

Why this answer

Option B is correct because Azure Key Vault provides a secure, centralized service for storing secrets like API keys, and the Key Vault connector in Logic Apps allows you to dynamically retrieve the secret at runtime without exposing it in the workflow definition. This approach ensures the API key is never hardcoded or stored in plaintext, meeting security best practices for accessing third-party APIs.

Exam trap

The trap here is that candidates may think storing the key in an Azure Storage Table or using environment variables is sufficient, but Azure Key Vault is the only option that provides secure, auditable, and managed secret storage with built-in integration for Logic Apps.

How to eliminate wrong answers

Option A is wrong because hardcoding the API key in the Logic App definition exposes the secret in plaintext within the workflow JSON, making it visible to anyone with access to the definition and violating security best practices. Option C is wrong because storing the API key in an Azure Storage Table does not provide encryption at rest by default (unless client-side encryption is implemented), and the key would be stored as plaintext in a table, which is not a secure secret management solution. Option D is wrong because Logic Apps do not support environment variables; this concept is not applicable to Azure Logic Apps, and even if it were, environment variables are not a secure way to store secrets as they can be exposed in logs or configuration files.

148
MCQmedium

You are a developer at a global e-commerce company. The company uses Azure Blob Storage to store product images and customer uploads. The application is deployed in the East US region. You need to design a solution that meets the following requirements:

- Customers upload images (up to 10 MB) that must be immediately accessible worldwide after upload.
- You must minimize egress costs for data transfer from Azure to customers.
- The solution must be resilient to regional outages.
- You must not use any custom caching logic.

Which approach should you implement?

A.Use read-access geo-redundant storage (RA-GRS) and direct customers to the secondary endpoint for reads.
B.Use Premium Block Blob storage in multiple regions and use Traffic Manager for routing.
C.Use Azure CDN from Microsoft with the storage account as origin, and enable geo-replication on the storage account.
D.Use Azure Front Door with caching enabled, and point it to a single Blob Storage account in East US.
AnswerD

Front Door caches at edges, reduces egress, and provides failover to a secondary origin if configured.

Why this answer

Option D is correct. Azure Front Door provides global load balancing and caching at edge locations, reducing latency and egress costs by serving cached content from the closest edge. It also provides regional failover when a secondary origin is configured.

Option C is incorrect because CDN alone does not provide regional failover or origin load balancing. Option A is incorrect because RA-GRS provides a secondary read endpoint but does not cache globally; egress costs are still incurred from the secondary region. Option B is incorrect because Premium Blob Storage does not provide global caching or failover.

149
Multi-Selectmedium

You are deploying a containerized application to Azure Container Instances (ACI). Which TWO actions should you take to ensure the container can securely access an Azure Key Vault?

Select 2 answers
A.Pass secrets as environment variables
B.Enable a managed identity for the container group
C.Mount a volume that maps to a Key Vault secret store
D.Register the container with an Azure AD application
E.Configure a custom DNS server
AnswersB, C

Correct: Managed identity allows secure access to Key Vault.

Why this answer

Option B is correct because enabling a managed identity for the container group allows the container to authenticate to Azure Key Vault without storing any credentials in the container image or code. The managed identity is automatically integrated with Azure AD, and the container can request an access token from the Azure Instance Metadata Service (IMDS) endpoint at 169.254.169.254. This token is then used to authorize requests to Key Vault, ensuring secrets are never exposed in environment variables or configuration files.

Exam trap

The trap here is that candidates often assume environment variables are a secure way to pass secrets, but Azure explicitly recommends against this in ACI because environment variables can be viewed in the container's metadata and logs, whereas managed identities and volume mounts provide secure, auditable access without embedding secrets.

150
MCQmedium

You are developing a solution that uses Azure Table Storage to store time-series data. You need to query data for a specific device within a time range efficiently. Which two properties should you use as the PartitionKey and RowKey?

A.PartitionKey = timestamp, RowKey = reverse deviceId
B.PartitionKey = timestamp, RowKey = deviceId
C.PartitionKey = deviceId, RowKey = timestamp
D.PartitionKey = deviceId, RowKey = reverse timestamp
AnswerC

DeviceId as PartitionKey distributes data evenly; timestamp as RowKey allows efficient time range queries per device.

Why this answer

Option C is correct because using deviceId as the PartitionKey ensures all data for a specific device is stored in the same partition, enabling efficient point queries. Using timestamp as the RowKey allows range queries within a time range for that device, as RowKey is sorted lexicographically within a partition. This design optimizes query performance by minimizing partition scans and leveraging Azure Table Storage's natural ordering.

Exam trap

The trap here is that candidates often assume timestamp should be the PartitionKey for time-series data, but this ignores the need for partition-level query efficiency, leading to costly cross-partition scans instead of single-partition range queries.

How to eliminate wrong answers

Option A is wrong because using timestamp as the PartitionKey scatters data for the same device across multiple partitions, requiring cross-partition queries that are slower and more expensive. Option B is wrong because it also uses timestamp as the PartitionKey, causing the same cross-partition issue, and deviceId as RowKey does not support efficient time-range queries for a specific device. Option D is wrong because using a reversed timestamp as RowKey would sort data in descending order, which breaks natural time-range queries (e.g., BETWEEN) that rely on ascending lexicographic order, and the PartitionKey of deviceId is correct but the RowKey design is suboptimal.
