Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 151–225

997 questions total · 14 pages · All types, answers revealed

Page 3 of 14
151
Multi-Select (hard)

Which THREE considerations are important when designing a solution using Azure API Management (APIM) to secure backend APIs?

Select 3 answers
A. Implement rate limiting to prevent abuse
B. Store backend database credentials in APIM policies
C. Use OAuth2 authentication with Azure AD
D. Use JWT validation policies to verify tokens
E. Disable TLS to improve performance
Answers: A, C, D

Rate limiting protects backend APIs from excessive calls.

Why this answer

Options A, C, and D are correct. APIM can limit requests via rate limiting, authenticate callers with OAuth2 and Azure AD, and validate JWT tokens. Option B (storing backend database credentials in APIM policies) is not a best practice; Option E (disabling TLS) is insecure.

152
MCQ (hard)

Refer to the exhibit. You run the Azure CLI command to retrieve a secret from Azure Key Vault. The output shows the secret metadata but not the secret value. The command returns without error. What is the most likely cause?

A. The secret has expired.
B. The user does not have the Key Vault Secrets Officer role.
C. The secret is in a soft-deleted state.
D. The command output only shows metadata by default; you must specify --query "value" to retrieve the secret value.
Answer: D

The Azure CLI hides secret values by default.

Why this answer

The Azure CLI `az keyvault secret show` command returns the secret metadata (including attributes like id, enabled, created, updated) by default, but does not include the secret value unless you explicitly request it using the `--query "value"` parameter. Since the command completed without error and only metadata was shown, the most likely cause is that the output was not filtered to retrieve the secret value.

Exam trap

The trap here is that candidates assume the command output includes the secret value by default, but Azure CLI intentionally omits it for security, requiring an explicit `--query "value"` to retrieve the actual secret.

How to eliminate wrong answers

Option A is wrong because an expired secret would still return its value if queried; the command would show an error or the secret would be disabled, not silently omit the value. Option B is wrong because the Key Vault Secrets Officer role is required to manage secrets (set, delete, etc.), but reading a secret value requires the Key Vault Secrets User role; a permissions issue would result in a 403 Forbidden error, not a successful command with metadata only. Option C is wrong because a soft-deleted secret would not be returned by the standard `show` command; you would need to use `az keyvault secret show --id <id> --include-soft-deleted` to see it, and the command would not succeed without that flag.

153
MCQ (medium)

An application publishes order events that multiple independent subscribers must process. Subscribers may be added later without changing the publisher. Which Azure messaging service should be used?

A. Azure Blob Storage lifecycle policy
B. Azure Storage Queue
C. Azure Cache for Redis list only
D. Azure Service Bus topic
Answer: D

Service Bus topics support publish-subscribe messaging with independent subscriptions.

Why this answer

Azure Service Bus topics support a publish/subscribe pattern where multiple independent subscribers can each receive a copy of the same message. This decouples the publisher from subscribers, allowing new subscribers to be added later without modifying the publisher. The topic's subscription mechanism ensures each subscriber processes the event independently.

Exam trap

The trap here is that candidates often confuse Azure Storage Queue (point-to-point) with Service Bus topics (pub/sub), mistakenly thinking a queue can serve multiple independent subscribers when it actually requires a single consumer or competing consumers pattern.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage lifecycle policies automate tiering or deletion of blobs based on age, not message delivery to multiple subscribers. Option B is wrong because Azure Storage Queue provides a point-to-point messaging model where a single consumer processes each message, not a broadcast to multiple independent subscribers. Option C is wrong because Azure Cache for Redis list only supports a simple list data structure for point-to-point message queuing (e.g., via LPUSH/BRPOP), lacking the publish/subscribe semantics needed for multiple independent subscribers.

154
MCQ (medium)

You are developing a web application that uses Azure Files shares for storing user documents. Users complain that they sometimes see stale file listings. The application uses the SMB protocol. What should you do to ensure the file listing is always current?

A. Set the SMB_DIRECTORY_CACHE_MAX_AGE registry key to 0 on clients.
B. Enable soft delete for the file share.
C. Switch to using REST API for file listings.
D. Disable CDN caching for the storage account.
Answer: A

This disables directory caching on SMB clients, ensuring fresh listings.

Why this answer

Option A is correct because the SMB protocol caches directory listings on the client side to improve performance. By setting the SMB_DIRECTORY_CACHE_MAX_AGE registry key to 0, you disable this caching, forcing the client to always fetch the latest directory listing from the Azure file share. This ensures that users see current file listings instead of stale cached data.

Exam trap

The trap here is that candidates often confuse client-side caching with server-side features like soft delete or CDN, or assume that switching to a different API (REST) will bypass the caching issue, when in fact the root cause is the SMB protocol's built-in directory cache on the client.

How to eliminate wrong answers

Option B is wrong because soft delete is a data protection feature that recovers accidentally deleted files; it does not affect client-side caching of directory listings. Option C is wrong because switching to the REST API for file listings does not change the client-side SMB caching behavior—the issue is caused by the SMB protocol's directory cache, not the API used. Option D is wrong because CDN caching is for static content delivery and is not involved in SMB-based file share listings; disabling it would not resolve client-side SMB caching.

155
MCQ (easy)

You are using Azure Blob Storage to store large media files. Clients upload files directly to the storage account using SAS tokens. You need to ensure that the SAS token expires 1 hour after creation. Which parameter should you set when generating the SAS token?

A. SignedProtocol (spr)
B. IP range (sip)
C. SignedExpiry (se)
D. SignedStart (st)
Answer: C

SignedExpiry sets the expiration time of the SAS token.

Why this answer

The 'signedexpiry' parameter (se) defines when the SAS token expires; setting it to 1 hour from now meets the requirement. Option A is for the allowed protocols, B is for the IP range, and D is for the start time.

156
MCQ (medium)

You have an Azure Function app that uses an Event Hubs trigger. The function processes events in batches. You notice that some events are being processed more than once. Which setting should you adjust to minimize duplicate processing?

A. Increase the maxRetries per event
B. Enable checkpointing in the function code
C. Increase the event batch size
D. Decrease the prefetch count
Answer: B

Correct: Checkpointing saves the offset so events are not reprocessed.

Why this answer

Option B is correct because checkpointing in Azure Event Hubs stores the offset of the last successfully processed event in a durable store (e.g., Azure Blob Storage). When the function restarts or scales, it resumes from that checkpoint, preventing reprocessing of already-handled events. Without checkpointing, the default behavior may start from the earliest offset or use the `latest` position, leading to duplicate processing.

Exam trap

The trap here is that candidates often confuse retry policies or batch sizes with the checkpointing mechanism, not realizing that duplicate processing in Event Hubs is typically caused by missing or infrequent checkpointing, not by event handling failures.

How to eliminate wrong answers

Option A is wrong because increasing `maxRetries` per event only controls how many times a failed event is retried, not the root cause of duplicate processing from checkpointing gaps. Option C is wrong because increasing the event batch size processes more events per invocation but does not affect whether events are reprocessed after a restart or scaling event. Option D is wrong because decreasing the prefetch count reduces the number of events buffered locally, which can reduce the chance of duplicates from a crash during processing, but it does not address the fundamental need for checkpointing to persist progress across function restarts.

157
MCQ (easy)

Your application stores user profile images in Azure Blob Storage. You need to serve these images to users with low latency from a domain name that you own. What should you use?

A. Enable static website hosting and configure a custom domain directly on the storage account.
B. Create an Azure CDN endpoint with a custom domain and point it to the blob container.
C. Configure a custom domain in Azure DNS and point it to the storage account endpoint.
D. Use Azure Front Door with a custom domain.
Answer: B

Azure CDN provides low-latency content delivery with custom domain support.

Why this answer

Option B is correct because Azure CDN provides global edge caching, which reduces latency for serving static images from Blob Storage. By configuring a custom domain on the CDN endpoint, you can serve content under your own domain name while benefiting from CDN acceleration. This combination addresses both the low-latency requirement and the custom domain ownership.

Exam trap

The trap here is that candidates often confuse Azure CDN with Azure Front Door or static website hosting, assuming any custom domain on a storage account automatically provides low latency, but only CDN adds the necessary edge caching layer for static blob content.

How to eliminate wrong answers

Option A is wrong because enabling static website hosting on a storage account serves static content (e.g., HTML, JS) but does not inherently provide low-latency edge caching; it only allows a custom domain for the static website endpoint, not for blob containers. Option C is wrong because pointing a custom domain in Azure DNS directly to the storage account endpoint (e.g., via a CNAME record) bypasses any caching layer, resulting in higher latency for users far from the storage account's primary region. Option D is wrong because Azure Front Door is a global load balancer and application delivery service optimized for HTTP(S) traffic with advanced routing and WAF, which is overkill for simple static image serving and incurs higher cost and complexity compared to CDN.

158
Multi-Select (easy)

Which TWO Azure services can be used to implement a publish-subscribe messaging pattern?

Select 2 answers
A. Azure Queue Storage
B. Azure Event Grid
C. Azure Notification Hubs
D. Azure Service Bus Topics
E. Azure Event Hubs
Answers: B, D

Event Grid supports pub-sub with event subscriptions.

Why this answer

Azure Service Bus Topics and Azure Event Grid both support publish-subscribe. Event Hubs is for event streaming, not pub-sub. Queue Storage is for point-to-point messaging.

Notification Hubs is for push notifications.

159
Multi-Select (easy)

Which TWO Azure services can be used to trigger an Azure Function in response to a new blob being added to an Azure Storage account? (Choose two.)

Select 2 answers
A. HTTP trigger
B. Queue trigger
C. Timer trigger
D. Azure Blob Storage trigger
E. Azure Event Grid subscription
Answers: D, E

Built-in trigger for blob events.

Why this answer

The Azure Blob Storage trigger (D) and an Azure Event Grid subscription (E) can trigger functions on blob creation. The HTTP trigger (A) is for HTTP requests, the Queue trigger (B) is for queue messages, and the Timer trigger (C) is time-based.

160
MCQ (hard)

You are deploying this ARM template. After deployment, you want to ensure that all traffic to the storage account uses HTTPS. However, you notice that HTTP requests are still accepted. What is the most likely reason?

A. The property 'supportsHttpsTrafficOnly' is misspelled
B. The storage account's network rules allow HTTP traffic from certain IP addresses
C. The property should be set on the blob service, not the storage account
D. The API version does not support this property
Answer: B

Network ACLs can override the HTTPS enforcement for specific sources.

Why this answer

Option B is correct. The property 'supportsHttpsTrafficOnly' only enforces HTTPS for the storage account's endpoints, but the default action for public network access is Allow, so HTTP requests from allowed networks are accepted. Option A is wrong because the property is spelled correctly. Option C is wrong because the property is correctly set on the storage account. Option D is wrong because the API version is fine.

161
Multi-Select (medium)

Which THREE features are supported by Azure Container Apps? (Select three.)

Select 3 answers
A. Virtual network (VNet) injection.
B. Mounting Azure NetApp Files volumes.
C. Event-driven scaling using KEDA.
D. Blue-green deployment with revisions.
E. Integration with Dapr (Distributed Application Runtime).
Answers: C, D, E

KEDA is integrated for scaling based on events.

Why this answer

Azure Container Apps uses KEDA (Kubernetes Event-Driven Autoscaling) to scale containers based on event-driven metrics such as queue depth, HTTP request count, or custom Prometheus metrics. This allows containers to scale to zero when idle and scale out rapidly based on real-time demand, making it ideal for event-driven workloads.

Exam trap

The trap here is that candidates often confuse Azure Container Apps with Azure Kubernetes Service (AKS) and assume VNet injection and NetApp Files are supported, but Container Apps abstracts the underlying Kubernetes layer and restricts these advanced networking and storage features.

162
MCQ (hard)

Refer to the exhibit. You run the Azure CLI command to list blobs in a container that are larger than 1 MB. The command returns no results even though you know there are blobs larger than 1 MB. What is the most likely cause?

A. The JMESPath query uses backticks incorrectly
B. The storage account has hierarchical namespace enabled (Azure Data Lake Storage Gen2)
C. The --container-name parameter is case-sensitive
D. The --account-name parameter is incorrect
Answer: B

When hierarchical namespace is enabled, the blob list output uses a different schema; the 'properties' object may not exist or be structured differently, causing the query to fail.

Why this answer

The Azure CLI command uses the `az storage blob list` command with a JMESPath query to filter blobs larger than 1 MB. However, when a storage account has hierarchical namespace enabled (Azure Data Lake Storage Gen2), the blob listing API returns directory entries and file entries in a flat list, but the `az storage blob list` command does not support the hierarchical namespace by default. The command may return no results because the underlying REST API (Blob Service REST API) does not properly enumerate blobs in a Data Lake Storage Gen2 account without using the `--use-hierarchical-namespace` flag or the `az storage fs file list` command instead.

This is a known limitation where the standard blob list operation fails to list files in a hierarchical namespace-enabled account.

Exam trap

Microsoft often tests the distinction between Azure Blob Storage and Azure Data Lake Storage Gen2, specifically that the `az storage blob list` command does not work as expected in hierarchical namespace accounts, leading candidates to overlook the storage account type as the root cause.

How to eliminate wrong answers

Option A is wrong because backticks in JMESPath queries are used correctly in the command to denote a comparison value; the issue is not with backtick syntax but with the storage account type. Option C is wrong because the `--container-name` parameter in Azure CLI is not case-sensitive; container names are lowercase by convention but the CLI handles them case-insensitively. Option D is wrong because if the `--account-name` parameter were incorrect, the command would fail with an authentication or resource-not-found error, not return an empty result set.

163
MCQ (medium)

Your web app running on Azure App Service requires access to a storage account using managed identity. You enable the system-assigned managed identity on the App Service and assign the 'Storage Blob Data Contributor' role at the storage account scope. However, the app receives 403 errors when trying to read blobs. What is the most likely cause?

A. The managed identity token is being requested with the wrong audience. You need to specify 'https://storage.azure.com' as the resource.
B. Managed identity is not supported for Azure App Service; use a connection string instead.
C. The role assignment has not propagated yet; wait 30 minutes.
D. The storage account has a firewall rule that blocks the App Service outbound IPs.
Answer: A

App Service's default token endpoint uses Azure Resource Manager audience; storage requires a specific audience.

Why this answer

Option A is correct because when using managed identity with Azure Storage, the access token must be requested with the correct audience (resource). For Azure Blob Storage, the audience must be 'https://storage.azure.com'. If the app requests the token with a different audience (e.g., the default Azure Resource Manager endpoint 'https://management.azure.com'), the token will be rejected by the storage service, resulting in a 403 error despite the role assignment being in place.

Exam trap

The trap here is that candidates assume the role assignment alone is sufficient, overlooking that the token's audience must match the target service (storage vs. management), which is a subtle but critical detail in managed identity authentication flows.

How to eliminate wrong answers

Option B is wrong because managed identity is fully supported for Azure App Service; it is a recommended best practice over connection strings for security. Option C is wrong because role assignments for managed identities typically propagate within a few minutes, not 30 minutes; waiting 30 minutes is unnecessary and not the cause of the 403 error. Option D is wrong because firewall rules blocking outbound IPs would cause a network-level failure (e.g., timeout or connection refused), not a 403 authorization error; a 403 indicates the request reached the storage account but was denied due to invalid credentials or permissions.

164
Multi-Select (medium)

You are designing a solution that uses Azure Functions to process messages from an Azure Service Bus queue. Which TWO configurations can improve the throughput of the function?

Select 1 answer
A. Set maxDeliveryCount to a higher value
B. Set maxMessagesPerBatch to a higher value
C. Set newBatchThreshold to a lower value
D. Set maxMessagesPerBatch to a lower value
E. Set maxEventBatchSize to a higher value
Answers: B

Correct: Allows more messages per function execution.

Why this answer

Increasing maxMessagesPerBatch allows the Azure Functions Service Bus trigger to retrieve more messages in a single batch from the queue, reducing the number of round trips to the Service Bus namespace. This directly improves throughput by enabling the function to process multiple messages concurrently within the same function invocation, assuming the function code can handle parallel processing efficiently.

Exam trap

The trap here is that candidates confuse maxMessagesPerBatch with maxEventBatchSize, which is specific to Event Hubs, or assume that lowering thresholds like newBatchThreshold improves throughput when it actually increases fetch frequency and overhead.

165
MCQ (medium)

You are deploying a sensitive configuration to Azure Container Instances. The configuration must be encrypted at rest and not visible in the container logs. What should you use?

A. Environment variables in the container group
B. Azure Key Vault with managed identity and secret volumes
C. Azure Files volume mounted into the container
D. ConfigMap in a Kubernetes cluster
Answer: B

Correct. This approach ensures secrets are encrypted in Key Vault, mounted as volumes, and not exposed in logs.

Why this answer

Azure Key Vault with managed identity and secret volumes is the correct choice because it allows you to mount secrets as files into the container without exposing them in environment variables or logs. The secrets are encrypted at rest in Key Vault and are only accessible via a managed identity assigned to the container group, ensuring the configuration remains secure and invisible in container logs.

Exam trap

The trap here is that candidates often choose environment variables (Option A) because they are easy to implement, but they overlook the requirement that the configuration must not be visible in container logs, which environment variables inherently violate.

How to eliminate wrong answers

Option A is wrong because environment variables in the container group are visible in the container logs and can be exposed through the Azure portal or CLI, failing the requirement to not be visible in logs. Option C is wrong because Azure Files volumes are not encrypted at rest by default (unless using Azure Storage Service Encryption, but the configuration data would still be visible in the container's file system and potentially in logs if accessed). Option D is wrong because ConfigMap is a Kubernetes concept and does not apply to Azure Container Instances, which is a serverless container service without Kubernetes orchestration.

166
Multi-Select (medium)

You need to design a solution to securely store and access secrets (e.g., API keys, connection strings) for a set of Azure Functions. The solution must minimize administrative overhead and avoid storing secrets in code or configuration files. Which THREE should you include? (Choose three.)

Select 3 answers
A. Store secrets in Azure Key Vault
B. Store secrets in application settings as plain text
C. Use Azure App Configuration for feature flags
D. Assign a managed identity to each function app
E. Enable Key Vault soft-delete and purge protection
Answers: A, D, E

Key Vault is the recommended service for storing secrets securely.

Why this answer

Azure Key Vault is the correct service for securely storing secrets like API keys and connection strings because it provides centralized, hardware-backed secret management with access policies and auditing. By referencing Key Vault secrets from Azure Functions via a managed identity, you avoid storing secrets in code or configuration files, which aligns with the requirement to minimize administrative overhead and eliminate plaintext secrets.

Exam trap

The trap here is that candidates often confuse Azure App Configuration with a secret store, but App Configuration is for feature flags and non-sensitive configuration, while Key Vault is the dedicated service for secrets, and managed identities are required to access it securely without storing credentials.

167
MCQ (easy)

Your company stores sensitive financial documents in Azure Blob Storage. You need to ensure that only authorized users can access the blobs, and you must avoid exposing storage account keys. You want to generate time-limited URLs that grant access to specific blobs. What should you use?

A. Shared Access Signatures (SAS)
B. Storage account access keys
C. Azure role-based access control (RBAC)
D. Managed identities for Azure resources
Answer: A

SAS tokens provide time-limited, delegated access to specific blobs.

Why this answer

Option A is correct because Shared Access Signatures (SAS) allow you to grant time-limited, specific permissions to a blob without exposing account keys. Option B is incorrect because storage account keys grant full access to the account. Option C is incorrect because Azure RBAC does not provide time-limited, delegated access to a specific blob.

Option D is incorrect because managed identities are used for service-to-service authentication, not for generating time-limited URLs.

168
MCQ (medium)

You deploy the ARM template shown in the exhibit. After deployment, you need to change the replication to geo-redundant storage (GRS) with read access (RA-GRS). What should you do?

A. Redeploy the same template; Standard_GRS already provides geo-redundancy.
B. Set the 'supportsHttpsTrafficOnly' property to false.
C. Change the 'accessTier' to 'Cool'.
D. Update the 'sku.name' to 'Standard_RAGRS' and redeploy.
Answer: D

Standard_RAGRS provides read-access geo-redundant storage.

Why this answer

Option D is correct because the ARM template initially deploys a storage account with 'Standard_GRS' (geo-redundant storage), but to enable read access to the secondary region (RA-GRS), you must change the SKU name to 'Standard_RAGRS'. Redeploying the template with this updated property updates the replication setting to RA-GRS, which provides both geo-redundancy and read access to the secondary endpoint.

Exam trap

The trap here is that candidates confuse 'Standard_GRS' (which already provides geo-redundancy) with 'Standard_RAGRS', not realizing that read access to the secondary region requires an explicit SKU change, not just a property toggle.

How to eliminate wrong answers

Option A is wrong because 'Standard_GRS' provides geo-redundancy but does not allow read access to the secondary region; you need 'Standard_RAGRS' for read access. Option B is wrong because the 'supportsHttpsTrafficOnly' property controls whether HTTPS is required for storage account access, not replication type. Option C is wrong because changing the 'accessTier' to 'Cool' affects blob storage pricing and performance, not the replication strategy.

169
MCQ (medium)

Your company develops a microservices application deployed to Azure Kubernetes Service (AKS). You need to enable secure communication between services using managed identities. Which Azure service should you use to manage the identities and access control for the pods?

A. Azure Service Bus
B. Microsoft Entra Workload ID
C. Azure Key Vault
D. Azure Policy
Answer: B

Entra Workload ID (formerly Azure AD Pod Identity) assigns managed identities to AKS pods for secure service-to-service communication.

Why this answer

Microsoft Entra Workload ID (formerly Azure AD Workload Identity) is the correct choice because it integrates with Kubernetes to automatically project an Azure AD-managed identity into each pod. This allows pods to authenticate to Azure resources (e.g., Key Vault, Storage) without managing secrets, using federated identity credentials that map a Kubernetes service account to an Azure AD application or user-assigned managed identity.

Exam trap

The trap here is that candidates often confuse Azure Key Vault (a secret store) with identity management, but Key Vault cannot authenticate pods—it requires an identity service like Workload ID to grant access to its secrets.

How to eliminate wrong answers

Option A is wrong because Azure Service Bus is a message broker for decoupling applications, not an identity or access control service for pods. Option C is wrong because Azure Key Vault stores secrets, keys, and certificates but does not manage identities or provide pod-level authentication; it relies on an identity service like Workload ID to grant access. Option D is wrong because Azure Policy enforces compliance rules on Azure resources (e.g., requiring TLS) but cannot assign or manage managed identities for AKS pods.

170
MCQ (easy)

Your web app needs to authenticate users with Microsoft Entra ID (formerly Azure AD). Which OAuth 2.0 flow should you use for a single-page application (SPA) that uses MSAL.js?

A. Client credentials flow
B. Authorization code flow with PKCE
C. Implicit flow
D. Resource owner password credentials flow
Answer: B

PKCE provides secure token exchange for SPAs.

Why this answer

The authorization code flow with PKCE (Option B) is the recommended OAuth 2.0 flow for SPAs. Option A is wrong because the client credentials flow is for daemon apps. Option C is wrong because the implicit flow is deprecated.

Option D is wrong because the resource owner password credentials flow is not recommended.

171
MCQ (medium)

An app must store relational state and perform transactions across multiple tables with T-SQL support. Which Azure data service should the developer choose?

A. Azure Queue Storage
B. Azure SQL Database
C. Azure Cache for Redis
D. Azure Blob Storage
Answer: B

Azure SQL Database supports relational schema, T-SQL, and transactions.

Why this answer

Azure SQL Database is a fully managed relational database service that supports T-SQL and ACID transactions across multiple tables, making it the correct choice for storing relational state and performing transactional operations. It provides built-in high availability, automatic backups, and elastic scaling, which are essential for enterprise applications requiring consistent, multi-table transactions.

Exam trap

The trap here is that candidates often confuse Azure SQL Database with Azure Storage services (Blob, Queue, Cache) because all fall under the 'Azure storage' domain, but only Azure SQL Database provides relational, T-SQL-based transactional capabilities.

How to eliminate wrong answers

Option A is wrong because Azure Queue Storage is a message queuing service for asynchronous communication, not a relational database; it does not support T-SQL or multi-table transactions. Option C is wrong because Azure Cache for Redis is an in-memory data store used for caching and session state, lacking relational capabilities, T-SQL support, and transactional integrity across tables. Option D is wrong because Azure Blob Storage is an object storage service for unstructured data (blobs), not a relational database; it cannot execute T-SQL queries or enforce ACID transactions across tables.

172
MCQ (medium)

Your company uses Azure App Service to host a web application that requires periodic database maintenance. The maintenance tasks are time-consuming and must run outside of peak hours. You need to schedule these tasks to run automatically at 2:00 AM every Sunday. The tasks should be implemented as an Azure Function that runs in the same App Service plan to reduce costs. What should you do?

A. Deploy the maintenance code as an Azure Function in the Consumption plan and configure a timer trigger.
B. Create a separate Azure Function App in the same App Service plan and configure a timer trigger.
C. Add a WebJob to the App Service that uses a scheduled trigger to run the maintenance code.
D. Use Azure Logic Apps with a recurrence trigger to call the web application's maintenance endpoint.
Answer: C

WebJobs can be scheduled and run within the same App Service plan at no extra cost.

Why this answer

Option C is correct because WebJobs in Azure App Service allow you to run background tasks on a schedule using a settings.job file with a CRON expression. Since the WebJob runs in the same App Service plan as the web application, it shares the same resources and incurs no additional cost, meeting the requirement to reduce costs. The scheduled trigger at 2:00 AM every Sunday can be configured with the CRON expression '0 0 2 * * 0'.

Exam trap

The trap here is that candidates often confuse Azure Functions with WebJobs, assuming that a timer-triggered Azure Function in the same plan is the correct choice, but they overlook that WebJobs are the native, cost-effective way to run scheduled background tasks within an existing App Service without creating a separate Function App resource.

How to eliminate wrong answers

Option A is wrong because deploying the Azure Function in the Consumption plan would incur separate costs and does not run in the same App Service plan, violating the cost-reduction requirement. Option B is wrong because creating a separate Azure Function App in the same App Service plan still requires a separate Function App resource, which adds management overhead and does not leverage the existing App Service's built-in WebJob feature for cost efficiency. Option D is wrong because Azure Logic Apps is a separate service with its own pricing model, and using it to call a maintenance endpoint would introduce additional costs and complexity, not reducing costs as required.

173
MCQeasy

You are developing an application that needs to store and retrieve large binary objects (up to 5 TB) in Azure Blob Storage. The application requires the ability to access data from any URL via HTTP/HTTPS. Which Blob Storage access tier should you use?

A.Hot
B.Archive
C.Cool
D.Premium
AnswerA

Hot tier is optimized for frequent access and supports instant retrieval via HTTP/HTTPS.

Why this answer

Option A is correct because the Hot tier is optimized for frequent access and supports instant retrieval, which matches the requirement for accessing data from any URL. Option C is wrong because the Cool tier is for infrequent access with a 30-day minimum storage duration and higher access costs. Option B is wrong because the Archive tier is for rarely accessed data with hours-long retrieval latency, not suitable for instant HTTP access.

Option D is wrong because the Premium tier is for low-latency, high-transaction scenarios and is more expensive, not necessary for this use case.

174
MCQhard

Your Azure Function app needs to call a third-party REST API that requires OAuth 2.0 client credentials flow. The API expects a JWT token signed with a client certificate. You want to store the certificate securely and rotate it automatically. Which Azure service and feature should you use?

A.Store the certificate in Azure Cosmos DB as a document, and retrieve it using the Cosmos DB SDK.
B.Store the certificate in Azure Key Vault with automatic rotation enabled, and use Managed Identity to access it from the Function app.
C.Store the certificate in Azure App Service as a TLS/SSL binding, and use the WEBSITE_LOAD_CERTIFICATES app setting.
D.Store the certificate in Azure Storage as a blob, and reference it from the Function app using a SAS token.
AnswerB

Key Vault supports certificate auto-rotation, and Managed Identity provides secure access without secrets.

Why this answer

Azure Key Vault can store the certificate, and the Managed Identity of the Function app can authenticate to Key Vault. Automatic rotation requires Key Vault's certificate auto-rotation feature. Option B is the best combination.

175
MCQmedium

You are developing a serverless API using Azure Functions. The API should only be accessible from a specific virtual network. You need to configure network security. What should you do?

A.Place the Functions in Azure API Management and configure IP restrictions.
B.Configure IP address restrictions on the Function App to allow only the VNet's public IP range.
C.Deploy the Function App in a Premium plan and configure VNet integration, then use a Network Security Group to restrict traffic.
D.Configure a private endpoint for the Function App and disable public access.
AnswerC

VNet integration allows the function app to access resources in the VNet and restrict inbound traffic.

Why this answer

Azure Functions Premium plan supports VNet integration. You can enable VNet integration and then use network security groups (NSG) or service endpoints to restrict access. Option C is correct.

Option A is wrong because Azure API Management is a separate service. Option B is wrong because App Service access restrictions can be used but VNet integration is more appropriate. Option D is wrong because private endpoints are for inbound access from a VNet, but Functions Premium also supports VNet integration.

176
Multi-Selecthard

A production API needs proactive alerting for high telemetry cost. Which two elements are required for a useful Azure Monitor alert?

Select 2 answers
A.A signal or metric/log query that detects the condition
B.A public IP address on the app
C.A manually exported CSV report
D.An action group for notification or automation
AnswersA, D

The alert rule must evaluate a metric or query that represents the problem.

Why this answer

Option A is correct because an Azure Monitor alert requires a signal—either a metric (e.g., number of API calls) or a log query (e.g., Application Insights traces)—that defines the condition to detect high telemetry cost. Without this signal, the alert has no data source to evaluate against a threshold or pattern, making proactive detection impossible.

Exam trap

The trap here is that candidates often confuse the components needed for an alert (signal and action group) with unrelated infrastructure details like IP addresses or manual exports, leading them to select options that are not part of the alert definition.

177
MCQeasy

You have an Azure Storage account that hosts blobs for a public website. You need to grant a partner application read-only access to a specific container for 24 hours without using a storage account key. What should you create?

A.A shared access signature (SAS) URI with read permission and expiry set to 24 hours
B.An access policy for the container with read permission
C.A storage account key
D.A managed identity for the partner application
AnswerA

SAS provides time-limited, scoped access without exposing the account key.

Why this answer

A shared access signature (SAS) URI with read permission and a 24-hour expiry provides time-limited, delegated access to a specific container without exposing the storage account key. This meets the requirement for read-only access for exactly 24 hours, as the SAS token can be scoped to a single container and its permissions set to read.

Exam trap

The trap here is that candidates often confuse a stored access policy (Option B) with a SAS, not realizing that a policy alone does not grant access—it only defines constraints that a SAS must reference, and without a SAS token, no access is provided.

How to eliminate wrong answers

Option B is wrong because an access policy (stored access policy) alone does not grant access; it must be combined with a SAS to enforce permissions and expiry, and it cannot be used directly to grant time-limited access without a SAS token. Option C is wrong because using a storage account key would grant full administrative access to the entire storage account, not read-only access to a specific container, and violates the requirement to avoid using a storage account key. Option D is wrong because a managed identity is used for Azure resources to authenticate to Azure services without credentials, but it cannot be assigned to an external partner application and does not provide a time-limited, scoped access token for a specific container.

178
MCQmedium

You are designing a solution that needs to react to changes in an Azure Cosmos DB container in real-time. Whenever a new document is inserted or updated, a downstream service must be triggered to process the change. You want to build a serverless solution that reliably captures each change exactly once. Which Azure Cosmos DB feature should you use?

A.Stored procedures
B.T-SQL queries
C.Change feed
D.Triggers
AnswerC

The change feed provides a sequential log of changes to items in a container. Azure Functions can bind to the change feed to trigger on each change, enabling reliable real-time processing.

Why this answer

The Change feed in Azure Cosmos DB is designed to capture document-level changes (inserts and updates) in the order they occur and provides an event-driven, serverless mechanism to reliably process each change exactly once. It integrates natively with Azure Functions, enabling real-time reactions without polling or custom tracking.

Exam trap

The trap here is that candidates confuse Change feed with triggers, but triggers are synchronous and transactional, whereas Change feed provides an asynchronous, at-least-once (with idempotent handling) stream designed for event-driven architectures.

How to eliminate wrong answers

Option A is wrong because stored procedures are transactional scripts executed within the database engine, not designed for capturing or streaming changes to downstream services. Option B is wrong because T-SQL queries are used for ad-hoc data retrieval and do not provide a continuous, ordered stream of changes. Option D is wrong because triggers in Cosmos DB are pre- or post-operation hooks that run within the same transaction scope, not for decoupled, exactly-once event delivery to external services.

179
Multi-Selecthard

A company stores sensitive customer data in Azure Blob Storage. They require that all access to the storage account be logged and that any access from outside the corporate network be denied. They also need to allow read access from a specific Azure web app without exposing the storage account publicly. Which three actions should be taken? (Choose three.)

Select 3 answers
A.Enable Azure Defender for Storage
B.Enable diagnostic settings for the storage account and send logs to a Log Analytics workspace
C.Assign the 'Storage Blob Data Reader' role to the web app's managed identity
D.Configure the storage account firewall to allow access only from the virtual network/subnet of the web app
E.Generate a SAS token and store it in the web app's configuration
AnswersB, C, D

This captures all requests and fulfills the logging requirement.

Why this answer

Option B is correct because enabling diagnostic settings for the storage account and sending logs to a Log Analytics workspace captures all access logs (including read, write, and delete operations) as required by the scenario. This satisfies the logging requirement without exposing the storage account publicly, as logs are sent over the Azure backbone network.

Exam trap

The trap here is that candidates often confuse Azure Defender for Storage (a security monitoring service) with diagnostic logging, or they incorrectly assume that a SAS token is the only way to grant access to a web app, overlooking managed identity and role-based access control (RBAC).

180
Multi-Selecthard

An API receives JWT access tokens from Microsoft Entra ID. Which two token properties should the API validate before accepting a request?

Select 2 answers
A.Issuer and signature are valid for the trusted tenant
B.The user's display name is present
C.Token audience matches the API application ID URI or client ID
D.The token was sent in a query string
AnswersA, C

Issuer and signature validation confirms the token came from the expected identity provider.

Why this answer

Option A is correct because the API must validate that the JWT's issuer (iss) claim matches the trusted tenant's issuer URL (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0) and that the token's cryptographic signature is valid, ensuring the token was issued by Microsoft Entra ID and hasn't been tampered with. This prevents token forgery and tokens from untrusted tenants.

Exam trap

The trap here is that candidates confuse optional user claims (like display name) with mandatory security claims (iss, aud, signature), or think token transport method (query string vs. header) is a validation property rather than a security best practice.

181
Multi-Selecthard

Which TWO of the following are correct about Azure Cosmos DB consistency levels?

Select 2 answers
A.Strong consistency provides the highest availability.
B.Strong consistency is available in all Azure regions.
C.Session consistency is the default consistency level for all new Cosmos DB accounts.
D.Bounded staleness consistency is the default consistency level.
E.Eventual consistency is the default consistency level for all new Cosmos DB accounts.
AnswersB, E

Strong consistency is supported globally.

Why this answer

Option B is correct because Strong consistency is available in all Azure regions when the Cosmos DB account is configured to use it. However, it is important to note that Strong consistency cannot be combined with multi-region writes; it only supports a single write region. This ensures that all reads return the most recent write, but it comes at the cost of higher latency and reduced availability during regional outages.

Exam trap

Microsoft often tests the misconception that Strong consistency provides high availability, when in reality it sacrifices availability for consistency, and that Session consistency is not the default, leading candidates to incorrectly select Bounded staleness or Eventual consistency as defaults.

182
MCQmedium

You are developing a solution that processes orders from an e-commerce website. The order processing logic is CPU-intensive and can take up to 30 seconds per order. You need to ensure that the web front-end remains responsive and that orders are processed reliably. What should you use?

A.Use Azure WebJobs to process orders in the same App Service plan.
B.Add orders to Azure Queue Storage and process them using a background worker role.
C.Use Azure Service Bus Queues with sessions for order processing.
D.Use Azure Functions with Durable Functions to manage order processing state.
AnswerB

Queue Storage decouples the front-end from processing, ensuring responsiveness and reliability.

Why this answer

Option B is correct because Azure Queue Storage provides a reliable, asynchronous message-passing mechanism that decouples the CPU-intensive order processing from the web front-end. By adding orders to a queue and processing them with a background worker (e.g., a WebJob or Worker Role), the web front-end remains responsive, and the queue ensures at-least-once delivery and durability, even if the worker fails or restarts.

Exam trap

The trap here is that candidates often choose Azure Service Bus Queues (Option C) because they assume 'reliable' messaging requires a premium service, but Azure Queue Storage is fully reliable for this scenario and simpler/cheaper, while sessions are a red herring for unordered processing.

How to eliminate wrong answers

Option A is wrong because running CPU-intensive work in the same App Service plan (via WebJobs) can still compete for resources (CPU, memory) with the web front-end, potentially causing responsiveness issues; it does not truly decouple the workload. Option C is wrong because Azure Service Bus Queues with sessions are designed for ordered, grouped message processing (e.g., FIFO per session), but the scenario does not require session-based ordering or grouping—simple reliable queuing suffices, and Service Bus adds unnecessary complexity and cost. Option D is wrong because Durable Functions are optimized for orchestrating long-running, stateful workflows with checkpoints, not for simple CPU-intensive batch processing; they introduce overhead for state management and are not the simplest or most cost-effective solution for this use case.

183
MCQeasy

You are building an API that needs to validate JWT tokens issued by Microsoft Entra ID. The API is registered as an application in Entra ID. Which endpoint should the API use to obtain the signing keys?

A.https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
B.https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
C.https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
D.https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys
AnswerD

This endpoint returns the public keys used to sign tokens.

Why this answer

The OpenID Connect discovery endpoint (well-known/openid-configuration) provides metadata, including the jwks_uri, which points to the keys endpoint. Option A is wrong because the token endpoint issues tokens. Option B is wrong because the authorize endpoint is for user authentication.

Option C is wrong because the metadata endpoint for Microsoft Entra ID is correct but the question asks for the endpoint to get signing keys; the jwks_uri is obtained from the discovery endpoint.
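The checks from questions 180 and 183 (signature against a key the API trusts, then issuer, audience and validity window) as a runnable example. This is added code, not part of the question bank or of any Microsoft SDK. Entra ID signs tokens with RS256 and publishes the public keys at the keys endpoint advertised as jwks_uri; to stay runnable with the Python standard library only, the example stands in a constructed HS256 secret keyed by `kid` for that JWKS lookup, and the issuer and audience values are placeholders. The claim checks are the same ones an RS256 validator performs.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed trust configuration (assumed values, not taken from the question bank):
# the issuer of the tenant the API trusts and the API's own audience.
TRUSTED_ISSUER = "https://login.microsoftonline.com/{tenant-id}/v2.0"
API_AUDIENCE = "api://example-api"  # placeholder application ID URI

# Stand-in for the JWKS lookup: a constructed HS256 secret per key id.
# Real Entra tokens are RS256; the lookup would return the matching public key.
SIGNING_KEYS = {"kid-demo-1": b"constructed-demo-secret"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, kid: str) -> str:
    """Build a compact JWS (header.payload.signature) for sample input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims of an acceptable token, otherwise raise ValueError.

    Signature first (against a key the API trusts for the declared kid),
    then issuer, audience and validity window.  Nothing in the payload is
    trusted until the signature check has passed.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject 'none' and any unexpected algorithm
        raise ValueError("unexpected alg")
    key = SIGNING_KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown signing key")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != API_AUDIENCE:
        raise ValueError("audience mismatch")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("outside validity window")
    return claims


def rejection_reason(token: str, now: float) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_token(token, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = mint_token({"iss": TRUSTED_ISSUER, "aud": API_AUDIENCE,
                       "nbf": 0, "exp": 2000, "sub": "user-1"}, "kid-demo-1")
    print(rejection_reason(good, now=1000))      # None: accepted
    wrong_aud = mint_token({"iss": TRUSTED_ISSUER, "aud": "api://other-api",
                            "nbf": 0, "exp": 2000}, "kid-demo-1")
    print(rejection_reason(wrong_aud, now=1000))  # audience mismatch
```

The audience check is what stops a token legitimately issued to a different API in the same tenant from being replayed against this one; the issuer check is what stops a validly signed token from another tenant. Both are independent of the transport (header versus query string), which is why the transport is not a validation property.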

184
MCQmedium

You are developing a microservice that needs to publish events to multiple subscribers. Each subscriber should receive the event independently and at its own pace. The event must be retained for up to 7 days. Which Azure messaging service should you use?

A.Azure Service Bus queue
B.Azure Service Bus topic
C.Azure Event Grid
D.Azure Event Hubs
AnswerC

Event Grid supports pub/sub with independent subscribers and retention up to 7 days.

Why this answer

Option C is correct because Event Grid supports event publishing to multiple subscribers, each receiving the event independently, and has a retention period of up to 7 days by default (configurable up to 7 days). Option A is wrong because Service Bus queues are for point-to-point communication, not pub/sub. Option D is wrong because Event Hubs is for streaming large volumes of data, not for discrete event fan-out.

Option B is wrong because Service Bus topics support pub/sub, but their default retention is up to 14 days whereas the requirement is 7 days; Event Grid is the more appropriate choice for discrete events and has simpler integration.

185
MCQeasy

You are a developer for a startup that is building a real-time chat application on Azure. The application uses Azure Web PubSub to broadcast messages to clients. The security team requires that only authenticated users can connect to the Web PubSub service. You plan to use Microsoft Entra ID for authentication. The application backend is an Azure Function that generates access tokens. What is the correct course of action to secure the Web PubSub service?

A.Configure the Web PubSub service to use a shared access key and distribute it to clients via the Function.
B.Enable managed identity for the Azure Function, assign it the 'Web PubSub Service Owner' role, and use the Web PubSub SDK to generate a client access token after authenticating the user.
C.Set the Web PubSub service's 'Anonymous mode' to 'Allow anonymous connections' and authenticate users at the application level.
D.Use the Web PubSub connection string (access key) in the Function to generate a client token, and store the connection string in Azure Key Vault.
AnswerB

This uses Entra ID authentication and generates a scoped token for the client.

Why this answer

Option B is correct. Using managed identity for the Function to get Entra ID tokens and then generating a client token with the Web PubSub SDK ensures authenticated connections. Option D is wrong because the access key does not use Entra ID.

Option A is wrong because shared access keys are not tied to user identities. Option C is wrong because anonymous connections are not authenticated.

186
MCQmedium

You are developing a mobile app that uses Azure Cognitive Services to analyze images. The app must authenticate to the Computer Vision API using a key that is rotated monthly. What is the best practice for handling the key?

A.Store the key in Azure App Configuration with Key Vault references and retrieve it at runtime
B.Use a system-assigned managed identity and acquire a token for Cognitive Services
C.Prompt the user to enter the key on first launch
D.Store the key in the mobile app's local secure storage after initial retrieval
AnswerA

App Configuration supports dynamic secret retrieval from Key Vault, enabling key rotation without redeployment.

Why this answer

Option A is correct because App Configuration with Key Vault references allows key rotation without redeployment. Option C is wrong because user identity is not suitable for service-to-service. Option B is wrong because tokens from managed identity are easier.

Option D is wrong because local storage is insecure.

187
MCQeasy

You are developing a web app that uses Azure AD B2C for customer identity. The app must allow users to sign in with their social media accounts like Facebook and Google. Which Azure AD B2C policy type should you configure?

A.Profile editing policy
B.Sign-up and sign-in policy
C.Password reset policy
D.Conditional access policy
AnswerB

Sign-up and sign-in policies allow users to sign up or sign in with social identity providers.

Why this answer

The sign-up and sign-in policy (now called a user flow in the Azure portal) is the correct choice because it is the Azure AD B2C policy type specifically designed to handle both user registration and authentication in a single flow. This policy can be configured to include social identity providers like Facebook and Google, allowing users to sign in using those accounts. It orchestrates the OAuth 2.0 and OpenID Connect protocols to redirect users to the social provider's authorization endpoint and then process the returned tokens.

Exam trap

The trap here is that candidates often confuse the sign-up and sign-in policy with separate sign-up or sign-in policies, or mistakenly think a password reset policy can handle social logins, but Azure AD B2C requires the combined policy to support multiple identity providers in a single authentication journey.

How to eliminate wrong answers

Option A is wrong because a profile editing policy is used only for allowing authenticated users to modify their account attributes (e.g., display name, city), not for initial sign-in or registration with social providers. Option C is wrong because a password reset policy is specifically for resetting a forgotten password via email verification or other methods; it does not handle social identity provider authentication. Option D is wrong because conditional access policy is a security feature that evaluates risk signals (e.g., location, device state) to grant or block access after authentication, not a policy type for configuring sign-in with social identity providers.

188
Multi-Selectmedium

Which TWO are correct ways to securely store and access secrets for Azure Functions? (Choose two.)

Select 2 answers
A.Use Environment.ExpandEnvironmentVariables in the code.
B.Use a Key Vault reference in the Function App settings.
C.Store secrets in the Function App code as constants.
D.Use App Settings with 'slot-sticky' settings and access restrictions.
E.Store secrets in a local.settings.json file and deploy it.
AnswersB, D

Key Vault references allow secure access without exposing secrets.

Why this answer

Azure Key Vault references and App Settings with access restrictions are both secure. Option B (Key Vault reference) is correct; Option D (App Settings) is correct. Option C exposes secrets; Option A is not secure; Option E is for local development only.

189
MCQhard

You are building a solution that processes events from multiple Azure Event Hubs. Events must be dispatched to different downstream services based on the event type. You need a serverless solution that can handle high throughput and uses managed identity to authenticate to Event Hubs. Which Azure service should you use?

A.Azure Functions (Event Hubs trigger) with managed identity
B.Azure Stream Analytics
C.Azure Logic Apps (Event Hubs connector)
D.Azure Data Factory
AnswerA

Correct. Azure Functions can process events from Event Hubs at scale and supports managed identity for authentication.

Why this answer

Azure Functions with an Event Hubs trigger supports managed identity authentication, enabling secure, passwordless connections to Event Hubs. It is a serverless, event-driven compute service that can scale to handle high throughput by processing events in parallel across multiple partitions. This makes it the ideal choice for dispatching events to downstream services based on event type.

Exam trap

The trap here is that candidates often confuse Azure Stream Analytics as a general-purpose event dispatcher, but it is specifically a stream analytics engine, not a serverless event router; Azure Functions is the correct choice for event-driven dispatching with managed identity support.

How to eliminate wrong answers

Option B (Azure Stream Analytics) is wrong because it is designed for real-time analytics and complex stream processing (e.g., SQL-like queries over time windows), not for dispatching individual events to multiple downstream services based on event type. Option C (Azure Logic Apps) is wrong because while it can connect to Event Hubs, it is a low-throughput, workflow-orchestration service that does not natively support managed identity for Event Hubs authentication and is not optimized for high-throughput event processing. Option D (Azure Data Factory) is wrong because it is a data integration and ETL service for scheduled, batch-oriented data movement, not a real-time event processing or dispatching service.

190
MCQmedium

Your company uses Microsoft Entra ID for identity management. You need to ensure that users accessing a line-of-business application from unmanaged devices must complete a multi-factor authentication (MFA) challenge. What should you configure?

A.Create a Conditional Access policy that requires MFA for users accessing the application, with a condition for 'Device state' set to 'Unmanaged'.
B.Configure a device compliance policy in Microsoft Intune.
C.Create a Conditional Access policy that requires MFA for all users.
D.Enable risk-based Conditional Access in Microsoft Entra ID Protection.
AnswerA

Conditional Access can target specific applications and device states.

Why this answer

Conditional Access policies in Microsoft Entra ID allow you to enforce MFA based on device compliance. Option A is the correct approach. Option B (Intune) is used for device management but not directly for MFA enforcement.

Privileged Identity Management is for just-in-time access. Option D (identity protection) is for risk-based policies, not device state.

191
Drag & Dropmedium

Arrange the steps to implement Azure Blob Storage lifecycle management to archive blobs after 30 days in the correct order.

Why this order

First create storage and container, upload blobs, navigate to lifecycle, add rule with actions.

192
MCQmedium

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required?

A.Password hash synchronization
B.Delegated permissions only
C.Device code flow
D.Application permissions with client credentials flow
AnswerD

Application permissions allow daemon apps to act as themselves without a user context.

Why this answer

Option D is correct because when a background service or daemon calls Microsoft Graph without a signed-in user, it must authenticate as itself using application permissions (app roles) rather than delegated permissions. The client credentials flow (OAuth 2.0 grant type) allows the service to obtain an access token using its own credentials (client ID and client secret or certificate), without any user interaction. This flow is designed for server-to-server scenarios where the application acts on its own behalf.

Exam trap

The trap here is that candidates often confuse delegated permissions (which require a user) with application permissions (which do not), and mistakenly choose the device code flow thinking it works without a user, when in fact it still requires user authentication via a browser.

How to eliminate wrong answers

Option A is wrong because password hash synchronization is an Azure AD Connect feature for syncing user password hashes to Azure AD for hybrid identity, not a permission model for calling Microsoft Graph. Option B is wrong because delegated permissions require a signed-in user to delegate the application's permissions to act on the user's behalf, which contradicts the requirement of no signed-in user. Option C is wrong because the device code flow is an OAuth 2.0 flow designed for devices with limited input capabilities (e.g., IoT, CLI) that still requires a signed-in user to authenticate via a browser; it does not support unattended background service scenarios.

193
MCQmedium

A background service must call Microsoft Graph without a signed-in user. Which Microsoft identity platform permission model is required? The team wants the control to be enforceable during normal operations.

A.Password hash synchronization
B.Delegated permissions only
C.Device code flow
D.Application permissions with client credentials flow
AnswerD

Application permissions allow daemon apps to act as themselves without a user context.

Why this answer

Option D is correct because the scenario requires an unattended background service to call Microsoft Graph without a signed-in user. Application permissions, combined with the client credentials flow (OAuth 2.0 grant type), allow the service to authenticate as itself using a client ID and client secret or certificate, obtaining an access token with pre-authorized application-level permissions. This model enforces control during normal operations because the permissions are granted directly to the application and cannot be delegated by a user, ensuring consistent access regardless of user presence.

Exam trap

The trap here is that candidates often confuse delegated permissions (which require a user) with application permissions (which do not), and mistakenly choose the device code flow thinking it works without a user, when in fact it still requires interactive user authentication.

How to eliminate wrong answers

Option A is wrong because password hash synchronization is an Azure AD Connect feature for syncing user password hashes for hybrid identity, not a permission model for calling Microsoft Graph. Option B is wrong because delegated permissions require a signed-in user to delegate their privileges to the app; they cannot be used in a background service without a user context. Option C is wrong because the device code flow is designed for devices with limited input capabilities and still requires a signed-in user to authenticate interactively on another device, making it unsuitable for an unattended background service.

194
MCQmedium

You are developing a serverless application using Azure Functions that processes orders. Each order must be validated by calling a third-party API. If the third-party API is unavailable, the function should retry with exponential backoff. How should you implement this?

A.Implement retry logic with exponential backoff and circuit breaker using Polly within the function
B.Enable automatic retries on the function's trigger binding
C.Configure the function to have a long timeout and hope the API responds
D.Use Azure Durable Functions to orchestrate the retry
AnswerA

Polly provides robust transient fault handling.

Why this answer

Option A is correct because Azure Functions can retry on transient faults with exponential backoff and circuit breaker pattern. Option B is wrong because it does not handle failures. Option C is wrong because it does not handle the external call.

Option D is wrong because it's not a built-in feature.
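The retry-with-exponential-backoff and circuit-breaker pattern from this question, written out in Python as an added example. Polly is a .NET library; this block is not Polly and not code from the question bank. It implements the same two policies by hand, with a constructed stand-in for the third-party validation API (`FlakyValidationApi`), an injectable clock and sleep so the behaviour can be exercised without waiting, and full-jitter backoff. Names and limits are assumptions.

```python
import random
import time
from typing import Callable, List, Optional, Tuple


class TransientApiError(Exception):
    """Stands for an HTTP 429/5xx or network failure that is worth retrying."""


class CircuitOpenError(RuntimeError):
    """Raised when the breaker is open and the call is short-circuited."""


class CircuitBreaker:
    """Opens after `failure_threshold` consecutive failures; once `reset_after`
    seconds have passed one trial call is let through (half-open) and a
    success closes the breaker again."""

    def __init__(self, failure_threshold: int, reset_after: float,
                 clock: Callable[[], float] = time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.clock = clock
        self.failures = 0
        self.opened_at: Optional[float] = None

    @property
    def state(self) -> str:
        if self.opened_at is None:
            return "closed"
        if self.clock() - self.opened_at >= self.reset_after:
            return "half-open"
        return "open"

    def call(self, fn: Callable[[], object]) -> object:
        if self.state == "open":
            raise CircuitOpenError("circuit open; call skipped")
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.failures >= self.failure_threshold:
                self.opened_at = self.clock()   # open (or re-open from half-open)
            raise
        self.failures = 0
        self.opened_at = None
        return result


def backoff_delays(count: int, base: float = 0.5, cap: float = 8.0,
                   rng: Callable[[], float] = random.random) -> List[float]:
    """Exponential backoff with full jitter: delay i is uniform in [0, min(cap, base*2^i))."""
    return [rng() * min(cap, base * 2 ** i) for i in range(count)]


def call_with_retry(fn: Callable[[], object], breaker: CircuitBreaker, max_attempts: int = 4,
                    sleep: Callable[[float], None] = time.sleep,
                    rng: Callable[[], float] = random.random) -> Tuple[object, int]:
    """Retry transient failures through the breaker; returns (result, attempts used).
    A CircuitOpenError is not retried: the breaker already judged the API down."""
    delays = backoff_delays(max_attempts - 1, rng=rng)
    last_exc: Optional[Exception] = None
    for attempt in range(1, max_attempts + 1):
        try:
            return breaker.call(fn), attempt
        except TransientApiError as exc:
            last_exc = exc
            if attempt < max_attempts:
                sleep(delays[attempt - 1])
    assert last_exc is not None
    raise last_exc


class FlakyValidationApi:
    """Constructed stand-in for the third-party order-validation API."""

    def __init__(self, fail_times: int):
        self.fail_times = fail_times
        self.calls = 0

    def validate(self, order: dict) -> str:
        self.calls += 1
        if self.calls <= self.fail_times:
            raise TransientApiError("503 Service Unavailable")
        return f"order {order['id']} valid"


def validate_order(api: FlakyValidationApi, order: dict, breaker: CircuitBreaker,
                   sleep: Callable[[float], None] = time.sleep,
                   rng: Callable[[], float] = random.random) -> str:
    """What the function body would do: map each outcome to a status the caller
    can route on (for example to a retry or poison queue) instead of raising."""
    try:
        result, _ = call_with_retry(lambda: api.validate(order), breaker, sleep=sleep, rng=rng)
        return str(result)
    except CircuitOpenError:
        return "circuit-open"
    except TransientApiError:
        return "retries-exhausted"
```

The breaker is shared across invocations (one per process), which is what stops every queued order from re-running the full backoff schedule against an API that is already known to be down; the jitter keeps many function instances from retrying in lockstep.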

195
MCQeasy

You are using Application Insights to monitor a web application. The business team wants to track how many users click a specific button on the page. You need to send custom telemetry data from the client-side JavaScript. Which Application Insights JavaScript SDK method should you call?

A.appInsights.trackTrace
B.appInsights.trackEvent
C.appInsights.trackPageView
D.appInsights.trackException
AnswerB

trackEvent is the correct method to send custom events, such as button clicks, along with properties and measurements.

Why this answer

The correct method is `trackEvent` because it is specifically designed for capturing user interactions, such as button clicks, as custom events in Application Insights. Unlike other methods, `trackEvent` allows you to attach custom properties and measurements, making it ideal for business metrics like click tracking. This method sends the data as a custom event telemetry item, which can be analyzed in the Azure portal under 'Events'.

Exam trap

The trap here is that candidates often confuse `trackEvent` with `trackTrace` or `trackPageView`, thinking that any custom data can be sent via `trackTrace`, but `trackEvent` is the only method designed for user-defined business events like button clicks.

How to eliminate wrong answers

Option A is wrong because `trackTrace` is used for logging diagnostic trace messages, not for tracking user interactions or custom business events. Option C is wrong because `trackPageView` is designed to track page loads and views, not individual button clicks on a page. Option D is wrong because `trackException` is used to report exceptions and errors, not to track user actions or custom telemetry events.

196
MCQhard

Your company has several Azure subscriptions, and you need to create a custom role that allows security engineers to start and stop Azure virtual machines but not delete them or modify their network interfaces. The role must be scoped to a specific resource group. How should you define this custom role?

A.Assign the built-in Contributor role to the resource group.
B.Create a custom role with allowed actions for start and stop, and explicitly deny delete actions using NotActions.
C.Use Azure Policy to prevent deletion of VMs in that resource group.
D.Add the engineers to an Microsoft Entra ID administrative unit and assign permissions for VM operations.
AnswerB

Put only what is needed in Actions: 'Microsoft.Compute/virtualMachines/start/action' and 'Microsoft.Compute/virtualMachines/deallocate/action' (plus 'Microsoft.Compute/virtualMachines/read' so the VMs are visible), set AssignableScopes to the resource group, and leave delete out. NotActions is a subtraction from Actions within the same role, not a deny: listing 'Microsoft.Compute/virtualMachines/delete' there only matters when Actions contains a wildcard that would otherwise include it, and it never blocks a permission granted by a different assignment (that needs a deny assignment).

Why this answer

Option B is correct because Azure RBAC custom roles define permissions with Actions and NotActions. Granting Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/deallocate/action (with read) and keeping Microsoft.Compute/virtualMachines/delete and Microsoft.Network/networkInterfaces/write out of the effective set gives the engineers exactly start and stop. If you build the role from a wildcard such as Microsoft.Compute/virtualMachines/*, NotActions is where you subtract delete and write, but NotActions only narrows this role; it is not a deny that overrides other assignments. Scoping the assignment (and AssignableScopes) to the resource group keeps the permission from applying anywhere else.

Exam trap

The trap here is that candidates often confuse Azure Policy with RBAC, thinking Policy can control runtime actions like start/stop, when in fact Policy only governs resource configuration and compliance, not operational permissions.

How to eliminate wrong answers

Option A is wrong because the built-in Contributor role grants full management access, including the ability to delete VMs and modify network interfaces, which violates the requirement to prevent deletion and network interface changes. Option C is wrong because Azure Policy is used to enforce compliance rules (e.g., tagging, location restrictions) and cannot directly grant or deny RBAC permissions for specific actions like start/stop; it audits or prevents resource creation but does not control runtime operations. Option D is wrong because Microsoft Entra ID administrative units manage administrative scope for user and group management, not Azure resource permissions; RBAC roles are required for VM operations, and administrative units do not provide a mechanism to assign start/stop permissions.

197
MCQhard

You are deploying a Docker container to Azure Container Instances (ACI). The container must use GPU resources for machine learning inference. You need to select the appropriate option to provision GPU-enabled containers. What should you do?

A.Deploy the container to a container group with a GPU-enabled SKU (e.g., NV series).
B.Mount a GPU volume from the host.
C.Use Azure Batch with GPU-enabled pools.
D.Enable container GPU support in the Dockerfile.
AnswerA

A GPU SKU in the container group resource allocation assigns a physical GPU from the Azure infrastructure to the container instance.

Why this answer

Azure Container Instances exposes a GPU only when the container group's resource request asks for one: under the container's resources.requests you add a gpu block with a count and an SKU (K80, P100 and V100 are the SKU names ACI uses), and ACI places the group on infrastructure that carries that NVIDIA GPU. The option's 'NV series' wording refers to this choice of GPU SKU for the group; it is a property of the container group, not a VM size you pick. The image must ship the CUDA runtime libraries that match the driver ACI provides. GPU container groups are Linux-only and available in a limited set of regions, so check current availability before designing around them.

Exam trap

The trap here is that candidates confuse local Docker GPU configuration (the `--gpus all` flag on `docker run`, or the NVIDIA container runtime) with ACI's infrastructure-level provisioning. Nothing in a Dockerfile can request hardware; in ACI the GPU comes from the container group's resource request, and that request is mandatory.

How to eliminate wrong answers

Option B is wrong because ACI does not expose host devices to containers; GPU access comes only from the container group's GPU resource request, not from a volume mount. Option C is wrong because Azure Batch with GPU-enabled pools is a different service for scheduled batch jobs, and the question asks specifically about an ACI deployment. Option D is wrong because a Dockerfile cannot request hardware: `--gpus all` is a `docker run` flag, not a Dockerfile instruction, and ACI applies neither; the SKU-based resource request is the only way to get a GPU.

198
MCQhard

You need to restrict access to an Azure Storage blob container so that only users from your Microsoft Entra tenant can read blobs, and deny all other access including anonymous traffic. What should you configure?

A.Generate a shared access signature (SAS) for the container
B.Set public access level to private and assign RBAC roles to users
C.Configure a network firewall to allow only your tenant's IP range
D.Use storage account access keys and distribute them to users
AnswerB

This ensures only authenticated users from your tenant can access blobs.

Why this answer

Option B is correct. Set the container's public access level to Private (and, at the account level, disable 'Allow Blob anonymous access' so no container can be made public later) and assign Storage Blob Data Reader to the users or, better, to a group. Reads then require a Microsoft Entra token from your tenant, checked by RBAC at the container scope. To make Entra the only path, also disable Shared Key authorization on the account so account keys and key-signed SAS tokens stop working. Option A is wrong because a SAS is a bearer token: anyone holding it can read, tenant member or not. Option C is wrong because IP firewall rules filter networks, not identities, and your tenant's users have no fixed IP range. Option D is wrong because account keys grant full access to the whole account and cannot be scoped to a user.

199
MCQmedium

You are designing a solution that uses Azure Event Grid to handle events from multiple Azure services. The events must be filtered and routed to different endpoints based on event type. Which component should you use to filter events before they are sent to subscribers?

A.Event grid domain
B.Event grid topic
C.Event subscription with filters
D.Event handler
AnswerC

Event subscriptions can include filters to select which events to forward.

Why this answer

Event Grid allows you to create event subscriptions with filters. You can filter events by event type, subject, or custom properties. This is done at the event subscription level, not on the topic itself.

Option A is wrong because an Event Grid domain is a management container for many topics in multi-tenant scenarios; it does not filter. Option B is wrong because a topic is the endpoint publishers post to, and every event lands there. Option D is wrong because event handlers (Functions, webhooks, queues) are destinations, not filters. Filters are not an access control: a webhook handler still has to complete the subscription validation handshake and authenticate deliveries (Entra-protected endpoint or a secret in the delivery), because a public webhook can be reached by a forged POST that never passed through Event Grid.
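To make the filter semantics concrete, here is an added example (not part of the original question set) that models the filtering an event subscription applies before delivery. Subscription names, endpoints and events are constructed; the filter fields (includedEventTypes, subjectBeginsWith, subjectEndsWith, subjectCaseSensitive, advancedFilters with operatorType/key/value or values) follow the shape of an event subscription's filter block, and the advanced operators implemented are a subset of what Event Grid offers.

```python
"""Added example: the filtering an Event Grid event subscription applies before
delivery, modelled over constructed events. Handler names, subscriptions and
events are made up; the filter fields follow the shape of an event
subscription's 'filter' block, and only a subset of advanced operators is shown."""


def _lookup(event: dict, key: str):
    """Resolve a dotted key such as 'data.temperature' against an event."""
    cur = event
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


# Subset of advanced-filter operators; string comparisons are case-insensitive.
_OPERATORS = {
    "StringBeginsWith": lambda v, vals: isinstance(v, str) and any(v.lower().startswith(x.lower()) for x in vals),
    "StringEndsWith": lambda v, vals: isinstance(v, str) and any(v.lower().endswith(x.lower()) for x in vals),
    "StringContains": lambda v, vals: isinstance(v, str) and any(x.lower() in v.lower() for x in vals),
    "StringIn": lambda v, vals: isinstance(v, str) and v.lower() in {x.lower() for x in vals},
    "NumberGreaterThan": lambda v, vals: isinstance(v, (int, float)) and v > vals[0],
    "NumberLessThan": lambda v, vals: isinstance(v, (int, float)) and v < vals[0],
}


def matches(sub: dict, event: dict) -> bool:
    """True when the event passes every filter on the subscription."""
    f = sub.get("filter", {})
    types = f.get("includedEventTypes")
    # Assumption for this model: event types are compared case-insensitively.
    if types and event.get("eventType", "").lower() not in {t.lower() for t in types}:
        return False
    subject, prefix, suffix = event.get("subject", ""), f.get("subjectBeginsWith", ""), f.get("subjectEndsWith", "")
    if not f.get("subjectCaseSensitive", False):  # default: case-insensitive subject matching
        subject, prefix, suffix = subject.lower(), prefix.lower(), suffix.lower()
    if not subject.startswith(prefix) or not subject.endswith(suffix):
        return False
    for adv in f.get("advancedFilters", []):
        op = _OPERATORS.get(adv["operatorType"])
        if op is None:
            return False  # unknown operator: fail closed rather than deliver
        vals = adv.get("values", [adv.get("value")])
        if not op(_lookup(event, adv["key"]), vals):
            return False
    return True


def route(subscriptions, events):
    """Return {endpoint: [event ids]} for the events each subscription would receive."""
    out = {s["endpoint"]: [] for s in subscriptions}
    for ev in events:
        for s in subscriptions:
            if matches(s, ev):
                out[s["endpoint"]].append(ev["id"])
    return out


# Constructed subscriptions, each using a different filter style.
SUBSCRIPTIONS = [
    {"endpoint": "fn-archive-logs", "filter": {
        "includedEventTypes": ["Microsoft.Storage.BlobCreated"], "subjectEndsWith": ".log"}},
    {"endpoint": "fn-audit-deletes", "filter": {
        "includedEventTypes": ["Microsoft.Storage.BlobDeleted"]}},
    {"endpoint": "fn-overheat-alert", "filter": {
        "advancedFilters": [{"operatorType": "NumberGreaterThan", "key": "data.temperature", "value": 40}]}},
]

# Constructed events in the Event Grid schema (trimmed to the fields used here).
EVENTS = [
    {"id": "e1", "eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/logs/blobs/app-2024-01-01.log", "data": {}},
    {"id": "e2", "eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/images/blobs/logo.png", "data": {}},
    {"id": "e3", "eventType": "Microsoft.Storage.BlobDeleted",
     "subject": "/blobServices/default/containers/logs/blobs/old.log", "data": {}},
    {"id": "e4", "eventType": "Contoso.Sensor.Reading", "subject": "sensors/line1",
     "data": {"temperature": 47.5}},
    {"id": "e5", "eventType": "Contoso.Sensor.Reading", "subject": "sensors/line2",
     "data": {"temperature": 21.0}},
]

if __name__ == "__main__":
    for endpoint, ids in route(SUBSCRIPTIONS, EVENTS).items():
        print(f"{endpoint}: {ids}")
```

The unknown-operator branch fails closed on purpose: a subscription whose filter you cannot evaluate should deliver nothing rather than everything.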

200
MCQeasy

Refer to the exhibit. You deploy this ARM template to a resource group. The template fails with a 'ResourceNotFound' error. What is the most likely cause?

A.The App Service plan 'myplan' does not exist in the resource group.
B.The 'apiVersion' is incorrect.
C.The template is missing the 'dependsOn' property.
D.The 'type' property is incorrect for a web app.
AnswerA

The plan must exist or be defined in the template.

Why this answer

The ARM template references an App Service plan named 'myplan' in the 'serverFarmId' property of the Microsoft.Web/sites resource. If 'myplan' does not exist in the same resource group, the deployment fails with a 'ResourceNotFound' error because Azure Resource Manager cannot resolve the dependency on a non-existent resource. The template does not include a definition for the App Service plan, so it must already exist in the resource group.

Exam trap

Microsoft often tests the distinction between a missing resource and a missing dependency; the trap here is that candidates assume a 'ResourceNotFound' error always means a missing 'dependsOn' property, when in fact it indicates the referenced resource does not exist at all.

How to eliminate wrong answers

Option B is wrong because an incorrect 'apiVersion' fails with an error about the API version or the resource provider (for example 'NoRegisteredProviderFound' or 'InvalidApiVersion'), not 'ResourceNotFound'. Option C is wrong because 'dependsOn' is only needed to order resources defined in the same template; it does nothing for a resource that is merely referenced by ID and must already exist. Option D is wrong because 'Microsoft.Web/sites' is the correct type for a web app; a wrong type fails with an error about the resource type or provider, not with 'ResourceNotFound' for the referenced plan.

201
MCQhard

A company has an Azure Kubernetes Service (AKS) cluster. They want to ensure that pods can securely access Azure SQL Database without using connection strings or secrets. The solution must use the principle of least privilege. What should they implement?

A.Use the Azure Key Vault Provider for Secrets Store CSI Driver to mount secrets into the pod.
B.Store the SQL connection string in a Kubernetes secret and mount it as a volume in the pod.
C.Enable Azure AD Workload Identity for AKS and assign a managed identity to the pod that has access to Azure SQL Database.
D.Configure Azure SQL Database firewall to allow the AKS cluster's IP addresses.
AnswerC

Microsoft Entra Workload ID lets the pod authenticate to Azure SQL with a managed identity, so no connection string or secret is stored anywhere.

Why this answer

Option C is correct. With Microsoft Entra Workload ID on AKS, a Kubernetes service account is annotated with the client ID of a user-assigned managed identity, and that identity carries a federated identity credential trusting the cluster's OIDC issuer and that service account. The pod receives a projected service-account token, exchanges it for an Entra access token, and presents that token to Azure SQL (Microsoft Entra authentication); no password or connection-string secret exists anywhere. For least privilege, create a contained database user for the identity (CREATE USER [identity-name] FROM EXTERNAL PROVIDER) and grant only the database roles it needs, and give the identity no broader Azure RBAC than required. AAD Pod Identity, the earlier add-on, is deprecated in favour of Workload ID. Option A is wrong because the CSI driver mounts a secret from Key Vault into the pod: that still places a credential on the pod's filesystem, which the question rules out (and the driver itself should use Workload ID to reach Key Vault). Option B is wrong because a Kubernetes secret is only base64-encoded, is readable by anyone with secret read access in the namespace, and is exactly the connection string the question wants to avoid. Option D is wrong because a firewall rule is a network control, not authentication: it does not identify the pod and would admit any workload that shares the cluster's egress address.

202
Multi-Selectmedium

Which TWO Azure Monitor features can help troubleshoot a web app that returns slow response times intermittently?

Select 2 answers
A.Sentinel incidents
B.Advisor recommendations
C.Live Metrics
D.Application Map
E.Policy compliance
AnswersC, D

Real-time monitoring of response times.

Why this answer

Options C and D are correct. Live Metrics streams request rate, failures, duration and server counters in near real time, so an intermittent slowdown can be watched as it happens; Application Map draws the app's dependencies with per-call latency and failure rates, which points at the component (database, cache, external API) that is slow. Option A is wrong because Microsoft Sentinel incidents are SIEM alerts for security investigations. Option B is wrong because Azure Advisor produces cost, reliability and performance recommendations from configuration analysis, not live diagnostics. Option E is wrong because Azure Policy compliance reports configuration drift, not latency.

203
MCQhard

You deploy the above ARM template. Later, you update the web app's code by deploying a new ZIP package to Azure Blob Storage and updating the WEBSITE_RUN_FROM_PACKAGE setting with the new package URL. However, the web app continues to run the old code. What is the most likely cause?

A.The app setting name is misspelled. It should be 'WEBSITE_RUN_FROM_ZIP'.
B.The setting requires a value of '0' to enable external packages.
C.The ARM template uses an incorrect apiVersion.
D.The value '1' indicates the package is from local storage, not an external URL.
AnswerD

A value of '1' means run the package already uploaded to the site's SitePackages folder. To run a package from Blob Storage, set the value to the package URL itself.

Why this answer

Option D is correct. WEBSITE_RUN_FROM_PACKAGE=1 tells App Service to mount the package file in the site's SitePackages folder (d:\home\data\SitePackages on Windows, /home/data/SitePackages on Linux, the file named in packagename.txt there) as a read-only wwwroot; it never looks at Blob Storage. To run a package from Blob Storage, the setting's value must be the blob URL itself, with a SAS token if the blob is not public. Leaving the value at '1' means the new blob is ignored and the previously uploaded local package keeps running. Treat that SAS URL as a secret: store it as a Key Vault reference rather than in plain app settings, keep the container private, and scope the SAS to read on that single blob with a sensible expiry.

Exam trap

The trap here is that candidates assume setting the value to '1' is a generic 'enable' flag, not realizing it has a specific meaning (local package) and that external packages require the full URL as the setting value.

How to eliminate wrong answers

Option A is wrong because WEBSITE_RUN_FROM_PACKAGE is the current name; WEBSITE_RUN_FROM_ZIP was the earlier name of the same setting and is deprecated, so renaming changes nothing about which package is loaded. Option B is wrong because a value of '0' (or removing the setting) turns run-from-package off, so the app runs from whatever was deployed to wwwroot; it does not enable external packages. Option C is wrong because the apiVersion affects only how Resource Manager processes the template; a bad apiVersion fails the deployment outright rather than silently keeping old code running.

204
Multi-Selecteasy

You are deploying an Azure App Service that uses a Linux container to host a custom web application. You need to configure continuous deployment from a GitHub repository. Which TWO actions should you take?

Select 2 answers
A.Set up an FTP trigger to poll the GitHub repository for changes.
B.Use the App Service built-in CI/CD feature to connect to GitHub.
C.Configure the 'Deployment Center' in the App Service to use GitHub Actions.
D.Use the Kudu service to sync with GitHub.
E.Push the container image to Docker Hub and configure webhook.
AnswersB, C

Built-in CI/CD supports GitHub.

Why this answer

Option B is correct because Azure App Service provides a built-in CI/CD feature that directly integrates with GitHub, enabling automatic deployment of code changes without additional configuration. Option C is also correct because the Deployment Center in App Service allows you to configure GitHub Actions as the CI/CD pipeline, which builds and deploys the container to the App Service on each push.

Exam trap

The trap here is thinking of Kudu as something you 'sync' with GitHub. Kudu is the deployment engine behind App Service, but the supported way to wire a GitHub repository to a Linux container app is Deployment Center, which writes a GitHub Actions workflow that builds the image, pushes it to the registry and updates the app. Give that workflow an OpenID Connect federated credential for a service principal rather than a long-lived publish profile or registry password, and scope the principal's role to the app and registry it deploys to.

205
MCQeasy

Your application writes temperature data to Azure Table Storage every second. You have noticed that queries for the latest readings are slower than expected. What is the most likely cause?

A.The storage account access tier is set to Cool.
B.The table name is too long.
C.The application is using an outdated version of the Azure Storage SDK.
D.The PartitionKey is not being used in the query filter.
AnswerD

Queries without PartitionKey can be slow as they scan all partitions.

Why this answer

In Azure Table Storage, queries that do not include the PartitionKey in the filter result in a full table scan, which is significantly slower than a point query that uses both PartitionKey and RowKey. Since the application writes data every second, the latest readings likely have a timestamp-based RowKey, but without filtering by PartitionKey, the query must scan all partitions, causing poor performance.

Exam trap

The trap here is that candidates often focus on SDK versions or storage tiers, but the real performance killer in Table Storage is failing to include the PartitionKey in the query filter, which forces a full table scan.

How to eliminate wrong answers

Option A is wrong because the storage account access tier (Cool vs. Hot) affects blob storage pricing and performance, not Table Storage query speed. Option B is wrong because table names in Azure Table Storage can be up to 63 characters, and length does not impact query performance.

Option C is wrong because while an outdated SDK might lack optimizations, it would not cause a fundamental performance issue like missing PartitionKey filtering; the primary bottleneck is the query design, not the SDK version.
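The two design points above (a PartitionKey predicate keeps the query to one partition, and a timestamp-derived RowKey decides which row comes first) are easier to see in code. The following is an added example, not part of the original question set: a small in-memory stand-in for a table that, like Table Storage, keeps entities sorted by PartitionKey then RowKey and serves a query with a PartitionKey predicate from one partition. It uses the 'log tail' RowKey layout (DateTime.MaxValue.Ticks minus the reading's ticks, zero-padded) so the newest reading sorts first. Device names, timestamps and readings are constructed.

```python
"""Added example: why a PartitionKey in the filter matters, and the 'log tail'
RowKey layout that makes 'latest reading' a cheap top-1 query. The in-memory
table stands in for Table Storage; device names and readings are constructed."""
from bisect import insort
from datetime import datetime, timezone

# .NET DateTime.MaxValue.Ticks; the Table Storage design guide inverts timestamps against it.
MAX_TICKS = 3155378975999999999
_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)


def ticks(ts: datetime) -> int:
    """100-nanosecond ticks since 0001-01-01, as .NET counts them."""
    delta = ts - _EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def row_key_for(ts: datetime) -> str:
    """Inverted, zero-padded ticks: the newest reading sorts first within the partition."""
    return f"{MAX_TICKS - ticks(ts):019d}"


class InMemoryTable:
    """Tiny model of a table: {PartitionKey: sorted list of (RowKey, entity)}."""

    def __init__(self):
        self.partitions = {}

    def insert(self, partition_key: str, row_key: str, entity: dict):
        insort(self.partitions.setdefault(partition_key, []), (row_key, entity))

    def query(self, partition_key=None, top=None):
        """Return (rows, partitions_scanned). Without a PartitionKey predicate the
        query must visit every partition; with one it touches exactly that partition."""
        if partition_key is not None:
            rows = [e for _, e in self.partitions.get(partition_key, [])]
            scanned = 1
        else:
            rows = [e for pk in sorted(self.partitions) for _, e in self.partitions[pk]]
            scanned = len(self.partitions)
        return (rows[:top] if top else rows), scanned


def latest_reading(table: InMemoryTable, device_id: str):
    """Point-style query: PartitionKey = device, first row in RowKey order, top 1."""
    rows, _ = table.query(partition_key=device_id, top=1)
    return rows[0] if rows else None


def build_sample_table() -> InMemoryTable:
    """Constructed data: three devices, one reading per second for five seconds."""
    table = InMemoryTable()
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    for device in ("sensor-a", "sensor-b", "sensor-c"):
        for sec in range(5):
            ts = base.replace(second=sec)
            entity = {"device": device, "ts": ts.isoformat(), "temp_c": 20.0 + sec}
            table.insert(device, row_key_for(ts), entity)
    return table


if __name__ == "__main__":
    t = build_sample_table()
    print("latest for sensor-b:", latest_reading(t, "sensor-b"))
    _, scanned = t.query()
    print("partitions scanned without a PartitionKey predicate:", scanned)
```

In the real service the equivalent filter is PartitionKey eq 'sensor-b' with $top=1; the same query without the PartitionKey clause is the full scan the question describes, and the cost grows with the number of partitions rather than with the number of matching rows.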

206
Multi-Selectmedium

Which TWO actions should you take to secure an Azure Function app that is triggered by an HTTP request? (Choose two.)

Select 2 answers
A.Use function-level authorization keys (function or admin keys) for all HTTP triggers.
B.Enable App Service Authentication and configure Microsoft Entra ID as the identity provider.
C.Store connection strings and secrets in Azure Key Vault and reference them from the function app settings using Key Vault references.
D.Set the function app's public access to 'Off' and use virtual network integration.
E.Enable Cross-Origin Resource Sharing (CORS) with allowed origins set to '*'.
AnswersB, C

This ensures only authenticated users can invoke the function.

Why this answer

Options B and C are correct. App Service Authentication (Easy Auth) with Microsoft Entra ID validates the caller's token at the platform layer before the function code runs, so only principals from your tenant can invoke the function. Key Vault references (for example @Microsoft.KeyVault(SecretUri=...)) resolved through the function app's managed identity keep secrets out of app settings, deployment files and source control. Option A is wrong because function and admin keys are static shared secrets: they identify no caller, leak through URLs and logs, and must be rotated by hand; they are acceptable for internal machine-to-machine calls, but they are not the strongest control here, and the admin key grants access to every function. Option D is wrong because turning off public network access and adding VNet integration are network controls: they limit where requests can come from (and VNet integration governs outbound traffic, not inbound), but they do not authenticate callers. Option E is wrong because CORS with '*' widens which browser origins may call the function; it is a relaxation, not a security control.

207
MCQmedium

A serverless app must react whenever audit documents are inserted or updated in Cosmos DB. Which trigger should the Azure Function use?

A.Queue trigger
B.Timer trigger
C.HTTP trigger
D.Cosmos DB trigger
AnswerD

The Cosmos DB trigger reads the change feed and invokes the function for inserts and updates.

Why this answer

The Azure Cosmos DB trigger listens to the change feed of a Cosmos DB container, which records inserts and updates to items, and invokes the function as new or modified documents appear. That makes it the right choice for reacting to audit document changes in a serverless app. Deletes are not surfaced in the default change feed mode, so an audit workflow that must notice removals should write a soft-delete marker (with a TTL, if the item should eventually disappear) instead of hard-deleting the document.

Exam trap

The trap here is that candidates may confuse the Cosmos DB trigger with a generic database trigger, forgetting that it specifically relies on the change feed and not on direct database events like stored procedures or triggers in SQL Server.

How to eliminate wrong answers

Option A is wrong because a Queue trigger responds to messages in an Azure Storage Queue, not to document changes in Cosmos DB. Option B is wrong because a Timer trigger runs on a fixed schedule (e.g., every 5 minutes) and cannot react to real-time data changes. Option C is wrong because an HTTP trigger requires an explicit HTTP request to invoke the function, and it does not automatically fire when documents are inserted or updated in Cosmos DB.

208
MCQeasy

Your company is building a microservices application on Azure Kubernetes Service (AKS). The application must securely access Azure Key Vault to retrieve secrets. Which identity type should you use for the pods?

A.Service principal with certificate stored in the pod
B.User-assigned managed identity on the node resource group
C.System-assigned managed identity on AKS cluster
D.Microsoft Entra Workload ID (formerly Azure AD Pod Identity)
AnswerD

Workload ID assigns managed identities to pods, enabling secure access to Azure services.

Why this answer

Option D is correct. Microsoft Entra Workload ID federates a Kubernetes service account with a user-assigned managed identity (a federated identity credential on the identity trusts the cluster's OIDC issuer and that service account), so a pod exchanges its projected service-account token for an Entra token and reads Key Vault with no stored credential; grant the identity only Key Vault Secrets User on the vault it needs. Workload ID is the successor to the deprecated AAD Pod Identity add-on. Option A is wrong because a service principal certificate stored in the pod is a long-lived credential that must be distributed, protected and rotated. Option B is wrong because an identity attached at the node resource group is node-level: any pod on the node could use it through the instance metadata endpoint, so there is no per-workload least privilege. Option C is wrong because the cluster's system-assigned identity belongs to the control plane (and the kubelet identity to the nodes), not to application pods.

209
MCQmedium

You are building a data pipeline that writes billions of small log records (each ~200 bytes) to Azure Blob Storage. The logs are always written in chronological order and are read sequentially in order. You must minimize storage cost and achieve maximum write throughput. Which blob type should you use?

A.Block blobs in the Cool tier
B.Append blobs in the Hot tier
C.Page blobs in the Premium tier
D.Block blobs in the Archive tier
AnswerB

Append blobs are designed for efficient append operations, providing high write throughput for log data. Hot tier is appropriate for frequently written data.

Why this answer

Append blobs are optimized for append operations, making them ideal for writing billions of small log records in chronological order. An Append Block call adds data to the end without managing block IDs or committing a block list, so sequential writes stay cheap, and the Hot tier gives low-cost transactions and low-latency reads for data that is written and read continuously. One sizing caveat: an append blob holds at most 50,000 blocks of up to 4 MiB each, so a writer should roll to a new blob (per hour or per size threshold) rather than append to one blob forever.

Exam trap

The trap here is that candidates often choose Block blobs (Option A) thinking they are the default for any data, but they overlook the append-specific optimization and the overhead of block management for billions of small writes.

How to eliminate wrong answers

Option A is wrong because block blobs require uploading blocks and committing a block list for each write, which for billions of 200-byte records is enormous transaction overhead; the Cool tier also charges more per write and read transaction than Hot and applies an early-deletion charge if data is deleted or moved within 30 days, so it does not fit constantly written, immediately read logs. Option C is wrong because page blobs are designed for random read/write workloads such as VHDs, use 512-byte pages, and in the Premium tier are the most expensive choice for small sequential records. Option D is wrong because the Archive tier is offline storage: blobs must be rehydrated (hours) before they can be read, which is incompatible with logs that are read as they arrive, and block blobs carry the same block-management overhead as in Option A.

210
MCQeasy

You are developing an API using Azure API Management (APIM). The API is backed by an Azure Function that processes requests. You need to implement caching for responses that are expensive to compute. The cache should expire after 10 minutes. What should you configure in APIM?

A.Configure Azure Redis Cache as an external cache in APIM.
B.Add a cache-lookup and cache-store policy to the API operation.
C.Implement response caching in the Azure Function code.
D.Use Azure Front Door to cache responses.
AnswerB

These policies cache responses in APIM's built-in cache.

Why this answer

Option B is correct because Azure API Management (APIM) provides built-in caching policies, `cache-lookup` in the inbound section and `cache-store` in the outbound section, that can be applied directly to an API operation. `cache-store` takes a `duration` attribute in seconds (600 for ten minutes); `cache-lookup` declares what the cache key varies by (query parameters, headers, developer) and whether to honour the client's Cache-Control headers. No external cache is needed: the policies use APIM's internal cache by default. Because cached responses are shared, vary the key by developer or by the Authorization header for any operation whose response depends on the caller, otherwise one user's response can be served to another.

Exam trap

The trap here is that candidates often assume an external cache like Redis is required for any caching in APIM, but the built-in cache-lookup and cache-store policies use APIM's internal cache by default, making external Redis optional and only needed for advanced scenarios like multi-region deployments or higher cache capacity.

How to eliminate wrong answers

Option A is wrong because configuring Azure Redis Cache as an external cache in APIM is an optional enhancement for scenarios requiring a distributed cache across multiple APIM instances, but it is not necessary for basic response caching; the built-in cache-lookup and cache-store policies work with APIM's internal cache by default. Option C is wrong because implementing response caching in the Azure Function code would cache responses at the function level, but the question specifically asks what to configure in APIM, and APIM caching policies provide centralized control, offload the backend, and can cache even non-cacheable responses from the function. Option D is wrong because Azure Front Door is a global load balancer and CDN that caches at the edge, not within APIM; it operates at a different layer and does not integrate with APIM's policy-based caching for API operations.
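The policy pair is easier to reason about when the cache key is spelled out. The following added example (not from the original page or from APIM itself) models cache-lookup/cache-store in memory: duration is the TTL, and the vary-by settings widen the key. It shows the failure mode mentioned above, a per-caller response served from a cache whose key does not include the caller, next to the corrected policy. The operation, users and backend responses are constructed; the policy XML the two dictionaries correspond to is in the comment.

```python
"""Added example: semantics of APIM cache-lookup / cache-store modelled in memory.
Operation, developers and responses are constructed. The SAFE_POLICY dict below
corresponds to this policy fragment:

  <inbound>
    <cache-lookup vary-by-developer="true" vary-by-developer-groups="false">
      <vary-by-query-parameter>region</vary-by-query-parameter>
    </cache-lookup>
  </inbound>
  <outbound>
    <cache-store duration="600" />
  </outbound>
"""


class ResponseCache:
    def __init__(self):
        self._entries = {}      # cache key -> (expires_at, body)
        self.backend_calls = 0  # how often the Azure Function was actually invoked

    def _key(self, op, request, policy):
        """Cache key = operation + every vary-by dimension the policy declares."""
        parts = [op]
        for q in policy.get("vary_by_query", []):
            parts.append(f"q:{q}={request['query'].get(q, '')}")
        for h in policy.get("vary_by_header", []):
            parts.append(f"h:{h.lower()}={request['headers'].get(h.lower(), '')}")
        if policy.get("vary_by_developer"):
            parts.append(f"dev:{request['developer']}")
        return "|".join(parts)

    def handle(self, op, request, policy, backend, now):
        """cache-lookup on the way in, cache-store (duration seconds) on the way out."""
        key = self._key(op, request, policy)
        hit = self._entries.get(key)
        if hit and hit[0] > now:
            return hit[1], "hit"
        self.backend_calls += 1
        body = backend(request)
        self._entries[key] = (now + policy["duration"], body)
        return body, "miss"


def backend(request):
    """Stand-in for the expensive Azure Function: the result depends on who is asking."""
    return f"report for {request['developer']} in {request['query'].get('region', 'all')}"


def scenario(policy):
    """Two developers call the same operation inside the TTL; one calls again after it."""
    cache = ResponseCache()
    alice = {"developer": "alice", "query": {"region": "eu"}, "headers": {"authorization": "Bearer a"}}
    bob = {"developer": "bob", "query": {"region": "eu"}, "headers": {"authorization": "Bearer b"}}
    cache.handle("GET /report", alice, policy, backend, now=0)
    bob_body, bob_state = cache.handle("GET /report", bob, policy, backend, now=5)
    _, late_state = cache.handle("GET /report", alice, policy, backend, now=601)
    return {"bob_got": bob_body, "bob_state": bob_state,
            "after_ttl": late_state, "backend_calls": cache.backend_calls}


# Same TTL and query variation; only the caller dimension differs.
UNSAFE_POLICY = {"duration": 600, "vary_by_query": ["region"]}
SAFE_POLICY = {"duration": 600, "vary_by_query": ["region"], "vary_by_developer": True}

if __name__ == "__main__":
    print("unsafe:", scenario(UNSAFE_POLICY))
    print("safe:  ", scenario(SAFE_POLICY))
```

With the unsafe policy Bob receives Alice's report as a cache hit; with vary-by-developer each caller gets a separate entry, and the request after 600 seconds misses and goes back to the function. In APIM, requests that carry an Authorization header are not cached unless allow-private-response-caching is enabled on cache-lookup; if you enable it, vary by developer or by the Authorization header as shown.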

211
MCQhard

You have an Azure Policy as shown in the exhibit. The roleDefinitionId corresponds to the 'Contributor' role. What does this policy do?

A.Denies Contributors from creating or modifying virtual machines
B.Allows Contributors to create virtual machines
C.Audits when Contributors create virtual machines
D.Deploys a virtual machine when a Contributor action occurs
AnswerA

The policy denies specified actions on VMs for the Contributor role.

Why this answer

Option A is correct because, as the exhibit shows, the policy's effect is deny and it targets virtual machine create and update requests made under the Contributor role definition it references, so those requests are rejected. Option B (allows) is wrong because Azure Policy never grants permissions; that is RBAC. Option C (audits) is wrong because the effect would have to be audit. Option D (deploys) is wrong because the effect would have to be deployIfNotExists.

212
MCQeasy

You need to process large volumes of streaming data from IoT devices in near real-time. The processed data must be stored in Azure Cosmos DB for further analysis. Which Azure service should you use for stream processing?

A.Azure Batch
B.Azure Databricks
C.Azure Data Lake Storage
D.Azure Stream Analytics
AnswerD

Stream Analytics is designed for real-time stream processing and can output directly to Cosmos DB.

Why this answer

Option D is correct because Azure Stream Analytics is a managed real-time stream processing service: it reads from Event Hubs or IoT Hub, runs a SQL-like query with windowing, and has a native output to Azure Cosmos DB. Option A is wrong because Azure Batch schedules batch jobs, not streams. Option B is wrong because Azure Databricks can do stream processing with Spark Structured Streaming, but it is a general analytics platform that needs cluster management and code, which is more than this scenario requires. Option C is wrong because Azure Data Lake Storage is a storage service, not a processing engine.

213
MCQhard

Refer to the exhibit. You have an Azure Storage account with a blob container named container1. The container's public access level is set to Blob (anonymous read access for blobs only). You attempt to assign the custom role defined in the JSON using Azure PowerShell. The role assignment fails. What is the most likely reason?

A.The action 'Microsoft.Storage/storageAccounts/blobServices/containers/read' is not a valid action.
B.The principal ID is invalid.
C.The condition StringEquals expects publicAccess to be 'none', but the container has Blob (anonymous) access.
D.The resource scope is incorrectly formatted.
AnswerC

Condition fails because public access is not 'none'.

Why this answer

C is the answer key's reasoning: the JSON carries a condition that uses the `StringEquals` operator to require the container's `publicAccess` to equal `'none'`, and `container1` is set to Blob (anonymous read access for blobs only), so the condition is not satisfied. Two caveats for real deployments. First, a condition belongs to the role assignment (Azure attribute-based access control), not to the role definition; custom role JSON has Actions, NotActions, DataActions and AssignableScopes but no condition field. Second, conditions are evaluated when the principal makes a request, not when the assignment is created: a condition the resource does not satisfy shows up as a 403 on the blob read, whereas New-AzRoleAssignment itself fails for reasons such as an unresolvable principal or scope, a role that is not assignable at that scope, or a condition with invalid syntax or an unsupported attribute.

Exam trap

The trap here is that candidates skip the condition in the JSON and blame syntax or the principal. For the exam, read the condition and compare it with the resource's actual state. In practice, remember that the condition is checked per request against the resource's state at that moment, so changing the container's public access level later changes the outcome of later reads, not of the assignment.

How to eliminate wrong answers

Option A is wrong because `Microsoft.Storage/storageAccounts/blobServices/containers/read` is a valid Azure RBAC action that grants read access to blob containers. Option B is wrong because the principal ID is a standard GUID and there is no indication in the question that it is invalid; the failure is due to the condition, not the principal. Option D is wrong because the resource scope (e.g., `/subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{account}/blobServices/default/containers/container1`) is correctly formatted for a container-level role assignment.

214
MCQmedium

You have an Azure Storage account that contains a blob container with thousands of small files. You need to generate a URL that allows users to download a single file for a limited time without changing the storage account's firewall rules or requiring authentication. Which approach should you use?

A.Create a Shared Access Signature (SAS) for the specific blob with a time limit
B.Provide the storage account key to the user so they can authenticate
C.Assign the user an RBAC role (e.g., Storage Blob Data Reader) and have them authenticate via Microsoft Entra ID
D.Set the blob container's public access level to Blob (anonymous read access for blobs)
AnswerA

SAS provides secure, time-limited delegated access to a specific resource without sharing the account key.

Why this answer

A Shared Access Signature (SAS) for a specific blob provides delegated, time-limited access to that blob without requiring the storage account key or changing firewall rules. By generating a SAS token with a defined expiration time and attaching it to the blob URL, users can download the file directly via HTTPS while the storage account remains secured behind its firewall and authentication requirements.

Exam trap

The trap here is reaching for something broader than required: a container-level SAS, public access or account keys all cover more than one file, while an RBAC role requires the user to sign in. A blob-scoped SAS with a short expiry is the only option that meets every constraint. Prefer a user delegation SAS (signed with a user delegation key obtained with Microsoft Entra credentials) over one signed with the account key: it cannot outlive the delegation key, and revoking that key invalidates the tokens without rotating the account key.

How to eliminate wrong answers

Option B is wrong because providing the storage account key grants full administrative access to the entire storage account, including all containers and blobs, which violates the principle of least privilege and is not a limited-time or single-file solution. Option C is wrong because assigning an RBAC role and requiring Microsoft Entra ID authentication would still require the user to authenticate, which contradicts the requirement of 'without requiring authentication.' Option D is wrong because setting the container's public access level to Blob makes all blobs in the container anonymously readable indefinitely, which does not provide time-limited access and bypasses the need for a SAS token.
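To see why a SAS cannot be widened by whoever holds it, here is an added example (not from the original question set) that builds and verifies a blob-level service SAS the way the service does: the `sig` query parameter is an HMAC-SHA256 over the other parameters and the canonical resource path, computed with the account key, so permissions, expiry and the target blob cannot be edited without that key. The string-to-sign layout follows the service SAS format for version 2020-12-06 as documented for Blob Storage; re-check the field order against the REST reference before relying on it. The account name, key, container and blob names are constructed.

```python
"""Added example: construct and verify a least-privilege blob service SAS.
Account name, key, container and blob are constructed; the string-to-sign layout
follows the documented service SAS format for version 2020-12-06."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

ACCOUNT = "contosoexample"
ACCOUNT_KEY_B64 = base64.b64encode(b"constructed-demo-key-do-not-use-anywhere-000").decode()
SAS_VERSION = "2020-12-06"


def _fmt(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def _sign(string_to_sign: str, account_key_b64: str) -> str:
    key = base64.b64decode(account_key_b64)
    return base64.b64encode(hmac.new(key, string_to_sign.encode(), hashlib.sha256).digest()).decode()


def _string_to_sign(params: dict, account: str, container: str, blob: str) -> str:
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [
        params.get("sp", ""), params.get("st", ""), params.get("se", ""), canonical,
        params.get("si", ""), params.get("sip", ""), params.get("spr", ""), params.get("sv", ""),
        params.get("sr", ""), params.get("sst", ""), params.get("ses", ""),
        params.get("rscc", ""), params.get("rscd", ""), params.get("rsce", ""),
        params.get("rscl", ""), params.get("rsct", ""),
    ]
    return "\n".join(fields)


def make_blob_read_sas(container: str, blob: str, minutes: int = 15, now=None) -> str:
    """Least-privilege download URL: read only, one blob, HTTPS only, short expiry."""
    now = now or datetime.now(timezone.utc)
    params = {
        "sv": SAS_VERSION,
        "sr": "b",                                  # resource is a single blob, not the container
        "sp": "r",                                  # read only
        "st": _fmt(now - timedelta(minutes=5)),     # small clock-skew allowance
        "se": _fmt(now + timedelta(minutes=minutes)),
        "spr": "https",                             # refuse plain HTTP
    }
    params["sig"] = _sign(_string_to_sign(params, ACCOUNT, container, blob), ACCOUNT_KEY_B64)
    return f"https://{ACCOUNT}.blob.core.windows.net/{container}/{blob}?{urlencode(params)}"


def verify_sas_url(url: str, now=None) -> tuple:
    """Re-derive the signature as the service would; reject tampering or expiry."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    container, _, blob = parts.path.lstrip("/").partition("/")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    expected = _sign(_string_to_sign(params, ACCOUNT, container, blob), ACCOUNT_KEY_B64)
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False, "signature mismatch (token edited or wrong key)"
    if now > datetime.strptime(params["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc):
        return False, "expired"
    if parts.scheme != "https" and params.get("spr") == "https":
        return False, "https required"
    return True, "ok"


def demo() -> dict:
    """Constructed walk-through: a fresh token, an attempt to extend its expiry, an expired token."""
    t0 = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    url = make_blob_read_sas("reports", "q2/summary.pdf", minutes=15, now=t0)
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    q["se"] = _fmt(t0 + timedelta(days=365))        # holder tries to extend the lifetime
    tampered = url.split("?")[0] + "?" + urlencode(q)
    return {
        "fresh": verify_sas_url(url, now=t0)[0],
        "tampered": verify_sas_url(tampered, now=t0)[0],
        "expired": verify_sas_url(url, now=t0 + timedelta(hours=1))[0],
        "permissions": q["sp"],
    }


if __name__ == "__main__":
    print(demo())
```

The same mechanism is why a leaked SAS is still a risk for the window it covers: nothing in the token can be narrowed after the fact either, so keep the expiry short and the scope to exactly one blob, and prefer a user delegation SAS in production so the token can be cut off by revoking the delegation key.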

215
MCQmedium

A IoT command API runs in Azure App Service and must call a private API hosted inside a virtual network. Which feature allows outbound access from the app to the VNet?

A.Regional VNet integration
B.Azure CDN custom domain
C.Application Gateway path routing
D.Private Endpoint for the web app only
AnswerA

Regional VNet integration enables App Service outbound connectivity to resources in a virtual network.

Why this answer

Regional VNet integration lets an Azure App Service app make outbound calls into a virtual network. The app is attached to a delegated subnet, and traffic to private addresses is routed through that subnet with source addresses drawn from it (the app's public outbound IPs are not used on that path), so the app can reach a private API without exposing the API to the internet. Internet-bound traffic still leaves through the app's outbound IPs unless 'route all' is enabled, in which case everything goes through the VNet and can be subjected to its NSGs, route tables and firewall.

Exam trap

The trap here is that candidates often confuse Private Endpoint (inbound) with VNet integration (outbound), mistakenly thinking a Private Endpoint on the app allows it to call VNet resources, when in fact it only allows VNet resources to call the app.

How to eliminate wrong answers

Option B is wrong because Azure CDN custom domain is a content delivery feature that caches and serves static content from edge locations; it does not provide outbound connectivity from an App Service to a VNet. Option C is wrong because Application Gateway path routing is an inbound traffic management feature that routes external HTTP/S requests to backend pools; it does not enable outbound access from the app to the VNet. Option D is wrong because Private Endpoint for the web app only secures inbound traffic to the app from the VNet; it does not allow the app to make outbound calls to resources inside the VNet.

216
MCQhard

You need to create a custom RBAC role that allows a security group to start and stop Azure virtual machines in a specific resource group, but not delete them or modify their network interfaces. Which set of actions should you include in the role definition?

A.Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/deallocate/action
B.Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/powerOff/action
C.Microsoft.Compute/virtualMachines/restart/action and Microsoft.Compute/virtualMachines/deallocate/action
D.Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/write
AnswerA

These actions allow starting and deallocating (stopping) VMs without allowing deletion or network interface changes.

Why this answer

Option A is correct because the custom RBAC role needs to allow starting and stopping (deallocating) VMs without permitting deletion or network interface modifications. The actions Microsoft.Compute/virtualMachines/start/action and Microsoft.Compute/virtualMachines/deallocate/action precisely grant the ability to start a VM and deallocate it (which stops and releases resources), while excluding delete or write permissions on the VM or its network interfaces.

Exam trap

The trap here is that candidates confuse 'powerOff' (which stops the VM but keeps it allocated and billable) with 'deallocate' (which stops and releases resources), leading them to choose Option B instead of the correct deallocate action.

How to eliminate wrong answers

Option B is wrong because Microsoft.Compute/virtualMachines/powerOff/action only stops the VM but does not deallocate it, leaving the VM in a 'stopped' state that still incurs compute costs; the question requires the ability to stop (deallocate) the VM to release resources. Option C is wrong because Microsoft.Compute/virtualMachines/restart/action is not a stop operation—it restarts the VM, which does not fulfill the requirement to stop the VM. Option D is wrong because Microsoft.Compute/virtualMachines/write grants the ability to modify the VM resource, including deleting it or changing its configuration, which violates the requirement to prevent deletion or modification of network interfaces.

217
MCQeasy

You deploy a web application to Azure App Service. You need to deploy a new version of the application without downtime and have the ability to test the new version before switching traffic. Which feature should you use?

A.Deployment slots
B.Auto-scaling
C.Backup
D.Custom domains
AnswerA

Correct. Deployment slots allow you to deploy to a staging environment and swap with production, enabling zero downtime and testing.

Why this answer

Deployment slots are live, independently running app versions in Azure App Service that allow you to deploy a new build to a staging slot, validate it with zero impact on production, and then swap it into production with instant traffic redirection. This swap operation is atomic and warm-up aware, ensuring no downtime during the transition.

Exam trap

The trap here is that candidates confuse auto-scaling with deployment strategies, thinking scaling out instances can serve new code without downtime, but auto-scaling only replicates the existing app version and does not provide a mechanism to test or switch traffic between builds.

How to eliminate wrong answers

Option B (Auto-scaling) is wrong because it adjusts the number of instances based on load metrics, not for staging or testing new code versions. Option C (Backup) is wrong because it creates point-in-time copies of app files and databases for disaster recovery, not for zero-downtime deployment or pre-production validation. Option D (Custom domains) is wrong because it maps a DNS name to the app's endpoint and has no role in deployment staging or traffic switching.

218
MCQeasy

You are designing a solution that stores customer order data in Azure Table Storage. The data includes OrderID (string), CustomerID (string), OrderDate (datetime), and TotalAmount (decimal). You need to query orders for a specific customer within a date range efficiently. Which partition key and row key design should you use?

A.PartitionKey = OrderDate, RowKey = OrderID
B.PartitionKey = CustomerID, RowKey = OrderDate (inverted ticks for descending order)
C.PartitionKey = OrderDate, RowKey = CustomerID
D.PartitionKey = OrderID, RowKey = CustomerID
AnswerB

Groups orders by customer and supports efficient range queries on OrderDate.

Why this answer

Option B is correct because Azure Table Storage queries are most efficient when they use PartitionKey for exact matches and RowKey for range scans. By setting PartitionKey = CustomerID, all orders for a specific customer are stored in the same partition, allowing fast retrieval. Using RowKey = OrderDate (inverted ticks for descending order) enables efficient date-range filtering within that partition, as Azure Table Storage supports range queries on RowKey.

Exam trap

The trap here is that candidates often choose PartitionKey = OrderDate thinking it enables date-range queries, but they overlook that Azure Table Storage requires PartitionKey to be an exact match for efficient queries, and date-range filtering must be done on RowKey within a single partition.

How to eliminate wrong answers

Option A is wrong because PartitionKey = OrderDate scatters orders for the same customer across many partitions, requiring a full table scan to gather all orders for a customer. Option C is wrong because PartitionKey = OrderDate has the same scattering issue, and RowKey = CustomerID does not support efficient date-range filtering within a partition. Option D is wrong because PartitionKey = OrderID creates a unique partition per order, making it impossible to query all orders for a customer without scanning every partition.

219
MCQmedium

You have multiple Azure virtual machines that need to access the same Azure Key Vault to retrieve certificates. You want to minimize administrative overhead while ensuring each VM can authenticate without managing credentials. Which identity type should you use?

A.System-assigned managed identity on each VM
B.User-assigned managed identity assigned to each VM
C.Service principal with client secret stored in each VM
D.Storage account key
AnswerB

A single user-assigned identity can be assigned to all VMs. You grant Key Vault access once, reducing overhead.

Why this answer

Option B is correct because a user-assigned managed identity can be created once and then assigned to multiple Azure VMs, allowing all of them to authenticate to the same Key Vault without storing any credentials. This minimizes administrative overhead compared to managing separate system-assigned identities or service principals, as the identity is independent of any single VM's lifecycle and can be reused across resources.

Exam trap

The trap here is that candidates often choose system-assigned managed identities (Option A) because they seem simpler per-VM, but they overlook the administrative overhead of managing separate access policies for each VM when multiple VMs require identical access to the same Key Vault.

How to eliminate wrong answers

Option A is wrong because system-assigned managed identities are tied to the lifecycle of each individual VM, meaning you would need to configure Key Vault access policies separately for each VM's identity, increasing administrative overhead when multiple VMs need identical access. Option C is wrong because storing a service principal's client secret on each VM reintroduces credential management overhead and security risks, contradicting the goal of minimizing administrative overhead and avoiding credential management. Option D is wrong because a storage account key is used for authenticating to Azure Storage, not Azure Key Vault, and it would require storing and rotating a shared secret across all VMs, which is insecure and high-overhead.

220
MCQeasy

A company develops a web app that processes images uploaded by users. The app uses Azure Cognitive Services to analyze images for moderation. The solution must minimize latency when calling the Cognitive Services endpoint. Which service should the developer use to call the endpoint?

A.Azure Traffic Manager
B.Azure Front Door
C.Azure API Management
D.Azure Blob Storage with a public endpoint
AnswerB

Azure Front Door provides global load balancing and acceleration, reducing latency for Cognitive Services calls.

Why this answer

Option B is correct because Azure Front Door provides global load balancing and acceleration, reducing latency. Option A is incorrect because Azure Traffic Manager is DNS-based and does not optimize the connection path. Option C is incorrect because Azure API Management adds processing overhead. Option D is incorrect because Azure Blob Storage with a public endpoint adds latency.

221
MCQmedium

You design an application that writes millions of small sensor readings (each ~100 bytes) to Azure Blob Storage. The data is appended to files every minute and after 7 days it is archived for compliance. You need to minimize write costs and storage costs. Which blob type and tier strategy should you use?

A.Block blobs with Hot tier and a lifecycle rule to move to Cool after 7 days.
B.Append blobs with Hot tier and a lifecycle rule to move to Archive after 7 days.
C.Page blobs with Premium tier.
D.Append blobs with Cool tier and no lifecycle rule.
AnswerB

Append blobs are ideal for append-heavy workloads, Hot tier optimizes write performance, and Archive provides the lowest cost for compliance data not accessed frequently.

Why this answer

Append blobs are optimized for append operations, making them ideal for continuously adding small sensor readings without rewriting existing data, which minimizes write costs. Moving the blobs to the Archive tier after 7 days via a lifecycle rule reduces storage costs for compliance data, as Archive is the lowest-cost tier for infrequently accessed data.

Exam trap

The trap here is that candidates often choose block blobs (Option A) assuming they are the default for all data, overlooking the append blob's specific optimization for append operations and the cost benefits of Archive tier for compliance data.

How to eliminate wrong answers

Option A is wrong because block blobs require rewriting the entire block list for each append operation, leading to higher write costs and inefficiency for millions of small appends. Option C is wrong because page blobs are designed for random read/write access (e.g., VHDs) and use Premium tier, which is expensive and unsuitable for append-heavy sensor data. Option D is wrong because using Cool tier without a lifecycle rule keeps data in Cool tier indefinitely, missing the opportunity to further reduce storage costs by moving to Archive after 7 days.

222
MCQhard

You are optimizing an Azure API Management instance that handles 10,000 requests per second. You notice that caching is not effective. The cache hit ratio is below 10%. You need to increase the cache hit ratio. What should you do?

A.Use external Azure Cache for Redis
B.Configure cache key to include only relevant query parameters
C.Disable caching for low-traffic APIs
D.Increase the cache size to 5 GB
AnswerB

Proper cache key design increases cache hits by avoiding unnecessary variations.

Why this answer

Option B is correct because a cache key that includes only the relevant query parameters avoids cache fragmentation, so more requests resolve to the same cached entry. Option D (increasing cache size) does not address fragmentation. Option A (using external Redis) adds latency. Option C (disabling caching) is counterproductive.

223
MCQhard

Litware Inc. has an Azure App Service web app that needs to authenticate users via Microsoft Entra ID. The app uses the Microsoft Authentication Library (MSAL) for .NET. The app must also call Microsoft Graph to read user profiles. The app is registered in Entra ID with delegated permissions for 'User.Read'. The team wants to use the OAuth 2.0 authorization code flow with PKCE. The redirect URI is set to the App Service's URL. The app uses the App Service Authentication feature (EasyAuth) and also custom code. The team notices that after signing in, the app receives an ID token but not an access token for Microsoft Graph. What is the most likely cause?

A.The app registration in Entra ID is missing the 'User.Read' delegated permission. The team must grant admin consent for the permission.
B.The App Service Authentication feature is not configured to request the 'User.Read' scope. The team must add the scope in the 'Allowed external redirect URLs' or configure the 'Additional login parameters' to include 'scope=User.Read'.
C.The authorization code flow with PKCE is not supported by App Service Authentication. The team should use the implicit flow.
D.The redirect URI is incorrect. The team must use the App Service's authentication endpoint instead of the app's URL.
AnswerB

Correct: EasyAuth does not automatically request Graph scopes.

Why this answer

The App Service Authentication feature (EasyAuth) by default only requests the 'openid' and 'profile' scopes. It does not request the 'User.Read' scope for Graph unless configured. The team must configure the 'Allowed token audiences' or scopes in the EasyAuth settings.

Option B is correct. Option A is wrong because the app registration already includes the 'User.Read' permission. Option C is wrong because PKCE is not the issue. Option D is wrong because the redirect URI is correct.

224
MCQhard

Refer to the exhibit. You run the above Azure CLI command to upload a blob to Azure Blob Storage. The command fails with the error 'This request is not authorized to perform this operation.' You have verified that the storage account name and container name are correct, and the file exists. What should you do to resolve the error?

A.Provide the storage account key using the --account-key parameter or set the AZURE_STORAGE_KEY environment variable.
B.Generate a shared access signature (SAS) and use it instead of key.
C.Change --auth-mode key to --auth-mode login.
D.Upgrade to the latest version of Azure CLI.
AnswerA

The command uses key auth but does not supply the key; adding the key resolves the error.

Why this answer

Option A is correct. The --auth-mode key option uses the storage account key for authentication, but the error indicates that the request is not authorized, which typically means the key is missing or invalid. By default, the CLI uses Azure AD authentication.

To use key authentication, you must provide the account key either via the --account-key parameter or by setting the AZURE_STORAGE_KEY environment variable. The command as shown does not include the key, so it fails.

Option B is wrong because a SAS is not required; key auth works once the key is supplied. Option C is wrong because --auth-mode key is correct for key-based authentication; only the key itself is missing. Option D is wrong because upgrading the CLI version does not fix missing credentials.

225
MCQhard

You are designing a serverless data processing pipeline. The pipeline receives JSON messages from an Azure Event Hubs instance. Each message must be enriched with data from a Cosmos DB database and then written to a Parquet file in Azure Data Lake Storage Gen2. The enrichment step involves a lookup that takes approximately 2 seconds per message. The pipeline must process up to 1000 messages per second. You need to choose the most cost-effective and scalable compute option. Consider the following options: A) Use a single Azure Function with Event Hubs trigger and output to Data Lake Storage. B) Use a Durable Functions orchestration with fan-out/fan-in pattern. C) Use Azure Stream Analytics with a reference data input from Cosmos DB and output to Data Lake Storage. D) Use an Azure Databricks notebook with structured streaming. Which option should you recommend?

A.Use an Azure Databricks notebook with structured streaming.
B.Use a Durable Functions orchestration with fan-out/fan-in pattern.
C.Use Azure Stream Analytics with a reference data input from Cosmos DB and output to Data Lake Storage.
D.Use a single Azure Function with Event Hubs trigger and output to Data Lake Storage.
AnswerC

Scalable, serverless, supports enrichment and Parquet output.

Why this answer

Azure Stream Analytics with a reference data input from Cosmos DB is the most cost-effective and scalable option because it can handle high-throughput streams (up to 1 GB/s) with sub-second latency, and it natively supports enriching incoming events with static or slowly-changing reference data (like Cosmos DB) without requiring custom code. The enrichment lookup is performed in-memory within the Stream Analytics job, avoiding per-message function invocation overhead and enabling linear scale-out across streaming units to meet 1000 messages/second with a 2-second lookup.

Exam trap

The trap here is that candidates often assume Azure Functions are the default serverless choice for all event processing, but they fail to recognize that per-message enrichment with a 2-second lookup creates a throughput bottleneck that only a streaming engine like Stream Analytics can handle cost-effectively at scale.

How to eliminate wrong answers

Option D is wrong because a single Azure Function with an Event Hubs trigger cannot scale to 1000 messages/second with a 2-second enrichment per message: the function would be severely throttled by its concurrency limits (default 200 max per plan) and the 2-second lookup would create a backlog, causing massive event processing delays and potential data loss. Option B is wrong because Durable Functions orchestration with fan-out/fan-in is designed for long-running workflows and stateful coordination, not for high-throughput stateless stream processing; the orchestration overhead and checkpointing would introduce latency and cost that far exceed the requirements. Option A is wrong because Azure Databricks with structured streaming, while scalable, is overkill and cost-inefficient for this simple enrichment and write pipeline: it requires a running cluster with VMs, incurs high per-hour costs, and introduces operational complexity (cluster management, autoscaling delays) that is unnecessary compared to a fully managed serverless service like Stream Analytics.
