Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 301-375

997 questions total · 14pages · All types, answers revealed

Page 5 of 14
301
MCQ · medium

Your application stores user-generated content in Azure Blob Storage. You need to implement a shared access signature (SAS) that allows users to upload files to a specific container but not read or delete. The SAS must be valid for one hour. Which type of SAS should you use?

A.Account SAS
B.Service SAS
C.Stored access policy
D.User delegation SAS
Answer: B

Service SAS can be restricted to a container with only write permission.

Why this answer

A Service SAS is the correct choice because it allows you to delegate access to a specific Azure Blob Storage resource (in this case, a container) with granular permissions. You can generate a Service SAS scoped to the container with only the 'Create' and 'Write' permissions (no 'Read' or 'Delete'), and set its expiry to one hour. This meets the requirement of allowing uploads while preventing reads or deletes.

Exam trap

The trap here is that candidates often confuse 'Service SAS' with 'Account SAS' because both can be used for blobs, but the Account SAS applies to the entire storage account and cannot be restricted to a single container, whereas the Service SAS is resource-specific.

How to eliminate wrong answers

Option A is wrong because an account SAS is signed for the whole storage account: it can restrict resource types (service, container, object) and permissions, but it cannot be scoped to one named container. Option C is wrong because a stored access policy is not a SAS type; it is a server-side policy on the container that a service SAS can reference, so the SAS's permissions and expiry can be changed or revoked without regenerating the account key. Option D, a user delegation SAS, can in fact be scoped to a single container with create/write permissions and a one-hour expiry, and it is the option Microsoft recommends because it is signed with Microsoft Entra ID credentials (a user delegation key) rather than the account key; the exam key separates it from the service SAS by its signing credential, not by its scope. In practice, prefer a user delegation SAS when the issuing identity can obtain a user delegation key, and use a service SAS, ideally bound to a stored access policy so it can be revoked, when you must sign with the account key.
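The following is an added example, not code from the exam page: it builds a container-scoped, upload-only service SAS by hand so the signed fields are visible, and audits any SAS query string against a least-privilege rule (only c/w, container scope, HTTPS, lifetime of at most one hour). The string-to-sign layout is the one documented for service SAS versions 2020-12-06 and later; the account name, key, container and service version are invented. In production use `generate_container_sas` from azure-storage-blob, which implements the same scheme.

```python
"""Added example (not from the exam page): build a container-scoped, upload-only
service SAS and audit SAS query strings for least privilege.

Assumptions: string-to-sign layout of service SAS versions >= 2020-12-06;
account name, account key, container name and SERVICE_VERSION are invented.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SERVICE_VERSION = "2022-11-02"  # assumption: any version >= 2020-12-06 uses this layout


def _iso(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_container_service_sas(account: str, account_key_b64: str, container: str,
                                permissions: str, start: datetime, expiry: datetime,
                                protocol: str = "https") -> str:
    """Return the SAS query string for `container`, signed with the account key."""
    canonical = f"/blob/{account}/{container}"   # canonicalized resource for a container
    # Field order matters and every field is present even when empty.
    string_to_sign = "\n".join([
        permissions,         # sp
        _iso(start),         # st
        _iso(expiry),        # se
        canonical,
        "",                  # si  (stored access policy id)
        "",                  # sip (IP range)
        protocol,            # spr
        SERVICE_VERSION,     # sv
        "c",                 # sr  (c = container)
        "",                  # snapshot time
        "",                  # ses (encryption scope)
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct override headers
    ])
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return urlencode({
        "sv": SERVICE_VERSION, "sr": "c", "sp": permissions,
        "st": _iso(start), "se": _iso(expiry), "spr": protocol,
        "sig": base64.b64encode(digest).decode(),
    })


def audit_sas(sas: str, allowed_permissions: str = "cw",
              max_lifetime: timedelta = timedelta(hours=1)) -> list[str]:
    """Return the policy violations for a SAS query string (empty list = compliant)."""
    q = {k: v[0] for k, v in parse_qs(sas).items()}
    problems = []
    extra = set(q.get("sp", "")) - set(allowed_permissions)
    if extra:
        problems.append(f"permissions beyond {allowed_permissions!r}: {''.join(sorted(extra))}")
    if q.get("sr") != "c":
        problems.append("not scoped to a container (sr != c)")
    if q.get("spr", "https,http") != "https":   # absent spr means both protocols
        problems.append("HTTP allowed; require spr=https")
    try:
        st = datetime.strptime(q["st"], "%Y-%m-%dT%H:%M:%SZ")
        se = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ")
        if se - st > max_lifetime:
            problems.append(f"lifetime {se - st} exceeds {max_lifetime}")
    except (KeyError, ValueError):
        problems.append("missing or malformed st/se")
    return problems


def demo() -> dict:
    """Constructed sample: an upload-only one-hour SAS and an over-privileged one."""
    key = base64.b64encode(b"\x01" * 32).decode()   # fake key, not a real account key
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    good = build_container_service_sas("examplestorage", key, "uploads", "cw",
                                       t0, t0 + timedelta(hours=1))
    bad = build_container_service_sas("examplestorage", key, "uploads", "rcwd",
                                      t0, t0 + timedelta(days=7))
    return {"good": good, "good_problems": audit_sas(good), "bad_problems": audit_sas(bad)}
```

The audit is the check to run before a SAS leaves the server: a token that carries `rd` or lasts a week fails even if it was signed correctly.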

302
MCQ · easy

You are monitoring an Azure App Service using Application Insights. You want to alert when the average server response time exceeds 2 seconds over a 5-minute window. What should you create?

A.An availability alert
B.A log alert with a custom KQL query
C.A metric alert with 'Server response time' as the signal
D.An activity log alert
Answer: C

Metric alerts are ideal for numeric thresholds evaluated over a time window.

Why this answer

Option C is correct because a metric alert on the 'Server response time' signal, with a 'Greater than 2 seconds' threshold and a 5-minute aggregation granularity, fires exactly when the average crosses the threshold over that window. Option A is wrong because availability alerts come from availability (URL ping) tests and report reachability, not the response time of real traffic. Option B is wrong because a log alert with a KQL query over the requests table could compute the same value, but adds query latency and cost for something the platform metric already exposes. Option D is wrong because activity log alerts fire on control-plane events (resource created, deleted, reconfigured), not on performance telemetry.

303
MCQ · medium

You are configuring an Azure Event Grid subscription to trigger an Azure Function when a blob is created in a storage account. However, the function is not being triggered. You have verified that the function endpoint is reachable and the storage account is in the same region. What is the most likely cause?

A.The storage account has public network access disabled.
B.The AzureWebJobsStorage connection string is missing from the function app settings.
C.Blob versioning is not enabled on the storage account.
D.The Event Grid subscription does not have the required RBAC role on the function.
Answer: D

The key treats missing authorization of Event Grid on the function endpoint as the cause.

Why this answer

Option D is correct as keyed: the question rules out reachability, so the remaining explanation is that Event Grid is not authorized to invoke the handler. Option A is wrong because the BlobCreated event is raised by the storage platform itself; the account's public network access setting governs data-plane access to the blobs, not whether the event is published. Option B is wrong because AzureWebJobsStorage backs the Functions runtime (keys, timers, internal state), not Event Grid delivery. Option C is wrong because Event Grid blob events fire on BlobCreated whether or not versioning is enabled.

Practitioner caveat: check what the subscription actually authenticates with. A subscription whose handler is an Azure Function (Event Grid trigger) authenticates with the function's system key in the endpoint URL, so a regenerated or missing key breaks delivery. The 'EventGrid Data Sender' role as documented grants permission to publish events to a topic or domain, and managed-identity delivery with RBAC applies to handlers such as Service Bus, Event Hubs and Storage queues. Look at the subscription's Delivery Failed and Dead Lettered metrics before settling on a cause.

304
MCQ · hard

Your application uses Azure Cosmos DB with the SQL API. You notice that read requests are being throttled (HTTP 429) during peak hours. You need to improve read performance without changing the application code. Which action should you take?

A.Add a composite index to the container
B.Increase the provisioned throughput (RU/s) for the container
C.Enable multi-region writes for the Cosmos DB account
D.Change the default consistency level to Strong
Answer: B

More RU/s means more capacity for reads and writes; it is a configuration change, not a code change.

Why this answer

Option B is correct because HTTP 429 means the container's requests exceeded its provisioned RU/s in that second; raising the provisioned throughput (or switching the container to autoscale with a higher maximum) removes the throttling with no application change. Option A is wrong because a composite index speeds up queries that filter or ORDER BY on several properties; it lowers the RU cost of those specific queries but does not raise the container's capacity, and the question describes no such query shape. Option C is wrong because multi-region writes improve write availability and latency for geographically distributed writers; reads already scale by adding read regions, and the throttling here is a per-container RU limit, not a regional one. Option D is wrong because Strong consistency roughly doubles the RU cost of reads compared with Session or Eventual, which makes throttling worse.

Also check the client side: the Cosmos DB SDKs retry 429 responses automatically, honouring the x-ms-retry-after-ms header, so a sustained 429 rate visible to the application means the retries are already exhausted and capacity is the fix.
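As an added example (not from the exam page, and not the SDK's own code), the retry loop below does what the Cosmos DB SDKs do on a 429: wait for the server's retry-after hint, add a little jitter, and give up after a bounded number of attempts so sustained throttling surfaces as an error instead of being hidden. The throttling backend and the recorded waits are stand-ins constructed for the example; the defaults mirror the .NET client's MaxRetryAttemptsOnRateLimitedRequests (9) and MaxRetryWaitTimeOnRateLimitedRequests (30 s).

```python
"""Added example (not from the exam page): bounded retry on Cosmos DB HTTP 429.
ThrottlingBackend stands in for a container; waits are recorded, not slept."""
import random
from dataclasses import dataclass, field


class CosmosThrottled(Exception):
    def __init__(self, retry_after_ms: int):
        super().__init__(f"429 Too Many Requests, retry after {retry_after_ms} ms")
        self.retry_after_ms = retry_after_ms   # value of the x-ms-retry-after-ms header


@dataclass
class ThrottlingBackend:
    """Constructed stand-in: rejects the first `throttle_count` calls with 429."""
    throttle_count: int
    retry_after_ms: int = 250
    calls: int = 0

    def read_item(self, item_id: str) -> dict:
        self.calls += 1
        if self.calls <= self.throttle_count:
            raise CosmosThrottled(self.retry_after_ms)
        return {"id": item_id, "ru_charge": 1.0}


@dataclass
class RateLimitRetry:
    max_attempts: int = 9          # .NET default MaxRetryAttemptsOnRateLimitedRequests
    max_wait_ms: int = 30_000      # .NET default MaxRetryWaitTimeOnRateLimitedRequests
    waits_ms: list = field(default_factory=list)   # recorded instead of time.sleep

    def call(self, fn, *args):
        total_wait = 0
        for attempt in range(self.max_attempts + 1):
            try:
                return fn(*args)
            except CosmosThrottled as exc:
                # honour the server's hint; jitter keeps many clients from
                # retrying on the same millisecond
                wait = exc.retry_after_ms + random.randint(0, 50)
                total_wait += wait
                if attempt == self.max_attempts or total_wait > self.max_wait_ms:
                    raise   # sustained throttling: let the caller see it
                self.waits_ms.append(wait)
        raise AssertionError("unreachable")


def demo() -> dict:
    random.seed(0)
    recovering = ThrottlingBackend(throttle_count=3)     # a short burst of 429s
    r1 = RateLimitRetry()
    item = r1.call(recovering.read_item, "order-42")

    saturated = ThrottlingBackend(throttle_count=10_000)  # capacity is simply too low
    r2 = RateLimitRetry(max_attempts=3)
    try:
        r2.call(saturated.read_item, "order-42")
        gave_up = False
    except CosmosThrottled:
        gave_up = True
    return {"item_id": item["id"], "retries": len(r1.waits_ms), "calls": recovering.calls,
            "gave_up": gave_up, "saturated_calls": saturated.calls}
```

The second backend is the situation in the question: no retry budget fixes it, and the exception that escapes is the metric to alert on while throughput is raised.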

305
MCQ · medium

Your company uses Azure Blob Storage to store sensitive documents. You need to ensure that all access to the storage account is encrypted in transit and that clients must use TLS 1.2 or higher. Which configuration should you enforce?

A.Use a private endpoint for the storage account.
B.Set the 'Minimum TLS version' to 1.2 in the storage account's configuration.
C.Configure network rules to allow only from trusted IPs.
D.Enable 'Secure transfer required' (HTTPS only).
Answer: B

'Minimum TLS version' set to 1.2 makes the service reject TLS 1.0 and 1.1 handshakes.

Why this answer

Option B is correct because the storage account's 'Minimum TLS version' property (minimumTlsVersion) is what rejects connections negotiating TLS 1.0 or 1.1; it is the only option that controls the protocol version. Option A is wrong because a private endpoint changes the network path (a private IP via Private Link) but says nothing about the TLS version negotiated over it. Option C is wrong because network rules decide which sources may reach the account, not how the traffic is encrypted. Option D is wrong on its own because 'Secure transfer required' rejects plain HTTP but still accepts any TLS version the service supports. In practice enable both: without D, a client can still send the request over HTTP; without B, an HTTPS client can still negotiate TLS 1.0.

306
MCQ · hard

You have an Azure Container Apps environment running multiple microservices. One microservice is experiencing high CPU usage and slow response times. You need to configure autoscaling rules to scale based on HTTP requests. Which scaling rule should you add?

A.HTTP scaling rule (KEDA)
B.CPU percentage scaling rule
C.Memory percentage scaling rule
D.Custom scaling rule using Azure Monitor metrics
Answer: A

HTTP scaling rule scales based on request rate, ideal for web microservices.

Why this answer

Option A is correct because the Container Apps HTTP scaling rule (built on KEDA) scales replicas on the number of concurrent HTTP requests per replica (the rule's concurrentRequests value, default 10), which is the signal the question asks for. Request concurrency rises before CPU saturates, so replicas are added ahead of resource exhaustion rather than after it.

Exam trap

The trap here is that candidates often choose CPU or memory scaling rules because they seem directly related to high CPU usage, but the question explicitly asks for scaling based on HTTP requests, which requires a request-based scaler like KEDA's HTTP scaler, not resource-based metrics.

How to eliminate wrong answers

Option B is wrong because CPU percentage scaling rule reacts to resource utilization after it has already increased, which is reactive and may not prevent slow response times during sudden request surges. Option C is wrong because memory percentage scaling rule is typically used for memory-bound workloads, not CPU-bound or request-driven scenarios, and memory often lags behind CPU as a scaling signal. Option D is wrong because custom scaling rules using Azure Monitor metrics require additional configuration and are not as straightforward or purpose-built as KEDA's HTTP scaler for request-based autoscaling in Container Apps.

307
MCQ · medium

You have an Azure App Service that runs a web API. The API is accessed by multiple client applications. You need to implement authentication and authorization using Microsoft Entra ID. The solution must allow client applications to obtain access tokens using the OAuth 2.0 client credentials flow. Which authentication setting should you configure in the App Service?

A.Enable the 'Token store' in the Authentication / Authorization blade.
B.Configure the app to use the Microsoft.Identity.Web library to validate tokens.
C.Use the built-in authentication module with Microsoft Entra ID as the identity provider.
D.Upload a client certificate and configure certificate-based authentication.
Answer: C

Easy Auth validates bearer tokens issued by Microsoft Entra ID for the API's app registration.

Why this answer

Option C is correct. App Service built-in authentication (Easy Auth) with Microsoft Entra ID as the provider validates the bearer token on every request (signature, issuer, audience, expiry) before the request reaches your code, and rejects unauthenticated calls when the action is 'Require authentication'. With the client credentials flow there is no user: each client app registration requests a token from Entra ID for the API's application ID URI (the .default scope) using its own secret or certificate and presents it as a bearer token; App Service never issues the token, it only validates it. Option A is wrong because the token store caches tokens for signed-in users so the app can call downstream APIs; it is not what authenticates inbound requests. Option B is wrong because Microsoft.Identity.Web is a code-level library inside the application, not an App Service setting; it is a valid alternative but not what the question asks for. Option D is wrong because client certificates provide mutual TLS, not OAuth 2.0 bearer-token validation.

Caveat: Easy Auth only answers 'is this a valid token for my app?'. Which client may call which operation still needs a check on the roles claim (app roles assigned to the calling application) or the 'allowed client applications' setting; Easy Auth exposes the validated claims to your code in the X-MS-CLIENT-PRINCIPAL header.
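An added example (not from the exam page) of the authorization step that Easy Auth leaves to the application: decode the X-MS-CLIENT-PRINCIPAL header that App Service injects after validating the token (base64 of a JSON document with an auth_typ field and a claims array of {typ, val} objects) and allow the call only if the calling application holds a required app role. The header values, the API's application ID URI, the caller's application ID and the role name 'Orders.Write' are all constructed for this example.

```python
"""Added example (not from the exam page): app-role authorization behind
App Service built-in authentication (Easy Auth).  All identifiers are invented."""
import base64
import json

EXPECTED_AUDIENCE = "api://11111111-2222-3333-4444-555555555555"  # assumption: API app ID URI


def parse_client_principal(header_value: str) -> dict:
    """Decode X-MS-CLIENT-PRINCIPAL into {'auth_typ': ..., 'claims': {type: [values]}}."""
    doc = json.loads(base64.b64decode(header_value))
    claims: dict = {}
    for c in doc.get("claims", []):
        claims.setdefault(c["typ"], []).append(c["val"])
    return {"auth_typ": doc.get("auth_typ"), "claims": claims}


def authorize_app_call(headers: dict, required_role: str) -> tuple:
    """Allow the call only if Easy Auth authenticated it with Entra ID and the
    calling application holds `required_role`.  Returns (allowed, reason)."""
    raw = headers.get("X-MS-CLIENT-PRINCIPAL")
    if not raw:
        # Only possible when the action is 'Allow unauthenticated'; fail closed anyway.
        return False, "no principal: request was not authenticated"
    principal = parse_client_principal(raw)
    if principal["auth_typ"] != "aad":
        return False, f"unexpected provider {principal['auth_typ']!r}"
    claims = principal["claims"]
    if EXPECTED_AUDIENCE not in claims.get("aud", []):
        return False, "token not issued for this API"
    # A client-credentials token carries no user; 'roles' holds the app roles
    # assigned to the calling application's service principal, 'appid' (v1 token)
    # identifies that application.
    caller = claims.get("appid", ["?"])[0]
    if required_role not in claims.get("roles", []):
        return False, f"app {caller} lacks role {required_role}"
    return True, f"app {caller} allowed"


def make_principal_header(claims: list, auth_typ: str = "aad") -> str:
    """Build a header value shaped like Easy Auth's, for the constructed sample below."""
    doc = {"auth_typ": auth_typ, "name_typ": "name", "role_typ": "roles",
           "claims": [{"typ": t, "val": v} for t, v in claims]}
    return base64.b64encode(json.dumps(doc).encode()).decode()


def demo() -> dict:
    app_id = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # invented caller application ID
    granted = make_principal_header([("aud", EXPECTED_AUDIENCE), ("appid", app_id),
                                     ("roles", "Orders.Write")])
    read_only = make_principal_header([("aud", EXPECTED_AUDIENCE), ("appid", app_id),
                                       ("roles", "Orders.Read")])
    wrong_aud = make_principal_header([("aud", "api://other"), ("appid", app_id),
                                       ("roles", "Orders.Write")])
    hdr = "X-MS-CLIENT-PRINCIPAL"
    return {
        "granted": authorize_app_call({hdr: granted}, "Orders.Write")[0],
        "read_only": authorize_app_call({hdr: read_only}, "Orders.Write")[0],
        "wrong_aud": authorize_app_call({hdr: wrong_aud}, "Orders.Write")[0],
        "anonymous": authorize_app_call({}, "Orders.Write")[0],
    }
```

The audience check is belt and braces (Easy Auth already enforces it); the roles check is the part nothing else does for you.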

308
MCQ · easy

You are deploying a web application to Azure App Service. The application needs to read configuration settings that vary by deployment environment (development, staging, production). You want to minimize application changes and leverage Azure services. What should you use?

A.Use Azure Key Vault secrets for configuration values.
B.Use Azure DevOps variable groups and inject them at build time.
C.Use Azure App Configuration with feature flags.
D.Use Azure App Service application settings.
Answer: D

Application settings are environment variables that can be configured per deployment slot.

Why this answer

Azure App Service application settings are the correct choice because they are natively supported by the App Service platform, allowing you to define key-value pairs that are injected as environment variables at runtime. This approach requires no application code changes, as the settings are automatically available via standard configuration APIs (e.g., `Environment.GetEnvironmentVariable` in .NET or `process.env` in Node.js), and you can configure different values per deployment slot (e.g., development, staging, production) without redeploying the application.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing Azure App Configuration or Key Vault for all configuration needs, forgetting that Azure App Service application settings are the simplest, most direct way to handle environment-specific, non-sensitive settings without additional code or services.

How to eliminate wrong answers

Option A is wrong because Azure Key Vault secrets are designed for storing sensitive data (e.g., passwords, connection strings) and require explicit code changes to retrieve them via SDK calls or a managed identity, adding complexity for non-sensitive configuration settings. Option B is wrong because Azure DevOps variable groups are a build-time mechanism that injects values during the CI/CD pipeline, not a runtime configuration service; this would require modifying the build process and does not leverage Azure App Service's native environment-based settings. Option C is wrong because Azure App Configuration with feature flags is a centralized configuration service for managing feature toggles and hierarchical settings, but it is overkill for simple environment-specific key-value pairs and requires additional SDK integration in the application code.

309
MCQ · hard

A containerized booking backend deployed to Azure Container Apps must scale to zero when idle and scale out based on queue length. What should the developer configure?

A.A manual replica count only
B.An Availability Set
C.An Azure Front Door health probe
D.A KEDA-based scale rule for the queue trigger
Answer: D

Azure Container Apps uses KEDA scale rules to scale replicas based on event sources such as queues.

Why this answer

Option D is correct because KEDA (Kubernetes Event-Driven Autoscaling) is natively integrated with Azure Container Apps to enable event-driven scaling. By configuring a KEDA-based scale rule with an Azure Queue Storage trigger, the container app can scale to zero replicas when the queue is empty and scale out based on the queue length, meeting the requirement for idle scaling and queue-driven scaling.

Exam trap

The trap here is that candidates may confuse Azure Front Door health probes (used for traffic routing) with scaling triggers, or assume manual replica counts or Availability Sets are relevant to container scaling, when in fact KEDA is the specific technology for event-driven scaling in Azure Container Apps.

How to eliminate wrong answers

Option A is wrong because a manual replica count only sets a fixed number of replicas and cannot scale to zero or dynamically scale based on queue length. Option B is wrong because an Availability Set is a feature for virtual machine high availability within a region, not applicable to Azure Container Apps which uses replica-based scaling. Option C is wrong because an Azure Front Door health probe is used for load balancing and routing traffic based on backend health, not for scaling container replicas based on queue metrics.

310
MCQ · medium

Refer to the exhibit. The APIM policy is applied to an API. What is the effect of this policy?

A.Each subscription can make up to 10 calls per minute.
B.Each subscription can make up to 10 calls total.
C.Each IP address can make up to 10 calls per minute.
D.All calls from a single IP are blocked after 10 requests.
Answer: A

The rate-limit policy with calls="10" and renewal-period="60" allows 10 calls per 60-second window per subscription key; the eleventh call in a window receives HTTP 429 with a Retry-After header.

Why this answer

Option A is correct: rate-limit counts calls per subscription and resets the counter every renewal-period seconds. Option B is wrong because the count is renewed each period, so it is not a lifetime total (a long-term cap is the quota policy, which counts calls and bandwidth over a much longer renewal-period). Options C and D are wrong because rate-limit keys on the subscription, not on the caller's IP address; limiting per IP requires rate-limit-by-key with a counter-key based on the request IP, and even then exceeding the limit returns 429 for the rest of the window rather than blocking the address.

311
MCQ · hard

You need to store billions of small telemetry data entries (each ~100 bytes) from IoT devices. The data is written once and rarely updated. You need to run analytical queries on the last 30 days of data daily. The queries scan large ranges of data by timestamp and require sub-second response times. You need the lowest storage cost while meeting query latency requirements. Which Azure Storage solution should you use?

A.Azure Blob Storage with hot access tier and Data Lake Storage Gen2.
B.Azure Table Storage with a timestamp partition key.
C.Azure Cosmos DB with SQL API and automatic indexing.
D.Azure Blob Storage with cool access tier and Azure Data Lake Storage Gen2.
Answer: D

ADLS Gen2 provides the capabilities of Blob Storage with a hierarchical namespace, enabling efficient analytical queries. Cool tier minimizes cost for data that is queried daily but infrequently modified.

Why this answer

Option D is correct because Azure Blob Storage with the cool access tier provides the lowest storage cost for data that is written once and rarely accessed, while Azure Data Lake Storage Gen2 enables hierarchical namespace and POSIX-like access, allowing efficient analytical queries on large timestamp-ranged data with sub-second response times via partitioning and parallel processing.

Exam trap

The trap here is that candidates often choose Azure Cosmos DB (Option C) for its low-latency queries, overlooking that its cost model (RU/s) makes it prohibitively expensive for scanning billions of small records, while Blob Storage with Data Lake Storage Gen2 provides the required performance at a fraction of the cost when using proper partitioning and file formats.

How to eliminate wrong answers

Option A is wrong because the hot access tier has higher storage costs than cool tier, which is unnecessary for data that is rarely updated and only queried daily on the last 30 days. Option B is wrong because Azure Table Storage with a timestamp partition key can lead to hot partitions (all writes go to the same partition) and does not support sub-second analytical queries on large ranges of data efficiently due to lack of indexing and parallel scan capabilities. Option C is wrong because Azure Cosmos DB with SQL API and automatic indexing is optimized for transactional workloads with low-latency point reads, not for large-range analytical scans; it incurs high RU costs for scanning billions of small entries, making it far more expensive than Blob Storage for this use case.

312
MCQ · medium

You are developing a .NET application that needs to store and retrieve large binary objects (up to 4.7 TB) in Azure Blob Storage. The application requires the lowest possible latency for reads and must support object-level tiering. Which blob type should you use?

A.Block blob
B.Archive storage account
C.Page blob
D.Append blob
Answer: A

Block blobs support large objects (up to ~4.7 TB) and offer object-level tiering, making them suitable for this scenario.

Why this answer

Block blobs are made of up to 50,000 blocks: at the 100 MiB block size of older service versions that is about 4.75 TiB, the figure the question uses, and with the 4000 MiB blocks available since service version 2019-12-12 it is about 190.7 TiB. They support per-blob access tiers (Hot, Cool, Cold, Archive), are read directly over HTTPS with range requests, and are optimized for streaming and random reads, so they give the lowest read latency of the blob types for general binary content. Setting the tier per blob means individual objects can be moved between tiers without touching the account's default tier, which is the granular cost control the question asks for.

Exam trap

The trap here is that candidates confuse access tiers (Hot, Cool, Cold, Archive) with blob types, or assume page blobs are suitable because of their larger maximum size, overlooking that page blobs are designed for VHDs and do not support access tiering.

How to eliminate wrong answers

Option B (Archive storage account) is wrong because there is no such account kind: Archive is an access tier that applies to individual block blobs (it is offline, cannot be set as an account default, and reads require rehydration), not a blob type. Option C (Page blob) is wrong because page blobs are optimized for random read/write of 512-byte pages, as used by virtual machine disks; they reach 8 TiB but do not support access tiers. Option D (Append blob) is wrong because it only supports appending blocks (logging scenarios), does not support access tiers, and is limited to about 195 GiB, far below the 4.7 TB requirement.

313
Multi-Select · hard

A company uses Azure Functions to process sensitive customer data. The functions are triggered by Service Bus messages. The security requirements mandate that all function code must be encrypted in transit and at rest, and that access to the function must be authenticated using Microsoft Entra ID. Which TWO configurations should be implemented? (Choose two.)

Select 2 answers
A.Enable 'App Service Authentication' and set the action to 'Allow anonymous requests'.
B.Configure the function app's authentication to 'Microsoft Entra ID' with 'Require authentication' set to 'On'.
C.Set the function app's 'HTTPS Only' setting to 'On' to enforce encryption in transit.
D.Use Service Bus managed identity with access keys for authentication.
E.Set the function app's 'HTTP version' to 'HTTP/2' to improve encryption.
Answers: B, C

'Require authentication' with Entra ID rejects unauthenticated calls; 'HTTPS Only' enforces encryption in transit.

Why this answer

Options B and C are correct. Setting the function app's authentication provider to Microsoft Entra ID with 'Require authentication' on means only requests carrying a valid Entra ID token reach the function; 'HTTPS Only' redirects or rejects plain HTTP so traffic is encrypted in transit. Code and configuration at rest are encrypted by the platform (the storage backing the function app uses service-side encryption), so no extra option is needed for that.

Option A is wrong because 'Allow anonymous requests' lets unauthenticated calls through and leaves the authorization decision to your code. Option D is wrong because Service Bus access keys (SAS) are not Entra ID credentials; the identity-based alternative is a managed identity granted a Service Bus data role, with no key at all. Option E is wrong because HTTP/2 changes the transport framing; it does not add or strengthen encryption.

Caveat: built-in authentication protects HTTP-triggered endpoints. A Service Bus-triggered function has no inbound HTTP endpoint to protect; what matters there is that the trigger connection uses a managed identity (an identity-based connection) rather than a shared access key, and that the app's HTTP surface (admin endpoints, any HTTP triggers) sits behind Easy Auth.

314
MCQ · medium

You are developing a web application that allows users to upload images. The application is deployed on Azure App Service. After upload, the images must be processed to generate thumbnails and to extract metadata. The processing should happen asynchronously and must be resilient to failures. You need to design the solution using serverless components. The solution must minimize latency for the user during upload, and the processing must be retried automatically if it fails. You also need to ensure that the processing is idempotent, so that duplicate messages do not cause duplicate thumbnails. Which approach should you use? Option A: Use Azure Functions with a Blob Storage trigger to process each image as it is uploaded; the function generates thumbnails and stores metadata in Cosmos DB, and uses the `leaseBlob` property to prevent duplicate processing. Option B: Use Azure Logic Apps with a Blob Storage connector; the logic app generates thumbnails and stores metadata in Cosmos DB, with a retry policy configured on the connector. Option C: Use Azure Functions with an Event Grid trigger; the function generates thumbnails and stores metadata in Cosmos DB, relying on Event Grid's built-in retry policy and idempotent logic in the function. Option D: Use Azure Functions with a Service Bus queue trigger; the web app sends a message to the queue after upload, the function processes the message, generates thumbnails and stores metadata, and message duplicate detection ensures idempotency.

A.Azure Functions with Blob Storage trigger, using leaseBlob
B.Azure Logic Apps with Blob Storage connector
C.Azure Functions with Event Grid trigger
D.Azure Functions with Service Bus queue trigger and duplicate detection
Answer: D

Service Bus duplicate detection discards repeated messages with the same MessageId inside the detection window; the queue decouples upload from processing.

Why this answer

Option D is correct because a Service Bus queue with duplicate detection enabled drops any message whose MessageId matches one accepted within the duplicate detection history window (configurable up to 7 days), so a retried send does not produce a second thumbnail. The web app stores the image, enqueues a small message and returns to the user immediately. The queue-triggered function processes the message asynchronously; a failed run abandons the message, Service Bus redelivers it up to the queue's MaxDeliveryCount, and then dead-letters it for inspection.

Exam trap

The trap here is that candidates often choose Event Grid (Option C) because it is serverless and has retry policies, overlooking that Event Grid delivers at least once and has no deduplication, so idempotency must be coded into the function.

How to eliminate wrong answers

Option A is wrong because the Blob Storage trigger has no `leaseBlob` property; blob leases are a concurrency lock, not a deduplication mechanism, and the polling-based blob trigger can be delayed or fire more than once with no built-in deduplication. Option B is wrong because the Logic Apps Blob connector polls the container on a schedule, which adds latency, and connector retry policies only re-run actions; nothing deduplicates a repeated blob event. Option C is wrong because Event Grid retries failed deliveries but offers no message deduplication and only at-least-once delivery, so the function must implement idempotency itself.

Caveat: duplicate detection only helps if the sender sets MessageId deterministically, for example from the blob name and ETag or a content hash; with the default random MessageId every send is unique and nothing is deduplicated. It also only removes duplicate sends. A message redelivered after a failed run keeps its MessageId and is processed again, so the function still needs an idempotent write (a thumbnail name derived from the source blob, and an upsert of the metadata document).
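An added example (not from the exam page) of both halves of the idempotency story: the sender derives MessageId from the blob name and ETag so Service Bus duplicate detection can discard a repeated send, and the handler derives the thumbnail name from the source blob and upserts metadata, so a redelivery after a failed run produces the same result instead of a second thumbnail. The queue, the thumbnail container and the metadata store are in-memory stand-ins for Service Bus, Blob Storage and Cosmos DB constructed for this example (the real SDK calls they replace are named in comments); the container, blob names and ETags are invented.

```python
"""Added example (not from the exam page): deterministic MessageId plus an
idempotent queue-triggered handler.  Queue and stores are constructed stand-ins."""
import hashlib
from datetime import datetime, timedelta


def message_id_for(container: str, blob_name: str, etag: str) -> str:
    """Same blob version -> same MessageId -> deduplicated by Service Bus.
    (azure-servicebus: ServiceBusMessage(body, message_id=...))"""
    return hashlib.sha256(f"{container}/{blob_name}@{etag}".encode()).hexdigest()[:32]


class DedupQueue:
    """Mimics a Service Bus queue with duplicate detection enabled."""
    def __init__(self, history_window: timedelta):
        self.window = history_window
        self.seen: dict = {}
        self.messages: list = []

    def send(self, message: dict, now: datetime) -> bool:
        """Return False (message dropped) if MessageId was seen inside the window."""
        seen_at = self.seen.get(message["message_id"])
        if seen_at is not None and now - seen_at <= self.window:
            return False
        self.seen[message["message_id"]] = now
        self.messages.append(message)
        return True


class ThumbnailProcessor:
    def __init__(self):
        self.thumbnails: dict = {}   # stand-in for the thumbnails container
        self.metadata: dict = {}     # stand-in for a Cosmos DB container
        self.runs = 0

    def handle(self, message: dict, fail_once: bool = False) -> str:
        """Body of the Service Bus-triggered function.  Re-running with the same
        message overwrites the same thumbnail blob and upserts the same document."""
        self.runs += 1
        src = message["blob_name"]
        thumb_name = f"thumb/{src}"          # derived from the source, not a new GUID
        self.thumbnails[thumb_name] = b"<jpeg bytes for " + src.encode() + b">"
        if fail_once and self.runs == 1:
            # crash after the thumbnail write, before the metadata write: the host
            # abandons the message and Service Bus redelivers it
            raise RuntimeError("transient failure")
        # upsert keyed on the source blob (Cosmos: container.upsert_item, id = src)
        self.metadata[src] = {"id": src, "thumbnail": thumb_name, "etag": message["etag"]}
        return thumb_name


def demo() -> dict:
    q = DedupQueue(history_window=timedelta(minutes=10))
    t0 = datetime(2024, 1, 1, 9, 0)
    msg = {"message_id": message_id_for("uploads", "cat.jpg", "0x8D1"),
           "blob_name": "cat.jpg", "etag": "0x8D1"}
    first = q.send(msg, t0)
    retry = q.send(dict(msg), t0 + timedelta(seconds=2))   # web app retried the send
    newver = {"message_id": message_id_for("uploads", "cat.jpg", "0x8D2"),
              "blob_name": "cat.jpg", "etag": "0x8D2"}      # user re-uploaded: new ETag
    new_version = q.send(newver, t0 + timedelta(seconds=5))

    proc = ThumbnailProcessor()
    try:
        proc.handle(q.messages[0], fail_once=True)
    except RuntimeError:
        pass
    proc.handle(q.messages[0])   # redelivery of the same message after the failure
    proc.handle(q.messages[1])   # the new version of the image
    return {"first": first, "retry": retry, "new_version": new_version,
            "queued": len(q.messages), "runs": proc.runs,
            "thumbnails": len(proc.thumbnails),
            "metadata_etag": proc.metadata["cat.jpg"]["etag"]}
```

Three runs, two queued messages, one thumbnail: the duplicate send never reached the function, and the redelivery converged on the same output.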

315
MCQ · easy

You are developing an Azure Function that uses a Service Bus queue trigger. You need to ensure that the function processes messages one at a time to guarantee order. Which configuration should you use?

A.Set the batchSize to 1 in host.json
B.Set the maxMessages to 1 in the ServiceBusTrigger attribute
C.Set the function to run on a Premium Plan
D.Set the maxDequeueCount to 1 in host.json
Answer: A

Keyed answer: one message per invocation keeps processing sequential.

Why this answer

Option A is keyed as correct: limiting the trigger to one message at a time means the next message is not taken until the current one completes, is abandoned, or is dead-lettered, so within a single instance messages are handled in queue order.

Caveat for the current Service Bus extension (Microsoft.Azure.WebJobs.Extensions.ServiceBus 5.x on Functions v4): the host.json setting that serialises non-session processing is extensions.serviceBus.maxConcurrentCalls = 1 (with maxMessageBatchSize for batch-receiving functions); batchSize is the Storage Queue trigger's setting. Even with one call at a time per instance, the scale controller may run several instances against the same queue, so the only guaranteed ordering is message sessions: enable sessions on the queue, set isSessionsEnabled = true on the trigger and limit maxConcurrentSessions, and Service Bus delivers each session's messages in order to one receiver at a time.

Exam trap

The trap here is conflating how many messages are fetched per invocation with how many invocations run in parallel: a single message per call still allows parallel calls unless concurrency is also limited to one.

How to eliminate wrong answers

Option B is wrong because `maxMessages` is not a property of the ServiceBusTrigger attribute; concurrency is a host.json setting, and the attribute's properties are the queue or topic and subscription names, Connection, IsBatched, IsSessionsEnabled and AutoCompleteMessages. Option C is wrong because the Premium plan changes the hosting (pre-warmed instances, VNet integration), not the trigger's concurrency; it also scales out, which works against ordering. Option D is wrong because `maxDequeueCount` is the Storage Queue trigger's retry count before a message is moved to the poison queue (Service Bus uses the queue's own MaxDeliveryCount), and neither controls concurrency or batch size.

316
MCQ · easy

A developer is building a solution that sends emails via SendGrid from Azure. Which Azure service should they use to integrate with SendGrid?

A.Azure Logic Apps
B.Azure API Management
C.Azure Functions
D.Azure Event Grid
Answer: A

Logic Apps has a built-in SendGrid connector.

Why this answer

Azure Logic Apps ships a managed SendGrid connector (a 'Send email' action), so the integration is configured rather than coded. Option B is wrong because API Management fronts and governs APIs; it does not send mail. Option C is wrong because Functions can call the SendGrid API (there is also a SendGrid output binding), but that means writing code and managing the API key, and the question asks for the simplest integration. Option D is wrong because Event Grid routes events; it has no SendGrid integration.

317
Multi-Select · medium

Which THREE are benefits of using Azure Logic Apps compared to Azure Functions for workflow orchestration?

Select 3 answers
A.Native connectors to hundreds of services
B.Support for long-running workflows with checkpointing
C.Better suited for custom code logic
D.Visual designer for workflow creation
E.Lower cost for high-volume processing
AnswersA, B, D

Large library of connectors.

Why this answer

Option A is correct because Logic Apps provides hundreds of managed connectors (Office 365, Dynamics 365, Salesforce, SQL Server, SAP and so on), so integrations are configured rather than coded; with Functions each external service is reached through its SDK or raw HTTP calls that you write. Option B is correct because a Logic Apps workflow is stateful: every action's inputs and outputs are checkpointed in the run history, so a workflow can wait hours or days (delays, approvals, polling) and resume after a failure, whereas a plain function execution is bounded by the plan's timeout and keeps no state between runs (Durable Functions adds this, at the cost of code). Option D is correct because the designer lets a workflow be built and reviewed visually, with the definition stored as JSON underneath. Option C is wrong because custom logic is exactly where Functions are stronger; Logic Apps expressions are limited and complex logic usually ends up calling a function anyway. Option E is wrong because Consumption Logic Apps bill per action and connector execution, which at high volume typically costs more than a Consumption function doing the same work.

Exam trap

The trap here is that candidates often confuse the low-code nature of Logic Apps with being 'better for custom logic,' when in fact Azure Functions excel at custom code, and Logic Apps are superior for integration and orchestration with native connectors and visual design.

318
MCQ · easy

You are using Azure Monitor to collect logs from multiple Azure resources. You need to query logs to find all error events from the last 24 hours. Which query language should you use?

A.Transact-SQL (T-SQL)
B.PromQL
C.PowerShell
D.Kusto Query Language (KQL)
Answer: D

KQL is the native query language for Azure Monitor Logs.

Why this answer

Option D is correct because Log Analytics workspaces, and the Logs blade in Azure Monitor and Application Insights, are queried with Kusto Query Language; the query needed here filters a table on its level or severity column and on a TimeGenerated range of the last 24 hours. Option A is wrong because T-SQL is for SQL Server and Azure SQL, not the Azure Monitor Logs store. Option B is wrong because PromQL queries Prometheus metrics (Azure Monitor managed Prometheus accepts it for metrics, not for logs). Option C is wrong because PowerShell is a scripting shell; it can submit a KQL query (Invoke-AzOperationalInsightsQuery) but is not a query language.

319
MCQ · medium

You are developing an ASP.NET Core web app that uses Azure SQL Database. The SQL connection string contains a password that must be rotated every 30 days. The app runs on Azure App Service. You want to store the connection string securely and enable automatic rotation without redeploying the app. Which approach should you use?

A.Store the connection string in an App Setting and use Key Vault references. Configure a Key Vault policy to automatically rotate the secret.
B.Store the connection string in an App Setting as a plain text value and use deployment slots to swap when the password changes.
C.Use a managed identity to access the SQL database directly, bypassing the connection string entirely.
D.Store the connection string in Azure Key Vault and use an ARM template with a secret reference at deployment time.
Answer: A

A Key Vault reference in an App Setting is resolved by the App Service runtime, so a new secret version can be picked up without redeploying the app.

Why this answer

Option A is correct because App Service resolves an app setting of the form @Microsoft.KeyVault(SecretUri=https://<vault-name>.vault.azure.net/secrets/<secret-name>/) with the app's managed identity, so the connection string never appears in the app's configuration or code. When the reference omits the secret version, the platform re-resolves it after a new version is created (within about a day, or immediately on an app restart or a settings change), so a rotated password reaches the app without redeployment.

How the rotation itself happens: Key Vault's native rotation policy applies to keys, not secrets. For a secret such as a SQL password the documented pattern is to set an expiry on the secret and subscribe to the SecretNearExpiry Event Grid event; a Function or Automation runbook then changes the password in Azure SQL, writes a new secret version and sets its expiry 30 days out. That event-driven rotation is what the option's 'policy' amounts to.

Exam trap

The trap here is that candidates often confuse Key Vault references with ARM template secret references, assuming both are resolved at runtime, but ARM template references are only evaluated during deployment, not dynamically.

How to eliminate wrong answers

Option B is wrong because a plain-text App Setting exposes the password to anyone with read access to the app's configuration, and deployment slots do not automate rotation; a swap only changes which configuration is live. Option C is wrong only in the framing of the question: a managed identity (Authentication=Active Directory Managed Identity in the connection string) removes the password entirely and is the better design where the database supports it, but the question stipulates a password that must be rotated, so it does not answer what was asked. Option D is wrong because an ARM template secret reference is resolved once, at deployment, and written into the app's settings as a literal value; rotating the secret then requires a new deployment.

320
MCQ · easy

You are monitoring an Azure Function app that processes messages from an Event Hub. You want to be alerted if the function is failing to process messages (e.g., exceptions) and automatically restart the function host. Which Azure service should you use?

A.Azure Monitor alerts with a metric alert on exception count.
B.Application Insights availability tests.
C.Azure Service Health alerts.
D.Azure Advisor recommendations.
Answer: A

A metric alert on exception count can trigger an action group that restarts the function app, providing automated recovery.

Why this answer

Azure Monitor metric alerts on exception count can trigger when the function app throws exceptions during message processing. By configuring an alert rule that fires on the 'Exceptions' metric, you can then set up an action group that includes an auto-remediation step, such as restarting the function app host via a webhook or Azure Automation runbook. This directly addresses the requirement to be alerted and automatically restart the host.

Exam trap

The trap here is that candidates often confuse Application Insights availability tests (which only check HTTP endpoint availability) with the need to monitor internal function exceptions, or they mistakenly think Azure Service Health alerts cover application-level errors instead of Azure platform issues.

How to eliminate wrong answers

Option B is wrong because Application Insights availability tests are designed to monitor the availability and responsiveness of HTTP endpoints, not to detect processing failures or exceptions within an Azure Function. Option C is wrong because Azure Service Health alerts notify you about service-level issues, outages, or planned maintenance affecting Azure services, not application-level exceptions in your function code. Option D is wrong because Azure Advisor provides proactive recommendations for best practices (e.g., performance, cost, reliability) but does not offer real-time alerting or automated restart capabilities based on exception metrics.

321
MCQ · medium

You are developing a .NET Core application that uploads large files (up to 50 GB) to Azure Blob Storage. The application must support resuming uploads that are interrupted due to network failures. Which approach should you use?

A.Use an append blob and append blocks in sequence.
B.Use a block blob and upload blocks in parallel, then commit the block list.
C.Use the Put Blob API to upload the entire file in a single request.
D.Use a page blob and upload pages in sequence.
Answer: B

Block blobs support block-level operations, allowing resumable uploads by re-uploading only failed blocks.

Why this answer

Block blobs are designed for large files and support uploading blocks in parallel, which improves throughput and reliability. By uploading individual blocks and then committing the block list, you can resume an interrupted upload by re-uploading only the missing blocks, as each block is identified by a unique block ID. This approach is ideal for files up to 50 GB and aligns with Azure's recommended pattern for resumable uploads.

Exam trap

Microsoft often tests the misconception that append blobs are suitable for large file uploads because they support appending, but the trap is that append blobs lack the block-level granularity needed for resumable uploads, unlike block blobs which are explicitly designed for this scenario.

How to eliminate wrong answers

Option A is wrong because append blobs are optimized for append operations (e.g., logging) and do not support resumable uploads; if an append fails, you cannot easily resume without re-uploading the entire blob. Option C is wrong because the Put Blob API can only upload blobs up to 5 TB for block blobs, but it uploads the entire file in a single request, which is impractical for large files and does not support resumability; for files over 256 MB, Azure requires using block uploads. Option D is wrong because page blobs are designed for random read/write access (e.g., VHDs) and are not optimized for large file uploads; they do not provide a built-in mechanism for resuming interrupted uploads.
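The resumable block-blob pattern from option B, as an added example that is not part of the question bank: an in-memory FakeBlockBlob stands in for the Blob service's Put Block / Put Block List operations and for a flaky network, so the real Azure SDK is not used and the failure injection is constructed.

```python
"""Added example: stage blocks, retry only the ones that failed, then commit the
block list once. FakeBlockBlob is a constructed stand-in for Azure Blob Storage."""
import base64


class UploadError(Exception):
    pass


class FakeBlockBlob:
    """Stand-in for a block blob: staged (uncommitted) blocks plus the committed list."""

    def __init__(self, fail_on=()):
        self.staged = {}
        self.committed = []
        self.fail_on = set(fail_on)  # block ids whose first upload attempt "drops"

    def put_block(self, block_id, data):
        if block_id in self.fail_on:
            self.fail_on.discard(block_id)  # the retry of this block succeeds
            raise UploadError(f"network failure while sending {block_id}")
        self.staged[block_id] = bytes(data)

    def put_block_list(self, block_ids):
        missing = [b for b in block_ids if b not in self.staged]
        if missing:
            raise UploadError(f"cannot commit, blocks not staged: {missing}")
        self.committed = list(block_ids)

    def content(self):
        # Only committed blocks are readable; staged-but-uncommitted data is invisible.
        return b"".join(self.staged[b] for b in self.committed)


def block_id(index: int) -> str:
    """Block IDs must be Base64 strings of equal length within one blob, so the
    index is zero-padded before encoding."""
    return base64.b64encode(f"{index:08d}".encode()).decode()


def upload_resumable(blob, data: bytes, block_size: int, max_attempts: int = 3) -> int:
    """Stage every block, re-sending only the blocks that failed, then commit the
    ordered block list in a single call. Returns the number of put_block calls."""
    chunks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    ids = [block_id(i) for i in range(len(chunks))]
    pending = set(range(len(chunks)))
    calls = 0
    for _attempt in range(max_attempts):
        for i in sorted(pending):
            calls += 1
            try:
                blob.put_block(ids[i], chunks[i])
                pending.discard(i)
            except UploadError:
                pass  # leave this block pending; nothing else is re-uploaded
        if not pending:
            break
    if pending:
        raise UploadError(f"gave up on blocks {sorted(pending)}")
    blob.put_block_list(ids)  # the blob becomes readable only now, atomically
    return calls


if __name__ == "__main__":
    sample = bytes(range(256)) * 10  # constructed 2560-byte payload
    target = FakeBlockBlob(fail_on={block_id(1)})
    print("put_block calls:", upload_resumable(target, sample, block_size=1000))
    print("intact:", target.content() == sample)
```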

322
MCQ · medium

You develop a containerized application that runs on Azure Container Instances (ACI). The application needs to securely access Azure SQL Database using a connection string. You want to minimize administrative effort and avoid storing secrets in the container image. What should you do?

A.Embed the connection string in the container image as a configuration file.
B.Store the connection string in an environment variable in the container group.
C.Enable managed identity for the container group and use Microsoft Entra authentication to Azure SQL.
D.Mount a volume from Azure Key Vault using a secret volume.
Answer: C

Managed identity eliminates the need for secrets and is the recommended approach.

Why this answer

Option C is correct because enabling a managed identity for the container group allows the application to authenticate to Azure SQL Database using Microsoft Entra ID (formerly Azure Active Directory) without storing any secrets. The application requests an access token from the Azure Instance Metadata Service (IMDS) endpoint at 169.254.169.254, then uses that token to connect to Azure SQL. This eliminates the need to manage connection strings or secrets, minimizing administrative effort and keeping secrets out of the container image.

Exam trap

The trap here is that candidates often confuse environment variables (Option B) as a secure alternative to embedding secrets, but environment variables are still plaintext and visible in the container's process list, whereas managed identity provides true secretless authentication.

How to eliminate wrong answers

Option A is wrong because embedding the connection string in the container image as a configuration file violates the requirement to avoid storing secrets in the image; anyone with access to the image can extract the secret. Option B is wrong because storing the connection string in an environment variable in the container group still exposes the secret in plaintext within the container's runtime environment and requires manual management of the secret value. Option D is wrong because mounting a volume from Azure Key Vault using a secret volume still requires the container to have a connection string (or secret) to access Key Vault initially, and it introduces additional complexity without leveraging the simpler managed identity approach.

323
Multi-Select · hard

Which THREE Azure Storage features can be used to enforce immutability for compliance requirements?

Select 3 answers
A.Blob versioning with delete lock policy
B.Legal hold on a blob container
C.Blob immutability policy (time-based retention)
D.Soft delete for blobs
E.Storage account firewall rules
Answers: A, B, C

Versioning with delete lock can prevent permanent deletion.

Why this answer

Option A is correct because blob versioning with a delete lock policy prevents deletion of blob versions, effectively enforcing immutability by ensuring that once a version is created, it cannot be deleted or overwritten. This satisfies compliance requirements such as SEC 17a-4(f) or FINRA rules that mandate data preservation.

Exam trap

The trap here is that candidates may confuse soft delete with immutability, not realizing that soft delete only offers recovery, not prevention of deletion or modification, which is required for true compliance immutability.

324
MCQ · hard

You are designing a solution that stores sensitive customer data in Azure Blob Storage. The data must be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, the solution must support automatic key rotation every 90 days. You need to configure the encryption settings. Which combination of Azure services and features should you use?

A.Use Azure Information Protection to encrypt the blobs with a customer-managed key.
B.Use Azure Disk Encryption with Azure Key Vault to encrypt the storage account.
C.Use Azure Storage Service Encryption (SSE) with Microsoft-managed keys and enable automatic key rotation.
D.Use Azure Storage encryption with a customer-managed key stored in Azure Key Vault. Configure a key rotation policy in Key Vault to rotate the key every 90 days.
Answer: D

This supports CMK and automatic rotation via Key Vault's key rotation policy.

Why this answer

Option D is correct because Azure Storage Service Encryption (SSE) supports customer-managed keys (CMK) stored in Azure Key Vault for encrypting blob data at rest. Automatic key rotation every 90 days can be achieved by configuring a key rotation policy in Azure Key Vault, which allows you to define a rotation frequency (e.g., 90 days) and automatically generate a new key version. This meets both the CMK and automatic rotation requirements without additional services.

Exam trap

The trap here is that candidates confuse Azure Disk Encryption (for VMs) with Azure Storage encryption (for Blob Storage), or assume that Microsoft-managed keys can be configured to meet a customer-controlled rotation schedule, when in fact only customer-managed keys in Key Vault allow custom rotation policies.

How to eliminate wrong answers

Option A is wrong because Azure Information Protection is a classification and labeling service for data protection policies, not an encryption mechanism for Azure Blob Storage at rest; it does not integrate with Azure Storage SSE for CMK. Option B is wrong because Azure Disk Encryption encrypts virtual machine disks (OS and data disks) using BitLocker or DM-Crypt, not Azure Blob Storage data; it is designed for IaaS VMs, not PaaS storage services. Option C is wrong because it specifies Microsoft-managed keys, which do not satisfy the customer-managed key requirement; automatic key rotation with Microsoft-managed keys is handled by Azure, but the customer cannot control the key material or rotation schedule.

325
MCQ · hard

A company runs an ASP.NET Core web app on Azure App Service. They need to implement health checks that monitor the app's dependencies, such as a database and an external API. The health endpoint should return a 200 status if all dependencies are healthy, a 503 if any dependency is unhealthy, and a 400 if the request is malformed. Which approach should you take?

A.Implement custom health checks using the ASP.NET Core Health Checks middleware.
B.Use the ASP.NET Core Diagnostics middleware to generate a health page.
C.Configure Application Insights availability tests.
D.Use the built-in health check endpoint in Azure App Service.
Answer: A

Allows custom status codes and dependency checks.

Why this answer

Option A is correct because the ASP.NET Core Health Checks middleware allows you to implement custom health checks that monitor specific dependencies like a database and an external API. You can configure the middleware to return a 200 OK status when all checks pass, a 503 Service Unavailable when any check fails, and a 400 Bad Request for malformed requests by using the appropriate response writer and status code mapping.

Exam trap

The trap here is that candidates often confuse the built-in Azure App Service health check endpoint (which only returns 200 OK for the app's root) with the customizable ASP.NET Core Health Checks middleware that supports dependency monitoring and custom status codes.

How to eliminate wrong answers

Option B is wrong because the ASP.NET Core Diagnostics middleware is designed for developer exception pages and status code pages, not for implementing dependency-specific health checks with custom status codes like 503 or 400. Option C is wrong because Application Insights availability tests are used for monitoring the availability of a web endpoint from external locations, not for implementing an internal health endpoint that checks application dependencies and returns specific HTTP status codes. Option D is wrong because the built-in health check endpoint in Azure App Service only provides a basic ping check (returning 200 OK) and does not support custom dependency monitoring or returning 503 or 400 status codes.

326
MCQ · medium

You are building an Azure Logic App that must call an external API secured with OAuth 2.0 Client Credentials flow. The external API is registered in a different Microsoft Entra ID tenant. You need to obtain an access token and add it to the request headers. Which action and authentication configuration should you use?

A.Use the HTTP action with Managed Identity authentication.
B.Use the HTTP + Swagger connector to import the API definition.
C.Use the HTTP action with Active Directory OAuth authentication, providing the tenant ID, client ID, and client secret.
D.Use the Azure Key Vault - Get secret action to retrieve a token.
Answer: C

This configuration allows the Logic App to obtain a token using Client Credentials flow and attach it to the request, even for a different tenant.

Why this answer

Option C is correct because the HTTP action's Active Directory OAuth authentication type directly supports the OAuth 2.0 Client Credentials flow for cross-tenant scenarios. By providing the tenant ID, client ID, and client secret, the Logic App runtime can obtain an access token from the external tenant's token endpoint and automatically inject it into the Authorization header as a Bearer token. This is the only built-in authentication option in the HTTP action that handles the client credentials grant without custom code.

Exam trap

The trap here is that candidates often confuse Managed Identity with cross-tenant authentication, assuming it works across tenants, when in fact Managed Identity is strictly scoped to the resource's home tenant.

How to eliminate wrong answers

Option A is wrong because Managed Identity authentication only works within the same tenant as the Logic App; it cannot be used to obtain tokens from a different Microsoft Entra ID tenant. Option B is wrong because the HTTP + Swagger connector is used to import an API definition for design-time validation and does not provide any OAuth 2.0 Client Credentials token acquisition capability. Option D is wrong because the Azure Key Vault - Get secret action retrieves a stored secret (like a client secret) but does not perform the OAuth 2.0 token exchange; you would still need a separate action to call the token endpoint and construct the Bearer token.

327
MCQ · easy

You need to grant a user from another Microsoft Entra ID tenant access to a specific blob container in your Azure Storage account. The solution must use Azure RBAC and minimize administrative overhead. What should you do?

A.Generate a shared access signature (SAS) with read permissions for the container.
B.Invite the user as a guest in your Microsoft Entra ID tenant and assign the Storage Blob Data Reader role to the container.
C.Add the user as a Storage Blob Data Reader at the storage account level.
D.Share the storage account key with the user.
Answer: B

B2B collaboration enables cross-tenant RBAC.

Why this answer

Option B is correct because it uses Azure RBAC to grant cross-tenant access by inviting the user as a guest in your Microsoft Entra ID tenant, then assigning the Storage Blob Data Reader role at the container scope. This minimizes administrative overhead by leveraging existing role assignments without managing shared keys or SAS tokens, and it follows the principle of least privilege by scoping access to a specific container.

Exam trap

The trap here is that candidates often confuse RBAC with shared access signatures or account keys, assuming that any cross-tenant access requires a SAS token, when in fact Azure AD B2B collaboration with RBAC is the correct, low-overhead solution.

How to eliminate wrong answers

Option A is wrong because a shared access signature (SAS) does not use Azure RBAC; it uses a token-based delegation that requires manual token management and expiration, increasing administrative overhead. Option C is wrong because adding the user as a Storage Blob Data Reader at the storage account level grants access to all containers in the account, violating the requirement to scope access to a specific container. Option D is wrong because sharing the storage account key grants full administrative access to the entire storage account, bypassing RBAC entirely and creating a severe security risk.

328
MCQ · hard

A storage account for thumbnail metadata must allow an application to read only blobs under one container for two hours. The application should not receive the account key. What should be issued? The design must avoid adding custom operational scripts.

A.A public access level on the container
B.A service SAS scoped to the container with read permission and expiry
C.A management group assignment
D.The storage account access key
Answer: B

A service SAS can grant limited, time-bound permissions without exposing account keys.

Why this answer

A service SAS (Shared Access Signature) scoped to a specific container with read permission and an expiry time of two hours meets the requirement: it grants time-limited read access to blobs under that container without exposing the account key. The SAS token is issued to the application, which can then use it to authenticate requests directly to Azure Blob Storage, avoiding the need for custom scripts.

Exam trap

The trap here is that candidates may confuse a service SAS with a public access level (Option A) because both allow read access, but they fail to recognize that public access is permanent and unrestricted, whereas a SAS provides time-limited, scoped access without exposing the account key.

How to eliminate wrong answers

Option A is wrong because setting a public access level on the container would allow anonymous read access indefinitely, not for a limited two-hour period, and it does not control which application can read—it's open to anyone. Option C is wrong because a management group assignment is an Azure RBAC construct for organizing subscriptions and managing governance at scale; it does not provide time-bound, scoped access to blob containers. Option D is wrong because providing the storage account access key grants full administrative access to the entire storage account (including all containers, write/delete operations) and cannot be scoped to a single container or limited to two hours; it also violates the requirement that the application should not receive the account key.

329
MCQ · medium

Your company has a set of REST APIs that are exposed through Azure API Management (APIM). One of the backend APIs is secured and requires an OAuth 2.0 access token from Microsoft Entra ID. The APIM instance has a system-assigned managed identity with permissions to request tokens for the backend API's scope. You need to configure APIM to automatically obtain a token and pass it to the backend API when requests come in. What should you do?

A.Add a set-backend-service policy with the authentication-managed-identity attribute
B.Configure the backend API's subscription key in policy
C.Use a validate-jwt policy to check incoming token
D.Create a named value with the token and reference it in policy
Answer: A

This policy automatically obtains a token using the managed identity and passes it to the backend as an Authorization header.

Why this answer

Option A is correct because the `set-backend-service` policy with the `authentication-managed-identity` attribute allows APIM to use its system-assigned managed identity to obtain an OAuth 2.0 access token from Microsoft Entra ID for the specified backend API scope. This token is automatically attached to the backend request as an Authorization header, enabling secure access without manual token management.

Exam trap

The trap here is that candidates confuse `validate-jwt` (which checks client tokens) with the need to obtain a new token for the backend, or they assume a static token stored in a named value is sufficient, ignoring the dynamic nature of OAuth 2.0 token expiry and managed identity capabilities.

How to eliminate wrong answers

Option B is wrong because subscription keys are used for APIM-level authentication and rate limiting, not for obtaining OAuth 2.0 tokens for backend APIs. Option C is wrong because `validate-jwt` only validates an incoming token from the client; it does not obtain or attach a token for the backend. Option D is wrong because named values store static secrets or configuration strings, not dynamically obtained tokens; manually storing a token would require frequent updates and defeats the purpose of managed identity.

330
MCQ · medium

You are developing an IoT solution that stores device metadata (device ID, location, firmware version, last seen timestamp) in Azure Table Storage. Each device has a unique DeviceId and a Timestamp. You need to design the PartitionKey and RowKey to optimize query performance for the following query: Retrieve all firmware versions for devices in a specific city that were last seen within the last 24 hours. The query must be efficient (partition scan minimized). Which key design is most appropriate?

A.PartitionKey = City, RowKey = DeviceId_Timestamp (e.g., "device123_2023-10-01T12:00:00")
B.PartitionKey = City, RowKey = Inverted timestamp (e.g., DateTime.MaxValue.Ticks - Timestamp.Ticks)
C.PartitionKey = DeviceId, RowKey = Timestamp
D.PartitionKey = City, RowKey = DeviceId
Answer: B

This design keeps all devices from the same city in one partition (efficient for city filtering). The row key, when sorted in ascending order, brings the most recent timestamps first. You can use a range query on the row key to get devices with last seen within the last 24 hours by comparing against the inverted timestamp of 24 hours ago.

Why this answer

Option B is correct because it uses City as the PartitionKey, ensuring all devices in the same city are in a single partition, and an inverted timestamp as the RowKey, which allows efficient range queries for the last 24 hours. Azure Table Storage sorts entities by RowKey within a partition, so querying for RowKey values greater than the inverted timestamp for 24 hours ago retrieves only the relevant rows without scanning the entire partition.

Exam trap

The trap here is that candidates often choose Option D (PartitionKey = City, RowKey = DeviceId) because it groups by city, but they overlook that the timestamp filter would still require a full partition scan, failing the 'minimized partition scan' requirement.

How to eliminate wrong answers

Option A is wrong because using DeviceId_Timestamp as the RowKey does not support efficient range queries by timestamp; the query would need to scan all rows in the partition to filter by timestamp. Option C is wrong because PartitionKey = DeviceId scatters each device into its own partition, requiring a full table scan across all partitions to find devices in a specific city and timestamp range. Option D is wrong because RowKey = DeviceId does not allow efficient timestamp filtering; the query would still need to scan all rows in the city partition to find those within the last 24 hours.
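The key design from option B, as an added example that is not part of the question bank: the RowKey is the .NET-style inverted timestamp (DateTime.MaxValue.Ticks - Timestamp.Ticks), zero-padded so that string order equals numeric order, and the range query is simulated over an in-memory partition. Appending the DeviceId to the RowKey for uniqueness, and the sample devices, are assumptions added here.

```python
"""Added example: inverted-timestamp RowKey for Azure Table Storage, simulated locally.
Sample data is constructed; no Azure SDK is used."""
from datetime import datetime, timedelta, timezone

# .NET DateTime.MaxValue.Ticks; one tick is 100 ns since 0001-01-01 00:00:00.
DOTNET_MAX_TICKS = 3155378975999999999
_DOTNET_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)


def to_ticks(ts: datetime) -> int:
    """Convert a timezone-aware UTC datetime to .NET DateTime ticks."""
    delta = ts - _DOTNET_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def inverted_key(ts: datetime) -> str:
    """DateTime.MaxValue.Ticks - Timestamp.Ticks, zero-padded to 19 digits so that
    lexicographic order equals numeric order. Newer timestamps give SMALLER keys."""
    return f"{DOTNET_MAX_TICKS - to_ticks(ts):019d}"


def row_key(last_seen: datetime, device_id: str) -> str:
    """Assumption added here: the DeviceId is appended so two devices in one city
    seen at the same tick do not collide on RowKey."""
    return f"{inverted_key(last_seen)}_{device_id}"


def entity(city, device_id, firmware, last_seen):
    return {"PartitionKey": city, "RowKey": row_key(last_seen, device_id),
            "DeviceId": device_id, "Firmware": firmware, "LastSeen": last_seen}


def odata_filter(city: str, now: datetime, window=timedelta(hours=24)) -> str:
    """The filter the service would receive. Because the key is inverted, rows seen
    AFTER the cutoff have keys LESS THAN the cutoff key, so the operator is 'lt'."""
    return f"PartitionKey eq '{city}' and RowKey lt '{inverted_key(now - window)}'"


def recent_firmware(table, city, now, window=timedelta(hours=24)):
    """Local simulation of the server-side range query: walk one partition in RowKey
    order and stop at the first key past the cutoff instead of scanning it all."""
    cutoff_key = inverted_key(now - window)
    partition = sorted((e for e in table if e["PartitionKey"] == city),
                       key=lambda e: e["RowKey"])
    results = []
    for e in partition:
        if e["RowKey"] >= cutoff_key:  # older than the window; all later rows are older too
            break
        results.append((e["DeviceId"], e["Firmware"]))
    return results


# Constructed sample data.
NOW = datetime(2023, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_TABLE = [
    entity("Seattle", "device1", "2.1", NOW - timedelta(hours=1)),
    entity("Seattle", "device2", "1.9", NOW - timedelta(hours=30)),
    entity("Seattle", "device3", "2.0", NOW - timedelta(hours=23)),
    entity("Portland", "device4", "2.1", NOW - timedelta(minutes=5)),
]

if __name__ == "__main__":
    print(odata_filter("Seattle", NOW))
    print(recent_firmware(SAMPLE_TABLE, "Seattle", NOW))
```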

331
MCQ · hard

Your application uses Azure Key Vault to store cryptographic keys. You need to ensure that keys are automatically rotated every 90 days without any manual intervention. Which Key Vault feature should you configure?

A.Set a key rotation policy
B.Configure a Key Vault firewall
C.Enable soft-delete on the key vault
D.Use a managed HSM instead of a standard vault
Answer: A

Key rotation policy automates key rotation based on defined schedule.

Why this answer

A Key Vault key rotation policy rotates keys automatically on a defined time interval or ahead of expiration. Option B is wrong because the Key Vault firewall controls network access, not rotation. Option C is wrong because soft delete is for recovery, not rotation.

Option D is wrong because managed HSM supports rotation but requires more configuration and is not the standard feature for automatic rotation; the built-in rotation policy is the correct answer.

332
MCQ · hard

A company has an Azure App Service web app that reads from Azure Blob Storage. The app uses a connection string stored in app settings. Recently, the storage account key was rotated, and the app started throwing authentication errors. What should the developer do to resolve this issue without redeploying the app?

A.Change the app to use managed identity
B.Rotate the storage account key again
C.Update the connection string in the app settings to use the new key
D.Restart the app service
Answer: C

Updating the app settings will automatically restart the app with the new connection string.

Why this answer

Option C is correct because updating the connection string in the App Service app settings takes effect without a redeployment (the app is restarted). Option B (rotate the key again) does not update the connection string; Option A (use managed identity) would require code changes; Option D (restart the app) would not fix the connection string.

333
MCQ · easy

You are building an Azure Logic App that needs to call an external REST API. The API requires an API key to be passed in the 'X-API-Key' header. You have stored the API key as a secret in Azure Key Vault. The Logic App uses a managed identity that has read access to the Key Vault secret. You want to retrieve the API key securely at runtime and include it in the HTTP request. Which approach should you use?

A.Add a 'Get secret' action from Key Vault to retrieve the secret, then use the 'HTTP' action and set the 'X-API-Key' header to the secret value using a dynamic expression.
B.Configure the HTTP action to use managed identity authentication and set the 'Audience' to the Key Vault URL. This will automatically pass the API key as the Authorization header.
C.Store the API key in an Azure App Service application setting and reference it from the Logic App using the 'appsetting' function.
D.Use the 'Invoke an HTTP endpoint' action with Application Insights dependency tracking enabled. The API key is automatically logged by Application Insights.
Answer: A

This is the correct approach. The Logic App can use a managed identity to authenticate to Key Vault, retrieve the secret via the 'Get secret' action, and then use that value in the HTTP request header.

Why this answer

Option A is correct because it uses the native 'Get secret' action from Azure Key Vault to securely retrieve the API key at runtime, leveraging the Logic App's managed identity for authentication. The secret value can then be dynamically injected into the 'X-API-Key' header of the subsequent HTTP action using an expression like `@{outputs('Get_secret')?['value']}`. This approach follows the principle of least privilege and avoids hardcoding secrets or exposing them in configuration.

Exam trap

The trap here is that candidates may confuse managed identity authentication on an HTTP action (which is for authenticating to the target API) with the mechanism to retrieve secrets from Key Vault, leading them to incorrectly select Option B.

How to eliminate wrong answers

Option B is wrong because managed identity authentication on an HTTP action is used to authenticate the Logic App to the target API (e.g., using OAuth 2.0), not to retrieve a secret from Key Vault; setting the 'Audience' to the Key Vault URL would attempt to authenticate to Key Vault, not pass the API key in the header. Option C is wrong because Azure App Service application settings are not accessible from a Logic App via the 'appsetting' function; that function is specific to Azure Functions and App Service code, not Logic App workflow expressions. Option D is wrong because the 'Invoke an HTTP endpoint' action with Application Insights dependency tracking does not automatically retrieve or inject API keys; it only enables telemetry logging of the HTTP call, and the API key would still need to be manually provided and could be exposed in logs.

334
Multi-Select · hard

Which TWO are best practices for securing an Azure API Management instance?

Select 2 answers
A.Expose the management endpoint publicly for easy configuration
B.Require subscription keys for all APIs
C.Set rate limits to prevent brute force attacks
D.Use OAuth 2.0 with Azure AD to authenticate API consumers
E.Share API keys with partners via email
Answers: B, D

Subscription keys provide a basic level of access control.

Why this answer

Options B and D are correct: requiring subscription keys and using OAuth 2.0 with Azure AD are best practices. Option E is wrong because sharing keys by email is insecure.

Option A is wrong because exposing the management endpoint publicly is not recommended. Option C is wrong because rate limiting is for throttling, not security.

335
MCQ · hard

A microservices application deployed on Azure Kubernetes Service (AKS) needs to securely store and retrieve configuration settings. The configuration should be updated without redeploying containers. Which Azure service should be used?

A.Azure App Configuration
B.Azure Cosmos DB
C.Azure Key Vault
D.Azure Blob Storage
Answer: A

Azure App Configuration is a managed service for centralizing application configuration and feature flags, supporting dynamic updates.

Why this answer

Option A is correct because Azure App Configuration is designed for dynamic configuration management and supports feature flags, which can be updated without redeployment. Option C (Key Vault) is for secrets, not general configuration; Option B (Cosmos DB) is a database; Option D (Blob Storage) is for unstructured data and is not optimized for configuration.

336
MCQ · easy

You are developing an app that processes orders. When an order is placed, you need to send a confirmation email and update an inventory database. The email service may be slow but must not delay the order processing. Which approach should you use?

A.Scale out the email service to handle the load.
B.Send the email asynchronously via a queue (e.g., Azure Queue Storage).
C.Use Azure Event Grid to trigger the email.
D.Call the email service synchronously and wait for the response.
Answer: B

Decouples slow email service from order processing.

Why this answer

Option B is correct because queuing the email send decouples the email service from order processing, allowing the inventory update to proceed immediately. Option D is wrong because synchronous calls would block order processing. Option A is wrong because the email service is external and cannot be scaled by your app.

Option C is wrong because Event Grid is for event-driven architectures but does not provide a queue for work items.

337
MCQ · medium

A web app uses Azure Key Vault to store secrets. The app runs in a production environment and needs to authenticate to Key Vault without storing connection strings in configuration files. Which authentication method should be used?

A.Client secret stored in app settings
B.Managed identity
C.Storage account access keys
D.Certificate stored in Key Vault
Answer: B

Managed identity provides an automatically managed identity for the app to authenticate to Key Vault without secrets.

Why this answer

Option B is correct because managed identities allow Azure resources to authenticate to Azure services (such as Key Vault) without storing credentials in code or configuration. Option A (client secret) requires storing a secret, violating the requirement; Option D (certificate) also requires managing certificates; Option C (access keys) is for storage accounts, not Key Vault.

338
Multi-Select · medium

Which THREE components are required to implement Azure AD B2C custom policies for sign-up and sign-in? (Choose three.)

Select 3 answers
A.A user journey definition
B.An Azure AD (Microsoft Entra ID) tenant for employee identities
C.An Azure subscription
D.A trust framework policy (XML)
E.A relying party application registration
Answers: A, D, E

User journeys define the orchestration steps.

Why this answer

Options A, D, and E are correct. A trust framework policy (the XML base), a user journey (the orchestration steps), and a relying party application registration (the app) are required. Option B is wrong because that tenant is the identity provider for employees, not customers.

Option C is wrong because B2C uses a tenant, not a subscription.

339
MCQ · easy

Refer to the exhibit. You are analyzing the Azure Blob Storage service properties configured for a storage account. A web application hosted at https://www.contoso.com attempts to make a PUT request to a blob. The request fails with a CORS error. What is the most likely cause?

A.The request includes a header that is not in the allowed headers list.
B.The request's Origin header does not match the allowed origin.
C.The CORS rule does not include the DELETE method.
D.The exposedHeaders list does not include a required response header.
Answer: B

CORS requires the Origin header to match an allowed origin.

Why this answer

The CORS error occurs because the request's Origin header (https://www.contoso.com) does not match any allowed origin in the CORS rule. Azure Blob Storage enforces exact string matching for the Origin header against the allowed origins list; a mismatch causes the browser to block the PUT request. Since the question states the request fails with a CORS error and the exhibit shows allowed origins that do not include https://www.contoso.com, this is the most likely cause.

Exam trap

The trap here is that candidates often assume CORS errors are always caused by missing methods or headers, but the most common cause is a mismatch between the request's Origin header and the allowed origins list, especially when the allowed origins are not configured to include the exact domain of the web application.

How to eliminate wrong answers

Option A is wrong because if a header not in the allowed headers list is included, the browser would send a preflight OPTIONS request and fail with a CORS error, but the question specifies a PUT request, which typically does not trigger a preflight unless custom headers are used; however, the exhibit shows allowed headers are set to '*', so header mismatch is unlikely. Option C is wrong because the CORS rule not including the DELETE method would only affect DELETE requests, not PUT requests; the error is for a PUT request, so method mismatch is irrelevant. Option D is wrong because exposedHeaders only controls which response headers the browser exposes to the client, not whether the request itself is allowed; missing exposed headers would not cause a CORS error on a PUT request.

340
MCQ · easy

You are developing a serverless application using Azure Functions. The function must process messages from an Azure Storage Queue and write results to Azure Cosmos DB. Which binding should you use for the output?

A. Azure Blob Storage output binding
B. Azure Cosmos DB input binding
C. Azure Storage Queue output binding
D. Azure Cosmos DB output binding
Answer: D

Output binding writes data to Cosmos DB.

Why this answer

Option D is correct because the Azure Cosmos DB output binding allows you to write the results of queue-triggered function execution directly to a Cosmos DB container. The function processes messages from an Azure Storage Queue (input binding) and uses the output binding to insert or upsert documents into Cosmos DB without writing any SDK code.

Exam trap

The trap here is that candidates may confuse input and output bindings, selecting the Cosmos DB input binding (Option B) because they see 'Cosmos DB' and forget the direction, or choose the Blob Storage binding (Option A) because they associate storage with output without reading the requirement for Cosmos DB.

How to eliminate wrong answers

Option A is wrong because the Azure Blob Storage output binding writes data to blobs, not to Cosmos DB, so it cannot satisfy the requirement to write results to Cosmos DB. Option B is wrong because the Azure Cosmos DB input binding is used to read data from Cosmos DB before function execution, not to write output results. Option C is wrong because the Azure Storage Queue output binding writes messages to a queue, which is unrelated to writing results to Cosmos DB.

341
MCQ · medium

Three analytics pipelines each need to read every event from the same Azure Event Hub: one pipeline archives events to cold storage, one computes real-time aggregations, and one feeds a machine learning model. How should the developer configure Event Hubs to allow all three to consume independently without interfering with each other?

A. Create a separate consumer group for each pipeline; each group tracks its own offset independently
B. Create three separate Event Hubs in the same namespace and replicate events between them with Event Hubs Capture
C. Use a single consumer group and route events to different pipelines by partition key prefix
D. Enable Event Hubs Capture for all three pipelines so they read from the captured Avro files in storage instead of the Event Hub directly
Answer: A

With three consumer groups, each pipeline reads the full stream from its own position. The archiving pipeline, aggregation pipeline, and ML pipeline each checkpoint independently. If one falls behind or restarts, it resumes from its own saved offset without disturbing the others.

Why this answer

A is correct because each consumer group in Event Hubs maintains its own independent offset and checkpoint, allowing multiple consumers to read the same event stream without interfering. By creating a separate consumer group for each pipeline (archival, real-time aggregation, ML), each pipeline can process events at its own pace and from its own position in the stream, ensuring no consumer's progress affects another.

Exam trap

The trap here is that candidates often confuse consumer groups with partitions, thinking that multiple consumers must use different partitions to avoid interference, but partitions are for scaling throughput, not for independent offset tracking—consumer groups are the correct abstraction for independent consumption.

How to eliminate wrong answers

Option B is wrong because creating three separate Event Hubs and replicating events between them is unnecessary overhead and does not solve the independent consumption requirement; each pipeline would still need its own consumer group within each hub, and replication introduces latency and complexity. Option C is wrong because using a single consumer group forces all pipelines to share the same offset, meaning one pipeline's consumption progress (e.g., fast real-time aggregation) would advance the offset, causing other pipelines (e.g., slower archival) to miss events. Option D is wrong because Event Hubs Capture writes events to Azure Blob Storage or Data Lake Store in Avro format, but it is a one-way archival feature, not a mechanism for multiple independent consumers; pipelines would still need to read from the Event Hub directly for real-time processing, and Capture does not provide independent offset tracking.

342
MCQ · hard

Refer to the exhibit. You deploy the ARM template to create an Azure Key Vault. After deployment, you attempt to add an access policy to grant a user 'Get' secret permissions using the Azure portal, but the option is grayed out. What is the most likely reason?

A. The vault is disabled due to 'enableSoftDelete'
B. The property 'enabledForDeployment' is set to false
C. Soft delete is enabled, which prevents access policy changes
D. RBAC authorization is enabled, so access policies are not used
Answer: D

With RBAC authorization, permissions are managed via RBAC roles, not access policies.

Why this answer

The property 'enableRbacAuthorization' is set to true, which means the Key Vault uses Azure RBAC for authorization instead of access policies, so the access policies tab is disabled. Option A is wrong because the vault is enabled; soft delete does not disable a vault. Option B is wrong because 'enabledForDeployment' is for Azure VMs, not access policies. Option C is wrong because soft delete does not affect access policies.

343
MCQ · easy

You are developing an application that writes log entries to Azure Blob Storage. Each log entry is approximately 500 bytes, and you expect to generate millions of entries per day. The logs are rarely read, and when they are read, you need to retrieve ranges of logs sequentially. Which blob type should you use to minimize storage costs and maximize write throughput?

A. Block blobs
B. Append blobs
C. Page blobs
D. Azure Files shares
Answer: B

Append blobs are specifically designed for append operations, providing high write throughput and low cost per write. They are ideal for streaming log data where new entries are continuously added.

Why this answer

Append blobs are optimized for append operations, making them ideal for write-heavy, sequential logging scenarios. Each append operation adds data to the end of the blob, achieving high write throughput without the overhead of managing block lists. Since logs are rarely read and accessed sequentially, append blobs minimize storage costs compared to block blobs (which require block management overhead) and page blobs (which are designed for random access and are more expensive).

Exam trap

The trap here is that candidates often choose block blobs because they are the default and most familiar blob type, overlooking that append blobs are specifically designed for append-heavy workloads like logging and provide better write throughput without block management overhead.

How to eliminate wrong answers

Option A is wrong because block blobs require managing block IDs and committing block lists, which adds overhead for frequent small writes (500 bytes each) and reduces write throughput for high-volume logging. Option C is wrong because page blobs are designed for random read/write access (like VHDs) and are priced higher per GB, making them cost-inefficient for sequential log storage. Option D is wrong because Azure Files shares are a fully managed file share service based on SMB protocol, not a blob type, and are not optimized for high-frequency append operations or cost-effective log storage.

344
MCQ · hard

A Durable Functions workflow for a checkout API must call five independent activity functions and continue only after all results are available. Which pattern is appropriate?

A. Fan-out/fan-in
B. Human interaction
C. Function chaining
D. Monitor pattern
Answer: A

Fan-out/fan-in runs activities in parallel and aggregates results after all complete.

Why this answer

The fan-out/fan-in pattern is correct because in Durable Functions the orchestrator can issue several `CallActivityAsync` calls without awaiting each one, so the independent activity functions run in parallel, and `Task.WhenAll` waits for all of their results before proceeding. This matches the requirement to call five independent activities and continue only after all results are available, which is the exact definition of fan-out/fan-in.

Exam trap

The trap here is that candidates confuse function chaining (sequential execution) with fan-out/fan-in (parallel execution), failing to recognize that the requirement for 'independent' activities and 'continue only after all results are available' explicitly demands parallelism, not sequential chaining.

How to eliminate wrong answers

Option B (Human interaction) is wrong because it involves waiting for external human approval via `WaitForExternalEvent`, not parallel execution of independent activities. Option C (Function chaining) is wrong because it executes activities sequentially, each depending on the previous output, which does not allow parallel execution. Option D (Monitor pattern) is wrong because it polls an external resource on a timer, not orchestrating parallel activity calls.

345
Multi-Select · hard

You are designing a serverless application using Azure Functions. The application processes messages from Azure Service Bus. You need to ensure that processing is idempotent and that messages are not lost. Which THREE actions should you take?

Select 3 answers
A. Process messages in batches to improve throughput.
B. Implement idempotency in the function logic.
C. Use PeekLock mode and manually complete messages after processing.
D. Use the AutoComplete option to automatically mark messages as complete.
E. Set the max delivery count on the Service Bus queue to prevent infinite retries.
Answers: B, C, E

Idempotency ensures that duplicate messages do not cause side effects.

Why this answer

Option B is correct because idempotency ensures that processing the same message multiple times produces the same result, which is critical for serverless applications where retries or duplicate deliveries can occur. Azure Functions can receive the same Service Bus message more than once due to transient failures or redelivery, so the function logic must handle duplicates safely, often by checking a unique message ID or using a deduplication store.

Exam trap

The trap here is that candidates often confuse AutoComplete with reliability, but AutoComplete can lead to message loss if the function crashes after processing but before the completion is committed, whereas PeekLock with manual completion ensures messages are not lost.

346
Multi-Select · hard

A function consumes messages from Azure Service Bus. Which two settings help handle transient failures safely? The design must avoid adding custom operational scripts.

Select 2 answers
A. Configure max delivery count with a dead-letter queue
B. Make message processing idempotent
C. Disable lock renewal for long processing
D. Use anonymous sender access
Answers: A, B

Dead-lettering isolates messages after repeated delivery failures.

Why this answer

Option A is correct because configuring a max delivery count with a dead-letter queue allows the system to automatically move a message to the dead-letter queue after a specified number of failed delivery attempts. This prevents poison messages from being retried indefinitely, handling transient failures safely without custom scripts. Option B is correct because idempotent message processing ensures that if a message is processed more than once due to transient failures or retries, the system state remains consistent, avoiding duplicate side effects.

Exam trap

The trap here is that candidates often mistake disabling lock renewal for a way to handle long processing times, but it actually causes the message to be abandoned and reprocessed once the lock expires, which is not safe transient-failure handling.

347
MCQ · hard

Refer to the exhibit. You deployed an Azure Storage account with this ARM template. Users outside the allowed IP range receive '403 Forbidden' errors. What is the MOST likely cause?

A. The access tier is Cool
B. The minimum TLS version is set to TLS1_2
C. The IP rule allows only 203.0.113.0/24
D. The network ACL default action is Deny
Answer: D

Denies all traffic except from allowed IPs.

Why this answer

Option D is correct because the defaultAction is Deny, so only traffic from the specified IP range is allowed and every other request is rejected with 403. Option A is wrong because the Cool access tier doesn't affect access. Option B is wrong because the TLS version is correct. Option C is wrong because the IP rule allows the range; it is the default Deny action, not the rule itself, that blocks other clients.

348
MCQ · medium

You are using Application Insights to monitor an ASP.NET Core web API. Users report that a specific endpoint is slow, but you cannot reproduce the issue in development. You need to identify which line of code is causing the delay in production. Which Application Insights feature should you use?

A. Use the Application Insights Map to visualize dependencies.
B. Enable Application Insights Profiler.
C. Use the Snapshot Debugger to capture debug snapshots on exceptions.
D. Create a custom telemetry event in the slow endpoint to log timing data.
Answer: B

Correct. Profiler captures detailed execution traces for requests and shows the time spent in each method, enabling you to pinpoint the slow code path.

Why this answer

Application Insights Profiler is designed specifically to trace code-level performance issues in production without requiring code changes or reproducing the problem. It captures detailed call stacks and timing for each request, allowing you to identify exactly which line of code is causing the delay. This makes it the correct choice for diagnosing a slow endpoint that cannot be reproduced in development.

Exam trap

The trap here is that candidates often confuse the Snapshot Debugger (for exceptions) with the Profiler (for performance), or assume custom telemetry is the only way to get timing data, missing that the Profiler provides automatic, line-level diagnostics without code changes.

How to eliminate wrong answers

Option A is wrong because the Application Insights Map visualizes dependencies between services (e.g., databases, external APIs) but does not provide line-by-line code execution timing. Option C is wrong because the Snapshot Debugger captures debug snapshots only when exceptions are thrown, not for slow performance without exceptions. Option D is wrong because creating a custom telemetry event requires modifying the application code and redeploying, which is not a built-in feature for diagnosing existing production slowness without prior instrumentation.

349
MCQ · medium

You deploy a containerized background job to Azure Container Instances (ACI). The job should automatically restart only if it exits with a non-zero exit code (i.e., crashes). You want to minimize costs. Which restart policy should you configure?

A. Always
B. OnFailure
C. Never
D. Retry
Answer: B

This policy restarts only when the container exits with a non-zero exit code, which matches the requirement to restart on failure while minimizing costs.

Why this answer

The OnFailure restart policy is correct because it restarts the container only when it exits with a non-zero exit code, indicating a crash or error. This matches the requirement to automatically restart only on failure while minimizing costs, as it avoids unnecessary restarts on successful completions.

Exam trap

The trap here is that candidates may confuse the OnFailure policy with the Always policy, thinking that Always is needed for automatic restarts, but they overlook the cost implication and the specific requirement to restart only on failure.

How to eliminate wrong answers

Option A is wrong because the Always restart policy restarts the container regardless of the exit code, even on successful completions, which would incur unnecessary costs and is not aligned with the requirement to restart only on failure. Option C is wrong because the Never restart policy does not restart the container under any circumstances, so it would not automatically restart on a crash. Option D is wrong because Retry is not a valid restart policy for Azure Container Instances; the valid policies are Always, OnFailure, and Never.

350
Multi-Select · medium

You need to secure access to an Azure Storage account that contains sensitive data. Which TWO of the following are recommended best practices?

Select 2 answers
A. Rotate storage account keys every 24 hours
B. Use managed identities to access storage from Azure services
C. Configure firewall rules to restrict access to specific IP addresses or VNets
D. Use SAS tokens with long expiry dates
E. Enable anonymous public access for all containers
Answers: B, C

Managed identities avoid storing credentials.

Why this answer

Option B is correct because using managed identities avoids storing credentials. Option C is correct because limiting network access reduces the attack surface. Option A is wrong because storage account keys should be rotated regularly, but not necessarily every 24 hours. Option D is wrong because SAS tokens with long expiry dates increase risk. Option E is wrong because anonymous public access should be disabled except for specific containers when needed.

351
MCQ · medium

Twenty Azure Functions across different teams all need read access to the same Azure Cosmos DB account. The security team wants to revoke or modify this access for all twenty functions at once without visiting each Function App individually. What managed identity design satisfies this requirement?

A. Create one user-assigned managed identity, attach it to all twenty Function Apps, and grant it the Cosmos DB Built-in Data Reader role
B. Enable a system-assigned managed identity on each Function App and grant each identity the Cosmos DB Built-in Data Reader role
C. Create a service principal, store its client secret in Key Vault, and reference the secret from all twenty Function Apps via Key Vault references
D. Store the Cosmos DB connection string in Azure App Configuration and reference it from all twenty Function Apps
Answer: A

The role assignment on the user-assigned identity propagates instantly to all twenty Function Apps that reference it. Revoking the role assignment revokes access everywhere simultaneously. Adding a new Function App just requires attaching the existing identity — no new role grants are needed.

Why this answer

Option A is correct because a single user-assigned managed identity can be created once and then attached to all twenty Function Apps. Granting that identity the Cosmos DB Built-in Data Reader role at the Cosmos DB account scope means that revoking or modifying the role assignment centrally affects all functions simultaneously, without needing to visit each app individually.

Exam trap

The trap here is that candidates often confuse system-assigned managed identities (which are tied to a single resource) with user-assigned managed identities (which can be shared across resources), leading them to choose Option B because they think 'managed identity' automatically means system-assigned, missing the central management requirement.

How to eliminate wrong answers

Option B is wrong because each system-assigned managed identity is unique per Function App, so you would have to grant the Cosmos DB role to each identity individually, and revoking or modifying access would require updating each role assignment separately. Option C is wrong because using a service principal with a client secret stored in Key Vault introduces secret management overhead and does not leverage managed identities; revoking access would require rotating the secret or modifying the service principal, not a single role assignment. Option D is wrong because storing the Cosmos DB connection string in App Configuration and referencing it from each Function App does not provide a central point to revoke or modify access—each app still uses the same static connection string, and revoking access would require changing the connection string and redeploying or updating each app's configuration reference.

352
MCQ · medium

Tailwind Traders uses Azure Logic Apps to orchestrate a multi-step business process. The workflow must call an external REST API that requires OAuth 2.0 authentication. The API is registered in Microsoft Entra ID. The Logic App must authenticate using a system-assigned managed identity. The API's app registration has been configured to accept tokens from the managed identity. Which connector should the team use in the Logic App to call the API, and how should they configure authentication?

A. Use the HTTP connector. In the connector's authentication settings, choose 'Managed Identity' and select the system-assigned identity. Set the audience to the API's Application ID URI.
B. Use the HTTP connector with 'Active Directory OAuth' authentication. Provide the client ID and client secret of a service principal.
C. Use the custom connector. In the custom connector's authentication, choose 'Managed Identity' and provide the managed identity's principal ID.
D. Use the Azure API Management connector. Configure it to use OAuth 2.0 with the managed identity.
Answer: A

Correct: HTTP connector supports managed identity authentication.

Why this answer

Option A is correct: use the HTTP connector with the 'Managed Identity' authentication type, select the system-assigned identity, and set the audience to the API's Application ID URI. Option B is wrong because 'Active Directory OAuth' requires a client ID and client secret, which the managed identity requirement rules out. Option C is wrong because a custom connector is overkill for a single REST call. Option D is wrong because routing through API Management is unnecessary.

353
Multi-Select · medium

Your company is deploying a multi-container application using Azure Container Instances (ACI) in a virtual network. You need to ensure that containers can communicate with each other using localhost. Which TWO actions should you take?

Select 2 answers
A. Define environment variables on each container with the hostnames.
B. Deploy all containers in the same container group.
C. Assign different private IP addresses to each container.
D. Deploy containers in separate container groups and use service discovery.
E. Use the container group's fully qualified domain name (FQDN) to communicate.
Answers: B, E

Containers in the same group share the same network stack.

Why this answer

Option B is correct because containers within the same container group in Azure Container Instances share the same network namespace, including the same IP address and port space. This allows them to communicate over localhost (127.0.0.1) without additional configuration, as they are essentially running on the same virtual machine.

Exam trap

The trap here is that candidates often confuse container groups with separate containers in a Docker Compose or Kubernetes pod context, assuming that localhost communication requires explicit network configuration or service discovery, when in fact ACI container groups inherently share the same network namespace.

354
Multi-Select · hard

Which THREE Azure services can be used to trigger an Azure Function when a new blob is uploaded to a storage account?

Select 3 answers
A. Azure Service Bus queue
B. Azure Logic Apps
C. Azure Blob Storage trigger (Event Grid based)
D. Azure Event Hubs
E. Azure Event Grid
Answers: C, D, E

The Blob Storage trigger uses Event Grid to notify the function.

Why this answer

Blob Storage trigger (Event Grid), Event Grid directly, and Event Hubs can all be used. Service Bus is not designed for blob events. Logic Apps is a different service that can trigger functions but is not a standalone trigger service.

355
MCQ · hard

You host a web application on Azure App Service using multiple deployment slots (production and staging). After swapping staging into production, users report errors. You need to ensure that the staging slot is warmed up before swapping and that any errors during swap cause an automatic rollback. What should you configure?

A. Configure deployment slot settings to be sticky.
B. Enable auto swap and configure a custom warm-up path.
C. Use swap with preview and complete the swap after verification.
D. Configure manual swap and run a warm-up script before swapping.
Answer: B

Auto swap with a custom warm-up path ensures the slot is warmed up; Azure automatically rolls back if the warm-up fails.

Why this answer

Option B is correct because enabling auto swap with a custom warm-up path ensures the staging slot is fully warmed up before the swap occurs, and if the warm-up fails or the application returns errors during the swap, Azure App Service automatically rolls back to the previous slot. This directly addresses the requirement for both pre-swap warm-up and automatic rollback on errors.

Exam trap

The trap here is that candidates often confuse 'swap with preview' (which requires manual completion) with automatic rollback, or think that sticky settings alone can handle warm-up and error recovery, when in fact auto swap with a custom warm-up path is the only built-in mechanism that combines both warm-up and automatic rollback.

How to eliminate wrong answers

Option A is wrong because making deployment slot settings sticky (slot-specific) only ensures that configuration and connection strings remain with the slot after a swap; it does not provide any warm-up or automatic rollback functionality. Option C is wrong because swap with preview allows you to validate the staging slot before completing the swap, but it does not automatically roll back on errors; you must manually complete or cancel the swap, which does not meet the 'automatic rollback' requirement. Option D is wrong because manual swap with a warm-up script requires custom scripting and does not provide built-in automatic rollback on swap errors; the rollback would need to be manually orchestrated.

356
MCQ · hard

Refer to the exhibit. You run this Azure CLI command to configure an Azure Web App for Containers. The web app fails to start, and the logs show 'unauthorized: authentication required'. What is the most likely cause?

A. The command did not include admin credentials or managed identity configuration
B. The image tag 'latest' does not exist
C. The web app is configured to use a deployment slot, but the slot is not specified
D. The --docker-registry-server-url is incorrect
Answer: A

Correct: Without credentials, the web app cannot authenticate to the registry.

Why this answer

Option A is correct because the Azure CLI command `az webapp config container set` without specifying `--docker-registry-server-user` and `--docker-registry-server-password` (or a managed identity configuration) means the web app cannot authenticate with a private container registry. The 'unauthorized: authentication required' error indicates the registry requires credentials, and the web app has none configured, so it fails to pull the image.

Exam trap

The trap here is that candidates assume the 'latest' tag always exists or that the registry URL is the only configuration needed, overlooking that private registries require explicit authentication credentials or managed identity setup.

How to eliminate wrong answers

Option B is wrong because if the 'latest' tag did not exist, the error would be 'manifest not found' or 'image not found', not 'unauthorized: authentication required'. Option C is wrong because deployment slots are unrelated to registry authentication; the error is about pulling the image, not routing traffic to a slot. Option D is wrong because an incorrect `--docker-registry-server-url` would cause a 'connection refused' or 'name resolution failure' error, not an authentication error.

357
MCQ · easy

You need to secure access to an Azure Storage account that hosts sensitive data. The requirement is to restrict access to only requests originating from a specific virtual network. Which feature should you configure?

A. Customer-managed keys (CMK)
B. Azure AD authentication
C. Shared access signatures (SAS)
D. Storage firewall and virtual network rules
Answer: D

These rules allow you to limit access to specific VNets and subnets.

Why this answer

Storage firewall and virtual network rules allow you to restrict access to specific VNets, subnets, and IP addresses, so requests from anywhere else are rejected at the network layer.

358
MCQ · medium

You are reviewing an Azure Policy definition that applies to storage accounts. The policy has an effect of 'deny' and specifies network ACLs. What is the intended behavior of this policy?

A. Allow all storage accounts to be created regardless of network rules
B. Deny all traffic to storage accounts
C. Deny creation of storage accounts that do not have a virtual network rule allowing vnet1 and default action set to Deny
D. Allow only traffic from the specified virtual network
Answer: C

The policy denies any storage account that does not meet the network ACL conditions.

Why this answer

Option C is correct. The policy denies the creation of storage accounts that do not have the specified virtual network rule and a default action of Deny. Option A is wrong because the policy does not allow all storage accounts regardless of network rules; it rejects non-compliant ones. Option B is wrong because a 'deny' effect blocks non-compliant deployments; it does not deny traffic to existing accounts. Option D is wrong because Azure Policy does not itself allow or block traffic from vnet1; it only checks whether the account's network ACLs contain that rule.

359
MCQ · hard

You are developing a microservices-based application deployed to Azure Kubernetes Service (AKS). One of the microservices needs to securely retrieve secrets (e.g., database connection strings) from Azure Key Vault. The application uses managed identity for authentication. You need to implement a solution that meets the following requirements: 1) The microservice should retrieve secrets from Key Vault without storing any credentials in the application code or configuration files. 2) The solution must support automatic rotation of secrets without application restart. 3) The solution should minimize latency and avoid direct calls to Key Vault on every request. 4) The application is written in .NET 8 and uses the Azure SDK. What should you do?

A. Store the connection string in an environment variable in the AKS pod spec and update the variable when the secret rotates.
B. Generate a client certificate in Key Vault and mount it as a volume in the AKS pod. Use the certificate to authenticate to Key Vault and retrieve secrets on each request.
C. Use the Azure Key Vault Secrets provider for the .NET Configuration API and set reloadOnChange to true to automatically reload secrets.
D. Use Azure.Identity.DefaultAzureCredential to authenticate to Key Vault and retrieve secrets on application startup, caching them in memory with a configurable expiration time. Use a background service to refresh the cache before expiration.
Answer: D

This approach uses managed identity, caches secrets, and refreshes them periodically without restarting the application.

Why this answer

Option D is correct because using Azure.Identity.DefaultAzureCredential with the SecretClient and caching secrets with a configurable refresh interval meets all requirements: managed identity authentication, no credentials stored, automatic rotation via periodic refresh, and reduced latency through caching. Option A is incorrect because environment variables are not secure and require an application restart on change. Option C is incorrect because the Key Vault Secrets provider for .NET Configuration can poll for changes, but it does not support automatic rotation without application restart by default and may cause high latency if configured to poll too frequently. Option B is incorrect because client certificates still require certificate management and rotation, and the application would need to handle certificate renewal.

360
MCQeasy

You are building a web application that allows users to upload profile pictures. The images are up to 5 MB in size and must be stored durably. The images are accessed infrequently after upload (a few times per month). You want to minimize storage costs while ensuring the data is available within seconds when requested. Which Azure Blob Storage access tier should you use for the blob container?

A.Hot
B.Cool
C.Archive
D.Premium
AnswerB

Cool tier is optimized for data that is accessed infrequently (a few times per month) but still needs immediate availability. It has lower storage cost than Hot tier and no retrieval delay.

Why this answer

The Cool tier is the optimal choice because the images are accessed infrequently (a few times per month) and are up to 5 MB in size. Cool tier offers lower storage cost than Hot tier while still providing sub-second latency for data retrieval, meeting the requirement of availability within seconds. Archive tier would have the lowest storage cost but incurs a multi-hour rehydration delay, violating the seconds-level availability requirement.

Exam trap

The trap here is that candidates often choose Archive tier thinking it is the cheapest option, overlooking the critical requirement that data must be available within seconds, which Archive cannot provide due to its mandatory rehydration latency.

How to eliminate wrong answers

Option A is wrong because the Hot tier is designed for frequently accessed data and has higher storage costs than Cool, making it cost-inefficient for data accessed only a few times per month. Option C is wrong because the Archive tier requires a rehydration process (taking up to 15 hours) before data can be read, which fails the requirement that data must be available within seconds when requested. Option D is wrong because the Premium tier is optimized for low-latency access (sub-millisecond) and high transaction rates, but it incurs significantly higher costs than Cool and is over-provisioned for infrequently accessed profile pictures.

361
MCQeasy

You are developing an API that will be hosted on Azure API Management (APIM). The API must be accessible only to clients that present a valid JSON Web Token (JWT) issued by Microsoft Entra ID. Which APIM policy should you use to validate the JWT?

A.<cors allow-credentials="true" />
B.<authenticate-basic />
C.<validate-jwt header-name="Authorization" failed-validation-httpcode="401" />
D.<check-header name="Authorization" failed-check-httpcode="401" />
AnswerC

The validate-jwt policy validates the JWT token.

Why this answer

Option C is correct because the validate-jwt policy is designed to check the validity of a JWT. Option D is wrong because check-header only checks for the existence of a header, not the validity of its contents. Option B is wrong because authenticate-basic is for basic authentication. Option A is wrong because cors is for cross-origin requests.

362
MCQhard

You have a Durable Functions orchestration that calls an activity function which may throw an exception due to a transient network issue. You want to retry the activity up to 3 times with a 2-second delay between attempts and exponential backoff. Which method should you use in the orchestrator function?

A.await context.CallActivityAsync("MyActivity", input);
B.await context.CallActivityWithRetryAsync("MyActivity", new RetryOptions(TimeSpan.FromSeconds(2), 3), input);
C.await context.CallSubOrchestratorAsync("MyActivity", input);
D.await context.CallHttpAsync(HttpMethod.Get, new Uri("..."), input);
AnswerB

Correct. CallActivityWithRetryAsync with RetryOptions(TimeSpan.FromSeconds(2), 3) implements up to 3 attempts with a 2-second initial delay.

Why this answer

Option B is correct because the `CallActivityWithRetryAsync` method is specifically designed for retrying activity functions in Durable Functions. It accepts a `RetryOptions` object where you can configure the delay (`TimeSpan.FromSeconds(2)`) and the maximum number of retry attempts (3), and it automatically applies exponential backoff between retries. This directly satisfies the requirement to retry the activity up to 3 times with a 2-second initial delay and exponential backoff.

Exam trap

The trap here is that candidates may confuse `CallActivityWithRetryAsync` with `CallActivityAsync` or `CallSubOrchestratorAsync`, not realizing that only `CallActivityWithRetryAsync` provides the built-in retry mechanism with configurable delay and exponential backoff for activity functions.

How to eliminate wrong answers

Option A is wrong because `CallActivityAsync` does not support any retry logic; if the activity throws an exception, the orchestration will fail immediately without retrying. Option C is wrong because `CallSubOrchestratorAsync` is used to call another orchestrator function, not an activity function, and it does not provide built-in retry configuration for transient failures. Option D is wrong because `CallHttpAsync` is used for making HTTP calls from orchestrator functions, not for calling activity functions, and it does not support the retry policy described in the question.

363
MCQhard

Your company develops a REST API for a global e-commerce platform that stores product images in Azure Blob Storage. The API uses shared access signatures (SAS) to grant temporary read access to the images. The security team requires that SAS tokens be generated using a user delegation key derived from the application's Microsoft Entra ID credentials, not from the storage account key. Additionally, the SAS must be scoped to a specific container and have a maximum validity of 1 hour. You need to implement the SAS generation in the API using the Azure Storage SDK for .NET. The application authenticates with Microsoft Entra ID using a managed identity assigned to the Azure App Service hosting the API. Which approach should you use?

A.Use the managed identity credentials to create a BlobServiceClient, then call GetUserDelegationKeyAsync to get a key, and then call BlobSasBuilder.GenerateSas using the key.
B.Use the StorageSharedKeyCredential with the storage account key to create a BlobSasBuilder and generate a SAS token.
C.Use DefaultAzureCredential to authenticate, then call GenerateUserDelegationSas on the BlobContainerClient.
D.Use the managed identity credentials to create a BlobServiceClient, then call GetUserDelegationKeyAsync, then create a BlobSasBuilder with the key and call ToSasQueryParameters.
AnswerA

This correctly obtains the user delegation key and generates a SAS with it.

Why this answer

Option A is correct because it follows the required pattern for generating a user delegation SAS: authenticate with managed identity via a BlobServiceClient, call GetUserDelegationKeyAsync to obtain a key derived from Microsoft Entra ID (not the storage account key), then use BlobSasBuilder with that key to call GenerateSas, which produces a SAS token scoped to a specific container with a 1-hour validity. This meets the security team's requirement of using Entra ID credentials and avoids exposing the storage account key.

Exam trap

The trap here is that candidates confuse the user delegation SAS workflow with the simpler account-key-based SAS, or mistakenly think that GenerateUserDelegationSas is a direct method on a container client, when in fact the key must be obtained first from the service client and then used with BlobSasBuilder.

How to eliminate wrong answers

Option B is wrong because it uses StorageSharedKeyCredential with the storage account key, which violates the requirement to use Microsoft Entra ID credentials and exposes the account key. Option C is wrong because GenerateUserDelegationSas is not a method on BlobContainerClient; the correct approach requires explicitly calling GetUserDelegationKeyAsync on the BlobServiceClient and then building the SAS with BlobSasBuilder. Option D is wrong because ToSasQueryParameters returns a Uri query string, not a SAS token string; the correct method to generate the token string is GenerateSas on BlobSasBuilder.

364
MCQeasy

You are deploying a microservices application on Azure Kubernetes Service (AKS). You need to monitor the resource consumption of each pod and set up alerts when CPU usage exceeds 80% for 5 minutes. What should you use?

A.Azure Monitor VM Insights
B.Application Insights
C.Azure Service Health
D.Azure Monitor Container Insights
AnswerD

Container Insights is designed for AKS and supports metric alerts.

Why this answer

Option D is correct because Container Insights provides monitoring of AKS clusters and supports metric alerts. Option A (Azure Monitor VM Insights) is for VMs. Option B (Application Insights) is for application-level telemetry. Option C (Azure Service Health) monitors Azure service availability.

365
MCQmedium

An Azure Container Instance running a claims processing function requires a password at startup. The password must not be visible in the portal or container logs. What should be used?

A.Plain environment variable
B.Secure environment variable
C.Public blob containing the password
D.Container command-line argument
AnswerB

Secure environment variables in ACI protect sensitive values and hide them from normal display.

Why this answer

Secure environment variables in Azure Container Instances are encrypted at rest and in transit, and are never exposed in the Azure portal, container logs, or to other users. This ensures the password remains confidential while being available to the container at startup, meeting the requirement of not being visible in the portal or logs.

Exam trap

The trap here is that candidates often confuse 'secure environment variables' with 'plain environment variables' or assume that command-line arguments are not logged, when in fact they are captured in container logs and visible in the portal.

How to eliminate wrong answers

Option A is wrong because plain environment variables are stored in plaintext and are visible in the Azure portal and container logs, violating the security requirement. Option C is wrong because a public blob containing the password would be accessible to anyone with the URL, completely compromising the password's confidentiality. Option D is wrong because container command-line arguments are logged in the container's startup logs and can be viewed in the portal, making them visible and insecure.

366
MCQmedium

You deploy a containerized application to Azure Container Instances (ACI). The application writes logs that must persist across container restarts and be accessible from a file system. The solution must minimize cost and complexity. Which configuration should you use?

A.Mount an Azure Files share as a volume
B.Store logs in Azure Container Registry
C.Use a Docker volume in the container
D.Pass log path via an environment variable
AnswerA

Correct. Azure Files provides SMB file shares that can be mounted as volumes in ACI, offering persistent storage at low cost with minimal complexity.

Why this answer

Mounting an Azure Files share as a volume in Azure Container Instances provides persistent, shared file storage that survives container restarts and is accessible via the container's file system. This approach minimizes cost by using standard Azure Files storage (pay only for consumed capacity) and complexity by leveraging ACI's native volume mount support without requiring additional orchestration or stateful infrastructure.

Exam trap

The trap here is that candidates confuse ephemeral Docker volumes (which are lost on restart) with persistent Azure Files shares, or mistakenly think Azure Container Registry can store runtime data like logs.

How to eliminate wrong answers

Option B is wrong because Azure Container Registry is a private registry for storing and managing container images, not a runtime storage location for application logs; logs written to ACR would not be accessible from the container's file system and would not persist across restarts. Option C is wrong because Docker volumes in ACI are ephemeral and tied to the container's lifecycle — they are lost when the container is restarted or recreated, failing the persistence requirement. Option D is wrong because an environment variable only passes configuration data (like a log path string) into the container; it does not provide any actual storage mechanism for log data to persist or be accessed from the file system.

367
MCQmedium

You need to store large binary files (up to 2 GB) that are frequently overwritten in place (entire file replaced). You want to minimize storage cost and write latency. Which Azure Blob Storage type should you use?

A.Block Blob
B.Page Blob
C.Append Blob
D.Archive Blob
AnswerA

Block Blobs allow you to upload large files in blocks and replace the entire blob by committing a new block list, providing low latency and cost efficiency.

Why this answer

Block blobs are optimized for storing large binary files (up to ~4.75 TB) and support high-throughput uploads via PutBlock and PutBlockList operations. They allow overwriting an entire blob by uploading a new set of blocks, which minimizes write latency compared to page blobs that require sector-aligned writes. Block blobs also offer lower storage cost than page blobs, making them the best choice for frequently overwritten large files.

Exam trap

The trap here is that candidates often confuse 'frequently overwritten' with 'random access' and choose Page Blob, forgetting that page blobs are optimized for small, random writes (like VHDs) and are more expensive, while block blobs are the correct choice for large file replacement with low latency and cost.

How to eliminate wrong answers

Option B (Page Blob) is wrong because page blobs are designed for random read/write access in 512-byte pages (e.g., VHDs for Azure VMs) and have higher storage costs and write latency due to sector alignment requirements, making them suboptimal for large file overwrites. Option C (Append Blob) is wrong because append blobs only support appending data to the end of the blob and do not allow overwriting existing content in place. Option D (Archive Blob) is wrong because archive blobs are for cold data with infrequent access, have high read latency (hours to rehydrate), and are not designed for frequent overwrites.

368
MCQmedium

You have an Azure Function with a Service Bus queue trigger. The function processes messages that must be handled in order within each partition of the queue. You need to ensure that the function does not process multiple messages from the same partition concurrently, while still allowing parallel processing across different partitions. Which setting should you configure?

A.Set the batch size to 1 in the function configuration.
B.Set the maxConcurrentCallsPerSession to 1, or use a session-enabled queue and set maxConcurrentSessions to 1 if using sessionId.
C.Use a consumption plan, which automatically limits concurrency.
D.Use a queue trigger instead of a Service Bus trigger.
AnswerB

This setting limits the number of concurrent calls per partition/session, ensuring sequential processing within a partition while allowing parallel processing across partitions.

Why this answer

Option B is correct because Service Bus sessions provide exactly-once-in-order message processing within a partition (session). Setting `maxConcurrentCallsPerSession` to 1 ensures that only one message from a given session is processed at a time, while `maxConcurrentSessions` controls how many different sessions can be processed in parallel. This allows concurrent processing across partitions but serializes processing within each partition.

Exam trap

The trap here is that candidates often confuse batch size with concurrency control, thinking that reducing batch size to 1 prevents parallel processing, when in fact it only limits the number of messages retrieved per fetch, not the number of concurrent executions.

How to eliminate wrong answers

Option A is wrong because setting batch size to 1 only limits how many messages are fetched at once, but does not prevent concurrent processing of multiple messages from the same partition—multiple function instances could still process them in parallel. Option C is wrong because the Consumption Plan does not automatically limit concurrency per partition; it only scales the number of function instances, which can still lead to concurrent processing of the same partition. Option D is wrong because a queue trigger (e.g., Storage Queue) does not support session-based ordering or partition-level concurrency control; it processes messages in a first-in-first-out manner but without guaranteed ordering or partition isolation.

369
MCQeasy

You are monitoring an Azure web application with Application Insights. You want to create a custom dashboard that shows the number of requests over time and the average server response time. Which Application Insights feature should you use to create this dashboard?

A.Metrics Explorer
B.Log Analytics
C.Application Map
D.Smart Detection
AnswerA

Correct. Metrics Explorer is designed for creating charts from metric data and pinning to dashboards.

Why this answer

Metrics Explorer in Application Insights is designed for visualizing pre-aggregated metrics like request count and server response time over time. It allows you to create custom charts and pin them to an Azure dashboard, making it the correct choice for this monitoring requirement.

Exam trap

The trap here is that candidates often confuse Log Analytics (which can also create charts from log queries) with Metrics Explorer, but Metrics Explorer is the correct tool for pre-aggregated, real-time metric visualization without writing KQL queries.

How to eliminate wrong answers

Option B is wrong because Log Analytics is used for querying raw log data with Kusto Query Language (KQL), not for directly creating real-time metric dashboards from pre-aggregated metrics. Option C is wrong because Application Map provides a visual topology of service dependencies and transaction flow, not time-series charts of request counts or response times. Option D is wrong because Smart Detection uses machine learning to automatically detect anomalies and performance issues, but it does not allow you to build custom metric dashboards.

370
MCQmedium

You are developing an application that writes logs to Azure Blob Storage. Each log entry is small (less than 1 KB) and you need to store millions of entries per day. You want to minimize storage costs and maximize write throughput. Which blob type should you use?

A.Block blobs with a high block size.
B.Append blobs.
C.Page blobs.
D.Block blobs with a low block size.
AnswerB

Correct. Append blobs are designed for frequent append operations and are ideal for logging.

Why this answer

Append blobs are optimized for append operations, making them ideal for logging scenarios where each log entry is appended to the blob. They provide high throughput for write-heavy, sequential append workloads and are cost-effective because they use the same block blob pricing but avoid the overhead of managing individual blocks for each small entry.

Exam trap

The trap here is that candidates often choose block blobs with a low block size (Option D) thinking it minimizes waste, but they overlook that append blobs are specifically designed for append-heavy workloads and eliminate the need for manual block management, offering better throughput and simplicity.

How to eliminate wrong answers

Option A is wrong because using a high block size (e.g., 100 MB) for small log entries (<1 KB) wastes storage and reduces write throughput due to the overhead of committing large blocks for tiny data. Option C is wrong because page blobs are designed for random read/write access (e.g., Azure VM disks) and are not optimized for append-only logging; they also incur higher costs due to premium storage pricing. Option D is wrong because while low block size reduces wasted space, block blobs still require each append to be staged as a separate block and then committed, adding latency and complexity compared to the native append operation of append blobs.

371
MCQmedium

An image resize worker runs in Azure App Service and must call a private API hosted inside a virtual network. Which feature allows outbound access from the app to the VNet?

A.Regional VNet integration
B.Azure CDN custom domain
C.Application Gateway path routing
D.Private Endpoint for the web app only
AnswerA

Regional VNet integration enables App Service outbound connectivity to resources in a virtual network.

Why this answer

Regional VNet integration enables an Azure App Service app to make outbound calls to resources in a virtual network (VNet) over the Microsoft backbone network. It uses a delegated subnet in the VNet to assign the app a network interface in the VNet, allowing it to reach private APIs without exposing them to the public internet.

Exam trap

The trap here is confusing inbound connectivity (Private Endpoint) with outbound connectivity (VNet integration), leading candidates to select Private Endpoint when the question asks for outbound access from the app to the VNet.

How to eliminate wrong answers

Option B is wrong because Azure CDN custom domain is a content delivery feature that caches and serves public endpoints, not a mechanism for outbound VNet access from an app. Option C is wrong because Application Gateway path routing is an inbound load-balancing and routing feature for HTTP traffic, not an outbound connectivity feature from App Service to a VNet. Option D is wrong because a Private Endpoint for the web app only provides inbound access from the VNet to the app, not outbound access from the app to resources in the VNet.

372
MCQmedium

You are developing a .NET Core application that needs to authenticate users via Microsoft Entra ID and call Microsoft Graph API. You register an app in the Microsoft Entra admin center and configure the necessary permissions. However, when the app tries to acquire a token, it receives an 'interaction_required' error. What is the most likely cause?

A.The client secret is expired or invalid.
B.The scope parameter is incorrectly formatted.
C.The application is requesting admin-restricted permissions without admin consent.
D.The redirect URI does not match the registered redirect URI.
AnswerC

Admin-restricted permissions require admin consent, otherwise user interaction is needed.

Why this answer

The 'interaction_required' error typically indicates that the token acquisition requires user interaction, often because the user has not granted consent or the permissions require admin consent. Option C is correct because if the app requests admin-restricted permissions (e.g., User.Read.All), the user must be an admin or consent must be pre-granted. Option D is incorrect; a redirect URI mismatch would cause a different error. Option A is incorrect; a client secret issue would cause an authentication failure, not interaction_required. Option B is incorrect; the scope format is correct.

373
MCQmedium

A report export service hosted on App Service returns intermittent 502 errors during deployment. The team wants zero-downtime release with validation before traffic moves. What should be implemented?

A.Deploy to a staging slot, validate health, then swap
B.Deploy directly to production during business hours
C.Restart the App Service plan before each deployment
D.Disable health checks
AnswerA

Slot swaps allow pre-production validation and reduce deployment interruption.

Why this answer

Deploying to a staging slot and then swapping with production ensures zero-downtime because the swap operation warms up the target slot (staging) before routing traffic to it. The health check validation before swap confirms the new release is stable, preventing 502 errors from reaching users. This approach leverages Azure App Service deployment slots, which support traffic routing and warm-up during swap.

Exam trap

The trap here is that candidates may think restarting the plan or disabling health checks is a valid fix, but these actions cause downtime or remove safety nets, whereas deployment slots with health checks provide the required zero-downtime release and validation.

How to eliminate wrong answers

Option B is wrong because deploying directly to production during business hours risks exposing users to a faulty release, causing 502 errors and downtime without any validation or rollback safety. Option C is wrong because restarting the App Service plan before each deployment does not prevent 502 errors; it causes all instances to restart simultaneously, leading to downtime and potential request failures. Option D is wrong because disabling health checks removes the mechanism that detects unhealthy instances, allowing faulty deployments to serve traffic and worsen 502 errors.

374
MCQhard

You are deploying a microservice to Azure Container Apps. The service requires a custom domain and SSL/TLS certificate. Which resource should you configure to meet these requirements?

A.Azure Front Door with a custom domain
B.Azure Container Apps environment with a custom domain and certificate attached
C.Azure API Management in front of the Container App
D.Azure Application Gateway with SSL termination
AnswerB

Correct: Container Apps supports custom domains and managed certificates.

Why this answer

Option B is correct because Container Apps supports custom domains and certificates via the environment. Option C is wrong because API Management is a separate service. Option A is wrong because Front Door is for global load balancing. Option D is wrong because App Gateway is for traditional web apps.

375
MCQeasy

You have an Azure Cosmos DB container with a high number of physical partitions. You observe that some partitions are hitting the request unit (RU) limit while others are underutilized. What should you do to better distribute the workload?

A.Add more composite indexes
B.Increase the total provisioned throughput
C.Choose a different partition key that evenly distributes workload
D.Change the default consistency level to eventual
AnswerC

A well-chosen partition key avoids hot partitions.

Why this answer

Option C is correct because a good partition key ensures even distribution of RU consumption. Option B (increasing throughput) doesn't fix skew. Option D (changing consistency) affects performance but not distribution. Option A (adding indexes) increases RU consumption.
