Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 376-450

997 questions total · 14 pages · All types, answers revealed

Page 6 of 14

376 · Multi-Select · hard

Your Azure Container Apps solution uses Dapr for microservices communication. Which THREE Dapr building blocks are essential for service-to-service invocation and state management?

Select 3 answers
A. Service Invocation
B. Bindings
C. Pub/Sub
D. Actors
E. State Management
Answers: A, C, E

Service Invocation is the building block for direct service-to-service calls.

Why this answer

Service Invocation (A) is correct because Dapr's service invocation building block enables direct, secure service-to-service communication using gRPC or HTTP, with built-in mTLS, retries, and observability. State Management (E) is correct because it provides a key-value store abstraction for managing state across microservices, supporting pluggable state stores like Redis, Cosmos DB, or SQL Server. Pub/Sub (C) is correct because it enables asynchronous event-driven communication between services, decoupling producers and consumers via message brokers like Kafka, RabbitMQ, or Azure Service Bus.

Exam trap

The trap here is that candidates often confuse Bindings with service invocation (both involve external communication) or assume Actors are required for state management, but Dapr separates these concerns into distinct building blocks with specific use cases.

377 · MCQ · hard

You have a web application that writes user-uploaded images to Azure Blob Storage. The application uses a shared access signature (SAS) token with read and write permissions. Users report that sometimes they receive 'AuthorizationFailure' errors when uploading images, but the issue is intermittent. What is the most likely cause?

A. The blob container has a soft-delete policy that is preventing uploads
B. The storage account firewall is blocking requests from the web application's IP
C. The SAS token has expired and the application is not regenerating it before it expires
D. The SAS token was generated with an incorrect IP range restriction
Answer: C

Intermittent failures are a classic symptom of an expiring SAS token. The application should refresh the token or use a stored access policy with longer validity.

Why this answer

Option C is correct because SAS tokens have a defined expiration time. If the application does not regenerate the token before it expires, uploads will intermittently fail with 'AuthorizationFailure' errors. The intermittent nature is explained by the token being valid for some requests and expired for others, depending on when the token was last refreshed.

Exam trap

The trap here is that candidates may confuse intermittent failures with network or firewall issues, but the key clue is 'intermittent' — which points to a time-based expiry rather than a static configuration problem like IP restrictions or soft-delete policies.

How to eliminate wrong answers

Option A is wrong because soft-delete policies do not prevent uploads; they only mark blobs as deleted after a delete operation, and uploads are unaffected. Option B is wrong because a storage account firewall blocking the web application's IP would cause persistent, not intermittent, failures for all requests from that IP. Option D is wrong because an incorrect IP range restriction would cause consistent authorization failures for all requests from outside the allowed range, not intermittent ones.

378 · MCQ · hard

A company uses Azure API Management (APIM) to expose APIs to external partners. They want to validate JSON Web Tokens (JWTs) from partners' Microsoft Entra ID tenants before requests reach the backend. The solution must support multiple partner tenants and minimize latency. What should you implement?

A. Use Azure AD B2C as a token broker between partners and the API.
B. Configure OAuth 2.0 authorization server in APIM for each partner tenant.
C. Use client certificate authentication in APIM to map certificates to partner tenants.
D. Use APIM inbound policy with validate-jwt and specify openid-config URL for each partner tenant.
Answer: D

This validates JWTs from multiple issuers efficiently.

Why this answer

Option D is correct because an APIM inbound policy with validate-jwt can use the openid-config URL of each partner tenant to fetch that tenant's signing keys dynamically, so tokens from multiple issuers are validated at the gateway before they reach the backend. Option C is wrong because client certificates provide certificate-based authentication, not JWT validation. Option B is wrong because the OAuth 2.0 authorization server configuration in APIM is for authorization server integration and does not by itself validate JWTs from multiple tenants easily.

Option A is wrong because Azure AD B2C is for customer identities, not partner tenants.

379 · MCQ · medium

Your company develops a microservices-based application deployed on Azure Kubernetes Service (AKS). One of the microservices is a web API that processes user uploads and stores them in Azure Blob Storage. The API is stateless and scales horizontally. You need to implement authentication and authorization for the API using Microsoft Entra ID. The API should validate tokens issued by Entra ID and allow only users with the 'Files.Upload' scope. You need to configure the API's code and AKS deployment accordingly. Which approach should you use?

A. Use Azure AD pod identity in AKS to assign a managed identity to the pod, and implement token validation in the API code using the Microsoft.Identity.Web library.
B. Store the storage account access keys in the API configuration and validate requests using shared access signatures.
C. Configure the API to use client certificate authentication instead of tokens.
D. Expose the API through Azure API Management (APIM) and configure APIM to validate tokens and check scope.
Answer: A

Pod identity provides managed identity; API validates tokens and checks scope.

Why this answer

Option A is correct because Azure AD pod identity allows you to assign a managed identity to the pod, which the API can use to authenticate with Microsoft Entra ID. The Microsoft.Identity.Web library simplifies token validation and scope checking in ASP.NET Core applications, enabling the API to validate tokens issued by Entra ID and enforce the 'Files.Upload' scope. This approach aligns with the stateless, horizontally scalable nature of the microservice and avoids managing secrets.

Exam trap

The trap here is that candidates may think Azure API Management (APIM) is required for token validation in AKS, but the question explicitly asks for configuring the API's code and AKS deployment, making the pod identity and library approach the correct in-code solution without an extra gateway.

How to eliminate wrong answers

Option B is wrong because storage account access keys are shared secrets that do not provide user-level authentication or authorization; they grant full access to the storage account, not per-user scope validation. Option C is wrong because client certificate authentication does not involve tokens issued by Microsoft Entra ID and cannot validate the 'Files.Upload' scope; it is a different authentication mechanism. Option D is wrong because while APIM can validate tokens and check scopes, the question specifies configuring the API's code and AKS deployment, not introducing an additional APIM layer; APIM would add latency and complexity not required by the scenario.

380 · MCQ · easy

You need to authenticate an Azure Function to an Azure SQL Database using a managed identity. The function has a system-assigned managed identity enabled. Which connection string setting should you use in the function's application settings?

A. Server=tcp:myserver.database.windows.net;Database=mydb;Authentication=Active Directory Password;
B. Server=tcp:myserver.database.windows.net;Database=mydb;Authentication=Active Directory Managed Identity;
C. Server=tcp:myserver.database.windows.net;Database=mydb;User Id=myuser;Password=mypassword;
D. Server=tcp:myserver.database.windows.net;Database=mydb;Authentication=Active Directory Managed Identity;User Id=<client-id>;
Answer: B

This connection string uses managed identity authentication.

Why this answer

When using a system-assigned managed identity, you do not include a User Id or Password. Instead, you set 'Authentication=Active Directory Managed Identity' in the connection string. Option A uses Active Directory Password authentication, C uses SQL authentication with a stored username and password, and D adds a User Id, which is how the client ID of a user-assigned managed identity is specified and is not needed for a system-assigned identity.

381 · MCQ · medium

A table stores session records in Azure Table Storage. Queries frequently retrieve all records for one customer in a time range. What key design is best?

A. RowKey as a constant value
B. PartitionKey as a random GUID for every record
C. PartitionKey as customer ID and RowKey based on sortable timestamp
D. PartitionKey as the full JSON payload
Answer: C

This supports efficient partition filtering and range scans by time.

Why this answer

Option C is correct because Azure Table Storage queries are most efficient when they target a single partition key. Using the customer ID as the PartitionKey ensures all records for a customer are in the same partition, and using a sortable timestamp (e.g., inverted ticks) as the RowKey allows efficient range queries within that partition, leveraging the table's natural index order.

Exam trap

The trap here is that candidates may think randomizing the PartitionKey improves load balancing, but for query-heavy workloads targeting a single entity group, a fixed PartitionKey is essential for performance, and Azure Table Storage handles hot partitions through other mechanisms like entity-level throttling.

How to eliminate wrong answers

Option A is wrong because using a constant RowKey value would cause all records to share the same RowKey, violating the uniqueness requirement and preventing efficient range queries. Option B is wrong because using a random GUID as the PartitionKey scatters each record across different partitions, forcing full table scans for customer-specific queries and eliminating the benefit of partition-level querying. Option D is wrong because storing the full JSON payload as the PartitionKey is not a valid key design; PartitionKey must be a string that identifies the partition, and a large payload would be inefficient and break the key's purpose of grouping related entities.

382 · MCQ · easy

You need to deploy an Azure App Service web app that uses a custom domain (www.contoso.com) and SSL/TLS certificate. The certificate is stored in Azure Key Vault. What should you use to bind the certificate to the App Service?

A. Configure Azure Front Door to terminate SSL and forward traffic to App Service.
B. Use an App Service Managed Certificate for the custom domain.
C. Import the certificate from Key Vault into App Service using the 'Key Vault Certificate' option.
D. Export the certificate from Key Vault as a PFX file and upload it to App Service.
Answer: C

This integrates directly with Key Vault and allows SSL binding.

Why this answer

Option C is correct because Azure App Service supports direct integration with Azure Key Vault to import a certificate using the 'Key Vault Certificate' option. This allows you to bind an SSL/TLS certificate stored in Key Vault to your custom domain without manually exporting or managing the PFX file, ensuring secure and seamless certificate lifecycle management.

Exam trap

The trap here is that candidates may confuse the manual PFX export and upload method (Option D) as the only way to use a Key Vault certificate, missing the native 'Key Vault Certificate' integration that is more secure and automated.

How to eliminate wrong answers

Option A is wrong because Azure Front Door terminates SSL at the edge and forwards traffic to App Service over HTTP or HTTPS, but it does not bind the certificate directly to the App Service custom domain; the certificate must still be bound to the App Service for end-to-end SSL. Option B is wrong because an App Service Managed Certificate is a free, built-in certificate for custom domains, but it cannot be imported from Key Vault; it is automatically provisioned and managed by App Service, not sourced from an external Key Vault. Option D is wrong because while you can export a certificate from Key Vault as a PFX file and upload it to App Service, this is a manual, less secure approach that bypasses the native Key Vault integration; the recommended and more secure method is to use the 'Key Vault Certificate' option to directly reference the certificate without exporting.

383 · MCQ · hard

You have an Azure Function that processes messages from an Event Hubs event stream. The function is failing with 'Message lock lost' errors. The processing time per event is about 10 minutes. What should you do to resolve the errors?

A. Increase the function's timeout duration
B. Configure the EventProcessorOptions with a longer lease duration
C. Increase the number of partitions in the Event Hub
D. Decrease the batch size to process events faster
Answer: B

Increasing the lease duration prevents the lock from expiring during long processing.

Why this answer

Event Hubs itself has no per-message lock; the lock that is lost is the partition lease tracked in the checkpoint store. The function consumes events through a consumer group whose lease duration is shorter than the 10-minute processing time, so the lease expires while an event is still being processed. Increasing 'maxReceiveWaitTime' or the prefetch count might help, but the best solution is to configure a longer lease duration through 'eventProcessorOptions'.

Option C is wrong because partition count does not affect lock loss. Option D is wrong because batch size is not the issue. Option A is wrong because increasing the function timeout does not affect the Event Hubs lease.

384 · Multi-Select · easy

Your company wants to implement a zero-trust security model for its Azure resources. Which THREE practices should you adopt? (Choose three.)

Select 3 answers
A. Implement just-in-time (JIT) access for administrative roles
B. Require multi-factor authentication (MFA) for all users
C. Place all resources behind a firewall
D. Enable micro-segmentation between application tiers
E. Use a VPN to connect to the corporate network
Answers: A, B, D

JIT reduces standing privileges, aligning with zero-trust.

Why this answer

Option A is correct because just-in-time (JIT) access for administrative roles reduces the attack surface by granting elevated permissions only when needed and for a limited time. In Azure, JIT is implemented via Azure AD Privileged Identity Management (PIM), which enforces activation requests, approval workflows, and automatic deactivation. This aligns with the zero-trust principle of 'never trust, always verify' by minimizing standing privileges.

Exam trap

The trap here is that candidates often confuse traditional network security controls (like firewalls and VPNs) with zero-trust principles, mistakenly thinking perimeter defenses are sufficient, while zero-trust requires identity-based, least-privilege access and micro-segmentation regardless of network location.

385 · MCQ · medium

Your company has an Azure Logic App that processes orders by calling a third-party REST API using an HTTP trigger. Recently, the API provider changed their authentication to require OAuth 2.0 with client credentials. The Logic App currently uses a basic authentication header. What should you do to update the Logic App?

A. Use Azure API Management to proxy the API and add OAuth support
B. Add the client ID and client secret as query parameters
C. Configure the Logic App to use a managed identity and update the HTTP action authentication to 'Active Directory OAuth'
D. Replace the HTTP trigger with a Service Bus queue
Answer: C

Managed identity allows secure OAuth 2.0 authentication without managing secrets.

Why this answer

Azure Logic Apps can use managed identities to authenticate to services that support Microsoft Entra ID. For third-party APIs secured this way, you set the HTTP action's authentication type to 'Active Directory OAuth' and select the managed identity. Option B is wrong because passing the client ID and client secret as query parameters is API-key style authentication, not OAuth 2.0.

Option A is wrong because API Management could be used but adds unnecessary complexity. Option D is wrong because replacing the trigger with a Service Bus queue is not relevant to the authentication change.

386 · MCQ · hard

You are developing a solution that processes large files uploaded to Azure Blob Storage. Each file must be processed by a long-running operation that may take up to 30 minutes. You need to use Azure Functions with a consumption plan. How should you handle the processing?

A. Use a Blob trigger function with a retry policy
B. Increase the function timeout to 30 minutes
C. Use an Event Grid trigger function to process the blob
D. Use Durable Functions with a blob-triggered client function
Answer: D

Durable Functions can persist state and run longer.

Why this answer

Option D is correct because Azure Functions on a Consumption Plan have a default timeout of 5 minutes and a maximum of 10 minutes. A blob-triggered client function can start a Durable Functions orchestration, which can run for up to 30 minutes (or longer) by using the orchestration's timeout and retry capabilities, avoiding the Consumption Plan's timeout limit.

Exam trap

The trap here is that candidates assume increasing the function timeout or using a retry policy can solve long-running operations, but they overlook the hard 10-minute limit on Consumption Plan and the need for a stateful orchestration pattern like Durable Functions.

How to eliminate wrong answers

Option A is wrong because a retry policy does not extend the function's execution timeout; it only retries the function on failure, but the function still cannot run longer than the Consumption Plan's maximum timeout (10 minutes). Option B is wrong because the maximum timeout for Azure Functions on a Consumption Plan is 10 minutes (configurable up to 10 minutes), not 30 minutes; increasing the timeout beyond 10 minutes is not supported on Consumption Plan. Option C is wrong because an Event Grid trigger function still runs under the same Consumption Plan timeout constraints (max 10 minutes) and does not inherently support long-running operations beyond that limit.

387 · MCQ · medium

You are developing a web application that will be deployed to Azure App Service. The application allows users to upload files, which are stored in Azure Blob Storage. You need to ensure that only authenticated users can upload files and that each user can only see their own files. You plan to use shared access signatures (SAS) for secure access. The application uses Microsoft Entra ID for authentication. You want to generate SAS tokens on the server after the user authenticates. Which approach should you use?

A. After user authentication, have the client generate a SAS token using the storage account key retrieved from a secure endpoint.
B. After user authentication, use the server-side code to generate a user delegation SAS for a specific blob container path that includes the user's identifier. Store the SAS in the user's session and return it to the client. The client then uses the SAS to upload the file directly to Blob Storage.
C. After user authentication, use the server-side code to generate a service SAS for the entire blob container. Return the SAS to the client. The client uploads the file, and the server later moves the file to a user-specific folder.
D. After user authentication, use the server to upload the file to Blob Storage using the storage account key. Then return the URL of the uploaded blob to the client.
Answer: B

User delegation SAS is scoped to the user and can be generated without exposing the account key.

Why this answer

Option B is correct because generating a user delegation SAS for a container path that includes the user's identifier scopes the SAS token to that user without exposing the account key. Storing the SAS in the user's session and returning it to the client for direct upload is secure and efficient. Option C is wrong because a service SAS for the entire container is not tied to the user's identity and would allow cross-user access.

Option D is wrong because using the storage account key directly from the server is a security risk and does not tie access to the user. Option A is wrong because client-side generation of SAS tokens requires the storage account key to be exposed to the client.

388 · MCQ · hard

You are designing an ASP.NET Core web API that authenticates users via Microsoft Entra ID. The application needs to authorize access to resources based on custom roles (e.g., 'Admin', 'Editor') that are not defined in Microsoft Entra ID app roles or groups. The role mappings are dynamic and stored in an application database. How should you implement authorization in the API?

A. Define the roles as Microsoft Entra ID app roles and assign them to users. This is the standard way to handle roles.
B. Use the OnTokenValidated event in OpenID Connect middleware to query the database and add custom role claims to the identity.
C. Store the roles in the Microsoft Entra ID token by customizing the token issuance in Microsoft Entra ID.
D. Use the [Authorize] attribute with a custom authorization filter that checks the database on every request without modifying the claims.
Answer: B

Correct. By subscribing to the OnTokenValidated event, you can retrieve roles from the database and add them as claims to the principal. Then you can use standard authorization policies based on those claims.

Why this answer

Option B is correct because it uses the OnTokenValidated event in OpenID Connect middleware to enrich the user's identity with custom role claims from the application database after token validation. This approach allows dynamic role mappings stored externally to be injected into the ClaimsPrincipal, which can then be evaluated by the standard [Authorize] attribute with role policies. It avoids modifying Entra ID configuration and keeps role management flexible within the application.

Exam trap

The trap here is that candidates often assume Entra ID app roles or groups are the only way to implement role-based authorization, overlooking the flexibility of the OnTokenValidated event to inject custom claims from external sources.

How to eliminate wrong answers

Option A is wrong because defining roles as Entra ID app roles requires static assignment in the directory, which contradicts the requirement for dynamic role mappings stored in an application database. Option C is wrong because customizing token issuance in Entra ID is not feasible for dynamic, database-driven roles; Entra ID tokens are issued based on directory configuration, not external databases. Option D is wrong because using a custom authorization filter that checks the database on every request without modifying claims is inefficient and bypasses the standard claims-based authorization pipeline, leading to poor performance and complexity.

389 · MCQ · medium

You are developing a microservices application on Azure Kubernetes Service (AKS). One of the services needs to securely access Azure SQL Database without storing connection strings in the application code. You need to use managed identities. What should you do?

A. Store the connection string in Azure Key Vault and use the Key Vault FlexVolume driver.
B. Use the AKS cluster's managed identity to access Azure SQL.
C. Create a service principal and use its credentials in the pod.
D. Enable Azure AD Pod Identity and assign a managed identity to the pod.
Answer: D

Pod Identity allows the pod to authenticate to Azure SQL using managed identity.

Why this answer

Option D is correct because Azure AD Pod Identity allows you to assign an Azure Active Directory (Azure AD) managed identity directly to a pod in AKS. The pod can then use that identity to authenticate to Azure SQL Database without storing any connection strings or secrets in the code. This is the recommended approach for pod-level managed identity access to Azure resources.

Exam trap

The trap here is that candidates often confuse the AKS cluster's managed identity (which is for cluster-level operations like load balancers) with pod-level managed identities, leading them to incorrectly select Option B.

How to eliminate wrong answers

Option A is wrong because storing the connection string in Key Vault and using the FlexVolume driver still requires the pod to retrieve a secret, which does not eliminate the need for a connection string; it only moves it to a vault. Option B is wrong because the AKS cluster's managed identity is a system-assigned identity for the cluster itself, not for individual pods, and it cannot be used directly by a pod to access Azure SQL. Option C is wrong because creating a service principal and using its credentials in the pod would require storing the service principal's secret (password or certificate) in the pod, which defeats the purpose of avoiding stored credentials.

390 · MCQ · medium

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to read the user's profile and send emails on their behalf. You want to minimize user consent prompts. Which OAuth 2.0 grant type should you use?

A. Authorization code flow with PKCE
B. Client credentials flow
C. Resource owner password credentials
D. Implicit flow
Answer: A

Correct. This flow is secure, supports delegated permissions, and with PKCE it reduces consent prompts through silent token refresh.

Why this answer

The authorization code flow with PKCE (Proof Key for Code Exchange) is the recommended OAuth 2.0 grant type for public clients (like a web app) that need delegated user authentication and consent. It allows the app to obtain an access token to read the user's profile and a refresh token to send emails on their behalf, while minimizing consent prompts by using a single consent request for both permissions. PKCE adds a cryptographic challenge to prevent authorization code interception attacks, making it secure for web apps without a client secret.

Exam trap

The trap here is that candidates often choose the client credentials flow (B) thinking it minimizes prompts because it doesn't involve user interaction, but they overlook that the app needs to act on behalf of a specific user, which requires delegated permissions and user consent, not application permissions.

How to eliminate wrong answers

Option B is wrong because the client credentials flow is designed for server-to-server (daemon) scenarios where no user is present; it cannot act on behalf of a specific user to read their profile or send emails as them. Option C is wrong because the resource owner password credentials flow requires the user to provide their username and password directly to the app, which is insecure and not recommended for modern apps; it also does not minimize consent prompts as it bypasses the consent UI entirely. Option D is wrong because the implicit flow is deprecated in OAuth 2.0 Security Best Current Practice (BCP) due to security risks like access token leakage in the browser; it also cannot issue refresh tokens, so the app would need repeated consent prompts for long-lived access.

391 · MCQ · medium

You are deploying a container group to Azure Container Instances that runs a stateful application. The application writes data to the /data directory. You need to ensure that the data is preserved if the container restarts. Which volume mount type should you use?

A. EmptyDir
B. Azure Files share
C. Secret
D. ConfigMap
Answer: B

An Azure Files share is a durable, managed file share that persists data independently of the container lifecycle.

Why this answer

Azure Files shares provide persistent, shared storage that can be mounted into Azure Container Instances (ACI) using the SMB 3.0 protocol. This ensures that data written to the /data directory survives container restarts because the share exists independently of the container lifecycle. EmptyDir volumes are ephemeral and tied to the pod's lifetime, making them unsuitable for stateful applications that require data persistence across restarts.

Exam trap

The trap here is that candidates often confuse EmptyDir with persistent storage, assuming it survives restarts because it is used in Kubernetes pods, but in ACI, EmptyDir is ephemeral and tied to the container group's lifecycle, not the container's restart policy.

How to eliminate wrong answers

Option A is wrong because EmptyDir volumes are created empty when a container starts and are deleted when the container is removed or restarted, so they do not preserve data across restarts. Option C is wrong because Secret volumes are used to inject sensitive data (e.g., passwords, certificates) as read-only files, not for persistent application data storage. Option D is wrong because ConfigMap volumes are designed to inject non-sensitive configuration data (e.g., key-value pairs) as read-only files, and they do not support write operations or persistence across restarts.

392 · MCQ · medium

A web app for a webhook processor needs separate staging and production environments. The team must warm up the new version before swapping traffic. Which App Service feature should be used?

A. Deployment slots
B. Backup and restore
C. App Service access restrictions
D. Always On only
Answer: A

Deployment slots provide separate environments and support warm-up before swap.

Why this answer

Deployment slots are the correct feature because they enable separate staging and production environments within the same App Service plan, allowing you to warm up the new version in a staging slot before performing a zero-downtime swap with the production slot. This directly supports the requirement for traffic swapping after warm-up, which is a core capability of slot-swapping in Azure App Service.

Exam trap

The trap here is that candidates may confuse Always On with a warm-up mechanism, but Always On only prevents idle unload and does not provide environment separation or traffic swapping capabilities.

How to eliminate wrong answers

Option B is wrong because Backup and restore is a disaster recovery feature that creates snapshots of app content and configuration, not a mechanism for staging or traffic swapping. Option C is wrong because App Service access restrictions control inbound network access via IP rules or service endpoints, not environment separation or traffic routing. Option D is wrong because Always On only prevents the app from being unloaded after idle time, ensuring it stays warm but does not provide separate environments or the ability to swap traffic between versions.

393 · MCQ · hard

Refer to the exhibit. An Azure Function is configured with an Event Hub trigger to process telemetry data. The function uses the EventProcessorHost to read events. The developer notices that the function is not processing all events; some events are skipped. What is the most likely cause?

A. The event hub name is misspelled
B. The cardinality is set to 'many' causing batch processing issues
C. The consumer group is set to $Default
D. The connection string is stored as a securestring parameter
Answer: B

Batch processing may cause timeouts or checkpoint issues leading to skipped events.

Why this answer

Option B is correct because cardinality set to 'many' means the function receives a batch of events per invocation. If the batch is too large, processing may time out before the checkpoint is written, and some events are skipped. Option D is incorrect because storing the connection string as a securestring parameter is the secure approach and does not affect processing.

Option C is incorrect because $Default is a valid consumer group. Option A is incorrect because the event hub name is correct.

394 · MCQ · hard

A Kubernetes-based IoT command API on AKS must pull images from Azure Container Registry without storing registry passwords in Kubernetes secrets. What should be used?

A. Use an App Service deployment slot
B. Store the ACR admin password in every deployment manifest
C. Attach the ACR to AKS or grant the kubelet managed identity AcrPull
D. Make the container registry public
Answer: C

AKS can authenticate to ACR through managed identity permissions such as AcrPull.

Why this answer

Option C is correct because attaching an ACR to an AKS cluster or granting the kubelet managed identity the AcrPull role enables Azure AD-based authentication without storing credentials in Kubernetes secrets. The kubelet on each node uses its managed identity to obtain an ACR access token via Azure AD, allowing secure image pulls. This approach eliminates the need for manual password management and follows security best practices for Azure-integrated workloads.

Exam trap

The trap here is that candidates may confuse AKS authentication with App Service features or assume that making the registry public is acceptable for development, when in fact Azure AD managed identity with AcrPull is the secure, recommended approach for production workloads.

How to eliminate wrong answers

Option A is wrong because App Service deployment slots are a feature for staging and swapping web app versions, not for authenticating Kubernetes to a container registry. Option B is wrong because storing the ACR admin password in every deployment manifest violates security best practices by exposing static credentials in plaintext, and the admin account is intended for emergency use only, not routine automation. Option D is wrong because making the container registry public exposes all images to the internet, creating a severe security risk and violating the principle of least privilege.

395
MCQhard

You are developing a .NET Core application that uses Azure Service Bus queues. You need to implement a dead-lettering mechanism for messages that cannot be processed after 5 delivery attempts. Which property should you set on the queue to automate this?

A.defaultMessageTimeToLive
B.maxDeliveryCount
C.lockDuration
D.requiresDuplicateDetection
AnswerB

maxDeliveryCount sets the maximum number of delivery attempts before dead-lettering.

Why this answer

The 'maxDeliveryCount' property on a Service Bus queue defines the maximum number of times a message can be delivered before it is automatically dead-lettered. Setting it to 5 meets the requirement. Option A is wrong because 'defaultMessageTimeToLive' controls time-based expiration, not delivery count.

Option C is wrong because 'lockDuration' is for peek-lock, not retry count. Option D is wrong because 'requiresDuplicateDetection' is for deduplication, not dead-lettering.

396
MCQeasy

You need to deploy a microservice that runs a long-running background job (up to 30 minutes). The job should not be affected by App Service recycling. Which Azure technology should you use?

A.Azure Automation Runbook
B.Azure WebJobs with Always On enabled
C.Azure Functions (Consumption plan)
D.Azure Kubernetes Service (AKS)
AnswerB

WebJobs run in App Service background and with Always On, they persist.

Why this answer

Option B is correct because Azure WebJobs with Always On enabled ensures the WebJob runs continuously on a dedicated App Service instance, preventing it from being unloaded during idle periods or App Service recycling. This allows the long-running background job (up to 30 minutes) to complete without interruption, as the WebJob runs in the same process as the web app and is not subject to the 5-minute timeout of the Consumption plan.

Exam trap

The trap here is that candidates often choose Azure Functions (Consumption plan) because of its simplicity, forgetting that the Consumption plan has a hard 5-minute execution timeout, making it unsuitable for long-running jobs, while WebJobs with Always On is the correct choice for persistent background processing within App Service.

How to eliminate wrong answers

Option A is wrong because Azure Automation Runbooks are designed for short-lived, automated tasks (up to 3 hours) but are not optimized for continuous background jobs within an App Service context; they run in a sandbox that can be recycled and lack the tight integration with App Service recycling behavior. Option C is wrong because Azure Functions on the Consumption plan have a maximum execution timeout of 5 minutes (10 minutes for the Premium plan), which is insufficient for a job that runs up to 30 minutes; the function host can also be recycled during idle periods. Option D is wrong because Azure Kubernetes Service (AKS) is a container orchestration platform that adds unnecessary complexity and cost for a single long-running background job; while it can handle long-running tasks, it is overkill compared to the simpler WebJobs solution, and the question specifically asks for a technology that is not affected by App Service recycling, which AKS does not directly address.

397
MCQeasy

Your web app hosted on Azure App Service is experiencing high memory usage. You need to capture a memory dump for analysis without restarting the app. Which diagnostic feature should you use?

A.Application Insights Profiler
B.Snapshot Debugger
C.Diagnostic settings
D.Azure App Service Diagnostics (Diagnose and solve problems)
AnswerD

The 'Diagnose and solve problems' blade allows you to collect memory dumps and analyze memory issues without restarting the app.

Why this answer

Azure App Service Diagnostics (Diagnose and solve problems) provides a built-in 'Memory Dump' tool that allows you to capture a full or mini memory dump of your app's process without requiring a restart. This is accessed through the Azure portal under the 'Diagnose and solve problems' blade, specifically via the 'Collect Memory Dump' diagnostic tool, which uses the Windows Debugging Tools to snapshot the w3wp.exe process while the app continues running.

Exam trap

The trap here is that candidates often confuse the 'Diagnose and solve problems' blade with 'Diagnostic settings' or assume that only Application Insights tools (Profiler or Snapshot Debugger) can capture runtime diagnostic data, but the memory dump feature is a distinct, restart-free tool available directly under the App Service's diagnostic portal.

How to eliminate wrong answers

Option A is wrong because Application Insights Profiler is designed to trace and analyze performance bottlenecks by capturing CPU and request execution timelines, not to capture memory dumps for analyzing memory leaks or high memory usage. Option B is wrong because Snapshot Debugger captures snapshots of application state when exceptions occur, focusing on debugging code logic errors, not on collecting full memory dumps for memory analysis. Option C is wrong because Diagnostic settings are used to stream platform logs and metrics to destinations like Storage Accounts, Event Hubs, or Log Analytics, but they do not provide a mechanism to capture on-demand memory dumps of the running process.

398
MCQmedium

You are running an Azure App Service web app on the Basic tier. Users report slow initial responses due to cold starts. You need to keep the app warm without upgrading the hosting plan. Which feature should you enable?

A.Enable 'Always On' in the App Service configuration.
B.Upgrade to a Premium plan to get pre-warmed instances.
C.Implement an auto-scaling rule to maintain a minimum instance count.
D.Reduce the web app's idle timeout via application code.
AnswerA

Always On ensures the app is continuously running, eliminating cold starts. It is available on Basic tier.

Why this answer

The 'Always On' feature prevents the App Service from being unloaded after periods of inactivity, eliminating cold starts by keeping the application loaded in memory. This is available on the Basic tier and above, so it solves the problem without requiring a plan upgrade.

Exam trap

The trap here is that candidates often confuse auto-scaling (which handles load distribution) with keeping a single instance warm, or incorrectly assume that 'Always On' requires a Premium plan when it is actually available from the Basic tier upward.

How to eliminate wrong answers

Option B is wrong because upgrading to a Premium plan is unnecessary and violates the constraint of not upgrading the hosting plan; 'Always On' is already available on the Basic tier. Option C is wrong because auto-scaling rules maintain a minimum instance count but do not prevent individual instances from being unloaded due to idle timeouts; cold starts still occur on each instance after idle. Option D is wrong because reducing idle timeout via application code does not affect the App Service platform's idle unloading behavior, which is controlled by the 'Always On' setting.

399
MCQhard

You are a security engineer for a large enterprise that uses Microsoft Entra ID. The company deploys a custom web application in Azure that authenticates users via the OAuth 2.0 authorization code flow with PKCE. The application is registered in Microsoft Entra ID. Recently, security auditors discovered that a compromised client secret was used to obtain tokens without user consent. You must update the application registration to prevent this type of attack. The application should still work with the authorization code flow and PKCE. You need to ensure that only interactive user authentication can obtain tokens, and that client secrets cannot be used to request tokens directly. Which option meets these requirements?

A.Remove the client secret from the app registration and configure the application to use a client certificate for authentication. Set the application type to 'Public client/native' and disable 'Allow public client flows' (if needed).
B.Keep the client secret but enable 'Allow public client flows' and set the redirect URI to use a custom scheme.
C.Change the authentication flow to client credentials grant and assign a managed identity to the application.
D.Increase the client secret expiration to 2 years and rotate the secret monthly.
AnswerA

Removing the secret eliminates the compromised secret. Using a certificate ensures secure authentication, and setting as public client (with PKCE) prevents use of client secrets.

Why this answer

Option A is correct. By removing the client secret, configuring a client certificate and, if needed, disabling the 'Allow public client flows' setting, the application remains a confidential client that still uses the authorization code flow, but the client secret is no longer used because PKCE together with a client assertion (certificate) replaces it. The key point is to prevent client secret misuse: in Microsoft Entra ID, you can either mark the application as a public client (which disables client secrets) or use client certificates instead.

Option A describes removing the secret and using a certificate, which ensures that only interactive flows (which require user authentication) are possible. Option B is incorrect because enabling 'Allow public client flows' would allow non-interactive flows. Option C is incorrect because using client credentials grant is for non-interactive scenarios.

Option D is incorrect because adjusting the secret's expiration and rotation schedule does not prevent a compromised client secret from being misused.

400
MCQhard

You are designing a solution to send email notifications from an Azure App Service web app. The app must use a third-party email service that requires an API key. You need to minimize management overhead and ensure the key is rotated automatically. What should you do?

A.Use a system-assigned managed identity to authenticate to the email service
B.Store the API key in the App Service application settings
C.Create an Azure Logic App to send emails and call it from the web app
D.Store the API key in Azure Key Vault and use a managed identity to retrieve it
AnswerD

Key Vault provides secure storage and automatic rotation; managed identity provides secure access.

Why this answer

Azure Key Vault can store the API key, and the app can use a managed identity to retrieve it. Key Vault supports automatic rotation of secrets. Option B is wrong because storing the key in app settings is not secure and does not rotate automatically.

Option A is wrong because managed identities do not store secrets directly. Option C is wrong because the Logic App adds unnecessary overhead.

401
MCQeasy

You are migrating an on-premises application to Azure. The application uses a network file share (NFS) to store files. You need to minimize code changes. Which Azure storage service should you use?

A.Azure Files
B.Azure Disk Storage
C.Azure Blob Storage
D.Azure Queue Storage
AnswerA

Fully managed file share with NFS support.

Why this answer

Azure Files provides fully managed file shares in the cloud that support the Server Message Block (SMB) protocol and the Network File System (NFS) protocol. Since your on-premises application already uses an NFS share, migrating to Azure Files with NFS support allows you to mount the share directly with minimal code changes, as the application can continue to use the same file system semantics and NFS client calls.

Exam trap

The trap here is that candidates often confuse Azure Files with Azure Blob Storage, assuming both are 'file storage' in the cloud, but Blob Storage is object storage with a flat namespace and REST-based access, not a network file share that supports NFS or SMB protocols without significant code changes.

How to eliminate wrong answers

Option B (Azure Disk Storage) is wrong because it provides block-level storage volumes attached to a single virtual machine, not a network-accessible file share; migrating to disks would require refactoring the application to use a different storage interface and managing the file system yourself. Option C (Azure Blob Storage) is wrong because it is an object storage service accessed via REST APIs or SDKs, not a POSIX-compliant file system; using it would require rewriting the application to use blob APIs instead of NFS file operations. Option D (Azure Queue Storage) is wrong because it is a messaging service for asynchronous communication between application components, not a file storage solution; it cannot store or serve files over NFS.

402
MCQmedium

Wide World Importers has an Azure API Management (APIM) instance that exposes several APIs. One API is a custom REST API hosted on an Azure App Service. The API requires authentication via a subscription key. APIM is configured to require subscription keys for all APIs. The team wants to offload authentication to APIM so that backend services do not need to validate keys. However, the backend API also needs to know the identity of the calling application for logging. The team decides to use APIM's OAuth 2.0 authorization with Microsoft Entra ID. The backend API should receive the JWT token from APIM. How should the team configure APIM to pass the token to the backend?

A.In the inbound processing policy, add a 'validate-jwt' policy to validate the token. Then add a 'set-header' policy to copy the token from the Authorization header (or from the context) and forward it to the backend.
B.Use the 'ip-filter' policy to restrict access to known IPs. The backend trusts requests from APIM's IP.
C.Remove the subscription key requirement for that API. APIM will not pass any authentication information to the backend.
D.Configure APIM to use client certificate authentication for the backend. The certificate is presented to the backend, which extracts the identity from the certificate.
AnswerA

Correct: APIM validates and forwards JWT.

Why this answer

Use the 'validate-jwt' policy to validate the token, and then use the 'set-header' policy to forward the token in the Authorization header. Option A is correct. Option D is incorrect because it uses a client certificate, not the token.

Option C is incorrect because it removes the subscription key requirement but does not pass the token to the backend. Option B is incorrect because it uses IP filtering, not the token.

403
Matchingmedium

Match each Azure monitoring tool to its purpose.


Concepts
Matches

Collect, analyze, and act on telemetry data

Application performance monitoring (APM)

Query and analyze log data

Personalized recommendations for best practices

Why these pairings

These tools help monitor and optimize Azure resources and applications.

404
MCQhard

You are implementing a Durable Functions orchestration that calls an activity function which may fail transiently. You want to retry the activity up to 3 times with a 5-second delay and exponential backoff. Which code snippet should you use?

A.await context.CallActivityAsync("Activity", input);
B.await context.CallActivityWithRetryAsync("Activity", new RetryOptions(TimeSpan.FromSeconds(5), 3), input);
C.await context.CallActivityAsync("Activity", input, new RetryOptions(TimeSpan.FromSeconds(5), 3));
D.Use a durable timer and a loop to retry manually.
AnswerB

This uses the built-in retry support in Durable Functions with the specified first retry interval and maximum number of attempts.

Why this answer

Option B is correct because the Durable Functions SDK provides the `CallActivityWithRetryAsync` method, which accepts a `RetryOptions` object to configure retry count and delay. The `RetryOptions` constructor takes `TimeSpan.FromSeconds(5)` as the first retry interval and `3` as the maximum number of attempts, including the initial call. This built-in method handles exponential backoff automatically, eliminating the need for manual retry logic.

Exam trap

The trap here is that candidates may confuse `CallActivityAsync` with `CallActivityWithRetryAsync`, assuming that retry options can be passed as an additional parameter to the former, or they may underestimate the value of the built-in retry mechanism and opt for a manual loop, which is less robust and not idiomatic in Durable Functions.

How to eliminate wrong answers

Option A is wrong because `CallActivityAsync` does not accept retry parameters and will only execute the activity once, failing immediately on transient errors. Option C is wrong because `CallActivityAsync` does not have an overload that accepts `RetryOptions`; the retry mechanism is only available via `CallActivityWithRetryAsync`. Option D is wrong because while a manual loop with a durable timer could technically work, it is not the recommended or idiomatic approach in Durable Functions, and it would require additional code to implement exponential backoff correctly, making it less reliable and more error-prone than the built-in method.

405
MCQmedium

Refer to the exhibit. You have an Azure Policy definition as shown. Your team creates a storage account with network rules set to 'Deny' by default, and then adds an IP rule to allow traffic from a specific IP range. What compliance state will this storage account be reported as?

A.Error
B.Compliant
C.Exempt
D.Non-compliant
AnswerB

Condition is not met (defaultAction is 'Deny'), so audit effect does not apply.

Why this answer

The policy audits if the storage account type is 'Microsoft.Storage/storageAccounts' AND defaultAction equals 'Allow'. Since the defaultAction is 'Deny', the condition is false, so the resource is compliant. Option B is correct.

406
MCQeasy

You are developing a solution that processes messages from an Azure Storage Queue. Each message triggers a long-running operation that may take up to 30 minutes. You need to ensure that if the processing fails, the message is not lost and can be retried later. The current implementation uses a console application that polls the queue and deletes messages after processing. What should you change?

A.Move the message to a poison queue after the first failure.
B.After processing fails, update the message's visibility timeout to a later time so it becomes visible again for retry.
C.Increase the polling interval to reduce the chance of missing messages.
D.Delete the message only if processing succeeds; otherwise, leave it in the queue.
AnswerB

This allows the message to be retried after a delay without loss.

Why this answer

The correct approach is to update the message's visibility timeout to a later time when processing fails. This makes the message reappear in the queue after the specified timeout, allowing another consumer to retry processing. Azure Storage Queue messages have a default visibility timeout of 30 seconds, but you can extend it to up to 7 days.

This ensures the message is not lost and can be retried without being deleted or moved prematurely.

Exam trap

The trap here is that candidates often think leaving the message in the queue (Option D) is sufficient, but they forget that the message remains invisible after being dequeued unless its visibility timeout is explicitly updated to make it visible again for retries.

How to eliminate wrong answers

Option A is wrong because moving a message to a poison queue after the first failure would prevent retries; poison queues are typically used after a maximum number of retries (e.g., 5) have been exhausted, not after a single failure. Option C is wrong because increasing the polling interval does not address the need to retry failed messages; it only reduces how often the queue is checked, which could delay processing but does not handle failure recovery. Option D is wrong because simply leaving the message in the queue without updating its visibility timeout means it will remain invisible (due to the default visibility timeout) and never be reprocessed; the message must be made visible again for retries.

407
MCQeasy

You need to monitor the real-time CPU utilization of an Azure virtual machine. Which Azure Monitor feature is designed for this purpose?

A.Metrics
B.Logs
C.Alerts
D.Workbooks
AnswerA

Metrics provide real-time numerical values such as CPU usage, ideal for monitoring performance.

Why this answer

Azure Monitor Metrics is the correct feature because it collects and stores numeric time-series data from Azure resources, including CPU utilization, at near-real-time intervals (typically every 1 minute for Azure VMs). Metrics are lightweight, low-latency, and designed for real-time monitoring and alerting, making them ideal for tracking CPU usage without the overhead of log ingestion.

Exam trap

The trap here is that candidates often confuse 'real-time monitoring' with 'log-based analysis' and select Logs (Option B), not realizing that Metrics are specifically designed for low-latency, numeric performance data like CPU utilization, while Logs are for text-based events with higher latency.

How to eliminate wrong answers

Option B (Logs) is wrong because Azure Monitor Logs collects and stores textual, event-based data (e.g., system logs, application traces) with higher latency and is not optimized for real-time numeric performance counters like CPU utilization; it requires Log Analytics queries and is better suited for troubleshooting and historical analysis. Option C (Alerts) is wrong because Alerts are a notification mechanism that can be triggered by metric thresholds or log queries, but they are not a data collection or visualization feature themselves—they depend on Metrics or Logs as data sources. Option D (Workbooks) is wrong because Workbooks are interactive dashboards that combine data from multiple sources (Metrics, Logs, etc.) for visualization and reporting, but they do not natively collect or provide real-time CPU utilization data on their own.

408
MCQeasy

You need to deploy a containerized application to Azure that must be restarted automatically if it crashes. The solution should minimize management overhead. Which compute service should you use?

A.Azure Container Instances
B.Azure Functions
C.Azure Kubernetes Service (AKS)
D.Azure Virtual Machines
AnswerA

ACI provides simple container deployment with restart policy.

Why this answer

Azure Container Instances (ACI) is the correct choice because it provides a serverless container platform that automatically restarts containers if they crash when configured with a restart policy of 'Always' or 'OnFailure'. This minimizes management overhead by eliminating the need to manage underlying infrastructure, orchestration, or virtual machines, making it ideal for simple, stateless containerized applications that require automatic recovery.

Exam trap

The trap here is that candidates often choose AKS because of its robust orchestration and self-healing capabilities, but they overlook the explicit requirement to minimize management overhead, which AKS does not satisfy due to the need to manage clusters, node pools, and networking.

How to eliminate wrong answers

Option B (Azure Functions) is wrong because it is a serverless compute service designed for event-driven, short-lived code execution, not for hosting long-running containerized applications; it does not natively support running arbitrary containers with automatic restart on crash. Option C (Azure Kubernetes Service) is wrong because while it can restart crashed containers via pod health probes and replica sets, it introduces significant management overhead for cluster configuration, node pools, and orchestration, which contradicts the requirement to minimize management overhead. Option D (Azure Virtual Machines) is wrong because it requires manual configuration of container runtime, restart policies, and VM health monitoring, resulting in high management overhead and no built-in automatic container restart without additional tooling like Azure Monitor or custom scripts.

409
MCQhard

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used?

A.Implicit flow
B.Client credentials flow
C.Resource owner password credentials flow
D.Authorization code flow with PKCE
AnswerD

PKCE protects public clients that cannot store secrets and is recommended for SPAs.

Why this answer

The authorization code flow with PKCE (Proof Key for Code Exchange) is the correct choice because it is designed for public clients (like single-page apps) that cannot securely store a client secret. PKCE uses a dynamically generated cryptographic code verifier and challenge to prevent authorization code interception attacks, making it the recommended OAuth 2.0 flow for SPAs calling protected APIs in Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse the implicit flow (which was historically used for SPAs) with the modern PKCE-enhanced authorization code flow, not realizing that the implicit flow is now deprecated and the authorization code flow with PKCE is the current best practice for public clients.

How to eliminate wrong answers

Option A is wrong because the implicit flow is deprecated by OAuth 2.0 Security Best Current Practice (BCP) and Microsoft Entra ID recommends against it for SPAs due to security risks like access token leakage in the browser history. Option B is wrong because the client credentials flow is intended for server-to-server (confidential client) scenarios where no user is involved, not for a single-page app that signs in users. Option C is wrong because the resource owner password credentials flow requires the app to handle user credentials directly, which is insecure and violates the principle of delegated authentication; it is also not recommended by Microsoft Entra ID for modern applications.

410
MCQeasy

A company exposes an internal REST API to external partners using Azure API Management. They need to enforce a rate limit of 100 requests per minute per subscription. Which policy should they add?

A.CORS policy
B.Rate limit policy
C.Throttling policy
D.Validate JWT policy
AnswerB

The rate-limit policy limits API call rates per subscription or key, enforcing the specified limit per time window.

Why this answer

The Rate limit policy (option B) is correct because it enforces a per-subscription key rate limit of 100 requests per minute, which is exactly what the scenario requires. Azure API Management's rate-limit policy counts requests against the specified duration and blocks additional calls once the limit is exceeded, returning a 429 Too Many Requests response.

Exam trap

The trap here is that candidates confuse the 'rate-limit' policy (per-subscription, fixed window) with the 'throttling' policy (rate-limit-by-key, per-key or per-identity), but the question's requirement for 'per subscription' directly maps to the rate-limit policy, not the throttling policy.

How to eliminate wrong answers

Option A is wrong because the CORS policy handles cross-origin resource sharing (HTTP headers like Access-Control-Allow-Origin) and does not enforce any request rate limits. Option C is wrong because the throttling policy (rate-limit-by-key) is designed for per-key rate limiting but is typically used for more granular scenarios like per-IP or per-claim, and the question explicitly asks for per-subscription enforcement, which is the standard rate-limit policy. Option D is wrong because the Validate JWT policy validates JSON Web Tokens for authentication/authorization and has no mechanism to control request frequency.

411
MCQhard

Your company has an Azure Kubernetes Service (AKS) cluster. You need to deploy a containerized application that requires persistent storage across pod restarts. The storage must be backed by Azure Disk and support ReadWriteOnce access mode. Which volume type should you use?

A.Azure Disk
B.Azure Blob Storage
C.EmptyDir
D.Azure Files
AnswerA

Azure Disk supports ReadWriteOnce, suitable for persistent storage for one pod.

Why this answer

Azure Disk is the correct volume type because it provides a durable block storage device that can be attached to a pod in an AKS cluster. It supports the ReadWriteOnce (RWO) access mode, meaning the disk can be mounted as read-write by a single node, which aligns with the requirement for persistent storage that survives pod restarts. Azure Disk is ideal for stateful applications that need high-performance, low-latency storage and do not require concurrent access from multiple pods.

Exam trap

The trap here is that candidates often confuse Azure Files (which supports ReadWriteMany) with Azure Disk (which supports ReadWriteOnce), or they mistakenly choose EmptyDir thinking it provides persistence, when in fact it is temporary and tied to the pod's lifecycle.

How to eliminate wrong answers

Option B is wrong because Azure Blob Storage is object storage, not block storage, and it does not support the ReadWriteOnce access mode; it is typically accessed via REST APIs or Azure Blob CSI driver with different access modes (e.g., ReadWriteMany for multiple clients). Option C is wrong because EmptyDir is ephemeral storage that is created when a pod is assigned to a node and is deleted when the pod is removed, so it does not persist across pod restarts. Option D is wrong because Azure Files supports ReadWriteMany (RWX) access mode, not ReadWriteOnce, and is designed for concurrent access from multiple pods across nodes, which is not required here.

412
MCQeasy

You are developing a background job that runs every hour on Azure App Service. The job must be resilient to restarts and should not affect the web app's performance. Which technology should you use?

A.A background thread in the web application
B.Azure Logic Apps
C.WebJobs (triggered)
D.Azure Functions (Consumption plan)
AnswerC

Correct: WebJobs run in the same App Service plan and can be scheduled.

Why this answer

WebJobs (triggered) are designed specifically for running background tasks on Azure App Service. They run as separate processes from the web app, ensuring they do not affect the web app's performance, and they are resilient to restarts because the Azure WebJobs SDK automatically handles restart and retry logic. This makes them the ideal choice for a scheduled hourly job that must survive App Service restarts.

Exam trap

The trap here is that candidates often confuse Azure Functions with WebJobs, not realizing that WebJobs run inside the App Service sandbox and share the same scaling and restart behavior, whereas Functions on the Consumption plan are independent and subject to cold starts and different billing models.

How to eliminate wrong answers

Option A is wrong because a background thread in the web application runs within the same process as the web app, so if the App Service restarts, the thread is lost, and it can also degrade the web app's performance by competing for CPU and memory resources. Option B is wrong because Azure Logic Apps is a serverless workflow orchestrator that runs outside of App Service and is not designed to be a background job directly attached to a specific web app; it introduces additional latency and cost for a simple hourly task. Option D is wrong because Azure Functions on the Consumption plan can have cold start delays and are not directly tied to the App Service's lifecycle, meaning they do not benefit from the same restart resilience and shared resource management as WebJobs running within the same App Service plan.

413
MCQmedium

You are developing an ASP.NET Core web API hosted on Azure App Service. The API needs to read secrets from Azure Key Vault at startup. You have enabled a system-assigned managed identity for the App Service. Which code should you use to create the Key Vault SecretClient?

A.new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential())
B.new SecretClient(new Uri(keyVaultUrl), new ClientSecretCredential(tenantId, clientId, clientSecret))
C.new SecretClient(new Uri(keyVaultUrl), new ChainedTokenCredential())
D.new SecretClient(new Uri(keyVaultUrl), new InteractiveBrowserCredential())
AnswerA

DefaultAzureCredential attempts to authenticate using the environment's managed identity (among others). In an App Service with system-assigned managed identity, it will use that identity.

Why this answer

Option A is correct because `DefaultAzureCredential` automatically attempts to authenticate using the environment's managed identity when running on Azure App Service. Since a system-assigned managed identity is enabled, `DefaultAzureCredential` will chain through available credential sources and successfully use the managed identity endpoint to obtain a token for Key Vault, without requiring any explicit tenant ID, client ID, or secret. In production, prefer constructing `ManagedIdentityCredential` directly (or exclude the developer-tool credentials through `DefaultAzureCredentialOptions`), so the chain cannot silently fall back to a developer's Azure CLI or Visual Studio sign-in and startup does not spend time probing sources that will never succeed.

Exam trap

The trap here is that candidates often choose `ClientSecretCredential` (Option B) because they are accustomed to using service principals with secrets, forgetting that managed identities eliminate the need for any hardcoded credentials.

How to eliminate wrong answers

Option B is wrong because `ClientSecretCredential` requires a client secret, which defeats the purpose of using a managed identity: it introduces a secret that must be stored and rotated, increasing security risk. Option C is wrong because `ChainedTokenCredential` is a container for credentials you supply: its constructor takes the ordered list of `TokenCredential` instances to try, and Azure.Identity rejects an empty chain, so `new ChainedTokenCredential()` is not a usable credential and would never reach the managed identity endpoint (a chain built from `ManagedIdentityCredential` would work, but `DefaultAzureCredential` already does that for you). Option D is wrong because `InteractiveBrowserCredential` is designed for interactive user authentication via a browser, which is not suitable for a server-side, unattended startup scenario in Azure App Service.

414
Drag & Dropmedium

Arrange the steps to configure auto-scaling for an Azure App Service in the correct order.


Why this order

In the portal the path is: open the App Service (or its App Service plan), then Scale out, choose Custom autoscale, add a scale rule (for example CPU percentage above 70 % for 10 minutes adds one instance, paired with a scale-in rule so the plan contracts again), then set the minimum, maximum and default instance counts and save. Rule-based autoscale needs a Standard tier or higher plan; Basic supports only manual scale.

415
Multi-Selectmedium

You are deploying an Azure App Service that must be accessible only from your corporate network via a VPN. You need to restrict inbound traffic. Which TWO actions should you take?

Select 2 answers
A.Use Azure Front Door with WAF
B.Deploy the App Service inside a VNet using an App Service Environment
C.Configure a service endpoint
D.Enable VNet integration for the App Service
E.Configure IP address restrictions in the App Service
AnswersB, E

ASE can be deployed inside a VNet, ensuring only VNet traffic reaches it.

Why this answer

Option B is correct because deploying the App Service inside a VNet using an App Service Environment (ASE) places the App Service on dedicated infrastructure that is fully integrated into your virtual network. This ensures that inbound traffic is only possible from within the VNet, which is accessible via your corporate VPN, effectively isolating the App Service from the public internet.

Exam trap

The trap here is that candidates confuse VNet integration, which only governs the app's outbound traffic, with restricting inbound traffic, and pick Option D. Of the options offered, only an App Service Environment puts the inbound endpoint itself inside the VNet (on a multi-tenant plan the equivalent would be a private endpoint, which is not among the choices). Option E then limits the listener to the VPN address ranges or the VNet subnet, so that even inside the ASE only corporate traffic is accepted.

416
MCQmedium

Your Azure Functions app (running on the Consumption plan) processes messages from an Azure Storage queue. Occasionally, the function fails due to a timeout after 5 minutes. You need to increase the maximum execution time without changing the plan. What should you do?

A.Set the functionTimeout property in host.json to 10 minutes
B.Migrate the function app to the Premium or Dedicated plan
C.Use Durable Functions to split the work
D.Increase the visibility timeout of the queue message
AnswerB

Premium and Dedicated plans support longer execution times.

Why this answer

The Consumption plan's default `functionTimeout` is 5 minutes and its ceiling is 10 minutes, set in host.json (`"functionTimeout": "00:10:00"`); nothing on that plan can run beyond 10 minutes, whereas the Premium plan defaults to 30 minutes and can be unbounded, and the Dedicated (App Service) plan with Always On is unbounded too. That is why the answer key picks Option B, even though it does change the plan. Option A buys at most 10 minutes, so it only helps if the jobs never run longer than that. Option C does not raise the per-execution limit either: each activity function is still bound by `functionTimeout`, although a Durable orchestration can span hours by chaining short activities, which is the usual in-plan remedy when the work can be split.

Option D is wrong because the queue message's visibility timeout only controls when an unacknowledged message becomes visible to other consumers again; it has no effect on how long a function may execute.

417
MCQeasy

You have an application that stores user profile pictures in Azure Blob Storage. Users upload images via a web app. You need to ensure that the images are served securely over HTTPS and that only authenticated users can access them. The web app uses Azure App Service with built-in authentication. You want to avoid storing any access keys in the web app's configuration. What should you do to grant the web app access to the blobs?

A.Store the storage account access key in the web app's configuration.
B.Enable system-assigned managed identity on the App Service and assign the 'Storage Blob Data Reader' role on the blob container.
C.Enable anonymous public read access on the blob container.
D.Generate a SAS token with long expiration and store it in the web app's configuration.
AnswerB

Managed identity provides secure, keyless access.

Why this answer

Option B is correct because enabling a system-assigned managed identity on the App Service allows it to authenticate to Azure Storage without storing any credentials. By assigning the 'Storage Blob Data Reader' role on the blob container, the web app can securely access blobs using Azure AD authentication, which is the recommended approach for server-side access. This avoids storing access keys or SAS tokens in configuration, meeting the security requirement.

Exam trap

The trap here is that candidates may think a SAS token or access key is necessary for programmatic access, but Azure AD authentication via managed identity is the secure, keyless method that satisfies the 'no stored keys' requirement while still enforcing authentication.

How to eliminate wrong answers

Option A is wrong because storing the storage account access key in the web app's configuration violates the requirement to avoid storing access keys, and exposes the key to potential leakage via configuration management or logs. Option C is wrong because enabling anonymous public read access would allow any user (authenticated or not) to access the blobs, which contradicts the requirement that only authenticated users can access them. Option D is wrong because generating a SAS token with long expiration and storing it in configuration still requires managing a secret in the app settings, which violates the 'avoid storing any access keys' requirement and introduces risk of token leakage or expiration issues.

418
MCQeasy

You are using Azure CLI to upload a blob using your Azure AD credentials (--auth-mode login). The command fails with an authorization error. What is the most likely cause?

A.The user does not have the 'Storage Blob Data Contributor' role on the storage account
B.The Azure CLI version is outdated
C.The storage account key is not provided
D.The container name does not exist
AnswerA

Azure RBAC role assignment is required for Azure AD authentication.

Why this answer

Option A is correct: `--auth-mode login` makes the CLI obtain an Entra ID token for the storage data plane, and data-plane access is authorized only by Azure RBAC data roles. Owner or Contributor on the subscription is not enough; the caller needs Storage Blob Data Contributor (or Storage Blob Data Owner) at the account, container or a parent scope, for example `az role assignment create --role "Storage Blob Data Contributor" --assignee <user> --scope <storage-account-resource-id>`. A fresh assignment can take a few minutes to propagate, so an immediate retry may still fail.

Option C is wrong because no account key is used or required in login mode. Option D is wrong because a missing container returns a ContainerNotFound error, not an authorization error. Option B is wrong because an outdated CLI would fail with an unknown-argument or parsing error rather than an authorization error.

419
Multi-Selecteasy

Which TWO of the following are features of Azure Blob Storage lifecycle management? (Choose two.)

Select 2 answers
A.Automatically delete blobs after a specified number of days.
B.Automatically move blobs to a cooler tier after a specified number of days.
C.Automatically apply legal hold to blobs.
D.Automatically replicate blobs to another region.
E.Automatically encrypt blobs at rest.
AnswersA, B

Lifecycle management can delete blobs based on age.

Why this answer

Option A is correct because Azure Blob Storage lifecycle management policies allow you to define rules that automatically delete blobs after a specified number of days. This is commonly used to enforce data retention policies or clean up temporary data without manual intervention. Option B is correct because the same rules can transition blobs to the Cool, Cold or Archive tier (tierToCool, tierToCold, tierToArchive) based on days since creation, last modification or last access. Rules are evaluated by a daily background job, so a new or changed policy can take up to 24 hours to take effect.

Exam trap

The trap here is that candidates confuse lifecycle management with other Azure Blob Storage features like immutability policies (legal hold), replication, or encryption, which are separate capabilities with different purposes and configurations.

420
MCQeasy

A company stores secrets in Azure Key Vault. Developers need to retrieve secrets from a web app without storing connection strings in code. Which authentication method should the web app use?

A.Register a service principal and use a client secret
B.Enable a managed identity for the web app
C.Use a shared access signature (SAS) token
D.Use a certificate thumbprint in the app settings
AnswerB

Managed identities allow the app to authenticate to Key Vault without storing credentials.

Why this answer

Managed identities give the web app an automatically managed identity in Microsoft Entra ID that can authenticate to any service supporting Entra ID authentication, Key Vault included, with no credential to store or rotate; you then grant it access through a Key Vault access policy or, preferably, an RBAC role such as Key Vault Secrets User. Option A is wrong because a service principal with a client secret means managing and rotating that secret, which is exactly what the question wants to avoid. Option C is wrong because SAS tokens are a Storage concept; Key Vault does not issue or accept them.

Option D is wrong because a certificate thumbprint in app settings still points at a service principal credential (the certificate) that must be provisioned, protected and renewed; it is not a keyless method.

421
MCQmedium

You have an Azure Event Grid topic that receives storage blob created events. You only want to process events for files with a '.jpg' extension. You need to minimize cost and latency. How should you filter the events?

A.Configure a subject filter in the Event Grid subscription with suffix '.jpg'
B.Filter inside the Azure Function code by checking the blob name extension
C.Use Azure Service Bus topics instead of Event Grid, with a filter on message properties
D.Create separate Event Grid topics for JPEG files and route only JPEG events
AnswerA

Subject suffix filtering ensures only events with blob names ending in '.jpg' are delivered, avoiding unnecessary function invocations.

Why this answer

Option A is correct because Event Grid subscriptions support subject filtering with prefix and suffix matching, allowing you to filter events at the Event Grid service level before they are delivered to your endpoint. By configuring a subject filter with suffix '.jpg', only blob created events for files ending in '.jpg' are sent to your Azure Function, minimizing both cost (fewer invocations) and latency (no unnecessary processing). This approach avoids the overhead of receiving and discarding unwanted events in your function code.

Exam trap

The trap here is that candidates often assume filtering in code is simpler or more flexible, but they overlook that Event Grid's built-in subject filtering is the most cost-effective and low-latency approach because it prevents unwanted events from ever reaching the function endpoint.

How to eliminate wrong answers

Option B is wrong because filtering inside the Azure Function code still incurs the cost of every event being delivered to the function and the latency of function invocations for unwanted events, defeating the purpose of minimizing cost and latency. Option C is wrong because Azure Service Bus topics are designed for message queuing and pub/sub with message properties, but Event Grid is the native service for reacting to Azure storage blob events with built-in subject filtering; using Service Bus adds unnecessary complexity and cost. Option D is wrong because creating separate Event Grid topics for JPEG files requires additional management overhead and does not leverage the built-in filtering capability of Event Grid subscriptions, leading to higher cost and complexity without benefit.
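The following is an added example, not code from the page: it reproduces the matching an Event Grid subscription performs with its subject filter (subjectBeginsWith, subjectEndsWith and included event types; subject matching is case-insensitive unless isSubjectCaseSensitive is set) over constructed Blob Storage events, so you can see exactly which events would reach the function. The container name, blob names and event IDs are made up; the subject format is the one Blob Storage events use.

```python
from dataclasses import dataclass

# Subject of a Blob Storage event as Event Grid emits it:
#   /blobServices/default/containers/<container>/blobs/<blob-name>
# so a suffix filter on ".jpg" keys off the blob name and a prefix filter pins the container.

@dataclass(frozen=True)
class SubjectFilter:
    """Subscription-side filter, applied by Event Grid before delivery."""
    begins_with: str = ""
    ends_with: str = ""
    case_sensitive: bool = False          # Event Grid's default: subject matching is case-insensitive
    event_types: tuple = ()               # empty = every event type of the topic

    def matches(self, event: dict) -> bool:
        if self.event_types and event.get("eventType") not in self.event_types:
            return False
        subject, prefix, suffix = event.get("subject", ""), self.begins_with, self.ends_with
        if not self.case_sensitive:
            subject, prefix, suffix = subject.lower(), prefix.lower(), suffix.lower()
        return subject.startswith(prefix) and subject.endswith(suffix)

def deliver(events, flt: SubjectFilter) -> list:
    """IDs of the events the subscription would hand to the function endpoint."""
    return [e["id"] for e in events if flt.matches(e)]

# Constructed sample events (shape follows the Event Grid schema for Blob Storage events; values are made up).
SAMPLE_EVENTS = [
    {"id": "1", "eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/uploads/blobs/photo.jpg"},
    {"id": "2", "eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/uploads/blobs/report.pdf"},
    {"id": "3", "eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/uploads/blobs/LOGO.JPG"},
    {"id": "4", "eventType": "Microsoft.Storage.BlobDeleted",
     "subject": "/blobServices/default/containers/uploads/blobs/old.jpg"},
    {"id": "5", "eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/backups/blobs/snapshot.jpg"},
]

JPG_UPLOADS = SubjectFilter(
    begins_with="/blobServices/default/containers/uploads/",
    ends_with=".jpg",
    event_types=("Microsoft.Storage.BlobCreated",),
)

def filtered_ids(case_sensitive: bool = False) -> list:
    """Apply the '.jpg in uploads' filter to the sample, with or without case sensitivity."""
    flt = SubjectFilter(JPG_UPLOADS.begins_with, JPG_UPLOADS.ends_with,
                        case_sensitive, JPG_UPLOADS.event_types)
    return deliver(SAMPLE_EVENTS, flt)

if __name__ == "__main__":
    print(filtered_ids())                    # default, case-insensitive: photo.jpg and LOGO.JPG
    print(filtered_ids(case_sensitive=True)) # only photo.jpg
```

The same filter on a real subscription is `az eventgrid event-subscription create ... --subject-begins-with /blobServices/default/containers/uploads/ --subject-ends-with .jpg --included-event-types Microsoft.Storage.BlobCreated`. Note that the deleted event (4) is dropped by the event-type filter and the backups container (5) by the prefix, neither of which a bare suffix filter would catch.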

422
MCQeasy

You are deploying a containerized application to Azure Container Instances (ACI). The application writes temporary data to a local disk that must persist across container restarts (e.g., after a crash). Which configuration should you use?

A.Mount an Azure Files share as a volume in the container group.
B.Use the temporary disk automatically allocated by ACI.
C.Store data in an Azure Cosmos DB database.
D.Use an emptyDir volume as available in Kubernetes.
AnswerA

Azure Files shares are persistent and can be mounted across container restarts, providing durable storage.

Why this answer

Option A is correct because Azure Container Instances (ACI) supports mounting an Azure Files share as a persistent volume. When a container restarts (e.g., after a crash), the temporary disk is wiped, but data written to an Azure Files share persists independently of the container's lifecycle. This meets the requirement for data to survive container restarts.

Exam trap

The trap here is that candidates often confuse the temporary disk (which is ephemeral) with persistent storage, or they incorrectly assume Kubernetes concepts like emptyDir apply to ACI, when ACI has its own volume mounting mechanisms (Azure Files, secrets, empty directories).

How to eliminate wrong answers

Option B is wrong because the temporary disk automatically allocated by ACI is ephemeral; its contents are lost when the container restarts or is redeployed, so it cannot persist data across restarts. Option C is wrong because Azure Cosmos DB is a globally distributed NoSQL database designed for structured data and high availability, not a local disk; it adds latency and cost for data that only needs to survive a restart. Option D is wrong because, although ACI does offer an emptyDir volume, it is scoped to the container group rather than to durable storage: it is wiped whenever the group is stopped, restarted, redeployed or deleted, and it is not the Kubernetes volume type the option describes. Only an Azure Files mount keeps the data outside the group's lifecycle.

423
MCQmedium

An application uses Azure Functions with a Durable Functions extension to orchestrate a workflow. The workflow calls multiple external APIs. The developer needs to handle transient failures when calling these APIs. Which pattern should the developer implement?

A.Implement retry logic with exponential backoff
B.Use a saga pattern
C.Use a request-reply pattern
D.Use a circuit breaker pattern
AnswerA

Exponential backoff is a standard approach for handling transient failures.

Why this answer

Option A is correct because transient faults (throttling, a brief 503, a dropped connection) clear on their own, so the right response is to retry a bounded number of times with growing, jittered delays; in Durable Functions this is built in via `CallActivityWithRetryAsync` with a `RetryOptions` (first retry interval, max attempts, backoff coefficient, max retry interval), and the retry state is checkpointed with the orchestration so it survives a host restart. Option D is incorrect because a circuit breaker stops calling a service that is failing persistently so it can recover; it complements retries but does not itself handle a transient fault. Option C is incorrect because request-reply is a messaging pattern for correlating responses, not a fault-handling pattern.

Option B is incorrect because the saga pattern coordinates compensating actions across distributed transactions; it addresses business-level rollback, not retries.
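As an added example (not from the page or from the Durable Functions SDK), here is the retry policy the answer describes written out in plain Python so the behaviour can be checked offline: only transient HTTP statuses are retried, the delay grows exponentially with jitter and a cap, a server-supplied Retry-After overrides the computed delay, and permanent failures or the last attempt propagate unchanged. `HttpError` and `FlakyApi` are constructed stand-ins for a real HTTP client and external API; the `RetryOptions` field names are mine and mirror the knobs Durable Functions' `RetryOptions` exposes.

```python
import random
import time
from dataclasses import dataclass

class HttpError(Exception):
    """Constructed stand-in for the exception an HTTP client raises on a non-2xx response."""
    def __init__(self, status: int, retry_after=None):
        super().__init__(f"HTTP {status}")
        self.status = status
        self.retry_after = retry_after      # seconds from a Retry-After header, if the server sent one

TRANSIENT_STATUSES = {408, 429, 500, 502, 503, 504}

def is_transient_http(exc: Exception) -> bool:
    """Retry only faults that can clear on their own; a 400/401/403/404 will not."""
    return isinstance(exc, HttpError) and exc.status in TRANSIENT_STATUSES

@dataclass(frozen=True)
class RetryOptions:
    # Same knobs as Durable Functions' RetryOptions, under our own names (seconds, not milliseconds).
    first_retry_interval: float = 0.5
    max_attempts: int = 5
    backoff_coefficient: float = 2.0
    max_retry_interval: float = 30.0
    jitter: float = 0.2                     # +/-20 % so retries from many instances do not synchronise

def backoff_delay(attempt: int, opts: RetryOptions, rnd=random.random) -> float:
    """Delay before the retry that follows failed attempt number `attempt` (1-based)."""
    base = min(opts.first_retry_interval * opts.backoff_coefficient ** (attempt - 1),
               opts.max_retry_interval)
    return base * (1.0 + opts.jitter * (2.0 * rnd() - 1.0))

def call_with_retry(fn, opts: RetryOptions, is_transient=is_transient_http,
                    sleep=time.sleep, rnd=random.random):
    """Call fn(); on a transient failure wait with exponential backoff and try again.
    Permanent failures and the final attempt's failure propagate unchanged."""
    for attempt in range(1, opts.max_attempts + 1):
        try:
            return fn()
        except Exception as exc:
            if attempt == opts.max_attempts or not is_transient(exc):
                raise
            delay = backoff_delay(attempt, opts, rnd)
            if getattr(exc, "retry_after", None):   # honour the server's Retry-After when it is longer
                delay = max(delay, float(exc.retry_after))
            sleep(delay)

class FlakyApi:
    """Constructed fake external API: fails with the queued statuses, then succeeds."""
    def __init__(self, statuses):
        self.statuses = list(statuses)
        self.calls = 0

    def __call__(self) -> dict:
        self.calls += 1
        if self.statuses:
            status = self.statuses.pop(0)
            raise HttpError(status, retry_after=7.0 if status == 429 else None)
        return {"status": "ok"}

def run_scenario(statuses, opts: RetryOptions = RetryOptions()) -> dict:
    """Run one scenario with a recorded sleep and no jitter (rnd fixed at 0.5) so results are deterministic."""
    delays, api = [], FlakyApi(statuses)
    try:
        result = call_with_retry(api, opts, sleep=delays.append, rnd=lambda: 0.5)
        return {"result": result, "error": None, "calls": api.calls, "delays": delays}
    except HttpError as exc:
        return {"result": None, "error": exc.status, "calls": api.calls, "delays": delays}

if __name__ == "__main__":
    for name, statuses in [("recovers", [503, 503]), ("permanent", [400]),
                           ("gives up", [503] * 10), ("honours Retry-After", [429])]:
        print(name, run_scenario(statuses))
```

The classification step is the part most often skipped: retrying a 400 or 403 only delays the failure and, for an authorization error, can look like a credential-stuffing burst to the other side.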

424
Matchingmedium

Match each Azure container service to its primary use case.


Run containers on demand without orchestration

Managed Kubernetes cluster for orchestration

Serverless containers for microservices

Platform for building and managing microservices

Why these pairings

Azure provides multiple container services for different scenarios. The first description is Azure Container Instances (single containers or container groups started on demand, billed per second, with no cluster to manage); the second is Azure Kubernetes Service; the third is Azure Container Apps (serverless containers with KEDA-based scaling and Dapr integration); and the fourth reads as Azure Service Fabric, Microsoft's platform for packaging, deploying and managing microservices.

425
MCQhard

Your application writes millions of small records (each under 1 KB) to Azure Table Storage every day. You notice that query performance degrades over time. Which design change would most improve performance?

A.Store all records in a single blob and use Blob Storage.
B.Use a hash of the timestamp as the PartitionKey to distribute writes evenly.
C.Increase the storage account's throughput limits.
D.Use a single PartitionKey and a sequential RowKey.
AnswerB

Distributes data across partitions, avoiding hot partitions.

Why this answer

Option B is correct because using a hash of the timestamp as the PartitionKey distributes writes evenly across partition ranges, preventing hot partitions. Azure Table Storage scales by splitting partition ranges across storage nodes; sequential timestamps put every new write on the last range, so one node absorbs the whole write load and throughput degrades. A hash spreads the load uniformly, so each partition stays within its target of about 2,000 entities per second (the 20,000-per-second figure is an account-wide target, not a per-partition one). The trade-off is that a time-range query can no longer read one partition range; it must fan out to every hash bucket, so choose the bucket count to balance write spread against query fan-out.

Exam trap

The trap here is that candidates assume increasing throughput limits (Option C) or using a single partition key (Option D) will fix performance, but Azure's per-partition scaling constraints mean only distributing the partition key (Option B) addresses the hot partition bottleneck.

How to eliminate wrong answers

Option A is wrong because storing all records in a single blob eliminates the query and indexing capabilities of Table Storage, making record-level retrieval impractical and introducing a single point of contention for writes. Option C is wrong because increasing storage account throughput limits does not resolve the root cause of hot partitions; Azure enforces per-partition scaling limits (up to 2,000 entities per second) regardless of account-level limits. Option D is wrong because using a single PartitionKey with a sequential RowKey creates a hot partition on the last partition server, exactly the pattern that causes the observed degradation over time.
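An added example, not from the page: it contrasts the sequential-key anti-pattern (Option D) with the hashed PartitionKey of Option B on a constructed set of 1,000 records written one second apart, shows the inverted-ticks RowKey that keeps the newest entity first within a partition, and spells out the cost of hashing as the per-bucket OData filters a time-range query has to issue. Function names and the 16-bucket default are mine; the tick constants are those the .NET SDK uses.

```python
import hashlib
from collections import Counter
from datetime import datetime, timedelta, timezone

# Table Storage sorts entities by PartitionKey, then RowKey, as strings. Time-ordered keys therefore
# pile every new write onto the last partition range (a "hot" partition); a hashed PartitionKey spreads
# them, at the price of having to query every bucket when you later ask for a time range.

TICKS_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)    # .NET ticks: 100 ns units since 0001-01-01 UTC
MAX_TICKS = 3_155_378_975_999_999_999                   # DateTime.MaxValue.Ticks

def to_ticks(ts: datetime) -> int:
    delta = ts.astimezone(timezone.utc) - TICKS_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def sequential_partition_key(ts: datetime) -> str:
    """The anti-pattern from Option D: one partition per hour, so all current writes hit one range."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H")

def hashed_partition_key(ts: datetime, buckets: int = 16) -> str:
    """Option B: derive the PartitionKey from a hash of the timestamp (sha256, not Python's
    per-process-salted hash(), so the key is stable across writers and restarts)."""
    digest = hashlib.sha256(ts.isoformat().encode()).digest()
    return f"{int.from_bytes(digest[:4], 'big') % buckets:02d}"

def inverted_ticks_row_key(ts: datetime) -> str:
    """RowKey that sorts newest-first inside a partition, the usual choice for 'latest N' reads."""
    return f"{MAX_TICKS - to_ticks(ts):019d}"

def partition_spread(timestamps, key_fn) -> Counter:
    """How many writes each partition would receive under a given key scheme."""
    return Counter(key_fn(ts) for ts in timestamps)

def range_filters(start: datetime, end: datetime, buckets: int = 16) -> list:
    """The cost of hashing: a time-range query fans out into one OData filter per bucket.
    With inverted ticks the newer bound (end) is the smaller RowKey."""
    low, high = inverted_ticks_row_key(end), inverted_ticks_row_key(start)
    return [f"PartitionKey eq '{b:02d}' and RowKey ge '{low}' and RowKey le '{high}'"
            for b in range(buckets)]

def demo(n: int = 1000) -> dict:
    """Constructed sample: n records one second apart, all within the same hour."""
    base = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    sample = [base + timedelta(seconds=i) for i in range(n)]
    return {
        "sequential": partition_spread(sample, sequential_partition_key),
        "hashed": partition_spread(sample, hashed_partition_key),
        "newest_first": inverted_ticks_row_key(sample[-1]) < inverted_ticks_row_key(sample[0]),
        "filters": range_filters(sample[0], sample[-1]),
    }

if __name__ == "__main__":
    result = demo()
    print("sequential:", dict(result["sequential"]))             # one partition takes all 1000 writes
    print("hashed:    ", dict(sorted(result["hashed"].items())))  # roughly 62 writes in each of 16 buckets
    print(result["filters"][0])
```

In practice the hash input is often a device or tenant identifier rather than the raw timestamp, which gives the same write spread while keeping one entity's history inside a single partition; the fan-out cost for pure time-range queries is the same either way.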

426
Multi-Selectmedium

You are developing a solution that uses Azure Container Instances (ACI) to run a batch processing job. The job runs for approximately 30 minutes and requires access to a configuration file stored in Azure Files. You need to ensure the container instance can access the file share securely without using a public endpoint. Which TWO actions should you take?

Select 2 answers
A.Mount the Azure Files share using the storage account name and key.
B.Use a managed identity assigned to the container group to authenticate to the storage account.
C.Deploy the container group in an Azure virtual network that has a service endpoint to Azure Storage.
D.Use a shared access signature (SAS) token to mount the file share.
E.Enable the storage account's firewall to allow access from the container group's public IP.
AnswersA, C

The mount is authenticated with the storage account key, supplied in the container group's volume definition (azureFile.storageAccountKey), which should be passed as a secure parameter or secret rather than in plain environment variables.

Why this answer

Option A is correct because mounting an Azure Files share using the storage account name and key is a supported method in Azure Container Instances. This approach uses the SMB protocol to directly attach the file share to the container, providing access to the configuration file without requiring a public endpoint. The storage account key is passed securely as part of the container group configuration, and the mount is handled internally within the Azure infrastructure.

Exam trap

The trap here is that candidates often assume managed identities can be used for any Azure resource authentication, but Azure Container Instances does not support managed identities for Azure Files mounts, and they may overlook that service endpoints provide private connectivity without needing to change the authentication method.

427
MCQmedium

A company integrates an Azure Logic App with Microsoft Teams to send notifications when a new file is added to an Azure Blob storage container. The Logic App currently polls the blob container every minute. They want to reduce latency and avoid polling. What should they do?

A.Increase the polling frequency to every 10 seconds.
B.Add an Event Grid subscription to the blob storage.
C.Use Azure Data Factory to monitor the storage.
D.Use Azure Service Bus topics for file notifications.
AnswerB

Event Grid pushes events to Logic App, eliminating polling.

Why this answer

Using an Event Grid subscription (Option B) triggers the Logic App with a push on each BlobCreated event, so there is no polling interval to wait for. Option A still polls and only multiplies the trigger executions and their cost. Option C is wrong because Azure Data Factory is a data integration service; it does not deliver per-file notifications to a Logic App.

Option D is wrong because Service Bus topics would need something to publish the file notification in the first place; Blob Storage emits events natively to Event Grid, not to Service Bus.

428
Multi-Selecteasy

You need to grant a user access to read and write blobs in a specific container for exactly 24 hours. The user is external to your organization. Which two methods can you use? (Choose two.)

Select 2 answers
A.Create a shared access signature (SAS) token with an expiry time of 24 hours
B.Share the storage account access key with the user
C.Create an account SAS token with read and write permissions
D.Generate a user delegation SAS key using Azure AD credentials
E.Assign the 'Storage Blob Data Contributor' role to the user's Microsoft account
AnswersA, D

A service SAS can be generated for the container with read and write permissions and a 24-hour expiry.

Why this answer

Option A is correct because a shared access signature (SAS) token can be scoped to a specific container and granted read and write permissions, with an expiry time set to exactly 24 hours. This allows the external user to access only that container for the specified duration without exposing the storage account key or requiring Azure AD authentication. Option D is correct because a user delegation SAS is signed with a delegation key obtained with Entra ID credentials (the signer needs a data role such as Storage Blob Data Contributor) rather than with the account key, carries the signer's identity in the token, can be revoked by revoking the delegation key, and is capped at seven days, comfortably covering the 24 hours required. With either kind, set `spr=https` and grant only `rw`.

Exam trap

The trap here is that candidates often confuse an account SAS with a service SAS, assuming an account SAS can be scoped to a single container, but in reality, an account SAS applies to the entire storage account and cannot be restricted to a specific container.
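An added example, not from the page: a small auditor that parses a blob URL or bare SAS token and reports what a reviewer of the scenario above would reject, namely an account SAS instead of a container-scoped one, a protocol that permits HTTP, permissions beyond `rw`, a missing or over-long lifetime, and a token that has expired or is about to (the intermittent 'AuthorizationFailure' pattern). It also distinguishes service, account and user delegation tokens by their parameters. The sample tokens are constructed, with a placeholder `sig`, zeroed GUIDs for the delegation-key fields and a fixed clock; function names are mine.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

def _sas_time(value: str) -> datetime:
    """SAS times are ISO 8601 UTC; the service accepts seconds, minutes or a bare date."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")

def sas_params(url_or_query: str) -> dict:
    """Split a blob URL (or a bare token) into its SAS query parameters."""
    query = urlsplit(url_or_query).query if "://" in url_or_query else url_or_query.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def sas_kind(p: dict) -> str:
    if "skoid" in p:                 # signed with a user delegation key obtained via Entra ID
        return "user delegation"
    if "ss" in p or "srt" in p:      # account SAS fields: signed services and resource types
        return "account"
    return "service"                 # signed with the storage account key

def audit_sas(url_or_query: str, now: datetime, allowed_permissions: str = "rw",
              max_lifetime: timedelta = timedelta(hours=24),
              renew_margin: timedelta = timedelta(minutes=5)) -> list:
    """Policy checks for a token meant to grant rw on one container for at most 24 h.
    Returns the violations found; an empty list means the token passes."""
    p = sas_params(url_or_query)
    if "sig" not in p:
        return ["no sig parameter: not a SAS"]
    findings = []
    if sas_kind(p) == "account":
        findings.append("account SAS: scoped to the whole account, cannot be limited to one container")
    if p.get("spr", "https,http") != "https":       # an omitted spr allows both protocols
        findings.append("spr is not https: token may be sent over plain HTTP")
    excess = set(p.get("sp", "")) - set(allowed_permissions)
    if excess:
        findings.append("excess permissions: " + "".join(sorted(excess)))
    if "se" not in p:
        if "si" not in p:                            # only a stored access policy may hold the expiry instead
            findings.append("no expiry (se) and no stored access policy (si)")
    else:
        expiry = _sas_time(p["se"])
        if expiry <= now:
            findings.append("expired")
        elif expiry - now <= renew_margin:
            findings.append("expires within renewal margin: regenerate before use")
        start = _sas_time(p["st"]) if "st" in p else now
        if expiry - start > max_lifetime:
            findings.append(f"lifetime exceeds {max_lifetime}")
    return findings

FAKE_SIG = "sig=c29tZXRoaW5nL2Zha2U%3D"   # constructed placeholder, not a real signature
ZERO_GUID = "00000000-0000-0000-0000-000000000000"
SAMPLES = {   # constructed tokens; the account name and dates are made up
    "good": "https://contoso.blob.core.windows.net/uploads?sv=2022-11-02&sr=c&sp=rw"
            "&st=2024-05-01T12:00:00Z&se=2024-05-02T12:00:00Z&spr=https&" + FAKE_SIG,
    "expired": "?sv=2022-11-02&sr=c&sp=rw&st=2024-05-01T12:00:00Z&se=2024-05-01T12:30:00Z&spr=https&" + FAKE_SIG,
    "about_to_expire": "?sv=2022-11-02&sr=c&sp=rw&st=2024-05-01T12:00:00Z&se=2024-05-01T13:03:00Z&spr=https&" + FAKE_SIG,
    "account": "?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2024-05-02T12:00:00Z&spr=https&" + FAKE_SIG,
    "user_delegation_http": "?sv=2022-11-02&sr=c&sp=rw&se=2024-05-02T12:00:00Z&spr=https,http"
            f"&skoid={ZERO_GUID}&sktid={ZERO_GUID}&skt=2024-05-01T12:00:00Z&ske=2024-05-02T12:00:00Z"
            "&sks=b&skv=2022-11-02&" + FAKE_SIG,
    "long_lived": "?sv=2022-11-02&sr=c&sp=rw&st=2024-05-01T00:00:00Z&se=2024-05-05T00:00:00Z&spr=https&" + FAKE_SIG,
}
NOW = datetime(2024, 5, 1, 13, 0, tzinfo=timezone.utc)   # fixed clock for the constructed samples

def demo() -> dict:
    return {name: audit_sas(token, NOW) for name, token in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:22s} {sas_kind(sas_params(SAMPLES[name])):16s} {findings or 'ok'}")
```

The renewal-margin check is the one to wire into the client from question 377: a token that the clock says is still valid for a minute will fail on the service if the request arrives late or the two clocks differ, so regenerate before the margin rather than after the first failure.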

429
MCQeasy

You need to securely connect an on-premises application to Azure Blob Storage without exposing data to the public internet. Which feature should you use?

A.IP firewall rules on the storage account
B.Azure Private Endpoint
C.Storage account access keys
D.Shared access signature (SAS) with stored access policy
AnswerB

Private Endpoint uses private IP within a VNet, no internet exposure.

Why this answer

Azure Private Endpoint uses a private IP address from your virtual network to connect to Azure Blob Storage over the Microsoft backbone network, ensuring traffic never traverses the public internet. This provides a secure, private connection for on-premises applications via VPN or ExpressRoute, meeting the requirement to avoid public exposure. For the private endpoint to be the only path, also set the account's public network access to Disabled (or restrict it with the storage firewall), and make sure on-premises DNS resolves the privatelink.blob.core.windows.net zone to the private IP; otherwise clients keep resolving the public endpoint and are either blocked or, worse, keep using it.

Exam trap

The trap here is that candidates often confuse IP firewall rules or SAS tokens as providing private connectivity, when in fact they only control access or authentication but still route traffic over the public internet.

How to eliminate wrong answers

Option A is wrong because IP firewall rules restrict access based on public IP addresses, but traffic still flows over the public internet, failing the 'no public internet' requirement. Option C is wrong because storage account access keys are shared secrets that authenticate requests over HTTPS, but they do not prevent data from traversing the public internet; they also pose security risks if leaked. Option D is wrong because a shared access signature (SAS) with a stored access policy provides time-limited, delegated access over HTTPS, but the data path still uses the public internet endpoint, not a private connection.

430
MCQmedium

A company deploys an Azure App Service web app that stores sensitive data in Azure Blob Storage. The security team requires that all access to the blob storage must be authenticated and authorized via Microsoft Entra ID, and that no anonymous access is permitted. The web app must also be able to access the storage using its managed identity. Which configuration should the company implement?

A.Create a custom RBAC role that allows full access to the storage account and assign it to the web app's service principal.
B.Enable the web app's system-assigned managed identity, assign the Storage Blob Data Contributor role to the identity, and disable anonymous access on the storage account.
C.Use storage account access keys and store them in Key Vault, then configure the web app to retrieve them at runtime.
D.Generate a shared access signature (SAS) token with read permissions, store it in App Settings, and configure the web app to use it.
AnswerB

Managed identity provides Entra ID authentication and RBAC authorization.

Why this answer

Option B is correct because enabling the system-assigned managed identity and granting it Storage Blob Data Contributor gives the web app Entra ID authentication and RBAC authorization with no secret anywhere, and disabling anonymous access on the account (allowBlobPublicAccess = false) removes the unauthenticated path. To make Entra ID the only path, also disable shared key authorization on the account (allowSharedKeyAccess = false), which turns off the account keys and every SAS signed with them. Option A is wrong because a custom role with full control is far broader than the data-plane access the app needs and does nothing about anonymous access.

Option C is wrong because account keys bypass Entra ID entirely, whatever vault they are kept in. Option D is wrong because a key-signed SAS also bypasses Entra ID and is not tied to the managed identity.

431
Multi-Selecthard

Your company uses Azure API Management to manage APIs. You need to implement policies that ensure only authenticated requests from partners are allowed, and that responses are cached to improve performance. Which THREE policies should you configure?

Select 3 answers
A.set-header
B.rate-limit
C.cache-store
D.validate-jwt
E.cache-lookup
AnswersC, D, E

Stores responses in cache.

Why this answer

Option D (validate-jwt) authenticates each request by validating the bearer token's signature, issuer, audience, expiry and any required claims, and rejects the call with the configured status before it reaches the backend. Option E (cache-lookup), placed in the inbound section after validate-jwt, returns a cached response when one exists, and Option C (cache-store) in the outbound section saves the backend's response for the configured duration; the two only work as a pair. Keep validate-jwt ahead of cache-lookup, or an unauthenticated caller can be served straight from the cache.

Option B is incorrect because rate-limit throttles call volume; it neither authenticates nor caches. Option A is incorrect because set-header only adds, removes or rewrites headers.
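The three policies in the order the answer calls for, as an added example rather than a policy taken from the page: validate-jwt runs first so nothing unauthenticated reaches the cache or the backend, cache-lookup sits after it in inbound, and cache-store in outbound. The tenant ID, audience and role claim value are placeholders for your own app registration.

```xml
<policies>
    <inbound>
        <base />
        <!-- 1. Reject anything without a valid, unexpired, signed bearer token before any caching happens. -->
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized" require-scheme="Bearer"
                      require-expiration-time="true" require-signed-tokens="true">
            <!-- {tenant-id}: placeholder for the Entra ID tenant that issues partner tokens -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://partner-api</audience>   <!-- placeholder: your API's app ID URI -->
            </audiences>
            <required-claims>
                <claim name="roles" match="any">
                    <value>Partner.Read</value>         <!-- placeholder: app role granted to partners -->
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- 2. Only after authentication: serve a cached copy if one exists. The cache is shared across
                callers, so vary on anything that changes the response (here the content negotiation header). -->
        <cache-lookup vary-by-developer="false" vary-by-developer-groups="false"
                      downstream-caching-type="none" must-revalidate="true">
            <vary-by-header>Accept</vary-by-header>
        </cache-lookup>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- 3. Store the backend response for five minutes for the next cache-lookup. -->
        <cache-store duration="300" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Do not cache responses that differ per partner unless the cache key varies on what distinguishes them (for example a `vary-by-header` on a partner identifier); otherwise one partner's authenticated response can be returned to another with a valid token.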

432
Matchingmedium

Match each Azure security feature to its function.


Securely store and manage secrets, keys, and certificates

Cloud workload protection with threat detection

Enforce organizational standards and compliance rules

Fine-grained access management for Azure resources

Why these pairings

These are essential security and governance tools in Azure: Azure Key Vault securely stores and manages secrets, keys and certificates; Microsoft Defender for Cloud provides cloud workload protection with threat detection; Azure Policy enforces organizational standards and compliance rules; and Azure role-based access control (RBAC) provides fine-grained access management for Azure resources.

433
MCQmedium

Refer to the exhibit. An Azure App Service deployment is configured using this ARM template snippet. The web app is built from a GitHub repository. However, when a pull request is merged to main, the app does not automatically deploy. What is the most likely cause?

A.The isManualIntegration property is set to false.
B.The runtime stack is incorrect for the application.
C.The branch is set to main, but the deployments only trigger on a different branch.
D.The GitHub Actions workflow file is missing from the repository.
AnswerD

The ARM template only enables the integration; the actual workflow file must exist in the repo.

Why this answer

The ARM template wires up the source control integration but cannot create the build: with GitHub Actions deployment, the workflow YAML under .github/workflows that builds and publishes the app must exist in the repository, so its absence (Option D) is the most likely cause. Option A: isManualIntegration is false, which is the setting for continuous (automatic) deployment, so it is not the problem.

Option B: a wrong runtime stack would make the deployed app fail to start, not stop the deployment from triggering. Option C: the branch is set to main, which is the branch the pull requests are merged into.

434
MCQhard

You are using Azure API Management to expose a legacy SOAP API as a RESTful API. The SOAP API has complex XML schemas. You need to transform the SOAP response to JSON. Which policy should you use?

A.transform-body
B.return-response
C.convert-to-json
D.set-body
AnswerD

set-body policy allows you to transform the response body using Liquid templates or XSLT to convert SOAP XML to JSON.

Why this answer

Option D is correct because, of the policies listed, set-body is the one that rewrites the response payload: with `template="liquid"` it renders the SOAP XML into a JSON document you define, which is how API Management's own SOAP-to-REST import handles complex schemas (XSLT is available through the separate xsl-transform policy). Option C is wrong because there is no convert-to-json policy; the built-in generic conversion is named xml-to-json, which is not among the choices. Option A is wrong because there is no transform-body policy.

Option B is wrong because return-response short-circuits the pipeline and returns a response you construct; it does not transform the backend's body.

435
MCQmedium

Your IoT solution generates billions of small telemetry entries (each ~100 bytes). Data is written once and rarely updated. You need to run analytical queries on the last 30 days of data daily, scanning large ranges by timestamp, requiring sub-second response times. You want the lowest storage cost. Which Azure Storage solution should you use?

A.Azure Blob Storage
B.Azure Table Storage
C.Azure Cosmos DB
D.Azure Data Lake Storage
AnswerB

Table Storage is a NoSQL key-value store that handles massive amounts of structured data with low cost and supports fast range queries on RowKey, making it ideal for time-series telemetry.

Why this answer

Azure Table Storage is correct because it is a NoSQL key-value store optimized for high-volume, low-cost storage of structured data like telemetry entries. It supports efficient range queries on the partition key (e.g., timestamp) and row key, enabling sub-second scans of large date ranges. Its storage cost is the lowest among Azure storage options for this workload, as it charges only for consumed capacity with no minimum throughput commitments.

Exam trap

The trap here is that candidates often choose Azure Cosmos DB for its low-latency queries, overlooking the explicit 'lowest storage cost' requirement, which Table Storage satisfies due to its simpler architecture and lack of provisioned throughput costs.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage is designed for unstructured binary or text data, not for efficient range queries on structured fields like timestamps; scanning billions of small entries would require costly and slow blob listing or external indexing. Option C is wrong because Azure Cosmos DB, while supporting fast queries, has significantly higher storage and throughput costs compared to Table Storage, making it unsuitable for the lowest storage cost requirement. Option D is wrong because Azure Data Lake Storage is optimized for big data analytics on large files (e.g., petabytes) and hierarchical namespaces, not for sub-second range queries on billions of tiny records; its cost per GB is higher than Table Storage for this scale.

436
Multi-Selectmedium

Which TWO approaches can be used to securely connect an Azure web app to an on-premises database without exposing it to the internet?

Select 2 answers
A.Azure API Management
B.Public IP address with firewall rules
C.Azure VPN Gateway
D.Azure App Service Hybrid Connections
E.Azure ExpressRoute
AnswersC, E

VPN Gateway creates a secure site-to-site VPN.

Why this answer

Azure VPN Gateway (a site-to-site IPsec/IKE tunnel over the internet) and Azure ExpressRoute (a private circuit that does not traverse the internet) both extend the on-premises network into Azure; combined with App Service VNet integration, the web app reaches the database over private addressing. Option D is wrong in the answer key's terms because App Service Hybrid Connections, although they can reach an on-premises TCP endpoint, need the Hybrid Connection Manager relay agent installed on-premises and are configured per host and port rather than providing network-level connectivity. Option A is wrong because API Management publishes APIs; it is not a private network path to a database.

Option B is wrong because a public IP address, even with firewall rules, exposes the database to the internet.

437
Multi-Selectmedium

A company is designing a serverless application using Azure Functions. They need to orchestrate multiple functions in a workflow, handle errors, and manage state. Which TWO features should they use?

Select 2 answers
A.Fan-out/Fan-in pattern
B.Azure Event Grid
C.Durable Functions
D.Azure Logic Apps
E.Azure Data Factory
AnswersA, C

This pattern is used in Durable Functions for parallel processing.

Why this answer

Option A is correct because the Fan-out/Fan-in pattern is a core feature of Durable Functions that allows you to execute multiple functions in parallel (fan-out) and then aggregate their results (fan-in). This pattern is essential for orchestrating workflows, handling errors via retry policies, and managing state across function executions. Durable Functions provide built-in state management and checkpointing, making them ideal for serverless orchestration scenarios.

Exam trap

The trap here is that candidates may confuse Azure Logic Apps with Durable Functions, but Logic Apps is a separate service with its own pricing and execution model, not a feature of Azure Functions, and the question explicitly asks for features within a serverless application using Azure Functions.

438
MCQhard

Refer to the exhibit. You are deploying an ARM template that assigns the 'Storage Blob Data Contributor' role to the managed identity of an App Service named 'myapp' at the storage account 'mystorageacct' scope. The deployment fails with an error that 'principalId' is null. What is the most likely cause?

A.The role definition ID is incorrect.
B.The storage account name 'mystorageacct' does not exist.
C.The role assignment name is not unique.
D.The App Service 'myapp' does not have a managed identity enabled.
AnswerD

Without managed identity, principalId is null.

Why this answer

The reference function retrieves the App Service resource after it has been created, but if the App Service does not have a managed identity enabled, 'identity.principalId' is null. The template most likely did not enable the managed identity on the App Service. Option D is correct.

Option A is wrong because the role definition ID is correct. Option B is wrong because the storage account scope is correct. Option C is wrong because the role assignment name is unique.

439
MCQmedium

You are developing a web application that processes images uploaded by users. The images must be resized and analyzed for offensive content before being stored. You need to implement the solution with minimal latency and cost. What should you do?

A.Use Azure Batch to process images in parallel.
B.Use Durable Functions to orchestrate the resizing and analysis.
C.Use Azure Logic Apps with a trigger for each upload.
D.Use an Azure Function triggered by Blob Storage, with Consumption plan.
AnswerD

Functions with Consumption plan are event-driven, cost-effective, and scale automatically.

Why this answer

Option D is correct because using an Azure Function triggered by Blob Storage on a Consumption plan provides a serverless, event-driven architecture that automatically scales to process each image upload with minimal latency and cost. The Consumption plan charges only for execution time and resources used, making it cost-effective for sporadic workloads, while the Blob Storage trigger ensures immediate processing upon upload without polling or additional infrastructure.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing orchestration tools like Durable Functions or Logic Apps for simple sequential tasks, missing that a single Azure Function triggered by Blob Storage is the simplest, lowest-latency, and most cost-effective approach for event-driven image processing.

How to eliminate wrong answers

Option A is wrong because Azure Batch is designed for large-scale, compute-intensive batch jobs with job scheduling and pool management, which introduces overhead and latency unsuitable for real-time, per-upload processing. Option B is wrong because Durable Functions are meant for orchestrating long-running, stateful workflows with checkpoints and retries, adding unnecessary complexity and latency for simple, sequential operations like resizing and analysis. Option C is wrong because Azure Logic Apps incur higher per-action costs and introduce connector-based latency compared to a direct Azure Function trigger, and they are better suited for enterprise integration workflows rather than lightweight, event-driven image processing.

440
MCQmedium

You are monitoring a web application with Application Insights. The application occasionally returns HTTP 500 errors. You want to be notified immediately when the error rate exceeds 5% of all requests in a rolling 5-minute window. Which feature of Application Insights should you configure?

A.Create a Smart Detection rule for anomalous failures.
B.Create a metric alert on the 'Failed requests' metric with a threshold of 5%.
C.Create a log alert using a Kusto query that calculates the percentage of failed requests over the last 5 minutes, with an alert condition when the result exceeds 0.05.
D.Create an availability test that checks for HTTP 200 responses and alert on failures.
AnswerC

Log alerts allow complex queries. For example: 'requests | where timestamp > ago(5m) | summarize total=count(), failures=countif(success == false) | extend percent = failures * 100.0 / total | where percent > 5'. This triggers an alert when the condition is met.

Why this answer

Option C is correct because a log alert using a Kusto query allows you to calculate the exact percentage of failed requests over a rolling 5-minute window and trigger when that percentage exceeds 0.05 (5%). This is the only option that supports a dynamic, percentage-based threshold on a rolling time window, which is required for the stated condition. Metric alerts on 'Failed requests' measure absolute counts, not percentages, and Smart Detection does not allow custom percentage thresholds.

Exam trap

The trap here is that candidates confuse metric alerts (which work on absolute counts or rates) with log alerts (which can compute custom ratios like percentages), leading them to choose Option B without realizing that the 'Failed requests' metric cannot be configured to alert on a percentage threshold.

How to eliminate wrong answers

Option A is wrong because Smart Detection for anomalous failures uses machine learning to detect unusual patterns in failure rates, not a fixed 5% threshold over a 5-minute window; it cannot be configured to alert on a specific percentage. Option B is wrong because a metric alert on the 'Failed requests' metric measures the absolute count or rate of failed requests, not the percentage of failed requests relative to total requests; you cannot set a threshold of 5% on this metric directly. Option D is wrong because an availability test checks specific URLs for HTTP 200 responses and alerts on individual test failures, not on the aggregate error rate across all requests in a rolling time window.

441
MCQmedium

You are building an API that needs to send notifications to multiple subscribers. Each subscriber has a different callback URL, and you need to ensure each notification is sent exactly once and retried on failure. Which Azure service should you use?

A.Azure Event Grid.
B.Azure Service Bus.
C.Azure Notification Hubs.
D.Azure Queue Storage.
AnswerA

Correct. Event Grid delivers events to multiple subscribers with retry and exactly-once semantics.

Why this answer

Azure Event Grid is the correct choice because it is a fully managed event routing service that uses a publish-subscribe model with built-in retry logic and exactly-once delivery semantics. It supports multiple subscribers with distinct callback URLs (webhooks) and automatically retries delivery on failure, making it ideal for sending notifications to multiple endpoints with guaranteed delivery.

Exam trap

The trap here is that candidates often confuse Azure Event Grid with Azure Service Bus, mistakenly thinking a message broker is needed for multiple subscribers, but Event Grid's native webhook delivery and built-in retry make it the correct choice for this exact scenario.

How to eliminate wrong answers

Option B (Azure Service Bus) is wrong because it is a message broker designed for point-to-point or competing consumer patterns, not for broadcasting to multiple subscribers with individual callback URLs; it lacks native webhook delivery and requires custom polling or relay logic. Option C (Azure Notification Hubs) is wrong because it is optimized for push notifications to mobile devices (e.g., iOS, Android) and does not support arbitrary HTTP callback URLs or exactly-once delivery to multiple webhook subscribers. Option D (Azure Queue Storage) is wrong because it is a simple message queue for decoupling components with at-least-once delivery and no built-in retry or webhook subscription model; it cannot directly send notifications to multiple callback URLs.

442
MCQhard

Your application uses Azure Key Vault to store cryptographic keys used for signing. You need to ensure that the keys can be used by multiple applications, but only one application should be able to delete the key. What should you do?

A.Assign the 'Key Vault Crypto Officer' role to the application that needs to delete, and 'Key Vault Crypto User' to others.
B.Enable soft-delete and purge protection on the key vault.
C.Create a key rotation policy that automatically deletes old keys.
D.Configure the key vault firewall to allow only the authorized application's IP.
AnswerA

RBAC roles provide fine-grained permissions for key operations.

Why this answer

Key Vault access policies and RBAC allow granular permissions. You can assign the 'Key Vault Crypto Officer' role to the application that needs delete permissions, and assign 'Key Vault Crypto User' to other applications. Option A is correct.

Option B is wrong because soft-delete and purge protection guard against accidental deletion but do not control who can delete. Option C is wrong because a key rotation policy does not affect delete permissions. Option D is wrong because the key vault firewall controls network access, not permissions.

443
MCQmedium

Your API is secured using Azure AD (now Microsoft Entra ID) tokens. You need to validate the token in your custom code. Which library should you use to validate the token's signature, issuer, and audience?

A.ASP.NET Core Identity
B.Microsoft Graph SDK
C.Microsoft Authentication Library (MSAL)
D.Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt
AnswerD

These libraries provide token validation methods.

Why this answer

Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt are the standard .NET libraries for JWT token validation (signature, issuer, and audience checks). Option D is correct. Option C is wrong because MSAL is for acquiring tokens, not validating them.

Option B is wrong because the Microsoft Graph SDK is for calling the Microsoft Graph API. Option A is wrong because ASP.NET Core Identity is for user management.

444
MCQhard

You deploy a microservices architecture on Azure Kubernetes Service (AKS). Some pods report OOMKilled errors. Which diagnostic step should you take first?

A.Enable cluster autoscaler to add more nodes
B.Review container resource requests and limits in the pod YAML
C.Check node memory utilization with kubectl top nodes
D.Configure horizontal pod autoscaler based on memory
AnswerB

OOMKilled indicates the container exceeded its memory limit.

Why this answer

Option B is correct because reviewing the container resource requests and limits in the pod spec directly addresses the memory constraint that produces OOMKilled. Option C is wrong because the nodes may have enough memory; OOMKilled is about the container exceeding its own limit. Option A is wrong because the cluster autoscaler adds nodes, not memory to existing pods.

Option D is wrong because the HPA scales replicas, not memory limits.

445
MCQeasy

You are using Azure Application Insights to monitor a web application. You need to create a custom dashboard that shows the number of failed requests per endpoint over the last 24 hours. Which query language should you use?

A.Python
B.Kusto Query Language (KQL)
C.SQL
D.PowerShell
AnswerB

KQL is the query language for Azure Data Explorer and Application Insights.

Why this answer

Option B is correct because Application Insights uses Kusto Query Language (KQL) for querying telemetry. Options A, C, and D are wrong because Python, SQL, and PowerShell are not supported query languages in Application Insights.

446
MCQhard

Your application uses Azure Queue Storage to process orders. Occasionally, messages are not processed and remain in the queue. You need to ensure that messages are automatically retried after a specified time if they are not deleted. What should you configure?

A.Set the message visibility timeout to a small value
B.Configure a dead-letter queue
C.Enable queue storage logging
D.Increase the message time-to-live (TTL)
AnswerA

After the visibility timeout elapses, the message becomes visible again and can be retried.

Why this answer

Option A is correct because setting the message visibility timeout to a small value ensures that if a message is not deleted after processing (i.e., the worker fails or crashes), the message becomes visible again in the queue after the short timeout. This allows other queue consumers to retry processing the message automatically. The visibility timeout controls how long a message is hidden from other consumers after being dequeued, and a small value reduces the delay before a retry occurs.

Exam trap

The trap here is that candidates often confuse the visibility timeout with the message time-to-live (TTL) or think that logging or dead-letter queues directly enable automatic retries, when in fact the visibility timeout is the key mechanism for controlling retry timing.

How to eliminate wrong answers

Option B is wrong because a dead-letter queue is used to isolate messages that have exceeded their maximum delivery count or failed processing repeatedly, not to automatically retry messages after a specified time. Option C is wrong because enabling queue storage logging only records operations for auditing and diagnostics; it does not affect message retry behavior. Option D is wrong because increasing the message time-to-live (TTL) only extends how long a message can remain in the queue before expiring; it does not control when or how messages are retried after a processing failure.

447
MCQeasy

You deploy a container to Azure Container Instances. The container needs to persist data when it restarts. You mount an Azure Files share to a directory inside the container. Which volume type is this?

A.emptyDir
B.gitRepo
C.azureFile
D.secret
AnswerC

Correct. azureFile volume mounts an Azure Files share, which persists data across container restarts.

Why this answer

Option C is correct because Azure Container Instances supports mounting an Azure Files share as a volume to persist data across container restarts. The `azureFile` volume type references a pre-created Azure storage account and file share, which is mounted into the container's filesystem using SMB 3.0 protocol. This ensures data survives container crashes or restarts, as it is stored externally in Azure Files.

Exam trap

The trap here is that candidates may confuse `emptyDir` with persistent storage because it is commonly used in Kubernetes for temporary data, but in Azure Container Instances, `emptyDir` does not survive container restarts, whereas `azureFile` is the correct choice for persistence.

How to eliminate wrong answers

Option A is wrong because `emptyDir` is a temporary volume that exists only as long as the container runs; it is created empty when a container starts and is deleted when the container stops, so it does not persist data across restarts. Option B is wrong because `gitRepo` is a volume type used to clone a Git repository into the container at startup, not for persistent storage of application data. Option D is wrong because `secret` is used to inject sensitive data (e.g., certificates, keys) into a container as files, not for general-purpose persistent data storage.

448
MCQmedium

You are building an Azure Logic App that must send a confirmation email to users after a purchase. Your company uses Office 365 for email and you want to use the corporate email address. Which connector should you use?

A.Office 365 Outlook
B.SMTP
C.SendGrid
D.Outlook.com
AnswerA

Correct. This connector integrates with Office 365 and uses the sender's corporate email account.

Why this answer

The Office 365 Outlook connector is the correct choice because it provides direct, managed integration with Office 365 email services, allowing the Logic App to send emails using the corporate email address without needing to configure SMTP server details or handle authentication manually. This connector supports OAuth 2.0 authentication, which is the recommended and secure method for accessing Office 365 resources, and it is specifically designed for enterprise Office 365 accounts.

Exam trap

The trap here is that candidates confuse the Outlook.com connector (for personal accounts) with the Office 365 Outlook connector (for enterprise accounts), or they assume SMTP is always the simplest choice without considering authentication and security requirements in a cloud-native service.

How to eliminate wrong answers

Option B (SMTP) is wrong because while SMTP can technically send emails, it requires manual configuration of server, port, and credentials, and does not natively support OAuth 2.0 for Office 365, making it less secure and more complex to maintain in a Logic App. Option C (SendGrid) is wrong because SendGrid is a third-party email delivery service, not designed for sending emails directly from a corporate Office 365 mailbox; it would require a separate SendGrid account and API key. Option D (Outlook.com) is wrong because the Outlook.com connector is intended for personal Microsoft accounts (e.g., @outlook.com, @hotmail.com), not for corporate Office 365 accounts, and it does not support enterprise features like shared mailboxes or Exchange Online policies.

449
MCQmedium

Refer to the exhibit. You are deploying an ARM template that includes the above network security group rule. The rule is intended to block all outbound internet traffic from a virtual network. However, after deployment, virtual machines in the subnet still have outbound internet access. What is the most likely reason?

A.The destination port range '*' is invalid; you must specify explicit ports.
B.The source address prefix should be '*' instead of 'VirtualNetwork'.
C.The network security group is not associated with the subnet or network interface.
D.The rule priority is too low; it should be lower than the default allow rule.
AnswerC

Without association, the rule does not take effect.

Why this answer

Option C is correct. NSG rules are evaluated in priority order, and a lower number means a higher priority. The rule in the exhibit has priority 100, while the default AllowInternetOutbound rule has priority 65001, so the deny rule is evaluated first and would block outbound internet traffic. The source address prefix 'VirtualNetwork' is also correct: it matches traffic originating from the VMs inside the virtual network.

Because the rule definition itself is valid, the remaining explanation is that the rule never takes effect. An NSG only filters traffic once it is associated with a subnet or a network interface, and the exhibit shows only the rule definition, not an association. The most likely reason among the options is therefore that the NSG is not associated with the subnet or NIC.

Option A is wrong because '*' is a valid destination port range. Option B is wrong because the rule already applies to traffic from VMs in the VNet with 'VirtualNetwork' as the source. Option D is wrong because priority 100 already takes precedence over the default allow rule (65001).

450
MCQhard

Your application uses Azure Functions and needs to authenticate to a downstream API using OAuth 2.0. The function app uses a system-assigned managed identity. Which token endpoint should the function app call to get a token for the downstream API?

A.https://{function-app}.azurewebsites.net/.auth/login
B.https://{downstream-api}.azurewebsites.net/.auth/me
C.https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
D.http://169.254.169.254/metadata/identity/oauth2/token
AnswerD

This is the IMDS endpoint used by managed identities to get tokens.

Why this answer

The managed identity endpoint (http://169.254.169.254/metadata/identity/oauth2/token) is the Azure Instance Metadata Service (IMDS) endpoint that issues tokens for managed identities. Option C is wrong because the Entra ID token endpoint is for the client credentials flow without a managed identity. Option A is wrong because the function app's own /.auth/login endpoint is irrelevant to acquiring a token for the downstream API.

Option B is wrong because the downstream API's /.auth/me endpoint is not a token endpoint.
