Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 451525

997 questions total · 14pages · All types, answers revealed

Page 6

Page 7 of 14

Page 8
451
MCQeasy

You need to store millions of small JSON documents (each ~1 KB) that are frequently updated by multiple concurrent users. You require low-latency access to individual documents. Which Azure Storage solution should you use?

A.Azure Blob Storage with Block blobs
B.Azure Table Storage
C.Azure Files with SMB protocol
D.Azure Cosmos DB for NoSQL
AnswerB

Table Storage is a NoSQL store designed for large quantities of small entities with partition key and row key, ideal for this scenario.

Why this answer

Azure Table Storage is a NoSQL key-value store optimized for storing large volumes of structured, non-relational data with low-latency access by partition key and row key. It supports millions of small JSON documents (~1 KB) and handles frequent concurrent updates via optimistic concurrency control using ETags, making it ideal for this scenario.

Exam trap

The trap here is that candidates often choose Azure Cosmos DB for NoSQL because it is a more feature-rich document database, but the question emphasizes cost-effectiveness and simplicity for high-volume, low-latency key-value access, which is exactly where Azure Table Storage excels.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage with Block blobs is designed for large, unstructured binary or text objects (up to ~4.7 TB per blob) and does not provide native key-value lookup for individual small documents; it also lacks built-in optimistic concurrency for frequent updates by multiple users. Option C is wrong because Azure Files with SMB protocol provides file-level access with network shares, not a document store; it introduces protocol overhead and is not optimized for low-latency access to millions of individual small JSON documents. Option D is wrong because Azure Cosmos DB for NoSQL, while capable of storing JSON documents, is a premium, globally distributed database service with higher cost and complexity; for this specific requirement of millions of small, frequently updated documents with low-latency access, Azure Table Storage is the more cost-effective and purpose-built solution.

452
MCQmedium

Refer to the exhibit. You have an HTTP-triggered Azure Function that writes the request body to a blob in the 'samples-workitems' container. The function runs successfully but does not create a blob. What is the most likely cause?

A.The container name 'samples-workitems' is invalid
B.The blob name pattern {rand-guid} is not supported
C.The storage account connection string is not set in the function app settings
D.The blob output binding syntax is incorrect
AnswerC

Correct: Without the connection string, the binding cannot connect to storage.

Why this answer

The most likely cause is that the storage account connection string is not set in the function app settings. Azure Functions require the connection string for the storage account to be configured via the `AzureWebJobsStorage` app setting (or a custom connection setting referenced in the binding). Without it, the runtime cannot authenticate or communicate with Blob Storage, so the output binding silently fails to write the blob, even though the function executes successfully.

Exam trap

The trap here is that candidates assume the function code itself must be wrong (e.g., invalid container name or binding syntax) when the issue is a missing configuration setting that the Azure Functions runtime requires to connect to storage.

How to eliminate wrong answers

Option A is wrong because 'samples-workitems' is a valid container name; Azure Blob Storage allows lowercase letters, numbers, and hyphens, and this name follows those rules. Option B is wrong because the `{rand-guid}` pattern is a supported binding expression in Azure Functions that generates a random GUID for the blob name. Option D is wrong because the binding syntax shown (using `direction`, `type`, `name`, `path`, and `connection`) is correct for a blob output binding in a function.json file.

453
MCQhard

You are developing an application that writes blobs to Azure Blob Storage. The application requires high throughput and must handle transient failures. You need to implement a retry policy. Which approach should you use?

A.Use a circuit breaker pattern
B.Implement a custom retry loop with Thread.Sleep
C.Generate a SAS token with a long expiry
D.Configure the retry policy in the Azure.Storage.Blobs SDK
AnswerD

SDK provides built-in retry with exponential backoff.

Why this answer

The Azure.Storage.Blobs SDK provides built-in retry policies (e.g., ExponentialRetry, FixedRetry) that handle transient failures automatically with configurable delays, retry counts, and backoff strategies. This is the recommended approach because it integrates directly with the SDK's client pipeline, respects service throttling, and avoids blocking threads or reinventing error handling logic.

Exam trap

The trap here is that candidates confuse the circuit breaker pattern (a resilience pattern for preventing cascading failures) with a retry policy, or they incorrectly assume that a custom Thread.Sleep loop is acceptable in modern asynchronous Azure SDK applications.

How to eliminate wrong answers

Option A is wrong because the circuit breaker pattern is designed to prevent repeated calls to a failing service by opening the circuit, not to handle transient failures with retries; it is a complementary pattern, not a retry policy. Option B is wrong because Thread.Sleep blocks the current thread synchronously, which reduces throughput and scalability in an asynchronous application; it also lacks exponential backoff and integration with Azure SDK retry logic. Option C is wrong because a SAS token with a long expiry addresses authentication and access duration, not transient failure handling; retry policies are independent of token expiry.

454
MCQeasy

You need to diagnose why an Azure App Service web app returns HTTP 503 errors during peak traffic. Which Application Insights feature should you use?

A.Availability tests
B.Log Analytics query for failed requests
C.Application Map
D.Live Metrics
AnswerD

Monitors real-time performance and errors.

Why this answer

Option B is correct because Live Metrics shows real-time performance and can pinpoint issues. Option A is wrong because it's for code-level exceptions. Option C is wrong because it's for deployment-related issues.

Option D is wrong because it's for log search, not real-time monitoring.

455
Multi-Selecthard

Which THREE measures can you use to protect data at rest in Azure Cosmos DB? (Choose three.)

Select 3 answers
A.Enable encryption at rest using Microsoft-managed keys.
B.Use Azure RBAC to restrict access to the Cosmos DB account and data.
C.Configure customer-managed keys (CMK) in Azure Key Vault.
D.Enforce TLS 1.2 for all client connections.
E.Deploy Azure Firewall in front of the Cosmos DB account.
AnswersA, B, C

Cosmos DB encrypts data at rest by default.

Why this answer

Options A, B, and C are correct. Cosmos DB encrypts all data at rest by default using Microsoft-managed keys. Customer-managed keys (CMK) add an extra layer of protection.

RBAC ensures only authorized principals can access data. Option D is wrong because Azure Firewall is for network security, not data at rest. Option E is wrong because TLS protects data in transit.

456
MCQmedium

You are deploying an Azure Functions app that processes messages from an Azure Storage queue. The function must ensure that each message is processed at least once, and if processing fails, the message should be retried up to 5 times before being moved to a poison queue. Which configuration should you set?

A.Set the maxDequeueCount property in the host.json for the queue trigger to 5.
B.Manually implement a retry loop in the function code.
C.Set the visibility timeout to 5 minutes in the queue.
D.Set the message time-to-live to 5 in the queue.
AnswerA

The maxDequeueCount property defines the number of times a message is tried before moving to poison queue.

Why this answer

Option A is correct because the Azure Storage queue trigger's `maxDequeueCount` property in `host.json` controls the maximum number of times a message is dequeued for processing before it is moved to the poison queue. Setting it to 5 ensures that after 5 failed processing attempts, the message is automatically moved to the poison queue, satisfying the at-least-once processing and retry requirements without custom code.

Exam trap

The trap here is that candidates often confuse the `maxDequeueCount` property with other queue settings like visibility timeout or TTL, mistakenly thinking those control retry behavior, when in fact only `maxDequeueCount` governs the number of retries before poison queue escalation.

How to eliminate wrong answers

Option B is wrong because manually implementing a retry loop in the function code is unnecessary and error-prone; the Azure Functions runtime already provides built-in retry logic via the `maxDequeueCount` property, and manual loops can lead to infinite retries or improper poison message handling. Option C is wrong because setting the visibility timeout to 5 minutes only controls how long a message remains invisible after being dequeued, not the number of retry attempts; it does not limit retries or move messages to a poison queue. Option D is wrong because setting the message time-to-live (TTL) to 5 (likely meaning 5 seconds or 5 minutes) controls how long a message stays in the queue before expiring, not the retry count; expired messages are simply deleted, not moved to a poison queue.

457
Multi-Selectmedium

You are planning to migrate an on-premises application to Azure App Service. The application consists of a web frontend and a background worker that processes messages from a queue. Which TWO Azure services should you use to implement this solution?

Select 2 answers
A.Azure Kubernetes Service
B.Azure Batch
C.Azure Functions
D.Azure App Service
E.Azure Logic Apps
AnswersC, D

Can process queue messages as background worker.

Why this answer

Azure Functions (C) is correct because it provides a serverless compute service that can be triggered by queue messages, making it ideal for the background worker that processes messages from a queue. Azure App Service (D) is correct because it hosts the web frontend, providing a fully managed platform for web applications with built-in scaling and load balancing.

Exam trap

The trap here is that candidates often confuse Azure Functions with Azure Logic Apps, but Logic Apps is a workflow orchestration service (not a compute service) and cannot run arbitrary code like a background worker processing queue messages.

458
MCQeasy

Contoso is building a serverless application using Azure Functions. One function needs to read messages from an Azure Event Hub and store them in Azure Blob Storage. The function uses the Event Hubs trigger. The team wants to authenticate to both Event Hubs and Blob Storage using managed identities. The Function app has system-assigned managed identity enabled. Which role assignments are required on the Event Hubs namespace and the storage account?

A.Assign the 'Azure Event Hubs Data Sender' role and 'Storage Blob Data Reader' role.
B.Assign the 'Azure Event Hubs Data Reader' role (which does not exist) and 'Storage Blob Data Contributor' role.
C.Assign the 'Azure Event Hubs Data Receiver' role to the managed identity on the Event Hubs namespace. Assign the 'Storage Blob Data Contributor' role to the managed identity on the storage account.
D.Assign the 'Azure Event Hubs Data Owner' role and 'Storage Blob Data Owner' role.
AnswerC

Correct: correct roles for reading from Event Hubs and writing to Blob.

Why this answer

For Event Hubs, the managed identity needs 'Azure Event Hubs Data Receiver' role. For Blob Storage, it needs 'Storage Blob Data Contributor' role. Option A is correct.

Option B has wrong roles. Option C uses wrong roles. Option D has wrong roles.

459
Multi-Selecthard

Which THREE are benefits of using Azure API Management for consuming third-party APIs? (Choose three.)

Select 3 answers
A.Transforming request and response formats (e.g., XML to JSON).
B.Implementing rate limiting and throttling to avoid exceeding API quotas.
C.Automatically scaling the third-party API based on demand.
D.Caching responses to reduce latency and load on the third-party API.
E.Providing a global load balancer for the third-party API.
AnswersA, B, D

APIM policies can transform data formats.

Why this answer

APIM provides caching, transformation, and rate limiting. Option A (caching) reduces latency; Option B (transformation) allows modifying requests/responses; Option D (rate limiting) protects backend. Option C is not a typical benefit; Option E is a feature of Azure Front Door, not APIM.

460
MCQhard

You deploy a microservices application to Azure Kubernetes Service (AKS). The application uses Azure Cache for Redis to store session state. Users report that they are frequently logged out. You suspect that the session data is being evicted from the cache. Which configuration change should you make to reduce evictions?

A.Enable clustering for the cache
B.Enable data persistence using RDB or AOF
C.Increase the maxmemory-reserved setting or change eviction policy
D.Upgrade to a higher-tier Azure Cache for Redis
AnswerC

Increasing reserved memory or using a more suitable eviction policy reduces evictions.

Why this answer

Option B is correct because increasing the maxmemory-policy to 'allkeys-lru' or increasing memory allocation reduces evictions. Option A is wrong because enabling persistence (RDB/AOF) does not prevent evictions. Option C is wrong because enabling clustering adds complexity and does not directly reduce evictions.

Option D is wrong because using a different tier with more memory is a valid solution, but the question asks for a configuration change within the existing cache instance.

461
MCQmedium

A developer is implementing Key Vault certificate retrieval. The application runs on Azure App Service and must avoid stored credentials. Which design should be used? The design must avoid adding custom operational scripts.

A.Use a shared administrator account
B.Store a client secret in source control
C.Enable managed identity and grant least-privilege access to the target resource
D.Disable authentication for the target resource
AnswerC

Managed identity lets Azure-hosted apps authenticate without stored secrets.

Why this answer

Managed identity (system-assigned or user-assigned) allows the App Service to authenticate to Key Vault without any stored credentials, because Azure automatically rotates the identity's service principal and provides an access token via the Azure Instance Metadata Service (IMDS) endpoint. By granting least-privilege access (e.g., a Key Vault access policy with only 'Get' on secrets), the design meets the requirement to avoid stored credentials and custom operational scripts.

Exam trap

The trap here is that candidates may think storing a client secret in Azure App Service application settings (Option B) is acceptable because it's not in source control, but the question explicitly requires avoiding stored credentials entirely, and managed identity is the only zero-credential solution.

How to eliminate wrong answers

Option A is wrong because using a shared administrator account requires storing credentials (username/password or certificate) in the application configuration or code, violating the 'avoid stored credentials' requirement. Option B is wrong because storing a client secret in source control is a security anti-pattern that exposes credentials in the codebase, and it still requires manual secret rotation and management. Option D is wrong because disabling authentication for the target resource (Key Vault) would allow anonymous access, which is a severe security vulnerability and contradicts the principle of least privilege.

462
Multi-Selecteasy

Which TWO Azure services can be used to implement serverless event-driven architectures?

Select 2 answers
A.Azure Batch
B.Azure Logic Apps
C.Azure Functions
D.Azure Container Instances
E.Azure Virtual Machines
AnswersB, C

Logic Apps are serverless workflows that integrate with various services.

Why this answer

Azure Logic Apps is correct because it provides a fully managed integration platform for orchestrating workflows that respond to events from various sources, such as HTTP requests, Azure services, or third-party apps, using a visual designer and connectors. Azure Functions is correct because it offers event-driven compute capabilities where code executes in response to triggers like HTTP requests, queue messages, or timer events, enabling serverless architectures without managing infrastructure.

Exam trap

The trap here is that candidates often confuse Azure Batch or Azure Container Instances as serverless event-driven services because they are 'serverless' in some sense, but they lack the native event-triggering and orchestration capabilities that define serverless event-driven architectures.

463
Multi-Selecteasy

Which TWO Azure services can be used to store application configuration settings?

Select 2 answers
A.Azure App Configuration
B.Azure Queue Storage
C.Azure Blob Storage
D.Azure Cosmos DB
E.Azure Key Vault
AnswersA, E

Azure App Configuration is a managed service for configuration settings.

Why this answer

Options B and C are correct. Azure App Configuration is purpose-built for configuration. Azure Key Vault can store secrets that are part of configuration.

Option A (Cosmos DB) is a database; Option D (Blob Storage) can store config files but is not a managed configuration service; Option E (Queue Storage) is for messages.

464
MCQmedium

A company uses Azure Logic Apps to integrate with a third-party SaaS application. The Logic App must send an HTTP request to the SaaS API and handle pagination. Which connector should be used?

A.API Connection
B.HTTP + Swagger
C.HTTP
D.HTTP Webhook
AnswerC

The HTTP connector allows full control over requests and responses, enabling custom pagination logic.

Why this answer

Option C is correct because the HTTP connector allows custom HTTP requests, including handling pagination manually. Option A (HTTP + Swagger) is for APIs with Swagger definitions; Option B (HTTP Webhook) is for subscriptions; Option D (API Connection) requires a pre-built connector, which may not support custom pagination.

465
MCQeasy

A developer needs to deploy a web app that uses Azure SQL Database. They want to connect to the database using a connection string without storing it in code. Which feature of Azure App Service should they use?

A.Key Vault references
B.Environment variables
C.Application settings
D.Azure App Configuration
AnswerC

App settings can securely store connection strings.

Why this answer

App Settings in Azure App Service allow storing connection strings securely. Option B is wrong because Key Vault references are used but require additional setup. Option C is wrong because App Configuration is for configuration management.

Option D is wrong because Environment variables are not persistent in App Service.

466
MCQmedium

You are deploying a containerized application to Azure Container Instances. The application must restart automatically if it crashes. You set the restart policy to 'Always'. However, the container keeps restarting continuously even when there is no crash. What is the most likely cause?

A.The container is configured with an Azure Files volume that is not accessible.
B.The application inside the container exits with a non-zero exit code on startup.
C.The container is trying to bind to a port that is already in use on the host.
D.The container is exceeding the allocated CPU or memory limits.
AnswerB

Non-zero exit triggers restart; if immediate, leads to loop.

Why this answer

Option B is correct because if the application exits with a non-zero exit code, the 'Always' restart policy treats it as a failure and restarts it. This can lead to a continuous restart loop if the application fails immediately on startup. Option A is wrong because CPU/memory limits don't cause restart loops unless the container is repeatedly terminated (OOMKilled), but that would show a crash.

Option C is wrong because volumes causing crashes would exit with non-zero, same as B. Option D is wrong because public IP assignment doesn't affect restart behavior.

467
Multi-Selecthard

Which THREE components are required to implement a secure authentication flow for a single-page application (SPA) using Microsoft Entra ID to call Microsoft Graph? (Choose three.)

Select 3 answers
A.Client certificate
B.Authorization endpoint
C.Client ID (Application ID)
D.Client secret
E.Token endpoint
AnswersB, C, E

To obtain authorization code.

Why this answer

Options A, B, and D are correct. A SPA needs a client ID, authorization endpoint, and token endpoint. Option C is wrong because client secret is not used in public clients like SPAs.

Option E is wrong because certificate is for confidential clients.

468
MCQhard

You are deploying a containerized application on Azure Container Instances (ACI) that needs to run as a background job every hour. The job processes data from an Azure SQL Database and sends a report via email. You need to minimize costs while ensuring the job runs reliably on schedule. The job takes about 10 minutes to complete. What should you do?

A.Use Azure Batch with a job schedule to run the container as a task.
B.Create an Azure Logic App with a recurrence trigger that starts the container group using the 'Start Container Group' action, and stop it after completion.
C.Deploy the container on a single Azure virtual machine and schedule it using Windows Task Scheduler.
D.Use an Azure Function with a timer trigger that uses the Azure Container Instances SDK to start the container group.
AnswerB

Logic App can start and stop ACI on schedule, minimizing cost.

Why this answer

Option B is correct because it uses Azure Logic Apps with a recurrence trigger to start the container group only when needed, and stops it after the job completes. This minimizes costs by avoiding continuous running charges for the container, while the Logic App itself incurs minimal execution cost. The job's 10-minute duration fits well within the 1-hour recurrence window, ensuring reliable scheduling without idle compute time.

Exam trap

The trap here is that candidates may assume an Azure Function with a timer trigger is the cheapest option, but they overlook the Function's execution timeout limits and the need to manage container lifecycle, making Logic Apps the more reliable and cost-effective choice for this specific scenario.

How to eliminate wrong answers

Option A is wrong because Azure Batch is designed for large-scale parallel batch processing across multiple nodes, which is overkill and more expensive for a single container running a 10-minute job every hour. Option C is wrong because deploying a dedicated Azure VM incurs continuous compute costs even when the job is not running, and Windows Task Scheduler does not natively manage container lifecycle or provide the same reliability as Azure-native scheduling. Option D is wrong because an Azure Function with a timer trigger using the ACI SDK to start the container group would still require the container to run continuously or incur additional complexity for stopping it, and the Function's execution time limit (default 5 minutes, max 10 minutes) may not reliably accommodate the job's 10-minute duration without premium plans.

469
MCQmedium

You are building an Azure Logic App that must call a third-party REST API secured with OAuth 2.0 Client Credentials flow. The client ID and client secret are stored in Azure Key Vault. You need to securely obtain an access token and include it in requests to the API. Which approach should you use in the Logic App?

A.Use the HTTP action with 'Active Directory OAuth' authentication and hardcode the client secret in the connection parameters.
B.Create an Azure API connection (custom connector) with the OAuth 2.0 settings and store the secret in the connector's definition.
C.Enable a system-assigned managed identity for the Logic App, grant it access to Key Vault, use the 'Get secret' action to retrieve the client secret into a variable, then use the HTTP action with 'Active Directory OAuth' authentication referencing that variable for the secret.
D.Store the client secret in an Azure App Service application setting and reference it in the Logic App via a connector.
AnswerC

This approach uses managed identity to securely access Key Vault, and the secret is passed at runtime without being exposed in the workflow definition. The HTTP action's OAuth authentication can use a variable for the client secret.

Why this answer

Option C is correct because it securely retrieves the client secret from Azure Key Vault at runtime using a managed identity, avoiding any hardcoded secrets. The Logic App's system-assigned managed identity is granted access to Key Vault, then the 'Get secret' action fetches the secret into a variable, which is passed to the HTTP action's 'Active Directory OAuth' authentication. This approach follows the principle of least privilege and eliminates secret exposure in connection definitions or source code.

Exam trap

The trap here is that candidates may think a custom connector (Option B) is the correct way to handle OAuth 2.0, but they overlook that storing the secret in the connector definition is not secure and that managed identities with Key Vault provide a more robust and auditable solution.

How to eliminate wrong answers

Option A is wrong because hardcoding the client secret in the HTTP action's connection parameters violates security best practices and exposes the secret in the Logic App's definition and runtime history. Option B is wrong because storing the secret in the custom connector's definition embeds it in the connector metadata, which is not secure and cannot be dynamically rotated without redeploying the connector. Option D is wrong because Azure App Service application settings are not designed for Logic Apps (they are for App Service apps) and referencing them via a connector still exposes the secret in the Logic App's configuration, lacking the secure retrieval and dynamic secret management that Key Vault provides.

470
MCQmedium

You are building a serverless workflow using Azure Logic Apps. The workflow must start when a new blob is uploaded to a specific container in Azure Blob Storage. Which trigger should you configure?

A.When a blob is created or modified (blob trigger)
B.HTTP request trigger
C.Recurrence trigger
D.Service Bus trigger
AnswerA

This trigger monitors a blob storage container and fires when a new blob is added or an existing blob is updated.

Why this answer

Option A is correct because the 'When a blob is created or modified (blob trigger)' is the native Azure Logic Apps trigger designed to start a workflow automatically when a new blob is uploaded or an existing blob is modified in a specified Azure Blob Storage container. This trigger uses the Azure Blob Storage event subscription to detect changes and is the appropriate choice for event-driven serverless workflows that respond to blob storage events.

Exam trap

The trap here is that candidates often confuse the Blob Storage trigger with the HTTP trigger, thinking they can manually invoke the workflow via a URL, but the question specifically requires an event-driven start from a blob upload, which only the blob trigger supports.

How to eliminate wrong answers

Option B is wrong because the HTTP request trigger is used to start a workflow when an external HTTP request is received, not when a blob is uploaded to Blob Storage. Option C is wrong because the Recurrence trigger runs the workflow on a fixed schedule (e.g., every hour) and does not respond to real-time blob upload events. Option D is wrong because the Service Bus trigger is designed to start a workflow when a message is received from an Azure Service Bus queue or topic, not from Blob Storage.

471
MCQmedium

Your company is building a real-time dashboard that displays sales data from multiple stores. The data is generated as events from point-of-sale systems and must be ingested with low latency. The dashboard needs to display aggregated data (e.g., total sales per store per minute) with a maximum delay of 5 seconds from event generation. You have decided to use Azure Event Hubs for ingestion and Azure Stream Analytics for real-time processing. The processed data will be stored in Azure Cosmos DB for the dashboard to query. However, the dashboard requires that the data in Cosmos DB be updated as soon as new aggregations are available. You need to design the output from Azure Stream Analytics to Cosmos DB. Which output configuration should you use?

A.Configure the output to use Cosmos DB MongoDB API and use a unique index on store ID and timestamp.
B.Output to Azure Cosmos DB Table API with a partition key of store ID.
C.Write the output to Azure Blob Storage and use an Azure Function triggered by blob creation to update Cosmos DB.
D.Configure the output to use Cosmos DB SQL API with the document ID set to a concatenation of store ID and minute timestamp, and enable upsert.
AnswerD

SQL API with upsert provides low-latency updates.

Why this answer

Azure Stream Analytics can output to Cosmos DB. To ensure low latency and upserts, you should configure the output to use the Cosmos DB SQL API with a document ID that is a composite key (e.g., storeId + timestamp) to enable upserts. Option A is correct because it specifies the correct API and upsert configuration.

Option B is incorrect because the MongoDB API may not support the same performance guarantees. Option C is incorrect because writing to Blob Storage and then using a trigger introduces additional latency. Option D is incorrect because Table API is not suitable for the required query patterns.

472
MCQmedium

You are investigating a slow API call in your Azure web app. Application Insights shows that the request took 10 seconds. You need to view all the dependencies (database calls, external HTTP requests) that contributed to this request. What should you use?

A.Application Map
B.Live Metrics
C.Transaction Search
D.Usage Analysis
AnswerC

Transaction Search lets you find a specific request by its ID or properties and view the full transaction trace including all dependencies.

Why this answer

Transaction Search (now part of the 'Search' experience in Application Insights) allows you to query individual requests and drill into their correlated dependency calls, such as SQL queries or external HTTP requests, showing the exact duration and sequence of each dependency. This is the correct tool to identify which specific dependencies contributed to the 10-second request latency.

Exam trap

The trap here is that candidates often confuse Application Map (a high-level topology view) with the detailed dependency drill-down available in Transaction Search, leading them to choose A when they need to see the specific calls and timings for a single request.

How to eliminate wrong answers

Option A is wrong because Application Map provides a topological view of your application's components and their health, but it does not show the detailed dependency call list or timing for a specific request. Option B is wrong because Live Metrics shows real-time performance data (e.g., request rate, failure count) but does not allow you to inspect historical dependency details for a past slow request. Option D is wrong because Usage Analysis focuses on user behavior metrics (e.g., page views, sessions) and is not designed for diagnosing dependency-level performance issues.

473
MCQmedium

You are troubleshooting an Azure App Service that runs a Node.js application. The application returns HTTP 500 errors intermittently. Application Insights is configured. Which telemetry item should you examine first to find the root cause?

A.Exceptions
B.Traces
C.Dependencies
D.Requests
AnswerA

Exceptions telemetry captures detailed error information.

Why this answer

Option D is correct because exceptions telemetry captures unhandled exceptions and stack traces. Option A (traces) may not include errors. Option B (requests) shows success/failure but not details.

Option C (dependencies) shows external calls.

474
MCQeasy

You need to restrict access to an Azure web app so that only traffic from a specific virtual network (VNet) can reach it. The web app is already deployed. What should you configure on the web app?

A.VNet integration
B.Access restrictions
C.Network Security Group (NSG) on the subnet
D.Point-to-Site VPN
AnswerB

Access restrictions can deny all traffic except from a specific VNet.

Why this answer

Access restrictions (also known as IP restrictions) allow you to define allow/deny rules based on source IP addresses or Virtual Network (VNet) service endpoints. By configuring a service endpoint-based rule that permits traffic only from your specific VNet, you can block all other inbound traffic to the web app. This is the correct mechanism for restricting access at the web app level without modifying the underlying infrastructure.

Exam trap

The trap here is confusing VNet integration (outbound) with access restrictions (inbound), leading candidates to select VNet integration when the question asks about restricting incoming traffic from a VNet.

How to eliminate wrong answers

Option A is wrong because VNet integration enables the web app to access resources inside a VNet (outbound connectivity), not to restrict inbound traffic from that VNet. Option C is wrong because an NSG on the subnet controls traffic to and from resources within that subnet, but it cannot directly filter traffic to an Azure App Service, which is a PaaS service not hosted in your VNet. Option D is wrong because Point-to-Site VPN is used for individual client machines to connect to a VNet, not for restricting inbound access to a web app from an entire VNet.

475
Multi-Selecthard

Which THREE actions should you take to optimize cost for an Azure Functions app that processes messages from a queue?

Select 3 answers
A.Use Consumption plan instead of Premium
B.Implement batch processing to reduce the number of function executions
C.Use Premium plan only during peak hours with auto-scale
D.Enable Always On to keep the app warm
E.Increase function timeout to reduce retries
AnswersA, B, C

Pay-per-execution is cost-effective for variable workloads.

Why this answer

Options A, C, and E are correct. Using Consumption plan scales costs with usage, batching reduces executions, and using Premium only when needed avoids fixed costs. Option B is wrong because Always On keeps app running.

Option D is wrong because increased timeout doesn't reduce cost.

476
MCQhard

You are optimizing an Azure SQL Database that runs a heavy reporting workload. Queries are slow due to high logical reads. Which index strategy should you recommend?

A.Use columnstore indexes on fact tables
B.Create nonclustered indexes with included columns
C.Disable auto-update statistics
D.Rebuild clustered indexes with higher fill factor
AnswerB

Included columns create covering indexes that reduce logical reads.

Why this answer

Option D is correct because covering indexes include all columns needed by queries, reducing reads. Option A is wrong because it's for key lookups, not covering. Option B is wrong because clustered index doesn't cover all columns.

Option C is wrong because columnstore indexes are for large scans, not OLTP.

477
MCQmedium

Your company has an application running on Azure Virtual Machines that needs to access secrets in Azure Key Vault. You want to restrict network access to the Key Vault so that only the virtual network/subnet containing the VMs can reach it. You also want to ensure that the solution works with the least management overhead. Which configuration should you use?

A.Configure Key Vault firewall with IP-based rules that allow the VM's public IP address.
B.Configure a Private Endpoint for the Key Vault in the same virtual network as the VMs.
C.Configure Key Vault firewall to allow access from the virtual network and subnet using service endpoints.
D.Use a shared access signature (SAS) to access Key Vault secrets.
AnswerC

Enabling service endpoints on the subnet and adding the VNet/Subnet to the Key Vault firewall rules restricts traffic to only that subnet. It is easy to configure and provides secure network isolation.

Why this answer

Option C is correct because configuring Key Vault firewall with virtual network service endpoints allows you to restrict access to the Key Vault to a specific virtual network and subnet without exposing the VMs to the internet. This approach leverages Azure's backbone network for traffic, providing secure and direct connectivity with minimal management overhead, as service endpoints are automatically maintained by Azure.

Exam trap

The trap here is that candidates often confuse Private Endpoints with service endpoints, assuming Private Endpoints are always the best choice for network isolation, but service endpoints are simpler and have less management overhead when you only need to restrict access to a specific virtual network/subnet without requiring private IP connectivity.

How to eliminate wrong answers

Option A is wrong because using IP-based rules with the VM's public IP address exposes the VM to the internet and requires managing public IP changes, increasing management overhead and security risk. Option B is wrong because a Private Endpoint uses a private IP from the virtual network, which is more complex to set up and manage than service endpoints for this scenario, and it incurs additional costs for the private endpoint resource. Option D is wrong because shared access signatures (SAS) are used for granting delegated access to Azure Storage resources, not for accessing Key Vault secrets; Key Vault uses Azure AD authentication and access policies.

478
MCQeasy

Your company uses Azure Key Vault to store secrets. You need to ensure that if a secret is deleted, it can be recovered within 30 days. Which Key Vault feature should you enable?

A.Soft-delete
B.Purge protection
C.RBAC (Role-Based Access Control)
D.Access policies
AnswerA

Correct. Soft-delete retains deleted secrets for a specified period, allowing recovery.

Why this answer

Soft-delete is the correct feature because it allows you to recover a deleted secret within a configurable retention period (default 90 days, but can be set to as low as 1 day). When soft-delete is enabled, a deleted secret is marked as deleted but remains recoverable until the retention period expires. This directly meets the requirement to recover a secret within 30 days.

Exam trap

The trap here is that candidates often confuse purge protection with soft-delete, thinking that purge protection alone allows recovery, when in fact purge protection only prevents permanent deletion after soft-delete has already occurred.

How to eliminate wrong answers

Option B (Purge protection) is wrong because purge protection only prevents the permanent deletion of a soft-deleted secret until the retention period ends; it does not by itself enable recovery of a deleted secret. Option C (RBAC) is wrong because RBAC controls access permissions to Key Vault resources but has no effect on secret recovery after deletion. Option D (Access policies) is wrong because access policies define which users or applications can read, write, or delete secrets, but they do not provide any recovery capability for deleted secrets.

479
MCQeasy

A company deploys a stateful application as a container in Azure Container Instances (ACI). They need persistent storage that can be shared across multiple container instances and retain data after container restarts. Which volume mount should they use?

A.emptyDir
B.Azure Files share
C.Host path
D.Secret volume
AnswerB

Azure Files share volumes provide durable, shared storage that persists beyond container restarts and can be used by multiple container groups.

Why this answer

Azure Files shares provide fully managed SMB file shares in the cloud that can be mounted as volumes in Azure Container Instances. This allows multiple container instances to read and write to the same persistent storage concurrently, and data persists independently of container lifecycles, surviving restarts or deletions. The scenario requires shared, persistent storage across instances, which Azure Files uniquely supports among the given options.

Exam trap

The trap here is that candidates often confuse emptyDir (which is ephemeral and pod-scoped) with persistent storage, or assume host path works in ACI because it works in Kubernetes, but ACI does not expose host filesystem access.

How to eliminate wrong answers

Option A is wrong because emptyDir volumes are ephemeral and tied to a pod's lifecycle; data is lost when the container or pod is deleted, and it cannot be shared across separate container instances. Option C is wrong because host path volumes mount a directory from the underlying host node's filesystem, which is not supported in Azure Container Instances (ACI is a serverless container service without direct host node access) and would not provide shared access across multiple instances. Option D is wrong because secret volumes are used to inject sensitive data (e.g., certificates, keys) into containers as files, not for persistent or shared storage; they are read-only and ephemeral.

480
MCQeasy

You need to ensure that secrets stored in Azure Key Vault are automatically rotated every 90 days. Which feature should you configure?

A.Set an access policy for the secret
B.Enable soft delete and purge protection
C.Set a secret expiration date
D.Use Key Vault secret rotation with Event Grid and Azure Functions
AnswerD

This is the recommended approach to automate secret rotation.

Why this answer

Key Vault does not support automatic rotation natively; you need to use a manual or custom solution. However, the question asks for 'automatically', and the closest built-in feature is the 'Create a key rotation policy' for keys, but for secrets, there is no automatic rotation. The answer is that there is no built-in automatic rotation for secrets; you must use a custom solution or Azure Event Grid with a function.

But since the options must be plausible, the correct answer here is that you need to implement a custom solution using Azure Functions and Event Grid.

481
MCQmedium

You have an Azure App Service web app that experiences high CPU usage during peak hours. You need to scale out automatically based on CPU load. Which scaling solution should you use?

A.Manual scaling
B.Traffic Manager
C.Autoscale with a CPU percentage rule
D.Scale sets autoscale
AnswerC

Autoscale can scale out when CPU exceeds a threshold.

Why this answer

Autoscale with a CPU percentage rule is the correct solution because Azure App Service supports built-in autoscaling that can automatically increase or decrease the number of instances based on a metric like CPU percentage. This allows the web app to handle peak-hour traffic by scaling out when CPU usage exceeds a defined threshold, ensuring performance without manual intervention.

Exam trap

The trap here is that candidates may confuse 'scale sets autoscale' (which is for VMs) with App Service autoscale, or think Traffic Manager can scale resources, when it only distributes traffic.

How to eliminate wrong answers

Option A is wrong because manual scaling requires human intervention to adjust instance counts, which cannot automatically respond to CPU load during peak hours. Option B is wrong because Traffic Manager is a DNS-based traffic load balancer that routes traffic across endpoints but does not scale the underlying compute resources based on CPU metrics. Option D is wrong because 'Scale sets autoscale' refers to Virtual Machine Scale Sets, which are used for scaling VMs, not for Azure App Service web apps; App Service has its own autoscale feature that does not require scale sets.

482
MCQhard

You are designing a serverless architecture using Azure Functions for a data processing pipeline. The pipeline must process messages from an Azure Service Bus queue. Each message can take up to 5 minutes to process. You need to ensure that if a function fails, the message is not lost and is retried after a delay. What should you configure?

A.Use the PeekLock message receive mode and manually complete the message only after successful processing.
B.Use Durable Functions with a retry policy.
C.Set the Azure Functions retry policy in the host.json file.
D.Configure the Service Bus queue to dead-letter messages after a specified number of delivery attempts.
AnswerD

Prevents message loss and allows retries via MaxDeliveryCount.

Why this answer

Option C is correct because Service Bus queue dead-lettering automatically moves poison messages after exceeding MaxDeliveryCount. Enabling dead-lettering ensures failed messages are preserved for later investigation. Option A is wrong because Durable Functions are for orchestrating long-running workflows, not for simple retry logic.

Option B is wrong because Azure Functions host-level retry policy doesn't apply to Service Bus triggers; Service Bus itself handles retries via MaxDeliveryCount. Option D is wrong because using PeekLock mode with automatic completion on success is the default; if the function fails without calling complete, the lock expires and the message becomes visible again, which can cause infinite retries without dead-lettering.

483
MCQhard

You are designing a solution that uses Azure Event Hubs to ingest telemetry data. The data must be encrypted at rest and in transit. Additionally, you need to ensure that only authorized applications can publish messages to the event hub. Which combination of features should you use?

A.Use managed identities for applications and enable encryption at rest using customer-managed keys.
B.Use SAS tokens or managed identities for authentication, and rely on default encryption at rest and in transit.
C.Use Azure Private Link to connect applications to Event Hubs.
D.Enable Azure Firewall on the Event Hubs namespace and use IP filtering.
AnswerB

Event Hubs encrypts at rest by default and in transit via TLS; SAS or managed identities authorize publishers.

Why this answer

Option D is correct because Event Hubs enables encryption at rest by default (Azure Storage Service Encryption) and in transit via TLS, and uses shared access signatures (SAS) or managed identities for authorization. Option A is wrong because firewall restricts network access, not authorization. Option B is wrong because private endpoints are for network isolation.

Option C is wrong because managed identity provides authorization, but encryption at rest is default.

484
Multi-Selecteasy

Which TWO Azure services can be used to securely store and retrieve secrets, such as API keys and connection strings, for use in cloud applications?

Select 2 answers
A.Azure Cosmos DB
B.Azure Key Vault
C.Azure Blob Storage
D.Azure App Configuration
E.Azure SQL Database
AnswersB, D

Dedicated secrets management service.

Why this answer

A and D are correct. Azure Key Vault is designed for secrets management. Azure App Configuration can store Key Vault references, effectively storing secrets securely.

Option B is wrong because Azure Blob Storage is not designed for secrets; it stores blobs. Option C is wrong because Azure Cosmos DB is a NoSQL database. Option E is wrong because Azure SQL Database is a relational database.

485
MCQeasy

You are building a solution that needs to process large CSV files uploaded to Azure Blob Storage. Each file can be up to 1 GB. You want to minimize processing time and cost. Which approach should you recommend?

A.Use Azure Data Factory to copy the data from Blob Storage to Azure SQL Database and perform transformations.
B.Use Azure Logic Apps to trigger a function that parses the CSV and inserts into Cosmos DB.
C.Download the file to an Azure VM and use a custom script to parse and insert into a database.
D.Use Azure Stream Analytics to read the CSV from Blob Storage and output to a data warehouse.
AnswerA

Data Factory is optimized for large-scale data movement and transformation.

Why this answer

Azure Data Factory (ADF) is the correct choice because it is a fully managed, serverless data integration service designed for high-scale data movement and transformation. ADF can directly read large CSV files from Blob Storage using Copy Activity with built-in parallelization and chunking, then transform the data using Mapping Data Flows or stored procedures in Azure SQL Database, all without provisioning VMs or managing infrastructure. This minimizes both processing time (via scale-out) and cost (pay-per-use, no idle compute).

Exam trap

The trap here is that candidates often choose Logic Apps or Stream Analytics because they are 'serverless' and 'low-code', but they fail to recognize that these services are optimized for small payloads or real-time streams, not for batch processing of multi-gigabyte files.

How to eliminate wrong answers

Option B is wrong because Azure Logic Apps is a workflow orchestration service, not a data processing engine; it would require pulling the entire 1 GB CSV into memory via a trigger, causing timeouts (default 2-min timeout) and high memory consumption, making it unsuitable for large files. Option C is wrong because downloading a 1 GB file to an Azure VM introduces network transfer latency, VM provisioning costs, and manual scaling overhead, which increases both time and cost compared to serverless alternatives. Option D is wrong because Azure Stream Analytics is designed for real-time streaming data (e.g., IoT events) and cannot efficiently process batch-oriented, large CSV files; it lacks native CSV parsing and batch transformation capabilities, leading to poor performance and higher cost.

486
MCQmedium

Refer to the exhibit. You deploy an Azure Storage account using the ARM template snippet. A developer reports that they cannot connect to the storage account from their machine with IP 10.0.0.5, even though they have the proper RBAC role. What is the most likely reason?

A.The storage account is configured to bypass Azure Services, which blocks non-Azure clients.
B.The developer does not have the Storage Blob Data Contributor role.
C.The storage account firewall is configured to deny all traffic except from the 192.168.1.0/24 IP range.
D.The minimum TLS version is set to TLS 1.2, but the developer's client uses TLS 1.0.
AnswerC

The developer's IP is not allowed.

Why this answer

Option A is correct because the network ACLs have a default deny and only allow traffic from 192.168.1.0/24. The IP 10.0.0.5 is not in that range. Option B is wrong because TLS 1.2 is a requirement, but the error is network access.

Option C is wrong because RBAC is correctly configured. Option D is wrong because Azure Services bypass is for Azure services, not the developer's machine.

487
MCQmedium

A developer writes an Azure Function that uses the Azure.Storage.Blobs SDK to upload a file to Blob Storage. The function runs locally but fails when deployed to Azure with a '403 Forbidden' error. What is the most likely cause?

A.The function app does not have the correct RBAC role on the storage account
B.The Azure.Storage.Blobs SDK version is deprecated
C.The function runtime version is incompatible
D.The storage account is behind a firewall and the function app's outbound IP is not whitelisted
AnswerA

Managed identity needs Storage Blob Data Contributor role to write blobs.

Why this answer

The function app in Azure needs a managed identity with the appropriate RBAC role (e.g., Storage Blob Data Contributor) to access the storage account. Locally, the developer might be using their own credentials. Option A is wrong because the function runtime is not the issue.

Option B is wrong because firewall rules would affect both local and cloud. Option D is wrong because the SDK version is unlikely to cause a 403.

488
MCQhard

You are developing a solution that uses Azure Container Apps. Your application is a microservice that needs to expose a gRPC endpoint. The service must scale to zero when idle. What should you do?

A.Use Azure Functions with a gRPC trigger.
B.Deploy the microservice to Azure Container Apps and configure a scale rule with minReplicas set to 0.
C.Deploy the microservice to Azure Kubernetes Service with a virtual node.
D.Deploy the microservice to Azure Container Instances with a scale rule.
AnswerB

Container Apps supports scaling to zero and gRPC.

Why this answer

Azure Container Apps natively supports gRPC endpoints and can scale to zero by setting `minReplicas` to 0 in a scale rule. This configuration allows the microservice to run only when there are active requests, reducing costs during idle periods. The combination of gRPC support and dynamic scaling makes Container Apps the correct choice for this scenario.

Exam trap

The trap here is that candidates may assume Azure Functions can handle gRPC via custom handlers or that ACI supports autoscaling, but neither service provides native gRPC support or the scale-to-zero capability required for this specific workload.

How to eliminate wrong answers

Option A is wrong because Azure Functions does not have a native gRPC trigger; it supports HTTP, timer, and other triggers, but gRPC is not a supported binding, and Functions cannot scale to zero for gRPC workloads. Option C is wrong because Azure Kubernetes Service (AKS) with virtual nodes does not support scaling to zero; virtual nodes enable burst scaling but maintain a minimum number of pods, and AKS typically incurs cluster management overhead. Option D is wrong because Azure Container Instances (ACI) does not support scale rules or automatic scaling to zero; it is designed for single-instance containers with manual scaling or restart policies, not dynamic scale-to-zero behavior.

489
Multi-Selectmedium

Which TWO actions can you take to improve the performance of an Azure App Service web app that makes calls to an external API? (Choose two.)

Select 2 answers
A.Use a connection pool to reuse connections to the API.
B.Send multiple requests in parallel to the API.
C.Scale out the App Service to more instances.
D.Use async/await patterns in the code to avoid blocking threads.
E.Implement caching of API responses using Azure Cache for Redis.
AnswersD, E

Async/await improves scalability and responsiveness.

Why this answer

Options B and D are correct. Caching responses reduces redundant calls, and using async/await frees up threads. Option A is wrong because increasing instance count adds cost but may not improve per-request latency.

Option C is wrong because multiple API calls per request increase latency. Option E is wrong because keeping a persistent connection may help but is not a direct performance improvement for the described issue.

490
MCQeasy

You are developing a mobile app backend using Azure Functions. The app allows users to upload profile pictures. The pictures are stored in Azure Blob Storage and the metadata (user ID, blob URL, upload timestamp) is stored in Azure SQL Database. You need to implement a process that automatically generates a thumbnail for each uploaded picture and updates the metadata with the thumbnail URL. The thumbnail generation is CPU-intensive and may take up to 30 seconds per image. The solution should be serverless and cost-effective. Which combination of Azure services should you use?

A.Use an Azure VM with a scheduled task to poll for new blobs and generate thumbnails.
B.Use an Azure Queue Storage trigger to invoke an Azure Function that processes the image and updates Azure SQL Database.
C.Use an Azure Blob Storage trigger to invoke an Azure Function that generates the thumbnail and updates Azure SQL Database.
D.Use Azure Event Grid to trigger an Azure Logic App that generates the thumbnail and updates Azure SQL Database.
AnswerC

Blob Storage trigger is serverless and cost-effective.

Why this answer

An Azure Blob Storage trigger can start an Azure Function on blob creation. The function can generate the thumbnail and then update the metadata in Azure SQL Database. This is serverless and scales automatically.

Option A is correct. Option B is incorrect because Event Grid can also trigger a function, but the Blob Storage trigger is simpler and directly tied to blob events. Option C is incorrect because using a queue adds unnecessary complexity.

Option D is incorrect because using a VM is not serverless.

491
Multi-Selecthard

Which THREE metrics should you monitor to determine if an Azure Kubernetes Service (AKS) cluster is running optimally? (Choose three.)

Select 3 answers
A.Node CPU usage percentage
B.API server request latency
C.Network bytes sent and received
D.Disk I/O throughput
E.Pod memory usage percentage
AnswersA, D, E

High CPU may indicate need to scale.

Why this answer

Option A (Node CPU), Option B (Pod memory), and Option D (Disk I/O) are correct because they directly affect pod performance and cluster health. Option C (API server latency) is important but not a direct indicator of cluster workload optimization. Option E (Network bytes) is less critical for optimization.

492
MCQhard

You are troubleshooting a containerized application running on Azure Kubernetes Service (AKS). The application logs indicate that it cannot connect to an Azure SQL Database using a managed identity. The pod is configured with a user-assigned managed identity. Which step is most likely missing?

A.The Azure SQL Database firewall is blocking the pod IP
B.The pod's service account is not linked to the managed identity
C.The managed identity is not in the same Microsoft Entra ID tenant as the AKS cluster
D.The AKS cluster does not have the Azure AD Pod Identity add-on enabled
AnswerD

Correct: The add-on is required to assign the identity to pods.

Why this answer

The AKS cluster requires the Azure AD Pod Identity add-on (or the newer Workload Identity) to enable pods to authenticate to Azure resources using managed identities. Without this add-on, the pod's user-assigned managed identity cannot be used to obtain tokens for connecting to Azure SQL Database, even if the identity is correctly assigned to the pod.

Exam trap

The trap here is that candidates often assume assigning a managed identity to a pod is sufficient, but they overlook the requirement for the AKS cluster to have the Azure AD Pod Identity add-on enabled to bridge the pod and the identity for token acquisition.

How to eliminate wrong answers

Option A is wrong because the pod's IP is not the issue; Azure SQL Database firewall rules block IP addresses, but managed identity authentication uses Azure AD tokens, not the pod's IP, so the firewall is not the missing step. Option B is wrong because the pod's service account does not need to be linked to the managed identity; instead, the pod is assigned the identity via Azure AD Pod Identity or Workload Identity, not through a service account binding. Option C is wrong because the managed identity must be in the same Microsoft Entra ID tenant as the AKS cluster for authentication to work; if it were in a different tenant, the token request would fail, but the question implies the identity is correctly assigned, so this is not the missing step.

493
MCQmedium

A developer exposes several backend APIs through Azure API Management. Clients must be throttled by subscription to protect the backend. What should be configured? The architecture review board prefers a managed AWS-native control.

A.Blob soft delete
B.Application Insights sampling
C.Private DNS zone only
D.API Management rate-limit or quota policy
AnswerD

APIM policies can enforce rate limits and quotas per subscription or caller.

Why this answer

Option D is correct because Azure API Management provides built-in rate-limit and quota policies that allow you to throttle client requests based on the subscription key. This directly protects backend services from excessive traffic by enforcing per-subscription call rates and quotas, which aligns with the requirement to throttle clients by subscription.

Exam trap

The trap here is that candidates may confuse Application Insights sampling (a telemetry feature) with API throttling, or think Blob soft delete or DNS zones could somehow limit API calls, when only API Management policies directly enforce subscription-based rate limits.

How to eliminate wrong answers

Option A is wrong because Blob soft delete is a data protection feature for Azure Blob Storage that recovers accidentally deleted blobs; it has no role in API throttling or subscription-based rate limiting. Option B is wrong because Application Insights sampling reduces the volume of telemetry data collected for monitoring, not API request throttling; it controls data ingestion, not client access rates. Option C is wrong because a Private DNS zone only manages custom DNS resolution within a virtual network; it does not enforce any rate limits or quotas on API calls.

494
MCQmedium

Your Azure Kubernetes Service (AKS) cluster experiences node failures. Which Azure service provides automated node repair?

A.Azure Sentinel
B.Microsoft Defender for Cloud
C.AKS node auto-repair
D.Azure Monitor
AnswerC

Automatically repairs unhealthy nodes.

Why this answer

Option B is correct because AKS node auto-repair is a built-in feature. Option A is wrong because Azure Monitor only provides observability. Option C is wrong because it's a security solution.

Option D is wrong because it's a SIEM/SOAR solution.

495
Drag & Dropmedium

Arrange the steps to deploy an Azure App Service using Azure CLI in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

To deploy an App Service, first create a resource group, then an App Service plan, then the web app, deploy code, and finally verify.

496
MCQmedium

Your Azure App Service web app experiences slow response times during peak hours. You suspect the App Service plan is under-provisioned. You need to scale out the app automatically based on CPU usage. What should you configure?

A.Configure scheduled scaling in the app
B.Manually increase instance count
C.Configure scale up in the App Service plan
D.Configure autoscale rules in the App Service plan
AnswerD

Autoscale can scale out based on CPU usage.

Why this answer

Autoscale rules in the App Service plan allow you to automatically scale out (increase instance count) based on metrics like CPU usage. This is the correct solution because it dynamically adjusts capacity in response to demand during peak hours without manual intervention.

Exam trap

The trap here is confusing 'scale up' (vertical scaling, changing plan tier) with 'scale out' (horizontal scaling, adding instances), and assuming scheduled scaling can react to real-time CPU spikes.

How to eliminate wrong answers

Option A is wrong because scheduled scaling is used for predictable load patterns (e.g., time-of-day), not for reactive scaling based on CPU usage. Option B is wrong because manually increasing the instance count is a one-time action and does not provide automatic scaling based on CPU metrics. Option C is wrong because scale up increases the size (tier) of the App Service plan (e.g., from S1 to S2), not the number of instances; it does not address horizontal scaling (scale out).

497
Multi-Selectmedium

Which TWO authentication mechanisms can be used to securely connect an Azure Function app to an Azure SQL Database using managed identities?

Select 2 answers
A.System-assigned managed identity
B.User-assigned managed identity
C.Service principal with client secret
D.Certificate-based authentication
E.Connection string with access key
AnswersA, B

Correct: a type of managed identity.

Why this answer

System-assigned managed identity and user-assigned managed identity are both supported for Azure SQL Database connections. Service principal and connection strings with keys are not managed identities. Certificate-based authentication is not a managed identity type.

498
MCQeasy

You are developing a solution that stores user-uploaded profile pictures. Users upload pictures that are then displayed on their profile page. After 30 days, if the user hasn't logged in, the system moves the picture to cold storage. You need to choose the initial access tier for the container to optimize cost and performance for frequently accessed pictures. Which tier should you use?

A.Hot
B.Cool
C.Archive
D.Premium
AnswerA

Hot tier is for frequently accessed data with low latency and is the optimal initial tier for profile pictures.

Why this answer

The Hot tier is the correct initial access tier because the profile pictures are frequently accessed immediately after upload (e.g., displayed on profile pages). The Hot tier is optimized for high-frequency read/write operations with the lowest latency, making it cost-effective for data that is accessed often. After 30 days of inactivity, the system moves the picture to cold storage, so the initial tier should prioritize performance for active data, not long-term archival cost savings.

Exam trap

The trap here is that candidates often choose Cool or Archive thinking they are 'cost-saving' upfront, but they overlook that the Hot tier is actually the most cost-effective for frequently accessed data because it avoids per-access fees and latency penalties, while lifecycle management handles the eventual move to cheaper storage.

How to eliminate wrong answers

Option B (Cool) is wrong because the Cool tier is designed for data that is infrequently accessed (e.g., once a month or less) and has higher access costs and latency compared to Hot, making it suboptimal for frequently accessed profile pictures. Option C (Archive) is wrong because the Archive tier is for data that is rarely accessed (e.g., once a year) and has the highest retrieval latency (up to 15 hours for rehydration), which is unacceptable for immediate display on a profile page. Option D (Premium) is wrong because the Premium tier is for block blobs with low-latency requirements (e.g., for Azure Virtual Desktop or high-performance computing) and incurs significantly higher storage costs, making it overkill and cost-inefficient for standard user-uploaded profile pictures.

499
MCQhard

You are a developer at Contoso Ltd. The company has an existing .NET Core web application hosted on Azure App Service that allows users to upload images. The application currently stores images directly to Azure Blob Storage using connection strings stored in the Web.config file. The security team has mandated that all secrets must be stored in Azure Key Vault and rotated automatically. Additionally, the application must be able to access the Key Vault without storing any credentials in the application code or configuration files. The application uses Microsoft Entra ID for user authentication. You need to modify the application to meet these requirements with minimal changes to the application code. You have the following resources: an Azure Key Vault instance with the secrets (storage account connection string) already stored; a managed identity enabled for the App Service. You want to use the Key Vault references feature of Azure App Configuration or direct Key Vault access. Which approach should you take?

A.Set the connection string as an environment variable in the App Service using the Azure CLI and rely on the Key Vault backup.
B.Create an Azure App Configuration store, import the secrets from Key Vault, and change the application to use the App Configuration provider.
C.In the Azure portal, update the App Service application settings to reference the Key Vault secrets using the Key Vault references feature. Enable the system-assigned managed identity for the App Service and grant it Get and List permissions on the Key Vault.
D.Modify the application code to use the Azure Identity SDK to authenticate to Key Vault via managed identity and retrieve the connection string.
AnswerC

Key Vault references allow secure access without code changes and support automatic rotation.

Why this answer

The correct approach is to use Key Vault references in the App Service application settings. This allows you to reference a secret stored in Key Vault using a syntax like @Microsoft.KeyVault(SecretUri=...). The App Service will automatically retrieve the secret using the system-assigned managed identity, and no code changes are required.

Option A is correct. Option B is incorrect because using App Configuration would require additional setup and code changes to reference the configuration. Option C is incorrect because manually retrieving secrets via SDK requires code changes.

Option D is incorrect because environment variables set directly are not rotated automatically.

500
Drag & Dropmedium

Arrange the steps to implement Azure AD authentication in an ASP.NET Core web app in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First register the app in Azure AD, then configure settings, add NuGet, configure middleware, and secure endpoints.

501
MCQmedium

A company stores sensitive data in an Azure Storage account. They need to restrict access based on the client's IP address and require that clients use a valid SAS token. Which mechanism should they use?

A.Microsoft Entra ID authentication.
B.Shared Key.
C.SAS token with IP ACL.
D.Firewall and virtual networks.
AnswerC

Correct. A SAS token can specify an allowed IP address range.

Why this answer

A SAS token with an IP ACL (access control list) allows you to restrict access to a specific client IP address or range of IP addresses while also requiring a valid SAS token for authentication. This meets both requirements: IP-based restriction and SAS token validation. The IP ACL is specified as part of the SAS token's signed IP (sip) parameter, which enforces that requests must originate from the allowed IP range.

Exam trap

The trap here is that candidates often confuse network-level IP restrictions (firewall/VNet) with SAS-level IP restrictions, not realizing that only a SAS token with an IP ACL can enforce both a valid token and a specific client IP address simultaneously.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID authentication does not use SAS tokens; it relies on Azure AD identities and RBAC roles, which cannot enforce a client IP restriction at the SAS token level. Option B is wrong because Shared Key authentication uses the storage account key directly, which does not support IP-based restrictions and does not involve a SAS token. Option D is wrong because Firewall and virtual networks can restrict access by IP address, but they do not require a SAS token; they operate at the network layer and can be bypassed if the SAS token is not enforced.

502
MCQeasy

An application uses Azure Application Insights for monitoring. You need to write a query to analyze the number of failed requests and exceptions over the past hour. Which query language should you use?

A.SQL
B.Kusto Query Language (KQL)
C.PowerShell
D.Azure CLI
AnswerB

KQL is the native query language for Azure Monitor Logs and Application Insights.

Why this answer

Azure Application Insights stores telemetry data in a Log Analytics workspace, which is queried using Kusto Query Language (KQL). KQL is the native query language for Azure Data Explorer and is specifically designed for time-series analysis, filtering, and aggregation of log data. To analyze failed requests and exceptions over the past hour, you would use KQL operators like `where`, `summarize`, and `bin` to filter by timestamp and count events.

Exam trap

The trap here is that candidates may confuse KQL with SQL due to superficial similarities in syntax (e.g., `where` clauses), but Azure Application Insights exclusively uses KQL, not SQL, for log queries.

How to eliminate wrong answers

Option A is wrong because SQL is not supported for querying Application Insights data; the underlying storage is a column-store optimized for KQL, not a relational database. Option C is wrong because PowerShell is a scripting language used for automation and resource management, not for querying telemetry data directly from Application Insights. Option D is wrong because Azure CLI is a command-line tool for managing Azure resources, not a query language for analyzing log data.

503
Multi-Selectmedium

Which THREE are valid ways to authenticate to Azure Blob Storage from an application? (Choose three.)

Select 3 answers
A.Use the storage account access key.
B.Use an OAuth2 token obtained from Microsoft Entra ID for a user.
C.Use a shared access signature (SAS) token.
D.Use a client certificate.
E.Use a managed identity assigned to an Azure resource.
AnswersA, C, E

Access key is a shared key authentication method.

Why this answer

Option A is correct because the storage account access key provides full administrative access to the storage account, including Blob Storage. It is a simple, shared-key authentication method using HMAC-SHA256 to sign requests, and is commonly used for development or scenarios where fine-grained access control is not required.

Exam trap

The trap here is that candidates may incorrectly assume OAuth2 tokens from Microsoft Entra ID for a user are a valid standalone method, but Azure Blob Storage requires the user to be authenticated via Azure AD first, and the token is obtained as part of that flow, not as a direct authentication mechanism like a key or SAS.

504
MCQmedium

You have an Azure Function app that uses Durable Functions. You notice that some orchestrations are taking longer than expected. You need to monitor the history of orchestration instances. What should you use?

A.Application Insights
B.Azure Monitor Metrics
C.Azure Storage Explorer
D.Durable Functions HTTP management APIs
AnswerD

The management APIs provide orchestration instance history.

Why this answer

Option B is correct because the Durable Functions management APIs provide instance history. Option A (Application Insights) can show telemetry but not orchestration history directly. Option C (Azure Monitor) is for infrastructure.

Option D (Azure Storage Explorer) shows raw storage data.

505
MCQeasy

You need to secure a web API that is called from a single-page application (SPA). The API uses Microsoft Entra ID for authentication. Which OAuth 2.0 flow should the SPA use?

A.Authorization code flow with PKCE
B.Resource owner password credentials flow
C.Client credentials flow
D.Implicit flow
AnswerA

This flow is secure for SPAs as it uses a code exchange and PKCE to prevent interception.

Why this answer

The authorization code flow with PKCE is recommended for SPAs because it provides better security than implicit flow. Option A is wrong because client credentials flow is for server-to-server communication. Option B is wrong because implicit flow is deprecated.

Option D is wrong because resource owner password credentials flow is not recommended for SPAs.

506
MCQhard

You are designing a solution that uses Azure Container Instances (ACI) to run a batch job. The job must run only once a day and should not incur costs when idle. Which configuration should you use?

A.Use Azure Kubernetes Service with a node pool that scales to zero
B.Deploy a container group with a restart policy of Always
C.Use a scheduled job that creates a container group with restart policy Never and delete after completion
D.Use Azure Container Apps with scale-to-zero minimum replicas
AnswerC

Correct: This runs once and stops, minimizing cost.

Why this answer

Option C is correct because Azure Container Instances (ACI) supports a restart policy of 'Never' for one-off batch jobs, and you can orchestrate the creation and deletion of the container group using a scheduled job (e.g., Azure Logic Apps, Azure Functions, or a cron-based trigger). This ensures the container runs exactly once per day and incurs no cost when idle, as the container group is deleted after completion.

Exam trap

The trap here is that candidates may confuse the 'restart policy' with cost management, assuming 'Always' or 'OnFailure' are acceptable, or they may overcomplicate the solution by choosing AKS or Container Apps, which introduce unnecessary complexity and cost for a simple scheduled batch job.

How to eliminate wrong answers

Option A is wrong because Azure Kubernetes Service (AKS) with a node pool that scales to zero still incurs costs for the control plane and requires more complex orchestration than needed for a simple daily batch job; AKS is overkill and not the simplest solution for a single container. Option B is wrong because a restart policy of 'Always' would cause the container to restart continuously after completion, incurring ongoing costs and not meeting the requirement to run only once a day. Option D is wrong because Azure Container Apps with scale-to-zero minimum replicas still incurs costs for the underlying infrastructure (e.g., the environment and networking) and is designed for HTTP-triggered workloads, not scheduled batch jobs; it also does not natively support a 'run once and delete' pattern without additional orchestration.

507
MCQmedium

You are deploying a microservice that needs to read secrets (e.g., connection strings) from Azure Key Vault. The service runs on Azure Kubernetes Service (AKS). You want to minimize code changes and automatically rotate secrets. Which approach should you use?

A.Use the Azure Key Vault SDK in the application code to fetch secrets.
B.Store secrets as environment variables in the container image.
C.Use the Azure Key Vault Provider for Secrets Store CSI Driver on AKS.
D.Use Azure App Configuration with Key Vault references.
AnswerC

Mounts secrets as volumes or env vars, supports rotation.

Why this answer

Option B is correct because the CSI driver allows mounting secrets as volumes or environment variables with automatic rotation without code changes. Option A is wrong because it requires code changes to call the SDK. Option C is wrong because storing secrets in environment variables is insecure.

Option D is wrong because Azure App Configuration is for configuration, not secrets.

508
MCQeasy

You are deploying a new version of an ASP.NET Core web application to Azure App Service. You want to test the new version with a subset of users before making it available to everyone. You also need to be able to switch back instantly if issues are found. Which App Service feature should you use?

A.Create a separate App Service plan and deploy the new version there.
B.Use Azure DevOps deployment pipelines with deployment gates.
C.Use Azure Traffic Manager to route traffic between the old and new versions.
D.Use deployment slots with swapping.
AnswerD

Deployment slots allow you to deploy to a staging slot, test it, and then swap with the production slot. You can also route a percentage of traffic to the staging slot for A/B testing. Swapping back is immediate and provides a fast rollback.

Why this answer

Deployment slots in Azure App Service allow you to deploy a new version of your application to a staging slot, then gradually route a subset of user traffic to it using slot-specific routing rules (e.g., cookie-based affinity). If issues arise, you can instantly revert by swapping the slots back, which requires no redeployment and preserves the previous version's warm instances.

Exam trap

The trap here is that candidates confuse Azure Traffic Manager (DNS-level routing) with deployment slots (App Service–level routing), not realizing that Traffic Manager cannot provide instant rollback or cookie-based traffic splitting within a single App Service instance.

How to eliminate wrong answers

Option A is wrong because creating a separate App Service plan does not provide built-in traffic splitting or instant rollback; you would need additional load-balancing logic and manual DNS changes, which are slower and more complex. Option B is wrong because Azure DevOps deployment gates control when a release proceeds (e.g., based on monitoring), but they do not natively route a subset of live traffic to a new version or support instant rollback without redeployment. Option C is wrong because Azure Traffic Manager operates at the DNS level, routing traffic between entire App Service instances (not slots within the same app), and it cannot provide instant rollback (DNS propagation delays) or cookie-based session affinity for a subset of users.

509
MCQmedium

An application calls a third-party shipping API through HTTP. The developer must implement retries without overwhelming the remote system during partial outages. Which retry pattern is best?

A.Immediate infinite retries
B.Retry only after restarting the application
C.Exponential backoff with jitter and a maximum retry limit
D.Disable all timeout settings
AnswerC

Backoff with jitter reduces retry storms and gives the remote service time to recover.

Why this answer

Exponential backoff with jitter and a maximum retry limit is the best pattern because it progressively increases the delay between retries, preventing the client from overwhelming the third-party shipping API during partial outages. Jitter randomizes the delay to avoid thundering herd problems where multiple clients retry simultaneously, and the maximum retry limit ensures the system does not retry indefinitely, preserving resources and allowing for graceful degradation.

Exam trap

The trap here is that candidates may choose immediate infinite retries (Option A) thinking it ensures delivery, but they overlook the risk of overwhelming the remote system and violating rate limits, which is explicitly tested in the context of third-party API consumption.

How to eliminate wrong answers

Option A is wrong because immediate infinite retries would flood the third-party API with requests during a partial outage, likely exacerbating the outage or triggering rate limiting and throttling responses (e.g., HTTP 429). Option B is wrong because retrying only after restarting the application introduces unnecessary downtime and delays recovery; the application should handle transient faults programmatically without requiring a restart. Option D is wrong because disabling all timeout settings would cause the application to hang indefinitely on unresponsive requests, leading to resource exhaustion (e.g., thread pool starvation) and no mechanism to detect or recover from failures.

510
MCQeasy

You are developing a web app that uses Azure Key Vault to retrieve secrets. The app must authenticate using a system-assigned managed identity. Which endpoint should you use to get an access token for Key Vault?

A.https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
B.http://169.254.169.254/metadata/identity/oauth2/token?resource=https://vault.azure.net&api-version=2018-02-01
C.https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{vaultName}
D.https://graph.microsoft.com/v1.0/me
AnswerB

This is the Azure Instance Metadata Service endpoint for managed identity token requests.

Why this answer

The correct endpoint for getting a token via managed identity on Azure App Service is http://169.254.169.254/metadata/identity/oauth2/token (the Instance Metadata Service endpoint). Option A is the Azure CLI login endpoint, B is the Graph API token endpoint, and D is the ARM token endpoint, which do not use managed identity for Key Vault.

511
MCQeasy

You are building a web application that stores user-uploaded images in Azure Blob Storage. The application requires that images be accessible only via a time-limited URL. Which security mechanism should you use?

A.Use storage account access keys in the application code.
B.Generate a shared access signature (SAS) token for each blob.
C.Assign the 'Storage Blob Data Reader' role to the application's managed identity.
D.Use Azure Key Vault to store and retrieve the storage account key.
AnswerB

SAS tokens allow time-limited access to specific blobs.

Why this answer

A shared access signature (SAS) token provides delegated, time-limited access to a specific blob without exposing the storage account key. By generating a SAS token with an expiration time, you can enforce that the image URL is only valid for a limited period, meeting the requirement exactly. This is the standard Azure mechanism for granting granular, time-bound access to blob storage resources.

Exam trap

The trap here is that candidates often confuse persistent access control methods (like RBAC roles or account keys) with the time-limited, delegated access that only a SAS token provides, leading them to pick options that secure the key but do not enforce an expiration on the URL.

How to eliminate wrong answers

Option A is wrong because embedding storage account access keys in application code grants full, unrestricted access to the entire storage account and never expires, violating the time-limited requirement. Option C is wrong because assigning the 'Storage Blob Data Reader' role via managed identity provides persistent, role-based access without any built-in time limitation, so it cannot enforce a time-bound URL. Option D is wrong because storing the storage account key in Azure Key Vault secures the key but does not create a time-limited URL; you would still need to generate a SAS token from that key to achieve the time-bound requirement.

512
MCQmedium

A long-running claims processing function must process thousands of independent files. The developer wants status tracking, checkpoints, and replay-safe orchestration. Which Azure Functions capability should be used?

A.Durable Functions orchestrator
B.Timer trigger only
C.Azure Policy remediation
D.Blob lifecycle management
AnswerA

Durable Functions provides stateful orchestration, checkpointing, and durable execution history.

Why this answer

Durable Functions orchestrator is correct because it provides built-in support for status tracking, checkpoints (via event sourcing), and replay-safe orchestration, which are essential for a long-running claims processing function that must handle thousands of independent files reliably. The orchestrator function manages state and execution flow, automatically saving progress and allowing replay from checkpoints in case of failures, ensuring exactly-once processing semantics.

Exam trap

The trap here is that candidates may confuse a simple timer-triggered function (which can process files on a schedule) with the need for stateful orchestration, overlooking that Durable Functions is the only option that provides built-in checkpointing and replay safety for long-running, fault-tolerant workflows.

How to eliminate wrong answers

Option B is wrong because a Timer trigger only invokes a function on a schedule and does not provide any state management, checkpointing, or replay capabilities for long-running workflows. Option C is wrong because Azure Policy remediation is designed for enforcing compliance rules and automatically remediating non-compliant resources, not for orchestrating business logic or tracking processing status. Option D is wrong because Blob lifecycle management automates tiering or deletion of blobs based on age or tags, but it cannot manage orchestration state, checkpoints, or replay logic for a claims processing workflow.

513
MCQhard

Refer to the exhibit. A developer deploys this ARM template to create a blob container. Later, they attempt to upload a file to the container using a SAS token. What is the result?

A.The upload succeeds only if the SAS token includes read permission.
B.The container is not created because publicAccess is set to None.
C.The upload succeeds if the SAS token has write permission.
D.The upload fails because the container is private.
AnswerC

A SAS token with write permission allows upload to a private container.

Why this answer

Option C is correct. The container has publicAccess set to None, meaning no anonymous access. However, a SAS token provides delegated access, so uploads with a valid SAS token will succeed.

Option A is wrong because SAS tokens are still valid; Option B is wrong because SAS does not require public access; Option D is wrong because the container is created.

514
MCQhard

A storage account for thumbnail metadata must allow an application to read only blobs under one container for two hours. The application should not receive the account key. What should be issued?

A.A public access level on the container
B.A service SAS scoped to the container with read permission and expiry
C.A management group assignment
D.The storage account access key
AnswerB

A service SAS can grant limited, time-bound permissions without exposing account keys.

Why this answer

A service SAS scoped to a container with read permission and an expiry of two hours is the correct approach because it provides delegated, time-limited access to specific blobs under that container without exposing the storage account key. The SAS token is generated using the account key but the application only receives the token, not the key itself, ensuring the key remains secure. This meets the requirement for read-only access to a single container for a limited duration.

Exam trap

The trap here is that candidates often confuse a service SAS with a public access level or account key, failing to recognize that a SAS provides granular, time-bound delegation without exposing the account key, while public access is permanent and account keys grant full control.

How to eliminate wrong answers

Option A is wrong because setting a public access level on the container grants anonymous read access to all blobs in that container indefinitely, with no time restriction and no way to revoke access without changing the container's ACL, which violates the two-hour limit and the requirement to avoid exposing the account key. Option C is wrong because a management group assignment controls access at the Azure subscription or management group level for administrative operations, not at the blob or container level for data operations, and it cannot grant time-limited read access to blobs. Option D is wrong because providing the storage account access key grants full administrative access to all storage account operations (read, write, delete) across all containers and services, with no time restriction, which is excessive and insecure for the stated requirement.

515
Multi-Selecthard

An Azure Functions report export service processes Service Bus messages. The function sometimes fails after partially completing work. Which two practices improve correctness?

Select 2 answers
A.Use dead-letter handling for repeatedly failing messages
B.Store connection strings in source code
C.Disable retries for all messages
D.Make the handler idempotent
AnswersA, D

Dead-letter queues isolate messages that cannot be processed after retries.

Why this answer

Option A is correct because Azure Functions can use dead-letter handling to isolate messages that repeatedly fail processing, preventing them from blocking the queue and allowing investigation without data loss. This is a standard pattern for Service Bus triggered functions to manage poison messages gracefully.

Exam trap

The trap here is that candidates often confuse disabling retries with improving correctness, when in fact retries with dead-lettering and idempotent handlers are the correct reliability patterns for Service Bus triggered functions.

516
MCQeasy

You are configuring an Azure App Service web app to authenticate users with Microsoft Entra ID. You need to ensure that only users from your organization's tenant can access the app. Which setting should you configure?

A.Set the Issuer URL to https://login.microsoftonline.com/common/v2.0
B.Set the Client ID to the application's Application ID.
C.Set the Allowed token audiences to include the app's Application ID URI.
D.Set the Issuer URL to https://login.microsoftonline.com/{tenant-id}/v2.0
AnswerD

This restricts authentication to the specified tenant.

Why this answer

Option B is correct because setting Issuer URL to the tenant-specific endpoint ensures only users from that tenant can sign in. Option A is wrong because Allowed token audiences control which tokens are accepted, not tenant restriction. Option C is wrong because Client ID is for the application identity.

Option D is wrong because it allows any Microsoft identity.

517
MCQhard

You are designing a microservices solution using Azure Container Apps. One service must be exposed externally via HTTPS, while others should only be accessible within the environment. You need to configure networking for this scenario. What should you do?

A.Enable external ingress at the environment level and use network policies to restrict access.
B.Deploy the external service in a different environment and use an internal load balancer.
C.Configure each container app's ingress: set the external service to 'External' and the internal services to 'Internal'.
D.Use a Dapr sidecar to route requests between services.
AnswerC

Container Apps support per-app ingress configuration.

Why this answer

Option C is correct because Azure Container Apps allows you to control ingress at the individual container app level. Setting the external service's ingress to 'External' makes it reachable from the internet via HTTPS, while setting internal services to 'Internal' restricts access to only within the Container Apps environment, using the internal FQDN. This provides the required isolation without needing separate environments or complex network policies.

Exam trap

The trap here is that candidates may think network policies or separate environments are needed for isolation, but Azure Container Apps provides per-app ingress control as a simpler and more direct solution.

How to eliminate wrong answers

Option A is wrong because Azure Container Apps does not support network policies at the environment level; ingress is configured per container app, not globally. Option B is wrong because deploying the external service in a different environment would require separate management and an internal load balancer is not used for external HTTPS exposure; the external service should be in the same environment with external ingress enabled. Option D is wrong because Dapr sidecars handle service-to-service communication and state management, not ingress or network exposure control.

518
MCQhard

A company uses Azure Cosmos DB for a global e-commerce platform. They need to query product inventory across multiple regions with low latency. The data is partitioned by product category. Some queries filter on category and price range. What indexing policy should be configured to optimize these queries?

A.Use a wildcard index for all properties.
B.Create a composite index with (category, price).
C.Add a hash index on category and a range index on price.
D.Enable spatial index on price.
AnswerB

Composite index supports efficient filtering on both fields.

Why this answer

A composite index on (category, price) (option B) allows efficient range queries on price within a category. Option A uses separate indexes which may require composite index for range. Option C is too broad.

Option D is not a valid index type.

519
MCQeasy

You are developing an application that needs to retrieve secrets from Azure Key Vault. The application will run as an Azure Functions app. Which authentication method should you use to access Key Vault?

A.Use a client certificate stored in the function app
B.Use a system-assigned managed identity
C.Use the Key Vault connection string from app settings
D.Use the storage account access key from the function app
AnswerB

Managed identities provide a secure, passwordless authentication method directly integrated with Microsoft Entra ID.

Why this answer

Managed identities provide an automatically managed identity in Microsoft Entra ID for the Azure Functions app to authenticate to Key Vault without storing credentials in code. Option A is wrong because client certificates require certificate management. Option B is wrong because connection strings are not used for authentication to Key Vault.

Option D is wrong because access keys are for storage accounts, not Key Vault.

520
MCQmedium

You need to securely transfer an on-premises database backup to Azure Blob Storage. The backup file is 500 GB. You have limited bandwidth (10 Mbps) and need the transfer to complete within 24 hours. What is the best solution?

A.Use Azure File Sync to replicate the backup to Azure Files.
B.Use Azure Data Box to physically ship the data to Azure.
C.Use AzCopy to copy the backup file directly to Blob Storage.
D.Set up an ExpressRoute connection and use AzCopy.
AnswerB

Data Box is designed for large data transfers when network is slow.

Why this answer

Given the 500 GB backup file and a 10 Mbps bandwidth limit, the theoretical maximum transfer time over the internet is approximately 500 GB * 8 bits/byte / (10 Mbps) = 400,000 seconds ≈ 111 hours, far exceeding the 24-hour requirement. Azure Data Box is the best solution because it allows you to physically ship the data on a secure, ruggedized device, bypassing network constraints entirely and ensuring the transfer completes within the required timeframe.

Exam trap

The trap here is that candidates may overlook the bandwidth calculation and assume AzCopy or ExpressRoute can handle the transfer within 24 hours, failing to recognize that even with a dedicated connection, the raw throughput is insufficient for 500 GB at 10 Mbps.

How to eliminate wrong answers

Option A is wrong because Azure File Sync is designed for synchronizing file shares over a network, not for bulk data transfer of a single large backup file; it would still be constrained by the 10 Mbps bandwidth and would not meet the 24-hour deadline. Option C is wrong because AzCopy relies on network bandwidth; at 10 Mbps, transferring 500 GB would take over 111 hours, far exceeding the 24-hour limit. Option D is wrong because ExpressRoute provides a dedicated private connection but does not increase bandwidth beyond the 10 Mbps limit; the transfer would still take over 111 hours, failing the time constraint.

521
MCQmedium

You are deploying an Azure App Service using an ARM template. After deployment, you find that the application settings are not applied. What is the most likely issue?

A.The resource is missing a dependsOn property for the parent site
B.The resource type should be 'Microsoft.Web/sites/appsettings'
C.The apiVersion is outdated, use '2021-02-01'
D.The property 'MyApp:Setting1' uses a colon, which is not allowed
AnswerA

Without dependsOn, the config resource may be deployed before the site exists, causing failure.

Why this answer

When deploying application settings via an ARM template, the 'Microsoft.Web/sites/config' resource (which contains the appsettings) must have a 'dependsOn' property referencing the parent 'Microsoft.Web/sites' resource. Without this dependency, Azure Resource Manager may attempt to apply the settings before the site exists, causing the settings to be silently ignored or not applied. This is a common deployment ordering issue.

Exam trap

The trap here is that candidates often focus on syntax errors (like colons or resource types) rather than the implicit deployment ordering requirement, missing that the 'dependsOn' property is mandatory for child resources to ensure they are applied after the parent site exists.

How to eliminate wrong answers

Option B is wrong because the correct resource type for application settings is 'Microsoft.Web/sites/config' with the name 'appsettings', not 'Microsoft.Web/sites/appsettings'. Option C is wrong because while apiVersion matters, an outdated version would typically cause a validation error, not silent failure of settings application; the core issue is the missing dependency. Option D is wrong because colons are allowed in App Service application setting names; they are commonly used for .NET Core configuration keys like 'MyApp:Setting1'.

522
Multi-Selectmedium

Which TWO services can be used to implement a publish-subscribe messaging pattern in Azure?

Select 2 answers
A.Azure Storage Queues
B.Azure Event Hubs
C.Azure Service Bus Topics
D.Azure Event Grid
E.Azure Queue Storage
AnswersC, D

Service Bus Topics support pub-sub with subscriptions.

Why this answer

Azure Service Bus Topics and Azure Event Grid both support publish-subscribe. Option B is wrong because Storage Queues use point-to-point. Option D is wrong because Event Hubs is for event ingestion, not pub-sub.

Option E is wrong because Azure Queue Storage is point-to-point.

523
MCQeasy

You need to send email notifications from an Azure Function app when a new user registers in your application hosted on Azure App Service. Which Azure service should you use to send the emails?

A.Microsoft 365 SMTP relay
B.Azure Communication Services
C.SendGrid
D.Azure Logic Apps
AnswerC

SendGrid is a cloud-based email service suitable for transactional emails.

Why this answer

SendGrid is a third-party email delivery service available as an Azure Marketplace solution that integrates with Azure Functions. Option A is correct. Option B is incorrect; Azure Communication Services is for SMS, chat, and voice, not primarily email.

Option C is incorrect; Azure Logic Apps is a workflow service, not an email service. Option D is incorrect; Microsoft 365 SMTP is not recommended for automated transactional emails due to sending limits and authentication complexity.

524
MCQhard

You query Application Insights with the KQL query in the exhibit. The chart shows a spike in 500 errors at 2:00 PM. What is the next step to diagnose the cause?

A.Check availability tests for the same period
B.Query exceptions and traces for the 2:00 PM hour
C.Scale up the App Service plan
D.Run a profiler on the 2:00 PM time range
AnswerB

Correlating exceptions and traces helps find the root cause of errors.

Why this answer

Option C is correct because drilling into traces and exceptions around that time can pinpoint the specific error. Option A (profiler) is for slow requests. Option B (availability tests) check endpoints.

Option D (scaling) is not diagnostic.

525
MCQeasy

You are deploying a function app that processes sensitive data. You need to ensure that all function app secrets (e.g., connection strings) are stored securely and automatically rotated. Which service should you use?

A.Azure Key Vault
B.Azure Managed Identity
C.Azure App Configuration
D.Azure DevOps Variable Groups
AnswerA

Key Vault securely stores secrets and supports automatic rotation.

Why this answer

Azure Key Vault is the service designed to securely store and manage secrets, keys, and certificates. It supports automatic rotation for secrets. Option A is correct.

Option B is wrong because App Configuration is for configuration, not secret rotation. Option C is wrong because Azure DevOps is for CI/CD. Option D is wrong because Managed Identity is an identity mechanism, not a secret store.

Page 6

Page 7 of 14

Page 8