Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 526–600

997 questions total · 14 pages · All types, answers revealed

Page 8 of 14

526
MCQ · medium

An application stores sensor readings in Azure Table Storage. Each sensor produces thousands of readings per hour. Queries always filter by sensor ID and time range. A developer needs to choose the partition key and row key. Which design best balances query performance and write throughput?

A. Partition key: sensor ID; row key: ISO timestamp of the reading
B. Partition key: a single constant ('all-sensors'); row key: sensor ID + timestamp
C. Partition key: timestamp (rounded to the hour); row key: sensor ID
D. Partition key: random GUID per reading; row key: timestamp
Answer: A

Co-locating readings by sensor ID allows the storage engine to scan only that partition for time-range queries. Timestamp row keys are naturally ordered, so range queries resolve efficiently without scanning unrelated partitions.

Why this answer

Option A is correct because it uses sensor ID as the partition key, which ensures all readings for a given sensor are stored in the same partition, enabling efficient range queries by row key (timestamp). This design avoids hot partitions by distributing writes across different sensors, while the row key allows fast point lookups and range scans within a time window, balancing query performance and write throughput.

Exam trap

The trap here is that candidates often choose a partition key that groups data by time (Option C) to optimize time-range queries, but they overlook that this creates a hot partition for all sensors in that time window, severely limiting write throughput.

How to eliminate wrong answers

Option B is wrong because using a single constant partition key ('all-sensors') forces all writes and queries into one partition, creating a hot partition that throttles throughput and degrades performance. Option C is wrong because using timestamp rounded to the hour as the partition key can cause all sensors' data for the same hour to land in the same partition, leading to write contention and poor query performance when filtering by sensor ID (which requires a full partition scan). Option D is wrong because using a random GUID as the partition key scatters each reading across partitions, making queries that filter by sensor ID and time range inefficient (they must scan all partitions) and defeating the purpose of partition key design.

527
Multi-Select · hard

Which THREE of the following are true about Azure Storage queues? (Choose three.)

Select 3 answers
A. Messages are processed in strict FIFO order.
B. The maximum time-to-live for a message is 7 days.
C. Messages can be up to 1 MB in size.
D. Messages can be up to 64 KB in size.
E. The visibility timeout allows a consumer to hide a message from other consumers while processing it.
Answers: B, D, E

Default TTL is 7 days, but it can be set up to 7 days maximum.

Why this answer

Option B is correct because Azure Storage queue messages have a configurable time-to-live (TTL) with a maximum value of 7 days. Once the TTL expires, the message is automatically deleted from the queue. This is a hard limit enforced by the Azure Storage service, not a default setting.

Exam trap

The trap here is that candidates often confuse Azure Storage queues with Azure Service Bus queues, leading them to select the 1 MB message size limit (which applies to Service Bus) instead of the correct 64 KB limit for Storage queues.

528
MCQ · hard

You are developing a .NET Core API that uses Azure AD for authentication. You want to restrict access to specific claims. Which middleware component should you use to check claims?

A. Use the UseAuthorization middleware in the pipeline
B. Use the UseAuthentication middleware to validate tokens
C. Use the [Authorize] attribute with a policy that requires a specific claim
D. Manually parse the JWT in a custom middleware
Answer: C

Policy-based authorization with claims is the standard approach in ASP.NET Core.

Why this answer

The [Authorize] attribute with policy-based authorization allows checking claims via policies configured in Startup.

529
MCQ · easy

Your company stores API keys and connection strings in Azure Key Vault. You need to grant an Azure Function read access to these secrets using the principle of least privilege. Which identity type should you assign to the Function App?

A. System-assigned managed identity
B. User-assigned managed identity
C. Service principal
D. Access policy on the Key Vault
Answer: A

Correct. A system-assigned managed identity is automatically managed by Azure and can be granted precise Key Vault permissions, meeting least privilege.

Why this answer

A system-assigned managed identity is the correct choice because it is directly tied to the lifecycle of the Azure Function, automatically managed by Azure, and requires no manual credential rotation. It provides the most restrictive scope (only that specific Function App) and adheres to the principle of least privilege by granting access only to the identity that needs it, without the overhead of managing a separate identity or service principal.

Exam trap

The trap here is that candidates often confuse 'access policy' (a permission assignment) with an 'identity type,' or they incorrectly assume a user-assigned managed identity is always more flexible and thus better, overlooking that a system-assigned identity is more restrictive and simpler for a single-resource scenario.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity is a standalone resource that can be shared across multiple Azure services, which violates the principle of least privilege by potentially granting broader access than necessary. Option C is wrong because a service principal requires manual credential management (secrets or certificates) and is typically used for external applications or automation, not for a first-party Azure resource like a Function App where a managed identity is simpler and more secure. Option D is wrong because an access policy on the Key Vault is not an identity type; it is a permission assignment mechanism that must be applied to an identity (such as a managed identity or service principal), so it cannot be the identity type itself.

530
MCQ · medium

You are building an Azure Logic App that must call an external API that uses the OAuth 2.0 authorization code grant. The API requires the user to sign in interactively to grant consent. You want to minimize development effort and securely manage the token lifecycle. Which built-in action and authentication method should you use?

A. Use the 'HTTP' action with 'OAuth 2.0' authentication and configure the authorization endpoint, client ID, and client secret.
B. Use the 'HTTP + Swagger' action with 'Identity Provider' authentication.
C. Use the 'API Connection' action with a custom connector that uses OAuth 2.0.
D. Use the 'HTTP' action with 'Managed identity' authentication.
Answer: A

Correct. The HTTP action's OAuth2 authentication supports the authorization code grant, including interactive user consent.

Why this answer

Option A is correct because the 'HTTP' action with 'OAuth 2.0' authentication type in Azure Logic Apps is specifically designed to handle the authorization code grant flow, including interactive user consent. It manages the token lifecycle (acquisition, refresh, and storage) automatically, minimizing development effort. You only need to configure the authorization endpoint, client ID, and client secret, and the runtime handles the redirect and token exchange.

Exam trap

The trap here is that candidates often confuse 'Managed identity' (which is for Azure AD resources without user interaction) with OAuth 2.0 flows that require interactive consent, or they overcomplicate the solution by choosing a custom connector when the built-in 'HTTP' action already supports the authorization code grant natively.

How to eliminate wrong answers

Option B is wrong because the 'HTTP + Swagger' action with 'Identity Provider' authentication is used for calling APIs described by a Swagger/OpenAPI definition, not for OAuth 2.0 authorization code grant with interactive consent; it relies on a pre-configured identity provider (like Azure AD) and does not support the interactive user consent flow. Option C is wrong because using an 'API Connection' action with a custom connector that uses OAuth 2.0 requires you to build and manage a custom connector, which increases development effort and does not minimize it; the built-in 'HTTP' action is simpler. Option D is wrong because 'Managed identity' authentication is intended for authenticating to Azure resources (e.g., Azure Key Vault, Azure SQL) without user interaction, and it cannot handle the OAuth 2.0 authorization code grant that requires interactive user consent.

531
MCQ · hard

You are querying Azure Monitor metrics using Kusto Query Language (KQL). The query is supposed to return average metric values per hour per resource provider, but it returns no results. What is the most likely issue?

A. The ORDER BY clause should be before GROUP BY.
B. The 'bin' function is used incorrectly; it should be 'bin(TimeGenerated, 1h)' without the alias.
C. The table name should be 'AzureMetrics' instead of 'metrics'.
D. The GROUP BY clause cannot include a computed column like 'bin'.
Answer: C

Azure Monitor metrics are stored in the 'AzureMetrics' table in Log Analytics.

Why this answer

The query uses the 'metrics' table, but Azure Monitor metrics are stored in the 'AzureMetrics' table. Option C is correct. Option A is incorrect because bin is valid; Option B is incorrect because GROUP BY works with bin; Option D is incorrect because ORDER BY is fine.

532
MCQ · hard

You are designing a solution that requires asynchronous processing of messages from an Azure Service Bus queue. The solution must guarantee at-least-once delivery and handle poison messages automatically. Which combination of Service Bus features should you use?

A. ReceiveAndDelete mode with a separate dead-letter queue
B. ReceiveAndDelete mode with automatic forwarding
C. PeekLock mode with sessions
D. PeekLock mode with dead-letter queue
Answer: D

PeekLock ensures at-least-once delivery; dead-letter queue captures poison messages after max delivery count.

Why this answer

Option D is correct because PeekLock mode locks the message during processing, preventing other consumers from processing it; if processing fails, the lock expires and the message becomes available again, achieving at-least-once delivery. The dead-letter queue automatically captures messages that exceed the maximum delivery count (poison messages). Option A is wrong because ReceiveAndDelete does not guarantee at-least-once delivery; if processing fails after deletion, the message is lost.

Option B is wrong because sessions are for ordered processing, not poison handling. Option C is wrong because automatic forwarding is for routing, not poison handling.

533
MCQ · easy

You are developing a solution that needs to perform a multi-step workflow. The workflow involves calling several third-party APIs, and some steps may require waiting for a human approval via email. The workflow may run for hours. You want to use Azure Functions to implement this orchestration. Which Azure Functions feature should you use?

A. Durable Functions
B. Timer trigger functions
C. Service Bus queue trigger functions
D. Blob storage trigger functions
Answer: A

Durable Functions is designed for stateful orchestrations, supporting long-running workflows, waiting for external events, and managing multi-step processes.

Why this answer

Durable Functions is the correct choice because it is an extension of Azure Functions that enables stateful, long-running orchestration workflows. It supports waiting for external events (like human approval via email), managing multi-step API calls, and handling execution that may run for hours, all while preserving state through checkpoints and replay.

Exam trap

The trap here is that candidates may confuse trigger-based functions (like Timer or Queue triggers) with orchestration capabilities, not realizing that Durable Functions is the only Azure Functions feature that provides built-in state management and external event waiting for long-running workflows.

How to eliminate wrong answers

Option B is wrong because Timer trigger functions are designed for scheduled, time-based execution and cannot handle multi-step orchestration or wait for external events like human approval. Option C is wrong because Service Bus queue trigger functions process individual messages and do not provide built-in orchestration capabilities for chaining steps or pausing for external input. Option D is wrong because Blob storage trigger functions react to blob creation or updates and are not suited for orchestrating multi-step workflows with human interaction.

534
MCQ · easy

Messages failing to process are redelivered by Azure Service Bus. After a message has been delivered and abandoned the maximum number of times (MaxDeliveryCount), where does Service Bus move the message?

A. The message is moved to the dead-letter sub-queue of the original queue
B. The message is permanently deleted from the queue
C. The message is returned to the front of the queue with its DeliveryCount reset to zero
D. The message expires and is discarded according to the Time-to-Live setting
Answer: A

Dead-lettering on MaxDeliveryCount is automatic. The message's DeliveryCount property increments on each delivery attempt. When DeliveryCount exceeds MaxDeliveryCount, Service Bus moves the message to the /<queue>/$deadletterqueue path with a DeadLetterReason of 'MaxDeliveryCountExceeded'.

Why this answer

When a message in Azure Service Bus is delivered and abandoned the maximum number of times (as defined by the MaxDeliveryCount property, default 10), the message is automatically moved to the dead-letter sub-queue of the original queue. This dead-letter sub-queue stores messages that cannot be processed successfully, allowing you to inspect and handle them separately without losing the message entirely.

Exam trap

The trap here is that candidates often assume messages are simply deleted or returned to the queue when the delivery count is exceeded, but Azure Service Bus explicitly moves them to a dead-letter sub-queue to ensure no data loss and to provide a mechanism for manual handling.

How to eliminate wrong answers

Option B is wrong because Service Bus does not permanently delete messages that exceed MaxDeliveryCount; instead, it moves them to the dead-letter sub-queue to preserve them for later analysis. Option C is wrong because returning the message to the front of the queue with a reset DeliveryCount would defeat the purpose of the MaxDeliveryCount limit and could cause infinite processing loops. Option D is wrong because the Time-to-Live (TTL) setting controls message expiration independently of MaxDeliveryCount; a message that exceeds MaxDeliveryCount is moved to the dead-letter sub-queue regardless of its TTL, unless the TTL expires first.

535
MCQ · medium

Your team is using Azure DevOps to deploy an Azure Kubernetes Service (AKS) cluster. You want to automatically roll back a deployment if the new version causes a high error rate. Which Azure service should you use to implement this?

A. Azure Service Health
B. Azure Monitor
C. Azure Traffic Manager
D. Azure Policy
Answer: B

Azure Monitor can detect error rates and trigger alerts that can be used by Azure DevOps for rollback.

Why this answer

Option D is correct because Azure Monitor autoscale is not for rollback; you need to use a deployment strategy with health probes and maybe a tool like Azure Deployment Manager or progressive exposure in Azure DevOps. However, the most direct answer for automated rollback based on metrics is to configure a canary deployment with Azure App Configuration or use Azure DevOps release gates. The question asks for a service, and Azure Monitor can detect errors, but for automated rollback, you typically use Azure DevOps with monitoring.

Among the options, Azure Monitor combined with Azure DevOps release gates is the best. But given the limited options, 'Azure Monitor' is the core service for error detection. The correct answer is 'Azure Monitor' because it provides the metrics that trigger the rollback.

Option A is wrong because Azure Policy is for compliance. Option B is wrong because Azure Service Health is for Azure platform issues. Option C is wrong because Azure Traffic Manager is for DNS traffic routing.

536
MCQ · hard

Your company has an Azure Kubernetes Service (AKS) cluster that hosts multiple microservices. You are tasked with deploying a new microservice that processes incoming HTTP requests and publishes messages to an Azure Service Bus topic. The microservice must scale based on the number of messages in the topic, and it must support graceful shutdown to complete in-flight requests. You need to choose the appropriate compute platform. The microservice is stateless and can be containerized. You want to minimize operational overhead and cost. The solution must automatically scale to zero when there are no messages. Which option should you choose? Option A: Deploy the microservice as an Azure Function with a Service Bus trigger on the Consumption plan. Option B: Deploy the microservice as a container in AKS with a Horizontal Pod Autoscaler based on Service Bus queue length. Option C: Deploy the microservice as an Azure Container App with a Service Bus scale rule. Option D: Deploy the microservice as an Azure App Service WebJob with continuous mode.

A. Azure Container App with Service Bus scale rule
B. AKS with HPA based on Service Bus queue length
C. Azure Function with Service Bus trigger on Consumption plan
D. Azure App Service WebJob with continuous mode
Answer: A

Container Apps support scale-to-zero and custom scale rules based on Service Bus message count.

Why this answer

Azure Container Apps (ACA) with a Service Bus scale rule is the correct choice because it provides event-driven scaling based on the number of messages in a Service Bus topic, can scale to zero when there are no messages, supports graceful shutdown via terminationGracePeriodSeconds, and minimizes operational overhead compared to AKS. ACA is a serverless container platform that abstracts Kubernetes complexity while still allowing containerized workloads, making it ideal for stateless microservices that need to scale on demand.

Exam trap

The trap here is that candidates often choose Azure Functions for event-driven scaling, but the requirement for containerization and graceful shutdown makes Azure Container Apps the better fit, as Functions are not containerized and have limited control over shutdown behavior.

How to eliminate wrong answers

Option B (AKS with HPA based on Service Bus queue length) is wrong because the Horizontal Pod Autoscaler (HPA) in AKS cannot natively scale based on Service Bus queue length; it requires a custom metrics adapter or KEDA, and AKS does not scale to zero pods (minimum replica count is typically 1). Option C (Azure Function with Service Bus trigger on Consumption plan) is wrong because Azure Functions are not containerized; the requirement states the microservice must be containerized, and Functions run as code, not containers. Option D (Azure App Service WebJob with continuous mode) is wrong because WebJobs run in an App Service plan that cannot scale to zero (always has at least one instance) and does not support containerized deployments natively.

537
Multi-Select · medium

Which THREE Azure services can be used to send email notifications from an application?

Select 3 answers
A. Azure Event Grid
B. Azure Logic Apps
C. Azure Communication Services Email
D. Azure Functions (with SendGrid binding)
E. Azure Service Bus
Answers: B, C, D

Correct: has connectors for email (e.g., Office 365).

Why this answer

Azure Logic Apps, Azure Functions (with SendGrid), and Azure Communication Services Email can send emails. Azure Event Grid and Azure Service Bus are messaging/event services, not email.

538
MCQ · medium

You are designing a solution that uses Azure Container Instances (ACI) to run a batch processing job. The job is expected to run for up to 2 hours. You need to minimize costs. Which ACI configuration should you use?

A. Use a container group with a restart policy of 'OnFailure' or 'Never'.
B. Use GPU-enabled containers for faster processing.
C. Deploy the container group in a virtual network.
D. Use a container group with a restart policy of 'Always'.
Answer: A

The container stops after the job completes, reducing cost.

Why this answer

Option A is correct because setting the restart policy to 'OnFailure' or 'Never' ensures that the container does not restart after the batch job completes, avoiding unnecessary compute charges. ACI bills per second of container runtime, so any idle or restarted container time directly increases cost. For a finite batch job, a restart policy that prevents automatic restarts is the most cost-effective choice.

Exam trap

The trap here is that candidates often assume 'Always' is safer for reliability, but for batch jobs that complete successfully, 'Always' causes continuous restarts and unbounded costs, while 'OnFailure' or 'Never' align with the cost-minimization goal.

How to eliminate wrong answers

Option B is wrong because GPU-enabled containers incur significantly higher costs per second and are unnecessary for standard batch processing jobs that do not require GPU acceleration. Option C is wrong because deploying a container group in a virtual network adds networking overhead and does not reduce compute costs; it is typically used for security or integration, not cost minimization. Option D is wrong because a restart policy of 'Always' causes the container to restart indefinitely after the job completes, leading to continuous billing for idle runtime, which directly contradicts the goal of minimizing costs.

539
MCQ · medium

You are designing a solution that requires atomic operations on a counter stored in Azure Blob Storage. The counter must be updated by multiple instances without conflicts. Which approach should you use?

A. Store the counter in Azure Cosmos DB and use stored procedures to increment atomically.
B. Use Azure Queue Storage to queue increment messages.
C. Store the counter in Azure Table Storage and use optimistic concurrency with ETags.
D. Use Append Blob to append each increment as a new block and sum them later.
Answer: A

Cosmos DB supports atomic operations via stored procedures.

Why this answer

Option A is correct because Azure Cosmos DB stored procedures execute within the database engine's transactional scope, providing ACID-compliant atomic operations. This ensures that concurrent increments from multiple instances are serialized without conflicts, which is not natively supported by Azure Blob Storage's eventual consistency model.

Exam trap

The trap here is that candidates assume Azure Blob Storage's lease or append features can provide atomicity, but Blob Storage lacks server-side atomic read-modify-write operations, making Cosmos DB the only Azure service among the options that natively supports atomic counter updates with stored procedures.

How to eliminate wrong answers

Option B is wrong because Azure Queue Storage decouples message processing but does not guarantee atomic updates to a counter; multiple workers can process messages concurrently, leading to race conditions unless additional locking is implemented. Option C is wrong because Azure Table Storage's optimistic concurrency with ETags only detects conflicts after the fact (via HTTP 412 Precondition Failed), requiring retry logic and still allowing lost updates under high contention. Option D is wrong because Append Blob appends data sequentially but does not provide atomic read-modify-write semantics; summing blocks later is an offline batch operation that cannot ensure real-time atomicity.

540
Multi-Select · medium

Which TWO Azure services can be used to monitor and diagnose performance issues in an Azure Kubernetes Service (AKS) cluster?

Select 2 answers
A. Microsoft Defender for Cloud
B. Azure Network Watcher
C. Application Insights for AKS
D. Azure SQL Analytics
E. Azure Monitor Container Insights
Answers: C, E

Provides distributed tracing and diagnostics.

Why this answer

Options A and C are correct. Container Insights monitors container workload performance, and Azure Monitor for AKS (part of Container Insights) provides diagnostics. Option B is wrong because it's for databases.

Option D is wrong because it's a security solution. Option E is wrong because it's for network management.

541
MCQ · medium

You are monitoring an Azure App Service using Application Insights. You notice that the server response time is high for certain requests. You need to drill down to see which external dependencies (like databases or APIs) are causing the delay. Which Application Insights feature should you use?

A. Live Metrics
B. Application Map
C. Profiler
D. Snapshot Debugger
Answer: C

Profiler captures per-request execution traces, including time spent in external dependencies, helping identify which dependency is slow.

Why this answer

Profiler (C) is correct because it provides a detailed, code-level view of request processing, including the time spent on each external dependency call (e.g., SQL queries, HTTP calls to APIs). It captures execution traces that break down the total server response time into individual dependency durations, allowing you to pinpoint which external service is causing the delay.

Exam trap

The trap here is that candidates confuse Application Map (which shows dependency relationships) with Profiler (which shows per-request timing), leading them to select a visualization tool instead of a performance-analysis tool.

How to eliminate wrong answers

Option A is wrong because Live Metrics shows real-time telemetry (e.g., request rate, failure count) but does not provide dependency-level breakdowns or call-duration details. Option B is wrong because Application Map visualizes the topology of your application and its dependencies but does not drill into per-request timing or trace individual dependency calls. Option D is wrong because Snapshot Debugger captures debug snapshots on exceptions, not for analyzing response-time delays caused by dependencies.

542
MCQ · hard

Refer to the exhibit. You run these Azure CLI commands for an Azure Function app. When the app is accessed from https://app.contoso.com, what is the expected behavior?

A. Only GET requests are allowed
B. Requests from the allowed origin are accepted
C. Requests are blocked because FTPS is required
D. All requests are blocked because no origins are allowed
Answer: B

CORS allows requests from https://app.contoso.com.

Why this answer

Option B is correct because CORS allows the origin, so requests from that origin will succeed. Option A is wrong because FTPS is not related to CORS. Option C is wrong because CORS allows all methods by default.

Option D is wrong because CORS is configured correctly.

543
MCQ · medium

Your application stores sensitive data in Azure Table Storage. You need to encrypt the data at rest. What should you do?

A. Implement client-side encryption using Azure Key Vault.
B. Enable server-side encryption with customer-managed keys in Azure Key Vault.
C. No action needed; Azure Storage Service Encryption (SSE) is enabled by default.
D. Enable Azure Disk Encryption on the virtual machines accessing the storage.
Answer: C

SSE encrypts data at rest automatically.

Why this answer

Option C is correct because Azure Storage Service Encryption (SSE) automatically encrypts all data at rest in Azure Table Storage using 256-bit AES encryption, and it is enabled by default for all new and existing storage accounts. Since the question asks about encrypting data at rest and does not specify a need for customer-managed keys or client-side control, the default SSE meets the requirement without any additional configuration.

Exam trap

The trap here is that candidates often overthink and assume they need to take explicit action (like client-side encryption or customer-managed keys) to encrypt data at rest, when in fact Azure Storage Service Encryption is enabled by default and requires no configuration.

How to eliminate wrong answers

Option A is wrong because client-side encryption is an additional layer that encrypts data before it is sent to Azure Storage, but it is not required for data at rest encryption since SSE already provides that; implementing it would add unnecessary complexity and is not the default or simplest solution. Option B is wrong because server-side encryption with customer-managed keys (CMK) is an optional feature that allows you to use your own key in Azure Key Vault, but it is not needed when the default SSE (which uses Microsoft-managed keys) already encrypts data at rest; enabling CMK is an extra step for specific compliance requirements, not the default action. Option D is wrong because Azure Disk Encryption encrypts the OS and data disks of virtual machines using BitLocker or DM-Crypt, but it does not encrypt the data stored in Azure Table Storage, which is a PaaS service separate from VM disks.

544
Drag & Drop · medium

Arrange the steps to create a CI/CD pipeline using Azure DevOps for an Azure App Service in the correct order.

Why this order

First create repo and push code, then build pipeline, release pipeline, CI trigger, approval gates.

545
MCQ · medium

A developer needs to run a Kusto query against application request data to identify 95th percentile latency by operation. Where should the query be run? The architecture review board prefers a managed AWS-native control.

A. Logs in Application Insights or the associated Log Analytics workspace
B. Microsoft Entra audit logs
C. Azure Key Vault diagnostic settings
D. Azure Resource Graph only
Answer: A

Application Insights stores telemetry that can be queried with KQL in Logs.

Why this answer

Application Insights stores telemetry data, including request latency, in a Log Analytics workspace. Kusto queries against this data can compute percentiles (e.g., 95th) using the `percentile()` function. This is the correct location because the architecture review board prefers a managed AWS-native control, and Log Analytics is the native Azure monitoring service for running such queries.

Exam trap

The trap here is that candidates may confuse Azure Resource Graph with Log Analytics, thinking it can query telemetry data, but Resource Graph only returns resource inventory and configuration state, not performance metrics.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra audit logs contain sign-in and directory activity, not application request latency data. Option C is wrong because Azure Key Vault diagnostic settings capture vault access logs (e.g., get, list, delete operations), not application performance metrics like latency. Option D is wrong because Azure Resource Graph only queries Azure resource metadata and configurations, not telemetry or performance data from applications.

546
MCQ · easy

Your company has an Azure App Service web app that runs on a Standard App Service plan. You need to scale out the app to handle increased traffic during business hours and scale in during off-hours. What should you configure?

A. Configure autoscale rules on the App Service plan to scale out and in based on CPU usage.
B. Manually increase the instance count during business hours.
C. Scale up the App Service plan to a Premium plan.
D. Use Azure Traffic Manager to distribute load.
Answer: A

Autoscale can adjust instance count automatically based on metrics or schedule.

Why this answer

Option A is correct because Azure App Service autoscale rules allow you to automatically scale out (increase instance count) and scale in (decrease instance count) based on metrics like CPU usage. This meets the requirement to handle increased traffic during business hours and reduce costs during off-hours without manual intervention. Autoscale is configured at the App Service plan level, not the web app itself, and works with the Standard tier and above.

Exam trap

The trap here is confusing 'scaling up' (increasing the plan tier or instance size) with 'scaling out' (increasing the number of instances), and assuming that manual scaling or Traffic Manager can achieve automatic scaling based on load.

How to eliminate wrong answers

Option B is wrong because manually increasing the instance count during business hours does not automate the process; the requirement is to scale out and in automatically based on traffic patterns, not manually. Option C is wrong because scaling up to a Premium plan increases the resources (e.g., CPU, memory) of each instance but does not scale out (add more instances) to handle increased traffic; autoscale is already available on the Standard plan. Option D is wrong because Azure Traffic Manager distributes traffic across endpoints for global load balancing and failover, but it does not scale the number of instances in an App Service plan; it works at the DNS level, not the compute scaling level.

547
MCQ · easy

You run the above PowerShell script to upload a blob to Azure Storage. The script fails with an error. Which part of the script is causing the failure?

A. The storage account name 'mystorageaccount' is invalid.
B. The connection string format is incorrect.
C. The -File parameter should be a file path, not a string.
D. The container name 'mycontainer' does not exist.
Answer: C

Set-AzStorageBlobContent expects a local file path; to upload a string, you should use -Value parameter.

Why this answer

The Set-AzStorageBlobContent -File parameter expects a file path, not a string. Option B is correct. Option A is fine; Option C is fine; Option D is fine.

548
MCQ · medium

A queue-processing application stores work items in Azure Queue Storage. A worker crashes after receiving a message. What determines when the message becomes available for another worker?

A. Blob lease duration
B. Visibility timeout
C. Message TTL only
D. Poison queue threshold only
Answer: B

The visibility timeout hides a received message temporarily; it reappears if not deleted before the timeout expires.

Why this answer

When a worker receives a message from Azure Queue Storage, the message becomes invisible to other workers for a period defined by the visibility timeout. If the worker crashes without deleting or updating the message, the visibility timeout expires and the message reappears in the queue, making it available for another worker to process. This mechanism ensures at-least-once processing and prevents message loss on worker failure.

Exam trap

The trap here is confusing the visibility timeout with message TTL or poison queue handling, leading candidates to overlook the specific mechanism that controls message reavailability after a worker crash.

How to eliminate wrong answers

Option A is wrong because blob lease duration applies to Azure Blob Storage leases for exclusive write access, not to queue messages. Option C is wrong because Message TTL (Time-to-Live) only sets the maximum time a message stays in the queue before being deleted, not when it becomes visible after a worker crash. Option D is wrong because the poison queue threshold defines how many times a message can be dequeued before being moved to a poison queue, not when it becomes available after a crash.

549
MCQ · easy

You need to store and retrieve large binary files (up to 100 GB each) with low latency. The files will be accessed by multiple geographic regions. Which Azure storage solution should you recommend?

A. Azure Queue Storage with messages.
B. Azure Files with Azure File Sync.
C. Azure Blob Storage with geo-redundant storage (GRS).
D. Azure SQL Database with file tables.
Answer: C

Azure Blob Storage is designed for large binary objects and supports geo-replication.

Why this answer

Azure Blob Storage is designed for storing large binary objects (up to 4.7 TB per blob) and offers low-latency access via HTTP/HTTPS. Geo-redundant storage (GRS) replicates data to a paired secondary region, providing durability and availability for multi-region access. This combination meets the requirements for large files (up to 100 GB) and low-latency retrieval from multiple geographic regions.

Exam trap

The trap here is that candidates may confuse Azure Files (SMB shares) with Blob Storage for large binary files, not realizing that Azure Files has a 1 TB file size limit and is optimized for shared file access, not for high-throughput blob storage with geo-replication.

How to eliminate wrong answers

Option A is wrong because Azure Queue Storage is a messaging service for decoupling application components, not for storing or retrieving large binary files; messages are limited to 64 KB each. Option B is wrong because Azure Files provides SMB file shares with a maximum file size of 1 TB (not 100 GB per file) and Azure File Sync is for caching on-premises, not optimized for low-latency multi-region blob access. Option D is wrong because Azure SQL Database with file tables stores file metadata in a relational database, but the actual binary data is stored in Azure Blob Storage behind the scenes, and SQL Database is not designed for direct high-throughput binary access with low latency for files up to 100 GB.

550
MCQ · easy

You are developing an Azure Function that runs on a Consumption plan. The function needs to process a large file uploaded to Azure Blob Storage. The processing is CPU-intensive and may take up to 30 minutes. What should you use to implement the function?

A. Use a blob trigger and set the batchSize to 1 to avoid timeouts.
B. Configure the function app to use a Premium plan to allow longer execution times.
C. Set the functionTimeout in host.json to 30 minutes on the Consumption plan.
D. Create an orchestrator function using Durable Functions to manage the processing.
Answer: B

Premium plan allows up to 60 minutes execution time.

Why this answer

Azure Functions on a Consumption plan have a maximum execution timeout of 10 minutes (or 5 minutes by default). For CPU-intensive processing that may take up to 30 minutes, you must use a Premium plan, which supports unlimited execution duration (subject to the functionTimeout setting, which can be set up to 60 minutes by default and up to unlimited if configured). The Premium plan also provides dedicated instances and pre-warmed workers, which are suitable for long-running, resource-intensive workloads.

Exam trap

The trap here is that candidates often assume they can simply increase the functionTimeout in host.json on a Consumption plan, not realizing that the Consumption plan enforces a hard cap of 10 minutes regardless of the setting.

How to eliminate wrong answers

Option A is wrong because a blob trigger on a Consumption plan still enforces the 10-minute timeout; setting batchSize to 1 only controls concurrency, not execution duration, and does not prevent timeout. Option C is wrong because the functionTimeout setting on a Consumption plan cannot exceed 10 minutes (the maximum allowed is 10 minutes, and the default is 5 minutes); setting it to 30 minutes would be ignored or cause an error. Option D is wrong because Durable Functions are designed for orchestrating stateful workflows and fan-out/fan-in patterns, not for simply extending the execution timeout of a single CPU-intensive function; they add complexity and overhead without solving the fundamental timeout limitation on a Consumption plan.

551
Multi-Select · hard

Which THREE factors should you consider when choosing between Azure Container Instances (ACI) and Azure Kubernetes Service (AKS) for a containerized workload? (Choose three.)

Select 3 answers
A. The need for orchestration of multiple containers
B. The restart policy for containers
C. The need for GPU-accelerated compute
D. The availability of Azure Application Gateway Ingress Controller
E. The maximum resource limits per container instance
Answers: A, B, E

ACI is suitable for single-container deployments or simple multi-container groups; AKS is better for complex orchestration.

Why this answer

Option A is correct because AKS provides full orchestration capabilities for managing multiple containers across a cluster, including service discovery, load balancing, and scaling. ACI is designed for single-container or simple multi-container groups without native orchestration, making AKS the appropriate choice when complex orchestration is required.

Exam trap

The trap here is that candidates mistakenly think GPU support is exclusive to AKS, but ACI also supports GPU-accelerated compute, making it a non-differentiating factor; similarly, the Application Gateway Ingress Controller is an AKS-only feature, so it is not a factor to 'consider when choosing' but rather a feature that only exists in one service.

552
MCQ · easy

A company has an Azure App Service web app that occasionally returns 500 errors. You need to diagnose the root cause without impacting production traffic. Which feature should you use?

A. Kudu console
B. Deployment slots
C. Application Insights
D. Autoscaling rules
Answer: B

Slots allow you to test changes in staging before swapping to production.

Why this answer

Deployment slots allow you to route a copy of your production traffic to a staging slot for debugging without affecting the live site. By swapping the staging slot into production after testing, you can reproduce and diagnose 500 errors in an isolated environment. This feature provides zero-downtime deployment and traffic routing, making it ideal for diagnosing production issues safely.

Exam trap

The trap here is that candidates often confuse monitoring tools like Application Insights with the ability to safely reproduce and debug issues in an isolated environment, overlooking the slot-swapping and traffic-routing capabilities of deployment slots.

How to eliminate wrong answers

Option A is wrong because the Kudu console provides direct file system access and command-line tools for debugging, but it operates on the live production site and can impact traffic if misused, and it does not isolate traffic for safe diagnosis. Option C is wrong because Application Insights is a monitoring and telemetry service that helps identify performance issues and errors after they occur, but it does not provide an isolated environment to reproduce and debug errors without affecting production traffic. Option D is wrong because Autoscaling rules automatically adjust the number of instances based on load, but they do not help diagnose the root cause of 500 errors and may even mask underlying issues by scaling out.

553
MCQ · easy

Your application uses Azure App Service and needs to authenticate users via Microsoft Entra ID. You want to minimize code changes. Which feature should you use?

A. Azure AD B2C
B. Microsoft.Identity.Web library
C. App Service Authentication (Easy Auth)
D. MSAL.js
Answer: C

Easy Auth integrates with Microsoft Entra ID with minimal code.

Why this answer

App Service Authentication (Easy Auth) provides built-in authentication with Microsoft Entra ID without requiring code changes. Option A is correct. Option B is wrong because Microsoft.Identity.Web requires code changes. Option C is wrong because MSAL requires code. Option D is wrong because Azure AD B2C is for external identities.

554
MCQ · medium

You have a web application monitored by Application Insights. You want to receive an alert when the average server response time exceeds 2 seconds for a rolling 5-minute period. Which alert rule type should you create?

A. Application Insights metric alert on 'Server response time' with condition 'Greater than 2' and evaluation frequency 5 minutes
B. Log alert based on a Kusto query that measures average response time in 5-minute windows
C. Smart Detection alert on response time degradation
D. Availability test alert for HTTP response time
Answer: A

Metric alerts are designed for threshold-based monitoring; this configuration will fire if the 5-minute average exceeds 2 seconds.

Why this answer

A metric alert on 'Server response time' is the correct choice because it continuously evaluates the average server response time over a rolling 5-minute window and triggers when the value exceeds 2 seconds. Metric alerts are designed for near-real-time monitoring of performance counters like response time, with a fixed evaluation frequency that matches the aggregation window, making them ideal for this scenario.

Exam trap

The trap here is confusing metric alerts (which evaluate pre-aggregated performance counters in near-real-time) with log alerts (which require querying raw telemetry data and have higher latency), leading candidates to incorrectly choose the log-based option for a simple threshold-based metric condition.

How to eliminate wrong answers

Option B is wrong because a Log alert based on a Kusto query is designed for analyzing log data (e.g., traces, exceptions) and incurs ingestion latency, making it unsuitable for low-latency, rolling-window performance thresholds like server response time. Option C is wrong because Smart Detection alerts use machine learning to detect anomalies in response time patterns, not a fixed threshold of 2 seconds over a 5-minute period. Option D is wrong because Availability test alerts monitor the availability and responsiveness of an endpoint from multiple locations, not the average server response time for all requests over a rolling window.

555
MCQ · hard

Your application uses Azure Cosmos DB for NoSQL. You need to implement server-side computed properties that depend on multiple document fields. The computation must be performed atomically. Which approach should you use?

A. Use a pre-trigger to compute the property on write
B. Use the change feed to compute the property asynchronously
C. Use a user-defined function (UDF) in queries
D. Use a stored procedure to compute and update the property in a single transaction
Answer: D

Stored procedures provide atomic transactional execution within a partition.

Why this answer

Stored procedures in Azure Cosmos DB for NoSQL execute within a transactional scope, allowing you to atomically compute a property based on multiple document fields and update the document in a single operation. This ensures that the computation and update are performed as an all-or-nothing unit, which is required for atomicity. Pre-triggers, change feeds, and UDFs do not provide atomic read-modify-write semantics across multiple fields.

Exam trap

The trap here is that candidates often confuse the atomic execution of a stored procedure with the eventual consistency of the change feed or the query-time computation of a UDF, failing to recognize that only stored procedures provide a transactional scope for read-modify-write operations on the same document.

How to eliminate wrong answers

Option A is wrong because pre-triggers run before a write operation but cannot atomically read the existing document fields, compute a new property, and update the same document in a single transaction—they only modify the document being written. Option B is wrong because the change feed processes changes asynchronously, which breaks atomicity; the computed property would be applied in a separate operation, not within the same transaction as the original write. Option C is wrong because user-defined functions (UDFs) are stateless and only compute values at query time; they cannot persist computed properties back to the document or guarantee atomic updates.

556
MCQ · easy

You are developing an application that stores user secrets. You need to ensure that the secrets are encrypted at rest and rotated automatically. Which Azure service should you integrate?

A. Azure Storage.
B. Azure Key Vault.
C. Azure Security Center.
D. Microsoft Entra ID.
Answer: B

Correct. Key Vault is designed for secret management with encryption and rotation capabilities.

Why this answer

Azure Key Vault is the correct choice because it provides centralized management of secrets, keys, and certificates with built-in encryption at rest using FIPS 140-2 Level 2 validated hardware security modules (HSMs). It also supports automatic rotation of secrets through integration with Azure Event Grid and Azure Functions, enabling you to schedule or trigger key rotation policies without manual intervention.

Exam trap

The trap here is that candidates often confuse Azure Storage's built-in encryption at rest with the need for a dedicated secrets management service, overlooking that Key Vault alone provides both encryption at rest and automated rotation for secrets.

How to eliminate wrong answers

Option A is wrong because Azure Storage encrypts data at rest by default using server-side encryption (SSE) but does not provide native secret rotation capabilities or a dedicated secrets management interface. Option C is wrong because Azure Security Center is a unified security management and threat protection service that monitors security posture and provides recommendations, but it does not store or rotate secrets. Option D is wrong because Microsoft Entra ID (formerly Azure AD) is an identity and access management service that handles authentication and authorization, not the storage or rotation of application secrets.

557
MCQ · easy

You are developing a web application that runs on Azure App Service. The application needs to store session state. Which Azure service provides the best performance and reliability for session state storage?

A. Azure Table Storage
B. Azure Blob Storage
C. Azure Cache for Redis
D. Azure SQL Database
Answer: C

Correct: Redis is the recommended session state provider for performance.

Why this answer

Azure Cache for Redis provides the best performance and reliability for session state storage because it is an in-memory data store with sub-millisecond latency, designed for high-throughput, low-latency scenarios like session caching. It supports session state providers natively in ASP.NET and ASP.NET Core, ensuring fast reads and writes for each user request without the overhead of disk I/O or network latency associated with other storage options.

Exam trap

The trap here is that candidates often choose Azure SQL Database or Table Storage because they are familiar with them for data storage, but they overlook that session state is a transient, high-frequency access pattern that demands an in-memory cache like Redis, not a durable or relational store.

How to eliminate wrong answers

Option A is wrong because Azure Table Storage is a NoSQL key-value store optimized for structured, non-relational data at scale, but it has higher latency (typically 10-50 ms per operation) and lacks the in-memory speed needed for session state, which requires frequent, fast reads and writes. Option B is wrong because Azure Blob Storage is designed for storing large unstructured data like images and videos, not for high-frequency, low-latency access patterns; its latency (often 50-100+ ms) and lack of native session state provider support make it unsuitable for session state. Option D is wrong because Azure SQL Database is a relational database with transactional consistency, but its disk-based storage and connection overhead (e.g., TCP handshake, query parsing) introduce higher latency (typically 5-50 ms) compared to Redis, and it is overkill for simple key-value session data, leading to unnecessary cost and complexity.

558
MCQ · easy

You need to monitor the performance of an Azure App Service web app. You want to track the number of HTTP 500 errors over the last hour. Which Azure Monitor metric should you use?

A. Data In
B. Average Response Time
C. Http5xx
D. Requests
Answer: C

Http5xx metric tracks number of server error responses.

Why this answer

The Http5xx metric in Azure Monitor tracks the count of HTTP 500-level server error responses returned by your App Service. Since the question specifically asks for the number of HTTP 500 errors over the last hour, this metric directly provides that count without any aggregation or filtering needed.

Exam trap

The trap here is that candidates may confuse 'Http5xx' with 'Requests' or 'Average Response Time', thinking that a high error count would be reflected in those metrics, but they do not directly count error status codes.

How to eliminate wrong answers

Option A is wrong because Data In measures the amount of incoming data (in bytes) to the app, not error counts. Option B is wrong because Average Response Time measures the average time taken to serve requests, not the count of specific HTTP status codes. Option D is wrong because Requests tracks the total number of HTTP requests received, regardless of their response status, so it does not isolate 500 errors.

559
Multi-Select · easy

Which TWO of the following are valid authentication options for accessing Azure Storage from an application? (Choose TWO.)

Select 2 answers
A. Storage account key (Shared Key).
B. Microsoft Entra ID (formerly Azure AD) authentication.
C. Certificate-based authentication.
D. Managed Service Identity (MSI).
E. Shared access signature (SAS) token.
Answers: A, B

Shared Key is a valid authentication method.

Why this answer

Option A is correct because the storage account key (Shared Key) provides full administrative access to the storage account, allowing the application to authenticate requests via the Authorization header using HMAC-SHA256. Option B is correct because Microsoft Entra ID (formerly Azure AD) supports role-based access control (RBAC) for Azure Storage, enabling applications to authenticate using OAuth 2.0 tokens for fine-grained access without exposing account keys.

Exam trap

The trap here is that candidates often confuse Managed Service Identity (MSI) as a standalone authentication method, when in reality it is an identity provider that relies on Entra ID tokens, and they may also mistake SAS tokens as an authentication option rather than a delegated authorization mechanism.

560
MCQ · medium

You are developing a microservice that processes images. After processing, it needs to store the result in Azure Blob Storage and send a message to Azure Service Bus for further processing. Which Azure SDK client should you use to minimize overhead?

A. Use the Azure.Storage.Blobs and Azure.Messaging.ServiceBus NuGet packages
B. Deploy the microservice as an Azure Function
C. Call the Azure REST APIs directly using HttpClient
D. Use Azure SignalR Service for messaging
Answer: A

These SDK packages provide efficient, high-level APIs for Blob Storage and Service Bus.

Why this answer

The Azure SDK for .NET provides client libraries for Blob Storage and Service Bus that are optimized for performance and low overhead. Option A is wrong because REST APIs require manual HTTP handling. Option B is wrong because SignalR is for real-time messaging, not queues. Option C is wrong because Functions are compute, not client libraries.

561
MCQ · easy

You deploy a web app to Azure App Service. Users report intermittent 500 errors. How should you enable detailed error logging?

A. Configure Azure Storage account diagnostics
B. Set up Azure DNS logging
C. Enable Application Insights for the web app
D. Enable Azure Front Door logging
Answer: C

Captures exceptions and traces.

Why this answer

Option A is correct because Application Insights provides detailed error tracking. Option B is wrong because it's for storage. Option C is wrong because it's a CDN. Option D is wrong because it's for DNS.

562
MCQ · medium

A company uses Azure Logic Apps to integrate with a third-party CRM system. The CRM API requires OAuth 2.0 authentication. The developer needs to securely store the client secret and refresh token. Which Azure service should the developer use?

A. Azure App Configuration
B. Azure Key Vault
C. Azure Managed Identity
D. Azure SQL Database
Answer: B

Key Vault securely stores secrets and credentials, and Logic Apps can reference them.

Why this answer

Option A is correct because Azure Key Vault securely stores secrets and credentials, and Logic Apps can reference them. Option B is incorrect because Azure App Configuration is for configuration settings, not secrets. Option C is incorrect because Azure SQL Database is not a secret store. Option D is incorrect because Azure Managed Identity is for Azure AD authentication, not for third-party OAuth secrets.

563
MCQ · medium

You need to deploy an Azure Functions app that runs on a dedicated App Service plan. The function must be triggered by an HTTP request and call a downstream API that requires OAuth 2.0 authentication. Which approach should you use to store the API credentials securely?

A. Use Azure App Configuration with plain text
B. Store credentials in a configuration file in the deployment package
C. Use Key Vault references in the function app settings
D. Store credentials in the function code as constants
Answer: C

Key Vault references securely inject secrets.

Why this answer

Option C is correct because Azure Key Vault references in function app settings allow you to securely store and retrieve sensitive information like OAuth 2.0 credentials (client ID, client secret) without exposing them in code or configuration files. The function app resolves these references at runtime using a managed identity, ensuring credentials are never stored in plaintext or accessible via source control.

Exam trap

The trap here is that candidates may confuse Azure App Configuration (a configuration store) with Azure Key Vault (a secrets store), assuming both are equally secure for credentials, but App Configuration does not natively encrypt values or support managed identity-based access for secrets without Key Vault integration.

How to eliminate wrong answers

Option A is wrong because Azure App Configuration is a service for managing application settings and feature flags, but storing credentials as plain text there violates security best practices and does not provide encryption at rest or access control for secrets. Option B is wrong because storing credentials in a configuration file within the deployment package exposes them to anyone with access to the package or source repository, and they are not encrypted or managed centrally. Option D is wrong because hardcoding credentials as constants in function code makes them visible in source control, difficult to rotate, and a severe security risk; Azure Functions should never embed secrets directly in code.

564
MCQ · hard

A Durable Functions workflow for a booking backend must call five independent activity functions and continue only after all results are available. Which pattern is appropriate?

A. Monitor pattern
B. Fan-out/fan-in
C. Human interaction
D. Function chaining
Answer: B

Fan-out/fan-in runs activities in parallel and aggregates results after all complete.

Why this answer

The fan-out/fan-in pattern is designed for scenarios where multiple independent tasks must execute in parallel, and the workflow must wait for all results before proceeding. In Durable Functions, this is implemented using `Task.WhenAll()` to fan out activity function calls and then aggregate their results, which matches the requirement of calling five independent activities and continuing only after all results are available.

Exam trap

The trap here is that candidates often confuse the fan-out/fan-in pattern with function chaining, mistakenly thinking that sequential execution is sufficient, or they incorrectly apply the Monitor pattern when the requirement is simply parallel execution without polling.

How to eliminate wrong answers

Option A is wrong because the Monitor pattern is used for polling an external resource until a specific condition is met, not for parallel execution of independent tasks. Option C is wrong because the Human Interaction pattern involves waiting for manual input or approval, which is not applicable to automated parallel activity calls. Option D is wrong because Function chaining executes activities sequentially, one after another, which does not achieve the parallel execution required here.

565
MCQ · hard

You have an Azure App Service web app that uses a custom domain with TLS/SSL binding. You need to migrate the app to a new App Service plan in a different region. What is the correct order of steps?

A. Create the new plan, deploy the app, export the current plan, bind the domain
B. Export the current plan, create the new plan, bind the domain, deploy the app
C. Bind the domain to the new plan, export the current plan, create the new plan, deploy the app
D. Export the current plan, create the new plan, deploy the app, bind the domain and certificate
Answer: D

Correct order: export configuration, create new plan, deploy app, then bind domain and TLS.

Why this answer

First export the current App Service plan (or scale up), then create the new plan, deploy the app, and finally bind the custom domain and TLS certificate. Option D is the correct sequence. Option A misses the certificate binding. Option B is out of order. Option C exports after creating the new plan.

566
MCQ · hard

You are designing a solution that requires storing millions of small (1-5 KB) messages from IoT devices. Each message has a unique device ID and timestamp. You need to support efficient point queries by device ID and time range, and also support aggregation queries (e.g., count of messages per device per hour). Which Azure storage solution should you use?

A. Azure Cosmos DB for NoSQL
B. Azure Table Storage
C. Azure Queue Storage
D. Azure Blob Storage with JSON files
Answer: B

Table Storage supports efficient point queries and is cost-effective for small entities.

Why this answer

Azure Table Storage is the correct choice because it is a NoSQL key-value store optimized for storing large volumes of structured, non-relational data. It supports efficient point queries using the PartitionKey (device ID) and RowKey (timestamp), enabling fast retrieval by device ID and time range. Additionally, it allows aggregation queries like counting messages per device per hour via partition-scanned queries or client-side aggregation, and it is cost-effective for storing millions of small (1-5 KB) messages.

Exam trap

The trap here is that candidates often choose Azure Cosmos DB for NoSQL because of its query flexibility and indexing, overlooking the cost implications and the fact that Azure Table Storage provides sufficient query capabilities for simple key-value and range queries at a fraction of the cost.

How to eliminate wrong answers

Option A is wrong because Azure Cosmos DB for NoSQL, while capable of similar queries, is significantly more expensive and over-provisioned for storing millions of small messages; its throughput-based pricing model makes it cost-prohibitive for high-volume, low-value IoT data. Option C is wrong because Azure Queue Storage is a message queuing service for asynchronous communication, not a durable storage solution for point queries or aggregation; it does not support querying by device ID or time range. Option D is wrong because Azure Blob Storage with JSON files is designed for unstructured blob data and lacks native indexing for efficient point queries by device ID and timestamp; querying millions of small JSON files would require scanning all blobs or using external indexing, which is inefficient and costly.

567
MCQ · medium

Your application uses Azure App Configuration with Microsoft Entra ID authentication. You want to ensure that only authorized services can read configuration values. What is the recommended approach?

A. Enable public network access only from trusted IPs
B. Use access keys and rotate them frequently
C. Store connection strings in Azure Key Vault and retrieve them at runtime
D. Assign the App Configuration Data Reader role to the managed identity of the consuming service
Answer: D

This grants least-privilege access using RBAC and the service's managed identity.

Why this answer

Using managed identities with role-based access control (RBAC) is the recommended way to grant access to Azure App Configuration without managing credentials.

568
Multi-Selectmedium

Which TWO actions should you take to ensure high availability for a stateful ASP.NET application deployed on Azure App Service?

Select 2 answers
A. Enable ARR Affinity (client affinity) to maintain session state.
B. Scale up the App Service plan to a higher tier.
C. Deploy the application to multiple regions and use Traffic Manager.
D. Store session state in Azure Files share.
E. Disable session state to allow any instance to handle requests.
Answers: A, C

ARR affinity ensures requests from same client go to same instance.

Why this answer

Option A is correct because enabling ARR Affinity (client affinity) ensures that all requests from a given client session are routed to the same instance, preserving in-memory session state. Without this, a stateful ASP.NET application would lose session data if subsequent requests are load-balanced to different instances, causing session state errors.

Exam trap

The trap here is that candidates often confuse scaling up (Option B) with high availability, not realizing that scaling up only adds resources to a single instance, whereas high availability requires redundancy across instances or regions.

569
MCQ · easy

You are designing a solution to store large amounts of unstructured data that is accessed infrequently (once a quarter). You need to minimize storage costs. Which Azure storage tier should you use?

A. Cold
B. Hot
C. Archive
D. Cool
Answer: D

For infrequently accessed data (30+ days).

Why this answer

The Cool tier is designed for data that is accessed infrequently (about once a quarter) and stored for at least 30 days, offering lower storage costs than Hot while still providing low-latency access. Since the data is unstructured and accessed only quarterly, Cool balances cost and availability without the long retrieval time or minimum storage duration of Archive.

Exam trap

The trap here is that candidates confuse 'Cold' with 'Cool' or assume 'Archive' is always the cheapest option without considering retrieval latency and minimum storage duration penalties.

How to eliminate wrong answers

Option A (Cold) is wrong because Azure Storage does not have a 'Cold' tier; the correct tiers are Hot, Cool, and Archive. Option B (Hot) is wrong because it is optimized for frequent access (multiple times per day) and has the highest storage cost, making it unsuitable for infrequently accessed data. Option C (Archive) is wrong because while it has the lowest storage cost, it requires a retrieval time of up to 15 hours and a minimum storage duration of 180 days, which is excessive for quarterly access and would increase total cost due to early deletion fees.

570
MCQ · easy

You are developing a solution that needs to run a background task every 10 minutes to clean up temporary files in Azure Blob Storage. You want to use Azure Functions with the Consumption Plan to minimize cost. Which trigger type should you use?

A. HTTPTrigger
B. TimerTrigger
C. BlobTrigger
D. ServiceBusTrigger
Answer: B

TimerTrigger is specifically designed for running functions on a schedule using a CRON expression. It is ideal for periodic tasks every 10 minutes.

Why this answer

B is correct because TimerTrigger is designed for scheduled execution of background tasks at fixed intervals, such as every 10 minutes. It uses a cron expression to define the schedule and runs on the Consumption Plan, which scales to zero when idle, minimizing cost. This makes it the ideal choice for periodic cleanup of temporary files in Azure Blob Storage.

Exam trap

The trap here is that candidates may confuse BlobTrigger (event-driven on blob changes) with a scheduled cleanup task, not realizing that TimerTrigger is the only trigger that natively supports recurring time-based execution without external dependencies.

How to eliminate wrong answers

Option A is wrong because HTTPTrigger requires an incoming HTTP request to invoke the function, making it unsuitable for a scheduled background task that must run autonomously every 10 minutes. Option C is wrong because BlobTrigger fires only when a new or updated blob is detected in a container, not on a fixed time schedule, so it cannot enforce a periodic cleanup routine. Option D is wrong because ServiceBusTrigger responds to messages arriving on a Service Bus queue or topic, which would require an external sender to produce messages every 10 minutes, adding unnecessary complexity and cost compared to a simple TimerTrigger.

571
MCQ · hard

A system receives high-volume event notifications from Azure resources and routes them to serverless handlers. Events are lightweight and should use native event routing. Which service should be used? The architecture review board prefers a managed AWS-native control.

A. Azure DNS
B. Azure Event Grid
C. Azure Files
D. Azure Service Bus queue
Answer: B

Event Grid is designed for reactive event routing from Azure services and custom publishers.

Why this answer

Azure Event Grid is the correct choice because it is a fully managed event routing service designed for high-volume, lightweight event notifications using native event routing (HTTP push). It directly supports Azure resource events and serverless handlers like Azure Functions, aligning with the requirement for native event routing without polling or queuing overhead.

Exam trap

The trap here is confusing Azure Event Grid (push-based, lightweight event routing) with Azure Service Bus (pull-based, durable messaging), leading candidates to choose Service Bus for its familiarity with queuing, despite the requirement for native event routing.

How to eliminate wrong answers

Option A is wrong because Azure DNS is a domain name resolution service, not an event routing service; it cannot handle event notifications or trigger serverless handlers. Option C is wrong because Azure Files provides managed file shares via SMB/NFS protocols, which are unsuitable for event-driven, lightweight event routing. Option D is wrong because Azure Service Bus queue is a message broker for ordered, durable messaging with pull-based consumption, not a native event routing service for lightweight, push-based events.

572
MCQ · easy

You are building a serverless application that needs to store user profile data. The data includes simple fields like name, email, and preferences. The data is frequently accessed by user ID. You need a schema-less, low-latency storage solution that is cost-effective for millions of small records. Which Azure Storage solution should you use?

A. Azure Blob Storage
B. Azure Queue Storage
C. Azure Table Storage
D. Azure File Storage
Answer: C

Table Storage is a NoSQL key-value store optimized for structured data. It supports schema-less entities and fast access by partition key and row key, making it suitable for user profiles keyed by user ID.

Why this answer

Azure Table Storage is a NoSQL key-value store that is schema-less, making it ideal for storing user profile data with varying fields like name, email, and preferences. It offers low-latency access by user ID via the PartitionKey and RowKey, and it is cost-effective for millions of small records because you pay only for the storage consumed, with no minimum charge per record.

Exam trap

The trap here is that candidates often confuse Azure Table Storage with Azure Cosmos DB for Table API, but the question specifically asks for a cost-effective solution for millions of small records, and Azure Table Storage (part of Azure Storage account) is the cheaper, schema-less option without the premium features and higher cost of Cosmos DB.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage is designed for unstructured binary or text data (e.g., images, videos, documents) and does not provide native key-value querying by user ID; it requires a separate index or metadata system for such lookups. Option B is wrong because Azure Queue Storage is a messaging service for asynchronous communication between application components, not a persistent storage solution for user profile data. Option D is wrong because Azure File Storage provides fully managed file shares accessible via SMB protocol, which is overkill for simple key-value records and incurs higher costs due to per-GB pricing and minimum share size requirements.

573
MCQ · hard

You have a blob as shown in the exhibit. You need to read the content of this blob. What must you do first?

A. Convert the blob to an AppendBlob type.
B. Use the Get-AzStorageBlobContent cmdlet to download the blob directly.
C. Set the access tier of the blob to Hot or Cool using Set-AzStorageBlobTier.
D. Use the storage account key to access the blob.
Answer: C

Rehydrating the blob makes it accessible for reading.

Why this answer

The blob in the exhibit is an archived blob, which is offline and cannot be read directly. You must first rehydrate it by setting its access tier to Hot or Cool using Set-AzStorageBlobTier, which initiates an asynchronous copy from the archive tier to an online tier. Only after rehydration completes can you read the blob content.

Exam trap

The trap here is that candidates assume a storage account key or a direct download cmdlet can access any blob, but Azure enforces the archive tier's offline state, requiring explicit rehydration before any read operation.

How to eliminate wrong answers

Option A is wrong because converting the blob to an AppendBlob type does not change its offline archive state; AppendBlob is a blob type for append operations, not a tier change, and the blob remains inaccessible. Option B is wrong because Get-AzStorageBlobContent attempts to download the blob directly, but an archived blob is offline and returns a 409 error (BlobArchived) until rehydrated. Option D is wrong because using the storage account key provides authentication but does not bypass the archive tier restriction; the blob is still offline and cannot be accessed regardless of credentials.

574
MCQ · easy

You are developing a containerized application that will be deployed to Azure Container Instances (ACI). The application consists of a web front-end and a background worker that processes messages from an Azure Storage Queue. You need to ensure that the worker container runs continuously and processes messages as they arrive. The solution must minimize cost and management overhead. What should you do?

A. Use Azure Container Apps with a scale rule that triggers on queue length.
B. Run the worker inside an Azure virtual machine with a container runtime.
C. Deploy the worker as a container in ACI with the restart policy set to OnFailure.
D. Deploy the worker as a container group in ACI with the restart policy set to Always.
Answer: D

ACI with Always restart ensures the worker keeps running and is cost-effective with no orchestration overhead.

Why this answer

Option D is correct because ACI with a restart policy of Always ensures the worker container restarts immediately after it finishes processing a message, allowing it to continuously poll the Azure Storage Queue for new messages. This minimizes cost by using a serverless container model without provisioning VMs or managing orchestration, and it reduces management overhead compared to alternatives like Azure Container Apps or VMs.

Exam trap

The trap here is that candidates mistakenly choose the OnFailure restart policy (Option C) thinking it will restart the container after each message, but they overlook that a successful exit (exit code 0) does not trigger a restart, causing the worker to stop after processing one message.

How to eliminate wrong answers

Option A is wrong because Azure Container Apps introduces additional orchestration and scaling complexity, which increases cost and management overhead unnecessarily for a simple background worker that can run continuously in ACI. Option B is wrong because running the worker inside an Azure VM with a container runtime requires managing the VM, patching, and scaling, which increases cost and overhead compared to a serverless ACI solution. Option C is wrong because the OnFailure restart policy only restarts the container if it exits with a non-zero exit code, but a worker that processes messages successfully will exit with code 0 and stop, preventing it from continuously polling the queue.

575
Multi-Select · easy

Which TWO actions can you perform using Azure Container Registry (ACR) tasks?

Select 2 answers
A. Schedule a task to patch base images
B. Automatically build a container image on code commit
C. Import images from another registry
D. Deploy images to AKS
E. Automatically scan images for vulnerabilities
Answers: A, B

ACR Tasks can run on schedule to rebuild images.

Why this answer

ACR Tasks supports automated patching of base images through the 'base image update' trigger. When a base image in a public or private registry is updated, ACR Tasks can automatically rebuild any container images that depend on it, ensuring security patches are applied without manual intervention. This is configured via the `--base-image-trigger-enabled` flag in the `az acr task create` command.

Exam trap

The trap here is that candidates confuse ACR Tasks with the broader Azure Container Registry feature set, assuming that import, deployment, or scanning are part of ACR Tasks when they are separate services or commands.

576
MCQ · medium

Your organization uses Azure Policy to enforce compliance. You need to ensure that all Azure SQL databases have Advanced Data Security (ADS) enabled. What type of Azure Policy effect should you use to automatically enable ADS if it is not already enabled?

A. Audit
B. Modify
C. Deny
D. DeployIfNotExists
Answer: D

Deploys the ADS configuration if missing, ensuring automatic remediation.

Why this answer

The DeployIfNotExists effect can deploy a resource or configuration if it does not exist. Option D is correct. Option A audits but doesn't remediate. Option C denies non-compliant resources but does not automatically enable ADS. Option B is for removing resources.

577
Multi-Select · medium

Which THREE of the following are true about Azure Blob Storage lifecycle management?

Select 3 answers
A. It can be defined at the container level.
B. It can automatically move blobs to the Cool tier after a specified number of days.
C. It can be applied to general-purpose v2 and Blob Storage accounts.
D. It can delete blob snapshots after a specified number of days.
E. It can change the replication type of the storage account.
Answers: B, C, D

Lifecycle management can move blobs to Cool or Archive tiers.

Why this answer

Option B is correct because Azure Blob Storage lifecycle management policies can automatically transition blobs to the Cool tier after a specified number of days. This is achieved by defining a rule with a 'tierToCool' action and a 'daysAfterModificationGreaterThan' filter, allowing cost optimization based on data access patterns.

Exam trap

The trap here is that candidates may think lifecycle policies can be applied at the container level (Option A) because they often use container-scoped filters, but the policy definition itself is always at the storage account level.

578
MCQ · hard

Your company deploys a microservices architecture on Azure Kubernetes Service (AKS). The application consists of a frontend service, an order service, and a payment service. The order service writes messages to an Azure Service Bus queue, and the payment service processes them. You need to ensure that the payment service can scale independently based on the queue length, and that the processing is fault-tolerant: if the payment service crashes during message processing, the message should not be lost and should be retried. You also need to minimize cost by reducing the number of idle instances. You configure the payment service as an Azure Function triggered by the Service Bus queue. Which configuration options should you set?

A. Use an Azure Storage Queue instead of Service Bus. Set the function's batchSize to 10.
B. Disable retries completely to avoid duplicate processing.
C. Set the function to run on a fixed instance count of 3.
D. Set maxDeliveryCount to 5 in the Service Bus queue. Configure the Azure Function's scaling mode to 'Scale based on the number of messages in the queue'.
Answer: D

maxDeliveryCount provides retries; scaling based on queue length optimizes cost.

Why this answer

Setting maxDeliveryCount to 5 ensures that messages are retried up to 5 times if processing fails, which provides fault tolerance. Setting the function scaling mode to 'Scale based on the number of messages in the queue' allows the function to scale out based on queue length, reducing idle instances. Option D is the correct combination. Option A is wrong because using a storage queue instead of Service Bus would require different scaling. Option C is wrong because a fixed instance count would not minimize cost. Option B is wrong because disabling retries would lead to message loss.

579
Multi-Select · easy

You are developing an Azure Functions app that processes events from an Event Hubs instance. The function must scale out automatically based on the number of partitions in the Event Hub. You need to ensure that each function instance processes events from at least one partition. Which THREE configurations should you use?

Select 3 answers
A. Set the function app to use the 'Event Scale' mode with a target of one instance per partition.
B. Set the 'MaxBatchSize' property to 1 to ensure even distribution.
C. Configure the function to use an event processor host with blob storage for checkpointing.
D. Select the Premium App Service plan for the function app.
E. Use the EventHubs trigger with the 'PartitionKey' parameter set to the partition ID.
Answers: A, C, E

Event Scale mode maximizes parallelism per partition.

Why this answer

Option A is correct because the 'Event Scale' mode with a target of one instance per partition ensures that the function app scales out to match the number of Event Hub partitions, with each instance processing events from at least one partition. This mode is specifically designed for event-driven scaling with Event Hubs, guaranteeing that each partition is processed by a dedicated instance for optimal throughput and ordering.

Exam trap

The trap here is that candidates confuse batch size configuration (MaxBatchSize) with scaling behavior, or assume a Premium plan is mandatory for partition-level scaling, when in fact the Event Scale mode and checkpointing are the key mechanisms.

580
MCQ · easy

You need to grant access to a blob stored in Azure Blob Storage for 30 minutes to a user who does not have an Azure account. Which security mechanism should you use?

A. Azure RBAC roles
B. Storage account access keys
C. Managed identity
D. Shared Access Signature (SAS) token
Answer: D

Time-limited access without Azure account.

Why this answer

A Shared Access Signature (SAS) token is the correct choice because it provides delegated, time-limited access to a specific blob resource without requiring the user to have an Azure account. You can set the token's expiry to 30 minutes, granting temporary access via a URI that includes the necessary authentication parameters. This mechanism is designed for scenarios where you need to grant granular, time-bound access to external users or clients.

Exam trap

The trap here is that candidates often confuse SAS tokens with storage account access keys, mistakenly thinking keys can be scoped or time-limited, or they assume RBAC can be used for external users without understanding the Azure AD dependency.

How to eliminate wrong answers

Option A is wrong because Azure RBAC roles require the user to have an Azure Active Directory identity and an Azure subscription, which is not the case here. Option B is wrong because storage account access keys grant full administrative access to the entire storage account and cannot be scoped to a single blob or time-limited; sharing keys also exposes the account to security risks. Option C is wrong because managed identity is intended for Azure resources (e.g., VMs, App Services) to authenticate to Azure services without storing credentials, not for granting access to external users without an Azure account.

581
MCQ · medium

You are monitoring an Azure web app using Application Insights. You need to create a query that returns the average duration of requests for each HTTP method (GET, POST, etc.) over the last hour, sorted by duration. Which Kusto query should you use?

A. `requests | summarize avg(duration) by method | order by avg_duration desc`
B. `requests | summarize avg(duration) by method | sort by method asc`
C. `requests | where timestamp > ago(1h) | summarize avg(duration) by method | order by avg_duration desc`
D. `requests | where timestamp > ago(1h) | summarize avg(duration) by method | sort by method`
Answer: C

Correct. Filters to the last hour, summarizes by method with average duration, and orders descending by that average.

Why this answer

Option C is correct because it first filters requests to only those from the last hour using `where timestamp > ago(1h)`, then calculates the average duration grouped by HTTP method with `summarize avg(duration) by method`, and finally orders the results by the computed average duration in descending order using `order by avg_duration desc`. This matches the requirement exactly: last hour, average duration per method, sorted by duration.

Exam trap

The trap here is that candidates often forget to apply the time filter (`where timestamp > ago(1h)`) or mistakenly sort by the method name instead of the computed average duration, because the question explicitly says 'sorted by duration' but the options include plausible but incorrect sort columns.

How to eliminate wrong answers

Option A is wrong because it omits the time filter (`where timestamp > ago(1h)`), so it would return average durations across all historical data, not just the last hour. Option B is wrong because it also lacks the time filter and sorts by method name ascending instead of by average duration, which does not satisfy the 'sorted by duration' requirement. Option D is wrong because although it correctly filters to the last hour and summarizes by method, it sorts by the method name (alphabetically) rather than by the average duration, failing the 'sorted by duration' condition.

582
MCQ · hard

You are designing a solution that uses Azure Batch for parallel processing of large datasets. Each task requires significant CPU and memory. You need to minimize compute costs while ensuring tasks complete within a deadline. Which pool configuration should you use?

A. A mix of dedicated and low-priority VMs without retry
B. Low-priority VMs with a task retry policy
C. Use Azure Container Instances instead of Batch
D. Dedicated VMs only
Answer: B

Low-priority VMs reduce cost and retry ensures completion.

Why this answer

Low-priority VMs (now called Spot VMs) offer significant cost savings but can be preempted. Using them with a task retry policy ensures completion. Dedicated VMs are more expensive.

583
MCQ · medium

You are building a solution that uploads large files (up to 100 GB) to Azure Blob Storage. Users frequently experience timeout errors when uploading files over slow network connections. Which approach should you use to maximize reliability?

A. Upload the file as a page blob in 512-byte chunks.
B. Use the Azure Storage SDK to upload the file as a block blob with multiple parallel blocks and implement retry logic with exponential backoff.
C. Increase the client-side timeout value to 10 minutes.
D. Use AzCopy with the /Z parameter to enable checkpointing.
Answer: B

SDK provides automatic retry and parallel upload for block blobs, improving reliability.

Why this answer

Option B is correct because uploading a large file as a block blob with multiple parallel blocks maximizes throughput and reliability over slow networks. The Azure Storage SDK automatically splits the file into blocks (up to 100 MB each), uploads them concurrently, and implements retry logic with exponential backoff to handle transient failures. This approach is specifically designed for large file uploads and mitigates timeout errors by keeping individual block transfers small and resumable.

Exam trap

The trap here is that candidates may confuse AzCopy's checkpointing (Option D) as the only reliable method for large uploads, but the question specifies building a solution (SDK-based), not using a standalone tool, and AzCopy cannot be programmatically embedded in an application.

How to eliminate wrong answers

Option A is wrong because page blobs are optimized for random read/write access (e.g., VHDs), not for large file uploads; they require 512-byte alignment and do not support parallel upload with retry logic for slow networks. Option C is wrong because simply increasing the client-side timeout to 10 minutes does not address the root cause of timeouts over slow connections; it only delays the failure and does not provide resumability or parallelism. Option D is wrong because AzCopy with the /Z parameter enables checkpointing for resuming interrupted transfers, but it is a command-line tool, not a programmatic SDK approach; the question asks for a solution you are building, implying code-level integration, and AzCopy is not suitable for embedding in an application.

584
MCQ · easy

A company deploys an Azure Function app that processes orders. The function needs to scale out automatically when the queue length grows and be billed only for execution time. Which hosting plan should you use?

A. App Service Plan
B. Consumption Plan
C. Premium Plan
D. Dedicated Plan
Answer: B

Consumption Plan scales automatically based on demand and charges only for execution time (per-second billing).

Why this answer

The Consumption Plan is correct because it automatically scales out the function app based on the length of the Azure Storage queue trigger, and you are billed only for the execution time (per-second billing) and resources consumed. This plan is ideal for event-driven workloads like order processing, where scaling is demand-driven and idle time incurs no cost.

Exam trap

The trap here is that candidates often confuse the Premium Plan's pre-warmed instances and VNET support with the Consumption Plan's true pay-per-execution model, mistakenly thinking Premium is required for auto-scaling, when in fact the Consumption Plan handles queue-length-based scaling natively and is the only plan with pure execution-time billing.

How to eliminate wrong answers

Option A is wrong because the App Service Plan runs on dedicated VMs and incurs continuous billing even when the function is idle, and it does not provide automatic scale-out based solely on queue length without manual configuration or auto-scale rules. Option C is wrong because the Premium Plan, while offering pre-warmed instances and VNET connectivity, incurs a baseline cost for always-ready instances and is not billed purely on execution time like the Consumption Plan. Option D is wrong because the Dedicated Plan is essentially the same as the App Service Plan, running on reserved instances with continuous billing and no built-in queue-length-based auto-scaling without additional setup.

585
MCQ · hard

A system receives high-volume event notifications from Azure resources and routes them to serverless handlers. Events are lightweight and should use native event routing. Which service should be used?

A. Azure DNS
B. Azure Event Grid
C. Azure Files
D. Azure Service Bus queue
Answer: B

Event Grid is designed for reactive event routing from Azure services and custom publishers.

Why this answer

Azure Event Grid is the correct choice because it is a fully managed event routing service designed for high-volume, lightweight event notifications using native event routing (HTTP-based push model). It supports serverless handlers like Azure Functions and automatically delivers events to subscribers with built-in retry and dead-lettering, making it ideal for reacting to Azure resource state changes.

Exam trap

The trap here is confusing Azure Event Grid (push-based, lightweight event routing) with Azure Service Bus (pull-based, message queuing), leading candidates to choose Service Bus for event scenarios when Event Grid is the native, serverless-optimized choice.

How to eliminate wrong answers

Option A is wrong because Azure DNS is a domain name resolution service (translates domain names to IP addresses) and does not handle event routing or serverless event processing. Option C is wrong because Azure Files provides fully managed file shares accessible via SMB or NFS protocols, not event notification or routing capabilities. Option D is wrong because Azure Service Bus queue is a message broker designed for reliable, ordered message delivery with features like sessions and transactions, but it uses pull-based messaging and is not optimized for lightweight, native event routing; it is better suited for decoupled messaging with complex processing requirements.

586
MCQ · medium

You have an Azure App Service web app that experiences high CPU usage during peak hours. You need to scale out automatically based on CPU load. What should you configure?

A. Manually increase the instance count during peak hours.
B. Configure an autoscale rule to scale up the App Service plan.
C. Configure an autoscale rule to scale out based on CPU percentage.
D. Use Azure Front Door to distribute load across multiple instances.
Answer: C

Autoscale can add instances when CPU exceeds a threshold.

Why this answer

Option C is correct because Azure App Service autoscale rules allow you to scale out (increase instance count) based on a metric like CPU percentage. This automatically adds more instances when CPU exceeds a threshold, distributing the load and reducing CPU usage per instance during peak hours.

Exam trap

The trap here is that candidates often confuse 'scale up' (changing the plan tier) with 'scale out' (adding instances), and may incorrectly select Option B thinking it addresses CPU load, but scaling up does not increase instance count.

How to eliminate wrong answers

Option A is wrong because manually increasing the instance count is not an automatic solution; it requires human intervention and does not meet the requirement to scale automatically. Option B is wrong because 'scale up' refers to increasing the resources (e.g., SKU size) of the App Service plan, not adding more instances; scaling up changes the plan tier (e.g., from Standard to Premium) and does not directly address high CPU load via horizontal scaling. Option D is wrong because Azure Front Door is a global load balancer and CDN service that distributes traffic at the application layer, but it does not automatically scale the number of instances; it can route traffic to multiple instances but does not configure autoscaling rules based on CPU load.

587
MCQ · medium

You are monitoring an Azure Web App with Application Insights. You notice that the dependency duration for a SQL database call has significantly increased. You need to identify the specific SQL query that is causing the slowness. Which Application Insights feature should you use?

A. Application Map
B. Performance blade and drill into Dependencies
C. Live Metrics Stream
D. Smart Detection
Answer: B

The Performance blade shows dependency details including SQL query text, duration, and count, allowing you to identify slow queries.

Why this answer

The Performance blade in Application Insights allows you to drill into specific operations, including dependencies. By selecting the SQL dependency with increased duration, you can view the 'Dependencies' tab to see the exact SQL query text, duration, and other details. This directly identifies the slow query without needing to instrument code changes.

Exam trap

The trap here is that candidates often confuse the high-level monitoring view (Application Map) or real-time streaming (Live Metrics) with the diagnostic drill-down capability of the Performance blade, which is specifically designed for root-cause analysis of slow operations.

How to eliminate wrong answers

Option A is wrong because Application Map provides a visual overview of component interactions and dependency health, but it does not show the specific SQL query text or allow drilling into individual slow queries. Option C is wrong because Live Metrics Stream shows real-time performance data but does not retain historical query details or allow deep analysis of specific slow dependencies. Option D is wrong because Smart Detection proactively alerts on anomalies but does not provide the raw query text or a drill-down interface to identify the specific SQL statement causing slowness.

588
MCQ easy

You need to send notifications to mobile devices when a new file is uploaded to Azure Blob Storage. Which Azure service should you use to route the event to a notification hub?

A. Azure Service Bus
B. Azure Queue Storage
C. Azure Event Grid
D. Azure Event Hubs
Answer: C

Event routing service.

Why this answer

Option C is correct because Azure Event Grid is designed for event routing from Azure services to handlers like Azure Notification Hubs. Option A is wrong because Azure Service Bus is for messaging. Option B is wrong because Azure Queue Storage is for storage queues. Option D is wrong because Azure Event Hubs is for big data streaming.

589
MCQ easy

You are developing an Azure Function that processes messages from an Azure Storage queue. The function must handle transient failures when writing to a downstream database. You need to implement a retry policy. What is the recommended approach?

A. Do nothing; Azure Functions automatically retries failed executions indefinitely.
B. Use a try-catch block in the function code to retry on failure.
C. Configure the retry policy in the function's host.json file.
D. Use Durable Functions with a retry policy.
Answer: C

Built-in retry supports exponential backoff and is easy to configure.

Why this answer

Option C is correct because the built-in retry policy for Azure Functions (in host.json) allows you to specify retry count and strategy (fixed delay or exponential backoff) for Storage queue triggers. Option A is wrong because the built-in retry policy is configurable. Option B is wrong because implementing retry logic inside the function code is less maintainable and duplicates built-in functionality. Option D is wrong because Durable Functions are for orchestrating long-running workflows, not for simple retries.

590
Multi-Select hard

Which TWO actions should you take to ensure data durability for a storage account using LRS? (Choose two.)

Select 2 answers
A. Enable soft delete for blobs.
B. Assign RBAC roles to users.
C. Enable blob versioning.
D. Change replication to GRS.
E. Configure network firewall rules.
Answers: A, C

Soft delete protects data from accidental deletion.

Why this answer

Enabling soft delete for blobs protects data by retaining deleted blobs for a specified retention period, allowing recovery from accidental deletion or overwrite. This directly enhances data durability within a single data center under LRS, as it provides an additional layer of protection beyond the three synchronous replicas.

Exam trap

The trap here is that candidates often confuse replication (GRS) with data protection features like soft delete and versioning, but the question explicitly asks for actions that ensure durability while keeping LRS, not changing the replication strategy.

591
MCQ easy

You need to run a batch job every night that processes data from Azure Blob Storage and writes results to Azure SQL Database. The job may run for up to 2 hours. Which Azure service should you use?

A. Azure Logic Apps.
B. Azure Batch.
C. Azure Functions (Consumption plan).
D. Azure Container Instances.
Answer: D

ACI can run containers for up to 2 hours.

Why this answer

Azure Container Instances (ACI) is the correct choice because it allows you to run a containerized batch job on demand without managing underlying infrastructure. The job's duration of up to 2 hours fits within ACI's timeout, which defaults to 60 minutes and is configurable up to 24 hours, and you can trigger it nightly via a scheduler like Azure Logic Apps or a timer-triggered Azure Function. ACI provides fast startup, per-second billing, and direct access to Azure Blob Storage and SQL Database via connection strings or managed identities.

Exam trap

The trap here is that candidates often choose Azure Functions (Consumption plan) for batch jobs because of its serverless appeal, but they overlook the strict 10-minute execution timeout, which makes it impossible for a 2-hour job without switching to the Premium plan or using Durable Functions.

How to eliminate wrong answers

Option A is wrong because Azure Logic Apps is a workflow orchestration service, not a compute runtime for long-running batch jobs; it has a built-in action timeout of 2 minutes for HTTP requests and 1 minute for API connections, making it unsuitable for a 2-hour processing job. Option B is wrong because Azure Batch is designed for large-scale parallel and high-performance computing (HPC) workloads, not a simple nightly batch job; it requires creating a pool of VMs, managing job scheduling, and is overkill for a single containerized task. Option C is wrong because Azure Functions on the Consumption plan has a maximum execution timeout of 10 minutes (configurable up to 60 minutes for the Premium plan), so it cannot handle a job that may run for up to 2 hours.

592
MCQ medium

You have an App Service web app with Application Insights configured. You want to create an alert that fires when the server response time exceeds 2 seconds for a rolling 10-minute window. Which type of alert rule should you create?

A. Log alert
B. Metric alert
C. Activity log alert
D. Smart detection alert
Answer: B

Correct. Metric alerts monitor a single metric (like server response time) over a rolling window and trigger when the threshold is breached.

Why this answer

Metric alerts in Azure Monitor evaluate resource-level performance counters at regular intervals, making them ideal for threshold-based conditions like server response time. Application Insights automatically collects server response time as a pre-aggregated metric, so a metric alert can check whether the average exceeds 2 seconds over a rolling 10-minute window without needing to query raw log data.

Exam trap

The trap here is that candidates confuse log-based queries (Log Analytics) with metric-based thresholds, assuming that any Application Insights data must be queried via logs, when in fact common performance counters like server response time are exposed as metrics for simpler and faster alerting.

How to eliminate wrong answers

Option A is wrong because log alerts run Kusto queries against log data (e.g., requests table) and are better suited for complex patterns or correlation across multiple signals, not for simple, low-latency threshold checks on a single metric. Option C is wrong because activity log alerts fire only on Azure resource management events (e.g., create, delete, scale) and cannot monitor application performance metrics like server response time. Option D is wrong because smart detection alerts use machine learning to automatically detect anomalies in telemetry patterns (e.g., sudden failure spikes) and cannot be configured with a fixed threshold of 2 seconds.

593
MCQ medium

You are developing an API that processes sensitive personal data. The API is exposed via Azure API Management (APIM). You need to ensure that only authorized applications can call the API, and you want to validate the token at the APIM gateway without modifying the backend code. What is the most efficient approach?

A. Implement token validation in the backend API code
B. Use APIM's OAuth 2.0 authorization server
C. Use subscription keys in APIM
D. Configure a validate-jwt policy in APIM inbound processing
Answer: D

Validates JWT token at APIM gateway without backend changes.

Why this answer

The validate-jwt policy in APIM's inbound processing validates the OAuth 2.0 token at the gateway level, ensuring only authorized applications can call the API without modifying backend code. This is the most efficient approach because it offloads token validation to APIM, reducing backend complexity and centralizing security enforcement.

Exam trap

The trap here is that candidates confuse APIM's OAuth 2.0 authorization server (which issues tokens) with the validate-jwt policy (which validates tokens), leading them to choose Option B instead of D.

How to eliminate wrong answers

Option A is wrong because implementing token validation in the backend API code requires modifying the backend, which contradicts the requirement to avoid backend changes. Option B is wrong because APIM's OAuth 2.0 authorization server is used to issue tokens, not to validate them at the gateway; validation is done via policies like validate-jwt. Option C is wrong because subscription keys provide API-level access control but do not validate token claims or enforce OAuth 2.0 authorization; they are not suitable for validating sensitive personal data access.

594
MCQ medium

You are building an Azure Logic App that must send email notifications via Office 365 when a new order is placed. You need to securely store the Office 365 credentials and reference them in the Logic App. Which approach should you use?

A. Store the credentials in a variable within the Logic App designer
B. Use an Azure Key Vault action with a connection that uses a username and password
C. Use an Azure Key Vault connector with a managed identity assigned to the Logic App
D. Store the credentials in an Azure Storage table and fetch them in the Logic App
Answer: C

The managed identity authenticates to Key Vault without any stored credentials, allowing the Logic App to retrieve the Office 365 credentials securely at runtime.

Why this answer

Option C is correct because using an Azure Key Vault connector with a managed identity assigned to the Logic App allows you to securely store Office 365 credentials in Key Vault and authenticate to it without hardcoding secrets or managing credentials. The managed identity provides an Azure AD-backed identity for the Logic App, eliminating the need for username/password in connection strings and enabling secure, auditable access to secrets.

Exam trap

The trap here is that candidates often confuse using a Key Vault action with a username/password connection (Option B) as secure, when in fact the connection itself still stores credentials, whereas a managed identity eliminates credential storage entirely.

How to eliminate wrong answers

Option A is wrong because storing credentials in a variable within the Logic App designer exposes them in plain text in the workflow definition and logs, violating security best practices. Option B is wrong because using an Azure Key Vault action with a connection that uses a username and password still requires you to store and manage those credentials in the connection definition, defeating the purpose of Key Vault and introducing a security risk. Option D is wrong because storing credentials in an Azure Storage table is insecure (data is not encrypted at rest by default unless client-side encryption is used) and introduces unnecessary complexity and latency when fetching secrets at runtime.

595
MCQ medium

A company deploys a microservices application on Azure Kubernetes Service (AKS). They need to automatically scale individual microservices based on custom metrics (e.g., queue depth). Which feature should they use?

A. Horizontal Pod Autoscaler
B. Virtual Node
C. Vertical Pod Autoscaler
D. Cluster Autoscaler
Answer: A

HPA can scale pods based on custom metrics from Azure Monitor or Prometheus.

Why this answer

The Horizontal Pod Autoscaler (HPA) is the correct choice because it automatically scales the number of pod replicas in a deployment or replica set based on observed metrics, including custom metrics like queue depth. HPA queries the Kubernetes Metrics API, which can be extended with custom metrics adapters (e.g., Prometheus Adapter) to support application-specific metrics, enabling fine-grained scaling for each microservice.

Exam trap

The trap here is that candidates often confuse Horizontal Pod Autoscaler (scaling replicas) with Cluster Autoscaler (scaling nodes) or Vertical Pod Autoscaler (scaling pod resources), but only HPA supports custom metrics for per-microservice replica scaling.

How to eliminate wrong answers

Option B (Virtual Node) is wrong because it enables serverless compute by provisioning pods on Azure Container Instances (ACI) to handle burst capacity, not for scaling based on custom metrics. Option C (Vertical Pod Autoscaler) is wrong because it adjusts CPU/memory resource requests and limits of existing pods, not the number of replicas, and does not respond to custom metrics like queue depth. Option D (Cluster Autoscaler) is wrong because it scales the number of AKS nodes (VMs) in the cluster based on pending pod resource requests, not individual microservice replicas based on custom application metrics.

596
MCQ hard

Refer to the exhibit. The exhibit shows an Azure Event Grid subscription configuration. You notice that the webhook endpoint is not receiving events when a .png file is uploaded to the 'images' container. What is the most likely reason?

A. The subscription is disabled
B. The destination endpoint type is incorrect
C. The webhook endpoint requires authentication
D. The subject filter excludes .png files
Answer: D

The filter 'subjectEndsWith' is '.jpg', so .png files are filtered out.

Why this answer

The filter 'subjectEndsWith' is set to '.jpg', so only .jpg files trigger events; .png files do not match. Option A is wrong because the subscription is enabled. Option B is wrong because the endpoint type is WebHook. Option C is wrong because no authentication is configured in the exhibit, and an authentication problem would affect all events, not just .png files.

597
MCQ medium

An Azure web app is experiencing high memory usage. You want to collect memory dumps periodically to analyze the issue without restarting the app. Which Azure App Service diagnostic feature should you use?

A. Application Insights Profiler
B. Diagnostic Settings
C. Application Snapshot Debugger
D. Auto-healing
Answer: C

Application Snapshot Debugger captures memory snapshots or dumps on demand without restarting the app, enabling analysis of memory issues.

Why this answer

The Application Snapshot Debugger is the correct feature because it captures memory dumps (snapshots) of a production web app at the point of an exception or high memory usage without restarting the app. It is specifically designed for debugging memory leaks and high CPU/memory issues in Azure App Service, providing a periodic snapshot of the process heap.

Exam trap

The trap here is that candidates confuse Application Insights Profiler (which profiles CPU/request timing) with the Snapshot Debugger (which captures memory dumps), or they assume Diagnostic Settings can collect in-process memory dumps when it only handles log streaming.

How to eliminate wrong answers

Option A is wrong because Application Insights Profiler is a performance tracing tool that captures CPU and request execution time profiles, not memory dumps; it does not capture heap snapshots. Option B is wrong because Diagnostic Settings is used to stream platform logs and metrics to destinations like Log Analytics or Storage, not to collect in-process memory dumps. Option D is wrong because Auto-healing is a recovery feature that restarts or recycles the app based on conditions like memory thresholds, but it does not collect memory dumps for analysis and would restart the app, which contradicts the requirement to avoid restarting.

598
MCQ hard

You are using Azure Logic Apps to orchestrate a workflow that calls a third-party API. The API occasionally returns HTTP 429 (Too Many Requests). How should you handle this to ensure the workflow completes successfully without manual intervention?

A. Increase the timeout value for the HTTP request.
B. Change the concurrency setting to 1 to avoid multiple requests.
C. Use a webhook action instead of HTTP.
D. Configure a retry policy on the HTTP action with exponential backoff.
Answer: D

Automatically retries on 429 with backoff.

Why this answer

Option D is correct because the Logic Apps built-in retry policy with exponential backoff handles 429 automatically. Option A is wrong because increasing the timeout does not retry. Option B is wrong because changing to sequential calls reduces throughput but does not handle retries. Option C is wrong because a webhook is for async patterns, not retry.

599
MCQ medium

A company deploys a microservices application on Azure Kubernetes Service (AKS). They need to securely store configuration settings such as database connection strings and API keys. The solution must minimize administrative overhead and automatically rotate keys. What should they use?

A. Store secrets as Kubernetes Secrets objects with base64 encoding.
B. Use Azure Key Vault with the Secrets Store CSI driver.
C. Use Azure App Configuration with feature flags.
D. Store secrets as environment variables in the container's deployment YAML.
Answer: B

This integrates with AKS, supports automatic rotation, and reduces overhead.

Why this answer

Option B is correct because Azure Key Vault with the Secrets Store CSI driver allows you to mount secrets as volumes or environment variables in AKS pods without exposing them in plaintext or requiring manual rotation. The CSI driver synchronizes secrets from Key Vault to a Kubernetes volume, and Key Vault supports automatic key rotation policies, minimizing administrative overhead while ensuring security.

Exam trap

The trap here is that candidates often confuse Azure App Configuration (which is for non-sensitive config and feature flags) with Azure Key Vault (which is the correct service for secrets), or they assume base64 encoding in Kubernetes Secrets provides security, when it is merely obfuscation.

How to eliminate wrong answers

Option A is wrong because Kubernetes Secrets with base64 encoding are not encrypted by default; base64 is merely an encoding, not encryption, and secrets can be easily decoded, plus they lack automatic rotation capabilities. Option C is wrong because Azure App Configuration is designed for feature flags and application configuration management, not for securely storing sensitive secrets like connection strings and API keys; it does not natively support automatic key rotation. Option D is wrong because storing secrets as environment variables in deployment YAML exposes them in plaintext within the YAML file and pod specifications, violating security best practices and providing no automatic rotation mechanism.

600
MCQ easy

You are building a solution that processes real-time telemetry from IoT devices. The telemetry data must be ingested, processed with minimal latency, and stored in Azure Blob Storage for long-term analytics. You need to choose the serverless compute service that is best suited for this scenario. What should you use?

A. Azure Functions with Event Hubs trigger
B. Azure Batch with Event Hubs input
C. Azure Logic Apps with Event Hubs connector
D. Azure WebJobs with Event Hubs SDK
Answer: A

Functions are serverless and the Event Hubs trigger is designed for high-throughput, low-latency event ingestion.

Why this answer

Azure Functions with an Event Hubs trigger is the best choice because it provides a serverless, event-driven compute model that can process high-throughput telemetry data with minimal latency. The Event Hubs trigger scales automatically based on the number of partitions and events, ensuring real-time processing, and the output can directly write to Azure Blob Storage for long-term analytics.

Exam trap

The trap here is that candidates often confuse Azure Logic Apps (which also has an Event Hubs connector) with Azure Functions, but Logic Apps are designed for orchestration and have higher latency, making them inappropriate for real-time, high-throughput telemetry processing.

How to eliminate wrong answers

Option B is wrong because Azure Batch is designed for large-scale parallel batch processing (e.g., HPC, rendering) and is not optimized for real-time, low-latency event ingestion; it requires explicit job scheduling and is not event-triggered. Option C is wrong because Azure Logic Apps are workflow orchestrators with higher latency and overhead, making them unsuitable for high-throughput, real-time telemetry processing; they are better for business process automation. Option D is wrong because Azure WebJobs run in the context of an App Service plan, which is not serverless and incurs ongoing costs even when idle; they lack the automatic scaling and event-driven triggers of Functions for Event Hubs.
