Microsoft Azure Developer Associate AZ-204 (AZ-204) — Questions 601675

997 questions total · 14 pages · All types, answers revealed

Page 9 of 14

601
MCQ (easy)

You are monitoring an Azure App Service with Application Insights. You need to create a custom dashboard that shows the number of requests over time and the average server response time. Which Application Insights feature should you use to create this dashboard?

A. Live Metrics Stream
B. Metrics Explorer
C. Analytics (Logs)
D. Availability Tests
Answer: B

Metrics Explorer lets you select metrics like 'Requests' and 'Average server response time', configure aggregation, and chart them over a time range. Charts can be pinned to a dashboard for continuous monitoring.

Why this answer

Metrics Explorer is the correct feature because it allows you to create custom charts and dashboards by selecting specific metrics like 'Requests' and 'Server response time' from your Application Insights resource. You can aggregate these metrics over time and pin them to an Azure dashboard for monitoring. Live Metrics Stream shows real-time data but cannot be used for historical charting or dashboard pinning, while Analytics (Logs) requires Kusto queries for custom visualizations and is not optimized for simple metric dashboards.

Exam trap

The trap here is that candidates often confuse Live Metrics Stream (real-time) with Metrics Explorer (historical and dashboard-capable), or assume that Analytics (Logs) is the only way to create custom visualizations, overlooking the simpler and more appropriate Metrics Explorer for pre-aggregated metric dashboards.

How to eliminate wrong answers

Option A is wrong because Live Metrics Stream displays real-time telemetry with near-zero latency but does not support historical data aggregation or pinning to a persistent dashboard; it is designed for live debugging, not for creating a dashboard of requests over time. Option C is wrong because Analytics (Logs) uses Kusto Query Language (KQL) to query raw log data and can build charts, but it is not the primary feature for simple metric-based dashboards; Metrics Explorer is the dedicated tool for pre-aggregated metrics with built-in charting and dashboard integration. Option D is wrong because Availability Tests are used to monitor the uptime and responsiveness of your web application from multiple locations, generating test results and alerts, but they do not provide the request count or server response time metrics needed for the described dashboard.

602
MCQ (hard)

Your application uses Azure Cache for Redis to cache session state. You notice that after a scaling operation, some users are prompted to log in again. What is the most likely cause?

A. The cache's connection string changed, causing applications to connect to a new cache.
B. The cache was scaled to a tier that does not support session state.
C. The cache was scaled without enabling data persistence, causing session data to be lost.
D. The cache's primary key changed during scaling, invalidating existing sessions.
Answer: C

Without persistence, scaling can cause data loss.

Why this answer

Azure Cache for Redis can be configured with clustering, and when scaling, data may be redistributed among shards. If the session data is not stored persistently, scaling can cause data loss. Option C is correct.

Option A is incorrect because scaling does not change the connection string. Option B is incorrect because every Azure Cache for Redis tier can store session data; no tier excludes it. Option D is incorrect because scaling does not change the primary access key.

603
MCQ (hard)

You are implementing an Azure Durable Functions orchestration. The orchestration calls several activity functions that may fail transiently. You need to retry an activity up to 3 times with a 5-second delay, doubling the delay each time (exponential backoff). Which method should you use to call the activity?

A. CallActivityAsync with a try-catch loop that implements retry logic
B. CallActivityWithRetryAsync with RetryOptions(maxAttempts: 3, firstRetryInterval: TimeSpan.FromSeconds(5), backoffCoefficient: 2)
C. Use a timer trigger to schedule retries after failure
D. Set the activity function's retry policy in the function.json file
Answer: B

This uses the native retry mechanism: 3 attempts, 5s initial delay, doubled each time (5, 10, 20 seconds approximate).

Why this answer

Option B is correct because `CallActivityWithRetryAsync` is the built-in method in Durable Functions for calling activity functions with automatic retry policies, including exponential backoff. The `RetryOptions` object allows you to specify `maxAttempts` (3), `firstRetryInterval` (5 seconds), and `backoffCoefficient` (2) to double the delay each time, exactly matching the requirement without custom code.

Exam trap

The trap here is that candidates may think manual retry logic (Option A) is acceptable, but Durable Functions orchestrators must be deterministic and cannot use custom retry loops that introduce non-deterministic behavior like random delays or external state.

How to eliminate wrong answers

Option A is wrong because manually implementing retry logic with a try-catch loop inside the orchestrator function violates the deterministic replay requirement of Durable Functions, leading to potential runtime errors or infinite replays. Option C is wrong because using a timer trigger to schedule retries after failure is an external, non-orchestration approach that bypasses the built-in retry capabilities and adds unnecessary complexity, failing to leverage Durable Functions' native support for retries. Option D is wrong because activity functions do not have a retry policy configurable in `function.json`; retry policies are defined at the orchestration level via `RetryOptions` when calling the activity, not in the activity's metadata.

604
Multi-Select (medium)

You are designing a solution that uses Azure Functions to process events from Azure Event Hubs. Which TWO features should you enable to ensure the function processes events in order and exactly once?

Select 2 answers
A. Durable Functions
B. Process events in batches
C. Implement checkpointing in the function
D. Enable session support on Event Hubs and use the session-enabled trigger
E. Use a retry policy in the function
Answers: C, D

Checkpointing stores the last processed event offset, ensuring exactly-once processing.

Why this answer

Option C is correct because checkpointing in Azure Functions allows the function to record the last successfully processed event offset and partition. When the function resumes, it reads from that checkpoint, ensuring that events are processed exactly once within the partition, even if the function restarts or scales.

Exam trap

The trap here is that candidates often think Durable Functions or retry policies guarantee exactly-once processing, but they do not address the fundamental need for checkpointing and session-aware consumption to maintain order and prevent duplicates in a distributed event processing system.

605
MCQ (easy)

Your organization has a custom application that stores customer data in Azure Cosmos DB. You need to encrypt the data at rest using a customer-managed key stored in Azure Key Vault. Which type of Cosmos DB encryption should you configure?

A. Enable Azure Disk Encryption on the Cosmos DB instance
B. Enable Transparent Data Encryption (TDE)
C. Use customer-managed keys (CMK) with Azure Key Vault
D. Implement client-side encryption using the SDK
Answer: C

Cosmos DB supports CMK for encryption at rest.

Why this answer

Option C is correct because Cosmos DB supports encryption at rest with customer-managed keys (CMK) via Azure Key Vault. Option A is wrong because Azure Disk Encryption is for VMs. Option B is wrong because TDE is for SQL Server, not Cosmos DB. Option D is wrong because client-side encryption is separate from encryption at rest.

606
MCQ (hard)

Your team uses Azure DevOps to deploy a web app to Azure App Service. The deployment fails intermittently with a '500 Internal Server Error' after successful code upload. You want to capture a memory dump of the process when the error occurs. What should you configure?

A. Configure an autoscale rule in Azure Monitor
B. Use App Service Diagnostics to collect a memory dump
C. Set up Azure API Management policies
D. Enable Application Insights Snapshot Debugger
Answer: B

App Service Diagnostics can capture memory dumps on demand.

Why this answer

Option B is correct because App Service Diagnostics provides the ability to collect memory dumps and procdumps for crash analysis. Options A, C, and D are wrong because Azure Monitor autoscale, Azure API Management, and Application Insights Snapshot Debugger do not capture memory dumps on the App Service.

607
Multi-Select (hard)

Which THREE factors should you consider when choosing between Azure Functions (Consumption plan) and Azure Container Instances for running a background job that processes messages from Azure Service Bus?

Select 3 answers
A. Scaling behavior (automatic vs. manual).
B. Cost model (per execution vs. per second).
C. Ability to use custom base images.
D. Native support for Service Bus trigger.
E. Cold start latency.
Answers: A, B, E

Functions auto-scale; ACI may need manual scaling or scale rules.

Why this answer

Option A is correct because Azure Functions on the Consumption plan automatically scales out based on the number of incoming Service Bus messages, handling up to 200 concurrent instances per function app, while Azure Container Instances require manual scaling or external orchestration (e.g., KEDA) to adjust the number of container groups. This makes scaling behavior a key differentiator when choosing between the two services for a background job.

Exam trap

The trap here is that candidates often assume Azure Container Instances are always cheaper or more flexible for custom images, but they overlook the critical operational difference in scaling behavior and native trigger support, which are primary decision factors for event-driven background jobs.

608
MCQ (hard)

You deploy the above ARM template resource. After deployment, the web app cannot connect to Application Insights. The Application Insights resource exists in the same region. What is the most likely cause?

A. The dependsOn is incorrect; it should reference the Application Insights resource ID.
B. The app setting 'APPINSIGHTS_INSTRUMENTATIONKEY' is deprecated; you should use 'APPLICATIONINSIGHTS_CONNECTION_STRING' instead.
C. The web app needs a user-assigned managed identity to access Application Insights.
D. The instrumentation key must be set under a different name, like 'APPINSIGHTS_KEY'.
Answer: B

Application Insights now requires the connection string for authentication.

Why this answer

Option B is correct because the ARM template likely sets the 'APPINSIGHTS_INSTRUMENTATIONKEY' app setting, which is deprecated. Application Insights now requires the 'APPLICATIONINSIGHTS_CONNECTION_STRING' app setting for authentication and telemetry ingestion, as the instrumentation key alone is no longer sufficient for newer SDK versions and regional endpoints.

Exam trap

The trap here is that candidates assume the instrumentation key is still the primary connection method, but Microsoft deprecated it in favor of the connection string, which is required for newer SDK versions and regional routing.

How to eliminate wrong answers

Option A is wrong because the dependsOn property in ARM templates controls deployment order, not runtime connectivity; even if the dependency is missing, the web app can still connect to Application Insights after both resources are deployed. Option C is wrong because a managed identity is not required for Application Insights access; the connection string or instrumentation key provides direct authentication without identity. Option D is wrong because 'APPINSIGHTS_KEY' is not a recognized app setting name; the correct deprecated key is 'APPINSIGHTS_INSTRUMENTATIONKEY', and the modern replacement is 'APPLICATIONINSIGHTS_CONNECTION_STRING'.

609
Drag & Drop (medium)

Arrange the steps to secure an Azure API Management API using OAuth 2.0 with Azure AD in the correct order.

Why this order

First register app in Azure AD, configure API Management with OAuth, add validate-jwt policy, configure product, test.

610
MCQ (hard)

You need to store billions of small log entries (each ~200 bytes) written in chronological order from multiple producers. The logs are read sequentially in bulk once per day. You need to maximize write throughput and minimize storage costs. Which Azure Storage solution should you choose?

A. Append Blob in Blob Storage
B. Block Blob in Blob Storage with high block count
C. Azure Data Lake Storage Gen2 with hierarchical namespace
D. Azure Files with SMB protocol
Answer: A

Append Blob is optimized for append operations and can handle high write throughput for sequential logs. It supports atomic appends and has a simple programming model.

Why this answer

Append Blob in Blob Storage is optimized for append operations, making it ideal for writing small log entries in chronological order from multiple producers. It provides high write throughput because each append operation is atomic and can be performed concurrently, and it minimizes storage costs by storing data in a cost-effective blob tier without the overhead of indexing or metadata management required by other solutions.

Exam trap

The trap here is that candidates often confuse Append Blob with Block Blob, assuming high block count can achieve similar append performance, but Block Blob requires explicit block management and cannot guarantee atomic append operations, making Append Blob the only correct choice for this workload.

How to eliminate wrong answers

Option B is wrong because Block Blob with high block count is designed for uploading large files in parallel, not for frequent small appends; each block must be committed in a final block list, which adds overhead and does not support true append semantics. Option C is wrong because Azure Data Lake Storage Gen2 with hierarchical namespace is optimized for big data analytics workloads with directory-level operations and POSIX permissions, which adds unnecessary complexity and cost for simple sequential log storage. Option D is wrong because Azure Files with SMB protocol is a fully managed file share designed for shared access and SMB-based applications, not for high-throughput append-only log ingestion, and it incurs higher costs per GB compared to blob storage.

611
MCQ (medium)

You develop an app that uses Azure Cosmos DB for NoSQL. The app requires reading a specific item by ID with low latency. You need to ensure the query is as fast as possible. What should you use?

A. Use a stored procedure that reads the item.
B. Use a SQL query filtering by ID without partition key.
C. Use a point read with the item's ID and partition key.
D. Use a SQL query with a composite index on ID.
Answer: C

Point reads are the fastest operation in Cosmos DB.

Why this answer

Option C is correct because a point read by ID and partition key is the fastest operation in Cosmos DB, directly accessing the item without query engine overhead. Option B is wrong because cross-partition queries add latency. Option D is wrong because even with indexing, point reads are faster. Option A is wrong because stored procedures run on the server but still involve query processing.

612
MCQ (easy)

You need to store a large number of small files (each < 100 KB) that will be accessed frequently from a web application. The files are static assets (CSS, JavaScript, images). Which Azure storage option provides the best performance for serving these files directly to users?

A. Azure Queue Storage
B. Azure Blob Storage with Azure CDN
C. Azure Table Storage
D. Azure Files
Answer: B

CDN caches content at edge nodes, providing fast access worldwide.

Why this answer

Azure Blob Storage is optimized for storing large volumes of unstructured data, including small static files. By integrating Azure CDN, you cache these files at edge nodes closer to users, drastically reducing latency and offloading origin requests. This combination provides the best performance for frequently accessed static assets served directly to a web application's users.

Exam trap

The trap here is that candidates may choose Azure Files (Option D) because it resembles a traditional file server, but it lacks the global caching and low-latency edge delivery that CDN provides for static web assets.

How to eliminate wrong answers

Option A is wrong because Azure Queue Storage is a messaging service for asynchronous communication between application components, not designed for serving static files to users. Option C is wrong because Azure Table Storage is a NoSQL key-value store for structured data, not optimized for storing or serving binary files like CSS, JavaScript, or images. Option D is wrong because Azure Files provides SMB file shares primarily for lift-and-shift scenarios or shared file access, not for high-performance, direct-to-user serving of static web assets.

613
MCQ (hard)

You are developing a real-time analytics application that ingests IoT sensor data every second. The data is written to Azure Blob Storage as small JSON files (each ~1 KB). The application also needs to query the data based on device ID and timestamp. You need to design a storage solution that allows efficient querying without writing custom code for indexing. You have decided to use Azure Data Lake Storage Gen2. What should you do to optimize query performance?

A. Use Append Blobs to combine small writes into larger blobs.
B. Use a folder structure like /deviceid/yyyy/mm/dd/hh/ and set the device ID as the partition key.
C. Store all JSON files in a single folder and use Azure Data Lake Analytics to query.
D. Store the data in Azure SQL Database instead of Blob Storage.
Answer: B

Hierarchical partitioning allows query engines to skip irrelevant data.

Why this answer

Azure Data Lake Storage Gen2 supports hierarchical namespaces, which allow you to organize data into folders and subfolders. By structuring the path as /deviceid/yyyy/mm/dd/hh/, you effectively partition the data by device ID and time, enabling efficient querying with tools like Azure Synapse or PolyBase without custom indexing. This leverages the directory structure as a natural partition key, minimizing the data scanned during queries.

Exam trap

The trap here is that candidates may confuse the need for efficient querying with data ingestion optimization (e.g., Append Blobs) or assume that a relational database is always required for querying, overlooking that Data Lake Storage Gen2's hierarchical namespace provides built-in partition elimination without custom indexing.

How to eliminate wrong answers

Option A is wrong because Append Blobs are designed for append-only operations (e.g., logging) and do not improve query performance; they still require scanning all blobs. Option C is wrong because storing all files in a single folder eliminates the benefits of partition elimination, forcing full scans even with Azure Data Lake Analytics. Option D is wrong because Azure SQL Database is a relational store that requires schema definition and indexing, contradicting the requirement to avoid custom indexing and to use Azure Data Lake Storage Gen2 as the chosen solution.

614
MCQ (hard)

Your team is migrating a legacy application to Azure. The application uses a proprietary database that is not supported by Azure SQL or Cosmos DB. You need to provide a managed database service with minimal rearchitecture. Which Azure service should you use?

A. Azure Virtual Machines with the database software installed
B. Azure Database for MySQL
C. Azure Database Migration Service
D. Azure SQL Database
Answer: A

IaaS allows you to run any database software on a VM.

Why this answer

Azure Database Migration Service helps migrate databases to Azure, but for unsupported databases, you can use Azure Virtual Machines to host the database. Option A is correct. Option B is for MySQL; Option C is a migration tool, not a hosting service; Option D is for SQL Server workloads.

615
MCQ (hard)

Your Azure Functions app uses a consumption plan and processes messages from an Azure Service Bus queue. You notice that message processing takes up to 10 minutes, and some messages are being processed multiple times. What is the most likely cause?

A. The max delivery count for the queue is set too low.
B. The function host is configured with a low maximum instance count.
C. The lock duration on the Service Bus queue is shorter than the processing time.
D. The function does not handle poison messages correctly.
Answer: C

When lock expires, the message becomes available again and is reprocessed.

Why this answer

Option C is correct because the default lock duration for a Service Bus queue is 30 seconds, which is far shorter than the 10-minute processing time. When the lock expires, the message becomes visible to other consumers, causing duplicate processing. The function host does not extend the lock automatically unless the client explicitly renews it, leading to multiple deliveries.

Exam trap

The trap here is that candidates often assume duplicate processing is caused by scaling or retry policies, when in fact it is the lock duration being shorter than the processing time that directly leads to message re-delivery.

How to eliminate wrong answers

Option A is wrong because the max delivery count controls how many times a message can be delivered before being moved to the dead-letter queue; a low value would cause premature dead-lettering, not duplicate processing. Option B is wrong because a low maximum instance count limits scaling but does not cause duplicate processing; it might increase latency but not reprocessing of the same message. Option D is wrong because poison message handling (dead-lettering after exceeding max delivery count) is a consequence of repeated failures, not the root cause of duplicate processing; the function is not handling poison messages incorrectly—it is processing them multiple times due to lock expiration.

616
MCQ (medium)

An application publishes order events that multiple independent subscribers must process. Subscribers may be added later without changing the publisher. Which Azure messaging service should be used? The team wants the control to be enforceable during normal operations.

A. Azure Blob Storage lifecycle policy
B. Azure Storage Queue
C. Azure Cache for Redis list only
D. Azure Service Bus topic
Answer: D

Service Bus topics support publish-subscribe messaging with independent subscriptions.

Why this answer

Azure Service Bus topics support a publish/subscribe pattern where multiple independent subscribers can each receive a copy of every published message. Subscribers can be added later without modifying the publisher, and the team can enforce control during normal operations using topic-level authorization rules and subscription filters.

Exam trap

The trap here is that candidates often confuse Azure Storage Queue (point-to-point) with Service Bus topics (pub/sub), missing the requirement for multiple independent subscribers that can be added later without changing the publisher.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage lifecycle policies automate tiering or deletion of blobs based on age, not message delivery to multiple subscribers. Option B is wrong because Azure Storage Queue implements a point-to-point messaging model where each message is consumed by a single consumer, not broadcast to multiple independent subscribers. Option C is wrong because Azure Cache for Redis list only provides a simple list data structure for ordered storage, not a managed pub/sub messaging system with durable delivery and subscriber management.

617
MCQ (easy)

You are troubleshooting a slow web application hosted on Azure App Service. The application uses Azure SQL Database. You suspect that the database queries are taking too long. Which Azure Monitor feature should you use to identify slow queries?

A. Azure Activity Log
B. Azure Advisor
C. Azure Monitor Metrics
D. Azure SQL Analytics
Answer: D

Azure SQL Analytics provides query performance insights.

Why this answer

Option D is correct because Azure SQL Analytics (now part of Azure Monitor) provides query performance insights. Option C is wrong because Azure Monitor Metrics does not include query details. Option A is wrong because Azure Activity Log tracks control plane operations. Option B is wrong because Azure Advisor provides recommendations, not detailed query performance.

618
MCQ (hard)

A Blob-triggered function processing audit documents fires multiple times for the same blob after retries. What should the function design include?

A. Disable all logging
B. Idempotent processing based on blob name/version or metadata
C. Assume each event is delivered exactly once
D. Use public blob access
Answer: B

Idempotent logic prevents duplicate side effects when events are retried or delivered more than once.

Why this answer

Azure Blob Storage triggers can cause multiple function invocations for the same blob due to retries, internal queue processing, or event-driven architecture guarantees. Designing the function to be idempotent—using the blob name, version, or metadata as a unique identifier—ensures that duplicate processing does not produce side effects like duplicate audit records or data corruption. This aligns with the at-least-once delivery semantics of Azure Blob Storage triggers.

Exam trap

The trap here is that candidates assume Azure Blob Storage triggers guarantee exactly-once delivery, similar to some queue-based triggers, but they actually follow at-least-once semantics, making idempotency essential for correct processing.

How to eliminate wrong answers

Option A is wrong because disabling logging does not prevent duplicate invocations; it only hides the evidence of retries, violating observability and debugging best practices. Option C is wrong because Azure Blob Storage triggers do not guarantee exactly-once delivery; they operate with at-least-once semantics, meaning the same blob can trigger the function multiple times due to retries or internal queue delays. Option D is wrong because public blob access does not affect invocation behavior; it only controls anonymous read access and introduces security risks without addressing duplicate processing.

619
MCQ (easy)

Refer to the exhibit. You created a custom RBAC role definition. A user assigned this role at the subscription scope. What can the user do?

A. Read any resource in the subscription
B. Write to Azure SQL Databases
C. Read Azure SQL Database configurations and data
D. Create new Azure SQL Databases
Answer: C

The role grants read access to databases.

Why this answer

Option C is correct. The role includes the 'read' action for Azure SQL Databases, allowing read-only access to databases. Option B is wrong because the role does not include write actions. Option D is wrong because the role does not include server-level actions. Option A is wrong because the role only applies to SQL Database, not all resources.

620
MCQ (hard)

A company uses Azure Service Bus to receive order messages. Each order message must be processed exactly once, and duplicate messages are not tolerated due to financial transactions. However, the order processing system sometimes fails and retries, leading to potential duplicates. What Service Bus feature should be enabled on the message to support idempotent processing?

A. Scheduled delivery
B. Duplicate detection
C. Message sessions
D. Auto-forwarding
Answer: B

Duplicate detection uses the MessageId property to identify and discard duplicate messages sent within the detection window, ensuring exactly-once processing.

Why this answer

Option B is correct because Azure Service Bus's duplicate detection feature uses a user-defined MessageId to identify and discard duplicate messages within a specified time window (default 10 minutes, configurable up to 7 days). This ensures exactly-once processing by preventing the same order message from being processed multiple times, even if the sender retries due to failures.

Exam trap

The trap here is that candidates often confuse message sessions (which guarantee order and grouping) with duplicate detection, but sessions do not prevent duplicates—they only ensure FIFO delivery within a session.

How to eliminate wrong answers

Option A is wrong because scheduled delivery delays message availability until a specified time, which does not prevent duplicate processing. Option C is wrong because message sessions enable ordered processing and grouping of related messages, but they do not inherently detect or discard duplicates. Option D is wrong because auto-forwarding automatically moves messages from one queue or subscription to another, which does not provide any duplicate detection or idempotency guarantee.

621
MCQ (medium)

You develop a serverless application using Azure Functions. The function must process images uploaded to a blob container. You need to ensure the function runs only when a new blob is created, and that it scales out automatically for high upload volumes. Which trigger and hosting plan combination should you use?

A. Blob trigger + Consumption plan
B. HTTP trigger + Consumption plan
C. Queue trigger + Consumption plan
D. Timer trigger + Consumption plan
Answer: A

Correct. Blob trigger fires on new blobs, and Consumption plan scales out automatically to handle high volumes while charging only for execution time.

Why this answer

A Blob trigger is designed to run a function when a blob is created or updated in Azure Blob Storage, which directly matches the requirement to process images only when a new blob is uploaded. The Consumption plan provides automatic scaling based on demand, handling high upload volumes by dynamically allocating resources without manual intervention. This combination ensures event-driven execution and cost-effective scaling.

Exam trap

The trap here is that candidates might confuse the Blob trigger with other triggers (HTTP, Queue, Timer) that can indirectly process blobs, but the question explicitly requires the function to run only when a new blob is created, which only the Blob trigger directly supports.

How to eliminate wrong answers

Option B is wrong because an HTTP trigger requires an explicit HTTP request to invoke the function, not a blob creation event, so it would not automatically run when a new blob is uploaded. Option C is wrong because a Queue trigger responds to messages in an Azure Storage Queue, not directly to blob creation events; while you could chain a blob trigger to a queue, the question specifies the function must run only when a new blob is created, making a queue trigger an indirect and unnecessary intermediary. Option D is wrong because a Timer trigger runs on a fixed schedule (e.g., every 5 minutes) and cannot respond to real-time blob creation events, leading to delays or missed uploads.

622
MCQ (medium)

You are developing an Azure Function that processes messages from an Azure Service Bus queue. The function must use a managed identity to authenticate to the Service Bus to avoid managing secrets. Which configuration step is essential for this setup?

A. Store the Service Bus connection string in the function app settings
B. Create a Key Vault reference to the connection string
C. Enable system-assigned managed identity on the function app and assign the 'Azure Service Bus Data Receiver' role to the identity
D. Use the Service Bus SDK with a SharedAccessSignatureToken
Answer: C

This allows the function to authenticate without secrets.

Why this answer

Option C is correct because using a managed identity eliminates the need to manage secrets or connection strings. By enabling a system-assigned managed identity on the function app and assigning the 'Azure Service Bus Data Receiver' role to that identity, the function can authenticate to Azure Service Bus via Azure AD (OAuth 2.0) without any stored credentials. This is the recommended approach for secure, secretless authentication in Azure Functions.

Exam trap

The trap here is that candidates often think storing secrets in Key Vault (Option B) is sufficient for secretless authentication, but Key Vault references still involve retrieving a secret at runtime, whereas managed identity completely removes the need for any secret.

How to eliminate wrong answers

Option A is wrong because storing the Service Bus connection string in function app settings reintroduces a secret that must be managed and rotated, defeating the purpose of using a managed identity for secretless authentication. Option B is wrong because a Key Vault reference still requires the function app to retrieve a connection string (a secret) at runtime, which does not eliminate secret management and adds dependency on Key Vault access policies. Option D is wrong because using a SharedAccessSignatureToken requires generating and managing a SAS token, which is a secret that must be stored and rotated, again contradicting the goal of avoiding secret management.

623
MCQmedium

You are monitoring an e-commerce application with Application Insights. You need to analyze all exceptions that occurred in the last 24 hours, grouped by the exception type. You also need to include the URL where each exception was triggered and the number of times each type occurred. Which Log Analytics Kusto query should you use?

A.exceptions | where timestamp > ago(24h) | join kind=inner requests on operation_Id | extend exceptionType = tostring(innermostType) | summarize Count=count() by exceptionType, url
B.exceptions | where timestamp > ago(24h) | extend exceptionType = tostring(customDimensions.['ExceptionType']) | summarize Count=count() by exceptionType, url = tostring(customDimensions.['Url'])
C.requests | where timestamp > ago(24h) and success == false | extend exceptionType = tostring(resultCode) | summarize Count=count() by exceptionType, url
D.exceptions | where timestamp > ago(24h) | extend exceptionType = tostring(innermostType) | summarize Count=count() by exceptionType
AnswerA

This query joins the exceptions table with the requests table on operation_Id to get the URL (from the requests table), then groups by exceptionType (innermostType) and url, counting occurrences.

Why this answer

Option A is correct because it uses the `exceptions` table to filter exceptions from the last 24 hours, joins with the `requests` table on `operation_Id` to correlate each exception with the request URL, and then summarizes the count by exception type (extracted from `innermostType`) and URL. This meets all requirements: grouping by exception type, including the URL, and counting occurrences.

Exam trap

The trap here is that candidates might think exception details (like type and URL) are stored directly in the `exceptions` table, but the URL is only available via a join with the `requests` table, and the exception type is in `innermostType`, not custom dimensions.

How to eliminate wrong answers

Option B is wrong because it attempts to extract exception type and URL from `customDimensions`, but the standard Application Insights schema stores the exception type in `innermostType` (or `type`) and the request URL in the `requests` table, not in custom dimensions. Option C is wrong because it queries the `requests` table for failed requests (success == false) and uses `resultCode` as the exception type, which only gives HTTP status codes (e.g., 500) rather than actual exception types (e.g., NullReferenceException). Option D is wrong because it summarizes by exception type only, omitting the URL column that the question explicitly requires.

624
MCQeasy

The team needs to receive an email when an App Service's HTTP 5xx error rate exceeds 5 percent for more than five consecutive minutes. No custom code should be written. What combination of Azure Monitor features implements this requirement?

A.Create a metric alert on the Http5xxErrors metric with a 5-percent threshold, a 5-minute evaluation window, and an action group that sends email
B.Create a log alert that queries the App Service diagnostic log table every 5 minutes and emails the team if the 5xx count exceeds a threshold
C.Enable Application Insights availability tests and configure an alert on test failure rate
D.Configure a diagnostic setting to stream logs to Azure Storage, then write a Function that reads the storage file and sends email when errors are found
AnswerA

App Service emits Http5xxErrors as a platform metric. A metric alert configured with a 5-percent threshold and a PT5M evaluation window checks the condition every minute and fires after the threshold is breached continuously for 5 minutes. The action group routes the alert to the team's email.

Why this answer

Option A is correct because Azure Monitor metric alerts can directly evaluate the Http5xxErrors metric over a specified time window (e.g., 5 minutes) and trigger an action group when the threshold (5%) is breached. This requires no custom code and uses the native metric alert pipeline, which polls the metric every minute and aggregates over the evaluation window to detect sustained violations.

Exam trap

The trap here is that candidates often confuse metric alerts (which work on platform metrics like Http5xxErrors) with log alerts (which require querying diagnostic logs), or mistakenly think Application Insights availability tests are the correct tool for server-side error monitoring.

How to eliminate wrong answers

Option B is wrong because log alerts query diagnostic logs, which are not real-time and incur additional ingestion costs; they also require custom KQL queries and are not as straightforward as metric alerts for simple threshold-based monitoring. Option C is wrong because Application Insights availability tests measure endpoint responsiveness (e.g., HTTP 200/404) and failure rates, not server-side HTTP 5xx errors from App Service; they are designed for synthetic transaction monitoring, not server error rate alerts. Option D is wrong because it requires writing a custom Azure Function to read storage blobs and send emails, violating the 'no custom code' requirement; it also introduces unnecessary complexity and latency compared to built-in metric alerts.

625
MCQhard

You develop an IoT solution using Azure IoT Hub. Devices send telemetry data that must be processed by a custom Azure Function. You need to ensure that the Function processes messages in order per device and exactly once. Which IoT Hub feature should you use?

A.Use IoT Hub message routing to send messages to a Service Bus queue, and process from the queue.
B.Use IoT Hub direct methods to invoke the Function per device.
C.Use IoT Hub device twins to store telemetry and trigger the Function on twin changes.
D.Use IoT Hub's built-in Event Hub-compatible endpoint with a consumer group that has one partition per device.
AnswerD

Event Hubs support per-partition ordering; with partition key = device ID, messages from a device go to the same partition, ensuring order and at-least-once delivery; idempotent processing can achieve exactly-once.

Why this answer

IoT Hub's Event Hub-compatible endpoint supports consumer groups, but for ordered processing per device you need to partition by device ID. Option D is correct because using the built-in endpoint with a consumer group per partition ensures ordering. Option A does not guarantee exactly-once delivery; Option B is for device management; Option C is for cloud-to-device communication.

626
MCQhard

You are using Azure File Sync to sync on-premises file shares to Azure. You need to ensure that files are cached locally on the on-premises server for fast access, but only the most frequently accessed files should be cached. What should you configure?

A.Configure a caching rule using Azure File Sync's built-in cache size limit.
B.Configure a sync group with a custom server endpoint that filters files by last access time.
C.Enable cloud tiering on the server endpoint and set a volume free space policy.
D.Use the Invoke-AzStorageSyncFileRecall cmdlet to recall files on demand.
AnswerC

Cloud tiering automatically manages local caching based on access frequency.

Why this answer

Cloud tiering on an Azure File Sync server endpoint allows you to keep only frequently accessed files cached locally while infrequently accessed files are tiered to Azure. By setting a volume free space policy, you control how much local disk space is reserved for frequently accessed files, ensuring that only the most accessed files remain cached. This directly meets the requirement of caching only the most frequently accessed files locally.

Exam trap

The trap here is that candidates often confuse cloud tiering with manual recall or think they can filter files by access time via sync group settings, but Azure File Sync's cloud tiering is the only built-in mechanism that automatically manages local caching based on access frequency.

How to eliminate wrong answers

Option A is wrong because Azure File Sync does not have a built-in 'caching rule' with a cache size limit; the correct mechanism is cloud tiering with a volume free space policy or date policy. Option B is wrong because sync groups and server endpoints do not filter files by last access time; cloud tiering uses last access time to determine which files to tier, but you cannot configure a custom filter on the server endpoint itself. Option D is wrong because Invoke-AzStorageSyncFileRecall is used to manually recall all tiered files to local storage, which would cache all files, not just the most frequently accessed ones, and is not a configuration for ongoing caching behavior.

627
Multi-Selecthard

Which THREE of the following are features of Azure Storage replication that provide high availability?

Select 3 answers
A.Locally redundant storage (LRS)
B.Geo-zone-redundant storage (GZRS)
C.Geo-redundant storage (GRS)
D.Zone-redundant storage (ZRS)
E.Azure Content Delivery Network (CDN)
AnswersA, C, D

Replicates within one datacenter.

Why this answer

Locally redundant storage (LRS) replicates data three times within a single physical location in the primary region, protecting against server rack and drive failures. This provides high availability within a single datacenter, making it the most cost-effective option for scenarios where durability within one facility is sufficient.

Exam trap

Microsoft often tests the misconception that CDN is a storage replication feature, but it is a separate service for content delivery and caching, not a redundancy mechanism for Azure Storage accounts.

628
MCQhard

You are developing an Azure Functions app that processes large files from Azure Blob Storage. When a file is uploaded, the function triggers and reads the entire file into memory, causing high memory usage. You need to optimize the function to handle large files efficiently. Which approach should you recommend?

A.Stream the blob content directly to the processing logic
B.Use a byte array to read the blob in chunks
C.Read the blob content into a temporary file on disk
D.Increase the memory allocation of the function app
AnswerA

Streaming processes data as it arrives, without loading the entire blob into memory.

Why this answer

Option A is correct because streaming the blob content directly to the processing logic avoids loading the entire file into memory at once. The Azure Blob Storage SDK supports reading blob content as a stream (e.g., using `BlobClient.OpenReadAsync()`), which allows the function to process data in chunks, significantly reducing memory pressure for large files.

Exam trap

The trap here is that candidates often assume reading in chunks with a byte array is sufficient, but they overlook that the byte array itself still holds the entire chunk in memory, whereas streaming processes data without retaining it, which is the key optimization for large files.

How to eliminate wrong answers

Option B is wrong because using a byte array to read the blob in chunks still requires allocating a large buffer in memory, which can lead to high memory usage and potential `OutOfMemoryException` for very large files. Option C is wrong because writing the blob content to a temporary file on disk introduces unnecessary I/O overhead and disk space consumption, which is inefficient for serverless functions that may have limited local storage. Option D is wrong because increasing memory allocation only raises the ceiling for memory usage without addressing the root cause of inefficient memory management; it does not prevent the function from loading the entire file into memory and may increase costs.

629
MCQhard

You are building a real-time dashboard that displays data from Azure Event Hubs. You need to aggregate events over a one-minute window and update the dashboard every minute. Which Azure service should you use?

A.Azure Stream Analytics
B.Azure Data Factory
C.Azure Analysis Services
D.Azure Logic Apps
AnswerA

Stream Analytics is designed for real-time analytics on streaming data.

Why this answer

Azure Stream Analytics is the correct choice because it is designed for real-time stream processing, allowing you to aggregate events from Azure Event Hubs over a one-minute tumbling window and output results to a dashboard or sink. It natively supports windowing functions (e.g., TumblingWindow, HoppingWindow) and can handle high-throughput, low-latency data streams, making it ideal for updating a dashboard every minute.

Exam trap

The trap here is that candidates often confuse Azure Stream Analytics with Azure Data Factory, mistakenly thinking Data Factory can handle real-time streaming when it is actually designed for batch-oriented data movement and transformation.

How to eliminate wrong answers

Option B is wrong because Azure Data Factory is a data integration and orchestration service for batch ETL/ELT pipelines, not for real-time stream processing or windowed aggregations. Option C is wrong because Azure Analysis Services is an analytical engine for semantic models and OLAP cubes, designed for interactive reporting on pre-aggregated data, not for ingesting and aggregating live event streams. Option D is wrong because Azure Logic Apps is a workflow automation service for orchestrating business processes and integrating services, but it lacks native support for high-throughput, low-latency stream processing and windowed aggregations over Event Hubs.

630
MCQmedium

An application calls a Service Bus topic through HTTP. The developer must implement retries without overwhelming the remote system during partial outages. Which retry pattern is best?

A.Disable all timeout settings
B.Immediate infinite retries
C.Retry only after restarting the application
D.Exponential backoff with jitter and a maximum retry limit
AnswerD

Backoff with jitter reduces retry storms and gives the remote service time to recover.

Why this answer

Exponential backoff with jitter and a maximum retry limit is the best pattern because it progressively increases the delay between retries, preventing the client from overwhelming the Service Bus topic during partial outages. The jitter randomizes the delay to avoid thundering herd problems, while the maximum retry limit ensures the system doesn't retry indefinitely, aligning with Azure's recommended retry guidance for HTTP-based calls to Service Bus.

Exam trap

The trap here is that candidates may confuse 'exponential backoff' with 'immediate retries' or 'infinite retries,' overlooking the critical need for jitter and a maximum retry limit to prevent overwhelming the remote system during partial outages.

How to eliminate wrong answers

Option A is wrong because disabling all timeout settings would cause the application to hang indefinitely on a single request, failing to handle partial outages and potentially exhausting resources. Option B is wrong because immediate infinite retries would flood the Service Bus topic with repeated requests during an outage, exacerbating the load and violating the principle of not overwhelming the remote system. Option C is wrong because retrying only after restarting the application introduces unnecessary downtime and delays recovery, as it doesn't leverage transient fault handling within the same application session.

631
MCQhard

You have an Azure Storage account with hierarchical namespace enabled (Azure Data Lake Storage Gen2). You need to provide an application with delegated access to a specific directory and its contents, with the ability to list, read, and write files. The access must be scoped to the directory and not allow access to other parts of the storage account. Which approach should you use?

A.Generate a shared access signature (SAS) token for the directory.
B.Assign the 'Storage Blob Data Contributor' RBAC role to the application at the storage account level.
C.Configure access control lists (ACLs) on the directory and assign the application's managed identity.
D.Use the storage account access key in the application.
AnswerC

ACLs allow granular permissions scoped to the directory, and managed identities can be used for authentication.

Why this answer

Option C is correct because Azure Data Lake Storage Gen2 supports POSIX-like access control lists (ACLs) that can grant granular permissions to a specific directory and its contents. By configuring ACLs on the target directory and assigning the application's managed identity, you can precisely scope list, read, and write access to that directory without affecting other parts of the storage account. This approach avoids the need for account-level keys or RBAC roles, which would grant broader permissions.

Exam trap

The trap here is that candidates often confuse RBAC roles (which are coarse-grained and account/container-wide) with ACLs (which are fine-grained and directory/file-specific), leading them to choose Option B or A when the requirement is strict directory-level scoping.

How to eliminate wrong answers

Option A is wrong because a shared access signature (SAS) token for a directory can only delegate access at the container or directory level, but it cannot enforce fine-grained POSIX-style permissions (e.g., separate read/write/execute) and is typically scoped to the entire container or a path prefix, not a specific directory with ACL-level control. Option B is wrong because assigning the 'Storage Blob Data Contributor' RBAC role at the storage account level grants permissions to all containers and directories in the account, violating the requirement to scope access to a single directory. Option D is wrong because using the storage account access key provides full administrative access to the entire storage account, including all data and management operations, which is far too broad and insecure for delegated directory-level access.

632
MCQmedium

An Azure Container Instance running a webhook processor requires a password at startup. The password must not be visible in the portal or container logs. What should be used?

A.Secure environment variable
B.Container command-line argument
C.Public blob containing the password
D.Plain environment variable
AnswerA

Secure environment variables in ACI protect sensitive values and hide them from normal display.

Why this answer

Secure environment variables in Azure Container Instances are encrypted at rest and in transit, and they are not visible in the Azure portal or container logs. This ensures the password is available to the container at startup without exposing it through the portal interface or log output, meeting the security requirement.

Exam trap

The trap here is that candidates may confuse secure environment variables with plain environment variables, assuming both are equally hidden, but only secure environment variables are encrypted and excluded from portal and log visibility.

How to eliminate wrong answers

Option B is wrong because command-line arguments are passed as part of the container's process command line, which can be logged by the container runtime or appear in process listings, making them visible in logs and potentially the portal. Option C is wrong because a public blob containing the password would be accessible to anyone with the URL, violating security by exposing the password to unauthorized users. Option D is wrong because plain environment variables are stored in plain text and can be viewed in the Azure portal's container settings and may be captured in container logs, failing the requirement to keep the password hidden.

633
MCQmedium

Your Azure Logic App needs to send emails using Microsoft Graph API on behalf of the signed-in user. The user is authenticated with Microsoft Entra ID. Which authentication method should you use in the Logic App?

A.Use OAuth 2.0 authorization code flow with delegated permissions
B.Use a system-assigned managed identity
C.Use client credentials flow with an app registration
D.Use Basic authentication with user credentials
AnswerA

This allows the app to act on behalf of the signed-in user.

Why this answer

Option A is correct because the Logic App connector for Microsoft Graph supports OAuth 2.0 with user delegation. Option B is wrong because a managed identity cannot act on behalf of a signed-in user. Option D is wrong because Basic Auth is not supported.

Option C is wrong because the client credentials flow is for app-only access.

634
MCQmedium

A developer needs to grant an Azure Function read access to secrets in Azure Key Vault without storing any credentials in the function code or configuration. Which approach should they use?

A.Service principal with a certificate
B.Managed identity
C.Access policy with a client secret
D.Shared access signature (SAS)
AnswerB

Managed identity eliminates the need for credentials entirely by providing an identity that is automatically managed and can be assigned to the Function app to access Key Vault.

Why this answer

Managed identity (B) is the correct approach because it allows the Azure Function to authenticate to Azure Key Vault without storing any credentials in code or configuration. Azure automatically manages the identity, and the function can obtain an access token from Azure AD to read secrets, eliminating the need for secrets, certificates, or keys in the application.

Exam trap

The trap here is that candidates may confuse managed identity with a service principal, thinking a certificate or client secret is always required, but managed identity eliminates the need for any stored credentials by leveraging Azure's automatic identity management.

How to eliminate wrong answers

Option A is wrong because a service principal with a certificate still requires the certificate to be stored or deployed with the function code or configuration, which violates the requirement of not storing any credentials. Option C is wrong because an access policy with a client secret requires the client secret to be stored in the function's configuration or code, directly contradicting the no-credentials requirement. Option D is wrong because a shared access signature (SAS) is used for granting delegated access to Azure Storage resources, not for authenticating to Azure Key Vault, and it would still need to be stored in the function.

635
MCQmedium

A developer needs to run a Kusto query against application request data to identify 95th percentile latency by operation. Where should the query be run? The design must avoid adding custom operational scripts.

A.Logs in Application Insights or the associated Log Analytics workspace
B.Microsoft Entra audit logs
C.Azure Key Vault diagnostic settings
D.Azure Resource Graph only
AnswerA

Application Insights stores telemetry that can be queried with KQL in Logs.

Why this answer

Application Insights and its associated Log Analytics workspace store application request data and support Kusto Query Language (KQL) queries. Running a Kusto query against the `requests` table in the Logs workspace allows you to calculate percentile latency (e.g., using the `percentiles()` function) without custom operational scripts, as this is a built-in capability.

Exam trap

The trap here is that candidates may confuse Azure Resource Graph (which queries resource metadata) with Log Analytics (which queries telemetry data), leading them to choose Option D despite its inability to handle application performance queries.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra audit logs contain sign-in and directory activity, not application request latency data. Option C is wrong because Azure Key Vault diagnostic settings capture vault access and management events, not application request performance metrics. Option D is wrong because Azure Resource Graph is designed for querying Azure resource inventory and configuration across subscriptions, not for analyzing application telemetry like request latency.

636
MCQeasy

You have an Azure Function app that needs to retrieve a secret from Azure Key Vault at runtime. You want to avoid storing any credentials in code or configuration. Which mechanism should you use?

A.Service principal with client secret
B.Managed identity
C.Access key
D.Shared access signature (SAS)
AnswerB

Correct. Managed identity allows the Function app to authenticate to Azure Key Vault without any stored credentials.

Why this answer

Managed identity (B) is the correct mechanism because it allows the Azure Function app to authenticate to Azure Key Vault without storing any credentials in code or configuration. Azure automatically manages the identity and provides a token from Azure AD that the function can use to access the vault, eliminating the need for secrets or keys in the application.

Exam trap

The trap here is that candidates may confuse managed identity with a service principal, thinking a client secret is required, or incorrectly assume that an access key or SAS can be used for Key Vault authentication.

How to eliminate wrong answers

Option A is wrong because a service principal with client secret requires storing the client secret in code or configuration, which violates the requirement to avoid storing credentials. Option C is wrong because an access key is used for authenticating to Azure Functions itself, not for retrieving secrets from Key Vault. Option D is wrong because a shared access signature (SAS) is a token for granting limited access to Azure Storage resources, not for authenticating to Key Vault.

637
MCQmedium

An application needs to upload large thumbnail metadata to Blob Storage reliably over unstable networks. Which upload approach should be used?

A.Block blob staged block upload with commit
B.Page blob only
C.Append blob only
D.Table Storage batch operation
AnswerA

Staging blocks supports resumable, parallel uploads for large block blobs.

Why this answer

Block blob staged block upload with commit is the correct approach because it allows uploading large thumbnails in smaller, independent blocks that can be retried individually if a network failure occurs. This method uses the Put Block and Put Block List REST APIs, enabling reliable uploads over unstable networks by committing only successfully uploaded blocks. It is specifically designed for large files and provides fine-grained control over upload progress and error recovery.

Exam trap

The trap here is that candidates may confuse blob types (block, page, append) and choose page blobs due to their 'reliability' reputation for VHDs, but fail to recognize that block blobs are the correct choice for large file uploads with retry logic over unstable networks.

How to eliminate wrong answers

Option B (Page blob only) is wrong because page blobs are optimized for random read/write operations (like VHD disks), not for uploading large sequential data like thumbnails, and they lack the staged block upload mechanism for reliable transfer over unstable networks. Option C (Append blob only) is wrong because append blobs are designed for append-only operations (e.g., logging), not for uploading large files with retry capability; they do not support staged block uploads. Option D (Table Storage batch operation) is wrong because Table Storage is for structured NoSQL data (entities), not for binary large objects like thumbnails, and batch operations are for transactional entity updates, not file uploads.

638
MCQeasy

Your company uses Azure API Management to expose APIs to external partners. You need to enforce throttling limits per subscription key. Which policy should you add?

A.rate-limit by key policy with @(context.Subscription.Id) as counter key
B.rate-limit policy with IP address filtering
C.rate-limit by key policy with no counter key
D.validate-jwt policy with claims check
AnswerA

This limits requests per subscription key.

Why this answer

Option A is correct because the rate-limit by key policy, with the subscription ID as the counter key, throttles requests per subscription key. Option C is wrong because a rate-limit by key policy without a counter key has no per-subscription counter to throttle on. Option B is wrong because IP-based throttling is not per key.

Option D is wrong because validate-jwt is for authentication, not throttling.

639
Multi-Selecthard

Which THREE considerations are important when designing an Azure Function that uses Durable Functions for fan-out/fan-in pattern?

Select 3 answers
A.The orchestrator function must be deterministic.
B.The orchestrator function should not perform any I/O operations directly.
C.Orchestration history is stored in memory to reduce latency.
D.The orchestrator function should be triggered by an HTTP trigger directly.
E.The function app must have a storage account connection string configured.
AnswersA, B, E

Non-deterministic code can cause issues during replay.

Why this answer

The orchestrator function in Durable Functions must be deterministic because it replays execution history multiple times to recover state after a process restart or to handle async operations. Non-deterministic code (e.g., random numbers, current time) would produce different results on replay, breaking the reliable execution model that Durable Functions relies on for fan-out/fan-in patterns.

Exam trap

The trap here is that candidates often confuse the orchestrator's role with a regular function, thinking it can perform I/O directly or be triggered by HTTP, when in fact it must be stateless and deterministic, relying on activity functions for all I/O.

640
Multi-Selecthard

A function consumes messages from Azure Service Bus. Which two settings help handle transient failures safely?

Select 2 answers
A.Configure max delivery count with a dead-letter queue
B.Make message processing idempotent
C.Disable lock renewal for long processing
D.Use anonymous sender access
AnswersA, B

Dead-lettering isolates messages after repeated delivery failures.

Why this answer

Configuring max delivery count with a dead-letter queue is correct because it allows the function to handle transient failures safely by automatically moving messages that exceed the maximum number of delivery attempts to a dead-letter queue. This prevents infinite retries and ensures that problematic messages are isolated for manual inspection, while the function can continue processing other messages without blocking. The max delivery count setting in Azure Service Bus controls how many times a message is delivered before being dead-lettered, which is essential for managing transient failures without losing data.

Exam trap

The trap here is that candidates often confuse disabling lock renewal (which is a performance optimization for long processing) with a transient failure handling strategy, when in fact it can lead to message duplication or loss, and they overlook that idempotent processing (Option B) is a complementary pattern but not a Service Bus setting for handling transient failures.

641
Multi-Selectmedium

Which THREE features does Azure Container Instances (ACI) provide?

Select 3 answers
A.Integrate with Azure Virtual Network by default.
B.Assign a public IP address and DNS name label.
C.Mount Azure Files shares as volumes.
D.Configure restart policies.
E.Run containers as nested containers (Docker-in-Docker).
AnswersB, C, D

ACI supports public IP and DNS labels.

Why this answer

Option B is correct because Azure Container Instances allows you to assign a public IP address and a DNS name label to a container group, enabling direct internet access to the container. This is configured at the container group level, and the DNS name label must be unique within the Azure region.

Exam trap

The trap here is that candidates often assume ACI automatically integrates with Azure Virtual Network, but this requires explicit configuration and is not enabled by default.

642
MCQmedium

You are using Application Insights to monitor a web app. You want to automatically analyze and alert on sudden increases in request failure rates, without manually setting static thresholds. Which Application Insights feature should you use?

A.Smart Detection
B.Application Insights Profiler
C.Live Metrics Stream
D.Continuous Export
AnswerA

Smart Detection uses machine learning to detect anomalies like failure rate increases and sends alerts automatically.

Why this answer

Smart Detection in Application Insights automatically analyzes telemetry from your web app to detect anomalies, such as sudden increases in request failure rates, without requiring manual static thresholds. It uses machine learning models to adapt to your app's normal behavior and alert on deviations, making it ideal for dynamic monitoring scenarios.

Exam trap

The trap here is that candidates often confuse Live Metrics Stream (real-time but no analysis) with Smart Detection (which provides automatic anomaly detection and alerting), leading them to choose the wrong option for failure rate analysis.

How to eliminate wrong answers

Option B (Application Insights Profiler) is wrong because it is designed for performance profiling and tracing slow requests, not for analyzing failure rates or setting alerts. Option C (Live Metrics Stream) is wrong because it provides real-time monitoring of metrics but does not include automatic anomaly detection or alerting on failure rate changes. Option D (Continuous Export) is wrong because it exports telemetry data to storage for long-term analysis, but it does not analyze data or generate alerts for sudden failure rate increases.

643
MCQmedium

You are building an event-driven solution that processes orders from an Azure Storage Queue. Each order triggers an Azure Function. To improve reliability, you need to automatically retry processing if an exception occurs, but only up to 3 times. You must also preserve the original order message in a poison queue after max retries. Which configuration should you use in the function's host.json?

A.Set 'prefetchCount' to 3
B.Set 'newBatchThreshold' to 3
C.Set 'maxDequeueCount' to 3
D.Set 'batchSize' to 3
AnswerC

maxDequeueCount defines the maximum number of times to try processing a message before moving it to the poison queue.

Why this answer

The 'maxDequeueCount' setting in host.json controls the number of times the function tries to process a message before moving it to the poison queue. Setting it to 3 achieves the requirement. Option A is wrong because 'prefetchCount' controls how many messages are retrieved at once, not retries.

Option B is wrong because 'newBatchThreshold' controls batch size, not retries. Option D is wrong because 'batchSize' controls how many messages are processed concurrently, not retries.
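To see how the two mechanisms from questions 640 and 643 fit together (a bounded number of redeliveries ending in a poison or dead-letter queue, and an idempotent handler that makes the redeliveries that still happen harmless), here is an added example that is not from the page or from Microsoft. It models at-least-once queue delivery in memory instead of calling the Azure SDK; the host.json values, message IDs and order numbers are assumed.

```python
"""Added example (not from the page or from Microsoft): an in-memory model of at-least-once
queue delivery with a dequeue-count limit, a poison queue and an idempotent handler.
It stands in for Azure Storage Queue triggers (host.json extensions.queues.maxDequeueCount,
<queue>-poison) and equally for Service Bus max delivery count + dead-letter queue;
no Azure SDK is called. The host.json values, message IDs and order numbers are assumed."""
from dataclasses import dataclass, field

# Assumed host.json fragment: three attempts, then the message goes to <queue>-poison.
HOST_JSON = {
    "version": "2.0",
    "extensions": {"queues": {"maxDequeueCount": 3, "visibilityTimeout": "00:00:30"}},
}


@dataclass
class Message:
    id: str
    body: dict
    dequeue_count: int = 0


@dataclass
class Broker:
    """Minimal queue semantics: a failed delivery becomes visible again until the limit."""
    max_dequeue: int
    queue: list = field(default_factory=list)
    poison: list = field(default_factory=list)

    def deliver(self, handler) -> None:
        while self.queue:
            msg = self.queue.pop(0)
            msg.dequeue_count += 1
            try:
                handler(msg)
            except Exception:
                if msg.dequeue_count >= self.max_dequeue:
                    self.poison.append(msg)   # quarantined for inspection, never retried
                else:
                    self.queue.append(msg)    # visibility timeout expires -> redelivery


class OrderProcessor:
    """Idempotent handler keyed on the message ID, so a redelivery after a success
    (lock lost, host crash after the side effect) is a no-op instead of a double shipment."""

    def __init__(self):
        self.processed_ids = set()   # a durable store (table, Cosmos DB) in production
        self.orders_shipped = []
        self.attempts = {}

    def __call__(self, msg: Message) -> None:
        if msg.id in self.processed_ids:
            return                                     # duplicate: already shipped
        n = self.attempts.get(msg.id, 0) + 1
        self.attempts[msg.id] = n
        if n <= msg.body.get("fail_times", 0):         # simulated transient failure
            raise RuntimeError(f"transient failure on attempt {n}")
        self.orders_shipped.append(msg.body["order"])  # the side effect
        self.processed_ids.add(msg.id)                 # recorded after the effect


def run_scenario() -> dict:
    broker = Broker(max_dequeue=HOST_JSON["extensions"]["queues"]["maxDequeueCount"])
    proc = OrderProcessor()
    broker.queue.extend([
        Message("m1", {"order": "A-100"}),                    # succeeds first time
        Message("m2", {"order": "B-200", "fail_times": 2}),   # succeeds on attempt 3
        Message("m3", {"order": "C-300", "fail_times": 99}),  # poisoned after attempt 3
    ])
    broker.deliver(proc)
    # Redelivery of m1 after it was already processed (e.g. lease lost before completion).
    broker.queue.append(Message("m1", {"order": "A-100"}))
    broker.deliver(proc)
    return {
        "shipped": proc.orders_shipped,
        "poison": [m.id for m in broker.poison],
        "attempts": proc.attempts,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The scenario ends with two orders shipped exactly once, m3 in the poison queue after three attempts, and the duplicate m1 ignored. One gap the model leaves visible: the handler records the message ID after performing the side effect, so a crash between the two still allows a double effect; in a real system make the effect and the record a single atomic write (for example an upsert keyed by the message ID).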

644
MCQmedium

You are designing a serverless application using Azure Functions. The solution must process messages from an Azure Service Bus queue and update a Cosmos DB database. Which binding configuration should you use on the function?

A.Service Bus trigger with Table storage output binding
B.Blob trigger with Cosmos DB output binding
C.HTTP trigger with Cosmos DB input binding
D.Service Bus trigger with Cosmos DB output binding
AnswerD

Correct combination for queue-triggered DB update.

Why this answer

Option D is correct because the requirement specifies processing messages from an Azure Service Bus queue and updating a Cosmos DB database. A Service Bus trigger binds the function to the queue, and a Cosmos DB output binding writes the processed data directly to Cosmos DB, enabling a seamless serverless workflow without additional code for database operations.

Exam trap

The trap here is that candidates may confuse output bindings with input bindings or choose a trigger that does not match the event source, such as selecting a Blob or HTTP trigger when the requirement explicitly states a Service Bus queue as the message source.

How to eliminate wrong answers

Option A is wrong because it uses a Table storage output binding, which writes to Azure Table Storage, not Cosmos DB, and thus does not meet the requirement to update a Cosmos DB database. Option B is wrong because it uses a Blob trigger, which responds to blob storage events, not Service Bus messages, so it cannot process messages from the Service Bus queue. Option C is wrong because it uses an HTTP trigger, which requires an external HTTP request to invoke the function, and a Cosmos DB input binding only reads data from Cosmos DB, not updates it.
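The binding configuration the answer describes, written out as a function.json for the Functions v1 programming model. This is an added example, not the page's own; the queue, database, container and connection-setting names are assumed, and the property names (connection, containerName) are those of the Service Bus extension 5.x and Cosmos DB extension 4.x.

```json
{
  "bindings": [
    {
      "name": "orderMessage",
      "type": "serviceBusTrigger",
      "direction": "in",
      "queueName": "orders",
      "connection": "ServiceBusConnection"
    },
    {
      "name": "outputDocument",
      "type": "cosmosDB",
      "direction": "out",
      "databaseName": "ordersdb",
      "containerName": "orders",
      "createIfNotExists": false,
      "connection": "CosmosDbConnection"
    }
  ]
}
```

Both connection values name app settings, not secrets. With identity-based connections you set ServiceBusConnection__fullyQualifiedNamespace (for example sb-orders.servicebus.windows.net) and CosmosDbConnection__accountEndpoint (the account's https://...documents.azure.com:443/ URI) instead of connection strings, and grant the function's managed identity Azure Service Bus Data Receiver on the queue and a Cosmos DB built-in data-plane role on the account; the function then holds no keys at all.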

645
MCQhard

A single-page app signs in users with Microsoft Entra ID and calls a protected API. The app cannot safely keep a client secret. Which OAuth flow should be used? The team wants the control to be enforceable during normal operations.

A.Implicit flow
B.Client credentials flow
C.Resource owner password credentials flow
D.Authorization code flow with PKCE
AnswerD

PKCE protects public clients that cannot store secrets and is recommended for SPAs.

Why this answer

The authorization code flow with PKCE (Proof Key for Code Exchange) is the recommended OAuth flow for single-page apps because it prevents the client secret from being exposed by using a dynamically generated code verifier and challenge. This flow ensures that even if the authorization code is intercepted, it cannot be exchanged for tokens without the original code verifier, making it secure for public clients that cannot safely store secrets.

Exam trap

The trap here is that candidates confuse the deprecated implicit flow (Option A) with the authorization code flow with PKCE, assuming the implicit flow is still acceptable for SPAs. The OAuth 2.0 Security Best Current Practice directs clients not to use the implicit grant, the OAuth 2.1 draft requires PKCE on every authorization code request, and the Microsoft identity platform recommends authorization code with PKCE (MSAL.js 2.x and later) for single-page apps.

How to eliminate wrong answers

Option A is wrong because the OAuth 2.0 Security Best Current Practice directs clients not to use the implicit grant: access tokens travel in the URL fragment, where browser history, referrers and injected scripts can capture them, the flow cannot use PKCE, and it issues no refresh token; it should not be used for new applications. Option B is wrong because the client credentials flow is designed for server-to-server (confidential client) scenarios where the app authenticates with its own credentials, not for user sign-in in a single-page app that cannot hold a credential at all. Option C is wrong because the resource owner password credentials flow requires the user to hand their username and password to the app, which violates security best practices, defeats MFA and is not suitable for modern single-page apps that delegate authentication to Microsoft Entra ID.
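The PKCE mechanics the answer relies on, as an added example (not from the page or from Microsoft): the client creates a random verifier, sends only its S256 challenge on the authorize request, and later proves possession of the verifier at the token endpoint with no client secret involved. The tenant, client ID and redirect URI are placeholders; the verifier/challenge pair at the bottom is the worked vector from RFC 7636 Appendix B.

```python
"""Added example (not from the page): the client-side and server-side PKCE steps of the
authorization code flow, per RFC 7636. Tenant, client ID and redirect URI are placeholders."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

TENANT = "contoso.onmicrosoft.com"                       # assumed
CLIENT_ID = "11111111-2222-3333-4444-555555555555"       # assumed SPA app registration (public client)
REDIRECT_URI = "https://spa.example.com/auth/callback"   # assumed


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters (allowed length is 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_url(challenge: str, state: str, scope: str) -> str:
    """Step 1: redirect the browser here; only the challenge leaves the client."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize?{urlencode(params)}"


def token_request_body(code: str, verifier: str) -> dict:
    """Step 2: redeem the code. There is no client_secret; the verifier proves possession."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at /token: recompute S256 over the presented
    verifier and compare it (constant-time) with the challenge stored alongside the code.
    An attacker holding only an intercepted code cannot produce the matching verifier."""
    return hmac.compare_digest(stored_challenge, make_challenge(presented_verifier))


# Interoperability check against the worked vector in RFC 7636 Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
```

Keep the verifier in memory (or session storage) for the lifetime of one authorization request only, generate a fresh one per request, and still validate state on the callback; PKCE binds the code to the client session, it does not replace CSRF protection.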

646
MCQmedium

You are deploying an Azure Functions app using an ARM template. The exhibit shows a portion of the template. You notice that the AzureWebJobsStorage connection string includes the account key directly. What is the MOST important security concern?

A.The FUNCTIONS_WORKER_RUNTIME is set to dotnet-isolated, which is outdated.
B.The storage account name is hardcoded in the connection string.
C.The storage account key is exposed in the template, which could be compromised.
D.The connection string does not use HTTPS.
AnswerC

Hardcoding keys in templates is insecure; use managed identities or Key Vault.

Why this answer

Option C is correct because embedding the storage account key directly in an ARM template exposes a long-lived secret in plaintext. If the template is stored in source control, shared, or logged, the key can be compromised, granting an attacker full access to the storage account. This violates the principle of least privilege and security best practices for infrastructure as code.

Exam trap

The trap here is that candidates often focus on superficial issues like hardcoded names or protocol strings, missing the fundamental security risk of embedding a secret (the account key) in plaintext within an ARM template.

How to eliminate wrong answers

Option A is wrong because 'dotnet-isolated' selects the isolated worker model, which is Microsoft's recommended model for .NET functions going forward, not an outdated one. Option B is wrong because hardcoding the storage account name is a maintainability concern, not a security vulnerability; the key exposure is the critical risk. Option D is wrong because Azure Storage connection strings use the HTTPS endpoints by default (DefaultEndpointsProtocol=https); the protocol is not the issue here.
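What the fix looks like in the template itself, as an added example that is not the page's exhibit: instead of an AzureWebJobsStorage setting holding DefaultEndpointsProtocol=https;AccountName=...;AccountKey=<literal key>, the host uses an identity-based connection (AzureWebJobsStorage__accountName) and the template grants the app's system-assigned identity the Storage Blob Data Owner role on the account. Parameter names are assumed; the role definition ID is the built-in one for Storage Blob Data Owner.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppName": { "type": "string" },
    "storageAccountName": { "type": "string" },
    "planId": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2022-09-01",
      "name": "[parameters('functionAppName')]",
      "location": "[resourceGroup().location]",
      "kind": "functionapp",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "serverFarmId": "[parameters('planId')]",
        "httpsOnly": true,
        "siteConfig": {
          "appSettings": [
            { "name": "AzureWebJobsStorage__accountName", "value": "[parameters('storageAccountName')]" },
            { "name": "FUNCTIONS_EXTENSION_VERSION", "value": "~4" },
            { "name": "FUNCTIONS_WORKER_RUNTIME", "value": "dotnet-isolated" }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]",
      "name": "[guid(resourceGroup().id, parameters('functionAppName'), 'StorageBlobDataOwner')]",
      "dependsOn": [ "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]" ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
        "principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('functionAppName')), '2022-09-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

Identity-based host storage needs Functions runtime 4.x; depending on the triggers in use the identity may also need Storage Queue Data Contributor and Storage Account Contributor. On Consumption and Premium plans the content share setting (WEBSITE_CONTENTAZUREFILECONNECTIONSTRING) still requires a connection string, so keep that one out of source by resolving it at deploy time with listKeys() or with a Key Vault reference rather than pasting a key.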

647
MCQmedium

You are developing an Azure Function that reads secrets from Azure Key Vault. The function must not use any static credentials in configuration files. You need to authenticate to Key Vault using the function's own identity. Which Azure service feature should you enable?

A.Use storage account access keys to authenticate to Key Vault
B.Assign a managed identity to the function app and grant it access to the Key Vault
C.Generate a shared access signature (SAS) token for the Key Vault
D.Create a service principal and store its certificate in the function app's local storage
AnswerB

Managed identities allow the function app to authenticate to Key Vault without any stored credentials. The identity is automatically managed by Microsoft Entra ID.

Why this answer

Option B is correct because an Azure Functions app can use a system-assigned or user-assigned managed identity to authenticate to Key Vault without storing any credentials. At runtime the app requests a Microsoft Entra token for the audience https://vault.azure.net from the local managed-identity endpoint the platform exposes to it (App Service and Functions publish it through the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables; on virtual machines the equivalent is the IMDS endpoint at 169.254.169.254), which client libraries such as DefaultAzureCredential and ManagedIdentityCredential do for you. The token is then presented as a bearer token to the Key Vault REST API, so no connection strings, keys or certificates ever appear in configuration files.

Exam trap

The trap here is that candidates may confuse SAS tokens (which are for Storage) or service principals (which require manual certificate management) with the fully managed, credential-free authentication provided by managed identities.

How to eliminate wrong answers

Option A is wrong because storage account access keys are static credentials that would have to live in configuration, violating the requirement, and they authenticate to Azure Storage, not to Key Vault. Option C is wrong because shared access signature (SAS) tokens delegate access to Azure Storage resources (blobs, queues, tables), not to Key Vault; Key Vault always authenticates callers with Microsoft Entra ID and authorizes them through Azure RBAC or access policies, never through SAS. Option D is wrong because a service principal with its certificate stored in the function app's local storage reintroduces a static credential (the certificate file) that must be protected and rotated, contradicting the requirement; managed identities are the recommended approach for credential-free authentication.

648
MCQmedium

A developer is configuring a web app to authenticate users with Microsoft Entra ID. The web app needs to call a downstream API that also uses Microsoft Entra ID for authentication. The developer must ensure that the web app can securely obtain access tokens for the downstream API. Which authentication flow should the developer implement?

A.OAuth 2.0 Client Credentials flow
B.OAuth 2.0 Implicit flow
C.OAuth 2.0 On-Behalf-Of flow
D.OAuth 2.0 Authorization Code flow
AnswerC

On-Behalf-Of flow allows the web app to use the user's identity to get a token for the downstream API.

Why this answer

Option C is correct because the On-Behalf-Of (OBO) flow lets a middle-tier application exchange the user's access token it received for an access token to a downstream API, so the downstream call runs in the signed-in user's context rather than with the app's own identity. Option D is incorrect because the Authorization Code flow is how the web app signs the user in and obtains its own tokens; it does not by itself convert a token issued for the web app into one for another API (a confidential web app can request the downstream scope during that flow, but the chaining of an already-received token is what OBO is for). Option A is incorrect because the Client Credentials flow is for daemon or service-to-service calls with no user context.

Option B is incorrect because the Implicit flow is deprecated and exposes tokens in the URL fragment.

649
MCQmedium

An application publishes order events that multiple independent subscribers must process. Subscribers may be added later without changing the publisher. Which Azure messaging service should be used? The design must avoid adding custom operational scripts.

A.Azure Blob Storage lifecycle policy
B.Azure Storage Queue
C.Azure Cache for Redis list only
D.Azure Service Bus topic
AnswerD

Service Bus topics support publish-subscribe messaging with independent subscriptions.

Why this answer

Azure Service Bus topics support a publish-subscribe pattern where multiple independent subscribers each receive a copy of every published message. This decouples the publisher from subscribers, allowing new subscribers to be added later without modifying the publisher. The built-in subscription entities eliminate the need for custom operational scripts.

Exam trap

The trap here is confusing a point-to-point queue (Storage Queue) with a publish-subscribe topic (Service Bus), where the requirement for multiple independent subscribers and future extensibility without scripts directly points to the topic's subscription model.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage lifecycle policies automate tiering or deletion of blobs based on age, not message delivery to multiple subscribers. Option B is wrong because Azure Storage Queues implement a point-to-point message queue where each message is consumed by a single worker, not broadcast to multiple independent subscribers. Option C is wrong because Azure Cache for Redis list only provides a simple list data structure; it lacks built-in publish-subscribe semantics and would require custom polling logic and scripts to distribute messages to multiple subscribers.

650
MCQhard

You are designing a solution for a healthcare application that stores patient data in Azure Cosmos DB. The data must be encrypted at rest using a customer-managed key stored in Azure Key Vault. You need to ensure that the key can be rotated without downtime. Which approach should you recommend?

A.Configure Azure Security Center to automatically rotate the key.
B.After rotating the key in Key Vault, manually update the Cosmos DB account with the new key version.
C.Use the Cosmos DB account key rotation feature to regenerate the key.
D.Enable automatic key rotation on the Key Vault key and use the key's versionless identifier in Cosmos DB.
AnswerD

Versionless identifier allows Cosmos DB to automatically use the latest key version.

Why this answer

Option D is correct. Cosmos DB references a customer-managed key by its Key Vault URI; when that URI omits the version (the versionless identifier, https://{vault}.vault.azure.net/keys/{key}), Cosmos DB picks up a new key version automatically, so enabling Key Vault's automatic rotation policy gives rotation with no downtime and no account update. Cosmos DB uses envelope encryption, so rotation re-wraps the internal data encryption keys rather than re-encrypting stored data.

Option B is wrong because pinning a versioned key URI forces a manual account update after every rotation, which the versionless identifier makes unnecessary. Option C is wrong because Cosmos DB account key regeneration rotates the account's data-plane authentication keys, not the encryption key. Option A is wrong because Azure Security Center (now Microsoft Defender for Cloud) assesses security posture; it does not rotate keys.

651
MCQmedium

You are developing an API that uses managed identity to access Azure Key Vault. The API runs in an Azure App Service with system-assigned managed identity enabled. You need to retrieve a secret value. Which API endpoint should your code call?

A.https://vault.azure.net/secrets/{secret-name}
B.https://myvault.vault.azure.net/secrets/{secret-name}?api-version=7.0
C.https://login.microsoftonline.com/{tenant}/oauth2/token
D.https://management.azure.com/subscriptions/{sub}/...
AnswerB

Correct. The format is https://{vault-name}.vault.azure.net/secrets/{secret-name}?api-version={version}; the api-version query parameter is required on Key Vault REST calls.

Why this answer

Option B is correct because it uses the full Key Vault data-plane endpoint: the vault-specific host name ('myvault.vault.azure.net'), the 'secrets' resource path, the secret name, and the mandatory 'api-version' query parameter (7.0 in the option; newer stable versions such as 7.4 are also valid). The managed identity obtains a Microsoft Entra access token for the audience https://vault.azure.net, and the code sends that token as a bearer token to this endpoint; the response body carries the secret in its 'value' property.

Exam trap

The trap here is that candidates often confuse the Key Vault REST API endpoint with the Azure AD token endpoint or the Azure Resource Manager endpoint, forgetting that the vault name is part of the DNS and that an API version is required.

How to eliminate wrong answers

Option A is wrong because vault.azure.net is the token audience (the 'resource' value requested from Microsoft Entra ID), not a vault host; every vault has its own DNS name of the form {vault-name}.vault.azure.net. Option C is wrong because it is the Microsoft Entra OAuth2 token endpoint, which issues access tokens but does not serve secrets (and a managed identity does not call it directly anyway; it uses the platform's local identity endpoint). Option D is wrong because it points to the Azure Resource Manager endpoint, which manages the vault resource itself, not to the Key Vault secrets REST API.
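The two REST calls behind questions 647 and 651, as an added example that is not from the page or from Microsoft: first a token from the platform's local managed-identity endpoint for the audience https://vault.azure.net, then a GET on the vault-specific secrets endpoint with that bearer token. The HTTP transport is a parameter so the flow can be run offline against constructed responses; the vault name, secret name and endpoint values are placeholders.

```python
"""Added example (not from the page or from Microsoft): the two REST calls behind
"use the managed identity to read a Key Vault secret". The HTTP transport is a function
parameter so the flow can be exercised offline with constructed responses; vault and
secret names are placeholders."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

VAULT = "myvault"           # assumed vault name -> https://myvault.vault.azure.net
SECRET = "db-password"      # assumed secret name
API_VERSION = "7.4"         # api-version is mandatory; 7.0 from the question also works


def http_get_json(url: str, headers: dict) -> dict:
    """Real transport: a plain GET returning parsed JSON (not used by the offline run)."""
    with urlopen(Request(url, headers=headers)) as resp:
        return json.loads(resp.read().decode())


def get_token(env: dict, transport=http_get_json) -> str:
    """Step 1: ask the platform's local managed-identity endpoint for a token.
    App Service and Functions inject IDENTITY_ENDPOINT / IDENTITY_HEADER; the header value
    proves the caller is the app itself. (On VMs this is IMDS at 169.254.169.254 instead.)"""
    url = env["IDENTITY_ENDPOINT"] + "?" + urlencode({
        "api-version": "2019-08-01",
        "resource": "https://vault.azure.net",   # audience for every Key Vault, not a vault host
    })
    body = transport(url, {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]})
    return body["access_token"]


def secret_url() -> str:
    """Step 2's target: the vault-specific data-plane endpoint."""
    return f"https://{VAULT}.vault.azure.net/secrets/{SECRET}?api-version={API_VERSION}"


def get_secret(env: dict, transport=http_get_json) -> str:
    """Step 2: present the token as a bearer token; the response carries the secret value."""
    token = get_token(env, transport)
    body = transport(secret_url(), {"Authorization": f"Bearer {token}"})
    return body["value"]


# --- constructed stand-ins so the flow can run offline -----------------------------------
FAKE_ENV = {
    "IDENTITY_ENDPOINT": "http://127.0.0.1:41234/msi/token",   # shape of the real variable
    "IDENTITY_HEADER": "constructed-identity-header",
}


def fake_transport(url: str, headers: dict) -> dict:
    """Constructed responses mimicking the MI endpoint and Key Vault; checks what the real
    endpoints would check (identity header, requested audience, bearer token)."""
    if url.startswith(FAKE_ENV["IDENTITY_ENDPOINT"] + "?"):
        if headers.get("X-IDENTITY-HEADER") != FAKE_ENV["IDENTITY_HEADER"]:
            raise PermissionError("missing or wrong X-IDENTITY-HEADER")
        if "resource=https%3A%2F%2Fvault.azure.net" not in url:
            raise ValueError("wrong audience requested")
        return {"access_token": "eyJ.constructed.token", "token_type": "Bearer"}
    if url == secret_url():
        if headers.get("Authorization") != "Bearer eyJ.constructed.token":
            raise PermissionError("401: bad bearer token")
        return {"value": "s3cr3t-value",
                "id": f"https://{VAULT}.vault.azure.net/secrets/{SECRET}/0123abcd"}
    raise ValueError("unexpected URL: " + url)
```

In production use the Azure SDK (SecretClient with DefaultAzureCredential) rather than hand-rolled HTTP; it performs exactly these two calls, caches the token until shortly before expiry, and falls back to other credential sources during local development.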

652
MCQmedium

You are building an Azure Logic App that calls an external REST API secured with the OAuth 2.0 client credentials flow. You have registered an app in Microsoft Entra ID with client ID and client secret stored in Azure Key Vault. The Logic App uses a system-assigned managed identity with Get permission on the secret. Which action should you use in the Logic App designer to authenticate to the API?

A.HTTP action with 'Active Directory OAuth' authentication type, referencing the client ID and client secret
B.HTTP action with 'Managed Identity' authentication type
C.Invoke an API with OAuth predefined connector
D.HTTP action with 'Basic' authentication and pass the secret as password
AnswerA

This correctly implements the client credentials grant by providing the client ID and secret in the HTTP request.

Why this answer

Option A is correct because the client credentials grant needs the registered application's client ID and client secret to obtain a token from Microsoft Entra ID, and the HTTP action's 'Active Directory OAuth' authentication type implements that exchange: it takes the tenant, the audience (the API's application ID URI), the client ID and the secret, then adds the resulting bearer token to the outgoing request. The secret is not typed into the designer: a Key Vault 'Get secret' action, authenticated with the Logic App's system-assigned managed identity, retrieves it at run time and its output is referenced in the HTTP action's Secret field. Turn on secure inputs and outputs on both actions so the secret is also masked in run history.

Exam trap

The trap here is Option B. 'Managed Identity' authentication on the HTTP action does work against any API that accepts Microsoft Entra tokens issued to the Logic App's own identity (Azure resources, or a custom API validating tokens for a given audience), but it cannot present the client ID and secret of the separate app registration that this particular API expects, so candidates who pick it have solved a different problem.

How to eliminate wrong answers

Option B is wrong because the 'Managed Identity' authentication type obtains a token for the Logic App's own identity; that works for any API that accepts Microsoft Entra tokens for the requested audience, but it cannot supply the client ID and client secret of the separately registered application this API expects, so the API would reject the caller. Option C is wrong because 'Invoke an API with OAuth predefined connector' is not a built-in Logic App action; there is no generic OAuth connector that dynamically handles client credentials with Key Vault secrets, and the managed connectors are specific to services such as Microsoft Graph or Salesforce. Option D is wrong because 'Basic' authentication sends the client ID and secret as a username:password pair in the Authorization header of every request to the API; the client credentials flow instead exchanges those credentials for a short-lived bearer token at the Entra token endpoint, which is what the API validates.

653
MCQhard

You are developing a solution that processes events from Azure Event Hubs and stores them in Azure Blob Storage. The processing must be idempotent and exactly-once. Which approach should you use?

A.Use EventProcessorHost with checkpointing and blob leases to track processed events
B.Use Azure Functions with Event Hubs trigger and store events in batches
C.Use a simple consumer group and delete events after reading from Event Hubs
D.Implement a transactional outbox pattern with Azure SQL Database
AnswerA

Checkpointing with sequence numbers and lease-based partition ownership ensures each event is processed exactly once.

Why this answer

Option A is correct. The event processor (EventProcessorHost, superseded by EventProcessorClient in the current SDKs) uses blob leases to give each partition a single owner and writes checkpoints recording the offset and sequence number of the last processed event. Delivery is still at-least-once: after a crash the processor resumes from the last checkpoint and replays any events handled since, so exactly-once is achieved by combining checkpointing with idempotent writes (for example naming the output blob from the partition and sequence number so a replay overwrites rather than duplicates). Option B is wrong because an Event Hubs-triggered function with batching checkpoints the same way and replays on failure; it gives no idempotency on its own.

Option C is wrong because Event Hubs is an append-only log with retention-based cleanup; consumers cannot delete events after reading them. Option D is wrong because the transactional outbox pattern protects the publishing side (writing state and an outgoing event atomically in SQL), not the consumer that stores events in Blob Storage.
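A model of the replay-after-crash behaviour the answer describes, as an added example (not from the page or from Microsoft): the processor checkpoints every few events, crashes before its next checkpoint, resumes from the checkpoint and re-handles two events, and the blob naming derived from (partition, sequence number) is what keeps the stored result free of duplicates. The partition log, checkpoint store and blob container are in-memory stand-ins and the event payloads are constructed.

```python
"""Added example (not from the page or from Microsoft): a model of checkpoint-based
Event Hubs consumption with an idempotent sink. Partition data, the checkpoint store and
Blob Storage are in-memory stand-ins; event payloads are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    partition: str
    sequence: int      # Event Hubs sequence number: unique and increasing per partition
    payload: str


class Processor:
    def __init__(self, checkpoint_every: int):
        self.checkpoint_every = checkpoint_every
        self.checkpoints = {}   # partition -> sequence of the last checkpointed event
        self.blobs = {}         # blob name -> payload (stand-in for the container)
        self.writes = 0         # every PUT, including replays after a crash

    @staticmethod
    def blob_name(ev: Event) -> str:
        # Deterministic name from (partition, sequence): a replayed event overwrites
        # the same blob, so duplicates in delivery never become duplicates in storage.
        return f"{ev.partition}/{ev.sequence:020d}.json"

    def run(self, partition_log: dict, crash_after: Optional[int] = None) -> str:
        """Resume each partition just after its checkpoint; optionally crash part-way."""
        handled = 0
        for partition, events in partition_log.items():
            start = self.checkpoints.get(partition, -1) + 1   # sequence == list index here
            for ev in events[start:]:
                self.blobs[self.blob_name(ev)] = ev.payload    # idempotent PUT
                self.writes += 1
                handled += 1
                if (ev.sequence + 1) % self.checkpoint_every == 0:
                    self.checkpoints[partition] = ev.sequence   # periodic checkpoint
                if crash_after is not None and handled >= crash_after:
                    return "crashed"                             # before the next checkpoint
        return "done"


def run_scenario() -> dict:
    log = {"0": [Event("0", i, f"reading-{i}") for i in range(7)]}   # constructed events
    p = Processor(checkpoint_every=3)
    first = p.run(log, crash_after=5)    # handles seq 0-4; only seq 2 was checkpointed
    second = p.run(log)                  # resumes at seq 3: 3 and 4 are replayed
    return {
        "first": first, "second": second,
        "writes": p.writes,              # 9 PUTs for 7 events: 2 replays
        "blobs": len(p.blobs),           # but 7 distinct blobs
        "checkpoint": p.checkpoints["0"],
    }
```

Nine writes land on seven blobs: the replayed events are absorbed by the naming scheme. If the sink instead appended to a file or generated a fresh GUID per write, the same replay would have produced two duplicate records, which is the gap the checkpoint alone does not close.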

654
Multi-Selecthard

Which TWO scenarios require the use of Azure Event Hubs over Azure Service Bus? (Choose two.)

Select 2 answers
A.Capturing event data to Azure Blob Storage for long-term retention
B.Ingesting millions of IoT device telemetry events per second
C.Processing messages in FIFO order with sessions
D.Implementing a publish-subscribe pattern with multiple subscribers
E.Dead-lettering messages that fail processing
AnswersA, B

Event Hubs Capture automatically stores events in Blob Storage.

Why this answer

Option B is correct: Event Hubs is built for high-throughput ingestion and scales to millions of events per second, far beyond what Service Bus queues are designed for. Option A is correct: Event Hubs Capture writes the event stream to Blob Storage or Data Lake Storage automatically, with no consumer code. Option C is wrong: Service Bus sessions provide FIFO, session-scoped processing.

Option D is wrong: Service Bus topics and subscriptions implement publish-subscribe. Option E is wrong: dead-lettering is a Service Bus feature; Event Hubs has no dead-letter queue.

655
MCQeasy

Your company uses Azure Logic Apps to automate workflows. A workflow must call an external REST API that requires an API key in the header. You need to securely store the API key and reference it in the Logic App without exposing it in the workflow definition. What should you do?

A.Store the API key in plain text directly in the Logic App HTTP action header.
B.Store the API key in Azure Key Vault and use the Key Vault connector to retrieve it dynamically in the Logic App.
C.Store the API key in an App Service application setting and reference it using the 'appsetting' expression.
D.Create an Azure Function with the API key hardcoded as an environment variable and call it from the Logic App.
AnswerB

This securely stores the key in Key Vault and allows the Logic App to reference it at runtime without exposing it in the definition.

Why this answer

Option B is correct because Azure Key Vault provides a secure, centralized store for secrets such as API keys, and the Logic App's Key Vault connector (authenticated with the Logic App's managed identity) retrieves the key at runtime, so the value never appears in the workflow's JSON definition or in source control. Enable secure inputs and outputs on the Get secret action and on the HTTP action that uses the key so the value is also masked in run history.

Exam trap

The trap here is that candidates reach for app settings (Option C). Consumption Logic Apps have no application settings at all; Standard Logic Apps do expose app settings through the appsetting() function, but a plain app setting still holds the key in clear text in the app configuration, so Key Vault (through the connector, or as a Key Vault reference behind the setting) remains the way to keep the key out of the definition.

How to eliminate wrong answers

Option A is wrong because storing the API key in plain text in the HTTP action header exposes it in the workflow definition and in run history, visible to anyone with read access to the Logic App. Option C is wrong because App Service application settings belong to App Service and Functions apps, not to Consumption Logic Apps, and the appsetting() function exists only in Logic Apps Standard; even there a plain setting holds the key in clear text unless it is a Key Vault reference. Option D is wrong because hardcoding the API key as an environment variable in an Azure Function still stores the secret in clear text in the Function's configuration, and calling a separate Function adds complexity and latency without improving security over using Key Vault directly.

656
MCQmedium

You deploy an Azure Function app that runs on the Consumption plan. The function writes logs to Application Insights. You notice that some log entries are missing during periods of high load. You need to ensure that all logs are captured without significantly increasing cost. What should you do?

A.Adjust the sampling rate in the Application Insights configuration to 100%.
B.Change the function app to the Premium plan to get more CPU and memory.
C.Create a separate Application Insights resource for the function app.
D.Disable sampling in the function's host.json.
AnswerA

Keeping 100% of log telemetry stops the drops; cost grows with the extra ingested volume, so exempt the telemetry types you need from sampling rather than turning sampling off globally.

Why this answer

Under load the Application Insights SDK in the function host applies adaptive sampling by default, keeping roughly 20 telemetry items per second per instance and discarding the rest, which is why trace entries disappear. For Azure Functions that Application Insights configuration lives in host.json under logging.applicationInsights.samplingSettings; bringing the effective rate for log traces to 100% (by listing Trace, and usually Exception, in excludedTypes, or by raising maxTelemetryItemsPerSecond) keeps every log entry while high-volume requests and dependencies can still be sampled. The hosting plan is irrelevant: ingestion is billed per GB, so the cost increase is bounded by the extra traces, not by compute.

Exam trap

The trap here is assuming that a bigger plan (Option B) or a separate resource (Option C) changes what gets sampled. Sampling happens in the SDK inside the function host before telemetry is sent, so the fix is a configuration change, and a blanket disable (Option D) sends everything, which is the most expensive way to get there.

How to eliminate wrong answers

Option B is wrong because upgrading to the Premium plan adds CPU and memory but does not change the sampling settings; logs would still be dropped under load. Option C is wrong because a separate Application Insights resource receives telemetry from the same SDK with the same sampling configuration, so the same entries are dropped. Option D is wrong because disabling sampling outright (samplingSettings.isEnabled = false) does capture all logs, but it also stops sampling requests, dependencies and other telemetry, so ingestion volume and cost rise far more than excluding only the trace telemetry from sampling.
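The host.json change this answer refers to, as an added example (not from the page). The defaults (isEnabled true, maxTelemetryItemsPerSecond 20, no excludedTypes) sample every telemetry type, including traces; adding excludedTypes keeps traces and exceptions unsampled while requests and dependencies are still thinned under load. Values and the function name are assumed.

```json
{
  "version": "2.0",
  "logging": {
    "applicationInsights": {
      "samplingSettings": {
        "isEnabled": true,
        "maxTelemetryItemsPerSecond": 20,
        "excludedTypes": "Trace;Exception"
      }
    },
    "logLevel": {
      "default": "Information",
      "Function.ProcessOrder": "Information"
    }
  }
}
```

Recognized type names are Dependency, Event, Exception, PageView, Request and Trace; includedTypes is the inverse control. Setting isEnabled to false is Option D from the question and is what to avoid if cost matters. Remember that sampling applies per host instance, so a Consumption app scaled to many instances emits up to maxTelemetryItemsPerSecond from each.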

657
MCQhard

You are developing a web application that relies on a third-party weather API. The API has a rate limit of 10 requests per second per API key. You need to ensure your application never exceeds this limit and also caches responses for 10 minutes to reduce call frequency. Which combination of Azure services should you implement?

A.Azure Functions with Durable Functions to throttle calls and a static in-memory cache.
B.Azure Logic Apps with a retry policy and a cache using Azure Redis Cache.
C.Azure API Management with rate-limit and caching policies.
D.Azure Traffic Manager to distribute requests and Azure Front Door for caching.
AnswerC

API Management provides out-of-the-box policies for rate limiting (by key or subscription) and caching (response cache). This is the recommended approach for controlling access to third-party APIs and improving performance.

Why this answer

Azure API Management (APIM) provides built-in policies that address both requirements: rate-limit (per subscription) or rate-limit-by-key (per arbitrary key) enforces a call quota such as 10 calls per second, and cache-lookup/cache-store cache responses for a configurable duration such as 10 minutes. Because the limit here belongs to the upstream API key shared by all callers, use rate-limit-by-key with a single shared counter key rather than a per-subscription limit, and leave some headroom: APIM counts calls per gateway instance, so enforcement across a scaled-out gateway is approximate. This removes custom throttling logic and external caching services, making it the most straightforward and maintainable solution.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing a combination of services (e.g., Functions + Redis) when Azure API Management's single, purpose-built policy set directly solves both rate limiting and caching without custom code.

How to eliminate wrong answers

Option A is wrong because Durable Functions are designed for orchestrating long-running workflows, not for fine-grained per-second rate limiting, and a static in-memory cache in a serverless function app is not shared across instances, leading to cache inconsistency and potential rate-limit breaches. Option B is wrong because Azure Logic Apps' retry policy handles transient failures but does not provide proactive rate limiting, and Azure Redis Cache, while a valid distributed cache, adds unnecessary complexity and cost when APIM's built-in caching suffices. Option D is wrong because Azure Traffic Manager distributes traffic at the DNS level for global load balancing and does not enforce per-key rate limits, and Azure Front Door's caching is for static content at the edge, not for API response caching with per-key granularity.
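The policy pair the answer describes, as an added example written for this page (not Microsoft's sample and not from the original question). It throttles all callers against one shared counter so the upstream 10 requests-per-second key is never exceeded, serves repeated lookups from cache for 600 seconds, and injects the third-party key from a named value so it never appears in the policy. The backend URL, query parameter, header name and named-value name are assumed.

```xml
<policies>
  <inbound>
    <base />
    <!-- One shared counter for every caller: at most 10 calls per 1-second window hit the upstream key -->
    <rate-limit-by-key calls="10" renewal-period="1"
        counter-key="weather-upstream-key"
        retry-after-header-name="Retry-After" />
    <!-- Return a cached response if one exists; vary only by the city being asked for -->
    <cache-lookup vary-by-developer="false" vary-by-developer-groups="false" downstream-caching-type="none">
      <vary-by-query-parameter>city</vary-by-query-parameter>
    </cache-lookup>
    <!-- Upstream API key comes from a named value (which can itself be a Key Vault reference) -->
    <set-header name="X-Api-Key" exists-action="override">
      <value>{{weather-api-key}}</value>
    </set-header>
    <set-backend-service base-url="https://api.weather.example.com" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <!-- 600 seconds = the 10-minute caching requirement -->
    <cache-store duration="600" />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

cache-lookup must sit in the inbound section and cache-store in outbound; on a cache hit the request never reaches the rate limiter's upstream call, which is what makes the two policies complementary. Callers over the limit receive HTTP 429 with the Retry-After header named above.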

658
MCQmedium

Your AKS cluster runs a microservices application. You need to expose an internal service only within the cluster virtual network. Which Service type should you use?

A.NodePort
B.Internal LoadBalancer (with annotation)
C.LoadBalancer
D.ClusterIP
AnswerB

Creates an internal load balancer accessible from the VNet.

Why this answer

Option B is correct: adding the annotation service.beta.kubernetes.io/azure-load-balancer-internal: "true" to a Service of type LoadBalancer makes AKS provision an internal Azure Load Balancer with a private frontend IP in the cluster's virtual network (or a chosen subnet), so clients elsewhere in the VNet, or connected through peering or VPN, can reach the service while nothing is exposed to the internet. Option D (ClusterIP) is the default and is reachable only from inside the cluster, not from the rest of the VNet. Option C creates a public load balancer with an internet-facing IP. Option A exposes the service on a high port of every node's IP, which is neither private by design nor a stable endpoint.
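The two manifests side by side, as an added example (not from the page): the ClusterIP form that only pods in the cluster can reach, and the internal load balancer form that the rest of the VNet can reach. The service name, selector, subnet name and ports are assumed.

```yaml
# Cluster-only: reachable through kube-dns as orders.default.svc, not from VMs in the VNet
apiVersion: v1
kind: Service
metadata:
  name: orders
spec:
  type: ClusterIP
  selector:
    app: orders
  ports:
  - port: 80
    targetPort: 8080
---
# VNet-private: AKS provisions an internal Azure Load Balancer with a private frontend IP
apiVersion: v1
kind: Service
metadata:
  name: orders-internal
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    # optional: place the frontend IP in a specific subnet of the cluster VNet
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
spec:
  type: LoadBalancer
  selector:
    app: orders
  ports:
  - port: 80
    targetPort: 8080
```

After kubectl apply, kubectl get svc orders-internal shows a private address (for example 10.240.x.x) in the EXTERNAL-IP column; the cluster identity needs Network Contributor on the subnet's VNet when the subnet is outside the node resource group. Keep a NetworkPolicy or NSG in front of it: "internal" means not internet-facing, not authenticated.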

659
MCQmedium

Your application running on Azure App Service is experiencing intermittent timeouts. You have configured Application Insights to collect telemetry. Which metric should you analyze in the Azure portal to identify the slowest dependencies?

A.Request Duration
B.Failed Requests
C.Dependency Duration
D.Availability
AnswerC

Dependency Duration shows the time spent on external service calls.

Why this answer

Option C is correct because the Dependency Duration metric in Application Insights measures how long calls to external dependencies (SQL, HTTP, Storage and so on) take; sorting dependencies by duration on the Performance blade, or querying the dependencies table, pinpoints the slow call. Option A is wrong because Request Duration is the end-to-end server time of a request and does not attribute it to any dependency. Option D is wrong because Availability measures uptime from synthetic tests, not performance.

Option B is wrong because Failed Requests counts errors, not duration.

660
MCQhard

An application uses Azure Event Hubs to ingest telemetry data. The team wants to process the data in near real-time and store aggregated results in Azure SQL Database. Which Azure service should they use?

A.Azure HDInsight
B.Azure Functions
C.Azure Stream Analytics
D.Azure Data Lake Storage Gen2
AnswerC

Stream Analytics processes streaming data and outputs to SQL Database.

Why this answer

Azure Stream Analytics is built for near real-time processing over Event Hubs input, with windowed aggregation in a SQL-like language and a native Azure SQL Database output. Option D is wrong because Data Lake Storage Gen2 stores data; it does not process it. Option A is wrong because HDInsight is a managed Hadoop/Spark cluster aimed at batch and big-data workloads and is far heavier than this scenario needs.

Option B is wrong because Functions can react to individual events but provide no built-in windowing or streaming aggregation; you would have to write and operate that logic yourself.

661
MCQmedium

You have an Azure App Service that uses a system-assigned managed identity. You need to grant it permission to read a secret from Azure Key Vault. Which RBAC role should you assign at the Key Vault scope?

A.Key Vault Reader
B.Key Vault Secrets User
C.Key Vault Contributor
D.Key Vault Certificate User
AnswerB

This role grants the data-plane permission to read secret contents (getSecret and readMetadata on secrets), the minimum the App Service needs; it applies only when the vault uses the Azure RBAC permission model rather than access policies.

Why this answer

The system-assigned managed identity needs to read a secret value. 'Key Vault Secrets User' is the least-privilege built-in data-plane role for that: its data actions are Microsoft.KeyVault/vaults/secrets/getSecret/action and Microsoft.KeyVault/vaults/secrets/readMetadata/action and nothing more. Assign it at the vault scope, or at the individual secret's scope if the app needs only one secret.

Exam trap

The trap here is that candidates often confuse 'Key Vault Reader' (a management-plane role) with the data-plane role needed to actually read secret values, or they over-provision by choosing 'Key Vault Contributor' thinking it includes read access.

How to eliminate wrong answers

Option A is wrong because 'Key Vault Reader' only allows listing vaults and reading metadata (e.g., vault properties, tags), but does not grant permission to read secret values. Option C is wrong because 'Key Vault Contributor' grants full management of the vault and its objects (including secrets, keys, certificates), which is excessive for a read-only secret access scenario and violates least-privilege principles. Option D is wrong because 'Key Vault Certificate User' only allows reading certificate contents and metadata, not secrets.

662
MCQmedium

You have an Azure Storage account with a blob container. You need to grant a user read-only access to a specific blob for 24 hours without requiring them to authenticate with Microsoft Entra ID. What should you use?

A.Generate a user delegation SAS token
B.Provide the storage account access key
C.Assign the Storage Blob Data Reader role
D.Configure a stored access policy
AnswerA

User delegation SAS uses Entra ID credentials to sign the SAS and provides granular, time-limited access.

Why this answer

A shared access signature (SAS) token signed with a user delegation key provides time-limited, delegated access to a specific blob without the recipient authenticating with Entra ID. Option B is wrong because the storage account access key grants full access to the entire account. Option C is wrong because the Storage Blob Data Reader role is an RBAC assignment and requires Entra ID authentication. Option D is wrong because a stored access policy is used to manage SAS tokens but does not itself grant access.

663
Multi-Selecteasy

Which TWO features of Azure App Service can help you reduce application downtime during deployments?

Select 2 answers
A.Continuous deployment from GitHub.
B.Traffic Manager.
C.Deployment slots.
D.Auto-heal.
E.Slot swap with auto-swap.
AnswersC, E

Slots allow staging and swap with no downtime.

Why this answer

Deployment slots (C) are a feature of Azure App Service that allow you to deploy a new version of your application to a staging slot, perform validation, and then swap it into production with zero downtime. Slot swap with auto-swap (E) automates this process, ensuring that the production slot is updated only after the staging slot is fully warmed up and ready, eliminating downtime during the transition.

Exam trap

The trap here is that candidates often confuse high-availability features like Traffic Manager or Auto-heal with deployment-specific downtime reduction, but only deployment slots and slot swap directly address zero-downtime deployments within a single App Service instance.

664
MCQmedium

You are implementing an Azure Durable Functions application that processes orders. The function must call three external APIs (payment gateway, inventory system, and shipping calculator) in parallel, then aggregate the results once all three have completed. Which Durable Functions pattern should you use?

A.Function chaining
B.Fan-out/Fan-in
C.Monitor
D.Human interaction
AnswerB

Fan-out calls multiple activity functions in parallel, and fan-in waits for all to complete before aggregating results.

Why this answer

The Fan-out/Fan-in pattern is designed exactly for this scenario: it triggers multiple function tasks in parallel (fan-out) and then aggregates their results once all complete (fan-in). In Durable Functions, this is implemented using `CallActivityAsync` in a loop with `Task.WhenAll` to wait for all parallel activities to finish, allowing the orchestrator to collect and process the combined results.

Exam trap

The trap here is that candidates may confuse 'parallel execution' with 'chaining' or 'monitoring', but the key differentiator is the need to wait for all parallel tasks to finish before aggregating results, which is the hallmark of the Fan-out/Fan-in pattern.

How to eliminate wrong answers

Option A is wrong because Function chaining executes activities sequentially, one after another, which would not achieve the required parallel API calls and would increase total execution time. Option C is wrong because the Monitor pattern is used for polling an external status or waiting for a condition to be met, not for parallel execution and aggregation of multiple independent tasks. Option D is wrong because the Human interaction pattern involves waiting for external input (e.g., approval or manual intervention), which is unrelated to parallel API calls and result aggregation.

665
Multi-Selecthard

Which THREE features of Azure Monitor can help you diagnose a performance issue in an Azure Virtual Machine?

Select 3 answers
A.Log Analytics workspace queries
B.VM Insights
C.Azure Network Watcher
D.Azure Backup reports
E.Diagnostic settings to send performance counters to Log Analytics
AnswersA, B, E

KQL queries can analyze performance data.

Why this answer

Options A, B, and E are correct. VM Insights (B) provides performance charts. Log Analytics workspace queries (A) allow deep analysis of the collected data. Diagnostic settings (E) send performance counters to Log Analytics. Option C is wrong because Network Watcher is for network issues, not VM performance. Option D is wrong because Azure Backup reports are unrelated to performance diagnosis.

666
MCQeasy

Configuration values that control whether a new checkout experience is enabled must be changeable without redeploying the App Service application. The team uses ASP.NET Core. Which Azure service provides the correct combination of runtime configuration reload and feature flag management?

A.Azure App Configuration with the feature management library enabled for ASP.NET Core
B.App Service Application Settings with the flag stored as an environment variable
C.An ARM template parameter file stored in the application's repository
D.An Azure DevOps pipeline variable referenced during the build stage
AnswerA

App Configuration's feature flags integrate with IFeatureManager in ASP.NET Core. The library polls App Configuration at a configurable interval (e.g., 30 seconds). Toggling a feature flag in the portal causes the running application to pick up the change at the next polling cycle without a restart or redeployment.

Why this answer

Azure App Configuration with the feature management library for ASP.NET Core provides a centralized, managed service that supports dynamic configuration reload without restarting the application and built-in feature flag management. The feature management library integrates with the .NET Core configuration system, allowing feature flags to be evaluated and toggled at runtime via the `IFeatureManager` interface, with automatic refresh based on a configurable cache expiration. This meets the requirement of changing the checkout experience without redeploying the App Service.

Exam trap

The trap here is that candidates often confuse App Service Application Settings (which require a restart) with Azure App Configuration (which supports dynamic reload), or they assume pipeline variables can be changed at runtime without understanding they are compile-time artifacts.

How to eliminate wrong answers

Option B is wrong because App Service Application Settings stored as environment variables require an application restart to take effect when changed, and they lack native feature flag management capabilities like gradual rollout or targeting. Option C is wrong because an ARM template parameter file stored in the repository is used for infrastructure deployment, not runtime configuration; any change would require redeploying the ARM template and the application. Option D is wrong because an Azure DevOps pipeline variable referenced during the build stage is baked into the application at build time, so changing it requires a new build and deployment, violating the 'without redeploying' requirement.

667
Matchingmedium

Match each Azure service to its primary purpose.


Concepts
Matches

NoSQL globally distributed database

Serverless compute for event-driven apps

Workflow automation and integration

Enterprise message broker with queues and topics

Event routing service for pub/sub

Why these pairings

These are core Azure services for building cloud applications.

668
Multi-Selectmedium

You are monitoring an ASP.NET Core web API with Application Insights. You want to view the SQL queries being executed, including the command text and duration, in the Application Insights portal. Which actions must you take? (Choose 2.)

Select 2 answers
A.Install the `Microsoft.ApplicationInsights.Profiler.AspNetCore` NuGet package.
B.Install the `Microsoft.ApplicationInsights.DependencyCollector` NuGet package.
C.Set `EnableSqlCommandTextInstrumentation` to `true` in the `DependencyTrackingTelemetryModule` configuration.
D.Enable adaptive sampling to ensure all SQL queries are collected.
AnswersB, C

This package collects dependency telemetry (including SQL). By default, it does not capture SQL command text; it must be enabled via configuration.

Why this answer

Option B is correct because the `Microsoft.ApplicationInsights.DependencyCollector` NuGet package is required to automatically collect dependency telemetry, including SQL Server calls. Without this package, Application Insights will not capture SQL dependency data at all. Option C is correct because even with the dependency collector installed, SQL command text is not collected by default for security reasons; you must explicitly set `EnableSqlCommandTextInstrumentation` to `true` in the `DependencyTrackingTelemetryModule` configuration to view the actual SQL queries and their duration in the portal.

Exam trap

The trap here is that candidates often assume installing the dependency collector alone is sufficient to see SQL command text, but they overlook the explicit configuration flag (`EnableSqlCommandTextInstrumentation`) required to enable that specific data collection.

669
MCQeasy

You are developing a web app that runs on Azure App Service. The app needs to read a connection string from configuration. Which is the recommended approach to access the connection string in the app code?

A.Call an HTTP endpoint on the App Service instance
B.Use Environment.GetEnvironmentVariable("SQLAZURECONNSTR_MyConn")
C.Use Azure.Identity.DefaultAzureCredential and Key Vault
D.Read from appsettings.json using IConfiguration
AnswerB

Correct: App Service prefixes connection strings with the type, and they are available as environment variables.

Why this answer

Option B is correct because Azure App Service automatically injects connection strings defined in the 'Connection strings' blade as environment variables with a specific prefix. For SQL Azure, the prefix is 'SQLAZURECONNSTR_', so the environment variable name becomes 'SQLAZURECONNSTR_MyConn'. Using Environment.GetEnvironmentVariable is the recommended way to retrieve these values at runtime, as they are securely stored and managed by the platform.

Exam trap

The trap here is that candidates often assume IConfiguration or appsettings.json is the primary source for connection strings, but Azure App Service overrides these with environment variables when connection strings are configured in the portal, and the exam expects you to know the specific prefix-based environment variable naming convention.

How to eliminate wrong answers

Option A is wrong because there is no standard HTTP endpoint on an App Service instance that exposes connection strings; this approach is not supported and would require custom implementation. Option C is wrong because while Azure.Identity.DefaultAzureCredential and Key Vault are valid for secrets, they are not the recommended approach for App Service connection strings—App Service already manages them securely via environment variables, and using Key Vault adds unnecessary complexity and latency for this specific scenario. Option D is wrong because reading from appsettings.json using IConfiguration would only work for connection strings hardcoded in the file, not for those configured in the App Service portal; the portal-defined connection strings override appsettings.json values and are injected as environment variables, not into the IConfiguration pipeline by default.

670
MCQeasy

You are developing a solution that requires multiple Azure virtual machines to access the same set of files concurrently. The files are updated frequently and must be accessible with low latency. You need to choose a shared storage solution that integrates with Microsoft Entra ID for authentication. Which Azure storage solution should you use?

A.Azure Blob Storage with a private container.
B.Azure NetApp Files.
C.Azure Files shares.
D.Azure Disk Storage with shared disks.
AnswerC

Azure Files provides fully managed SMB and NFS file shares that can be accessed by multiple VMs concurrently. It supports Microsoft Entra ID-based authentication and authorization, making it ideal for shared file access.

Why this answer

Azure Files shares provide fully managed SMB and NFS file shares that can be accessed concurrently by multiple Azure VMs with low latency. They support identity-based authentication using Microsoft Entra ID (formerly Azure AD) over SMB, enabling granular access control via RBAC and NTFS ACLs. This makes Azure Files the correct choice for a shared, frequently updated file store requiring Entra ID integration.

Exam trap

The trap here is that candidates often confuse Azure NetApp Files (which supports SMB/NFS but not native Entra ID auth) with Azure Files (which does support Entra ID auth), or they mistakenly think Blob Storage can serve as a file share with low-latency concurrent access.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage with a private container is an object storage solution, not a file system; it does not support SMB/NFS protocols for concurrent VM file access and lacks native Microsoft Entra ID authentication for file-level operations. Option B is wrong because Azure NetApp Files, while providing high-performance shared file storage, does not natively integrate with Microsoft Entra ID for authentication; it relies on Active Directory Domain Services (AD DS) or LDAP, not Entra ID. Option D is wrong because Azure Disk Storage with shared disks is a block-level storage solution that requires cluster-aware file systems (e.g., Scale-out File Server) and does not support Microsoft Entra ID authentication; it is designed for SAN-like scenarios, not direct file sharing with identity-based access.

671
MCQmedium

Your company stores secrets in Azure Key Vault. You need to ensure that when a secret is disabled, it does not become accessible to applications that already have a cached copy. Which additional step must you take?

A.Rotate the secret immediately
B.Delete the secret
C.Enable soft-delete and purge protection
D.Use Key Vault access policies to deny access
AnswerA

Rotating changes the secret value, thus invalidating any cached copies held by applications.

Why this answer

When a secret is disabled in Azure Key Vault, the vault itself will reject new access requests, but applications that have already retrieved and cached the secret can continue using it until the cache expires or is refreshed. To immediately invalidate the cached copy, you must rotate the secret (change its value) so that any subsequent attempt to use the old cached value fails because it no longer matches the secret stored in Key Vault. Disabling alone does not force applications to re-authenticate or re-fetch; rotation ensures the cached value becomes obsolete.

Exam trap

The trap here is that candidates assume disabling a secret immediately revokes all access, but they overlook the fact that applications may hold a cached copy that remains valid until the cache expires or the secret is rotated.

How to eliminate wrong answers

Option B is wrong because deleting the secret removes it permanently (or moves it to a soft-deleted state), but applications with a cached copy can still use the old value until they attempt to retrieve it again; deletion does not actively invalidate the cache. Option C is wrong because enabling soft-delete and purge protection only prevents accidental or malicious permanent deletion of secrets; it does not affect cached copies held by applications. Option D is wrong because Key Vault access policies control who can read or modify secrets, but they do not retroactively invalidate secrets already cached by authorized applications; once a secret is fetched, the cached copy remains usable regardless of policy changes.

672
MCQmedium

An Azure Functions image resize worker must run for up to 30 minutes and uses a VNet integration feature. The team wants serverless scaling without managing virtual machines. Which hosting plan should be used?

A.App Service Free tier
B.Premium plan
C.Azure Batch pool
D.Consumption plan
AnswerB

The Premium plan supports longer execution duration, VNet integration, pre-warmed instances, and serverless scale.

Why this answer

The Premium plan is correct because it supports VNet integration, allows execution for up to 30 minutes (unlimited execution duration), and provides serverless scaling without managing virtual machines. The Consumption plan has a 10-minute timeout and lacks VNet integration for all triggers, while the Premium plan offers these features with pre-warmed instances and dedicated compute resources.

Exam trap

The trap here is that candidates often assume the Consumption plan supports VNet integration for all triggers and has a flexible timeout, but in reality, VNet integration is limited to Premium and Dedicated plans, and Consumption has a hard 10-minute timeout.

How to eliminate wrong answers

Option A is wrong because the App Service Free tier does not support VNet integration and has strict resource limits, making it unsuitable for a long-running image resize worker. Option C is wrong because Azure Batch pool requires managing virtual machines and a job scheduler, not serverless scaling without VM management. Option D is wrong because the Consumption plan has a maximum execution timeout of 10 minutes (260 seconds for HTTP triggers) and does not support VNet integration for all trigger types, failing the 30-minute requirement.

673
MCQmedium

Audit logs are written daily as block blobs to an Azure Storage account. Logs older than 90 days must move to Cool tier automatically; logs older than 365 days must be deleted. The developer wants to implement this with no custom code and no recurring jobs. What is the correct solution?

A.Create a lifecycle management policy with two rules: tier to Cool after 90 days and delete after 365 days
B.Write an Azure Function with a Timer trigger that lists all blobs, checks last-modified dates, and tiers or deletes them via the SDK
C.Enable Blob versioning and set a version retention policy of 365 days
D.Configure a Logic App with a Recurrence trigger to enumerate and process blobs weekly
AnswerA

Lifecycle management policies are evaluated nightly by Azure. The two rules (tier after 90 days, delete after 365 days) are declared in JSON and applied to blobs matching the prefix filter. No code is required — the storage service acts on them automatically.

Why this answer

Azure Blob Storage lifecycle management policies allow you to automate tier transitions and deletions based on blob age, without any custom code or recurring jobs. By defining a rule to tier blobs to Cool after 90 days and another rule to delete blobs after 365 days, the developer meets all requirements with a fully managed, no-code solution.

Exam trap

The trap here is that candidates may overlook the 'no custom code and no recurring jobs' constraint and choose a serverless compute option (Azure Function or Logic App) instead of the built-in lifecycle management policy, which is the only fully managed, no-code solution.

How to eliminate wrong answers

Option B is wrong because it requires custom code (Azure Function with Timer trigger) and a recurring job, violating the 'no custom code and no recurring jobs' constraint. Option C is wrong because Blob versioning with a retention policy only manages versions, not the base blobs, and it does not support tiering to Cool; it only retains or deletes versions, not the original blobs. Option D is wrong because a Logic App with a Recurrence trigger is a recurring job that requires custom logic to enumerate and process blobs, again violating the no-code and no-recurring-jobs requirement.

674
MCQmedium

A company uses Azure Blob Storage to store sensitive documents. They want to ensure that data is encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. They also need to be able to revoke access to the data immediately if a security breach is detected. Which feature should they enable?

A.Configure Azure Storage encryption with customer-managed keys in Azure Key Vault and enable soft delete and purge protection.
B.Enable infrastructure encryption for the storage account.
C.Use Azure Storage Service Encryption with Microsoft-managed keys.
D.Implement client-side encryption using Azure Key Vault.
AnswerA

With CMK, revoking the key in Key Vault immediately makes the data inaccessible.

Why this answer

Option A is correct because configuring storage encryption with customer-managed keys in Azure Key Vault means that revoking or disabling the key in Key Vault renders the data inaccessible, while soft delete and purge protection guard the key itself against accidental deletion. Option B is wrong because infrastructure encryption uses platform-managed keys, not CMK. Option C is wrong because storage service encryption uses Microsoft-managed keys by default, so the customer cannot revoke them. Option D is wrong because client-side encryption is performed by the client, not server-side, and does not address encryption at rest within the storage service.

675
Multi-Selecthard

Which TWO options are valid ways to scale an Azure Functions app running on the Premium plan?

Select 2 answers
A.Disable scale-to-zero to keep instances always warm.
B.Configure pre-warmed instances to reduce cold start.
C.Set minimum and maximum instance counts.
D.Scale out based on the length of a storage queue.
E.Set the scale mode to 'Automatic' with no configuration.
AnswersB, C

Pre-warmed instances are a Premium feature.

Why this answer

Option B is correct because pre-warmed instances in the Premium plan reduce cold start latency by keeping a specified number of instances always loaded and ready to handle requests. Option C is correct because the Premium plan allows you to set both minimum and maximum instance counts, giving you control over baseline capacity and scaling limits. These settings are configured in the function app's scale settings and are not available in the Consumption plan.

Exam trap

The trap here is that candidates confuse the Premium plan's scaling capabilities with the Consumption plan's, mistakenly thinking that options like disabling scale-to-zero or configuring queue-length-based scaling rules are directly configurable in the Premium plan, when in fact the Premium plan's scaling is automatic and only allows setting min/max instance counts and pre-warmed instances.
