CCNA Connect to and consume Azure services and third-party services Questions

75 of 266 questions · Page 2/4 · Connect to and consume Azure services and third-party services · Answers revealed

76
MCQmedium

You are deploying a microservices application to Azure Kubernetes Service (AKS). One service needs to retrieve configuration values from Azure App Configuration. The configuration includes sensitive values that must be stored in Azure Key Vault. The solution should not require application code changes to reference Key Vault. What should you use?

A.Store the configuration values as Key Vault references in Azure App Configuration.
B.Use Azure AD managed identity to access Key Vault directly from the service.
C.Store the secrets in Kubernetes Secrets and mount them as environment variables.
D.Use the Azure Key Vault SDK directly in the service to retrieve secrets.
AnswerA

Key Vault references are resolved by App Configuration automatically.

Why this answer

Azure App Configuration has a Key Vault references feature that allows you to store references to secrets in Key Vault. The application retrieves configuration normally, and App Configuration resolves the reference by fetching the secret from Key Vault. Option A is correct.

Option B is incorrect because direct Key Vault SDK calls require code changes. Option C is incorrect because Kubernetes Secrets do not integrate with Key Vault natively. Option D is incorrect because managed identity alone does not automatically resolve references.

77
MCQeasy

A developer needs to store session state for a web app that runs on multiple instances behind a load balancer. The state must be persisted across restarts. Which Azure service should they use?

A.Azure Table Storage
B.Azure SQL Database
C.Azure Blob Storage
D.Azure Cache for Redis
AnswerD

Fast, distributed, supports session state providers.

Why this answer

Azure Cache for Redis (option B) provides a distributed cache for session state. Azure Table Storage (A) is slower. Azure Blob Storage (C) is not designed for session state.

Azure SQL Database (D) is overkill and slower.

78
MCQmedium

A company uses Azure Functions with an HTTP trigger and Azure Cosmos DB. They need to securely store connection strings for Cosmos DB and rotate them automatically every 90 days. Which service should they use?

A.Azure Key Vault
B.Managed Identity
C.Azure App Configuration
D.Microsoft Entra ID
AnswerA

Key Vault securely stores secrets and supports automatic rotation.

Why this answer

Azure Key Vault is the correct choice for storing secrets like connection strings and supports automatic rotation. Option A is wrong because App Configuration is for feature flags and configuration settings, not secret rotation. Option B is wrong because Managed Identity provides identity but not secret rotation.

Option D is wrong because Azure AD is for authentication and authorization, not secret management.

79
MCQmedium

Your application uses Azure Cosmos DB for NoSQL. You need to query items by a property that is not the partition key. The container has 10,000 RU/s. How can you optimize this query to minimize cost and latency?

A.Increase the RU/s to handle cross-partition queries.
B.Create a composite index that includes the property and the partition key.
C.Change the partition key to the property you query on.
D.Enable analytical store and use Synapse Link.
AnswerB

Allows efficient query without full scan.

Why this answer

Option B is correct because creating a composite index on the property and the partition key allows the query to be efficient without a full cross-partition scan. Option A is wrong because changing the partition key is a breaking change. Option C is wrong because increasing RU/s does not solve the indexing issue.

Option D is wrong because enabling analytical store is for analytical queries, not transactional.

80
MCQmedium

You are implementing a custom API that calls a downstream API secured with OAuth 2.0. The downstream API requires a client credentials grant flow. You need to securely store the client secret and obtain an access token. What should you use?

A.Azure App Configuration to store the secret and the Azure Identity SDK to obtain the token
B.Managed identity to access the downstream API directly
C.Azure Key Vault to store the secret and MSAL to obtain the token
D.Azure Certificate Manager to store the secret and the HttpClient to obtain the token
AnswerC

Key Vault securely stores secrets; MSAL obtains tokens using client credentials flow.

Why this answer

Option B is correct because Azure Key Vault securely stores the client secret, and the Microsoft Authentication Library (MSAL) can be used to obtain an access token using the client credentials flow. Option A is wrong because App Configuration is for feature flags and configuration, not for secrets. Option C is wrong because managed identity is for Azure resources, but the downstream API may not support managed identity authentication; client credentials flow requires a client secret.

Option D is wrong because Certificate Manager is not an Azure service.

81
Multi-Selectmedium

Which THREE services can be used to implement a pub/sub messaging pattern in Azure?

Select 3 answers
A.Azure Service Bus Topics
B.Azure Notification Hubs
C.Azure Queue Storage
D.Azure Event Grid
E.Azure Event Hubs
AnswersA, D, E

Topics support multiple subscribers.

Why this answer

Options B, C, and E are correct. Service Bus Topics, Event Grid, and Event Hubs support pub/sub. Option A is wrong because Queue Storage is point-to-point.

Option D is wrong because Notification Hubs is for push notifications.

82
MCQhard

A system receives high-volume event notifications from Azure resources and routes them to serverless handlers. Events are lightweight and should use native event routing. Which service should be used? The design must avoid adding custom operational scripts.

A.Azure DNS
B.Azure Event Grid
C.Azure Files
D.Azure Service Bus queue
AnswerB

Event Grid is designed for reactive event routing from Azure services and custom publishers.

Why this answer

Azure Event Grid is a fully managed event routing service that uses a publish-subscribe model to deliver lightweight, high-volume events from Azure resources to registered handlers like Azure Functions or webhooks. It supports native event routing without requiring custom polling scripts or infrastructure, making it ideal for serverless event-driven architectures.

Exam trap

The trap here is that candidates often confuse Azure Event Grid with Azure Service Bus, but Event Grid is designed for reactive event routing (push model) with no need for polling or custom scripts, whereas Service Bus is for message queuing with explicit consumer processing.

How to eliminate wrong answers

Option A is wrong because Azure DNS is a domain name resolution service that translates domain names to IP addresses; it does not route events or handle event notifications. Option C is wrong because Azure Files provides fully managed file shares in the cloud, used for storing and accessing files via SMB or NFS protocols, not for event routing. Option D is wrong because Azure Service Bus queue is a message broker designed for reliable, ordered message delivery with features like sessions and transactions, but it requires custom polling or message processing logic and is not optimized for lightweight, native event routing without operational scripts.

83
MCQeasy

A company uses Azure Service Bus to decouple microservices. They need to ensure that messages are processed in the order they are received, and that each message is handled by exactly one consumer instance even when the system scales out. Which feature should they enable?

A.Sessions
B.Topics
C.Dead-letter queue
D.Duplicate detection
AnswerA

Correct. Sessions enable FIFO and lock a session to one consumer at a time, ensuring ordered and single-consumer processing.

Why this answer

Sessions in Azure Service Bus enforce first-in-first-out (FIFO) ordering and guarantee that all messages with the same session ID are processed by a single consumer instance. This ensures strict message ordering and exactly-once processing per session, even when multiple consumers are scaled out. Without sessions, competing consumers would break ordering because messages could be processed by different instances concurrently.

Exam trap

The trap here is that candidates often confuse topics (which support multiple subscribers) with the need for ordering and single-consumer processing, overlooking that sessions are the specific feature designed for FIFO and exclusive consumption in a competing-consumers pattern.

How to eliminate wrong answers

Option B (Topics) is wrong because topics implement a publish/subscribe pattern where each subscription receives a copy of every message, allowing multiple consumers to process the same message, which violates the 'exactly one consumer' requirement. Option C (Dead-letter queue) is wrong because dead-letter queues are used to hold messages that cannot be processed normally (e.g., due to exceeding max delivery count or TTL), not to enforce ordering or single-consumer processing. Option D (Duplicate detection) is wrong because duplicate detection prevents duplicate message delivery within a specified time window but does not guarantee message ordering or ensure single-consumer processing.

84
MCQmedium

You are configuring an Azure Event Grid subscription to trigger an Azure Function when a blob is created in a storage account. However, the function is not being triggered. You have verified that the function endpoint is reachable and the storage account is in the same region. What is the most likely cause?

A.The storage account has public network access disabled.
B.The AzureWebJobsStorage connection string is missing from the function app settings.
C.Blob versioning is not enabled on the storage account.
D.The Event Grid subscription does not have the required RBAC role on the function.
AnswerD

Event Grid requires the 'EventGrid Data Sender' role on the function endpoint to invoke it.

Why this answer

Option C is correct because Event Grid requires explicit permission to invoke the function endpoint. If the Event Grid subscription's managed identity or service principal does not have the 'EventGrid Data Sender' role on the function, the invocation will fail silently. Option A is wrong because Event Grid can trigger functions even with public network access disabled as long as private endpoints are configured.

Option B is wrong because the AzureWebJobsStorage connection string is for function runtime storage, not for Event Grid triggers. Option D is wrong because blob versioning is not required for Event Grid triggers.

85
MCQmedium

Your company uses Azure Blob Storage to store sensitive documents. You need to ensure that all access to the storage account is encrypted in transit and that clients must use TLS 1.2 or higher. Which configuration should you enforce?

A.Use a private endpoint for the storage account.
B.Set the 'Minimum TLS version' to 1.2 in the storage account's configuration.
C.Configure network rules to allow only from trusted IPs.
D.Enable 'Secure transfer required' (HTTPS only).
AnswerB

Enforces TLS 1.2 or higher.

Why this answer

Option B is correct because the 'Minimum TLS version' property on the storage account enforces TLS 1.2 for all requests. Option A is wrong because HTTPS-only is already default but doesn't enforce TLS version. Option C is wrong because firewall rules control network access, not encryption.

Option D is wrong because private endpoint ensures private connectivity but not TLS version.

86
MCQmedium

Refer to the exhibit. The APIM policy is applied to an API. What is the effect of this policy?

A.Each subscription can make up to 10 calls per minute.
B.Each subscription can make up to 10 calls total.
C.Each IP address can make up to 10 calls per minute.
D.All calls from a single IP are blocked after 10 requests.
AnswerA

The rate-limit policy with calls='10' and renewal-period='60' limits to 10 calls per 60 seconds (1 minute) per subscription.

Why this answer

Option A is correct. The policy limits each subscription to 10 calls per 60 seconds. Option B is wrong because the policy applies to all operations; Option C is wrong because it doesn't limit total calls; Option D is wrong because it doesn't block IPs.

87
MCQeasy

A developer is building a solution that sends emails via SendGrid from Azure. Which Azure service should they use to integrate with SendGrid?

A.Azure Logic Apps
B.Azure API Management
C.Azure Functions
D.Azure Event Grid
AnswerA

Logic Apps has a built-in SendGrid connector.

Why this answer

Azure Logic Apps provides connectors for SendGrid, making it easy to send emails. Option B is wrong because API Management is for managing APIs, not direct integration. Option C is wrong because Event Grid is for event routing.

Option D is wrong because Functions can be used but require custom code; Logic Apps are simpler for this scenario.

88
MCQmedium

You are building an Azure Logic App that must call an external API secured with OAuth 2.0 Client Credentials flow. The external API is registered in a different Microsoft Entra ID tenant. You need to obtain an access token and add it to the request headers. Which action and authentication configuration should you use?

A.Use the HTTP action with Managed Identity authentication.
B.Use the HTTP + Swagger connector to import the API definition.
C.Use the HTTP action with Active Directory OAuth authentication, providing the tenant ID, client ID, and client secret.
D.Use the Azure Key Vault - Get secret action to retrieve a token.
AnswerC

This configuration allows the Logic App to obtain a token using Client Credentials flow and attach it to the request, even for a different tenant.

Why this answer

Option C is correct because the HTTP action's Active Directory OAuth authentication type directly supports the OAuth 2.0 Client Credentials flow for cross-tenant scenarios. By providing the tenant ID, client ID, and client secret, the Logic App runtime can obtain an access token from the external tenant's token endpoint and automatically inject it into the Authorization header as a Bearer token. This is the only built-in authentication option in the HTTP action that handles the client credentials grant without custom code.

Exam trap

The trap here is that candidates often confuse Managed Identity with cross-tenant authentication, assuming it works across tenants, when in fact Managed Identity is strictly scoped to the resource's home tenant.

How to eliminate wrong answers

Option A is wrong because Managed Identity authentication only works within the same tenant as the Logic App; it cannot be used to obtain tokens from a different Microsoft Entra ID tenant. Option B is wrong because the HTTP + Swagger connector is used to import an API definition for design-time validation and does not provide any OAuth 2.0 Client Credentials token acquisition capability. Option D is wrong because the Azure Key Vault - Get secret action retrieves a stored secret (like a client secret) but does not perform the OAuth 2.0 token exchange; you would still need a separate action to call the token endpoint and construct the Bearer token.

89
MCQmedium

Your company has a set of REST APIs that are exposed through Azure API Management (APIM). One of the backend APIs is secured and requires an OAuth 2.0 access token from Microsoft Entra ID. The APIM instance has a system-assigned managed identity with permissions to request tokens for the backend API's scope. You need to configure APIM to automatically obtain a token and pass it to the backend API when requests come in. What should you do?

A.Add a set-backend-service policy with the authentication-managed-identity attribute
B.Configure the backend API's subscription key in policy
C.Use a validate-jwt policy to check incoming token
D.Create a named value with the token and reference it in policy
AnswerA

This policy automatically obtains a token using the managed identity and passes it to the backend as an Authorization header.

Why this answer

Option A is correct because the `set-backend-service` policy with the `authentication-managed-identity` attribute allows APIM to use its system-assigned managed identity to obtain an OAuth 2.0 access token from Microsoft Entra ID for the specified backend API scope. This token is automatically attached to the backend request as an Authorization header, enabling secure access without manual token management.

Exam trap

The trap here is that candidates confuse `validate-jwt` (which checks client tokens) with the need to obtain a new token for the backend, or they assume a static token stored in a named value is sufficient, ignoring the dynamic nature of OAuth 2.0 token expiry and managed identity capabilities.

How to eliminate wrong answers

Option B is wrong because subscription keys are used for APIM-level authentication and rate limiting, not for obtaining OAuth 2.0 tokens for backend APIs. Option C is wrong because `validate-jwt` only validates an incoming token from the client; it does not obtain or attach a token for the backend. Option D is wrong because named values store static secrets or configuration strings, not dynamically obtained tokens; manually storing a token would require frequent updates and defeats the purpose of managed identity.

90
MCQhard

A company has an Azure App Service web app that reads from Azure Blob Storage. The app uses a connection string stored in app settings. Recently, the storage account key was rotated, and the app started throwing authentication errors. What should the developer do to resolve this issue without redeploying the app?

A.Change the app to use managed identity
B.Rotate the storage account key again
C.Update the connection string in the app settings to use the new key
D.Restart the app service
AnswerC

Updating the app settings will automatically restart the app with the new connection string.

Why this answer

Option D is correct because updating the connection string in the App Service app settings will take effect without redeployment (the app is restarted). Option A (update the key in the storage account) does not update the connection string; Option B (use managed identity) would require code changes; Option C (restart the app) would not fix the connection string.

91
MCQeasy

You are building an Azure Logic App that needs to call an external REST API. The API requires an API key to be passed in the 'X-API-Key' header. You have stored the API key as a secret in Azure Key Vault. The Logic App uses a managed identity that has read access to the Key Vault secret. You want to retrieve the API key securely at runtime and include it in the HTTP request. Which approach should you use?

A.Add a 'Get secret' action from Key Vault to retrieve the secret, then use the 'HTTP' action and set the 'X-API-Key' header to the secret value using a dynamic expression.
B.Configure the HTTP action to use managed identity authentication and set the 'Audience' to the Key Vault URL. This will automatically pass the API key as the Authorization header.
C.Store the API key in an Azure App Service application setting and reference it from the Logic App using the 'appsetting' function.
D.Use the 'Invoke an HTTP endpoint' action with Application Insights dependency tracking enabled. The API key is automatically logged by Application Insights.
AnswerA

This is the correct approach. The Logic App can use a managed identity to authenticate to Key Vault, retrieve the secret via the 'Get secret' action, and then use that value in the HTTP request header.

Why this answer

Option A is correct because it uses the native 'Get secret' action from Azure Key Vault to securely retrieve the API key at runtime, leveraging the Logic App's managed identity for authentication. The secret value can then be dynamically injected into the 'X-API-Key' header of the subsequent HTTP action using an expression like `@{outputs('Get_secret')?['value']}`. This approach follows the principle of least privilege and avoids hardcoding secrets or exposing them in configuration.

Exam trap

The trap here is that candidates may confuse managed identity authentication on an HTTP action (which is for authenticating to the target API) with the mechanism to retrieve secrets from Key Vault, leading them to incorrectly select Option B.

How to eliminate wrong answers

Option B is wrong because managed identity authentication on an HTTP action is used to authenticate the Logic App to the target API (e.g., using OAuth 2.0), not to retrieve a secret from Key Vault; setting the 'Audience' to the Key Vault URL would attempt to authenticate to Key Vault, not pass the API key in the header. Option C is wrong because Azure App Service application settings are not accessible from a Logic App via the 'appsetting' function; that function is specific to Azure Functions and App Service code, not Logic App workflow expressions. Option D is wrong because the 'Invoke an HTTP endpoint' action with Application Insights dependency tracking does not automatically retrieve or inject API keys; it only enables telemetry logging of the HTTP call, and the API key would still need to be manually provided and could be exposed in logs.

92
Multi-Selecthard

Which TWO are best practices for securing an Azure API Management instance?

Select 2 answers
A.Expose the management endpoint publicly for easy configuration
B.Require subscription keys for all APIs
C.Set rate limits to prevent brute force attacks
D.Use OAuth 2.0 with Azure AD to authenticate API consumers
E.Share API keys with partners via email
AnswersB, D

Subscription keys provide a basic level of access control.

Why this answer

Options A and D are correct. Using subscription keys and OAuth 2.0 are best practices. Option B is wrong because sharing keys is insecure.

Option C is wrong because public endpoints are not recommended. Option E is wrong because rate limiting is for throttling, not security.

93
MCQhard

A microservices application deployed on Azure Kubernetes Service (AKS) needs to securely store and retrieve configuration settings. The configuration should be updated without redeploying containers. Which Azure service should be used?

A.Azure App Configuration
B.Azure Cosmos DB
C.Azure Key Vault
D.Azure Blob Storage
AnswerA

Azure App Configuration is a managed service for centralizing application configuration and feature flags, supporting dynamic updates.

Why this answer

Option D is correct because Azure App Configuration is designed for dynamic configuration management and supports feature flags, which can be updated without redeployment. Option A (Key Vault) is for secrets, not general configuration; Option B (Cosmos DB) is a database; Option C (Blob Storage) is for unstructured data, but not optimized for configuration.

94
MCQeasy

You are developing an app that processes orders. When an order is placed, you need to send a confirmation email and update an inventory database. The email service may be slow but must not delay the order processing. Which approach should you use?

A.Scale out the email service to handle the load.
B.Send the email asynchronously via a queue (e.g., Azure Queue Storage).
C.Use Azure Event Grid to trigger the email.
D.Call the email service synchronously and wait for the response.
AnswerB

Decouples slow email service from order processing.

Why this answer

Option A is correct because queuing the email send decouples the email service from the order processing, allowing the inventory update to proceed immediately. Option B is wrong because synchronous calls would block the order processing. Option C is wrong because the email service is external and cannot be scaled by your app.

Option D is wrong because Event Grid is for event-driven architectures but does not provide a queue for work items.

95
MCQmedium

A web app uses Azure Key Vault to store secrets. The app runs in a production environment and needs to authenticate to Key Vault without storing connection strings in configuration files. Which authentication method should be used?

A.Client secret stored in app settings
B.Managed identity
C.Storage account access keys
D.Certificate stored in Key Vault
AnswerB

Managed identity provides an automatically managed identity for the app to authenticate to Key Vault without secrets.

Why this answer

Option B is correct because managed identities allow Azure resources to authenticate to Azure services (like Key Vault) without storing credentials in code or config. Option A (client secret) requires storing a secret, violating the requirement; Option C (certificate) also requires managing certificates; Option D (access keys) is for storage accounts, not Key Vault.

96
MCQmedium

Three analytics pipelines each need to read every event from the same Azure Event Hub: one pipeline archives events to cold storage, one computes real-time aggregations, and one feeds a machine learning model. How should the developer configure Event Hubs to allow all three to consume independently without interfering with each other?

A.Create a separate consumer group for each pipeline; each group tracks its own offset independently
B.Create three separate Event Hubs in the same namespace and replicate events between them with Event Hubs Capture
C.Use a single consumer group and route events to different pipelines by partition key prefix
D.Enable Event Hubs Capture for all three pipelines so they read from the captured Avro files in storage instead of the Event Hub directly
AnswerA

With three consumer groups, each pipeline reads the full stream from its own position. The archiving pipeline, aggregation pipeline, and ML pipeline each checkpoint independently. If one falls behind or restarts, it resumes from its own saved offset without disturbing the others.

Why this answer

A is correct because each consumer group in Event Hubs maintains its own independent offset and checkpoint, allowing multiple consumers to read the same event stream without interfering. By creating a separate consumer group for each pipeline (archival, real-time aggregation, ML), each pipeline can process events at its own pace and from its own position in the stream, ensuring no consumer's progress affects another.

Exam trap

The trap here is that candidates often confuse consumer groups with partitions, thinking that multiple consumers must use different partitions to avoid interference, but partitions are for scaling throughput, not for independent offset tracking—consumer groups are the correct abstraction for independent consumption.

How to eliminate wrong answers

Option B is wrong because creating three separate Event Hubs and replicating events between them is unnecessary overhead and does not solve the independent consumption requirement; each pipeline would still need its own consumer group within each hub, and replication introduces latency and complexity. Option C is wrong because using a single consumer group forces all pipelines to share the same offset, meaning one pipeline's consumption progress (e.g., fast real-time aggregation) would advance the offset, causing other pipelines (e.g., slower archival) to miss events. Option D is wrong because Event Hubs Capture writes events to Azure Blob Storage or Data Lake Store in Avro format, but it is a one-way archival feature, not a mechanism for multiple independent consumers; pipelines would still need to read from the Event Hub directly for real-time processing, and Capture does not provide independent offset tracking.

97
MCQhard

Refer to the exhibit. You deploy the ARM template to create an Azure Key Vault. After deployment, you attempt to add an access policy to grant a user 'Get' secret permissions using the Azure portal, but the option is grayed out. What is the most likely reason?

A.The vault is disabled due to 'enableSoftDelete'
B.The property 'enabledForDeployment' is set to false
C.Soft delete is enabled, which prevents access policy changes
D.RBAC authorization is enabled, so access policies are not used
AnswerD

With RBAC authorization, permissions are managed via RBAC roles, not access policies.

Why this answer

The property 'enableRbacAuthorization' is set to true, which means the Key Vault uses Azure RBAC for authorization instead of access policies. The access policies tab is disabled. Option A is wrong because soft delete does not affect access policies.

Option B is wrong because the vault is enabled. Option C is wrong because 'enabledForDeployment' is for Azure VMs, not access policies.

98
Multi-Selecthard

A function consumes messages from Azure Service Bus. Which two settings help handle transient failures safely? The design must avoid adding custom operational scripts.

Select 2 answers
A.Configure max delivery count with a dead-letter queue
B.Make message processing idempotent
C.Disable lock renewal for long processing
D.Use anonymous sender access
AnswersA, B

Dead-lettering isolates messages after repeated delivery failures.

Why this answer

Option A is correct because configuring a max delivery count with a dead-letter queue allows the system to automatically move a message to the dead-letter queue after a specified number of failed delivery attempts. This prevents poison messages from being retried indefinitely, handling transient failures safely without custom scripts. Option B is correct because idempotent message processing ensures that if a message is processed more than once due to transient failures or retries, the system state remains consistent, avoiding duplicate side effects.

Exam trap

The trap here is that candidates often confuse disabling lock renewal as a way to handle long processing times, but it actually causes message abandonment and reprocessing, not safe transient failure handling.

99
MCQmedium

Tailwind Traders uses Azure Logic Apps to orchestrate a multi-step business process. The workflow must call an external REST API that requires OAuth 2.0 authentication. The API is registered in Microsoft Entra ID. The Logic App must authenticate using a system-assigned managed identity. The API's app registration has been configured to accept tokens from the managed identity. Which connector should the team use in the Logic App to call the API, and how should they configure authentication?

A.Use the HTTP connector. In the connector's authentication settings, choose 'Managed Identity' and select the system-assigned identity. Set the audience to the API's Application ID URI.
B.Use the HTTP connector with 'Active Directory OAuth' authentication. Provide the client ID and client secret of a service principal.
C.Use the custom connector. In the custom connector's authentication, choose 'Managed Identity' and provide the managed identity's principal ID.
D.Use the Azure API Management connector. Configure it to use OAuth 2.0 with the managed identity.
AnswerA

Correct: HTTP connector supports managed identity authentication.

Why this answer

Use the HTTP connector with 'Managed Identity' authentication type. Select the system-assigned identity. Option A is correct.

Option B uses 'Active Directory OAuth' which requires client credentials. Option C uses API Management, unnecessary. Option D uses custom connector, overkill.

100
Multi-Selecthard

Which THREE Azure services can be used to trigger an Azure Function when a new blob is uploaded to a storage account?

Select 3 answers
A.Azure Service Bus queue
B.Azure Logic Apps
C.Azure Blob Storage trigger (Event Grid based)
D.Azure Event Hubs
E.Azure Event Grid
AnswersC, D, E

The Blob Storage trigger uses Event Grid to notify the function.

Why this answer

Blob Storage trigger (Event Grid), Event Grid directly, and Event Hubs can all be used. Service Bus is not designed for blob events. Logic Apps is a different service that can trigger functions but is not a standalone trigger service.

101
MCQmedium

You are reviewing an Azure Policy definition that applies to storage accounts. The policy has an effect of 'deny' and specifies network ACLs. What is the intended behavior of this policy?

A.Allow all storage accounts to be created regardless of network rules
B.Deny all traffic to storage accounts
C.Deny creation of storage accounts that do not have a virtual network rule allowing vnet1 and default action set to Deny
D.Allow only traffic from the specified virtual network
AnswerC

The policy denies any storage account that does not meet the network ACL conditions.

Why this answer

Option A is correct. The policy denies storage accounts that do not have the specified virtual network rule and default action Deny. Option B is wrong because it allows all networks.

Option C is wrong because it denies all traffic. Option D is wrong because it only allows traffic from vnet1.

102
MCQhard

You are developing a microservices-based application deployed to Azure Kubernetes Service (AKS). One of the microservices needs to securely retrieve secrets (e.g., database connection strings) from Azure Key Vault. The application uses managed identity for authentication. You need to implement a solution that meets the following requirements: 1) The microservice should retrieve secrets from Key Vault without storing any credentials in the application code or configuration files. 2) The solution must support automatic rotation of secrets without application restart. 3) The solution should minimize latency and avoid direct calls to Key Vault on every request. 4) The application is written in .NET 8 and uses the Azure SDK. What should you do?

A.Store the connection string in an environment variable in the AKS pod spec and update the variable when the secret rotates.
B.Generate a client certificate in Key Vault and mount it as a volume in the AKS pod. Use the certificate to authenticate to Key Vault and retrieve secrets on each request.
C.Use the Azure Key Vault Secrets provider for the .NET Configuration API and set reloadOnChange to true to automatically reload secrets.
D.Use Azure.Identity.DefaultAzureCredential to authenticate to Key Vault and retrieve secrets on application startup, caching them in memory with a configurable expiration time. Use a background service to refresh the cache before expiration.
AnswerD

This approach uses managed identity, caches secrets, and refreshes them periodically without restarting the application.

Why this answer

Option C is correct because using Azure Key Vault with the Azure.Identity.DefaultAzureCredential and configuring the SecretClient to cache secrets with a configurable refresh interval meets all requirements: managed identity authentication, no credentials stored, automatic rotation via periodic refresh, and reduced latency by caching. Option A is incorrect because environment variables are not secure and require application restart on change. Option B is incorrect because the Key Vault Secrets provider for .NET Configuration can poll for changes, but it does not support automatic rotation without application restart by default and may cause high latency if configured to poll too frequently.

Option D is incorrect because client certificates still require certificate management and rotation, and the application would need to handle certificate renewal.

103
MCQmedium

You are developing a .NET Core application that needs to authenticate users via Microsoft Entra ID and call Microsoft Graph API. You register an app in the Microsoft Entra admin center and configure the necessary permissions. However, when the app tries to acquire a token, it receives an 'interaction_required' error. What is the most likely cause?

A.The client secret is expired or invalid.
B.The scope parameter is incorrectly formatted.
C.The application is requesting admin-restricted permissions without admin consent.
D.The redirect URI does not match the registered redirect URI.
AnswerC

Admin-restricted permissions require admin consent, otherwise user interaction is needed.

Why this answer

The 'interaction_required' error typically indicates that the token acquisition requires user interaction, often because the user has not granted consent or the permissions require admin consent. Option A is correct because if the app requests admin-restricted permissions (e.g., User.Read.All), the user must be an admin or consent must be pre-granted. Option B is incorrect; the redirect URI mismatch would cause a different error.

Option C is incorrect; a client secret issue would cause an authentication failure, not interaction_required. Option D is incorrect; the scope format is correct.

104
MCQeasy

You need to authenticate an Azure Function to an Azure SQL Database using a managed identity. The function has a system-assigned managed identity enabled. Which connection string setting should you use in the function's application settings?

A.Server=tcp:myserver.database.windows.net;Database=mydb;Authentication=Active Directory Password;
B.Server=tcp:myserver.database.windows.net;Database=mydb;Authentication=Active Directory Managed Identity;
C.Server=tcp:myserver.database.windows.net;Database=mydb;User Id=myuser;Password=mypassword;
D.Server=tcp:myserver.database.windows.net;Database=mydb;Authentication=Active Directory Managed Identity;User Id=<client-id>;
AnswerB

This connection string uses managed identity authentication.

Why this answer

When using managed identity, you do not include User ID and Password. Instead, you set 'Authentication=Active Directory Managed Identity' in the connection string. Option A is for SQL authentication, B uses the client ID of a user-assigned managed identity, and D uses a service principal.

105
MCQhard

You have an Azure Function that processes messages from an Event Hubs event stream. The function is failing with 'Message lock lost' errors. The processing time per event is about 10 minutes. What should you do to resolve the errors?

A.Increase the function's timeout duration
B.Configure the EventProcessorOptions with a longer lease duration
C.Increase the number of partitions in the Event Hub
D.Decrease the batch size to process events faster
AnswerB

Increasing the lease duration prevents the lock from expiring during long processing.

Why this answer

Event Hubs capture does not have a lock mechanism; the error is likely due to the checkpoint store. However, the issue is that the function is using Event Hubs with a consumer group that has a short lease duration. Increasing the 'maxReceiveWaitTime' or 'prefetch count' might help, but the best solution is to increase the 'eventProcessorOptions' for the lease duration.

Option A is wrong because partition count does not affect lock loss. Option B is wrong because batch size is not the issue. Option D is wrong because increasing function timeout does not affect the Event Hubs lease.

106
MCQmedium

Your company has an Azure Logic App that processes orders by calling a third-party REST API using an HTTP trigger. Recently, the API provider changed their authentication to require OAuth 2.0 with client credentials. The Logic App currently uses a basic authentication header. What should you do to update the Logic App?

A.Use Azure API Management to proxy the API and add OAuth support
B.Add the client ID and client secret as query parameters
C.Configure the Logic App to use a managed identity and update the HTTP action authentication to 'Active Directory OAuth'
D.Replace the HTTP trigger with a Service Bus queue
AnswerC

Managed identity allows secure OAuth 2.0 authentication without managing secrets.

Why this answer

Azure Logic Apps can use managed identities to authenticate to services that support Microsoft Entra ID. For third-party APIs, you can configure the authentication type to 'Active Directory OAuth' and use the managed identity. Option A is wrong because the API key is not OAuth 2.0.

Option B is wrong because API Management can be used but adds unnecessary complexity. Option D is wrong because connection strings are not relevant.

107
MCQhard

Refer to the exhibit. An Azure Function is configured with an Event Hub trigger to process telemetry data. The function uses the EventProcessorHost to read events. The developer notices that the function is not processing all events; some events are skipped. What is the most likely cause?

A.The event hub name is misspelled
B.The cardinality is set to 'many' causing batch processing issues
C.The consumer group is set to $Default
D.The connection string is stored as a securestring parameter
AnswerB

Batch processing may cause timeouts or checkpoint issues leading to skipped events.

Why this answer

Option C is correct because the cardinality is set to 'many', which means the function receives a batch of events. If the batch size is too large, some events may be skipped due to timeouts. Option A is incorrect because the connection string is secure.

Option B is incorrect because $Default is a valid consumer group. Option D is incorrect because the event hub name is correct.

108
MCQhard

You are developing a .NET Core application that uses Azure Service Bus queues. You need to implement a dead-lettering mechanism for messages that cannot be processed after 5 delivery attempts. Which property should you set on the queue to automate this?

A.defaultMessageTimeToLive
B.maxDeliveryCount
C.lockDuration
D.requiresDuplicateDetection
AnswerB

maxDeliveryCount sets the maximum number of delivery attempts before dead-lettering.

Why this answer

The 'maxDeliveryCount' property on a Service Bus queue defines the maximum number of times a message can be delivered before it is automatically dead-lettered. Setting it to 5 meets the requirement. Option A is wrong because 'defaultMessageTimeToLive' controls time-based expiration, not delivery count.

Option B is wrong because 'lockDuration' is for peek-lock, not retry count. Option D is wrong because 'requiresDuplicateDetection' is for deduplication, not dead-lettering.

109
MCQhard

You are designing a solution to send email notifications from an Azure App Service web app. The app must use a third-party email service that requires an API key. You need to minimize management overhead and ensure the key is rotated automatically. What should you do?

A.Use a system-assigned managed identity to authenticate to the email service
B.Store the API key in the App Service application settings
C.Create an Azure Logic App to send emails and call it from the web app
D.Store the API key in Azure Key Vault and use a managed identity to retrieve it
AnswerD

Key Vault provides secure storage and automatic rotation; managed identity provides secure access.

Why this answer

Azure Key Vault can store the API key, and the app can use a managed identity to retrieve it. Key Vault supports automatic rotation of secrets. Option A is wrong because storing in app settings is not secure and does not rotate automatically.

Option B is wrong because managed identities do not store secrets directly. Option D is wrong because the Logic App adds unnecessary overhead.

110
MCQmedium

Wide World Importers has an Azure API Management (APIM) instance that exposes several APIs. One API is a custom REST API hosted on an Azure App Service. The API requires authentication via a subscription key. APIM is configured to require subscription keys for all APIs. The team wants to offload authentication to APIM so that backend services do not need to validate keys. However, the backend API also needs to know the identity of the calling application for logging. The team decides to use APIM's OAuth 2.0 authorization with Microsoft Entra ID. The backend API should receive the JWT token from APIM. How should the team configure APIM to pass the token to the backend?

A.In the inbound processing policy, add a 'validate-jwt' policy to validate the token. Then add a 'set-header' policy to copy the token from the Authorization header (or from the context) and forward it to the backend.
B.Use the 'ip-filter' policy to restrict access to known IPs. The backend trusts requests from APIM's IP.
C.Remove the subscription key requirement for that API. APIM will not pass any authentication information to the backend.
D.Configure APIM to use client certificate authentication for the backend. The certificate is presented to the backend, which extracts the identity from the certificate.
AnswerA

Correct: APIM validates and forwards JWT.

Why this answer

Use the 'validate-jwt' policy to validate the token, and then use 'set-header' policy to forward the token in the Authorization header. Option A is correct. Option B uses client certificate, not token.

Option C removes subscription key but not pass token. Option D uses IP filtering, not token.

111
MCQeasy

A company exposes an internal REST API to external partners using Azure API Management. They need to enforce a rate limit of 100 requests per minute per subscription. Which policy should they add?

A.CORS policy
B.Rate limit policy
C.Throttling policy
D.Validate JWT policy
AnswerB

The rate-limit policy limits API call rates per subscription or key, enforcing the specified limit per time window.

Why this answer

The Rate limit policy (option B) is correct because it enforces a per-subscription key rate limit of 100 requests per minute, which is exactly what the scenario requires. Azure API Management's rate-limit policy counts requests against the specified duration and blocks additional calls once the limit is exceeded, returning a 429 Too Many Requests response.

Exam trap

The trap here is that candidates confuse the 'rate-limit' policy (per-subscription, fixed window) with the 'throttling' policy (rate-limit-by-key, per-key or per-identity), but the question's requirement for 'per subscription' directly maps to the rate-limit policy, not the throttling policy.

How to eliminate wrong answers

Option A is wrong because the CORS policy handles cross-origin resource sharing (HTTP headers like Access-Control-Allow-Origin) and does not enforce any request rate limits. Option C is wrong because the throttling policy (rate-limit-by-key) is designed for per-key rate limiting but is typically used for more granular scenarios like per-IP or per-claim, and the question explicitly asks for per-subscription enforcement, which is the standard rate-limit policy. Option D is wrong because the Validate JWT policy validates JSON Web Tokens for authentication/authorization and has no mechanism to control request frequency.

112
MCQeasy

You are using Azure CLI to upload a blob using your Azure AD credentials (--auth-mode login). The command fails with an authorization error. What is the most likely cause?

A.The user does not have the 'Storage Blob Data Contributor' role on the storage account
B.The Azure CLI version is outdated
C.The storage account key is not provided
D.The container name does not exist
AnswerA

Azure RBAC role assignment is required for Azure AD authentication.

Why this answer

Option B is correct. The user must have the 'Storage Blob Data Contributor' role to upload blobs. Option A is wrong because the storage account key is not needed when using Azure AD.

Option C is wrong because the container exists. Option D is wrong because the CLI version is fine.

113
MCQmedium

You have an Azure Event Grid topic that receives storage blob created events. You only want to process events for files with a '.jpg' extension. You need to minimize cost and latency. How should you filter the events?

A.Configure a subject filter in the Event Grid subscription with suffix '.jpg'
B.Filter inside the Azure Function code by checking the blob name extension
C.Use Azure Service Bus topics instead of Event Grid, with a filter on message properties
D.Create separate Event Grid topics for JPEG files and route only JPEG events
AnswerA

Subject suffix filtering ensures only events with blob names ending in '.jpg' are delivered, avoiding unnecessary function invocations.

Why this answer

Option A is correct because Event Grid subscriptions support subject filtering with prefix and suffix matching, allowing you to filter events at the Event Grid service level before they are delivered to your endpoint. By configuring a subject filter with suffix '.jpg', only blob created events for files ending in '.jpg' are sent to your Azure Function, minimizing both cost (fewer invocations) and latency (no unnecessary processing). This approach avoids the overhead of receiving and discarding unwanted events in your function code.

Exam trap

The trap here is that candidates often assume filtering in code is simpler or more flexible, but they overlook that Event Grid's built-in subject filtering is the most cost-effective and low-latency approach because it prevents unwanted events from ever reaching the function endpoint.

How to eliminate wrong answers

Option B is wrong because filtering inside the Azure Function code still incurs the cost of every event being delivered to the function and the latency of function invocations for unwanted events, defeating the purpose of minimizing cost and latency. Option C is wrong because Azure Service Bus topics are designed for message queuing and pub/sub with message properties, but Event Grid is the native service for reacting to Azure storage blob events with built-in subject filtering; using Service Bus adds unnecessary complexity and cost. Option D is wrong because creating separate Event Grid topics for JPEG files requires additional management overhead and does not leverage the built-in filtering capability of Event Grid subscriptions, leading to higher cost and complexity without benefit.

114
MCQmedium

An application uses Azure Functions with a Durable Functions extension to orchestrate a workflow. The workflow calls multiple external APIs. The developer needs to handle transient failures when calling these APIs. Which pattern should the developer implement?

A.Implement retry logic with exponential backoff
B.Use a saga pattern
C.Use a request-reply pattern
D.Use a circuit breaker pattern
AnswerA

Exponential backoff is a standard approach for handling transient failures.

Why this answer

Option A is correct because automatic retry with exponential backoff is a best practice for transient faults. Option B is incorrect because circuit breaker is for preventing repeated calls to a failing service, but it doesn't handle retries. Option C is incorrect because the request-reply pattern is for messaging, not for handling failures.

Option D is incorrect because the saga pattern is for distributed transactions, not for retries.

115
MCQmedium

A company integrates an Azure Logic App with Microsoft Teams to send notifications when a new file is added to an Azure Blob storage container. The Logic App currently polls the blob container every minute. They want to reduce latency and avoid polling. What should they do?

A.Increase the polling frequency to every 10 seconds.
B.Add an Event Grid subscription to the blob storage.
C.Use Azure Data Factory to monitor the storage.
D.Use Azure Service Bus topics for file notifications.
AnswerB

Event Grid pushes events to Logic App, eliminating polling.

Why this answer

Using an Event Grid subscription (option B) triggers the Logic App on blob creation events, eliminating polling. Option A increases frequency but still polls. Option C uses Service Bus which adds overhead.

Option D is for data factory, not Logic Apps.

116
Multi-Selecthard

Your company uses Azure API Management to manage APIs. You need to implement policies that ensure only authenticated requests from partners are allowed, and that responses are cached to improve performance. Which THREE policies should you configure?

Select 3 answers
A.set-header
B.rate-limit
C.cache-store
D.validate-jwt
E.cache-lookup
AnswersC, D, E

Stores responses in cache.

Why this answer

The validate-jwt policy is used to authenticate requests by validating JSON Web Tokens. The cache-store and cache-lookup policies work together to cache responses. Option A is correct for authentication.

Option B is correct for storing cache. Option C is correct for looking up cache. Option D is incorrect because rate-limit is for throttling, not authentication.

Option E is incorrect because set-header is for modifying headers.

117
MCQmedium

Refer to the exhibit. An Azure App Service deployment is configured using this ARM template snippet. The web app is built from a GitHub repository. However, when a pull request is merged to main, the app does not automatically deploy. What is the most likely cause?

A.The isManualIntegration property is set to false.
B.The runtime stack is incorrect for the application.
C.The branch is set to main, but the deployments only trigger on a different branch.
D.The GitHub Actions workflow file is missing from the repository.
AnswerD

The ARM template only enables the integration; the actual workflow file must exist in the repo.

Why this answer

The GitHub Actions configuration is set but the ARM template does not include a workflow file path. The most likely issue is missing a GitHub Actions workflow file in the repo (option C). Option A: isManualIntegration is false, so it should be automated.

Option B: runtime is correct. Option D: branch is main, which is typical.

118
MCQhard

You are using Azure API Management to expose a legacy SOAP API as a RESTful API. The SOAP API has complex XML schemas. You need to transform the SOAP response to JSON. Which policy should you use?

A.transform-body
B.return-response
C.convert-to-json
D.set-body
AnswerD

set-body policy allows you to transform the response body using Liquid templates or XSLT to convert SOAP XML to JSON.

Why this answer

Option D is correct because the set-body policy allows you to transform the response body using a Liquid template or XSLT, which can convert SOAP XML to JSON. Option A is wrong because the convert-to-json policy is not a standard API Management policy; it does not exist. Option B is wrong because the transform-body policy does not exist; the correct policy is set-body.

Option C is wrong because the return-response policy is for returning a custom response, not for transforming the body.

119
Multi-Selectmedium

Which TWO approaches can be used to securely connect an Azure web app to an on-premises database without exposing it to the internet?

Select 2 answers
A.Azure API Management
B.Public IP address with firewall rules
C.Azure VPN Gateway
D.Azure App Service Hybrid Connections
E.Azure ExpressRoute
AnswersC, E

VPN Gateway creates a secure site-to-site VPN.

Why this answer

Azure VPN Gateway and Azure ExpressRoute create secure connections between Azure and on-premises networks. Option B is wrong because Hybrid Connections require a relay agent. Option D is wrong because App Service Hybrid Connections are for specific services, not general connectivity.

Option E is wrong because public endpoints expose the database to internet.

120
MCQmedium

You are building an API that needs to send notifications to multiple subscribers. Each subscriber has a different callback URL, and you need to ensure each notification is sent exactly once and retried on failure. Which Azure service should you use?

A.Azure Event Grid.
B.Azure Service Bus.
C.Azure Notification Hubs.
D.Azure Queue Storage.
AnswerA

Correct. Event Grid delivers events to multiple subscribers with retry and exactly-once semantics.

Why this answer

Azure Event Grid is the correct choice because it is a fully managed event routing service that uses a publish-subscribe model with built-in retry logic and exactly-once delivery semantics. It supports multiple subscribers with distinct callback URLs (webhooks) and automatically retries delivery on failure, making it ideal for sending notifications to multiple endpoints with guaranteed delivery.

Exam trap

The trap here is that candidates often confuse Azure Event Grid with Azure Service Bus, mistakenly thinking a message broker is needed for multiple subscribers, but Event Grid's native webhook delivery and built-in retry make it the correct choice for this exact scenario.

How to eliminate wrong answers

Option B (Azure Service Bus) is wrong because it is a message broker designed for point-to-point or competing consumer patterns, not for broadcasting to multiple subscribers with individual callback URLs; it lacks native webhook delivery and requires custom polling or relay logic. Option C (Azure Notification Hubs) is wrong because it is optimized for push notifications to mobile devices (e.g., iOS, Android) and does not support arbitrary HTTP callback URLs or exactly-once delivery to multiple webhook subscribers. Option D (Azure Queue Storage) is wrong because it is a simple message queue for decoupling components with at-least-once delivery and no built-in retry or webhook subscription model; it cannot directly send notifications to multiple callback URLs.

121
MCQmedium

You are building an Azure Logic App that must send a confirmation email to users after a purchase. Your company uses Office 365 for email and you want to use the corporate email address. Which connector should you use?

A.Office 365 Outlook
B.SMTP
C.SendGrid
D.Outlook.com
AnswerA

Correct. This connector integrates with Office 365 and uses the sender's corporate email account.

Why this answer

The Office 365 Outlook connector is the correct choice because it provides direct, managed integration with Office 365 email services, allowing the Logic App to send emails using the corporate email address without needing to configure SMTP server details or handle authentication manually. This connector supports OAuth 2.0 authentication, which is the recommended and secure method for accessing Office 365 resources, and it is specifically designed for enterprise Office 365 accounts.

Exam trap

The trap here is that candidates confuse the Outlook.com connector (for personal accounts) with the Office 365 Outlook connector (for enterprise accounts), or they assume SMTP is always the simplest choice without considering authentication and security requirements in a cloud-native service.

How to eliminate wrong answers

Option B (SMTP) is wrong because while SMTP can technically send emails, it requires manual configuration of server, port, and credentials, and does not natively support OAuth 2.0 for Office 365, making it less secure and more complex to maintain in a Logic App. Option C (SendGrid) is wrong because SendGrid is a third-party email delivery service, not designed for sending emails directly from a corporate Office 365 mailbox; it would require a separate SendGrid account and API key. Option D (Outlook.com) is wrong because the Outlook.com connector is intended for personal Microsoft accounts (e.g., @outlook.com, @hotmail.com), not for corporate Office 365 accounts, and it does not support enterprise features like shared mailboxes or Exchange Online policies.

122
MCQmedium

Refer to the exhibit. You are deploying an ARM template that includes the above network security group rule. The rule is intended to block all outbound internet traffic from a virtual network. However, after deployment, virtual machines in the subnet still have outbound internet access. What is the most likely reason?

A.The destination port range '*' is invalid; you must specify explicit ports.
B.The source address prefix should be '*' instead of 'VirtualNetwork'.
C.The network security group is not associated with the subnet or network interface.
D.The rule priority is too low; it should be lower than the default allow rule.
AnswerC

Without association, the rule does not take effect.

Why this answer

Option C is correct because the rule has a priority of 100, which is a high priority number (lowest priority). By default, Azure NSGs allow outbound internet traffic with a default rule (AllowInternetOutbound) that has a priority of 65001. Since 100 is lower than 65001, the deny rule should take precedence.

However, the issue is that the rule uses 'VirtualNetwork' as the source address prefix, which means it only applies to traffic from the virtual network itself, not to traffic originating from VMs. Actually, the exhibit shows sourceAddressPrefixes as 'VirtualNetwork', which is correct for traffic from the VNet. But the problem is that the rule's priority is 100, which is higher than the default allow rule (65001), so it should work.

Wait, let's re-evaluate: priority numbers are lower = higher priority. A priority of 100 means it is evaluated before the default rule (65001). So the rule should block outbound internet.

However, the rule might not be applied because the NSG is not associated with the subnet or NIC. But the exhibit only shows the rule definition. The most likely reason from the options is that the NSG is not associated with the subnet or NIC.

Option A is wrong because priority 100 is higher than default rules. Option B is wrong because the rule does apply to VMs in the VNet. Option D is wrong because the rule does not need to specify source port ranges.

So Option C is correct.

123
MCQeasy

Contoso is building a serverless application using Azure Functions. One function needs to read messages from an Azure Event Hub and store them in Azure Blob Storage. The function uses the Event Hubs trigger. The team wants to authenticate to both Event Hubs and Blob Storage using managed identities. The Function app has system-assigned managed identity enabled. Which role assignments are required on the Event Hubs namespace and the storage account?

A.Assign the 'Azure Event Hubs Data Sender' role and 'Storage Blob Data Reader' role.
B.Assign the 'Azure Event Hubs Data Reader' role (which does not exist) and 'Storage Blob Data Contributor' role.
C.Assign the 'Azure Event Hubs Data Receiver' role to the managed identity on the Event Hubs namespace. Assign the 'Storage Blob Data Contributor' role to the managed identity on the storage account.
D.Assign the 'Azure Event Hubs Data Owner' role and 'Storage Blob Data Owner' role.
AnswerC

Correct: correct roles for reading from Event Hubs and writing to Blob.

Why this answer

For Event Hubs, the managed identity needs 'Azure Event Hubs Data Receiver' role. For Blob Storage, it needs 'Storage Blob Data Contributor' role. Option A is correct.

Option B has wrong roles. Option C uses wrong roles. Option D has wrong roles.

124
Multi-Selecthard

Which THREE are benefits of using Azure API Management for consuming third-party APIs? (Choose three.)

Select 3 answers
A.Transforming request and response formats (e.g., XML to JSON).
B.Implementing rate limiting and throttling to avoid exceeding API quotas.
C.Automatically scaling the third-party API based on demand.
D.Caching responses to reduce latency and load on the third-party API.
E.Providing a global load balancer for the third-party API.
AnswersA, B, D

APIM policies can transform data formats.

Why this answer

APIM provides caching, transformation, and rate limiting. Option A (caching) reduces latency; Option B (transformation) allows modifying requests/responses; Option D (rate limiting) protects backend. Option C is not a typical benefit; Option E is a feature of Azure Front Door, not APIM.

125
Multi-Selecteasy

Which TWO Azure services can be used to implement serverless event-driven architectures?

Select 2 answers
A.Azure Batch
B.Azure Logic Apps
C.Azure Functions
D.Azure Container Instances
E.Azure Virtual Machines
AnswersB, C

Logic Apps are serverless workflows that integrate with various services.

Why this answer

Azure Logic Apps is correct because it provides a fully managed integration platform for orchestrating workflows that respond to events from various sources, such as HTTP requests, Azure services, or third-party apps, using a visual designer and connectors. Azure Functions is correct because it offers event-driven compute capabilities where code executes in response to triggers like HTTP requests, queue messages, or timer events, enabling serverless architectures without managing infrastructure.

Exam trap

The trap here is that candidates often confuse Azure Batch or Azure Container Instances as serverless event-driven services because they are 'serverless' in some sense, but they lack the native event-triggering and orchestration capabilities that define serverless event-driven architectures.

126
Multi-Selecteasy

Which TWO Azure services can be used to store application configuration settings?

Select 2 answers
A.Azure App Configuration
B.Azure Queue Storage
C.Azure Blob Storage
D.Azure Cosmos DB
E.Azure Key Vault
AnswersA, E

Azure App Configuration is a managed service for configuration settings.

Why this answer

Options B and C are correct. Azure App Configuration is purpose-built for configuration. Azure Key Vault can store secrets that are part of configuration.

Option A (Cosmos DB) is a database; Option D (Blob Storage) can store config files but is not a managed configuration service; Option E (Queue Storage) is for messages.

127
MCQmedium

A company uses Azure Logic Apps to integrate with a third-party SaaS application. The Logic App must send an HTTP request to the SaaS API and handle pagination. Which connector should be used?

A.API Connection
B.HTTP + Swagger
C.HTTP
D.HTTP Webhook
AnswerC

The HTTP connector allows full control over requests and responses, enabling custom pagination logic.

Why this answer

Option C is correct because the HTTP connector allows custom HTTP requests, including handling pagination manually. Option A (HTTP + Swagger) is for APIs with Swagger definitions; Option B (HTTP Webhook) is for subscriptions; Option D (API Connection) requires a pre-built connector, which may not support custom pagination.

128
MCQeasy

A developer needs to deploy a web app that uses Azure SQL Database. They want to connect to the database using a connection string without storing it in code. Which feature of Azure App Service should they use?

A.Key Vault references
B.Environment variables
C.Application settings
D.Azure App Configuration
AnswerC

App settings can securely store connection strings.

Why this answer

App Settings in Azure App Service allow storing connection strings securely. Option B is wrong because Key Vault references are used but require additional setup. Option C is wrong because App Configuration is for configuration management.

Option D is wrong because Environment variables are not persistent in App Service.

129
Multi-Selecthard

Which THREE components are required to implement a secure authentication flow for a single-page application (SPA) using Microsoft Entra ID to call Microsoft Graph? (Choose three.)

Select 3 answers
A.Client certificate
B.Authorization endpoint
C.Client ID (Application ID)
D.Client secret
E.Token endpoint
AnswersB, C, E

To obtain authorization code.

Why this answer

Options A, B, and D are correct. A SPA needs a client ID, authorization endpoint, and token endpoint. Option C is wrong because client secret is not used in public clients like SPAs.

Option E is wrong because certificate is for confidential clients.

130
MCQmedium

You are building an Azure Logic App that must call a third-party REST API secured with OAuth 2.0 Client Credentials flow. The client ID and client secret are stored in Azure Key Vault. You need to securely obtain an access token and include it in requests to the API. Which approach should you use in the Logic App?

A.Use the HTTP action with 'Active Directory OAuth' authentication and hardcode the client secret in the connection parameters.
B.Create an Azure API connection (custom connector) with the OAuth 2.0 settings and store the secret in the connector's definition.
C.Enable a system-assigned managed identity for the Logic App, grant it access to Key Vault, use the 'Get secret' action to retrieve the client secret into a variable, then use the HTTP action with 'Active Directory OAuth' authentication referencing that variable for the secret.
D.Store the client secret in an Azure App Service application setting and reference it in the Logic App via a connector.
AnswerC

This approach uses managed identity to securely access Key Vault, and the secret is passed at runtime without being exposed in the workflow definition. The HTTP action's OAuth authentication can use a variable for the client secret.

Why this answer

Option C is correct because it securely retrieves the client secret from Azure Key Vault at runtime using a managed identity, avoiding any hardcoded secrets. The Logic App's system-assigned managed identity is granted access to Key Vault, then the 'Get secret' action fetches the secret into a variable, which is passed to the HTTP action's 'Active Directory OAuth' authentication. This approach follows the principle of least privilege and eliminates secret exposure in connection definitions or source code.

Exam trap

The trap here is that candidates may think a custom connector (Option B) is the correct way to handle OAuth 2.0, but they overlook that storing the secret in the connector definition is not secure and that managed identities with Key Vault provide a more robust and auditable solution.

How to eliminate wrong answers

Option A is wrong because hardcoding the client secret in the HTTP action's connection parameters violates security best practices and exposes the secret in the Logic App's definition and runtime history. Option B is wrong because storing the secret in the custom connector's definition embeds it in the connector metadata, which is not secure and cannot be dynamically rotated without redeploying the connector. Option D is wrong because Azure App Service application settings are not designed for Logic Apps (they are for App Service apps) and referencing them via a connector still exposes the secret in the Logic App's configuration, lacking the secure retrieval and dynamic secret management that Key Vault provides.

131
MCQmedium

You are building a serverless workflow using Azure Logic Apps. The workflow must start when a new blob is uploaded to a specific container in Azure Blob Storage. Which trigger should you configure?

A.When a blob is created or modified (blob trigger)
B.HTTP request trigger
C.Recurrence trigger
D.Service Bus trigger
AnswerA

This trigger monitors a blob storage container and fires when a new blob is added or an existing blob is updated.

Why this answer

Option A is correct because the 'When a blob is created or modified (blob trigger)' is the native Azure Logic Apps trigger designed to start a workflow automatically when a new blob is uploaded or an existing blob is modified in a specified Azure Blob Storage container. This trigger uses the Azure Blob Storage event subscription to detect changes and is the appropriate choice for event-driven serverless workflows that respond to blob storage events.

Exam trap

The trap here is that candidates often confuse the Blob Storage trigger with the HTTP trigger, thinking they can manually invoke the workflow via a URL, but the question specifically requires an event-driven start from a blob upload, which only the blob trigger supports.

How to eliminate wrong answers

Option B is wrong because the HTTP request trigger is used to start a workflow when an external HTTP request is received, not when a blob is uploaded to Blob Storage. Option C is wrong because the Recurrence trigger runs the workflow on a fixed schedule (e.g., every hour) and does not respond to real-time blob upload events. Option D is wrong because the Service Bus trigger is designed to start a workflow when a message is received from an Azure Service Bus queue or topic, not from Blob Storage.

132
MCQmedium

Your company is building a real-time dashboard that displays sales data from multiple stores. The data is generated as events from point-of-sale systems and must be ingested with low latency. The dashboard needs to display aggregated data (e.g., total sales per store per minute) with a maximum delay of 5 seconds from event generation. You have decided to use Azure Event Hubs for ingestion and Azure Stream Analytics for real-time processing. The processed data will be stored in Azure Cosmos DB for the dashboard to query. However, the dashboard requires that the data in Cosmos DB be updated as soon as new aggregations are available. You need to design the output from Azure Stream Analytics to Cosmos DB. Which output configuration should you use?

A.Configure the output to use Cosmos DB MongoDB API and use a unique index on store ID and timestamp.
B.Output to Azure Cosmos DB Table API with a partition key of store ID.
C.Write the output to Azure Blob Storage and use an Azure Function triggered by blob creation to update Cosmos DB.
D.Configure the output to use Cosmos DB SQL API with the document ID set to a concatenation of store ID and minute timestamp, and enable upsert.
AnswerD

SQL API with upsert provides low-latency updates.

Why this answer

Azure Stream Analytics can output to Cosmos DB. To ensure low latency and upserts, you should configure the output to use the Cosmos DB SQL API with a document ID that is a composite key (e.g., storeId + timestamp) to enable upserts. Option A is correct because it specifies the correct API and upsert configuration.

Option B is incorrect because the MongoDB API may not support the same performance guarantees. Option C is incorrect because writing to Blob Storage and then using a trigger introduces additional latency. Option D is incorrect because Table API is not suitable for the required query patterns.

133
Multi-Selecteasy

Which TWO Azure services can be used to securely store and retrieve secrets, such as API keys and connection strings, for use in cloud applications?

Select 2 answers
A.Azure Cosmos DB
B.Azure Key Vault
C.Azure Blob Storage
D.Azure App Configuration
E.Azure SQL Database
AnswersB, D

Dedicated secrets management service.

Why this answer

A and D are correct. Azure Key Vault is designed for secrets management. Azure App Configuration can store Key Vault references, effectively storing secrets securely.

Option B is wrong because Azure Blob Storage is not designed for secrets; it stores blobs. Option C is wrong because Azure Cosmos DB is a NoSQL database. Option E is wrong because Azure SQL Database is a relational database.

134
MCQmedium

A developer writes an Azure Function that uses the Azure.Storage.Blobs SDK to upload a file to Blob Storage. The function runs locally but fails when deployed to Azure with a '403 Forbidden' error. What is the most likely cause?

A.The function app does not have the correct RBAC role on the storage account
B.The Azure.Storage.Blobs SDK version is deprecated
C.The function runtime version is incompatible
D.The storage account is behind a firewall and the function app's outbound IP is not whitelisted
AnswerA

Managed identity needs Storage Blob Data Contributor role to write blobs.

Why this answer

The function app in Azure needs a managed identity with the appropriate RBAC role (e.g., Storage Blob Data Contributor) to access the storage account. Locally, the developer might be using their own credentials. Option A is wrong because the function runtime is not the issue.

Option B is wrong because firewall rules would affect both local and cloud. Option D is wrong because the SDK version is unlikely to cause a 403.

135
Multi-Selectmedium

Which TWO actions can you take to improve the performance of an Azure App Service web app that makes calls to an external API? (Choose two.)

Select 2 answers
A.Use a connection pool to reuse connections to the API.
B.Send multiple requests in parallel to the API.
C.Scale out the App Service to more instances.
D.Use async/await patterns in the code to avoid blocking threads.
E.Implement caching of API responses using Azure Cache for Redis.
AnswersD, E

Async/await improves scalability and responsiveness.

Why this answer

Options B and D are correct. Caching responses reduces redundant calls, and using async/await frees up threads. Option A is wrong because increasing instance count adds cost but may not improve per-request latency.

Option C is wrong because multiple API calls per request increase latency. Option E is wrong because keeping a persistent connection may help but is not a direct performance improvement for the described issue.

136
MCQeasy

You are developing a mobile app backend using Azure Functions. The app allows users to upload profile pictures. The pictures are stored in Azure Blob Storage and the metadata (user ID, blob URL, upload timestamp) is stored in Azure SQL Database. You need to implement a process that automatically generates a thumbnail for each uploaded picture and updates the metadata with the thumbnail URL. The thumbnail generation is CPU-intensive and may take up to 30 seconds per image. The solution should be serverless and cost-effective. Which combination of Azure services should you use?

A.Use an Azure VM with a scheduled task to poll for new blobs and generate thumbnails.
B.Use an Azure Queue Storage trigger to invoke an Azure Function that processes the image and updates Azure SQL Database.
C.Use an Azure Blob Storage trigger to invoke an Azure Function that generates the thumbnail and updates Azure SQL Database.
D.Use Azure Event Grid to trigger an Azure Logic App that generates the thumbnail and updates Azure SQL Database.
AnswerC

Blob Storage trigger is serverless and cost-effective.

Why this answer

An Azure Blob Storage trigger can start an Azure Function on blob creation. The function can generate the thumbnail and then update the metadata in Azure SQL Database. This is serverless and scales automatically.

Option A is correct. Option B is incorrect because Event Grid can also trigger a function, but the Blob Storage trigger is simpler and directly tied to blob events. Option C is incorrect because using a queue adds unnecessary complexity.

Option D is incorrect because using a VM is not serverless.

137
MCQmedium

A developer exposes several backend APIs through Azure API Management. Clients must be throttled by subscription to protect the backend. What should be configured? The architecture review board prefers a managed AWS-native control.

A.Blob soft delete
B.Application Insights sampling
C.Private DNS zone only
D.API Management rate-limit or quota policy
AnswerD

APIM policies can enforce rate limits and quotas per subscription or caller.

Why this answer

Option D is correct because Azure API Management provides built-in rate-limit and quota policies that allow you to throttle client requests based on the subscription key. This directly protects backend services from excessive traffic by enforcing per-subscription call rates and quotas, which aligns with the requirement to throttle clients by subscription.

Exam trap

The trap here is that candidates may confuse Application Insights sampling (a telemetry feature) with API throttling, or think Blob soft delete or DNS zones could somehow limit API calls, when only API Management policies directly enforce subscription-based rate limits.

How to eliminate wrong answers

Option A is wrong because Blob soft delete is a data protection feature for Azure Blob Storage that recovers accidentally deleted blobs; it has no role in API throttling or subscription-based rate limiting. Option B is wrong because Application Insights sampling reduces the volume of telemetry data collected for monitoring, not API request throttling; it controls data ingestion, not client access rates. Option C is wrong because a Private DNS zone only manages custom DNS resolution within a virtual network; it does not enforce any rate limits or quotas on API calls.

138
Multi-Selectmedium

Which TWO authentication mechanisms can be used to securely connect an Azure Function app to an Azure SQL Database using managed identities?

Select 2 answers
A.System-assigned managed identity
B.User-assigned managed identity
C.Service principal with client secret
D.Certificate-based authentication
E.Connection string with access key
AnswersA, B

Correct: a type of managed identity.

Why this answer

System-assigned managed identity and user-assigned managed identity are both supported for Azure SQL Database connections. Service principal and connection strings with keys are not managed identities. Certificate-based authentication is not a managed identity type.

139
MCQhard

You are a developer at Contoso Ltd. The company has an existing .NET Core web application hosted on Azure App Service that allows users to upload images. The application currently stores images directly to Azure Blob Storage using connection strings stored in the Web.config file. The security team has mandated that all secrets must be stored in Azure Key Vault and rotated automatically. Additionally, the application must be able to access the Key Vault without storing any credentials in the application code or configuration files. The application uses Microsoft Entra ID for user authentication. You need to modify the application to meet these requirements with minimal changes to the application code. You have the following resources: an Azure Key Vault instance with the secrets (storage account connection string) already stored; a managed identity enabled for the App Service. You want to use the Key Vault references feature of Azure App Configuration or direct Key Vault access. Which approach should you take?

A.Set the connection string as an environment variable in the App Service using the Azure CLI and rely on the Key Vault backup.
B.Create an Azure App Configuration store, import the secrets from Key Vault, and change the application to use the App Configuration provider.
C.In the Azure portal, update the App Service application settings to reference the Key Vault secrets using the Key Vault references feature. Enable the system-assigned managed identity for the App Service and grant it Get and List permissions on the Key Vault.
D.Modify the application code to use the Azure Identity SDK to authenticate to Key Vault via managed identity and retrieve the connection string.
AnswerC

Key Vault references allow secure access without code changes and support automatic rotation.

Why this answer

The correct approach is to use Key Vault references in the App Service application settings. This allows you to reference a secret stored in Key Vault using a syntax like @Microsoft.KeyVault(SecretUri=...). The App Service will automatically retrieve the secret using the system-assigned managed identity, and no code changes are required.

Option A is correct. Option B is incorrect because using App Configuration would require additional setup and code changes to reference the configuration. Option C is incorrect because manually retrieving secrets via SDK requires code changes.

Option D is incorrect because environment variables set directly are not rotated automatically.

140
MCQmedium

You are deploying a microservice that needs to read secrets (e.g., connection strings) from Azure Key Vault. The service runs on Azure Kubernetes Service (AKS). You want to minimize code changes and automatically rotate secrets. Which approach should you use?

A.Use the Azure Key Vault SDK in the application code to fetch secrets.
B.Store secrets as environment variables in the container image.
C.Use the Azure Key Vault Provider for Secrets Store CSI Driver on AKS.
D.Use Azure App Configuration with Key Vault references.
AnswerC

Mounts secrets as volumes or env vars, supports rotation.

Why this answer

Option B is correct because the CSI driver allows mounting secrets as volumes or environment variables with automatic rotation without code changes. Option A is wrong because it requires code changes to call the SDK. Option C is wrong because storing secrets in environment variables is insecure.

Option D is wrong because Azure App Configuration is for configuration, not secrets.

141
MCQmedium

An application calls a third-party shipping API through HTTP. The developer must implement retries without overwhelming the remote system during partial outages. Which retry pattern is best?

A.Immediate infinite retries
B.Retry only after restarting the application
C.Exponential backoff with jitter and a maximum retry limit
D.Disable all timeout settings
AnswerC

Backoff with jitter reduces retry storms and gives the remote service time to recover.

Why this answer

Exponential backoff with jitter and a maximum retry limit is the best pattern because it progressively increases the delay between retries, preventing the client from overwhelming the third-party shipping API during partial outages. Jitter randomizes the delay to avoid thundering herd problems where multiple clients retry simultaneously, and the maximum retry limit ensures the system does not retry indefinitely, preserving resources and allowing for graceful degradation.

Exam trap

The trap here is that candidates may choose immediate infinite retries (Option A) thinking it ensures delivery, but they overlook the risk of overwhelming the remote system and violating rate limits, which is explicitly tested in the context of third-party API consumption.

How to eliminate wrong answers

Option A is wrong because immediate infinite retries would flood the third-party API with requests during a partial outage, likely exacerbating the outage or triggering rate limiting and throttling responses (e.g., HTTP 429). Option B is wrong because retrying only after restarting the application introduces unnecessary downtime and delays recovery; the application should handle transient faults programmatically without requiring a restart. Option D is wrong because disabling all timeout settings would cause the application to hang indefinitely on unresponsive requests, leading to resource exhaustion (e.g., thread pool starvation) and no mechanism to detect or recover from failures.

142
MCQeasy

You are developing a web app that uses Azure Key Vault to retrieve secrets. The app must authenticate using a system-assigned managed identity. Which endpoint should you use to get an access token for Key Vault?

A.https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
B.http://169.254.169.254/metadata/identity/oauth2/token?resource=https://vault.azure.net&api-version=2018-02-01
C.https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{vaultName}
D.https://graph.microsoft.com/v1.0/me
AnswerB

This is the Azure Instance Metadata Service endpoint for managed identity token requests.

Why this answer

The correct endpoint for getting a token via managed identity on Azure App Service is http://169.254.169.254/metadata/identity/oauth2/token (the Instance Metadata Service endpoint). Option A is the Azure CLI login endpoint, B is the Graph API token endpoint, and D is the ARM token endpoint, which do not use managed identity for Key Vault.

143
MCQhard

Refer to the exhibit. A developer deploys this ARM template to create a blob container. Later, they attempt to upload a file to the container using a SAS token. What is the result?

A.The upload succeeds only if the SAS token includes read permission.
B.The container is not created because publicAccess is set to None.
C.The upload succeeds if the SAS token has write permission.
D.The upload fails because the container is private.
AnswerC

A SAS token with write permission allows upload to a private container.

Why this answer

Option C is correct. The container has publicAccess set to None, meaning no anonymous access. However, a SAS token provides delegated access, so uploads with a valid SAS token will succeed.

Option A is wrong because SAS tokens are still valid; Option B is wrong because SAS does not require public access; Option D is wrong because the container is created.

144
MCQhard

A company uses Azure Cosmos DB for a global e-commerce platform. They need to query product inventory across multiple regions with low latency. The data is partitioned by product category. Some queries filter on category and price range. What indexing policy should be configured to optimize these queries?

A.Use a wildcard index for all properties.
B.Create a composite index with (category, price).
C.Add a hash index on category and a range index on price.
D.Enable spatial index on price.
AnswerB

Composite index supports efficient filtering on both fields.

Why this answer

A composite index on (category, price) (option B) allows efficient range queries on price within a category. Option A uses separate indexes which may require composite index for range. Option C is too broad.

Option D is not a valid index type.

145
MCQeasy

You are developing an application that needs to retrieve secrets from Azure Key Vault. The application will run as an Azure Functions app. Which authentication method should you use to access Key Vault?

A.Use a client certificate stored in the function app
B.Use a system-assigned managed identity
C.Use the Key Vault connection string from app settings
D.Use the storage account access key from the function app
AnswerB

Managed identities provide a secure, passwordless authentication method directly integrated with Microsoft Entra ID.

Why this answer

Managed identities provide an automatically managed identity in Microsoft Entra ID for the Azure Functions app to authenticate to Key Vault without storing credentials in code. Option A is wrong because client certificates require certificate management. Option B is wrong because connection strings are not used for authentication to Key Vault.

Option D is wrong because access keys are for storage accounts, not Key Vault.

146
Multi-Selectmedium

Which TWO services can be used to implement a publish-subscribe messaging pattern in Azure?

Select 2 answers
A.Azure Storage Queues
B.Azure Event Hubs
C.Azure Service Bus Topics
D.Azure Event Grid
E.Azure Queue Storage
AnswersC, D

Service Bus Topics support pub-sub with subscriptions.

Why this answer

Azure Service Bus Topics and Azure Event Grid both support publish-subscribe. Option B is wrong because Storage Queues use point-to-point. Option D is wrong because Event Hubs is for event ingestion, not pub-sub.

Option E is wrong because Azure Queue Storage is point-to-point.

147
MCQeasy

You need to send email notifications from an Azure Function app when a new user registers in your application hosted on Azure App Service. Which Azure service should you use to send the emails?

A.Microsoft 365 SMTP relay
B.Azure Communication Services
C.SendGrid
D.Azure Logic Apps
AnswerC

SendGrid is a cloud-based email service suitable for transactional emails.

Why this answer

SendGrid is a third-party email delivery service available as an Azure Marketplace solution that integrates with Azure Functions. Option A is correct. Option B is incorrect; Azure Communication Services is for SMS, chat, and voice, not primarily email.

Option C is incorrect; Azure Logic Apps is a workflow service, not an email service. Option D is incorrect; Microsoft 365 SMTP is not recommended for automated transactional emails due to sending limits and authentication complexity.

148
MCQmedium

You are building an Azure Logic App that must call an external API that uses the OAuth 2.0 authorization code grant. The API requires the user to sign in interactively to grant consent. You want to minimize development effort and securely manage the token lifecycle. Which built-in action and authentication method should you use?

A.Use the 'HTTP' action with 'OAuth 2.0' authentication and configure the authorization endpoint, client ID, and client secret.
B.Use the 'HTTP + Swagger' action with 'Identity Provider' authentication.
C.Use the 'API Connection' action with a custom connector that uses OAuth 2.0.
D.Use the 'HTTP' action with 'Managed identity' authentication.
AnswerA

Correct. The HTTP action's OAuth2 authentication supports the authorization code grant, including interactive user consent.

Why this answer

Option A is correct because the 'HTTP' action with 'OAuth 2.0' authentication type in Azure Logic Apps is specifically designed to handle the authorization code grant flow, including interactive user consent. It manages the token lifecycle (acquisition, refresh, and storage) automatically, minimizing development effort. You only need to configure the authorization endpoint, client ID, and client secret, and the runtime handles the redirect and token exchange.

Exam trap

The trap here is that candidates often confuse 'Managed identity' (which is for Azure AD resources without user interaction) with OAuth 2.0 flows that require interactive consent, or they overcomplicate the solution by choosing a custom connector when the built-in 'HTTP' action already supports the authorization code grant natively.

How to eliminate wrong answers

Option B is wrong because the 'HTTP + Swagger' action with 'Identity Provider' authentication is used for calling APIs described by a Swagger/OpenAPI definition, not for OAuth 2.0 authorization code grant with interactive consent; it relies on a pre-configured identity provider (like Azure AD) and does not support the interactive user consent flow. Option C is wrong because using an 'API Connection' action with a custom connector that uses OAuth 2.0 requires you to build and manage a custom connector, which increases development effort and does not minimize it; the built-in 'HTTP' action is simpler. Option D is wrong because 'Managed identity' authentication is intended for authenticating to Azure resources (e.g., Azure Key Vault, Azure SQL) without user interaction, and it cannot handle the OAuth 2.0 authorization code grant that requires interactive user consent.

149
MCQhard

You are querying Azure Monitor metrics using Kusto Query Language (KQL). The query is supposed to return average metric values per hour per resource provider, but it returns no results. What is the most likely issue?

A.The ORDER BY clause should be before GROUP BY.
B.The 'bin' function is used incorrectly; it should be 'bin(TimeGenerated, 1h)' without the alias.
C.The table name should be 'AzureMetrics' instead of 'metrics'.
D.The GROUP BY clause cannot include a computed column like 'bin'.
AnswerC

Azure Monitor metrics are stored in the 'AzureMetrics' table in Log Analytics.

Why this answer

The query uses 'metrics' table, but Azure Monitor metrics are stored in the 'AzureMetrics' table. Option C is correct. Option A is incorrect because bin is valid; Option B is incorrect because GROUP BY works with bin; Option D is incorrect because ORDER BY is fine.

150
MCQhard

You are designing a solution that requires asynchronous processing of messages from an Azure Service Bus queue. The solution must guarantee at-least-once delivery and handle poison messages automatically. Which combination of Service Bus features should you use?

A.ReceiveAndDelete mode with a separate dead-letter queue
B.ReceiveAndDelete mode with automatic forwarding
C.PeekLock mode with sessions
D.PeekLock mode with dead-letter queue
AnswerD

PeekLock ensures at-least-once delivery; dead-letter queue captures poison messages after max delivery count.

Why this answer

Option D is correct because PeekLock mode locks the message during processing, preventing other consumers from processing it; if processing fails, the lock expires and the message becomes available again, achieving at-least-once delivery. The dead-letter queue automatically captures messages that exceed the maximum delivery count (poison messages). Option A is wrong because ReceiveAndDelete does not guarantee at-least-once delivery; if processing fails after deletion, the message is lost.

Option B is wrong because sessions are for ordered processing, not poison handling. Option C is wrong because automatic forwarding is for routing, not poison handling.

← PreviousPage 2 of 4 · 266 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Connect to and consume Azure services and third-party services questions.