CCNA Connect to and consume Azure services and third-party services Questions

41 of 266 questions · Page 4/4 · Connect to and consume Azure services and third-party services · Answers revealed

226
Multi-Selectmedium

Which TWO authentication methods can be used to connect an Azure App Service to an Azure SQL Database without storing connection strings in code or configuration files?

Select 2 answers
A.Client certificate installed on the App Service
B.Storage account access key
C.SQL Server authentication (username and password)
D.System-assigned managed identity
E.User-assigned managed identity
AnswersD, E

Managed identity provides a passwordless identity for the App Service.

Why this answer

Managed identities (system-assigned or user-assigned) and service principals are both identity-based methods that can authenticate to Azure SQL without storing credentials. Option A is wrong because SQL authentication uses username/password stored in configuration. Option B is wrong because the access key is for storage accounts.

Option D is wrong because certificates are stored in the app, not managed by Azure identity.

227
MCQhard

You are building a solution that processes orders from multiple regions. Orders must be processed in the order they are received, but processing can take up to 5 minutes. You need to ensure exactly-once processing and minimize latency. Which Azure service and configuration should you use?

A.Azure Service Bus Queue with sessions enabled
B.Azure Event Hubs with consumer groups
C.Azure Service Bus Queue with duplicate detection enabled
D.Azure Queue Storage with poison messages
AnswerA

Sessions ensure FIFO ordering and exactly-once processing.

Why this answer

Service Bus Queues with sessions provide FIFO ordering and duplicate detection. Option A is wrong because default queues don't guarantee order. Option C is wrong because Event Hubs is for streaming, not ordered queues.

Option D is wrong because Storage Queues don't guarantee FIFO.

228
MCQeasy

Fabrikam Inc. has an Azure Function app that processes image uploads. Each time a blob is added to a container in Azure Blob Storage, the function is triggered. The function resizes the image and stores the result in another container. Currently, the function uses an Azure Storage account connection string stored in application settings. The security team requires that no connection strings or access keys be stored in application settings. The function must use managed identity to access the storage account. The storage account is in the same subscription. Which action should the team take?

A.Generate a SAS token for the storage account and store it in Key Vault. Retrieve the SAS token at runtime and use it to create the BlobServiceClient.
B.Create a user-assigned managed identity, assign it to the Function app, and grant it 'Storage Blob Data Contributor' role. Store the client ID in app settings. Use ManagedIdentityCredential with the client ID in code.
C.Keep the connection string in app settings but encrypt it using Azure Key Vault. Use Key Vault references to retrieve it.
D.Enable system-assigned managed identity on the Function app. Assign the 'Storage Blob Data Contributor' role to the managed identity on the storage account. Remove the connection string from application settings. Update the code to use DefaultAzureCredential to authenticate to Blob Storage.
AnswerD

Correct: uses managed identity, no secrets.

Why this answer

Enable system-assigned managed identity on the Function app, then assign the 'Storage Blob Data Contributor' role to the identity on the storage account. Remove the connection string from app settings. Use DefaultAzureCredential in code.

Option A is correct. Option B is for user-assigned but unnecessary; still correct but not simplest. Option C uses access keys.

Option D uses SAS token.

229
MCQmedium

You are developing a solution that needs to consume an external SOAP web service. Which approach should you use to integrate it into a modern .NET Core application?

A.Use gRPC client to call the service.
B.Use HttpClient to send raw HTTP requests with SOAP envelope.
C.Use the WCF Client (System.ServiceModel) to generate a proxy and call the SOAP service.
D.Use Azure Logic Apps with a SOAP connector.
AnswerC

WCF Client supports SOAP in .NET Core.

Why this answer

Option A is correct because the WCF Client (System.ServiceModel) can be used to consume SOAP services in .NET Core. Option B is wrong because HttpClient is for REST. Option C is wrong because gRPC is for high-performance RPC, not SOAP.

Option D is wrong because Azure Logic Apps has a SOAP connector but adds unnecessary complexity.

230
MCQhard

A company uses Azure Event Hubs to ingest telemetry data from IoT devices. The data is processed by a stream analytics job that outputs to Azure Data Lake Storage Gen2. The developer needs to ensure that the stream analytics job can authenticate to Event Hubs without storing connection strings in code. Which authentication method should the developer use?

A.Use a connection string with the Event Hubs namespace
B.Use a client certificate
C.Use a Shared Access Signature (SAS) token
D.Use Managed Identity
AnswerD

Managed Identity provides secure authentication without storing credentials.

Why this answer

Option B is correct because Managed Identity allows Azure resources to authenticate to other Azure services without storing credentials. Option A is incorrect because Shared Access Signature requires a token stored somewhere. Option C is incorrect because connection strings expose secrets.

Option D is incorrect because a client certificate would need to be stored.

231
MCQeasy

You need to call a third-party REST API from your Azure Function app. The API requires an API key in the header. Where should you store the API key to keep it secure?

A.Environment variable in the hosting plan
B.Azure Key Vault
C.Connection string in the Function app
D.App settings in the Function app configuration
AnswerB

Key Vault provides secure storage, access policies, and audit logging.

Why this answer

Azure Key Vault is the recommended service for storing secrets like API keys. Option A is wrong because app settings are not encrypted at rest. Option C is wrong because connection strings are not for API keys.

Option D is wrong because environment variables are not secure.

232
MCQmedium

Refer to the exhibit. You are configuring Azure Monitor autoscale for a virtual machine scale set using the above JSON metric configuration. The autoscale rule is supposed to scale out when average memory usage exceeds 80%. However, autoscale is not triggering even when memory usage is consistently above 90%. What is the most likely cause?

A.The aggregation interval is too long; it should be set to 1 minute.
B.The metric name is incorrect; it should be 'Percentage Memory'.
C.The aggregation type should be 'Maximum' instead of 'Average'.
D.The autoscale rule condition is not configured to use this metric.
AnswerD

The exhibit only shows the metric definition; the autoscale rule must reference this metric, and if not, it won't trigger.

Why this answer

Option B is correct because the exhibit shows that the aggregation interval is set to 00:05:00 (5 minutes) and the aggregation type is Average. Autoscale rules use the aggregated metric over the specified duration. If the duration is not configured correctly, the rule may not trigger.

However, a common issue is that the memory metric is not available or not collected. But from the exhibit, it seems the metric is defined. Another possibility is that the autoscale rule's threshold is defined in a separate configuration.

The exhibit only shows the metric definition, not the actual autoscale rule condition. The most likely cause from the options is that the autoscale rule is not associated with the scale set or the metric is not being emitted. Option A is wrong because the aggregation interval is 5 minutes, which is valid.

Option C is wrong because the aggregation type is Average, which is appropriate. Option D is wrong because the metric name is 'MemoryPercent', which is a valid metric for VMs (if collected). However, the exhibit does not show the autoscale rule condition; it only shows the metric configuration for a custom metric.

The actual autoscale rule might be missing or misconfigured. Based on the options, Option B is the most plausible: the autoscale rule might not be configured to use this metric, or the metric source is not set.

233
MCQhard

Your Azure Function app processes messages from an Azure Service Bus queue. The function is triggered by Service Bus messages. Occasionally, the function throws an unhandled exception after the message is processed but before the function completes. What happens to the message?

A.The message is moved to the dead-letter queue.
B.The message is abandoned and becomes available for other consumers after the lock duration expires.
C.The message is completed automatically despite the exception.
D.The message is automatically removed from the queue.
AnswerB

Exception causes abandon; message is retried.

Why this answer

Option C is correct because the Service Bus trigger completes the message only when the function runs successfully to completion. If an exception occurs, the message is abandoned and becomes visible again after the lock duration expires, causing it to be retried. Option A is wrong because the message is not dead-lettered on exception; it is retried.

Option B is wrong because the message is not automatically removed; it remains in the queue. Option D is wrong because the message is not automatically completed.

234
MCQeasy

You need to expose an on-premises API securely to external partners without opening firewall ports. Which Azure service should you use?

A.Azure Traffic Manager
B.Azure API Management
C.Azure Application Gateway
D.Azure Front Door
AnswerB

Exposes APIs securely, can route to on-prem.

Why this answer

Option D is correct because Azure API Management can expose APIs securely and integrate with on-premises backends via VPN or ExpressRoute. Option A is wrong because Azure Front Door is for global load balancing and CDN, not for exposing on-premises APIs. Option B is wrong because Azure Application Gateway is a regional load balancer with WAF, but not designed for API exposure.

Option C is wrong because Azure Traffic Manager is DNS-based load balancing.

235
MCQeasy

Your company uses Azure API Management (APIM) to expose several APIs. One of the backend APIs requires an API key that is stored in Azure Key Vault. You need to configure APIM to retrieve the API key from Key Vault and pass it to the backend in a header without exposing the key in policy definitions. Which APIM feature should you use?

A.Use a policy expression with the context.Variables to store the key.
B.Store the API key directly in the backend settings of the API.
C.Use a named value that references the Key Vault secret, and reference that named value in a set-header policy.
D.Use the authentication-managed-identity policy to authenticate to Key Vault and retrieve the secret.
AnswerC

Correct. Named values in APIM can be linked to Key Vault secrets. The policy will automatically retrieve the secret value and use it in the header without exposing the secret.

Why this answer

Option C is correct because named values in Azure API Management can be configured to reference secrets stored in Azure Key Vault. When a named value is linked to a Key Vault secret, APIM automatically retrieves the secret value at runtime and can inject it into policies (e.g., a set-header policy) without the secret ever appearing in plaintext in the policy definition. This approach ensures the API key is securely managed and not exposed in source control or policy code.

Exam trap

The trap here is that candidates often confuse the authentication-managed-identity policy (used for backend authentication) with the named value Key Vault integration (used for secret retrieval), leading them to select option D even though it does not directly retrieve secrets from Key Vault.

How to eliminate wrong answers

Option A is wrong because context.Variables in a policy expression are used to store temporary values within a policy scope, but they cannot directly retrieve secrets from Key Vault; the secret would still need to be fetched via a named value or managed identity, making this approach incomplete and insecure if the key is hardcoded. Option B is wrong because storing the API key directly in the backend settings of the API would expose the key in plaintext within the APIM configuration, violating the requirement to avoid exposing the key in policy definitions and not leveraging Key Vault for secure storage. Option D is wrong because the authentication-managed-identity policy is used to authenticate APIM to a backend service (e.g., to call another Azure resource), not to retrieve secrets from Key Vault; retrieving a secret from Key Vault requires a named value with a Key Vault reference or a custom policy using the send-request policy with managed identity, but the authentication-managed-identity policy alone does not fetch secrets.

236
MCQmedium

You are implementing Azure API Management (APIM) to expose a legacy SOAP service as a modern REST API. The SOAP service requires WS-Security UsernameToken authentication. How should you configure APIM to handle this?

A.Use the 'convert-soap-to-rest' policy and configure OAuth2 for the backend.
B.Use a 'set-header' policy to add the WS-Security UsernameToken to the backend request.
C.Create a custom connector in Power Automate and import it to APIM.
D.Configure APIM with a client certificate and use the 'validate-client-certificate' policy.
AnswerB

The 'set-header' policy can inject the required SOAP header with credentials.

Why this answer

APIM can transform SOAP to REST using policies. For WS-Security, you can use the 'set-header' policy to add the UsernameToken. Option C is correct because you need to pass credentials to the backend.

Option A is not possible; Option B is not needed; Option D is for OAuth.

237
MCQeasy

Your company wants to send email notifications to users via a third-party email service (SendGrid) from an Azure Logic App. What is the recommended way to securely store the SendGrid API key?

A.Store the API key in Azure Key Vault and use a managed identity to retrieve it
B.Store the API key in an App Setting of the Logic App
C.Hardcode the API key in the Logic App workflow definition
D.Store the API key in an environment variable on the integration service environment
AnswerA

Key Vault provides secure storage with access policies and auditing.

Why this answer

Option B is correct because Azure Key Vault securely stores secrets and can be accessed by Logic Apps via managed identity. Option A is wrong because app settings are less secure. Option C is wrong because hardcoding is a bad practice.

Option D is wrong because environment variables are not recommended for secrets.

238
MCQhard

Adventure Works is developing a payment processing system on Azure. The system uses an Azure Service Bus queue to decouple the frontend from the backend. The frontend sends a message to the queue. A backend service, running as an Azure WebJob, processes the message and calls a third-party payment gateway via HTTPS. The backend must authenticate to the payment gateway using a client certificate stored in Azure Key Vault. The WebJob must be able to access the certificate without storing any secrets in configuration. The WebJob runs in an App Service plan with system-assigned managed identity enabled. Which approach should the team use to retrieve the certificate and authenticate to the payment gateway?

A.In the WebJob code, use SecretClient from Azure.Security.KeyVault.Secrets to retrieve the certificate as a secret. Parse the secret value to X509Certificate2. Use the certificate in HttpClientHandler to call the payment gateway.
B.Store the certificate as a .pfx file in a blob container with a SAS token. Download the blob using the SAS token and load the certificate.
C.Create a service principal with a client secret, store the secret in Key Vault. Use ClientSecretCredential to authenticate to Key Vault and retrieve the certificate.
D.Store the certificate thumbprint in application settings. Use the Azure App Service certificate store to load the certificate by thumbprint.
AnswerA

Correct: uses managed identity to retrieve certificate from Key Vault.

Why this answer

Use the Key Vault SDK with DefaultAzureCredential to download the certificate as X509Certificate2. Use that certificate in HttpClientHandler. Option A is correct.

Option B uses a secret identifier, but certificate with private key is better. Option C uses connection strings. Option D uses a service principal with secret.

239
MCQmedium

Your company uses Azure Logic Apps to automate a business process. The process needs to call an external REST API that requires an API key passed in the Authorization header. You need to store the API key securely and reference it in the Logic App. Which approach should you use?

A.Store the API key in the Logic App's definition as a constant
B.Use an Azure Key Vault secret and a managed identity
C.Hardcode the API key in a parameter file
D.Use an Azure Storage account table to store the key
AnswerB

Key Vault provides secure secret storage, and a managed identity allows the Logic App to authenticate without credentials.

Why this answer

Option B is correct because Azure Key Vault securely stores secrets like API keys, and using a managed identity allows the Logic App to authenticate to Key Vault without embedding credentials in code or configuration. This follows the principle of least privilege and eliminates the need to manage secrets in connection strings or parameter files.

Exam trap

The trap here is that candidates often choose Option A or C because they think storing the key in the Logic App definition or a parameter file is 'secure enough' for development, but the exam emphasizes that any plaintext storage in code or configuration is a security violation, and the only correct approach is to use a dedicated secrets store like Key Vault with managed identity.

How to eliminate wrong answers

Option A is wrong because storing the API key as a constant in the Logic App's definition exposes the key in plaintext within the workflow JSON, which can be viewed by anyone with read access to the Logic App and violates security best practices. Option C is wrong because hardcoding the API key in a parameter file still stores the key in plaintext within the deployment or configuration files, which can be leaked through source control or logs. Option D is wrong because using an Azure Storage account table to store the key does not provide encryption at rest by default (unless client-side encryption is implemented) and requires managing access keys for the storage account, introducing additional security risks.

240
MCQmedium

You are building an event-driven application that needs to publish messages to multiple independent subscribers. Each subscriber must be able to filter messages based on custom properties, and each subscriber must receive all messages that match its filter, even if other subscribers have different filters. The solution must guarantee message delivery. Which Azure messaging service should you use?

A.Azure Queue Storage
B.Azure Service Bus Topics and Subscriptions
C.Azure Service Bus Queues
D.Azure Event Hubs
AnswerB

You can create a topic with multiple subscriptions, each with its own filter. Each subscription receives a copy of messages that match its filter, supporting independent consumption.

Why this answer

Azure Service Bus Topics and Subscriptions are designed for publish-subscribe messaging where multiple independent subscribers each receive a copy of every message that matches their filter criteria. The topic allows publishing messages with custom properties, and each subscription can define a SQL-like filter (using the `SqlFilter` class) to select only relevant messages. This ensures that all subscribers receive all messages matching their filter, with guaranteed delivery via the broker's persistent storage and at-least-once delivery semantics.

Exam trap

The trap here is that candidates confuse Azure Service Bus Queues (point-to-point) with Topics (publish-subscribe), or assume Event Hubs can handle per-subscriber filtering, but Event Hubs lacks broker-side filtering and guarantees each event is consumed by only one consumer per consumer group, not by multiple independent subscribers with custom filters.

How to eliminate wrong answers

Option A is wrong because Azure Queue Storage provides a simple FIFO queue for point-to-point messaging; it does not support multiple independent subscribers or message filtering based on custom properties — each message is consumed by a single consumer. Option C is wrong because Azure Service Bus Queues also implement a point-to-point pattern where each message is delivered to only one consumer; they lack the publish-subscribe capability and per-subscriber filtering that topics and subscriptions provide. Option D is wrong because Azure Event Hubs is optimized for high-throughput event ingestion from multiple producers, not for guaranteed delivery to multiple independent subscribers with custom property filtering — it uses consumer groups for load balancing, not per-subscriber filters, and does not offer the same broker-level filtering or at-least-once delivery guarantees for each subscriber.

241
Drag & Dropmedium

Arrange the steps to deploy a containerized application to Azure Container Instances (ACI) from Azure Container Registry (ACR) in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create ACR, push image, create container group, configure settings, then start.

242
MCQeasy

A company wants to send email notifications from an Azure Function app. The function app runs on a Consumption plan. Which service should be used to send emails?

A.Azure Logic Apps
B.Microsoft Graph API
C.Azure Communication Services
D.SendGrid
AnswerD

SendGrid is a third-party email service integrated with Azure, suitable for sending emails from functions.

Why this answer

Option A is correct because SendGrid is a third-party email service available as an Azure Marketplace integration. Option B is incorrect because Azure Logic Apps could be used but adds overhead. Option C is incorrect because Azure Communication Services is for SMS/chat, not email.

Option D is incorrect because Microsoft Graph API sends emails from a user mailbox, which is not suitable for automated notifications.

243
MCQhard

Your organization uses Azure API Management (APIM) to expose internal APIs to external partners. You need to ensure that only partners with a valid subscription key can access the APIs. Additionally, you want to log all requests for auditing. Which APIM policy should you implement?

A.Apply a <validate-jwt> policy and a <log-to-eventhub> policy
B.Apply an <ip-filter> policy
C.Apply a <rate-limit> policy
D.Apply a <cors> policy
AnswerA

<validate-jwt> can validate the subscription key in the header, and <log-to-eventhub> enables auditing.

Why this answer

The <validate-jwt> policy can check the subscription key (via the 'Ocp-Apim-Subscription-Key' header) and the <log-to-eventhub> policy sends logs to an event hub for auditing. Option A is wrong because <rate-limit> only throttles, not validates. Option B is wrong because <cors> handles cross-origin requests.

Option C is wrong because <ip-filter> filters by IP, not by key.

244
MCQeasy

You are building an Azure Logic App that must send an email notification when a new file is added to a SharePoint Online document library. Which connector and trigger should you use?

A.Use the SharePoint connector with the 'When a file is created' trigger
B.Use the Office 365 Outlook connector with the 'When a new email arrives' trigger
C.Use the Azure Blob Storage connector with the 'When a blob is added or modified' trigger
D.Use the HTTP connector with a manual trigger and poll SharePoint's REST API
AnswerA

This is the correct approach: SharePoint connector natively integrates with Logic Apps and provides a trigger for file creation.

Why this answer

The SharePoint connector's 'When a file is created' trigger is the correct choice because it directly monitors a SharePoint Online document library for new file additions and initiates the Logic App workflow automatically. This trigger uses SharePoint's webhook capabilities to receive real-time notifications, eliminating the need for polling or manual intervention.

Exam trap

The trap here is that candidates may confuse the SharePoint connector with other storage connectors (like Azure Blob Storage) or mistakenly think a polling-based HTTP approach is simpler, overlooking the native event-driven trigger that is purpose-built for this exact scenario.

How to eliminate wrong answers

Option B is wrong because the Office 365 Outlook connector's 'When a new email arrives' trigger monitors an email inbox, not a SharePoint document library, and would require an email to be sent for each file addition, which is not the requirement. Option C is wrong because the Azure Blob Storage connector's 'When a blob is added or modified' trigger is designed for Azure Blob Storage containers, not SharePoint Online document libraries, and cannot directly detect file changes in SharePoint. Option D is wrong because using the HTTP connector with a manual trigger and polling SharePoint's REST API introduces unnecessary complexity, latency, and resource consumption compared to the native event-driven trigger, and it lacks the built-in authentication and optimization of the SharePoint connector.

245
MCQmedium

Contoso Ltd. is migrating a legacy on-premises application to Azure. The application processes customer orders and sends confirmation emails. The new solution must use Azure Functions with an HTTP trigger to receive orders, store order data in Azure Cosmos DB, and send emails via SendGrid. Security requirements: All connections must use managed identities where possible. No secrets should be stored in code or configuration files. Cosmos DB and SendGrid API keys must be retrieved at runtime from Azure Key Vault. The Azure Function app must be able to access Key Vault without storing any connection strings or secrets in application settings. The development team plans to use the Azure.Identity and Azure.Security.KeyVault.Secrets libraries. Which approach should the team use to authenticate to Key Vault?

A.Upload a client certificate to the Function app's certificate store. Use ClientCertificateCredential to authenticate to Key Vault.
B.Use Key Vault references in application settings. Store the Key Vault URI in app settings and let the Functions runtime resolve secrets.
C.Enable system-assigned managed identity on the Function app. Grant the identity 'Get' and 'List' permissions on Key Vault secrets. Use DefaultAzureCredential in code to authenticate to Key Vault.
D.Create a user-assigned managed identity, assign it to the Function app, and store its client ID in application settings. Grant the identity permissions to Key Vault. Use ClientSecretCredential with the client ID and a secret.
AnswerC

Correct: no secrets stored, managed identity used.

Why this answer

Enable system-assigned managed identity on the Function app, then grant that identity 'Get' and 'List' permissions on the Key Vault secrets. The code uses DefaultAzureCredential to authenticate. Option A is correct.

Option B requires storing a client ID, not fully secret-free. Option C requires storing certificate thumbprint. Option D requires storing connection string.

246
MCQhard

A company has an Azure Function app that processes messages from an Azure Storage queue. The function fails intermittently with timeout exceptions when the queue has many messages. What is the best approach to handle this?

A.Upgrade to a Premium plan
B.Decrease the batch size to reduce processing time per batch
C.Scale out the function app to multiple instances
D.Increase the batch size in the function's host.json
AnswerD

Larger batch size reduces total invocations and improves throughput.

Why this answer

Increasing the batch size allows the function to process more messages per invocation, improving throughput. Option A is wrong because scaling out may cause more timeouts. Option C is wrong because reducing batch size would increase timeouts.

Option D is wrong because premium plan increases cost but does not directly solve timeouts.

247
MCQeasy

You are developing an ASP.NET Core application that needs to access Azure Key Vault to retrieve secrets. You have enabled a managed identity for the App Service. Which Azure SDK class should you use to authenticate to Key Vault?

A.DefaultAzureCredential
B.ClientSecretCredential
C.ManagedIdentityCredential
D.InteractiveBrowserCredential
AnswerA

Correct. It automatically uses the available managed identity and falls back to other credential types if needed.

Why this answer

DefaultAzureCredential is the recommended approach because it provides a chained authentication mechanism that attempts multiple credential types in order, including ManagedIdentityCredential, EnvironmentCredential, and others. When running in an Azure App Service with a managed identity enabled, DefaultAzureCredential will automatically use the managed identity to authenticate to Key Vault, making it the most flexible and future-proof choice for this scenario.

Exam trap

The trap here is that candidates see 'managed identity' and immediately choose ManagedIdentityCredential, forgetting that DefaultAzureCredential is the recommended and more robust choice that automatically includes managed identity support.

How to eliminate wrong answers

Option B (ClientSecretCredential) is wrong because it requires explicitly providing a client secret (password) for a service principal, which defeats the purpose of using a managed identity and introduces secret management overhead. Option C (ManagedIdentityCredential) is wrong because while it would work in this specific scenario, it is not the best practice; DefaultAzureCredential is preferred as it falls back to other credential types (e.g., environment variables, Visual Studio credentials) if the managed identity is unavailable, providing better portability and resilience. Option D (InteractiveBrowserCredential) is wrong because it requires user interaction via a browser to authenticate, which is unsuitable for a server-side App Service that runs unattended.

248
MCQmedium

A company uses Azure DevOps to deploy microservices to Azure Kubernetes Service (AKS). They need to securely pull container images from Azure Container Registry (ACR) during deployment without storing credentials. Which authentication method should they use?

A.ACR Tasks
B.ACR admin keys
C.Managed Identity
D.Service principal with password
AnswerC

AKS's managed identity with AcrPull role avoids storing credentials.

Why this answer

AKS can be assigned a Managed Identity with AcrPull role to pull images from ACR without storing credentials. Option A is wrong because service principal requires credential management. Option C is wrong because admin keys are insecure.

Option D is wrong because ACR tasks build images, not pull them.

249
MCQmedium

A retail system uses Azure Service Bus to process orders. Each order has multiple messages (e.g., payment, shipping, confirmation) that must be processed in sequence. You need to guarantee that all messages belonging to the same order are handled by the same consumer in order. Which Service Bus feature should you use?

A.Sessions
B.Scheduled messages
C.Dead-letter queue
D.Auto-forwarding
AnswerA

Sessions ensure FIFO ordering and guarantee that messages with the same session ID are processed by a single consumer.

Why this answer

Sessions in Azure Service Bus enable ordered, first-in-first-out (FIFO) processing of related messages. By setting the SessionId property to the order ID, all messages for that order are grouped into a session, ensuring a single consumer processes them sequentially. This guarantees that payment, shipping, and confirmation messages for the same order are handled in order and by the same consumer.

Exam trap

The trap here is that candidates may confuse Sessions with Scheduled messages or Auto-forwarding, mistakenly thinking that delaying delivery or forwarding messages can achieve ordered processing, but only Sessions provide the required consumer affinity and FIFO guarantee for grouped messages.

How to eliminate wrong answers

Option B (Scheduled messages) is wrong because it only delays message delivery to a future time and does not provide any ordering or grouping guarantees for related messages. Option C (Dead-letter queue) is wrong because it is a sub-queue for storing messages that cannot be processed normally (e.g., due to exceeding MaxDeliveryCount), not for ensuring ordered processing of grouped messages. Option D (Auto-forwarding) is wrong because it automatically forwards messages from one queue or subscription to another based on a rule, but it does not enforce FIFO ordering or consumer affinity for related messages.

250
MCQmedium

You are designing a microservices architecture where each service needs to publish events to multiple subscribers. You choose Azure Event Grid. However, one of the subscribers is a third-party service that requires HTTPS endpoint and custom headers in the event delivery. How should you configure Event Grid?

A.Use Event Grid's 'Advanced Filters' to add custom headers to events.
B.Use Event Grid domains to route events to the third-party service.
C.Set custom headers in the event subscription's 'Delivery Properties' configuration.
D.Configure a dead-letter destination to handle delivery failures.
AnswerC

Event Grid allows you to define custom headers that are included in the HTTP POST to the endpoint.

Why this answer

Event Grid supports custom headers in event subscriptions via the 'includedEventTypes' and 'subjectBeginsWith' filters, but for custom headers, you need to use the 'Advanced Filter' or 'Delivery Properties'. Option C is correct because you can set custom headers in the event subscription. Option A is not supported; Option B is for dead-lettering; Option D is for filtering.

251
MCQeasy

A developer needs to call a third-party REST API from an Azure Function app. The API requires OAuth2 client credentials flow. Which approach should they use to securely store and retrieve the client secret?

A.Store in application settings as environment variable
B.Store in Azure App Configuration
C.Store in Azure Key Vault
D.Use Managed Identity
AnswerC

Key Vault securely stores secrets and provides access via managed identity.

Why this answer

Azure Key Vault is the secure store for secrets like client secrets. Option A is wrong because App Configuration is for configuration. Option B is wrong because environment variables are not secure.

Option D is wrong because Managed Identity does not store secrets; it provides identity.

252
MCQhard

You are designing a solution that reads messages from an Azure Service Bus queue and processes them using an Azure Function. The function must process messages in order and ensure no duplicate processing. Which configuration should you use?

A.Use auto-forwarding to a dead-letter queue on failure
B.Partition the queue and use multiple functions to process each partition in order
C.Enable sessions on the queue and use peek-lock mode with automatic complete on success
D.Use receive and delete mode to ensure each message is processed only once
AnswerC

Sessions guarantee order; peek-lock with complete ensures exactly-once processing.

Why this answer

Option A is correct because Service Bus sessions enable ordered processing, and peek-lock mode with complete on success prevents duplicates. Option B is wrong because receive and delete does not allow retries. Option C is wrong because partitions are for throughput, not ordering.

Option D is wrong because manual completion is less reliable.

253
MCQhard

You have an Azure Function app that processes messages from a Service Bus queue. The function uses the Service Bus trigger. You notice that under high load, some messages are processed multiple times. What is the most likely cause?

A.The queue is partitioned
B.The lock duration is too short for message processing time
C.The batch size is too large
D.The maxDeliveryCount is set too high
AnswerB

If processing exceeds lock duration, the message is released and reprocessed.

Why this answer

The Service Bus trigger uses peek-lock mode, and if the function fails to complete the message within the lock duration, the message becomes visible again for reprocessing. Option A is wrong because max delivery count does not cause duplicates. Option B is wrong because batch size doesn't cause duplicates.

Option D is wrong because partitioning does not cause duplicates; it relates to ordering.

254
MCQmedium

You are developing a .NET Core web application that needs to send an email notification when a user registers. You decide to use Azure Communication Services Email. Which authentication method should you use to securely connect from your application to Azure Communication Services?

A.Use an Azure AD service principal with client secret.
B.Use an endpoint and an access key from Azure Communication Services.
C.Use a connection string from the Azure portal.
D.Use a managed identity for Azure resources.
AnswerB

The correct authentication method for Azure Communication Services Email is to use the endpoint and access key provided in the Azure portal.

Why this answer

Azure Communication Services uses an endpoint and an access key for authentication. Connection strings are not used; Azure AD is supported but requires additional setup; managed identity is an option but not the simplest for this scenario.

255
Multi-Selecthard

Which TWO are best practices when using Azure Service Bus for high-throughput messaging?

Select 2 answers
A.Enable duplicate detection for all queues
B.Use sessions to guarantee ordering
C.Enable batching of messages when sending
D.Use partitioned queues or topics
E.Send messages larger than 256 KB to reduce the number of messages
AnswersC, D

Batching reduces the number of operations and improves throughput.

Why this answer

Batching messages reduces overhead. Using partitioned queues improves throughput. Option C is wrong because large messages reduce throughput.

Option D is wrong because sessions can limit throughput. Option E is wrong because duplicate detection adds overhead.

256
MCQmedium

Refer to the exhibit. A developer deploys this ARM template to create a web app with a connection string to Azure Cosmos DB. The deployment succeeds but the web app cannot connect to Cosmos DB. What is the most likely cause?

A.The connection string should use a secret reference to Azure Key Vault
B.The listKeys function is used incorrectly
C.The web app name parameter is missing
D.The listKeys function requires a different API version
AnswerA

Best practice is to use Key Vault references, but the immediate issue is that the connection string is incomplete; it needs the full connection string format.

Why this answer

Option B is correct because the connection string should use a secret reference to Azure Key Vault for security, and the raw master key in plaintext is not allowed. Option A is incorrect because the function is correct. Option C is incorrect because the listKeys function works.

Option D is incorrect because the deployment succeeded.

257
MCQmedium

You are developing a solution that processes large files uploaded by users to Azure Blob Storage. Each file must be validated for malware using Microsoft Defender for Cloud Apps before being moved to a different container for further processing. The validation can take several minutes. What is the most cost-effective and scalable approach?

A.Use Azure Event Grid to trigger an Azure Function on blob creation, which validates the file and moves it after scan.
B.Use the Azure SDK to poll for new blobs from within a continuously running background service.
C.Use an Azure VM running a scheduled task to poll for new blobs and perform validation.
D.Use Azure Logic Apps with a recurrence trigger to check for new blobs and call the Microsoft Defender API.
AnswerA

Event-driven, serverless, and cost-effective.

Why this answer

Azure Event Grid can trigger an Azure Function when a blob is created. The function can use Defender for Cloud Apps (or Microsoft Defender XDR) to scan the file. This is event-driven, scalable, and cost-effective.

Option A is correct. Option B is incorrect because using a VM would require manual scaling and incur costs even when idle. Option C is incorrect because Logic Apps may be more expensive for long-running operations.

Option D is incorrect because the SDK polling is inefficient and not real-time.

258
MCQmedium

A developer exposes several backend APIs through Azure API Management. Clients must be throttled by subscription to protect the backend. What should be configured?

A.Blob soft delete
B.Application Insights sampling
C.Private DNS zone only
D.API Management rate-limit or quota policy
AnswerD

APIM policies can enforce rate limits and quotas per subscription or caller.

Why this answer

Option D is correct because Azure API Management provides built-in rate-limit and quota policies that allow you to throttle client requests based on subscription keys. These policies enforce limits per subscription scope, protecting backend services from excessive traffic by rejecting requests that exceed the defined rate (e.g., requests per second) or quota (e.g., total calls per month). This directly addresses the requirement to throttle clients by subscription.

Exam trap

The trap here is that candidates may confuse telemetry or storage features (like Application Insights sampling or Blob soft delete) with API throttling mechanisms, overlooking that API Management's rate-limit and quota policies are the correct and direct solution for subscription-based throttling.

How to eliminate wrong answers

Option A is wrong because Blob soft delete is an Azure Storage feature that protects blob data from accidental deletion by retaining deleted blobs for a specified retention period; it has no role in API throttling or subscription-based rate limiting. Option B is wrong because Application Insights sampling is a telemetry feature that reduces data ingestion volume by selecting a percentage of events to analyze; it does not enforce any request throttling or access control on API calls. Option C is wrong because a Private DNS zone only is used for custom domain name resolution within a virtual network, not for implementing API rate limits or subscription-based throttling.

259
MCQeasy

You are building a solution that needs to send millions of events per second to Azure for processing. Which Azure service should you use to ingest the events?

A.Azure Service Bus
B.Azure Event Hubs
C.Azure IoT Hub
D.Azure Notification Hubs
AnswerB

Event Hubs is a big data streaming platform and event ingestion service.

Why this answer

Azure Event Hubs is designed for high-throughput data ingestion, capable of handling millions of events per second. Option A is wrong because Service Bus is for enterprise messaging with lower throughput. Option B is wrong because IoT Hub is for IoT device connectivity.

Option D is wrong because Notification Hubs is for push notifications.

260
MCQhard

Your company has an on-premises Windows service that exposes a custom TCP endpoint. You are building an Azure Logic App that needs to send data to this endpoint. Due to network security policies, you cannot open inbound ports in the firewall. You need to establish a secure bidirectional connection without configuring a VPN. Which Azure service should you use?

A.Azure API Management with on-premises gateway
B.Azure Relay Hybrid Connections
C.Azure Application Gateway with private link
D.Azure ExpressRoute
AnswerB

Correct. Hybrid Connections allow secure, outbound-only connections from on-premises to Azure, suitable for any TCP-based protocol.

Why this answer

Azure Relay Hybrid Connections enable secure bidirectional communication between on-premises services and cloud applications without opening inbound firewall ports. The on-premises service initiates an outbound connection to the Azure Relay over port 443 (HTTPS), and the Logic App sends data through the relay, which forwards it over the already-established outbound tunnel. This satisfies the requirement for a secure, bidirectional connection without VPN or inbound port exposure.

Exam trap

The trap here is that candidates often confuse Azure Relay with Azure API Management or Application Gateway, assuming they can handle arbitrary TCP traffic, but only Hybrid Connections provide the outbound-initiated tunnel required when inbound ports are blocked.

How to eliminate wrong answers

Option A is wrong because Azure API Management with on-premises gateway is designed for exposing and managing APIs, not for establishing a bidirectional TCP tunnel; it still requires inbound connectivity or a VPN for the gateway to reach the on-premises service. Option C is wrong because Azure Application Gateway with private link provides inbound HTTPS load balancing and private connectivity to Azure services, but it does not create an outbound-initiated tunnel to an on-premises TCP endpoint without opening inbound ports. Option D is wrong because Azure ExpressRoute establishes a dedicated private network connection between on-premises and Azure, which requires BGP routing and often firewall configuration, violating the 'no VPN' and 'no inbound ports' constraints.

261
MCQmedium

An application uses Azure Redis Cache to improve performance. The team notices that cache misses are high and the cache is not effectively reducing database load. What should they do to improve cache hit ratio?

A.Increase the cache size
B.Increase the time-to-live (TTL) for cached items
C.Implement cache-aside pattern with manual invalidation
D.Change the eviction policy to allkeys-lfu
AnswerB

Longer TTL keeps data in cache, reducing misses.

Why this answer

Increasing TTL keeps data in cache longer, reducing misses. Option A is wrong because increasing cache size does not guarantee better hit ratio. Option C is wrong because manual invalidation may increase misses.

Option D is wrong because eviction policy affects which data is removed, not hit ratio directly.

262
MCQeasy

Your web app hosted on Azure App Service needs to consume an external SaaS API that requires an API key. The key must be stored securely and rotated without redeploying the app. What is the best approach?

A.Store the API key in Azure SQL Database and query it at startup.
B.Store the API key in Azure Key Vault and use a managed identity to retrieve it.
C.Store the API key in a configuration file in the application code.
D.Store the API key in an App Service application setting.
AnswerD

App settings are encrypted and can be changed without redeployment; they are accessible via environment variables.

Why this answer

Option D is correct because App Service application settings are encrypted at rest and can be updated directly in the Azure portal or via CLI without redeploying the app. The app reads the setting at runtime from environment variables, making it easy to rotate the API key by simply changing the setting value. This approach satisfies the requirements of secure storage and rotation without redeployment.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing Azure Key Vault with managed identity (Option B) because it is the most secure option in general, but the question specifically asks for the 'best approach' given the constraints of secure storage and rotation without redeployment, and App Service application settings are the simplest and most direct solution that fully meets those requirements.

How to eliminate wrong answers

Option A is wrong because querying an Azure SQL Database at startup introduces unnecessary latency, complexity, and potential security exposure from connection strings, and it does not leverage Azure's built-in secure storage for secrets. Option B is wrong because while Azure Key Vault with managed identity is a highly secure approach, it is overkill for a single API key and requires additional code and configuration (e.g., using Key Vault references or SDK calls), whereas App Service application settings provide a simpler solution that still meets the requirements. Option C is wrong because storing the API key in a configuration file in the application code exposes the key in source control and prevents rotation without redeploying the app, violating both security and rotation requirements.

263
MCQmedium

You are building an Azure Logic App that needs to call an external API secured with OAuth 2.0 client credentials flow. You have registered an application in Microsoft Entra ID with client ID 'myClientId' and client secret stored in Key Vault. Which action should you use to authenticate?

A.HTTP action with Active Directory OAuth authentication
B.HTTP action with Managed Identity authentication
C.Invoke the API through Azure API Management
D.Use the Microsoft Entra ID OAuth 2.0 connector
AnswerA

The HTTP action in Logic Apps can be configured with Active Directory OAuth, which handles the client credentials flow and token management.

Why this answer

Option A is correct because the HTTP action in Azure Logic Apps supports an 'Active Directory OAuth' authentication type that directly implements the OAuth 2.0 client credentials flow. By providing the tenant ID, client ID, and referencing the client secret from Key Vault (via a secure parameter or connection reference), the Logic App can obtain an access token from Microsoft Entra ID and authenticate to the external API without custom code.

Exam trap

The trap here is that candidates often confuse the 'Managed Identity' option (which works only for Azure resources that accept Microsoft Entra ID tokens directly) with the need to authenticate to an external third-party API, or they mistakenly look for a dedicated 'OAuth 2.0 connector' instead of using the HTTP action's built-in authentication type.

How to eliminate wrong answers

Option B is wrong because Managed Identity authentication is designed for Azure-to-Azure scenarios where the resource (e.g., Azure Storage, Key Vault) supports Microsoft Entra ID token-based auth; it cannot be used to authenticate to an arbitrary external API secured with OAuth 2.0 client credentials flow unless that API explicitly trusts the managed identity's token. Option C is wrong because invoking the API through Azure API Management does not solve authentication; API Management would still need to authenticate to the external API, and the Logic App would need to pass credentials or tokens to API Management, adding unnecessary complexity. Option D is wrong because the 'Microsoft Entra ID OAuth 2.0 connector' is a deprecated or non-existent connector; the correct approach is to use the HTTP action with the built-in Active Directory OAuth authentication type, not a separate connector.

264
MCQhard

Your company uses Azure Service Bus topics and subscriptions to send order notifications. You notice that some messages are not being delivered to a subscription. The subscription has a SQL filter that matches messages with a 'region' property equal to 'EU'. You verify that the messages have 'region' set to 'eu' (lowercase). What is the most likely cause?

A.The SQL filter is case-sensitive and 'EU' does not match 'eu'.
B.The subscription is disabled.
C.The subscription has no filter defined.
D.The subscription has a correlation filter instead.
AnswerA

SQL filters are case-sensitive by default.

Why this answer

Option B is correct because SQL filters in Service Bus are case-sensitive. Option A is wrong because the Action property does not affect filtering. Option C is wrong because the default filter is 'MatchAll', which would match all messages.

Option D is wrong because the subscription already exists.

265
MCQmedium

Your app uses Azure Key Vault to store secrets. You need to grant the app access to read secrets using managed identity. Which RBAC role should you assign to the app's managed identity?

A.Key Vault Crypto Officer
B.Key Vault Reader
C.Key Vault Contributor
D.Key Vault Secrets User
AnswerD

This role allows reading secret values.

Why this answer

Key Vault Secrets User is the least-privilege role for reading secrets. Option A is wrong because Key Vault Reader only allows listing secrets, not reading values. Option C is wrong because Key Vault Contributor allows management.

Option D is wrong because Key Vault Crypto Officer is for cryptographic keys.

266
MCQeasy

A developer is building a function app that processes messages from an Azure Storage queue. The function must scale automatically based on queue length. Which hosting plan supports this automatic scaling?

A.Consumption plan
B.Premium plan
C.App Service plan
D.Azure Container Instances
AnswerA

Automatically scales based on event-driven triggers.

Why this answer

Consumption plan (option D) automatically scales based on triggers. Premium plan (A) also scales but has pre-warmed instances. App Service plan (B) does not auto-scale based on queue length.

Container Instances (C) is not for functions.

← PreviousPage 4 of 4 · 266 questions total

Ready to test yourself?

Try a timed practice session using only Connect to and consume Azure services and third-party services questions.