Back to Microsoft Azure Developer Associate AZ-204 questions

Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Microsoft Azure Developer Associate AZ-204 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15
scenario questions
AZ-204
exam code
Microsoft
vendor

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Related practice questions

Related AZ-204 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1easymultiple choice
Full question →

Refer to the exhibit. You are analyzing the Azure Blob Storage service properties configured for a storage account. A web application hosted at https://www.contoso.com attempts to make a PUT request to a blob. The request fails with a CORS error. What is the most likely cause?

Exhibit

{
  "version": "2019-04-01",
  "properties": {
    "cors": {
      "corsRules": [
        {
          "allowedOrigins": ["https://www.contoso.com"],
          "allowedMethods": ["GET", "PUT"],
          "allowedHeaders": ["*"],
          "exposedHeaders": ["x-ms-request-id"],
          "maxAgeInSeconds": 3600
        }
      ]
    },
    "deleteRetentionPolicy": {
      "enabled": true,
      "days": 7
    }
  }
}
Question 2hardmultiple choice
Full question →

Refer to the exhibit. You are reviewing a role assignment for a managed identity. The JSON shows the role and scope. What access does this assignment grant?

Exhibit

{"role": "Storage Blob Data Contributor", "scope": "/subscriptions/12345/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/st1/blobServices/default/containers/c1"}
Question 3mediummultiple choice
Full question →

You are deploying an Azure Functions app using ARM template. The exhibit shows a portion of the template. You notice that the AzureWebJobsStorage connection string includes the account key directly. What is the MOST important security concern?

Exhibit

Refer to the exhibit.

{
  "type": "Microsoft.Web/sites/config",
  "apiVersion": "2023-01-01",
  "name": "[concat(parameters('siteName'), '/appsettings')]",
  "properties": {
    "WEBSITE_RUN_FROM_PACKAGE": "1",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated",
    "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', parameters('storageAccountName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2023-01-01').keys[0].value, ';EndpointSuffix=core.windows.net')]"
  }
}
Question 4mediummultiple choice
Full question →

Refer to the exhibit. You are deploying this ARM template to create a deployment slot for an Azure App Service. The template deploys successfully. However, the slot-specific app setting 'DEPLOYMENT_SLOT' is not visible in the Azure portal under the slot's Configuration > Application settings. What is the most likely cause?

Exhibit

{
  "type": "Microsoft.Web/sites/slots",
  "apiVersion": "2022-03-01",
  "name": "[concat(parameters('siteName'), '/', parameters('slotName'))]",
  "location": "[resourceGroup().location]",
  "properties": {
    "serverFarmId": "[parameters('hostingPlanId')]",
    "siteConfig": {
      "appSettings": [
        {
          "name": "DEPLOYMENT_SLOT",
          "value": "[parameters('slotName')]"
        }
      ]
    }
  }
}
Question 5mediummultiple choice
Full question →

Refer to the exhibit. You have an HTTP-triggered Azure Function that writes the request body to a blob in the 'samples-workitems' container. The function runs successfully but does not create a blob. What is the most likely cause?

Exhibit

public static async Task<IActionResult> Run(
    [HttpTrigger(AuthorizationLevel.Function, "get", "post")] HttpRequest req,
    [Blob("samples-workitems/{rand-guid}", FileAccess.Write)] Stream blobStream,
    ILogger log)
{
    string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
    byte[] bytes = Encoding.UTF8.GetBytes(requestBody);
    await blobStream.WriteAsync(bytes, 0, bytes.Length);
    return new OkResult();
}
Question 6hardmultiple choice
Full question →

Refer to the exhibit. You run this KQL query in Azure Resource Graph Explorer. The query returns no results. What is the most likely reason?

Exhibit

Resources
| where type == 'microsoft.insights/components'
| where name contains 'myapp'
Question 7mediummultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. You run the Azure CLI command to check if blob encryption is enabled for a storage account. The command returns 'false'. However, you know that Azure Storage encrypts all data at rest by default. What is the explanation?

Network Topology
name mystorageaccountquery "encryption.services.blob.enabled"Refer to the exhibit.
Question 8mediummultiple choice
Full question →

Refer to the exhibit. You have an Azure Policy definition as shown. Your team creates a storage account with network rules set to 'Deny' by default, and then adds an IP rule to allow traffic from a specific IP range. What compliance state will this storage account be reported as?

Exhibit

{
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "equals": "Allow"
          }
        ]
      },
      "then": {
        "effect": "Audit"
      }
    }
  }
}
Question 9hardmultiple choice
Full question →

Refer to the exhibit. You are deploying an ARM template that assigns the 'Storage Blob Data Contributor' role to the managed identity of an App Service named 'myapp' at the storage account 'mystorageacct' scope. The deployment fails with an error that 'principalId' is null. What is the most likely cause?

Exhibit

Refer to the exhibit.

{
    "type": "Microsoft.Authorization/roleAssignments",
    "apiVersion": "2022-04-01",
    "name": "[guid(resourceGroup().id, 'Storage Blob Data Contributor')]",
    "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
        "principalId": "[reference(resourceId('Microsoft.Web/sites', 'myapp'), '2022-03-01', 'Full').identity.principalId]",
        "scope": "[resourceId('Microsoft.Storage/storageAccounts', 'mystorageacct')]"
    }
}
Question 10hardmultiple choice
Full question →

Refer to the exhibit. You are creating a custom Azure RBAC role. You assign this role to a user for the Production resource group. The user needs to read the contents of a blob in a container. Which permission is necessary for the user to list the container's blobs?

Exhibit

{
  "roleName": "Custom Storage Blob Data Reader",
  "assignableScopes": ["/subscriptions/12345-.../resourceGroups/ProdRG"],
  "permissions": [
    {
      "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
      "notActions": [],
      "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
      "notDataActions": []
    }
  ]
}
Question 11easymultiple choice
Full question →

Refer to the exhibit. You run the Azure CLI command to store a secret in Key Vault. Later, you run 'az keyvault secret show --vault-name myvault --name MySecret'. What will be displayed?

Network Topology
az keyvault secret setvault-name myvaultname MySecretvalue "P@ssw0rd123"Refer to the exhibit.
Question 12easymultiple choice
Full question →

Refer to the exhibit. You are using Azure CLI to list blobs in a container. The command fails with an authorization error. The storage account has firewall rules enabled, and you are running the CLI from a machine that is not on the allowed network list. What is the most likely cause of the failure?

Network Topology
az storage blob listaccount-name mystorageaccountcontainer-name mycontainerquery "[].name"
Question 13mediummultiple choice
Full question →

Refer to the exhibit. You deploy this ARM template to an App Service named 'myapp'. After deployment, users report they are able to access the app without being prompted to log in. What is the most likely reason?

Exhibit

Refer to the exhibit.

{
  "type": "Microsoft.Web/sites/config",
  "apiVersion": "2022-03-01",
  "name": "[concat(parameters('siteName'), '/authsettingsV2')]",
  "properties": {
    "platform": {
      "enabled": true
    },
    "globalValidation": {
      "requireAuthentication": true,
      "unauthenticatedClientAction": "RedirectToLoginPage"
    },
    "identityProviders": {
      "azureActiveDirectory": {
        "enabled": true,
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0",
          "clientId": "11111111-1111-1111-1111-111111111111"
        }
      }
    }
  }
}
Question 14mediummultiple choice
Full question →

Refer to the exhibit. You are configuring a Key Vault key using an ARM template. What does this configuration achieve?

Exhibit

Refer to the exhibit.
{
  "properties": {
    "keyType": "RSA",
    "keySize": 2048,
    "keyOps": ["encrypt", "decrypt"],
    "rotationPolicy": {
      "lifetimeActions": [
        {
          "trigger": {
            "timeAfterCreate": "P90D"
          },
          "action": {
            "type": "Rotate"
          }
        }
      ]
    }
  }
}
Question 15hardmultiple choice
Full question →

Refer to the exhibit. You create a custom RBAC role with the shown permissions. You assign this role to a user at the resource group scope. What can the user do?

Exhibit

Refer to the exhibit.
{
  "roleName": "CustomRole",
  "actions": [
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/secrets/read"
  ],
  "notActions": [],
  "assignableScopes": ["/subscriptions/sub1/resourceGroups/rg1"]
}

These AZ-204 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style AZ-204 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.