CCNA Connect Consume Services Questions

75 of 266 questions · Page 1/4 · Connect Consume Services topic · Answers revealed

1
MCQhard

A company uses Azure API Management to expose APIs. They need to enforce rate limiting per subscription key and also allow a burst of requests for a short period. Which policy should they apply?

A.limit-concurrency
B.rate-limit (per product)
C.rate-limit-by-key
D.rate-limit-by-ip
AnswerC

Lets you pick the counter key (here the subscription), with a fixed calls allowance per window that clients may spend in a burst.

Why this answer

The rate-limit-by-key policy (option C) takes a counter-key expression, so keying it on the subscription ID gives each subscription its own window of a fixed number of calls per renewal-period. Neither rate-limit policy has a separate burst parameter: the burst is the allowance inside the window, which a client may consume quickly before receiving HTTP 429 until the window renews. Option A (limit-concurrency) caps in-flight requests, not call rate. Option B (rate-limit) also counts per subscription, but it is scoped to the product, API or operation it sits in and offers no choice of key, which is why the page prefers the explicit per-key policy. Option D is not an APIM policy name; per-IP limiting is done with rate-limit-by-key using context.Request.IpAddress as the counter key.

2
MCQhard

Your Azure App Service app uses SignalR Service to push real-time updates to clients. You notice that some clients are disconnected after 30 minutes of inactivity. What is the most likely cause and solution?

A.The app service plan is scaled down, causing idle connections to drop
B.The app service plan has an idle timeout of 30 minutes
C.The SignalR service is in serverless mode, which disconnects idle clients
D.The Azure SignalR Service has a default client timeout of 30 minutes; configure the ClientTimeout setting in the SignalR service
AnswerD

The page attributes the drop to the SignalR Service client timeout default of 30 minutes; raising that setting keeps idle clients connected.

Why this answer

Option D is correct: the disconnect happens at a fixed 30 minutes of inactivity, which matches the client timeout default the page attributes to Azure SignalR Service, and the fix is to raise that setting (or send keep-alive traffic) rather than change the hosting plan. Option A is wrong because plan scaling is not tied to a 30-minute idle interval. Option B is wrong because the App Service plan does not impose an idle timeout on connections held by SignalR Service, which terminates the client connections itself.

Option C is wrong because serverless mode changes where hub logic runs, not the idle timeout.

3
MCQeasy

A company uses Azure Logic Apps to integrate with a third-party REST API. The API has a rate limit of 100 requests per minute. You need to ensure that the Logic App respects this limit. Which connector feature should you configure?

A.Retry policy.
B.Concurrency control.
C.Swagger connector.
D.API Management.
AnswerB

Correct. Concurrency control limits the number of in-flight requests, helping to stay within rate limits.

Why this answer

Concurrency control on the Logic App trigger (and on for-each loops) caps how many workflow runs, and therefore how many outbound calls, are in flight at once. Setting the limit to 1 serializes runs, so a burst of triggers cannot fan out into hundreds of simultaneous calls to the third-party API. It is a cap on parallelism, not a calls-per-minute budget: if one run issues many requests, combine it with the trigger's recurrence interval or a Delay action so the sustained rate stays under 100 per minute, and keep a retry policy on the HTTP action so the occasional 429 is still handled gracefully.

Exam trap

The trap here is that candidates often confuse Retry policy (which handles failures after they occur) with concurrency control (which prevents the failures by limiting parallelism), leading them to select Retry policy as a proactive solution when it is actually reactive.

How to eliminate wrong answers

Option A is wrong because Retry policy handles transient failures (e.g., HTTP 429 or 5xx) by retrying failed requests, but it does not prevent the Logic App from sending too many requests in the first place; it only reacts after a limit is exceeded. Option C is wrong because a Swagger connector is used to import an OpenAPI definition for custom API integration, not to control request rate or concurrency. Option D is wrong because API Management is an external service that can enforce rate limits via policies, but it is not a feature of the Logic App connector itself; the question asks for a connector feature to configure within the Logic App.

4
MCQmedium

You are using Azure Event Grid to respond to blob storage events (blob created). You need to ensure that only JPEG image files trigger a function for processing, while other files are ignored. The number of files is high, and you want to minimize cost and latency. How should you filter events?

A.Create the function to check the blob extension at the start of the function code and return early if it's not a JPEG.
B.Configure Advanced Filters on the Event Grid subscription with a 'subjectEndsWith' condition set to '.jpg' or '.jpeg'.
C.Create separate event subscriptions for each file extension and point them to different functions.
D.Use Event Hubs capture to filter files before sending events.
AnswerB

Advanced filters match on event properties before delivery. A single advanced filter using the StringEndsWith operator on the subject key with both '.jpg' and '.jpeg' as values delivers only matching events, so the function is never invoked for other files.

Why this answer

Option B is correct because Azure Event Grid evaluates filters at the service, before delivery. The basic subjectEndsWith filter accepts a single suffix; to match both extensions use an advanced filter with operatorType StringEndsWith, key subject and values ['.jpg', '.jpeg'] (string operators are case-insensitive, so 'PHOTO.JPG' matches too), and set includedEventTypes to Microsoft.Storage.BlobCreated so delete and tier-change events are excluded as well. Only matching blob-created events trigger the function, which removes the cost and latency of unnecessary invocations. Note that this is routing, not validation: a blob's name is chosen by whoever uploaded it, so the function should still confirm the content is a JPEG (content type or magic bytes) before processing it.

Exam trap

The trap here is that candidates often default to filtering inside the function code (Option A) because it seems simpler, but they overlook that Event Grid's advanced filtering can prevent the function from being triggered at all, which is the key to minimizing cost and latency in high-volume scenarios.

How to eliminate wrong answers

Option A is wrong because it requires the function to be invoked for every blob creation event, including non-JPEG files, which increases cost and latency due to unnecessary function executions; this approach does not minimize cost or latency as required. Option C is wrong because creating separate event subscriptions for each file extension increases management complexity and does not provide a cost or latency benefit over a single subscription with advanced filters; it also requires multiple functions or routing logic. Option D is wrong because Event Hubs capture is designed for data ingestion and storage, not for real-time event filtering; it adds unnecessary complexity and latency compared to Event Grid's built-in filtering capabilities.
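As an added illustration (not code from the original page), the following shows the subscription filter for this scenario together with a small local model of how Event Grid evaluates it, run over constructed Blob Storage events. The container name, blob names and operator semantics modelled here (case-insensitive string comparison, every filter must match) are assumptions for the example.

```javascript
// Added example, not from the original page: the event-subscription filter for
// this scenario plus a small local model of how Event Grid evaluates it, run
// over constructed Blob Storage events. The operator semantics follow the
// Event Grid docs (string comparisons are case-insensitive, every filter must
// match); the container name "uploads" and the blob names are made up.

// Filter as it would appear under the subscription's "filter" property.
const subscriptionFilter = {
  includedEventTypes: ["Microsoft.Storage.BlobCreated"],
  advancedFilters: [
    { operatorType: "StringEndsWith", key: "subject", values: [".jpg", ".jpeg"] },
  ],
};

// Resolve a filter key such as "subject" or "data.contentType" on an event.
function lookup(event, key) {
  return key.split(".").reduce((obj, part) => (obj == null ? undefined : obj[part]), event);
}

// Local model of filter evaluation: event type gate, then every advanced filter.
function matchesFilter(event, filter) {
  const { includedEventTypes = null, advancedFilters = [] } = filter;
  if (includedEventTypes && !includedEventTypes.includes(event.eventType)) return false;
  return advancedFilters.every((f) => {
    const actual = String(lookup(event, f.key) ?? "").toLowerCase();
    const values = f.values.map((v) => String(v).toLowerCase());
    switch (f.operatorType) {
      case "StringEndsWith": return values.some((v) => actual.endsWith(v));
      case "StringBeginsWith": return values.some((v) => actual.startsWith(v));
      case "StringContains": return values.some((v) => actual.includes(v));
      default: throw new Error(`operator not modelled: ${f.operatorType}`);
    }
  });
}

// Constructed events in the shape Blob Storage emits.
function blobEvent(blobName, eventType = "Microsoft.Storage.BlobCreated") {
  return {
    eventType,
    subject: `/blobServices/default/containers/uploads/blobs/${blobName}`,
    data: { api: "PutBlob", contentType: "application/octet-stream" },
  };
}

const sampleEvents = [
  blobEvent("photo.jpg"),
  blobEvent("HOLIDAY.JPEG"),                                // case differs: still matches
  blobEvent("report.pdf"),                                  // filtered out
  blobEvent("photo.jpg.exe"),                               // suffix is .exe: filtered out
  blobEvent("photo.jpg", "Microsoft.Storage.BlobDeleted"),  // wrong event type
];

// Blob names (last path segment) that would reach the function.
function deliveredBlobs(events, filter = subscriptionFilter) {
  return events.filter((e) => matchesFilter(e, filter)).map((e) => e.subject.split("/").pop());
}

console.log(deliveredBlobs(sampleEvents)); // ["photo.jpg", "HOLIDAY.JPEG"]
```

The model exists only to make the filter's behaviour visible offline; in Azure the same filter object goes on the event subscription and the matching happens in the service. The 'photo.jpg.exe' case is the reminder that the filter reads the name, not the bytes.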

5
MCQhard

Trey Research uses Azure Service Bus for messaging between microservices. One microservice written in Node.js needs to send messages to a queue. The team wants to use managed identity to authenticate to Service Bus. The microservice runs in an Azure Container Instance (ACI) with a user-assigned managed identity. The identity has been granted 'Sender' role on the Service Bus namespace. The team uses the @azure/service-bus SDK. Which code snippet should the developer use to create a ServiceBusClient?

A.const { ServiceBusClient } = require('@azure/service-bus'); const { InteractiveBrowserCredential } = require('@azure/identity'); const credential = new InteractiveBrowserCredential(); const sbClient = new ServiceBusClient('<namespace>.servicebus.windows.net', credential);
B.const { ServiceBusClient } = require('@azure/service-bus'); const { DefaultAzureCredential } = require('@azure/identity'); const credential = new DefaultAzureCredential(); const sbClient = new ServiceBusClient('<namespace>.servicebus.windows.net', credential);
C.const { ServiceBusClient } = require('@azure/service-bus'); const { ManagedIdentityCredential } = require('@azure/identity'); const credential = new ManagedIdentityCredential('<client-id>'); const sbClient = new ServiceBusClient('<namespace>.servicebus.windows.net', credential);
D.const { ServiceBusClient } = require('@azure/service-bus'); const sbClient = new ServiceBusClient('<connection-string>');
AnswerB

Correct: DefaultAzureCredential uses the user-assigned identity when AZURE_CLIENT_ID is set.

Why this answer

DefaultAzureCredential (option B) tries a chain of credential sources that includes managed identity; with a user-assigned identity it must be told which one, so set the container's AZURE_CLIENT_ID environment variable to the identity's client ID (or pass managedIdentityClientId in the constructor options). The same code then works on a developer machine through the Azure CLI or Visual Studio Code credentials. Option C (ManagedIdentityCredential with the client ID) also authenticates correctly in ACI, and is the more deterministic choice in production because it probes no other sources; it is not the page's answer only because it fails outside Azure.

Option A is wrong because InteractiveBrowserCredential needs a signed-in user and a browser, neither of which a container has. Option D is wrong because a connection string is a shared SAS key that bypasses the managed identity the scenario set up. The built-in role is Azure Service Bus Data Sender; scope the assignment to the queue rather than the whole namespace where possible.

6
MCQeasy

A developer needs to store a large number of binary files (images) that are accessed frequently from a web app. Which Azure storage solution is most cost-effective?

A.Azure Queue Storage
B.Azure Files
C.Azure Blob Storage
D.Azure Cosmos DB
AnswerC

Blob Storage is designed for large-scale unstructured data and is cost-effective for images.

Why this answer

Option C is correct because Blob Storage is built for large volumes of unstructured data such as images, offers access tiers priced for frequent reads, and can serve objects directly over HTTP or through Azure CDN. Option A (Queue Storage) carries messages, not files; Option B (Azure Files) provides SMB/NFS file shares at a higher cost per GB; Option D (Cosmos DB) is a database priced for throughput, not bulk binary storage.

7
MCQmedium

You manage a set of APIs using Azure API Management (APIM). One backend API requires an API key passed in the 'X-API-Key' header. The API key is stored securely in a named value in APIM. You need to configure APIM to add this header to all requests to that backend without exposing the key to API consumers. Which policy should you add to the inbound processing for that API?

A.set-backend-service
B.set-header
C.authentication-basic
D.validate-jwt
AnswerB

The set-header policy can add the X-API-Key header with the value from a named value, keeping the key secure and hidden from consumers.

Why this answer

The 'set-header' policy in Azure API Management adds, modifies, or removes HTTP headers on requests or responses. Placed in the inbound section, it injects the 'X-API-Key' header with the value resolved from a named value (the '{{NamedValue}}' syntax) on the gateway, so consumers never see the key. Two practitioner details: mark the named value as secret (or back it with Key Vault) so it is not readable in the portal or exported with the configuration, and use exists-action="override" so a caller who sends their own X-API-Key cannot have it forwarded to the backend.

Exam trap

The trap here is that candidates often confuse 'set-header' with 'authentication-basic' because both deal with adding authentication-related headers, but 'authentication-basic' specifically encodes credentials in Base64 and is intended for HTTP Basic Auth, not for arbitrary API key headers.

How to eliminate wrong answers

Option A is wrong because 'set-backend-service' is used to change the backend service URL for the request, not to manipulate headers. Option C is wrong because 'authentication-basic' is used to add a Basic Authentication header (username:password encoded in Base64) to the backend request, which is not the same as adding a custom API key header. Option D is wrong because 'validate-jwt' is used to enforce the existence and validity of a JSON Web Token (JWT) in the request, not to add a header.
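As an added example (not a policy from the original page), this is the policy fragment for option B. The named value name backend-api-key is assumed; the outbound rule is a defensive extra in case the backend echoes request headers.

```xml
<policies>
    <inbound>
        <base />
        <!-- Named value "backend-api-key" (secret, ideally Key Vault-backed) is
             resolved on the gateway; consumers never see the key. "override"
             also discards any X-API-Key a caller tried to supply. -->
        <set-header name="X-API-Key" exists-action="override">
            <value>{{backend-api-key}}</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Defensive: never reflect the backend key back to the caller. -->
        <set-header name="X-API-Key" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Apply it at the API scope so every operation of that backend gets the header; if only some operations need it, place the same inbound block at the operation scope instead.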

8
MCQmedium

You are building a mobile app backend using Azure Functions. The function must send push notifications to devices using the Notification Hubs service. You need to authenticate the function to Notification Hubs using the principle of least privilege. What should you use?

A.Store the Notification Hubs connection string in Application Settings.
B.Use a managed identity assigned to the Function App to access Notification Hubs.
C.Create a shared access signature (SAS) token for the Notification Hub.
D.Use Microsoft Entra ID OAuth 2.0 client credentials flow.
AnswerB

Managed identity allows the function to authenticate without secrets, and roles can be assigned with fine-grained permissions, achieving least privilege.

Why this answer

Option B is correct because a managed identity assigned to the Function App lets it authenticate to Azure Notification Hubs without any credential in code or configuration. This follows the principle of least privilege because the identity can be granted only the data-plane role it needs (send rights, not manage or listen) and there is no connection string to leak or rotate. Managed identities are the recommended way for Azure services to access other Azure resources.

Exam trap

The trap here is that candidates often confuse managed identities with SAS tokens or connection strings, thinking any form of shared secret is acceptable, but the principle of least privilege demands a secretless, identity-based approach that only managed identities provide.

How to eliminate wrong answers

Option A is wrong because storing the Notification Hubs connection string in Application Settings still exposes a shared secret that grants broad permissions (e.g., manage, send, listen) and violates the principle of least privilege; it also requires manual rotation and management. Option C is wrong because creating a SAS token for the Notification Hub still relies on a shared key and does not leverage Azure RBAC; SAS tokens are typically used for fine-grained access but still embed a secret and require secure distribution. Option D is wrong because Microsoft Entra ID OAuth 2.0 client credentials flow is used for service-to-service authentication with an app registration and client secret, which still requires managing a secret and does not provide the zero-secret, identity-based access that managed identities offer.

9
Multi-Selecthard

Which THREE actions should be taken to secure an Azure App Service web app that accesses an Azure SQL Database? (Choose three.)

Select 3 answers
A.Store the connection string in App Service application settings.
B.Enable Managed Identity for the App Service.
C.Use Azure Key Vault to store secrets and reference them from the app.
D.Configure Azure SQL Database firewall to allow Azure services.
E.Disable TLS 1.2 on the App Service.
AnswersB, C, D

Managed identity gives the app an Entra ID identity for SQL with no stored password; Key Vault protects the remaining secrets; the firewall lets the app's traffic reach the server.

Why this answer

Enabling managed identity (B) lets the app authenticate to Azure SQL as an Entra ID principal, removing the password from configuration entirely; Key Vault with Key Vault references (C) keeps any remaining secrets, such as third-party API keys, out of app settings; and a SQL firewall rule (D) is required for the app's traffic to reach the server at all. Option A is less secure because an application setting holds the connection string, password included, readable by anyone with access to the app's configuration. Option E is insecure because TLS 1.2 is the minimum version to require, not disable. Caveat on D: 'Allow Azure services and resources to access this server' admits traffic from any Azure tenant, not only yours; for production prefer regional VNet integration on the App Service with a virtual network rule, or a private endpoint on the SQL server.

10
MCQhard

A company uses Azure Service Bus for messaging between microservices. They need to ensure that messages are processed in order within a partition. Which feature should they enable?

A.Duplicate detection
B.Partitioning
C.Sessions
D.Dead-letter queue
AnswerC

Sessions guarantee FIFO order within a session.

Why this answer

Sessions (option C) group messages by session ID; a session is delivered first-in-first-out to one receiver at a time while that receiver holds the session lock. Option A is wrong because duplicate detection drops repeated messages but does not order them. Option B is wrong because partitioning spreads a queue across message brokers for throughput and gives no ordering guarantee by itself.

Option D is wrong because the dead-letter queue holds messages that could not be processed.

11
MCQmedium

An application calls an Azure Event Grid endpoint over HTTP. The developer must implement retries without overwhelming the remote system during partial outages. Which retry pattern is best?

A.Immediate infinite retries
B.Retry only after restarting the application
C.Disable all timeout settings
D.Exponential backoff with jitter and a maximum retry limit
AnswerD

Backoff with jitter reduces retry storms and gives the remote service time to recover.

Why this answer

Exponential backoff with jitter and a maximum retry limit is the best pattern because it progressively lengthens the wait between retries, so a recovering service is not hit with a wall of simultaneous requests, while jitter randomizes those intervals to avoid thundering-herd synchronization. The maximum retry limit ensures the client does not retry indefinitely. This mirrors Event Grid's own delivery retries, which by default make up to 30 attempts over an event time-to-live of 24 hours on an exponential schedule starting at 10 seconds and stretching to hourly, and which do not retry at all for responses such as 400, 403 and 413 that retrying cannot fix. Client code should make the same distinction: retry 429 and 5xx, honor a Retry-After header when one is sent, and give up immediately on other 4xx errors.

Exam trap

The trap here is that candidates may think immediate retries or disabling timeouts are acceptable for reliability, but Azure explicitly recommends exponential backoff with jitter and a cap to protect both the client and the service from overload during outages.

How to eliminate wrong answers

Option A is wrong because immediate infinite retries would flood the Event Grid endpoint with requests during an outage, likely causing a thundering herd problem and potentially triggering rate limiting or denial-of-service conditions. Option B is wrong because retrying only after restarting the application introduces unnecessary downtime and fails to handle transient failures gracefully, as Event Grid expects clients to retry with backoff for HTTP 429 or 5xx responses. Option C is wrong because disabling all timeout settings removes critical safeguards, risking indefinite hangs and resource exhaustion, and does not address retry logic or backoff behavior.
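As an added example (not code from the original page), this is a client-side retry loop implementing option D: exponential backoff with full jitter, a retry cap, Retry-After handling and no retries for non-retryable status codes. The callEndpoint function stands in for the real HTTP request and resolves to a Response-like {status, headers}; sleep and random are injectable so the schedule can be tested without waiting; the flaky endpoint is constructed for the demo. All of these are assumptions of the example.

```javascript
// Added example, not from the original page: exponential backoff with full
// jitter and a retry cap around an HTTP call, the client-side counterpart of
// Event Grid's own delivery retries. Assumptions: `callEndpoint` stands in for
// the real HTTP request and resolves to a Response-like {status, headers};
// `sleep` and `random` are injectable so the schedule is testable; the flaky
// endpoint below is constructed for the demo.

const RETRYABLE_STATUS = new Set([408, 429, 500, 502, 503, 504]);

// Delay before retry number `attempt` (1-based): full jitter over an
// exponentially growing ceiling, capped at capMs.
function backoffDelayMs(attempt, { baseMs = 200, capMs = 30_000, random = Math.random } = {}) {
  const ceiling = Math.min(capMs, baseMs * 2 ** (attempt - 1));
  return Math.floor(random() * ceiling);
}

async function callWithRetry(callEndpoint, {
  maxAttempts = 5, baseMs = 200, capMs = 30_000, random = Math.random,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
} = {}) {
  const delays = [];
  let last;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      last = await callEndpoint();
    } catch (err) {
      last = { status: 0, headers: {}, error: err }; // transport failure: retryable
    }
    if (last.status >= 200 && last.status < 300) {
      return { ok: true, attempts: attempt, delays, response: last };
    }
    if (last.status !== 0 && !RETRYABLE_STATUS.has(last.status)) {
      // 4xx such as 400/401/403: retrying cannot help, give up at once.
      return { ok: false, attempts: attempt, delays, response: last };
    }
    if (attempt === maxAttempts) break;
    // A server-supplied Retry-After (seconds) wins over the computed backoff.
    const retryAfter = Number(last.headers?.["retry-after"]);
    const delay = Number.isFinite(retryAfter) && retryAfter > 0
      ? retryAfter * 1000
      : backoffDelayMs(attempt, { baseMs, capMs, random });
    delays.push(delay);
    await sleep(delay);
  }
  return { ok: false, attempts: maxAttempts, delays, response: last };
}

// Constructed endpoint: fails `failures` times with `status`, then succeeds.
function flakyEndpoint(failures, status = 503, headers = {}) {
  let calls = 0;
  return async () => (++calls <= failures ? { status, headers } : { status: 200, headers: {} });
}

// Demo with a fixed random source so the schedule is reproducible.
const noWait = { random: () => 0.5, sleep: async () => {} };
callWithRetry(flakyEndpoint(2), noWait).then((r) => console.log(r.attempts, r.delays)); // 3 [ 100, 200 ]
```

Full jitter (a uniform draw between zero and the exponential ceiling) spreads retries from many clients across the whole interval, which is what prevents the synchronized retry storm; a fixed-percentage jitter leaves most clients retrying at nearly the same moment.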

12
Multi-Selectmedium

Which TWO services can be used to implement serverless event-driven architectures in Azure? (Choose 2)

Select 2 answers
A.Azure Batch
B.Azure Logic Apps
C.Azure Kubernetes Service
D.Azure App Service
E.Azure Functions
AnswersB, E

Logic Apps provides serverless workflow automation triggered by events.

Why this answer

Option E is correct because Azure Functions is serverless compute that runs code in response to triggers (HTTP, queues, Event Grid, timers). Option B is correct because Logic Apps provides serverless workflow automation started by triggers. Option A is wrong because Azure Batch is for scheduled, large-scale batch computing.

Option C is wrong because Azure Kubernetes Service is container orchestration that you provision and scale yourself. Option D is wrong because App Service is an always-on hosting platform for web apps, not an event-driven serverless service.

13
MCQhard

You have an Azure App Service web app that uses Azure SQL Database. The connection string is stored in Azure Key Vault. You need to automatically rotate the database password every 30 days without app downtime. Which solution should you implement?

A.Store the connection string as a Key Vault reference in App Service application settings and use Key Vault's auto-rotation.
B.Use Azure CLI to update the connection string in App Service settings.
C.Use Managed Identity to access SQL Database instead of a password.
D.Update the connection string in the application code and redeploy.
AnswerA

A versionless Key Vault reference picks up the new secret version without a redeploy.

Why this answer

Option A is correct because a Key Vault reference in App Service application settings (for example @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/) with no version) resolves the latest version of the secret, and App Service re-reads referenced secrets on its own schedule, so a rotated value reaches the app with no code change or redeploy. Two caveats the option glosses over: Key Vault's built-in auto-rotation applies to keys, so rotating a SQL password is implemented with a rotation function triggered by the secret's near-expiry event (Microsoft.KeyVault.SecretNearExpiry) that sets the new password in SQL and writes the new secret version; and App Service refreshes versionless references periodically (the documented interval is 24 hours) rather than instantly, so the old password must stay valid through that window (for example by alternating between two SQL logins) or connections will fail in between. Option B is wrong because a CLI update of the setting is a manual step and, being an app-settings change, restarts the app. Option D is wrong because editing the connection string in code requires a redeploy for every rotation.

Option C is wrong only in the narrow sense that the question asks for password rotation; authenticating to Azure SQL with the managed identity removes the password altogether and is the better design.

14
MCQmedium

Refer to the exhibit. An Azure OpenAI Service account is deployed with this ARM template. After deployment, a developer tries to call the OpenAI endpoint from an Azure App Service that has no public IP. The request is blocked. What change should be made to allow access?

A.Add a service tag for App Service in the ipRules.
B.Configure a private endpoint for the OpenAI account.
C.Change the defaultAction to Allow.
D.Add the App Service's outbound IP address to the ipRules.
AnswerB

Private endpoint allows secure access from Azure services via Microsoft backbone.

Why this answer

The template's network ACLs deny by default and allow only a listed IP range. Option B is the right change: add a private endpoint to the Azure OpenAI account and give the App Service regional VNet integration into (or peered with) the endpoint's virtual network, so traffic stays on the Microsoft backbone and the public network rules never apply; keep defaultAction as Deny (or disable public network access entirely) and make sure the app resolves the account through the private link DNS zone. Option A is wrong because the ipRules of a Cognitive Services network ACL take IP addresses and CIDR ranges, not service tags. Option C is wrong because defaultAction Allow opens the endpoint to the whole internet.

Option D is wrong because an App Service's outbound addresses are a pool shared with other tenants' apps on the same stamp and change when the app moves between pricing tiers, so allow-listing them is brittle and still exposes the account to other customers' traffic.

15
MCQhard

A company uses Azure API Management (APIM) to expose a set of REST APIs. A new requirement mandates that all API calls must be throttled per user based on usage tiers (Free, Basic, Premium). User identity is provided via a JWT token. Which policy should the developer configure in APIM to enforce this throttling?

A.rate-limit policy
B.rate-limit-by-key policy
C.quota-by-key policy
D.IP-based throttling
AnswerB

rate-limit-by-key can throttle based on a key extracted from JWT claims, enabling per-user throttling.

Why this answer

Option B is correct because rate-limit-by-key takes a counter-key expression, so the counter can be the JWT subject (or object ID) and the calls allowance can be chosen per tier by branching on a claim. Option A is wrong because rate-limit counts per subscription key, not per user identity. Option C is wrong because quota-by-key caps total calls or bandwidth over a long renewal period (a usage cap), not the short-window rate.

Option D is wrong because a client IP does not identify a user and is shared behind NATs. Security note: derive the counter key from a token that validate-jwt has already verified, never from a header the caller can set, otherwise an attacker chooses their own bucket.
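As an added example (not a policy from the original page), this inbound fragment enforces the tiered limits. The named values tenant-id and api-app-id, the claim name tier, the tier values and the per-tier call counts are all assumptions of the example.

```xml
<inbound>
    <base />
    <!-- Reject unauthenticated requests first: throttling keyed on an unverified
         identity would let a caller pick their own counter. -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  output-token-variable-name="jwt">
        <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
        <audiences>
            <audience>api://{{api-app-id}}</audience>
        </audiences>
    </validate-jwt>
    <!-- Per-user key from the verified token's subject; tier from a "tier" claim
         (assumed claim name), defaulting to the lowest tier when absent. -->
    <set-variable name="userKey" value="@(((Jwt)context.Variables["jwt"]).Subject)" />
    <set-variable name="tier" value="@(((Jwt)context.Variables["jwt"]).Claims.GetValueOrDefault("tier", "free"))" />
    <choose>
        <when condition="@((string)context.Variables["tier"] == "premium")">
            <rate-limit-by-key calls="1000" renewal-period="60" counter-key="@((string)context.Variables["userKey"])" />
        </when>
        <when condition="@((string)context.Variables["tier"] == "basic")">
            <rate-limit-by-key calls="100" renewal-period="60" counter-key="@((string)context.Variables["userKey"])" />
        </when>
        <otherwise>
            <rate-limit-by-key calls="10" renewal-period="60" counter-key="@((string)context.Variables["userKey"])" />
        </otherwise>
    </choose>
</inbound>
```

When a user exhausts the window the gateway answers 429 with a Retry-After header. If a token may legitimately lack the tier claim, the otherwise branch is what that user gets, which is the safe default.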

16
Multi-Selecthard

Which THREE are best practices for implementing an API using Azure API Management? (Choose three.)

Select 3 answers
A.Use policies to enforce throttling and quotas.
B.Implement caching policies to reduce backend load.
C.Use subscription keys for client authentication and rate limiting.
D.Use the Consumption tier for production APIs with custom domains.
E.Expose the backend service URLs directly to clients.
AnswersA, B, C

Policies allow you to control usage limits.

Why this answer

Options A, B and C are correct. Policies enforce throttling and quotas (A); caching (B) reduces backend load and response time; subscription keys (C) identify clients and drive per-subscription rate limiting. Caveat on C: a subscription key identifies and meters a client but is a shared secret sent in a header or query string; for real authentication pair it with validate-jwt or client certificates.

Option D is wrong because the Consumption tier is a pay-per-call tier that lacks several production capabilities (no developer portal, no virtual network injection, no built-in cache). Option E is wrong because exposing backend URLs directly bypasses every policy, key and quota the gateway enforces.

17
MCQmedium

You are building an application that subscribes to an Azure Event Grid topic using a custom webhook endpoint. The endpoint is a web API hosted on Azure App Service. You need to ensure that only Event Grid can invoke your webhook endpoint, preventing unauthorized requests. What should you implement in your webhook endpoint?

A.IP address filtering to allow only the Azure Event Grid service tag
B.Validate the Aeg-SasKey header against a shared secret known to Event Grid
C.Require a client certificate that you upload to Event Grid
D.Use an OAuth 2.0 token from Microsoft Entra ID
AnswerB

Event Grid includes the Aeg-SasKey header in every delivery, and your endpoint can verify it using the access key from the subscription to confirm the sender.

Why this answer

Option B is correct because Event Grid sends an Aeg-SasKey header with each request to a custom webhook endpoint. By validating this header against a pre-configured shared secret (the same key used when creating the event subscription), the endpoint can confirm that the request originated from Event Grid. This prevents unauthorized actors from invoking the webhook, as they would not possess the shared secret.

Exam trap

The trap here is that candidates often assume IP whitelisting (Option A) is sufficient for security, but Event Grid's outbound IPs are not static or documented for custom webhooks, making this approach unreliable and unsupported.

How to eliminate wrong answers

Option A is wrong because IP address filtering using the Azure Event Grid service tag is not supported for custom webhook endpoints; Event Grid's outbound IP addresses can vary and are not published as a stable service tag for inbound validation. Option C is wrong because Event Grid does not support uploading client certificates for authentication to custom webhook endpoints; client certificate authentication is not a feature of Event Grid's webhook delivery. Option D is wrong because OAuth 2.0 tokens from Microsoft Entra ID are not natively supported by Event Grid for authenticating to custom webhook endpoints; Event Grid uses its own shared access signature (SAS) mechanism via the Aeg-SasKey header.

18
MCQmedium

A web app running on Azure App Service must integrate with Microsoft Graph API to read user profiles. The app is registered in Microsoft Entra ID and uses the OAuth 2.0 authorization code flow. However, after deployment, the app fails to acquire tokens. What is the most likely cause?

A.The API permission for User.Read is not granted
B.The app is using the client credentials flow instead of authorization code flow
C.The redirect URI is not configured in the app registration
D.The client secret is expired
AnswerC

The reply URL must match exactly for the authorization code flow to complete.

Why this answer

Option C is correct because the authorization code flow returns the code by redirecting the browser back to the app, and the identity platform only redirects to URIs registered on the app registration; after deployment the app runs at a new host name, so the reply URL it sends no longer matches, no code is issued and no token can be acquired. Option A is wrong because a missing User.Read permission surfaces as a consent prompt or a 403 from Graph after a token is obtained, not as a token acquisition failure. Option B is wrong because the scenario states the app uses the authorization code flow.

Option D is wrong because a secret that worked before deployment does not expire because of the deployment; an expired secret fails later, at code redemption, with a distinct invalid_client error.

19
MCQeasy

A company uses Azure Functions to process messages from Azure Service Bus. The function needs to scale out during high load. Which consumption plan should you choose to enable automatic scaling?

A.Logic Apps plan
B.Premium plan
C.Consumption plan
D.App Service plan
AnswerC

Consumption plan automatically scales based on demand, ideal for event-driven workloads.

Why this answer

The Consumption plan (option C) adds and removes instances automatically based on the rate of Service Bus messages, and bills only for executions. Option B is not the answer only because it is not the simplest one: the Premium plan also scales automatically (with pre-warmed instances and virtual network support) but bills for a minimum number of always-ready instances. Option D is wrong because an App Service plan scales by its own autoscale rules or manually, not by event volume.

Option A is wrong because Logic Apps is a different service, not a Functions hosting plan.

20
Matchingmedium

Match each Azure DevOps component to its function.

Azure Repos: Git repositories for source control

Azure Pipelines: CI/CD for building and deploying code

Azure Boards: Agile project management with Kanban boards

Azure Artifacts: Package management for Maven, npm, NuGet

Why these pairings

Azure DevOps provides a suite of tools for the development lifecycle: Repos hosts the source, Pipelines builds and deploys it, Boards tracks the work, and Artifacts publishes and consumes packages.

21
MCQmedium

You deploy the above policy to an Azure API Management API. What is the effect?

A.Limits the total bandwidth to 100 MB per 60 seconds.
B.Limits the API to 100 calls per 60 seconds from the backend.
C.Limits the API to 100 calls per 60 seconds per subscription key.
D.Limits the API to 100 calls per 60 seconds per client IP address.
AnswerC

rate-limit policy applies per subscription key.

Why this answer

Option C is correct: the rate-limit policy counts calls per subscription, so the policy as shown allows each subscription key 100 calls in a 60-second window and returns HTTP 429 beyond that. Option A is wrong because bandwidth limits belong to the quota policies, not rate-limit.

Option B is wrong because the limit applies to inbound calls from consumers, not to the backend. Option D is wrong because rate-limit does not key on client IP; per-IP limiting needs rate-limit-by-key with context.Request.IpAddress as the counter key.

22
MCQeasy

You need to authenticate an Azure Function app to call Microsoft Graph API on behalf of the signed-in user. Which authentication flow should you use?

A.Device code flow
B.Client credentials flow
C.Implicit flow
D.Authorization code flow with PKCE
AnswerD

A user-delegated flow: the user signs in and the app receives an access token for Graph on that user's behalf.

Why this answer

Option D is correct because the authorization code flow (with PKCE) signs in a user and exchanges the code for an access token for Graph scoped to that user. Option B is wrong because the client credentials flow carries no user; it is for daemons acting as the application itself. Option A is wrong because the device code flow is for input-constrained devices without a browser.

Option C is wrong because the implicit flow is deprecated in favor of authorization code with PKCE.

23
Multi-Selecteasy

Which TWO services can be used to implement a pub/sub messaging pattern in Azure? (Choose two.)

Select 2 answers
A.Azure Logic Apps
B.Azure Service Bus topics
C.Azure Queue Storage
D.Azure Event Grid
E.Azure Data Lake Storage
AnswersB, D

Service Bus topics support pub/sub with multiple subscriptions.

Why this answer

Options B and D are correct. Service Bus topics deliver each message to every subscription (optionally filtered by rules). Event Grid routes events to any number of subscribers.

Option C is wrong because Queue Storage is a point-to-point queue, not pub/sub. Option E is wrong because Data Lake Storage is a storage service. Option A is wrong because Logic Apps is an integration and workflow service, not a message broker.

24
Multi-Selecteasy

Which TWO Azure services can be used to store and manage secrets, such as API keys and connection strings? (Choose 2)

Select 2 answers
A.Azure Key Vault
B.Azure App Configuration
C.Azure Storage
D.Azure SQL Database
E.Azure Managed Identity
AnswersA, E

Key Vault securely stores secrets.

Why this answer

Option A is correct because Key Vault is the service built for secret storage, with access policies or RBAC and audit logging. Option E is correct because a managed identity manages the app's credential for you: it obtains tokens for Azure services without any secret to store, although it stores nothing itself. Option B is wrong because App Configuration holds non-secret settings and should reference Key Vault for secrets rather than hold them.

Option C is wrong because Azure Storage is for data. Option D is wrong because Azure SQL Database is for relational data.

25
MCQhard

Your company uses Azure API Management to expose APIs to external partners. You need to implement rate limiting per subscription key to prevent abuse, but you also want to allow burst traffic up to a certain limit. Which policy should you configure?

A.Add a 'quota-per-key' policy with a renewal period of 1 day.
B.Add a 'limit' policy with a condition on subscription key.
C.Add a 'rate-limit-by-key' policy with a counter key of 'subscription-key'.
D.Add a 'rate-limit' policy with a renewal period of 60 seconds and a burst count of 10.
AnswerC

rate-limit-by-key makes the counter key explicit, so it can be keyed on the subscription and tuned per window; the window's calls allowance is the burst.

Why this answer

Option C is correct, and it is the same policy chosen in question 1: rate-limit-by-key keeps a counter per value of counter-key (here the subscription ID, for example counter-key="@(context.Subscription.Id)") and allows a fixed number of calls per renewal-period. A client may spend that allowance in a burst at the start of the window; further calls get HTTP 429 with a Retry-After header until the window renews. Option A is wrong because the quota policy (the real name is quota-by-key) caps total calls or bandwidth over a long renewal period such as a day, which is a volume cap, not burst control.

Option B is wrong because there is no 'limit' policy; the closest, limit-concurrency, caps in-flight requests. Option D is wrong because the rate-limit policy has no burst attribute, only calls and renewal-period, and it keys on the subscription implicitly with no choice of key.

26
MCQeasy

A web app needs to access Azure Key Vault secrets for database credentials. The app runs as a managed identity in Azure App Service. Which authentication method should be used to retrieve secrets without storing credentials in the app code?

A.Managed identity
B.Access key
C.Client certificate
D.Shared access signature (SAS) token
AnswerA

Provides an identity automatically managed by Azure, no credentials stored.

Why this answer

Managed identity (option A) allows the app to authenticate to Azure services without storing credentials. Access keys (B) are not recommended. Client certificate (C) requires certificate management.

SAS tokens (D) are for storage, not Key Vault.

27
MCQmedium

You have an order processing system using Azure Service Bus. Each order generates multiple messages that must be processed in order and by the same consumer. Which Service Bus feature ensures this?

A.Message sessions
B.Topics and subscriptions
C.Dead-letter queues
D.Auto-forwarding
AnswerA

Correct. Sessions guarantee ordered, first-in-first-out (FIFO) delivery and that messages in a session are handled by a single consumer.

Why this answer

Message sessions in Azure Service Bus enable ordered, sequential processing of related messages by a single consumer. When messages belong to the same session, they are guaranteed to be delivered in order and are locked to a single consumer until the session is complete, ensuring that all messages for a given order are processed by the same consumer without interleaving.

Exam trap

The trap here is that candidates often confuse topics/subscriptions (which handle fan-out messaging) with the need for ordered, single-consumer processing, not realizing that only sessions provide the required ordering and consumer affinity.

How to eliminate wrong answers

Option B is wrong because topics and subscriptions implement a publish/subscribe pattern, which broadcasts messages to multiple subscribers and does not guarantee ordered delivery or single-consumer processing. Option C is wrong because dead-letter queues are used to hold messages that cannot be processed normally (e.g., due to exceeding max delivery count), not to enforce ordering or consumer affinity. Option D is wrong because auto-forwarding moves messages from one queue or subscription to another automatically, but it does not provide session-based ordering or ensure the same consumer processes all related messages.

28
MCQeasy

Avanade is developing a .NET Core console application that runs on an Azure VM. The application needs to read a secret from Azure Key Vault. The VM has a system-assigned managed identity enabled. The managed identity has been granted 'Get' and 'List' permissions on the Key Vault secrets. The code uses the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages. Which code snippet should the developer use to authenticate to Key Vault?

A.var client = new SecretClient(new Uri(keyVaultUrl), new EnvironmentCredential());
B.var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
C.var client = new SecretClient(new Uri(keyVaultUrl), new ManagedIdentityCredential());
D.var client = new SecretClient(new Uri(keyVaultUrl), new ClientSecretCredential(tenantId, clientId, clientSecret));
AnswerB

Correct: DefaultAzureCredential will use system-assigned managed identity.

Why this answer

Use DefaultAzureCredential to automatically pick up the system-assigned managed identity. Option B is correct. Option D uses ClientSecretCredential, which requires a client secret.

Option C uses ManagedIdentityCredential, which requires a client ID for user-assigned identities. Option A uses EnvironmentCredential, which requires environment variables.

29
MCQeasy

You are developing a microservices application that needs to send messages between services asynchronously. Which Azure service should you use to decouple the components and ensure reliable message delivery?

A.Azure Cosmos DB
B.Azure Service Bus
C.Azure Queue Storage
D.Azure Event Hubs
AnswerC

Queue Storage is a simple, scalable queue for asynchronous message passing.

Why this answer

Azure Queue Storage provides a simple, reliable message queue for asynchronous communication. Option B is wrong because Azure Service Bus offers more advanced features but is overkill for basic queuing. Option D is wrong because Azure Event Hubs is for big data streaming.

Option A is wrong because Azure Cosmos DB is a database.

30
MCQmedium

Coho Vineyard has an Azure Logic App that processes orders. The workflow must call a third-party API that uses Basic authentication. The credentials (username and password) must be stored securely in Azure Key Vault. The Logic App uses a system-assigned managed identity. The managed identity has been granted 'Get' permission on the Key Vault secrets. Which approach should the team use to pass the credentials to the third-party API?

A.Use an HTTP connector with 'Active Directory OAuth' authentication. Provide the client ID and client secret.
B.Use managed identity authentication on the HTTP connector. The third-party API must support managed identity.
C.Store the username and password directly in the Logic App's connection settings for the HTTP connector.
D.Add a Key Vault connector step to retrieve the secret containing the password. Then use an HTTP connector with 'Basic' authentication type. In the authentication parameters, reference the secret for the password.
AnswerD

Correct: retrieves password from Key Vault, uses Basic auth.

Why this answer

Use an HTTP connector with Basic authentication. In the authentication settings, use 'Raw' authentication and construct the Basic header using the secret retrieved from Key Vault via a Key Vault connector. Option D is correct.

Option A uses OAuth, not Basic. Option C stores credentials in the Logic App configuration. Option B uses managed identity for the third-party API, which it does not support.

31
Multi-Selecthard

Which THREE Azure services can be used to securely store and retrieve secrets, connection strings, and API keys for a cloud-native application?

Select 3 answers
A.Azure Blob Storage
B.Azure App Configuration
C.Azure Managed HSM
D.Azure Cosmos DB
E.Azure Key Vault
AnswersB, C, E

Correct: stores configuration and feature flags, can reference Key Vault.

Why this answer

Azure Key Vault, Azure App Configuration, and Azure Managed HSM are designed to store secrets and configuration securely. Azure Cosmos DB and Azure Blob Storage are not primarily for secret management.

32
Matchingmedium

Match each Azure caching service to its description.

In-memory data store based on Redis

Content delivery network for static assets

Global HTTP load balancer and web application firewall

Regional HTTP load balancer with SSL termination

Why these pairings

These services improve performance and availability of applications.

33
Multi-Selecthard

Which THREE Azure services or features can be used to implement retry logic for transient failures when calling an external API from a .NET Core application?

Select 3 answers
A.Azure SDK retry policies
B.Azure Logic Apps retry policy
C.Polly library
D.Azure Traffic Manager
E.Azure Front Door
AnswersA, B, C

Built in to many SDKs.

Why this answer

A, B, and C are correct. Polly is a .NET library for retry logic. Azure SDKs include built-in retry policies.

Azure Logic Apps provides retry policies for connectors. Option D is wrong because Azure Traffic Manager is for DNS load balancing, not retry logic. Option E is wrong because Azure Front Door is a global load balancer, not for application-level retry.

34
Multi-Selectmedium

Which TWO Azure services can be used to implement a pub/sub messaging pattern for decoupling microservices? (Choose two.)

Select 2 answers
A.Azure Storage Queue
B.Azure Service Bus Topics
C.Azure Event Hubs
D.Azure Event Grid
E.Azure Logic Apps
AnswersB, D

Supports pub/sub with multiple subscribers.

Why this answer

Azure Service Bus Topics (B) and Azure Event Grid (D) support pub/sub. Storage Queue (A) is point-to-point. Event Hubs (C) is for telemetry; it can be used for pub/sub but is not the typical choice.

Azure Logic Apps (E) is an integration service, not a messaging broker.

35
MCQhard

You have an Azure API Management instance that exposes a REST API. You need to secure the API using OAuth 2.0 with Microsoft Entra ID. The API should accept tokens from multiple client applications. Which policy should you add to the inbound processing section?

A.<validate-jwt header-name="Authorization" failed-validation-httpcode="401" />
B.<xml-to-json>
C.<rate-limit>
D.<cache-lookup>
AnswerA

validate-jwt policy validates the JWT token from the Authorization header.

Why this answer

The 'validate-jwt' policy is used in Azure API Management to validate JWT tokens issued by Microsoft Entra ID. It can be configured to accept tokens from multiple client applications by specifying a list of allowed audiences. Option D is for caching, C is for rate limiting, and B is for transforming XML to JSON, none of which handle JWT validation.

36
MCQmedium

Refer to the exhibit. You executed the Azure CLI command to create a storage account. Later, you attempt to connect from an application that uses TLS 1.1. The connection fails. What is the most likely reason?

A.The storage account uses Standard_GRS replication which is not accessible from all clients
B.The storage account is in a different location than the client
C.The storage account kind is StorageV2 which does not support blobs
D.The minimum TLS version is set to 1.2, blocking TLS 1.1
AnswerD

The command sets the minimum TLS version to 1.2.

Why this answer

The '--min-tls-version 1.2' parameter sets the minimum TLS version to 1.2, so TLS 1.1 connections are rejected. Option A is wrong because Standard_GRS is geo-redundant storage, which is accessible from any client. Option C is wrong because the StorageV2 kind supports blobs.

Option B is wrong because the location eastus is valid.

37
MCQmedium

You are building an Azure Logic App that processes orders. When an order is placed, the Logic App must send a message to an Azure Service Bus queue. The queue is secured using managed identity. Which connector action should you use?

A.HTTP action with SAS token
B.Service Bus connector with managed identity authentication
C.Azure Functions connector
D.Event Grid connector
AnswerB

Correct. The Service Bus connector has built-in support for managed identity, allowing secure authentication without secrets.

Why this answer

The Service Bus connector with managed identity authentication is correct because it allows the Logic App to authenticate to the Azure Service Bus queue using an Azure AD managed identity, eliminating the need for secrets or SAS tokens. This is the recommended approach for securing Service Bus resources when using Azure services, as it leverages Azure RBAC for fine-grained access control and aligns with the principle of least privilege.

Exam trap

The trap here is that candidates may confuse the HTTP action with SAS token as a valid way to use managed identity, but managed identity requires Azure AD authentication, not SAS, and the Service Bus connector explicitly supports this authentication type.

How to eliminate wrong answers

Option A is wrong because the HTTP action with SAS token requires you to generate and manage a Shared Access Signature token, which introduces secret management overhead and does not use managed identity; it is less secure and not the intended method for managed identity scenarios. Option C is wrong because the Azure Functions connector is used to trigger or invoke Azure Functions, not to directly send messages to a Service Bus queue; it would add unnecessary complexity and latency. Option D is wrong because the Event Grid connector is designed for publishing and subscribing to events via Azure Event Grid, not for sending messages to a Service Bus queue; it does not support Service Bus queue operations directly.

38
Multi-Selectmedium

Which TWO Azure services can be used to implement a pub/sub messaging pattern?

Select 2 answers
A.Azure Service Bus Topics
B.Azure Blob Storage
C.Azure Event Hubs
D.Azure Queue Storage
E.Azure Event Grid
AnswersA, E

Service Bus Topics support pub/sub with multiple subscribers.

Why this answer

Options A and E are correct. Service Bus Topics support pub/sub with multiple subscribers. Event Grid also supports pub/sub with event subscriptions.

Option D (Queue Storage) is point-to-point; Option C (Event Hubs) is for event streaming, though it can be used for pub/sub; Option B (Blob Storage) is not a messaging service.

39
Multi-Selecteasy

You are developing a solution that uses Azure Functions to process messages from Azure Service Bus. Which TWO configurations are required to ensure the function scales out to handle high throughput?

Select 2 answers
A.Enable sessions on the Service Bus queue.
B.Set the maxConcurrentCalls property to a value greater than 1.
C.Use a managed identity to connect to Service Bus.
D.Set the batch size to a value greater than 1.
E.Use a Premium App Service plan for the function app.
AnswersB, D

Increases concurrency for message processing.

Why this answer

To scale out Azure Functions with Service Bus, set maxConcurrentCalls so that multiple messages are processed concurrently. Sessions are only needed when messages must be processed in order; they are not required for scaling. The correct options are therefore setting maxConcurrentCalls and using the Service Bus trigger with a batch size.

Option B is correct because maxConcurrentCalls controls concurrency. Option D is correct because the batch size allows processing multiple messages per function invocation. Option A is incorrect because enabling sessions can limit scaling due to session locking.

Option E is incorrect because the Premium plan is not required for scaling; the Consumption plan scales automatically. Option C is incorrect because managed identity is for authentication, not scaling.

40
MCQmedium

A company runs a microservices application on Azure Kubernetes Service (AKS). One service needs to securely access an Azure SQL Database. The solution should avoid storing connection strings in code or configuration. What should they use?

A.Azure Key Vault with a secret store CSI driver
B.Virtual machine managed identity
C.Kubernetes secrets
D.Azure AD Pod Identity (aad-pod-identity)
AnswerD

Assigns Azure AD identities to pods for direct authentication.

Why this answer

Azure AD Pod Identity (option D) assigns an Azure AD identity to pods, allowing them to authenticate to Azure SQL without secrets. Option C uses secrets that are stored in Kubernetes. Option B uses managed identities at the VM level, not the pod level.

Option A uses Azure Key Vault but still requires an initial secret retrieval.

41
MCQhard

A company has an Azure Service Bus namespace with a topic that receives high-throughput messages. They need to ensure that if a subscriber fails, messages are not lost and can be replayed. The subscriber is a client application that uses the PeekLock receive mode. What should they configure?

A.Enable auto-forwarding on the subscription.
B.Set a SQL filter on the subscription.
C.Disable dead-lettering on the subscription.
D.Enable dead-lettering on the subscription.
AnswerD

Dead-letter queue stores messages that fail processing, allowing replay.

Why this answer

A subscription with dead-lettering enabled (option D) ensures that messages which cannot be processed are moved to a dead-letter queue. Option C disables dead-lettering. Option A enables auto-forwarding, not dead-lettering.

Option B sets a filter, which is not relevant here.

42
MCQhard

Refer to the exhibit. You are deploying an API in Azure API Management using an ARM template. The API is configured to use OAuth 2.0 authentication. The deployment fails with a validation error. What is the most likely cause?

A.The serviceUrl is not a valid URL.
B.The dependsOn array uses resourceId incorrectly.
C.The protocols array does not include http.
D.The authorization server 'auth-server-1' is not defined in the template.
AnswerD

The dependsOn expects the authorization server resource to exist; if missing, validation fails.

Why this answer

The dependsOn references an authorization server, but the authorization server resource is not defined in the template (option D). Option C: the protocols array is correct. Option A: the serviceUrl is valid.

Option B: the dependsOn syntax is correct.

43
MCQmedium

You are building an Azure Logic App that needs to call an external HTTP API secured with OAuth 2.0 Client Credentials flow. The client ID and client secret are stored in Azure Key Vault. You need to obtain an access token and include it in the Authorization header of each request. Which combination of actions should you use within the Logic App?

A.Use an HTTP action with the OAuth 2.0 authentication type. Set the client secret parameter to a secure reference to the Key Vault secret.
B.Use two HTTP actions: first, call the token endpoint with credentials to get a token, then use the token in the second action. Store credentials in a string variable.
C.Use the HTTP action with managed identity authentication.
D.Use the 'Invoke a Microsoft Entra ID protected API' connector with the client credentials grant type.
AnswerA

Logic Apps' built-in OAuth 2.0 authentication for HTTP actions handles token acquisition and renewal. The secret can be securely referenced from Key Vault via a parameter.

Why this answer

Option A is correct because the HTTP action in Azure Logic Apps natively supports the OAuth 2.0 authentication type, which can directly handle the Client Credentials flow. By setting the client secret parameter to a secure reference (e.g., `@Microsoft.KeyVault(SecretUri=...)`) pointing to the secret stored in Azure Key Vault, you avoid exposing credentials in the workflow definition. The Logic Apps runtime automatically retrieves the secret from Key Vault, obtains an access token from the token endpoint, and includes it in the Authorization header of each request without requiring custom token management.

Exam trap

The trap here is that candidates often overcomplicate the solution by manually implementing token acquisition (Option B) or misapplying managed identity (Option C) or prebuilt connectors (Option D), not realizing that the built-in HTTP action's OAuth 2.0 authentication type directly supports the Client Credentials flow with Key Vault integration.

How to eliminate wrong answers

Option B is wrong because storing credentials in a string variable within the Logic App is insecure and defeats the purpose of using Key Vault; it also requires manual token acquisition and renewal, which is error-prone and unnecessary when the built-in OAuth 2.0 authentication type handles it automatically. Option C is wrong because managed identity authentication is designed for Azure AD-protected resources that support managed identities (e.g., Azure Storage, Azure SQL), not for external HTTP APIs secured with the OAuth 2.0 Client Credentials flow; it cannot be used to obtain a token for a third-party API that expects a client ID and client secret. Option D is wrong because the 'Invoke a Microsoft Entra ID protected API' connector is a prebuilt connector that works only with APIs registered in the same Azure AD tenant and does not support the Client Credentials grant type with custom client secrets from Key Vault; it is intended for delegated user authentication scenarios, not for service-to-service calls.

44
MCQeasy

You are building an Azure Logic App that must call a third-party REST API. The API requires an API key passed as a query parameter. You need to store the API key securely and automatically add it to each request. Which approach should you use?

A.Hardcode the API key in the Logic App definition.
B.Use Azure Key Vault and the Key Vault connector to retrieve the secret dynamically.
C.Store the API key in an Azure Storage Table and reference it from the Logic App.
D.Use an environment variable in the Logic App.
AnswerB

Key Vault is designed for secure secret storage. The Logic App connector retrieves the secret at runtime without exposing it in code.

Why this answer

Option B is correct because Azure Key Vault provides a secure, centralized service for storing secrets like API keys, and the Key Vault connector in Logic Apps allows you to dynamically retrieve the secret at runtime without exposing it in the workflow definition. This approach ensures the API key is never hardcoded or stored in plaintext, meeting security best practices for accessing third-party APIs.

Exam trap

The trap here is that candidates may think storing the key in an Azure Storage Table or using environment variables is sufficient, but Azure Key Vault is the only option that provides secure, auditable, and managed secret storage with built-in integration for Logic Apps.

How to eliminate wrong answers

Option A is wrong because hardcoding the API key in the Logic App definition exposes the secret in plaintext within the workflow JSON, making it visible to anyone with access to the definition and violating security best practices. Option C is wrong because storing the API key in an Azure Storage Table does not provide encryption at rest by default (unless client-side encryption is implemented), and the key would be stored as plaintext in a table, which is not a secure secret management solution. Option D is wrong because Logic Apps do not support environment variables; this concept is not applicable to Azure Logic Apps, and even if it were, environment variables are not a secure way to store secrets as they can be exposed in logs or configuration files.

45
Multi-Selecthard

Which THREE considerations are important when designing a solution using Azure API Management (APIM) to secure backend APIs?

Select 3 answers
A.Implement rate limiting to prevent abuse
B.Store backend database credentials in APIM policies
C.Use OAuth2 authentication with Azure AD
D.Use JWT validation policies to verify tokens
E.Disable TLS to improve performance
AnswersA, C, D

Rate limiting protects backend APIs from excessive calls.

Why this answer

Options A, C, and D are correct. APIM can validate JWT tokens, limit requests via rate limiting, and use OAuth2 for authentication. Option B (storing backend database credentials in policies) is not a best practice; Option E (disabling TLS) is insecure.

46
MCQmedium

An application publishes order events that multiple independent subscribers must process. Subscribers may be added later without changing the publisher. Which Azure messaging service should be used?

A.Azure Blob Storage lifecycle policy
B.Azure Storage Queue
C.Azure Cache for Redis list only
D.Azure Service Bus topic
AnswerD

Service Bus topics support publish-subscribe messaging with independent subscriptions.

Why this answer

Azure Service Bus topics support a publish/subscribe pattern where multiple independent subscribers can each receive a copy of the same message. This decouples the publisher from subscribers, allowing new subscribers to be added later without modifying the publisher. The topic's subscription mechanism ensures each subscriber processes the event independently.

Exam trap

The trap here is that candidates often confuse Azure Storage Queue (point-to-point) with Service Bus topics (pub/sub), mistakenly thinking a queue can serve multiple independent subscribers when it actually requires a single consumer or competing consumers pattern.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage lifecycle policies automate tiering or deletion of blobs based on age, not message delivery to multiple subscribers. Option B is wrong because Azure Storage Queue provides a point-to-point messaging model where a single consumer processes each message, not a broadcast to multiple independent subscribers. Option C is wrong because Azure Cache for Redis list only supports a simple list data structure for point-to-point message queuing (e.g., via LPUSH/BRPOP), lacking the publish/subscribe semantics needed for multiple independent subscribers.

47
MCQeasy

You are using Azure Blob Storage to store large media files. Clients upload files directly to the storage account using SAS tokens. You need to ensure that the SAS token expires 1 hour after creation. Which parameter should you set when generating the SAS token?

A.SignedProtocol (spr)
B.IP range (sip)
C.SignedExpiry (se)
D.SignedStart (st)
AnswerC

SignedExpiry sets the expiration time of the SAS token.

Why this answer

The 'signedexpiry' parameter (se) defines when the SAS token expires. Setting it to 1 hour from now meets the requirement. Option D is for the start time, B is for the IP range, and A is for allowed protocols.

48
Multi-Selecteasy

Which TWO Azure services can be used to implement a publish-subscribe messaging pattern?

Select 2 answers
A.Azure Queue Storage
B.Azure Event Grid
C.Azure Notification Hubs
D.Azure Service Bus Topics
E.Azure Event Hubs
AnswersB, D

Event Grid supports pub-sub with event subscriptions.

Why this answer

Azure Service Bus Topics and Azure Event Grid both support publish-subscribe. Event Hubs is for event streaming, not pub-sub. Queue Storage is for point-to-point messaging.

Notification Hubs is for push notifications.

49
Multi-Selecteasy

Which TWO Azure services can be used to trigger an Azure Function in response to a new blob being added to an Azure Storage account? (Choose two.)

Select 2 answers
A.HTTP trigger
B.Queue trigger
C.Timer trigger
D.Azure Blob Storage trigger
E.Azure Event Grid subscription
AnswersD, E

Built-in trigger for blob events.

Why this answer

Azure Blob Storage trigger (D) and Azure Event Grid subscription (E) can trigger functions on blob creation. Timer trigger (C) is time-based. HTTP trigger (A) is for HTTP requests.

Queue trigger (B) is for queue messages.

50
MCQhard

You are deploying this ARM template. After deployment, you want to ensure that all traffic to the storage account uses HTTPS. However, you notice that HTTP requests are still accepted. What is the most likely reason?

A.The property 'supportsHttpsTrafficOnly' is misspelled
B.The storage account's network rules allow HTTP traffic from certain IP addresses
C.The property should be set on the blob service, not the storage account
D.The API version does not support this property
AnswerB

Network ACLs can override the HTTPS enforcement for specific sources.

Why this answer

Option B is correct. The property 'supportsHttpsTrafficOnly' only enforces HTTPS for the storage account's endpoints, but the default action for public network access is Allow, so HTTP requests from allowed networks are accepted. Option A is wrong because the property name is correct.

Option C is wrong because the property is set on the storage account. Option D is wrong because the API version supports it.

51
MCQeasy

Your web app needs to authenticate users with Microsoft Entra ID (formerly Azure AD). Which OAuth 2.0 flow should you use for a single-page application (SPA) that uses MSAL.js?

A.Client credentials flow
B.Authorization code flow with PKCE
C.Implicit flow
D.Resource owner password credentials flow
AnswerB

PKCE provides secure token exchange for SPAs.

Why this answer

The authorization code flow with PKCE is the recommended OAuth 2.0 flow for SPAs. Option C is wrong because the implicit flow is deprecated. Option A is wrong because the client credentials flow is for daemon apps.

Option D is wrong because the resource owner password credentials flow is not recommended.

52
MCQeasy

You are developing an application that needs to store and retrieve large binary objects (up to 5 TB) in Azure Blob Storage. The application requires the ability to access data from any URL via HTTP/HTTPS. Which Blob Storage access tier should you use?

A.Hot
B.Archive
C.Cool
D.Premium
AnswerA

Hot tier is optimized for frequent access and supports instant retrieval via HTTP/HTTPS.

Why this answer

Option A is correct because the Hot tier is optimized for frequent access and supports instant retrieval, which matches the requirement for accessing data from any URL. Option C is wrong because the Cool tier is for infrequent access with a 30-day minimum storage duration and higher access costs. Option B is wrong because the Archive tier is for rarely accessed data with hours-long retrieval latency, not suitable for instant HTTP access.

Option D is wrong because the Premium tier is for low-latency, high-transaction scenarios and is more expensive, which is not necessary for this use case.

53
MCQhard

Your Azure Function app needs to call a third-party REST API that requires OAuth 2.0 client credentials flow. The API expects a JWT token signed with a client certificate. You want to store the certificate securely and rotate it automatically. Which Azure service and feature should you use?

A.Store the certificate in Azure Cosmos DB as a document, and retrieve it using the Cosmos DB SDK.
B.Store the certificate in Azure Key Vault with automatic rotation enabled, and use Managed Identity to access it from the Function app.
C.Store the certificate in Azure App Service as a TLS/SSL binding, and use the WEBSITE_LOAD_CERTIFICATES app setting.
D.Store the certificate in Azure Storage as a blob, and reference it from the Function app using a SAS token.
AnswerB

Key Vault supports certificate auto-rotation, and Managed Identity provides secure access without secrets.

Why this answer

Azure Key Vault can store the certificate, and the Managed Identity of the Function app can authenticate to Key Vault. Automatic rotation requires Key Vault's certificate auto-rotation feature. Option B is the best combination.

54
MCQmedium

You are developing a microservice that needs to publish events to multiple subscribers. Each subscriber should receive the event independently and at its own pace. The event must be retained for up to 7 days. Which Azure messaging service should you use?

A.Azure Service Bus queue
B.Azure Service Bus topic
C.Azure Event Grid
D.Azure Event Hubs
AnswerC

Event Grid supports pub/sub with independent subscribers and retention up to 7 days.

Why this answer

Option C is correct because Event Grid supports event publishing to multiple subscribers, each receiving the event independently, and has a retention period of up to 7 days by default (configurable up to 7 days). Option A is wrong because Service Bus queues are for point-to-point communication, not pub/sub. Option D is wrong because Event Hubs is for streaming large volumes of data, not for discrete event fan-out.

Option B is wrong because, although Service Bus topics support pub/sub, their default retention is up to 14 days while the requirement is 7 days; Event Grid is also more appropriate for discrete events and has simpler integration.

55
MCQmedium

You are developing a mobile app that uses Azure Cognitive Services to analyze images. The app must authenticate to the Computer Vision API using a key that is rotated monthly. What is the best practice for handling the key?

A.Store the key in Azure App Configuration with Key Vault references and retrieve it at runtime
B.Use a system-assigned managed identity and acquire a token for Cognitive Services
C.Prompt the user to enter the key on first launch
D.Store the key in the mobile app's local secure storage after initial retrieval
AnswerA

App Configuration supports dynamic secret retrieval from Key Vault, enabling key rotation without redeployment.

Why this answer

Option A is correct because App Configuration with Key Vault references allows key rotation without redeployment. Option C is wrong because a user-supplied key is not suitable for service-to-service authentication. Option B is wrong because tokens from managed identity are easier.

Option D is wrong because local storage is insecure.

56
Multi-Selectmedium

Which TWO are correct ways to securely store and access secrets for Azure Functions? (Choose two.)

Select 2 answers
A.Use Environment.ExpandEnvironmentVariables in the code.
B.Use a Key Vault reference in the Function App settings.
C.Store secrets in the Function App code as constants.
D.Use App Settings with 'slot-sticky' settings and access restrictions.
E.Store secrets in a local.settings.json file and deploy it.
AnswersB, D

Key Vault references allow secure access without exposing secrets.

Why this answer

Azure Key Vault references and App Settings with access restrictions are both secure. Option B (Key Vault reference) is correct; Option D (App Settings) is correct. Option C exposes secrets in code; Option A is not secure; Option E is for local development only.

57
MCQhard

You are building a solution that processes events from multiple Azure Event Hubs. Events must be dispatched to different downstream services based on the event type. You need a serverless solution that can handle high throughput and uses managed identity to authenticate to Event Hubs. Which Azure service should you use?

A.Azure Functions (Event Hubs trigger) with managed identity
B.Azure Stream Analytics
C.Azure Logic Apps (Event Hubs connector)
D.Azure Data Factory
AnswerA

Correct. Azure Functions can process events from Event Hubs at scale and supports managed identity for authentication.

Why this answer

Azure Functions with an Event Hubs trigger supports managed identity authentication, enabling secure, passwordless connections to Event Hubs. It is a serverless, event-driven compute service that can scale to handle high throughput by processing events in parallel across multiple partitions. This makes it the ideal choice for dispatching events to downstream services based on event type.

Exam trap

The trap here is that candidates often confuse Azure Stream Analytics as a general-purpose event dispatcher, but it is specifically a stream analytics engine, not a serverless event router; Azure Functions is the correct choice for event-driven dispatching with managed identity support.

How to eliminate wrong answers

Option B (Azure Stream Analytics) is wrong because it is designed for real-time analytics and complex stream processing (e.g., SQL-like queries over time windows), not for dispatching individual events to multiple downstream services based on event type. Option C (Azure Logic Apps) is wrong because while it can connect to Event Hubs, it is a low-throughput, workflow-orchestration service that does not natively support managed identity for Event Hubs authentication and is not optimized for high-throughput event processing. Option D (Azure Data Factory) is wrong because it is a data integration and ETL service for scheduled, batch-oriented data movement, not a real-time event processing or dispatching service.

58
Drag & Dropmedium

Arrange the steps to implement Azure Blob Storage lifecycle management to archive blobs after 30 days in the correct order.

Why this order

First create a storage account that supports lifecycle management (general-purpose v2, premium block blob, or Blob Storage) and a container, then upload the blobs, open Lifecycle management under Data management in the account, and add a rule scoped to block blobs (optionally with a prefix filter) whose action is "Move to archive storage" when the blob was last modified more than 30 days ago.

59
MCQmedium

You are developing a serverless application using Azure Functions that processes orders. Each order must be validated by calling a third-party API. If the third-party API is unavailable, the function should retry with exponential backoff. How should you implement this?

A.Implement retry logic with exponential backoff and circuit breaker using Polly within the function
B.Enable automatic retries on the function's trigger binding
C.Configure the function to have a long timeout and hope the API responds
D.Use Azure Durable Functions to orchestrate the retry
AnswerA

Polly provides robust transient fault handling.

Why this answer

Option A is correct because the unreliable call is an outbound HTTP request made inside the function body, so that is where the retry policy has to live. Polly (for .NET) provides exponential backoff with jitter and a circuit breaker, so a prolonged outage fails fast instead of tying up every instance in retries. Option B is wrong because the runtime's trigger-level retry policy re-executes the whole function, is only available for certain triggers, and does not wrap a specific downstream call or provide a circuit breaker. Option C is wrong because a longer timeout retries nothing; it only holds the invocation (and the billing meter) open.

Option D is wrong because, although Durable Functions can retry an activity with a configurable backoff, it adds orchestration state and cost that a single validation call does not justify, and it still provides no circuit breaker.
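The retry and circuit-breaker behaviour option A describes, as an added example in plain Python rather than Polly (not code from the page). Sleep, clock and randomness are injected so the policy can be exercised without waiting; FlakyApi is a constructed stand-in for the third-party validation API.

```python
"""Retry with exponential backoff (full jitter) behind a circuit breaker, in plain
Python.  Added example, not from the page; the page's option A names Polly for
.NET, and this reproduces the same two policies.  Sleep, clock and randomness are
injected so the behaviour can be exercised without waiting.  FlakyApi is a
constructed stand-in for the third-party validation API."""
import random
import time
from typing import Callable, Optional


class TransientError(Exception):
    """The third-party API answered 5xx / timed out; worth retrying."""


class CircuitOpenError(Exception):
    """The breaker is open: fail fast instead of hammering a dead dependency."""


class CircuitBreaker:
    def __init__(self, failure_threshold: int = 3, reset_after: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.clock = clock
        self.failures = 0
        self.opened_at: Optional[float] = None

    def allow(self) -> bool:
        if self.opened_at is None:          # closed: normal operation
            return True
        # open: after reset_after seconds let a single probe call through (half-open)
        return self.clock() - self.opened_at >= self.reset_after

    def record_success(self) -> None:
        self.failures = 0
        self.opened_at = None               # probe succeeded: close the circuit

    def record_failure(self) -> None:
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self.opened_at = self.clock()   # (re)open and restart the reset timer


def call_with_backoff(fn: Callable[[], object], *, retries: int = 4, base: float = 0.5,
                      cap: float = 8.0, breaker: Optional[CircuitBreaker] = None,
                      sleep: Callable[[float], None] = time.sleep,
                      rng: Callable[[], float] = random.random):
    """Call fn(); on TransientError retry up to `retries` times, waiting
    rng() * min(cap, base * 2**attempt) between attempts (full jitter spreads the
    retries of many function instances instead of synchronising them)."""
    for attempt in range(retries + 1):
        if breaker is not None and not breaker.allow():
            raise CircuitOpenError("circuit open; not calling the third-party API")
        try:
            result = fn()
        except TransientError:
            if breaker is not None:
                breaker.record_failure()
            if attempt == retries:
                raise                       # budget exhausted: surface the failure
            sleep(rng() * min(cap, base * 2 ** attempt))
            continue
        if breaker is not None:
            breaker.record_success()
        return result


class FlakyApi:
    """Constructed stand-in: raises TransientError for the first `fail_first` calls."""
    def __init__(self, fail_first: int):
        self.fail_first = fail_first
        self.calls = 0

    def validate_order(self) -> dict:
        self.calls += 1
        if self.calls <= self.fail_first:
            raise TransientError("503 Service Unavailable")
        return {"orderId": "A-1001", "valid": True}


if __name__ == "__main__":
    api = FlakyApi(fail_first=2)
    print(call_with_backoff(api.validate_order, breaker=CircuitBreaker()))
```

Full jitter matters on Functions in particular: a scale-out burst of instances all retrying a recovering API on identical schedules recreates the outage, and the breaker keeps a long outage from consuming every instance's execution time.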

60
MCQmedium

You are designing a solution that uses Azure Event Grid to handle events from multiple Azure services. The events must be filtered and routed to different endpoints based on event type. Which component should you use to filter events before they are sent to subscribers?

A.Event grid domain
B.Event grid topic
C.Event subscription with filters
D.Event handler
AnswerC

Event subscriptions can include filters to select which events to forward.

Why this answer

Event Grid allows you to create event subscriptions with filters. You can filter events by event type, subject, or custom properties. This is done at the event subscription level, not on the topic itself.

Option B is wrong because topics are logical endpoints for publishing events, not for filtering. Option A is wrong because domains group many topics for multi-tenant publishing; they do not filter. Option D is wrong because event handlers are the destinations, not filtering components.
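An added example (not from the page) that reproduces Event Grid subscription filtering in Python so the semantics are visible on sample data: two constructed subscriptions using `includedEventTypes`, `subjectBeginsWith`/`subjectEndsWith` and an `advancedFilters` clause, evaluated against constructed Blob Storage events. Endpoint URLs are placeholders, and the case-insensitive string comparison is this stand-in's choice.

```python
"""Event Grid subscription filtering, reproduced in Python so the filter semantics
can be seen on sample events.  Added example, not from the page: the filter
documents use the `filter` shape of an event subscription (subjectBeginsWith,
subjectEndsWith, includedEventTypes, advancedFilters); the events and endpoint
names are constructed.  All clauses of one subscription are ANDed, and a single
event may match several subscriptions."""
from typing import Any, Dict, List

SUBSCRIPTIONS = [
    {
        "name": "invoice-pdfs-to-ocr",
        "endpoint": "https://ocr.contoso.example/ingest",   # constructed
        "filter": {
            "includedEventTypes": ["Microsoft.Storage.BlobCreated"],
            "subjectBeginsWith": "/blobServices/default/containers/invoices/",
            "subjectEndsWith": ".pdf",
            "advancedFilters": [
                {"operatorType": "NumberGreaterThan", "key": "data.contentLength", "value": 0},
            ],
        },
    },
    {
        "name": "deletions-to-audit",
        "endpoint": "https://audit.contoso.example/blob-deleted",  # constructed
        "filter": {"includedEventTypes": ["Microsoft.Storage.BlobDeleted"]},
    },
]


def _lookup(event: Dict[str, Any], key: str):
    """Resolve a dotted key such as data.contentLength; None if absent."""
    node: Any = event
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _advanced_match(clause: Dict[str, Any], event: Dict[str, Any]) -> bool:
    op, value = clause["operatorType"], _lookup(event, clause["key"])
    if op == "IsNullOrUndefined":
        return value is None
    if op == "IsNotNull":
        return value is not None
    if value is None:                       # missing key fails every other operator
        return False
    if op == "NumberGreaterThan":
        return value > clause["value"]
    if op == "NumberLessThan":
        return value < clause["value"]
    if op == "NumberIn":
        return value in clause["values"]
    if op == "BoolEquals":
        return value is clause["value"]
    # string operators: this stand-in compares case-insensitively
    text = str(value).lower()
    candidates = [str(v).lower() for v in clause.get("values", [])]
    if op == "StringIn":
        return text in candidates
    if op == "StringNotIn":
        return text not in candidates
    if op == "StringContains":
        return any(c in text for c in candidates)
    if op == "StringBeginsWith":
        return any(text.startswith(c) for c in candidates)
    if op == "StringEndsWith":
        return any(text.endswith(c) for c in candidates)
    raise ValueError(f"unsupported operatorType {op}")


def matches(flt: Dict[str, Any], event: Dict[str, Any]) -> bool:
    types = flt.get("includedEventTypes")
    if types and event.get("eventType") not in types:
        return False
    subject = event.get("subject", "")
    begins, ends = flt.get("subjectBeginsWith", ""), flt.get("subjectEndsWith", "")
    if not flt.get("isSubjectCaseSensitive", False):
        subject, begins, ends = subject.lower(), begins.lower(), ends.lower()
    if not (subject.startswith(begins) and subject.endswith(ends)):
        return False
    return all(_advanced_match(c, event) for c in flt.get("advancedFilters", []))


def route(events: List[Dict[str, Any]], subscriptions=SUBSCRIPTIONS) -> Dict[str, List[str]]:
    """Map subscription name -> ids of the events it would deliver."""
    return {s["name"]: [e["id"] for e in events if matches(s["filter"], e)] for s in subscriptions}


# Constructed events in the Event Grid schema.
SAMPLE_EVENTS = [
    {"id": "e1", "eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/invoices/blobs/inv-1.pdf",
     "data": {"contentLength": 20480, "api": "PutBlob"}},
    {"id": "e2", "eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/invoices/blobs/empty.pdf",
     "data": {"contentLength": 0, "api": "PutBlob"}},
    {"id": "e3", "eventType": "Microsoft.Storage.BlobCreated",
     "subject": "/blobServices/default/containers/images/blobs/logo.png",
     "data": {"contentLength": 512, "api": "PutBlob"}},
    {"id": "e4", "eventType": "Microsoft.Storage.BlobDeleted",
     "subject": "/blobServices/default/containers/invoices/blobs/inv-0.pdf",
     "data": {"api": "DeleteBlob"}},
]

if __name__ == "__main__":
    print(route(SAMPLE_EVENTS))
```

Filtering in the subscription rather than in the handler is also a security choice: an endpoint never receives events it has no business seeing, and the filter is an auditable property of the subscription resource rather than code that has to be reviewed.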

61
MCQeasy

Your company is building a microservices application on Azure Kubernetes Service (AKS). The application must securely access Azure Key Vault to retrieve secrets. Which identity type should you use for the pods?

A.Service principal with certificate stored in the pod
B.User-assigned managed identity on the node resource group
C.System-assigned managed identity on AKS cluster
D.Microsoft Entra Workload ID (formerly Azure AD Pod Identity)
AnswerD

Workload ID assigns managed identities to pods, enabling secure access to Azure services.

Why this answer

Option D is correct: Microsoft Entra Workload ID (the successor to the now-deprecated Azure AD Pod Identity) lets a pod obtain tokens for a managed identity or app registration without any stored credential. The pod runs under an annotated Kubernetes service account, the kubelet projects a short-lived service-account token into the pod, and a federated identity credential on the managed identity tells Entra ID to accept that token and exchange it for an Entra ID access token, which the pod then presents to Key Vault. Option A is wrong because a certificate stored in the pod is a long-lived credential that has to be distributed, protected and rotated. Option C is wrong because the cluster's system-assigned identity belongs to the control plane and is not usable by workloads.

Option B is wrong because an identity attached to the node pool is reachable through the node's instance metadata endpoint by every pod scheduled on that node, so there is no per-workload isolation; Workload ID scopes the identity to a specific service account and namespace.

62
MCQeasy

You need to process large volumes of streaming data from IoT devices in near real-time. The processed data must be stored in Azure Cosmos DB for further analysis. Which Azure service should you use for stream processing?

A.Azure Batch
B.Azure Databricks
C.Azure Data Lake Storage
D.Azure Stream Analytics
AnswerD

Stream Analytics is designed for real-time stream processing and can output directly to Cosmos DB.

Why this answer

Option D is correct because Azure Stream Analytics is built for real-time stream processing with a SQL-like query language and has a native Azure Cosmos DB output. Option C is wrong because Azure Data Lake Storage is a storage service, not a stream processor. Option B is wrong because Azure Databricks can process streams, but it requires cluster management and more code than the requirement demands.

Option A is wrong because Azure Batch runs batch and HPC jobs, not streaming workloads.

63
MCQeasy

A company develops a web app that processes images uploaded by users. The app uses Azure Cognitive Services to analyze images for moderation. The solution must minimize latency when calling the Cognitive Services endpoint. Which service should the developer use to call the endpoint?

A.Azure Traffic Manager
B.Azure Front Door
C.Azure API Management
D.Azure Blob Storage with a public endpoint
AnswerB

Azure Front Door provides global load balancing and acceleration, reducing latency for Cognitive Services calls.

Why this answer

Option B is correct because Azure Front Door terminates client connections at the nearest edge and carries traffic over the Microsoft backbone, which reduces latency. Option A is incorrect because Azure Traffic Manager is DNS-based and does not optimize the connection path. Option C is incorrect because Azure API Management adds a processing hop on every call.

Option D is incorrect because Azure Blob Storage is a storage service: a public blob endpoint neither calls Cognitive Services nor reduces latency, and exposing it publicly widens the attack surface for no benefit.

64
MCQhard

Litware Inc. has an Azure App Service web app that needs to authenticate users via Microsoft Entra ID. The app uses the Microsoft Authentication Library (MSAL) for .NET. The app must also call Microsoft Graph to read user profiles. The app is registered in Entra ID with delegated permissions for 'User.Read'. The team wants to use the OAuth 2.0 authorization code flow with PKCE. The redirect URI is set to the App Service's URL. The app uses the App Service Authentication feature (EasyAuth) and also custom code. The team notices that after signing in, the app receives an ID token but not an access token for Microsoft Graph. What is the most likely cause?

A.The app registration in Entra ID is missing the 'User.Read' delegated permission. The team must grant admin consent for the permission.
B.The App Service Authentication feature is not configured to request the 'User.Read' scope. The team must add the scope in the 'Allowed external redirect URLs' or configure the 'Additional login parameters' to include 'scope=User.Read'.
C.The authorization code flow with PKCE is not supported by App Service Authentication. The team should use the implicit flow.
D.The redirect URI is incorrect. The team must use the App Service's authentication endpoint instead of the app's URL.
AnswerB

Correct: EasyAuth does not automatically request Graph scopes.

Why this answer

The App Service Authentication feature (EasyAuth) by default requests only the 'openid' and 'profile' scopes needed to sign the user in, so the token store holds an ID token but no access token usable against Microsoft Graph. The fix is to add 'scope=openid profile email User.Read' (plus 'offline_access' if the app needs refresh tokens) to the provider's login parameters: 'loginParameters' in the authsettingsV2 configuration, shown as 'Additional login parameters' in the portal. After the user signs in again, the app can read the Graph access token from the X-MS-TOKEN-AAD-ACCESS-TOKEN request header or from the /.auth/me endpoint. The 'Allowed external redirect URLs' setting that option B also mentions only controls where post-login redirects may go and has nothing to do with scopes; it is the login-parameters part of the option that is correct.

Option A is wrong because the app registration already holds the 'User.Read' delegated permission, which normally needs only user consent, not admin consent. Option C is wrong because EasyAuth uses the authorization code flow; PKCE is not the issue, and the implicit flow is a step backwards in security.

Option D is wrong because the redirect URI is the app's own URL with the /.auth/login/aad/callback path, which EasyAuth handles.
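As an added example (not code from the page): the login parameters that make EasyAuth request a Graph scope, and the server-side code that reads the resulting access token from the request headers before calling Graph. It assumes the token store is on (the default), uses App Service's documented X-MS-TOKEN-AAD-* header names, and stands in a constructed, unsigned JWT for a real Entra ID token.

```python
"""App Service Authentication (EasyAuth) with a Microsoft Graph scope: the login
parameters to configure and the server-side code that picks the Graph access token
out of the request.  Added example, not from the page.  Assumptions: the token store
is enabled (default) so EasyAuth injects the X-MS-TOKEN-AAD-* headers; the sample
JWT below is constructed and unsigned, standing in for a real Entra ID token."""
import base64
import json
from typing import Dict, Optional, Tuple

GRAPH_SCOPE = "User.Read"


def login_parameters(*extra_scopes: str) -> list:
    """Value for identityProviders.azureActiveDirectory.login.loginParameters in
    authsettingsV2 ('Additional login parameters' in the portal).  openid/profile/
    email sign the user in; offline_access lets EasyAuth refresh the token; the
    Graph scopes make Entra ID mint an access token the app can forward to Graph."""
    scopes = ["openid", "profile", "email", "offline_access", GRAPH_SCOPE, *extra_scopes]
    return [f"scope={' '.join(dict.fromkeys(scopes))}"]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def unverified_claims(jwt: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature.  Acceptable only because
    this token is for Graph, not for this app: EasyAuth obtained it from Entra ID
    and Graph validates it on use.  Never authorise anything in your own app on
    claims read this way; use the validated identity EasyAuth exposes instead."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def graph_token_from_request(headers: Dict[str, str],
                             required_scope: str = GRAPH_SCOPE) -> Tuple[Optional[str], Optional[str]]:
    """Return (token, None) if the request carries a Graph access token with the
    needed delegated scope, else (None, reason).  Header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get("x-ms-token-aad-access-token")
    if not token:
        return None, ("no access token: token store disabled or no Graph scope "
                      "in the login parameters (ID token only)")
    granted = unverified_claims(token).get("scp", "").split()
    if required_scope not in granted:
        return None, f"access token lacks {required_scope}; granted scopes: {granted}"
    return token, None


def constructed_jwt(claims: dict) -> str:
    """Build an unsigned JWT for the sample below (NOT a valid token)."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}.sig"


if __name__ == "__main__":
    print(login_parameters())
    good = {"X-MS-TOKEN-AAD-ACCESS-TOKEN": constructed_jwt({"scp": "openid profile email User.Read"}),
            "X-MS-TOKEN-AAD-ID-TOKEN": constructed_jwt({"preferred_username": "alice@contoso.example"})}
    print(graph_token_from_request(good))
    print(graph_token_from_request({"X-MS-TOKEN-AAD-ID-TOKEN": good["X-MS-TOKEN-AAD-ID-TOKEN"]}))
```

The second call in the usage block reproduces the symptom in the question: an ID token arrives but no access token, which is exactly what an app sees when no Graph scope was requested at login.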

65
MCQhard

Refer to the exhibit. You run the above Azure CLI command to upload a blob to Azure Blob Storage. The command fails with the error 'This request is not authorized to perform this operation.' You have verified that the storage account name and container name are correct, and the file exists. What should you do to resolve the error?

A.Provide the storage account key using the --account-key parameter or set the AZURE_STORAGE_KEY environment variable.
B.Generate a shared access signature (SAS) and use it instead of key.
C.Change --auth-mode key to --auth-mode login.
D.Upgrade to the latest version of Azure CLI.
AnswerA

The command uses key auth but does not supply the key; adding the key resolves the error.

Why this answer

Option A is correct because the command runs with --auth-mode key, so the CLI must sign the request with the storage account key; the command as shown supplies none, so the request is rejected as unauthorized. Provide the key with --account-key or the AZURE_STORAGE_KEY environment variable (or a full connection string via --connection-string / AZURE_STORAGE_CONNECTION_STRING) and the upload succeeds.

Option D is wrong because upgrading the CLI does not add missing credentials. Option C is wrong in the context of the question: --auth-mode login is the better practice, since it uses your Entra ID identity and a data-plane role such as Storage Blob Data Contributor and no account key is ever handled, but switching modes without also holding that role would fail with a different error. Option B is wrong because a SAS is not required; key auth works once the key is supplied.

Practitioner caveat: outside the exam, read the error code before reaching for a key. 'This request is not authorized to perform this operation.' (AuthorizationFailure) is also what the service returns when the storage account's firewall or virtual-network rules block the client, a bad key returns AuthenticationFailed ('Server failed to authenticate the request'), and a missing RBAC role under --auth-mode login returns AuthorizationPermissionMismatch. The account key grants full access to the whole account and is not attributable to a user, so treat it as a last resort.

66
MCQhard

You manage an API in Azure API Management. You need to cache API responses such that different responses are returned based on the product subscription key used by the caller. Which set of policies should you implement?

A.Set a 'cache-lookup' policy in the inbound section and a 'cache-store' policy in the outbound section, using the subscription key as a cache vary-by parameter.
B.Set a 'cache-store' policy in the inbound section and a 'cache-lookup' policy in the outbound section.
C.Set both 'cache-lookup' and 'cache-store' policies in the inbound section.
D.Set only a 'cache-store' policy in the backend section.
AnswerA

This is the correct pattern: lookup cache on request, store on response, varying by subscription key.

Why this answer

Option A is correct because caching API responses based on the subscription key ensures that each caller receives a cached response unique to their subscription. The 'cache-lookup' policy in the inbound section checks the cache before forwarding the request, and the 'cache-store' policy in the outbound section stores the response after it is generated. By specifying the subscription key as a vary-by parameter, the cache key includes the subscription key, so different keys produce different cached entries.

Exam trap

The trap here is that candidates often assume caching policies must both be in the inbound section, not realizing that 'cache-lookup' must run before the backend call and 'cache-store' must run after the response is generated, requiring them in inbound and outbound respectively.

How to eliminate wrong answers

Option B is wrong because it reverses the policy placement: 'cache-store' in the inbound section would attempt to store a response before it is generated, and 'cache-lookup' in the outbound section would check the cache after the response is already produced, defeating the purpose of caching. Option C is wrong because placing both policies in the inbound section would attempt to store a response before it is created, and the 'cache-lookup' would not have a response to cache from the outbound flow. Option D is wrong because a 'cache-store' policy alone in the backend section does not include a 'cache-lookup' to retrieve cached responses, and the backend section is not the correct location for response caching; caching policies must be paired in inbound/outbound sections.

67
MCQhard

A developer is building a microservices application on Azure Kubernetes Service (AKS). One service needs to consume messages from an Azure Service Bus queue. The solution must minimize cost and automatically scale based on the number of messages. Which approach should the developer choose?

A.Use KEDA to scale the pods based on the Service Bus queue length
B.Use Azure Event Grid to route messages to the microservice
C.Use Azure Functions with a Service Bus trigger on a dedicated App Service plan
D.Use the Azure Service Bus SDK in the pod code and manually scale pods
AnswerA

KEDA provides event-driven autoscaling for Kubernetes based on queue length, optimizing cost.

Why this answer

Option A is correct because KEDA (Kubernetes Event-Driven Autoscaling) has an Azure Service Bus scaler that reads the queue's active message count and scales the deployment between zero and a configured maximum, so no consumer pods run while the queue is empty; AKS offers KEDA as a managed add-on, and the scaler can authenticate to Service Bus with a workload identity instead of a connection string. Option D is incorrect because the Service Bus SDK with manual scaling provides no automatic scaling. Option C is incorrect because a Functions app on a dedicated plan is billed whether or not messages arrive.

Option B is incorrect because Azure Event Grid is a push-based event router, not a way to consume from a Service Bus queue.

68
MCQeasy

A business process requires sending an approval email, waiting up to 48 hours for a manager's response, and then updating a SharePoint list based on the decision. The process owner has no programming experience and wants to build this without writing code. Which Azure service is the most appropriate?

A.Azure Logic Apps with the Office 365 Outlook approval action and the SharePoint connector
B.Azure Durable Functions with the Human Interaction pattern using a timer and event listener
C.Azure Data Factory with a Copy Activity pipeline triggered by an Azure Function
D.Azure Event Grid with a custom webhook handler that calls the SharePoint REST API
AnswerA

The Logic Apps approval action sends an email with Approve/Reject buttons and suspends the workflow run (using Azure's durable storage) until the response arrives or the timeout expires. The SharePoint connector's 'Update item' action then writes the outcome to the list. The entire workflow is configured without code using the Logic Apps Designer.

Why this answer

Azure Logic Apps is the correct choice because it provides a no-code/low-code designer that allows the process owner to visually build the approval workflow using the Office 365 Outlook 'Send approval email' action and the SharePoint connector to update the list. This fully meets the requirement of no programming experience while handling the 48-hour wait and conditional update.

Exam trap

The trap here is that candidates may over-engineer the solution by choosing Durable Functions (Option B) because they recognize the Human Interaction pattern, but they overlook the explicit 'no programming experience' constraint that makes Logic Apps the only viable choice.

How to eliminate wrong answers

Option B is wrong because Azure Durable Functions require writing code in C#, JavaScript, or Python to implement the Human Interaction pattern, which violates the 'no programming experience' requirement. Option C is wrong because Azure Data Factory is designed for data movement and transformation pipelines, not for human approval workflows or sending emails. Option D is wrong because Azure Event Grid is a pub/sub event routing service that requires a custom webhook handler (typically an Azure Function or web app) to process the approval logic and call the SharePoint REST API, which again requires coding.

69
Multi-Selectmedium

Which TWO approaches can you use to call an external REST API from an Azure Function while ensuring the API key is not exposed in the function code?

Select 2 answers
A.Store the API key in GitHub repository secrets.
B.Hardcode the API key in the function code.
C.Store the API key as an environment variable in the function app settings.
D.Pass the API key in an HTTP header and include it in the source code.
E.Store the API key in Azure Key Vault and retrieve it using Managed Identity.
AnswersC, E

Keeps key out of code.

Why this answer

C and E are correct. Storing the key in Key Vault and reading it with the function's managed identity keeps the key out of code and out of the deployment package, records every read in the vault's audit log, and lets you rotate it in one place. Function app settings also keep the key out of the code; they are encrypted at rest, but anyone with Contributor rights on the app can read them, so the stronger form is an app setting that is a Key Vault reference, with the value living in the vault.

Option B is wrong because hardcoding exposes the key to every reader of the repository. Option A is wrong because GitHub repository secrets are available to CI/CD workflows, not to the running function. Option D is wrong because an HTTP header is the correct transport for the key, but keeping the value in source still exposes it.

70
MCQhard

A company uses Azure API Management (APIM) to expose APIs to external partners. They need to enforce rate limiting per subscription key. Which APIM policy should be configured?

A.quota
B.rate-limit
C.ip-filter
D.throttling
AnswerB

rate-limit policy enforces a rate limit per subscription key, which is the requirement.

Why this answer

Option B is correct because the rate-limit policy enforces a call-rate limit per subscription over a renewal period. Option A (quota) caps total calls or bandwidth over a long period such as a month; that is a usage quota, not a rate limit. Option C (ip-filter) allows or denies callers by IP address and does no rate limiting. Option D (throttling) is not an APIM policy name; the related policy is rate-limit-by-key, which keys the counter on any expression (a caller IP, a JWT claim) rather than on the subscription.

71
MCQmedium

You manage an API in Azure API Management. You need to enforce a rate limit of 200 requests per minute for each subscription key. Which policy should you include in the inbound policy section?

A.<rate-limit> policy
B.<quota> policy
C.<limit-concurrency> policy
D.<throttle> policy
AnswerA

The <rate-limit> policy limits call rates per subscription key (or other scope) over a sliding window.

Why this answer

The <rate-limit> policy in Azure API Management is specifically designed to enforce a per-subscription key rate limit, such as 200 requests per minute. It operates on a sliding window counter to smooth traffic and is applied in the inbound section to evaluate each request before it reaches the backend. This matches the requirement exactly.

Exam trap

The trap here is confusing <rate-limit> with <quota>, as both control request volume, but <quota> applies to total counts over days/months, not per-minute rate limiting.

How to eliminate wrong answers

Option B is wrong because the <quota> policy enforces a total number of requests over a longer period (e.g., 10,000 calls per month), not a per-minute rate limit. Option C is wrong because the <limit-concurrency> policy restricts the number of simultaneous connections, not the request rate over time. Option D is wrong because there is no <throttle> policy in Azure API Management; the correct term is <rate-limit> for per-key throttling.
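An added example (not from the page) serving questions 66 and 71: the APIM policy layout both answers require, written as constructed XML, next to a broken variant, with a small lint that checks section placement and the per-subscription vary-by. Element and attribute names are APIM's own; the lint is ours.

```python
"""Azure API Management policy placement, checked with a small lint.  Added
example, not from the page: the two policy documents are constructed XML showing
the layout questions 66 and 71 describe (rate-limit and cache-lookup in <inbound>,
cache-store in <outbound>, cache varied per subscription with
vary-by-developer="true") and a broken variant; lint_policy() reports what a
reviewer would reject.  Element names and attributes are APIM's own."""
import xml.etree.ElementTree as ET
from typing import List

GOOD_POLICY = """
<policies>
  <inbound>
    <base />
    <rate-limit calls="200" renewal-period="60" />
    <cache-lookup vary-by-developer="true" vary-by-developer-groups="false"
                  downstream-caching-type="none" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
    <cache-store duration="300" />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
"""

# Constructed anti-pattern: store before the backend runs, rate-limit after it,
# and cache without varying by subscription (every caller would share one entry).
BAD_POLICY = """
<policies>
  <inbound>
    <base />
    <cache-store duration="300" />
    <cache-lookup vary-by-developer="false" downstream-caching-type="none" />
  </inbound>
  <backend><base /></backend>
  <outbound>
    <base />
    <rate-limit calls="200" renewal-period="60" />
  </outbound>
  <on-error><base /></on-error>
</policies>
"""

# Where each policy must sit for it to take effect before/after the backend call.
REQUIRED_SECTION = {
    "rate-limit": "inbound",
    "rate-limit-by-key": "inbound",
    "quota": "inbound",
    "cache-lookup": "inbound",
    "cache-store": "outbound",
}


def lint_policy(xml_text: str) -> List[str]:
    """Return a list of placement problems; empty means the layout is acceptable."""
    root = ET.fromstring(xml_text)
    problems: List[str] = []
    for section in ("inbound", "backend", "outbound", "on-error"):
        node = root.find(section)
        if node is None:
            continue
        for el in node.iter():
            expected = REQUIRED_SECTION.get(el.tag)
            if expected and expected != section:
                problems.append(f"<{el.tag}> found in <{section}>, expected <{expected}>")
    lookup = root.find("inbound/cache-lookup")
    store = root.find("outbound/cache-store")
    if (lookup is None) != (store is None):
        problems.append("cache-lookup (inbound) and cache-store (outbound) must be used as a pair")
    if lookup is not None and lookup.get("vary-by-developer") != "true":
        problems.append('cache-lookup lacks vary-by-developer="true": all subscriptions would share one cached response')
    return problems


if __name__ == "__main__":
    print("good:", lint_policy(GOOD_POLICY))
    print("bad:", lint_policy(BAD_POLICY))
```

The vary-by check is the security-relevant one: a cache-lookup that does not vary by developer (subscription) or by an authorization header serves one caller's cached response to every other caller, which is a cross-tenant data leak rather than a performance bug.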

72
MCQmedium

You are using Azure Logic Apps to integrate with a third-party CRM. The CRM API requires OAuth 2.0 authentication with a client secret. The secret must be stored securely and rotated automatically. What should you do?

A.Use a system-assigned managed identity without storing the secret
B.Store the secret in Azure Key Vault and use a managed identity to access it
C.Store the secret in the Logic App definition as a string parameter
D.Store the secret in Azure App Configuration with encryption
AnswerB

Key Vault provides secure storage and automatic rotation with access via managed identity.

Why this answer

Store the secret in Key Vault and read it from the Logic App with the workflow's managed identity, either through the Key Vault connector or, in a Standard workflow, through a Key Vault reference in the app settings; the identity needs only Get permission on secrets (or the Key Vault Secrets User role). Turn on Secure Inputs and Secure Outputs for the Key Vault action so the secret value is not written into the run history. On rotation: Key Vault versions secrets and can raise a near-expiry event, but obtaining a new client secret from the CRM is still a rotation job you drive from that event; once the new version is written, a reference without a version picks it up with no change to the workflow. Option C is wrong because a secret in the workflow definition is visible to anyone who can read the definition or export the ARM template. Option D is wrong because App Configuration is for settings, not secrets; it holds secrets only as Key Vault references.

Option A is wrong because a managed identity authenticates only to Entra ID-protected Azure resources; it cannot present a client secret to a third-party OAuth 2.0 server.

73
Multi-Selecteasy

Which TWO authentication mechanisms can be used to authenticate an Azure Function to Azure Storage?

Select 2 answers
A.Client certificate
B.Shared access signature (SAS) token
C.Storage account connection string with account key
D.Azure AD token acquired via client credentials flow
E.System-assigned managed identity
AnswersC, E

Connection strings with account key are a supported method.

Why this answer

Options C and E are correct. A system-assigned managed identity is the preferred mechanism: the function's identity is granted a data-plane role such as Storage Blob Data Contributor, and the Storage SDK or an identity-based binding connection obtains tokens from Entra ID with no stored credential. A connection string with the account key is supported as well, but the key is a long-lived, full-access credential that must be stored (ideally as a Key Vault reference) and rotated. Option B is wrong per the answer key because a SAS is a delegated, scoped grant issued to a client rather than an identity for the function; in practice the SDK accepts one, but it must still be stored and renewed.

Option A is wrong because Azure Storage does not support client-certificate authentication. Option D is wrong per the answer key because a client-credentials token requires a service principal secret or certificate that the function would have to hold, which is exactly what a managed identity removes.

74
MCQhard

You are designing a solution to securely store connection strings for an Azure Function app that connects to Azure Service Bus. The connection string contains a Shared Access Key. The company policy requires that secrets be rotated every 90 days and that no secret is stored in source code or configuration files. The solution should minimize operational overhead. What should you use?

A.Store the connection string in Azure Key Vault and use a managed identity to access it from the Function app.
B.Store the connection string in a JSON configuration file and use Azure Policy to enforce encryption.
C.Store the connection string in Azure App Configuration with encryption at rest using a customer-managed key.
D.Store the connection string as an environment variable in the Function app's application settings.
AnswerA

Key Vault with managed identity provides secure storage, rotation, and no secrets in code.

Why this answer

Azure Key Vault with a managed identity keeps the Service Bus connection string out of code and configuration files: the Function app reads it through a Key Vault reference in its app settings or with the Key Vault SDK, authenticated by its identity. Rotation means regenerating the Service Bus key, adding the new value as a new secret version, and letting a versionless reference pick it up without a redeploy; Key Vault can raise a near-expiry event to drive that job on the 90-day schedule. Option A is correct for these reasons. Option C is incorrect because App Configuration with a customer-managed key only changes who holds the encryption key; it is not a secret store and has no rotation workflow of its own (it can hold Key Vault references, which brings you back to option A).

Option D is incorrect because app settings are readable by anyone with Contributor access to the app and rotation means editing the setting by hand. Option B is incorrect because a configuration file is exactly what the policy forbids, and Azure Policy does not encrypt files.

Practitioner note: the cleanest design removes the Shared Access Key altogether by using an identity-based connection (ServiceBusConnection__fullyQualifiedNamespace with the Azure Service Bus Data Receiver or Data Sender role), which leaves nothing to rotate; it is the question's stipulation that the connection string contains a key that makes Key Vault the expected answer.

75
Multi-Selectmedium

Which TWO actions should you take to securely store and retrieve secrets for an Azure App Service application? (Choose two.)

Select 2 answers
A.Configure a Key Vault access policy for the App Service managed identity
B.Store connection strings as plain text in the application code
C.Store secrets in Azure Key Vault
D.Generate SAS tokens in Key Vault
E.Store secrets in the App Service application settings
AnswersA, C

Access policies grant the managed identity permission to read secrets.

Why this answer

Option C is correct: Azure Key Vault is the recommended service for storing secrets. Option A is correct: the App Service's managed identity must be granted permission to read secrets, through a Key Vault access policy or, preferably on new vaults, an Azure RBAC role assignment such as Key Vault Secrets User. Option E is wrong because app settings, although encrypted at rest, are readable by anyone with Contributor-level access to the app; the right pattern is a Key Vault reference in the app setting with the value in the vault.

Option B is wrong because secrets must never be hardcoded; they should be retrieved from Key Vault. Option D is wrong because generating SAS tokens is not part of storing and retrieving application secrets (Key Vault's managed storage account feature can mint SAS tokens, but that is a separate, niche capability and not what the question asks).
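An added example (not from the page) covering questions 69, 72, 74 and 75: a parser and audit for Key Vault references in App Service and Functions app settings. The settings dictionary is constructed sample input; the two reference syntaxes are App Service's own, and the plaintext-secret heuristics are ours.

```python
"""Key Vault references in App Service / Functions application settings, parsed and
audited.  Added example, not from the page, covering questions 69, 72, 74 and 75:
a setting whose value is @Microsoft.KeyVault(...) keeps the secret in the vault
(the app's managed identity reads it with Get permission or the Key Vault Secrets
User role), a reference without a version follows rotation to the newest version,
and anything that looks like a plaintext key or connection string is flagged.
The settings dictionary is constructed sample input."""
import re
from typing import Dict, Optional, Tuple

KV_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.+)\)$")
SECRET_URI = re.compile(
    r"^https://(?P<vault>[^./]+)\.vault\.azure\.net/secrets/(?P<name>[^/]+)(?:/(?P<version>[^/]+))?/?$"
)
# Heuristics for secret material that should never sit in a setting as plaintext.
PLAINTEXT_MARKERS = [
    re.compile(r"(?i)\bAccountKey="),
    re.compile(r"(?i)\bSharedAccessKey="),
    re.compile(r"(?i)\bpassword="),
    re.compile(r"[?&;]sig="),
]


def parse_keyvault_reference(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {'vault', 'secret', 'version'} for either reference syntax
    (SecretUri=... or VaultName=...;SecretName=...[;SecretVersion=...]);
    None if the value is not a reference; ValueError if it is malformed."""
    m = KV_REF.match(value.strip())
    if not m:
        return None
    body = m.group("body")
    if body.startswith("SecretUri="):
        uri = SECRET_URI.match(body[len("SecretUri="):])
        if not uri:
            raise ValueError(f"malformed SecretUri in Key Vault reference: {body}")
        return {"vault": uri["vault"], "secret": uri["name"], "version": uri["version"]}
    parts = dict(p.split("=", 1) for p in body.split(";") if "=" in p)
    if "VaultName" not in parts or "SecretName" not in parts:
        raise ValueError(f"Key Vault reference needs VaultName and SecretName: {body}")
    return {"vault": parts["VaultName"], "secret": parts["SecretName"], "version": parts.get("SecretVersion")}


def audit_settings(settings: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Classify each app setting as ok / warn / fail with a reason."""
    report: Dict[str, Tuple[str, str]] = {}
    for name, value in settings.items():
        ref = parse_keyvault_reference(value)
        if ref is not None:
            if ref["version"] is None:
                report[name] = ("ok", f"Key Vault reference to {ref['vault']}/{ref['secret']}, latest version (follows rotation)")
            else:
                report[name] = ("warn", f"pinned to version {ref['version']}; rotation needs a settings change")
        elif any(p.search(value) for p in PLAINTEXT_MARKERS):
            report[name] = ("fail", "plaintext secret in app settings; move it to Key Vault and reference it")
        else:
            report[name] = ("ok", "no secret material detected")
    return report


# Constructed sample settings (values are placeholders, not real credentials).
SAMPLE_SETTINGS = {
    "ServiceBusConnection": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/sb-conn/)",
    "CrmClientSecret": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=crm-client-secret;SecretVersion=6a1b2c3d)",
    "LegacyStorage": "DefaultEndpointsProtocol=https;AccountName=legacy;AccountKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=;EndpointSuffix=core.windows.net",
    "FeatureFlags": "beta-ui,new-checkout",
}

if __name__ == "__main__":
    for name, (status, reason) in audit_settings(SAMPLE_SETTINGS).items():
        print(f"{status:4} {name}: {reason}")
```

A versionless reference is what makes rotation operationally cheap: add the new secret version in the vault and App Service picks it up on its periodic re-resolution (documented at roughly 24 hours) or immediately on restart. The identity reading the vault needs only the secret Get permission (or the Key Vault Secrets User role); do not grant List or management-plane rights to an application identity.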
