CCNA Connect Consume Services Questions

75 of 266 questions · Page 3/4 · Connect Consume Services topic · Answers revealed

151
MCQ · easy

Messages failing to process are redelivered by Azure Service Bus. After a message has been delivered and abandoned the maximum number of times (MaxDeliveryCount), where does Service Bus move the message?

A. The message is moved to the dead-letter sub-queue of the original queue
B. The message is permanently deleted from the queue
C. The message is returned to the front of the queue with its DeliveryCount reset to zero
D. The message expires and is discarded according to the Time-to-Live setting
Answer: A

Dead-lettering on MaxDeliveryCount is automatic. The message's DeliveryCount property increments on each delivery attempt. When DeliveryCount exceeds MaxDeliveryCount, Service Bus moves the message to the /<queue>/$deadletterqueue path with a DeadLetterReason of 'MaxDeliveryCountExceeded'.

Why this answer

When a message in Azure Service Bus is delivered and abandoned the maximum number of times (as defined by the MaxDeliveryCount property, default 10), the message is automatically moved to the dead-letter sub-queue of the original queue. This dead-letter sub-queue stores messages that cannot be processed successfully, allowing you to inspect and handle them separately without losing the message entirely.

Exam trap

The trap here is that candidates often assume messages are simply deleted or returned to the queue when the delivery count is exceeded, but Azure Service Bus explicitly moves them to a dead-letter sub-queue to ensure no data loss and to provide a mechanism for manual handling.

How to eliminate wrong answers

Option B is wrong because Service Bus does not permanently delete messages that exceed MaxDeliveryCount; instead, it moves them to the dead-letter sub-queue to preserve them for later analysis. Option C is wrong because returning the message to the front of the queue with a reset DeliveryCount would defeat the purpose of the MaxDeliveryCount limit and could cause infinite processing loops. Option D is wrong because the Time-to-Live (TTL) setting controls message expiration independently of MaxDeliveryCount; a message that exceeds MaxDeliveryCount is moved to the dead-letter sub-queue regardless of its TTL, unless the TTL expires first.

152
Multi-Select · medium

Which THREE Azure services can be used to send email notifications from an application?

Select 3 answers
A. Azure Event Grid
B. Azure Logic Apps
C. Azure Communication Services Email
D. Azure Functions (with SendGrid binding)
E. Azure Service Bus
Answers: B, C, D

Correct: has connectors for email (e.g., Office 365).

Why this answer

Azure Logic Apps, Azure Functions (with SendGrid), and Azure Communication Services Email can send emails. Azure Event Grid and Azure Service Bus are messaging/event services, not email.

153
MCQ · easy

You run the above PowerShell script to upload a blob to Azure Storage. The script fails with an error. Which part of the script is causing the failure?

A. The storage account name 'mystorageaccount' is invalid.
B. The connection string format is incorrect.
C. The -File parameter should be a file path, not a string.
D. The container name 'mycontainer' does not exist.
Answer: C

Set-AzStorageBlobContent expects a local file path; to upload a string, you should use the -Value parameter.

Why this answer

The Set-AzStorageBlobContent -File parameter expects a file path, not a string. Option B is correct. Option A is fine; Option C is fine; Option D is fine.

154
MCQ · hard

Your application uses Azure Cosmos DB for NoSQL. You need to implement server-side computed properties that depend on multiple document fields. The computation must be performed atomically. Which approach should you use?

A. Use a pre-trigger to compute the property on write
B. Use the change feed to compute the property asynchronously
C. Use a user-defined function (UDF) in queries
D. Use a stored procedure to compute and update the property in a single transaction
Answer: D

Stored procedures provide atomic transactional execution within a partition.

Why this answer

Stored procedures in Azure Cosmos DB for NoSQL execute within a transactional scope, allowing you to atomically compute a property based on multiple document fields and update the document in a single operation. This ensures that the computation and update are performed as an all-or-nothing unit, which is required for atomicity. Pre-triggers, change feeds, and UDFs do not provide atomic read-modify-write semantics across multiple fields.

Exam trap

The trap here is that candidates often confuse the atomic execution of a stored procedure with the eventual consistency of the change feed or the query-time computation of a UDF, failing to recognize that only stored procedures provide a transactional scope for read-modify-write operations on the same document.

How to eliminate wrong answers

Option A is wrong because pre-triggers run before a write operation but cannot atomically read the existing document fields, compute a new property, and update the same document in a single transaction—they only modify the document being written. Option B is wrong because the change feed processes changes asynchronously, which breaks atomicity; the computed property would be applied in a separate operation, not within the same transaction as the original write. Option C is wrong because user-defined functions (UDFs) are stateless and only compute values at query time; they cannot persist computed properties back to the document or guarantee atomic updates.

155
MCQ · medium

You are developing a microservice that processes images. After processing, it needs to store the result in Azure Blob Storage and send a message to Azure Service Bus for further processing. Which Azure SDK client should you use to minimize overhead?

A. Use the Azure.Storage.Blobs and Azure.Messaging.ServiceBus NuGet packages
B. Deploy the microservice as an Azure Function
C. Call the Azure REST APIs directly using HttpClient
D. Use Azure SignalR Service for messaging
Answer: A

These SDK packages provide efficient, high-level APIs for Blob Storage and Service Bus.

Why this answer

The Azure SDK for .NET provides client libraries for Blob Storage and Service Bus that are optimized for performance and low overhead. Option A is wrong because REST APIs require manual HTTP handling. Option B is wrong because SignalR is for real-time messaging, not queues.

Option C is wrong because Functions are compute, not client libraries.

156
MCQ · medium

A company uses Azure Logic Apps to integrate with a third-party CRM system. The CRM API requires OAuth 2.0 authentication. The developer needs to securely store the client secret and refresh token. Which Azure service should the developer use?

A. Azure App Configuration
B. Azure Key Vault
C. Azure Managed Identity
D. Azure SQL Database
Answer: B

Key Vault securely stores secrets and credentials, and Logic Apps can reference them.

Why this answer

Option A is correct because Azure Key Vault securely stores secrets and credentials, and Logic Apps can reference them. Option B is incorrect because Azure App Configuration is for configuration settings, not secrets. Option C is incorrect because Azure SQL Database is not a secret store.

Option D is incorrect because Azure Managed Identity is for Azure AD authentication, not for third-party OAuth secrets.

157
MCQ · hard

A system receives high-volume event notifications from Azure resources and routes them to serverless handlers. Events are lightweight and should use native event routing. Which service should be used? The architecture review board prefers a managed AWS-native control.

A. Azure DNS
B. Azure Event Grid
C. Azure Files
D. Azure Service Bus queue
Answer: B

Event Grid is designed for reactive event routing from Azure services and custom publishers.

Why this answer

Azure Event Grid is the correct choice because it is a fully managed event routing service designed for high-volume, lightweight event notifications using native event routing (HTTP push). It directly supports Azure resource events and serverless handlers like Azure Functions, aligning with the requirement for native event routing without polling or queuing overhead.

Exam trap

The trap here is confusing Azure Event Grid (push-based, lightweight event routing) with Azure Service Bus (pull-based, durable messaging), leading candidates to choose Service Bus for its familiarity with queuing, despite the requirement for native event routing.

How to eliminate wrong answers

Option A is wrong because Azure DNS is a domain name resolution service, not an event routing service; it cannot handle event notifications or trigger serverless handlers. Option C is wrong because Azure Files provides managed file shares via SMB/NFS protocols, which are unsuitable for event-driven, lightweight event routing. Option D is wrong because Azure Service Bus queue is a message broker for ordered, durable messaging with pull-based consumption, not a native event routing service for lightweight, push-based events.

158
MCQ · hard

Your company deploys a microservices architecture on Azure Kubernetes Service (AKS). The application consists of a frontend service, an order service, and a payment service. The order service writes messages to an Azure Service Bus queue, and the payment service processes them. You need to ensure that the payment service can scale independently based on the queue length, and that the processing is fault-tolerant: if the payment service crashes during message processing, the message should not be lost and should be retried. You also need to minimize cost by reducing the number of idle instances. You configure the payment service as an Azure Function triggered by the Service Bus queue. Which configuration options should you set?

A. Use an Azure Storage Queue instead of Service Bus. Set the function's batchSize to 10.
B. Disable retries completely to avoid duplicate processing.
C. Set the function to run on a fixed instance count of 3.
D. Set maxDeliveryCount to 5 in the Service Bus queue. Configure the Azure Function's scaling mode to 'Scale based on the number of messages in the queue'.
Answer: D

maxDeliveryCount provides retries; scaling based on queue length optimizes cost.

Why this answer

Setting maxDeliveryCount to 5 ensures that messages are retried up to 5 times if processing fails, which provides fault tolerance. Setting the function scaling mode to 'Scale based on the number of messages in the queue' allows the function to scale out based on queue length, reducing idle instances. Option A is the correct combination.

Option B is wrong because using a storage queue instead of Service Bus would require different scaling. Option C is wrong because a fixed instance count would not minimize cost. Option D is wrong because disabling retries would lead to message loss.

159
MCQ · hard

A system receives high-volume event notifications from Azure resources and routes them to serverless handlers. Events are lightweight and should use native event routing. Which service should be used?

A. Azure DNS
B. Azure Event Grid
C. Azure Files
D. Azure Service Bus queue
Answer: B

Event Grid is designed for reactive event routing from Azure services and custom publishers.

Why this answer

Azure Event Grid is the correct choice because it is a fully managed event routing service designed for high-volume, lightweight event notifications using native event routing (HTTP-based push model). It supports serverless handlers like Azure Functions and automatically delivers events to subscribers with built-in retry and dead-lettering, making it ideal for reacting to Azure resource state changes.

Exam trap

The trap here is confusing Azure Event Grid (push-based, lightweight event routing) with Azure Service Bus (pull-based, message queuing), leading candidates to choose Service Bus for event scenarios when Event Grid is the native, serverless-optimized choice.

How to eliminate wrong answers

Option A is wrong because Azure DNS is a domain name resolution service (translates domain names to IP addresses) and does not handle event routing or serverless event processing. Option C is wrong because Azure Files provides fully managed file shares accessible via SMB or NFS protocols, not event notification or routing capabilities. Option D is wrong because Azure Service Bus queue is a message broker designed for reliable, ordered message delivery with features like sessions and transactions, but it uses pull-based messaging and is not optimized for lightweight, native event routing; it is better suited for decoupled messaging with complex processing requirements.

160
MCQ · easy

You need to send notifications to mobile devices when a new file is uploaded to Azure Blob Storage. Which Azure service should you use to route the event to a notification hub?

A. Azure Service Bus
B. Azure Queue Storage
C. Azure Event Grid
D. Azure Event Hubs
Answer: C

Event routing service.

Why this answer

Option B is correct because Azure Event Grid is designed for event routing from Azure services to handlers like Azure Notification Hubs. Option A is wrong because Azure Service Bus is for messaging. Option C is wrong because Azure Queue Storage is for storage queues.

Option D is wrong because Azure Event Hubs is for big data streaming.

161
MCQ · medium

You are building an Azure Logic App that must send email notifications via Office 365 when a new order is placed. You need to securely store the Office 365 credentials and reference them in the Logic App. Which approach should you use?

A. Store the credentials in a variable within the Logic App designer
B. Use an Azure Key Vault action with a connection that uses a username and password
C. Use an Azure Key Vault connector with a managed identity assigned to the Logic App
D. Store the credentials in an Azure Storage table and fetch them in the Logic App
Answer: C

The managed identity authenticates to Key Vault without any stored credentials, allowing the Logic App to retrieve the Office 365 credentials securely at runtime.

Why this answer

Option C is correct because using an Azure Key Vault connector with a managed identity assigned to the Logic App allows you to securely store Office 365 credentials in Key Vault and authenticate to it without hardcoding secrets or managing credentials. The managed identity provides an Azure AD-backed identity for the Logic App, eliminating the need for username/password in connection strings and enabling secure, auditable access to secrets.

Exam trap

The trap here is that candidates often confuse using a Key Vault action with a username/password connection (Option B) as secure, when in fact the connection itself still stores credentials, whereas a managed identity eliminates credential storage entirely.

How to eliminate wrong answers

Option A is wrong because storing credentials in a variable within the Logic App designer exposes them in plain text in the workflow definition and logs, violating security best practices. Option B is wrong because using an Azure Key Vault action with a connection that uses a username and password still requires you to store and manage those credentials in the connection definition, defeating the purpose of Key Vault and introducing a security risk. Option D is wrong because storing credentials in an Azure Storage table is insecure (data is not encrypted at rest by default unless client-side encryption is used) and introduces unnecessary complexity and latency when fetching secrets at runtime.

162
MCQ · hard

Refer to the exhibit. The exhibit shows an Azure Event Grid subscription configuration. You notice that the webhook endpoint is not receiving events when a .png file is uploaded to the 'images' container. What is the most likely reason?

A. The subscription is disabled
B. The destination endpoint type is incorrect
C. The webhook endpoint requires authentication
D. The subject filter excludes .png files
Answer: D

The filter 'subjectEndsWith' is '.jpg', so .png files are filtered out.

Why this answer

The filter 'subjectEndsWith' is set to '.jpg', so only .jpg files trigger events. .png files do not match. Option A is wrong because the subscription is enabled. Option B is wrong because the endpoint type is WebHook.

Option D is wrong because there is no authentication configured in the exhibit, but that would affect all events, not just .png.

163
MCQ · hard

You are using Azure Logic Apps to orchestrate a workflow that calls a third-party API. The API occasionally returns HTTP 429 (Too Many Requests). How should you handle this to ensure the workflow completes successfully without manual intervention?

A. Increase the timeout value for the HTTP request.
B. Change the concurrency setting to 1 to avoid multiple requests.
C. Use a webhook action instead of HTTP.
D. Configure a retry policy on the HTTP action with exponential backoff.
Answer: D

Automatically retries on 429 with backoff.

Why this answer

Option A is correct because Logic Apps built-in retry policy with exponential backoff handles 429 automatically. Option B is wrong because changing to sequential calls reduces throughput but does not handle retries. Option C is wrong because increasing timeout does not retry.

Option D is wrong because using webhook is for async patterns, not retry.

164
MCQ · hard

Your application uses Azure Cache for Redis to cache session state. You notice that after a scaling operation, some users are prompted to log in again. What is the most likely cause?

A. The cache's connection string changed, causing applications to connect to a new cache.
B. The cache was scaled to a tier that does not support session state.
C. The cache was scaled without enabling data persistence, causing session data to be lost.
D. The cache's primary key changed during scaling, invalidating existing sessions.
Answer: C

Without persistence, scaling can cause data loss.

Why this answer

Azure Cache for Redis can be configured with clustering, and when scaling, data may be redistributed among shards. If the session data is not stored persistently, scaling can cause data loss. Option A is correct.

Option B is incorrect because scaling does not change the primary key. Option C is incorrect because scaling does not change the access key. Option D is incorrect because scaling does not change the connection timeout.

165
MCQ · medium

You develop an app that uses Azure Cosmos DB for NoSQL. The app requires reading a specific item by ID with low latency. You need to ensure the query is as fast as possible. What should you use?

A. Use a stored procedure that reads the item.
B. Use a SQL query filtering by ID without partition key.
C. Use a point read with the item's ID and partition key.
D. Use a SQL query with a composite index on ID.
Answer: C

Point reads are the fastest operation in Cosmos DB.

Why this answer

Option A is correct because a point read by ID and partition key is the fastest operation in Cosmos DB, directly accessing the item without query engine overhead. Option B is wrong because cross-partition queries add latency. Option C is wrong because even with indexing, point reads are faster.

Option D is wrong because stored procedures run on the server but still involve query processing.

166
MCQ · hard

Your team is migrating a legacy application to Azure. The application uses a proprietary database that is not supported by Azure SQL or Cosmos DB. You need to provide a managed database service with minimal rearchitecture. Which Azure service should you use?

A. Azure Virtual Machines with the database software installed
B. Azure Database for MySQL
C. Azure Database Migration Service
D. Azure SQL Database
Answer: A

IaaS allows you to run any database software on a VM.

Why this answer

Azure Database Migration Service helps migrate databases to Azure, but for unsupported databases, you can use Azure Virtual Machines to host the database. Option B is correct. Option A is for SQL servers; Option C is for PostgreSQL/MySQL; Option D is a migration tool, not a hosting service.

167
MCQ · medium

An application publishes order events that multiple independent subscribers must process. Subscribers may be added later without changing the publisher. Which Azure messaging service should be used? The team wants the control to be enforceable during normal operations.

A. Azure Blob Storage lifecycle policy
B. Azure Storage Queue
C. Azure Cache for Redis list only
D. Azure Service Bus topic
Answer: D

Service Bus topics support publish-subscribe messaging with independent subscriptions.

Why this answer

Azure Service Bus topics support a publish/subscribe pattern where multiple independent subscribers can each receive a copy of every published message. Subscribers can be added later without modifying the publisher, and the team can enforce control during normal operations using topic-level authorization rules and subscription filters.

Exam trap

The trap here is that candidates often confuse Azure Storage Queue (point-to-point) with Service Bus topics (pub/sub), missing the requirement for multiple independent subscribers that can be added later without changing the publisher.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage lifecycle policies automate tiering or deletion of blobs based on age, not message delivery to multiple subscribers. Option B is wrong because Azure Storage Queue implements a point-to-point messaging model where each message is consumed by a single consumer, not broadcast to multiple independent subscribers. Option C is wrong because Azure Cache for Redis list only provides a simple list data structure for ordered storage, not a managed pub/sub messaging system with durable delivery and subscriber management.

168
MCQ · hard

A company uses Azure Service Bus to receive order messages. Each order message must be processed exactly once, and duplicate messages are not tolerated due to financial transactions. However, the order processing system sometimes fails and retries, leading to potential duplicates. What Service Bus feature should be enabled on the message to support idempotent processing?

A. Scheduled delivery
B. Duplicate detection
C. Message sessions
D. Auto-forwarding
Answer: B

Duplicate detection uses the MessageId property to identify and discard duplicate messages sent within the detection window, ensuring exactly-once processing.

Why this answer

B is correct because Azure Service Bus's duplicate detection feature uses a user-defined MessageId to identify and discard duplicate messages within a specified time window (default 10 minutes, configurable up to 7 days). This ensures exactly-once processing by preventing the same order message from being processed multiple times, even if the sender retries due to failures.

Exam trap

The trap here is that candidates often confuse message sessions (which guarantee order and grouping) with duplicate detection, but sessions do not prevent duplicates—they only ensure FIFO delivery within a session.

How to eliminate wrong answers

Option A is wrong because scheduled delivery delays message availability until a specified time, which does not prevent duplicate processing. Option C is wrong because message sessions enable ordered processing and grouping of related messages, but they do not inherently detect or discard duplicates. Option D is wrong because auto-forwarding automatically moves messages from one queue or subscription to another, which does not provide any duplicate detection or idempotency guarantee.

169
MCQ · hard

You develop an IoT solution using Azure IoT Hub. Devices send telemetry data that must be processed by a custom Azure Function. You need to ensure that the Function processes messages in order per device and exactly once. Which IoT Hub feature should you use?

A. Use IoT Hub message routing to send messages to a Service Bus queue, and process from the queue.
B. Use IoT Hub direct methods to invoke the Function per device.
C. Use IoT Hub device twins to store telemetry and trigger the Function on twin changes.
D. Use IoT Hub's built-in Event Hub-compatible endpoint with a consumer group that has one partition per device.
Answer: D

Event Hubs support per-partition ordering; with partition key = device ID, messages from a device go to the same partition, ensuring order and at-least-once delivery; idempotent processing can achieve exactly-once.

Why this answer

IoT Hub's Event Hub-compatible endpoint supports consumer groups, but for ordered processing per device, you need to partition by device ID. Option D is correct because using the built-in endpoint with a consumer group per partition ensures ordering. Option A does not guarantee exactly once; Option B is for device management; Option C is for cloud-to-device.

170
MCQ · medium

An application calls a Service Bus topic through HTTP. The developer must implement retries without overwhelming the remote system during partial outages. Which retry pattern is best?

A. Disable all timeout settings
B. Immediate infinite retries
C. Retry only after restarting the application
D. Exponential backoff with jitter and a maximum retry limit
Answer: D

Backoff with jitter reduces retry storms and gives the remote service time to recover.

Why this answer

Exponential backoff with jitter and a maximum retry limit is the best pattern because it progressively increases the delay between retries, preventing the client from overwhelming the Service Bus topic during partial outages. The jitter randomizes the delay to avoid thundering herd problems, while the maximum retry limit ensures the system doesn't retry indefinitely, aligning with Azure's recommended retry guidance for HTTP-based calls to Service Bus.

Exam trap

The trap here is that candidates may confuse 'exponential backoff' with 'immediate retries' or 'infinite retries,' overlooking the critical need for jitter and a maximum retry limit to prevent overwhelming the remote system during partial outages.

How to eliminate wrong answers

Option A is wrong because disabling all timeout settings would cause the application to hang indefinitely on a single request, failing to handle partial outages and potentially exhausting resources. Option B is wrong because immediate infinite retries would flood the Service Bus topic with repeated requests during an outage, exacerbating the load and violating the principle of not overwhelming the remote system. Option C is wrong because retrying only after restarting the application introduces unnecessary downtime and delays recovery, as it doesn't leverage transient fault handling within the same application session.

171
MCQ · easy

Your company uses Azure API Management to expose APIs to external partners. You need to enforce throttling limits per subscription key. Which policy should you add?

A. rate-limit by key policy with @(context.Subscription.Id) as counter key
B. rate-limit policy with IP address filtering
C. rate-limit by key policy with no counter key
D. validate-jwt policy with claims check
Answer: A

This limits requests per subscription key.

Why this answer

Option B is correct because the rate-limit policy by key throttles requests per subscription key. Option A is wrong because it limits per key but not by key. Option C is wrong because IP-based throttling is not per key.

Option D is wrong because it's for authentication, not throttling.

172
Multi-Select · hard

A function consumes messages from Azure Service Bus. Which two settings help handle transient failures safely?

Select 2 answers
A. Configure max delivery count with a dead-letter queue
B. Make message processing idempotent
C. Disable lock renewal for long processing
D. Use anonymous sender access
Answers: A, B

Dead-lettering isolates messages after repeated delivery failures.

Why this answer

Configuring max delivery count with a dead-letter queue is correct because it allows the function to handle transient failures safely by automatically moving messages that exceed the maximum number of delivery attempts to a dead-letter queue. This prevents infinite retries and ensures that problematic messages are isolated for manual inspection, while the function can continue processing other messages without blocking. The max delivery count setting in Azure Service Bus controls how many times a message is delivered before being dead-lettered, which is essential for managing transient failures without losing data.

Exam trap

The trap here is that candidates often confuse disabling lock renewal (which is a performance optimization for long processing) with a transient failure handling strategy, when in fact it can lead to message duplication or loss, and they overlook that idempotent processing (Option B) is a complementary pattern but not a Service Bus setting for handling transient failures.

173
MCQ · medium

You are building an event-driven solution that processes orders from an Azure Storage Queue. Each order triggers an Azure Function. To improve reliability, you need to automatically retry processing if an exception occurs, but only up to 3 times. You must also preserve the original order message in a poison queue after max retries. Which configuration should you use in the function's host.json?

A. Set 'prefetchCount' to 3
B. Set 'newBatchThreshold' to 3
C. Set 'maxDequeueCount' to 3
D. Set 'batchSize' to 3
Answer: C

maxDequeueCount defines the maximum number of times to try processing a message before moving it to the poison queue.

Why this answer

The 'maxDequeueCount' setting in host.json controls the number of times the function tries to process a message before moving it to the poison queue. Setting it to 3 achieves the requirement. Option A is wrong because 'prefetchCount' controls how many messages are retrieved at once, not retries.

Option B is wrong because 'newBatchThreshold' controls batch size, not retries. Option D is wrong because 'batchSize' controls how many messages are processed concurrently, not retries.

174
MCQ · medium

A developer is configuring a web app to authenticate users with Microsoft Entra ID. The web app needs to call a downstream API that also uses Microsoft Entra ID for authentication. The developer must ensure that the web app can securely obtain access tokens for the downstream API. Which authentication flow should the developer implement?

A. OAuth 2.0 Client Credentials flow
B. OAuth 2.0 Implicit flow
C. OAuth 2.0 On-Behalf-Of flow
D. OAuth 2.0 Authorization Code flow
Answer: C

On-Behalf-Of flow allows the web app to use the user's identity to get a token for the downstream API.

Why this answer

Option B is correct because the OAuth 2.0 On-Behalf-Of flow allows a web app to use the user's identity to obtain a token for a downstream API. Option A is incorrect because the Authorization Code flow is for user authentication, not for chaining to a downstream API. Option C is incorrect because Client Credentials flow is for daemon apps, not for user context.

Option D is incorrect because the Implicit flow is deprecated and not secure.

175
MCQ · medium

An application publishes order events that multiple independent subscribers must process. Subscribers may be added later without changing the publisher. Which Azure messaging service should be used? The design must avoid adding custom operational scripts.

A. Azure Blob Storage lifecycle policy
B. Azure Storage Queue
C. Azure Cache for Redis list only
D. Azure Service Bus topic
Answer: D

Service Bus topics support publish-subscribe messaging with independent subscriptions.

Why this answer

Azure Service Bus topics support a publish-subscribe pattern where multiple independent subscribers each receive a copy of every published message. This decouples the publisher from subscribers, allowing new subscribers to be added later without modifying the publisher. The built-in subscription entities eliminate the need for custom operational scripts.

Exam trap

The trap here is confusing a point-to-point queue (Storage Queue) with a publish-subscribe topic (Service Bus), where the requirement for multiple independent subscribers and future extensibility without scripts directly points to the topic's subscription model.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage lifecycle policies automate tiering or deletion of blobs based on age, not message delivery to multiple subscribers. Option B is wrong because Azure Storage Queues implement a point-to-point message queue where each message is consumed by a single worker, not broadcast to multiple independent subscribers. Option C is wrong because Azure Cache for Redis list only provides a simple list data structure; it lacks built-in publish-subscribe semantics and would require custom polling logic and scripts to distribute messages to multiple subscribers.

176
MCQmedium

You are building an Azure Logic App that calls an external REST API secured with the OAuth 2.0 client credentials flow. You have registered an app in Microsoft Entra ID with client ID and client secret stored in Azure Key Vault. The Logic App uses a system-assigned managed identity with Get permission on the secret. Which action should you use in the Logic App designer to authenticate to the API?

A.HTTP action with 'Active Directory OAuth' authentication type, referencing the client ID and client secret
B.HTTP action with 'Managed Identity' authentication type
C.Invoke an API with OAuth predefined connector
D.HTTP action with 'Basic' authentication and pass the secret as password
AnswerA

This correctly implements the client credentials grant by providing the client ID and secret in the HTTP request.

Why this answer

Option A is correct because the OAuth 2.0 client credentials flow requires a client ID and client secret to obtain an access token from Microsoft Entra ID. The HTTP action's 'Active Directory OAuth' authentication type directly supports this flow, allowing you to reference the client ID and the client secret stored in Azure Key Vault. The Logic App's system-assigned managed identity has Get permission on the secret, enabling it to retrieve the secret at runtime without exposing it in the workflow definition.

Exam trap

The trap here is that candidates confuse 'Managed Identity' authentication (which works only for Azure resources like Azure SQL or Storage) with the need to authenticate to an external API using OAuth client credentials, leading them to incorrectly select Option B instead of the HTTP action with Active Directory OAuth.

How to eliminate wrong answers

Option B is wrong because the 'Managed Identity' authentication type is used to authenticate to Azure resources that support managed identity (e.g., Azure Storage, Azure SQL), not to external REST APIs secured with OAuth 2.0 client credentials; it cannot provide a client ID and client secret for token acquisition. Option C is wrong because 'Invoke an API with OAuth predefined connector' is not a built-in Logic App action; there is no generic 'OAuth predefined connector' that dynamically handles client credentials with Key Vault secrets—connectors are specific to services like Microsoft Graph or Salesforce. Option D is wrong because 'Basic' authentication sends the client ID and secret as a plaintext username:password pair in the HTTP Authorization header, which violates the OAuth 2.0 client credentials flow that requires a token endpoint exchange and does not support Basic auth for bearer token issuance.

177
MCQhard

You are developing a solution that processes events from Azure Event Hubs and stores them in Azure Blob Storage. The processing must be idempotent and exactly-once. Which approach should you use?

A.Use EventProcessorHost with checkpointing and blob leases to track processed events
B.Use Azure Functions with Event Hubs trigger and store events in batches
C.Use a simple consumer group and delete events after reading from Event Hubs
D.Implement a transactional outbox pattern with Azure SQL Database
AnswerA

Checkpointing with sequence numbers and lease-based partition ownership ensures each event is processed exactly once.

Why this answer

Option A is correct because checkpoints with sequence numbers allow tracking processed events, and using blob leasing ensures exactly-once. Option C is wrong because idempotency is not guaranteed. Option D is wrong because Event Hubs does not support transactional outbox natively.

Option B is wrong because batch processing does not provide exactly-once.

178
Multi-Selecthard

Which TWO scenarios require the use of Azure Event Hubs over Azure Service Bus? (Choose two.)

Select 2 answers
A.Capturing event data to Azure Blob Storage for long-term retention
B.Ingesting millions of IoT device telemetry events per second
C.Processing messages in FIFO order with sessions
D.Implementing a publish-subscribe pattern with multiple subscribers
E.Dead-lettering messages that fail processing
AnswersA, B

Event Hubs Capture automatically stores events in Blob Storage.

Why this answer

Option B is correct: Event Hubs is designed for high-throughput event ingestion, often for telemetry. Option A is correct: Event Hubs supports capturing events to Azure Blob Storage for archiving. Option C is wrong: Service Bus supports sessions for ordered processing.

Option D is wrong: Service Bus supports topics and subscriptions for pub/sub. Option E is wrong: Service Bus supports dead-lettering.

179
MCQeasy

Your company uses Azure Logic Apps to automate workflows. A workflow must call an external REST API that requires an API key in the header. You need to securely store the API key and reference it in the Logic App without exposing it in the workflow definition. What should you do?

A.Store the API key in plain text directly in the Logic App HTTP action header.
B.Store the API key in Azure Key Vault and use the Key Vault connector to retrieve it dynamically in the Logic App.
C.Store the API key in an App Service application setting and reference it using the 'appsetting' expression.
D.Create an Azure Function with the API key hardcoded as an environment variable and call it from the Logic App.
AnswerB

This securely stores the key in Key Vault and allows the Logic App to reference it at runtime without exposing it in the definition.

Why this answer

Option B is correct because Azure Key Vault provides a secure, centralized store for secrets like API keys, and the Logic App Key Vault connector retrieves the key at runtime without exposing it in the workflow definition. This approach ensures the secret is never stored in plain text within the Logic App's JSON definition or source control, aligning with Azure security best practices for managed identities and access policies.

Exam trap

The trap here is that candidates may confuse App Service application settings (Option C) with Logic App environment variables, but Logic Apps do not support the 'appsetting' expression, and Azure Key Vault is the only secure, native way to inject secrets into Logic Apps without exposing them in the definition.

How to eliminate wrong answers

Option A is wrong because storing the API key in plain text directly in the HTTP action header exposes the secret in the workflow definition, which can be viewed by anyone with read access to the Logic App and is a severe security risk. Option C is wrong because App Service application settings are designed for App Service apps, not Logic Apps; the 'appsetting' expression is not supported in Logic Apps, and even if it were, the setting would be stored in plain text in the App Service configuration. Option D is wrong because hardcoding the API key as an environment variable in an Azure Function still stores the secret in plain text within the Function's configuration, and calling a separate Azure Function adds unnecessary complexity and latency without improving security over directly using Key Vault.

180
MCQhard

You are developing a web application that relies on a third-party weather API. The API has a rate limit of 10 requests per second per API key. You need to ensure your application never exceeds this limit and also caches responses for 10 minutes to reduce call frequency. Which combination of Azure services should you implement?

A.Azure Functions with Durable Functions to throttle calls and a static in-memory cache.
B.Azure Logic Apps with a retry policy and a cache using Azure Redis Cache.
C.Azure API Management with rate-limit and caching policies.
D.Azure Traffic Manager to distribute requests and Azure Front Door for caching.
AnswerC

API Management provides out-of-the-box policies for rate limiting (by key or subscription) and caching (response cache). This is the recommended approach for controlling access to third-party APIs and improving performance.

Why this answer

Azure API Management (APIM) provides built-in rate-limit and caching policies that directly address the requirements: the `rate-limit` policy enforces a per-key request quota (e.g., 10 calls/second), and the `cache-store`/`cache-lookup` policies cache responses for a configurable duration (e.g., 10 minutes). This eliminates the need for custom throttling logic or external caching services, making it the most straightforward and maintainable solution.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing a combination of services (e.g., Functions + Redis) when Azure API Management's single, purpose-built policy set directly solves both rate limiting and caching without custom code.

How to eliminate wrong answers

Option A is wrong because Durable Functions are designed for orchestrating long-running workflows, not for fine-grained per-second rate limiting, and a static in-memory cache in a serverless function app is not shared across instances, leading to cache inconsistency and potential rate-limit breaches. Option B is wrong because Azure Logic Apps' retry policy handles transient failures but does not provide proactive rate limiting, and Azure Redis Cache, while a valid distributed cache, adds unnecessary complexity and cost when APIM's built-in caching suffices. Option D is wrong because Azure Traffic Manager distributes traffic at the DNS level for global load balancing and does not enforce per-key rate limits, and Azure Front Door's caching is for static content at the edge, not for API response caching with per-key granularity.

181
MCQhard

An application uses Azure Event Hubs to ingest telemetry data. The team wants to process the data in near real-time and store aggregated results in Azure SQL Database. Which Azure service should they use?

A.Azure HDInsight
B.Azure Functions
C.Azure Stream Analytics
D.Azure Data Lake Storage Gen2
AnswerC

Stream Analytics processes streaming data and outputs to SQL Database.

Why this answer

Azure Stream Analytics is designed for real-time processing on streaming data from Event Hubs and can output to SQL Database. Option D is wrong because Data Lake Storage is for storage, not processing. Option A is wrong because HDInsight is for batch processing.

Option B is wrong because Functions can process events but lack the built-in streaming SQL capabilities of Stream Analytics.

182
Multi-Selectmedium

Which THREE actions should you take to securely access Azure Key Vault from an Azure App Service? (Choose three.)

Select 3 answers
A.Configure network restrictions on the Key Vault to allow only the App Service's outbound IP.
B.Grant the managed identity the 'Key Vault Secrets User' role.
C.Enable managed identity on the App Service.
D.Use DefaultAzureCredential in the application code.
E.Store the Key Vault URL and a client secret in App Service application settings.
AnswersB, C, D

This role allows reading secrets from Key Vault.

Why this answer

Options B, C, and D are correct. Enable managed identity on the App Service to authenticate without secrets. Grant the managed identity the Key Vault Secrets User role to read secrets.

Use the DefaultAzureCredential class in code to automatically use the managed identity. Option E is wrong because storing the connection string in app settings exposes the secret. Option A is wrong because network restrictions are not required for security; managed identity and RBAC are sufficient.

183
MCQmedium

You are reviewing an ARM template that deploys an Azure App Service. The template sets an app setting 'MyApiKey' that references a Key Vault secret. However, the deployment fails with an error that the app service cannot access the secret. What is the most likely cause?

A.The Key Vault reference syntax '@Microsoft.KeyVault(SecretUri=...)' is incorrect.
B.The ARM template cannot use Key Vault references in app settings.
C.The secret name in the URI does not match the actual secret name.
D.The App Service does not have a managed identity enabled and the Key Vault access policy is missing.
AnswerD

For Key Vault references to work, the App Service must have a managed identity with GET permission on the secret.

Why this answer

The Key Vault reference syntax is correct, but the App Service must have a managed identity and Key Vault access policy to read the secret. Option D is correct. Option A is incorrect because the syntax is valid; Option B is incorrect because ARM templates support Key Vault references; Option C is incorrect because the syntax is correct.

184
MCQmedium

A company is developing an application that processes orders. The application uses Azure Service Bus queues to decouple order submission from processing. During peak hours, some messages are not processed within the required time, causing order delays. The team needs to increase throughput without changing the existing message processing logic. What should they do?

A.Use Azure Event Hubs instead of Service Bus.
B.Increase the number of concurrent listeners on the queue.
C.Enable sessions on the queue to group related messages.
D.Increase the lock duration on messages.
AnswerB

More listeners allow parallel processing, increasing throughput.

Why this answer

Increasing the number of concurrent listeners (option B) allows more messages to be processed simultaneously, improving throughput without changes to processing logic. Option C adds sessions which require changes to consumer logic. Option D increases lock duration but not throughput.

Option A uses a different service that may not fit the architecture.

185
MCQeasy

The mobile app team needs to send push notifications to 10 million devices running both iOS and Android. On iOS, notifications go through Apple Push Notification service (APNs); on Android, through Firebase Cloud Messaging (FCM). The team wants a single Azure service that abstracts platform differences and scales without managing separate APNs and FCM integrations per platform. Which service should they use?

A.Azure Notification Hubs with APNs and FCM credentials configured in the hub namespace
B.Azure Service Bus with topics — one subscription per platform, each subscription delivering to APNs or FCM
C.Azure Event Grid with a custom endpoint handler per platform that calls APNs or FCM directly
D.Azure Communication Services email with HTML-formatted alerts sent to device email addresses
AnswerA

Notification Hubs is the Azure service designed for exactly this use case. Configure your APNs certificate and FCM server key once. The backend then calls Notification Hubs with a unified API, specifying templates or platform-specific payloads. The hub routes and delivers to the appropriate PNS for each device's platform.

Why this answer

Azure Notification Hubs is the correct choice because it is a fully managed push notification service designed to abstract platform-specific notification systems like APNs (iOS) and FCM (Android). By configuring the APNs and FCM credentials in the hub namespace, the team can send a single notification that is automatically routed to the correct platform service, scaling to millions of devices without managing separate integrations.

Exam trap

The trap here is that candidates may confuse Azure Service Bus or Event Grid as viable push notification services, but neither provides direct, platform-abstracted push notification delivery to mobile devices like Notification Hubs does.

How to eliminate wrong answers

Option B is wrong because Azure Service Bus Topics are a message broker for decoupling applications, not a push notification service; they lack native integration with APNs or FCM and cannot directly deliver push notifications to mobile devices. Option C is wrong because Azure Event Grid is an event routing service that requires custom endpoint handlers to call APNs or FCM, which defeats the purpose of abstracting platform differences and adds complexity. Option D is wrong because Azure Communication Services email is designed for sending emails, not push notifications, and cannot reach mobile devices via APNs or FCM.

186
MCQeasy

You are developing a web application that uses Azure Cosmos DB for NoSQL. You need to perform a point read by document ID and partition key. Which API method should you use to achieve the best performance and lowest cost?

A.Call ReadItemAsync with the partition key and document ID.
B.Call QueryAsync with a SQL query that filters by ID.
C.Call CreateItemAsync and check for conflict.
D.Call ReadManyAsync with a list of IDs.
AnswerA

Point read via ReadItemAsync is the most efficient.

Why this answer

Point reads in Cosmos DB are the most efficient way to retrieve a single document when you know both the partition key and the ID. Option A is correct because ReadItemAsync is designed for point reads and consumes minimal RUs. Option B is incorrect because QueryAsync with a filter requires a query execution, which is more expensive.

Option D is incorrect because ReadManyAsync is for reading multiple items by ID. Option C is incorrect because CreateItemAsync is for creating items, not reading.

187
Multi-Selectmedium

You are designing a solution that processes orders from an e-commerce website. The solution must guarantee that each order is processed exactly once. Which TWO Azure services can you use to achieve this requirement?

Select 2 answers
A.Azure Service Bus
B.Azure Storage Queues
C.Azure Event Grid
D.Azure Cache for Redis
E.Azure Event Hubs
AnswersA, E

Service Bus supports duplicate detection for exactly-once.

Why this answer

Azure Service Bus queues support message sessions and duplicate detection to ensure exactly-once processing. Azure Event Hubs with consumer groups and checkpointing can also achieve exactly-once semantics when combined with idempotent processing. Option A is correct because Service Bus provides duplicate detection.

Option E is correct because Event Hubs with checkpointing can achieve exactly-once. Option B is incorrect because Azure Storage Queues do not guarantee exactly-once. Option C is incorrect because Event Grid offers at-least-once delivery.

Option D is incorrect because Azure Cache for Redis is not a messaging service.

188
Multi-Selecthard

Which THREE factors should be considered when choosing between Azure Service Bus and Azure Event Hubs for a messaging solution? (Choose 3)

Select 3 answers
A.Event Hubs cannot be used with Apache Kafka client applications
B.Event Hubs is optimized for high-throughput telemetry ingestion
C.Service Bus supports topics and subscriptions for publish/subscribe patterns
D.Service Bus does not support the AMQP protocol
E.Both services can be used in a hybrid cloud architecture with on-premises systems
AnswersB, C, E

Event Hubs is designed for high-volume telemetry.

Why this answer

Options B, C, and E are correct: Service Bus supports topics and subscriptions for pub/sub, Event Hubs is optimized for high-throughput telemetry, and both can be used in hybrid architectures. Option D is incorrect because both services support AMQP. Option A is incorrect because both can be used with Kafka protocol, but Event Hubs has native Kafka support.

189
MCQhard

Refer to the exhibit. You are creating an Azure Service Bus queue using an ARM template. The requirement is that messages should be automatically dead-lettered after 3 failed delivery attempts. Does this configuration meet the requirement?

A.No, because lockDuration should be shorter
B.Yes, because defaultMessageTimeToLive ensures messages expire
C.No, because maxDeliveryCount should be 3
D.Yes, because maxDeliveryCount is set
AnswerC

To dead-letter after 3 attempts, maxDeliveryCount must be 3.

Why this answer

The queue has maxDeliveryCount set to 10, which means messages will be retried up to 10 times before dead-lettering. The requirement is 3 attempts, so this configuration does not meet the requirement. Option D is wrong because the maxDeliveryCount is 10.

Option C is correct. Option A is wrong because lockDuration does not affect delivery count. Option B is wrong because TTL is separate from delivery count.

190
MCQmedium

An application publishes order events that multiple independent subscribers must process. Subscribers may be added later without changing the publisher. Which Azure messaging service should be used? The architecture review board prefers a managed AWS-native control.

A.Azure Blob Storage lifecycle policy
B.Azure Storage Queue
C.Azure Cache for Redis list only
D.Azure Service Bus topic
AnswerD

Service Bus topics support publish-subscribe messaging with independent subscriptions.

Why this answer

Azure Service Bus topics support a publish-subscribe pattern where multiple independent subscribers can process the same message. Subscribers can be added later without modifying the publisher, and each subscriber receives its own copy of the message through subscriptions. This matches the requirement for order events that must be processed by multiple independent subscribers.

Exam trap

The trap here is that candidates often confuse Azure Storage Queue (point-to-point) with Service Bus topics (pub-sub), failing to recognize that multiple independent subscribers require a topic-based pattern, not a queue.

How to eliminate wrong answers

Option A is wrong because Azure Blob Storage lifecycle policy is used to manage blob tiering and deletion based on age, not for messaging or event distribution. Option B is wrong because Azure Storage Queue implements a point-to-point queue pattern where a single consumer processes each message; it does not support multiple independent subscribers receiving the same message. Option C is wrong because Azure Cache for Redis list only provides a simple list data structure for FIFO operations, not a managed pub-sub messaging system with durable subscriptions and independent subscriber processing.

191
MCQmedium

Backend APIs exposed through Azure API Management are consumed by multiple subscribers. The product owner wants to prevent any single subscriber from sending more than 100 requests per minute, while allowing subscribers with heavier plans to have higher limits configured separately. Which APIM policy implements per-subscriber rate limiting?

A.Apply the rate-limit-by-key policy using the subscription key as the counter key, with calls set to 100 and renewal-period to 60
B.Apply the quota policy to the product with a total of 100 calls per minute shared across all subscribers
C.Apply an ip-filter policy that blocks IP addresses making more than 100 requests per minute
D.Configure a backend circuit breaker policy to return cached responses after 100 calls
AnswerA

rate-limit-by-key with counter-key='@(context.Subscription.Id)' (or the subscription key header) creates a separate 100-calls/60-second counter per subscriber. When a subscriber's counter reaches 100, APIM returns 429 Too Many Requests for that subscriber while other subscribers continue at full rate.

Why this answer

Option A is correct because the `rate-limit-by-key` policy in Azure API Management enforces a per-key rate limit, and using the subscription key as the counter key ensures each subscriber is limited individually. The `calls` parameter set to 100 and `renewal-period` to 60 seconds matches the requirement of 100 requests per minute per subscriber, while allowing different limits for different plans by applying separate policies with different call counts.

Exam trap

The trap here is confusing the `quota` policy (which sets a total limit shared across all subscribers of a product) with the `rate-limit-by-key` policy (which enforces per-subscriber limits), leading candidates to pick Option B when they see 'product' and 'per minute' without recognizing the shared vs. individual distinction.

How to eliminate wrong answers

Option B is wrong because the `quota` policy applied to a product with 100 calls per minute shared across all subscribers enforces a total limit for the entire product, not per subscriber, so a single subscriber could consume all 100 calls and block others. Option C is wrong because the `ip-filter` policy blocks or allows traffic based on IP addresses, but it cannot track request counts per minute or differentiate between subscribers sharing the same IP (e.g., behind a NAT), and it does not provide rate limiting based on subscription keys. Option D is wrong because a backend circuit breaker policy is used to protect the backend from overload by returning cached responses after a failure threshold, not to limit client request rates; it does not track per-subscriber request counts or enforce rate limits.

192
MCQmedium

You are building an Azure Logic App that must consume messages from an Azure Service Bus queue. The queue messages are JSON payloads containing order information. The Logic App must process each message exactly once and in the order they are received. You need to configure the trigger in the Logic App. Which trigger type and property should you choose?

A.Use a Service Bus trigger with the 'PeekLock' mode and set the 'IsSessionsEnabled' property to false
B.Use a Service Bus trigger with the 'ReceiveAndDelete' mode
C.Use a Service Bus trigger with the 'PeekLock' mode and set the 'IsSessionsEnabled' property to true
D.Use an Event Grid trigger for Service Bus
AnswerC

Sessions provide FIFO order within a session, and PeekLock allows the Logic App to complete or abandon the message, ensuring exactly-once processing.

Why this answer

Option C is correct because Service Bus sessions provide first-in-first-out (FIFO) ordering and exactly-once processing. By enabling sessions (IsSessionsEnabled = true) and using PeekLock mode, the Logic App can lock a message while processing, ensuring it is not delivered to other consumers, and sessions guarantee that messages with the same session ID are processed in order. This meets the requirement of processing each message exactly once and in the order received.

Exam trap

The trap here is that candidates often assume PeekLock mode alone guarantees ordering, but without sessions, multiple concurrent trigger instances can pick up messages from the same queue out of order, breaking the FIFO requirement.

How to eliminate wrong answers

Option A is wrong because PeekLock mode without sessions (IsSessionsEnabled = false) does not guarantee message ordering; messages may be processed out of order if multiple triggers fire concurrently. Option B is wrong because ReceiveAndDelete mode removes the message from the queue immediately upon retrieval, making it impossible to retry processing on failure and violating exactly-once semantics. Option D is wrong because an Event Grid trigger for Service Bus is designed for event-driven notifications (e.g., when a queue has messages) but does not provide built-in ordering or exactly-once processing guarantees; it also introduces potential duplicate deliveries.

193
MCQeasy

You are building an Azure Logic App that must call an external REST API. The API requires an API key passed in the Authorization header. You need to store the API key securely and reference it in the Logic App without exposing it in the workflow definition. What should you do?

A.A
B.B
C.C
D.D
AnswerA

This approach securely stores the API key in Azure Key Vault and uses the Key Vault connector to retrieve it at runtime without exposing the key in the Logic App definition.

Why this answer

Option A is correct because Azure Logic Apps can securely reference API keys stored in Azure Key Vault using a managed identity. By configuring the Logic App with a system-assigned or user-assigned managed identity, you grant it access to retrieve the secret from Key Vault at runtime without hardcoding the key in the workflow definition or connection parameters. This approach ensures the API key is never exposed in the Logic App's JSON definition or source control.

Exam trap

The trap here is that candidates often confuse Azure App Configuration with Azure Key Vault, assuming App Configuration's encrypted storage is sufficient for secrets, but Key Vault is the only service designed for managing and auditing access to sensitive secrets like API keys.

How to eliminate wrong answers

Option B is wrong because storing the API key directly in the Logic App's connection parameters or workflow definition, even if marked as a secure string, still embeds the secret in the definition file and can be exposed through source control or runtime history. Option C is wrong because using an Azure App Configuration reference with a plain-text value does not provide encryption at rest or access control; it still requires the key to be stored in the configuration store without native secret management. Option D is wrong because passing the API key as a query parameter in the HTTP request URL exposes the secret in server logs, browser history, and network traces, violating security best practices.

194
MCQmedium

You are building an integration solution that connects an on-premises SQL Server database to Azure Data Factory. The on-premises network does not allow direct inbound connections from Azure. You need to securely transfer data from the database to Azure Blob Storage. Which data factory component should you use?

A.Self-hosted Integration Runtime
B.Azure Integration Runtime
C.Azure-SSIS Integration Runtime
D.Azure Data Lake Storage connector
AnswerA

Self-hosted IR runs on a local machine and can connect to on-premises SQL Server, sending data to Azure via outbound HTTPS, satisfying security requirements.

Why this answer

The Self-hosted Integration Runtime (SHIR) is required because the on-premises SQL Server database resides in a network that blocks direct inbound connections from Azure. SHIR acts as a bridge, running on a local machine or VM within the on-premises network, enabling Azure Data Factory to securely connect to the database via outbound HTTPS (port 443) or the Microsoft Service Bus. It handles data movement and transformation without exposing the on-premises network to inbound traffic.

Exam trap

The trap here is that candidates often confuse the Azure Integration Runtime (which works only for cloud-to-cloud scenarios) with the Self-hosted Integration Runtime, assuming Azure's built-in runtime can somehow tunnel into on-premises networks without explicit configuration.

How to eliminate wrong answers

Option B (Azure Integration Runtime) is wrong because it operates entirely within Azure's public cloud and cannot access on-premises resources behind a firewall that blocks inbound connections. Option C (Azure-SSIS Integration Runtime) is wrong because it is designed for lifting and shifting SQL Server Integration Services (SSIS) packages to Azure, not for direct data transfer between on-premises SQL Server and Azure Blob Storage via ADF pipelines. Option D (Azure Data Lake Storage connector) is wrong because it is a data sink or source connector, not a compute component for connectivity; it requires an Integration Runtime to actually move data.

195
Multi-Selectmedium

A developer needs to authenticate an Azure Function app to call Microsoft Graph API. Which THREE components are required?

Select 3 answers
A.Azure API Management
B.Microsoft Entra ID app registration
C.Azure SQL Database
D.Azure Key Vault
E.Azure Managed Identity
AnswersB, D, E

App registration defines permissions and authentication.

Why this answer

Option B is correct because an app registration in Microsoft Entra ID (formerly Azure AD) is required to define the application identity, configure API permissions for Microsoft Graph, and obtain a client ID and tenant ID. This registration is the foundation for OAuth 2.0 authentication flows, enabling the Azure Function to request an access token for Microsoft Graph.

Exam trap

The trap here is that candidates often think Azure API Management is needed to secure the outbound call, but it is only relevant for inbound API management, not for the Function app's own authentication to Microsoft Graph.

196
MCQeasy

You need to deploy a web app that uses Azure SQL Database. The connection string must be securely stored and automatically rotated without application downtime. What should you use?

A.Store the connection string as an environment variable in the App Service.
B.Store the connection string in a web.config file with encrypted configuration.
C.Store the connection string in Azure App Configuration and use a managed identity.
D.Store the connection string in Azure Key Vault and configure automatic rotation.
AnswerD

Key Vault provides rotation capabilities.

Why this answer

Azure Key Vault supports automatic rotation of secrets (e.g., SQL connection strings) via integration with Azure SQL. Option D is correct. Option C is incorrect because App Configuration does not natively rotate secrets. Option A is incorrect because environment variables do not support rotation. Option B is incorrect because connection strings in web.config are not rotated automatically.

197
MCQmedium

Refer to the exhibit. You are reviewing an ARM template for a storage account. A security audit requires that all storage accounts enforce TLS 1.2 or higher. Does this configuration meet the requirement?

A.No, because supportsHttpsTrafficOnly does not enforce TLS version
B.Yes, because minimumTlsVersion is set to TLS1_2
C.No, because minimumTlsVersion is not a valid property
D.No, because the property should be minimumTlsVersion: "1.2"
AnswerB

This property enforces the minimum TLS version.

Why this answer

The property 'minimumTlsVersion' is set to 'TLS1_2', which enforces TLS 1.2 as the minimum version. This meets the requirement. Option B is correct. Option D is wrong because the property exists and is set correctly. Option C is wrong because the property is indeed supported for StorageV2. Option A is wrong because 'supportsHttpsTrafficOnly' is about HTTPS, not TLS version.

198
MCQeasy

Refer to the exhibit. A developer is creating an Azure Data Factory pipeline to copy data from Azure Blob Storage to Azure SQL Database. The pipeline fails with a timeout error when copying large files. Which action should the developer take to resolve the issue?

A.Change the source type to DelimitedTextSource
B.Enable Data Integration Units (DIU) to increase throughput
C.Increase the timeout value in the copy activity settings
D.Use a staging copy with Azure Data Lake Storage Gen2
AnswerC

Increasing timeout will allow larger files to complete.

Why this answer

Option C is correct because increasing the copy activity's timeout setting will allow more time for large files. Option A is incorrect because the source is already BlobSource. Option B is incorrect because the issue is timeout, not throughput. Option D is incorrect because staging is not needed for this scenario.

199
MCQeasy

A company uses Azure Functions to process orders. The function needs to read messages from an Azure Service Bus queue. Which binding should the developer configure in the function.json?

A.serviceBus
B.eventHubTrigger
C.queueTrigger
D.serviceBusTrigger
AnswerD

serviceBusTrigger is the correct binding for a function triggered by a Service Bus queue.

Why this answer

Option D is correct because the serviceBusTrigger binding is used to trigger a function when a message arrives in a Service Bus queue. Option A (serviceBus) is not a valid binding for Service Bus; Option C (queueTrigger) is for Storage queues; Option B (eventHubTrigger) is for Event Hubs.

200
Multi-Selectmedium

Which TWO are valid ways to authenticate to Azure Service Bus from an application? (Choose two.)

Select 2 answers
A.Using an X.509 certificate directly in the connection string.
B.Using Azure AD and a managed identity.
C.Using a connection string with a SAS key from Azure Event Hubs.
D.Using a storage account access key.
E.Using a connection string with Shared Access Signature (SAS) key.
AnswersB, E

Managed identity can authenticate to Service Bus without secrets.

Why this answer

Azure Service Bus supports Shared Access Signatures (SAS) and Azure AD (managed identity). Option E (connection string with SAS) is correct; Option B (managed identity) is correct. Option C is for Event Hubs; Option A is not standard; Option D is for storage.

201
MCQmedium

You are building a solution that uses Azure Cosmos DB for NoSQL. You need to implement a change feed processor to handle real-time updates. The application runs on multiple instances to ensure high availability. Which lease container configuration ensures that each instance processes a distinct set of partitions?

A.Set the partition key of the monitored container to /city
B.Configure the change feed to start from the beginning
C.Use a separate lease container with partition key /id
D.Set the lease container's throughput to 1000 RU/s
AnswerC

The lease container's partition key /id allows the change feed processor to distribute leases across instances.

Why this answer

The change feed processor uses a lease container to distribute work across instances. Each instance acquires leases on partitions. To ensure distinct processing, the lease container must be configured with a partition key that allows the processor to assign different lease documents to different instances.

The partition key of the lease container is '/id' by default, which is a unique identifier. Option A is wrong because the monitored container's partition key is irrelevant to instance distribution. Option D is wrong because throughput is not directly related to partition distribution. Option B is wrong because the change feed is processed from the beginning only if not already stored; it doesn't ensure distinct processing.

202
MCQhard

Your company has a microservices application deployed on Azure Kubernetes Service (AKS). One service, OrderProcessor, needs to read messages from an Azure Service Bus queue and write results to Azure Cosmos DB. The processing must be reliable: if the service crashes mid-processing, the message should not be lost and should be retried. You also need to ensure that messages are processed in order within a partition. The solution should minimize code changes and leverage platform features. Which approach should you use?

A.Use the Azure Service Bus SDK with ReceiveAndDelete mode in a background worker.
B.Use Azure Functions with a Service Bus trigger that uses sessions for ordered processing.
C.Use the Azure Service Bus SDK with PeekLock mode and manual message completion.
D.Use Azure Event Hubs with a consumer group and checkpointing.
AnswerB

Functions handles peek-lock and retries; sessions ensure ordering per partition.

Why this answer

Option B is correct because Azure Functions with a Service Bus trigger uses peek-lock mode by default, which ensures reliable processing: if the function fails, the message is not completed and will be retried. Service Bus sessions provide ordered processing per partition. Option A is wrong because the Service Bus SDK with ReceiveAndDelete would lose messages if the service crashes after receiving but before processing. Option D is wrong because Event Hubs is not designed for ordered processing per partition with message-level retries; also it's not a queue for command messages. Option C is wrong because the Service Bus SDK with PeekLock requires manual handling of message completion, lock renewal, and session management, leading to more code and complexity.

203
Multi-Selecthard

A function consumes messages from Azure Service Bus. Which two settings help handle transient failures safely? The architecture review board prefers a managed AWS-native control.

Select 2 answers
A.Configure max delivery count with a dead-letter queue
B.Make message processing idempotent
C.Disable lock renewal for long processing
D.Use anonymous sender access
AnswersA, B

Dead-lettering isolates messages after repeated delivery failures.

Why this answer

Option A is correct because configuring max delivery count with a dead-letter queue ensures that after a message has been unsuccessfully processed a specified number of times (e.g., 10), it is automatically moved to the dead-letter queue rather than being retried indefinitely. This prevents infinite retry loops during transient failures and allows for manual inspection or reprocessing of poison messages. The dead-letter queue is a native Service Bus feature that isolates problematic messages without losing them.

Exam trap

The trap here is that candidates may confuse 'transient failure handling' with 'security settings' (like anonymous access) or 'performance tuning' (like disabling lock renewal), when the question specifically asks for safe handling of transient failures using managed Azure-native features.

204
MCQeasy

You are building a solution that processes images uploaded to Azure Blob Storage. Each image must be analyzed by Azure AI Vision (Computer Vision). You need to trigger the analysis automatically when a new blob is created. Which Azure service should you use?

A.Azure Event Grid
B.Azure Logic Apps
C.Azure Functions
D.Azure WebJobs
AnswerC

Functions can be triggered by Blob Storage events.

Why this answer

Option C is correct because Azure Functions can be triggered by Blob Storage events to run custom code. Option B is wrong because Azure Logic Apps can also be used but Functions is more appropriate for code-based processing. Option A is wrong because Event Grid itself is the event broker, not the compute. Option D is wrong because WebJobs are outdated and less flexible.

205
MCQhard

You are using Azure Cognitive Search to index documents stored in Azure Blob Storage. The indexer is failing with the error 'Data source credentials are invalid.' You have verified that the connection string for the storage account is correct. What is the most likely cause?

A.The Cognitive Search service is in a different region than the storage account.
B.The Cognitive Search service's admin key is missing.
C.The indexer configuration is missing the storage account key.
D.The storage account is behind a firewall and the Cognitive Search service IP is not allowed.
AnswerD

Firewall rules block the search service; add its IP to the storage account firewall.

Why this answer

Option D is correct because if the storage account is behind a firewall, the Cognitive Search service must be granted access via firewall rules or by using a managed identity with appropriate permissions. The suggested resolution is to add the Cognitive Search service's IP address to the storage account firewall rules. Option A is wrong because the indexer does not require the search service to be in the same region. Option B is wrong because the indexer uses the storage account connection string, not a search service key, to access the data source. Option C is wrong because the indexer configuration does not need to specify the storage account key separately if using a connection string.

206
MCQeasy

You are developing a solution that needs to retrieve secrets from Azure Key Vault. The solution will run as an Azure App Service managed identity. Which authentication method should you use?

A.SharedAccessSignatureCredential
B.InteractiveBrowserCredential
C.DefaultAzureCredential
D.ClientSecretCredential
AnswerC

DefaultAzureCredential automatically uses managed identity when running in Azure, and falls back to other credential types for local development.

Why this answer

The correct answer is DefaultAzureCredential because it automatically uses the managed identity of the App Service when running in Azure, and falls back to other credential types for local development. Option B is wrong because interactive browser authentication requires user interaction and is not suitable for background services. Option D is wrong because client secret authentication is not recommended for managed identities. Option A is wrong because shared access signature is for storage access, not Key Vault.

207
MCQmedium

An app uses Azure Event Grid to publish events. The events must be delivered to an Azure Function that processes them. Which Event Grid event delivery model should be used?

A.Pull delivery
B.Push delivery
C.Batch delivery
D.Poll delivery
AnswerB

Event Grid pushes events to subscribers like Azure Functions.

Why this answer

Option B is correct because Event Grid supports push delivery to event handlers like Azure Functions. Option A (pull) is for Event Hubs; Option D (poll) is not a typical model; Option C (batch) is a delivery mode, but the push model is the standard for Event Grid.

208
MCQmedium

You are building an Azure Logic App that must connect to a third-party CRM system using a custom API. The API requires an API key in the header of every request. You need to securely store the API key and reference it in the Logic App. Which approach should you use?

A.Store the API key in the Azure Logic App's definition file.
B.Use a parameter and a connection reference in the Logic App.
C.Store the API key in Azure Key Vault and reference it with a dynamic expression.
D.Hardcode the API key in the HTTP action.
AnswerC

Key Vault centralizes secret management; Logic Apps can use the @keyVault() expression to retrieve secrets securely, avoiding exposure.

Why this answer

Option C is correct because Azure Key Vault provides a secure, centralized store for secrets like API keys, and Logic Apps can reference these secrets at runtime using a dynamic expression (e.g., `@Microsoft.KeyVault(SecretUri=...)`). This avoids exposing the key in plaintext within the Logic App definition or configuration, aligning with Azure security best practices for managed identities and secret management.

Exam trap

The trap here is that candidates may confuse 'parameter and connection reference' (Option B) as secure because it separates the value from the definition, but it still stores the key in plaintext in the connection resource, whereas Key Vault is the only option that provides encryption and access control via Azure RBAC.

How to eliminate wrong answers

Option A is wrong because storing the API key directly in the Logic App's definition file (JSON workflow) exposes it in plaintext within the source code and deployment artifacts, violating security best practices. Option B is wrong because while parameters and connection references can abstract values, they still store the API key in plaintext within the Logic App's configuration or connection resource, not providing encryption at rest or access control. Option D is wrong because hardcoding the API key in the HTTP action embeds the secret directly in the workflow definition, making it visible to anyone with read access to the Logic App and impossible to rotate without modifying the workflow.

209
MCQeasy

A developer is building an application that needs to store and retrieve large binary files (e.g., images, videos). The application runs on Azure Virtual Machines. Which Azure service provides the most cost-effective storage for these files?

A.Azure SQL Database
B.Azure Cosmos DB
C.Azure Files
D.Azure Blob Storage
AnswerD

Blob Storage is designed for cost-effective storage of large binary files.

Why this answer

Option D is correct because Azure Blob Storage is specifically designed for storing large amounts of unstructured data like binary files at low cost. Option A is incorrect because Azure SQL Database is for relational data, not blob storage. Option C is incorrect because Azure Files is for shared file systems, not optimal for large binary files. Option B is incorrect because Azure Cosmos DB is for NoSQL data and is more expensive for blob storage.

210
MCQeasy

You are building a solution that processes orders and needs to send order confirmation emails reliably. You choose Azure Logic Apps with a Gmail connector. However, you are concerned about hitting Gmail's sending limits. What should you do to handle this?

A.Use Azure Queue Storage to buffer messages and process them asynchronously.
B.Use a webhook instead of a connector to send emails directly via Gmail API.
C.Increase the Gmail API quota by contacting Google support.
D.Configure a retry policy in the Logic App action to retry on failure with exponential backoff.
AnswerD

Exponential backoff retry policy helps respect rate limits by spacing out retries.

Why this answer

Gmail has sending limits; to avoid hitting them, use a retry policy with exponential backoff in Logic Apps. Option D is the correct approach. Option C is not available; Option A is unnecessary if retries are configured; Option B is not a standard feature.

211
Multi-Selecteasy

Which TWO authentication methods can be used to call a Microsoft Entra ID-protected web API from a client application?

Select 2 answers
A.HTTP Basic authentication
B.OAuth 2.0 implicit flow
C.OAuth 2.0 client credentials flow
D.SAML 2.0 bearer assertion flow
E.OAuth 2.0 authorization code flow with PKCE
AnswersC, E

Correct: for server-to-server calls.

Why this answer

OAuth 2.0 authorization code flow with PKCE and client credentials flow are both supported for web API access. Implicit flow is deprecated. SAML and Basic auth are not standard for Entra ID API calls.

212
MCQmedium

You are building an Azure Logic App that needs to call a third-party REST API. The API requires an API key to be passed in the 'X-API-Key' header. You have stored the API key as a secret in Azure Key Vault. The Logic App uses a managed identity that has read access to the Key Vault secret. You want to retrieve the API key securely at runtime and include it in the HTTP request. Which approach should you use?

A.Use the 'Get secret' action from the Azure Key Vault connector, configured to authenticate with a managed identity. Then pass the output to the 'HTTP' action's header as 'X-API-Key'.
B.Create an API connection for the external API, providing the API key in the connection parameters. Then use that connection in the Logic App.
C.Store the API key directly in the Logic App definition's 'constants' section and reference it in the HTTP action.
D.Use the 'HTTP' action with 'Managed Identity' authentication type, and configure the external API to accept Microsoft Entra ID tokens.
AnswerA

The Azure Key Vault connector allows secure retrieval of secrets using managed identity. The HTTP action can then reference the secret value in the header, keeping it out of the workflow definition.

Why this answer

Option A is correct because it uses the Azure Key Vault connector's 'Get secret' action with managed identity authentication to securely retrieve the API key at runtime. The output is then passed directly into the HTTP action's 'X-API-Key' header, ensuring the secret is never exposed in the Logic App definition or logs. This approach follows the principle of least privilege and avoids hardcoding secrets.

Exam trap

The trap here is that candidates may confuse managed identity authentication on the HTTP action (which sends an Entra ID token) with using a managed identity to authenticate to Key Vault, leading them to select option D, which is technically incorrect for an API key scenario.

How to eliminate wrong answers

Option B is wrong because creating an API connection stores the API key in the connection definition, which is persisted and can be exposed if the connection is shared or exported; it also bypasses the runtime retrieval from Key Vault. Option C is wrong because storing the API key directly in the Logic App definition's 'constants' section hardcodes the secret into the workflow, violating security best practices and exposing it in source control or deployment artifacts. Option D is wrong because the 'HTTP' action with 'Managed Identity' authentication type sends a Microsoft Entra ID token, not an API key; the external API would need to support OAuth 2.0 token validation, which is not the case here—it expects a static API key in the 'X-API-Key' header.

213
MCQeasy

You need to consume an Azure Cognitive Services Text Analytics API from a Python application. The API requires a subscription key. Where should you store the key to ensure security?

A.Store the key in a text file in the application directory.
B.Store the key in an environment variable on the hosting machine.
C.Use Azure AD authentication instead of a key.
D.Hardcode the key in the Python source code.
AnswerB

Environment variables are secure and can be set in App Service or VM configuration.

Why this answer

Option B is correct because storing the subscription key in an environment variable on the hosting machine keeps it out of source code and configuration files, reducing the risk of accidental exposure. Environment variables are a standard security best practice for secrets in cloud applications, and Azure Cognitive Services APIs require key-based authentication unless Azure AD is explicitly configured.

Exam trap

The trap here is that candidates may choose Option C (Azure AD authentication) thinking it eliminates the need for a key entirely, but the Text Analytics API does not support Azure AD out-of-the-box without additional configuration, and the question explicitly states the API requires a subscription key.

How to eliminate wrong answers

Option A is wrong because storing the key in a text file in the application directory makes it part of the deployment package, easily accessible if the file system is compromised or if the code is shared via version control. Option C is wrong because Azure AD authentication is not supported by default for the Text Analytics API; it requires additional configuration (e.g., managed identity) and is not a drop-in replacement for the subscription key in this context. Option D is wrong because hardcoding the key in Python source code exposes it to anyone with access to the codebase, including version control history, and violates the principle of separating secrets from code.

214
MCQhard

Northwind Traders is building a microservices architecture on Azure Kubernetes Service (AKS). One service needs to read messages from an Azure Service Bus queue and write them to an Azure SQL database. The solution must use managed identities for authentication. The AKS cluster is integrated with Microsoft Entra ID. The development team wants to avoid managing service principals and secrets. The team has chosen to use the Azure Identity SDK for authentication. The service will run as a pod in AKS. Which approach should the team use to authenticate to Service Bus and Azure SQL Database?

A.Generate a self-signed certificate, upload it to AKS, and use ClientCertificateCredential in the code.
B.Deploy Azure AD Pod Identity (or Workload Identity) to assign a user-assigned managed identity to the pod. Use DefaultAzureCredential in the code. Grant the identity 'Listen' on Service Bus and 'Connect' on SQL Database.
C.Store Service Bus connection string and SQL connection string in Azure Key Vault. Use Key Vault SDK to retrieve them at runtime.
D.Create a service principal and store its client secret in a Kubernetes secret. Use ClientSecretCredential in the code. Assign the service principal permissions to Service Bus and SQL.
AnswerB

Correct: uses managed identity and DefaultAzureCredential.

Why this answer

Use Azure AD Pod Identity or Workload Identity to assign a managed identity to the pod. The code uses DefaultAzureCredential to authenticate to both Service Bus (via Azure.Messaging.ServiceBus) and SQL (via Microsoft.Data.SqlClient). Option B is correct. Option D uses a service principal with a secret, not a managed identity. Option C uses connection strings. Option A uses a certificate, not a managed identity.

215
MCQmedium

A developer exposes several backend APIs through Azure API Management. Clients must be throttled by subscription to protect the backend. What should be configured? The design must avoid adding custom operational scripts.

A.Blob soft delete
B.Application Insights sampling
C.Private DNS zone only
D.API Management rate-limit or quota policy
AnswerD

APIM policies can enforce rate limits and quotas per subscription or caller.

Why this answer

Option D is correct because Azure API Management provides built-in rate-limit and quota policies that enforce throttling at the subscription level without requiring custom code. These policies allow you to define call rates (e.g., requests per second) or quotas (e.g., requests per month) per subscription key, directly protecting backend services from overuse.

Exam trap

The trap here is that candidates may confuse monitoring features (Application Insights sampling) or unrelated Azure services (Blob soft delete, Private DNS) with API throttling mechanisms, overlooking the purpose-built rate-limit and quota policies in API Management.

How to eliminate wrong answers

Option A is wrong because Blob soft delete is a data protection feature for Azure Blob Storage that recovers accidentally deleted blobs, not a mechanism for throttling API clients. Option B is wrong because Application Insights sampling reduces telemetry volume for monitoring, not API request throttling. Option C is wrong because a Private DNS zone only resolves custom domain names within a virtual network and has no role in rate limiting or quota enforcement.

216
MCQmedium

You are developing a worker role that processes events from an Azure Event Hub. The worker runs on multiple virtual machines to ensure high availability. Each partition of the Event Hub should be processed by only one instance at a time, and events from the same partition must be processed in order. You need to manage partition leasing and checkpointing efficiently. Which Azure SDK class should you use?

A.EventHubClient
B.PartitionReceiver
C.EventHubConsumerClient
D.EventProcessorHost
AnswerD

EventProcessorHost abstracts partition leasing, checkpointing, and ensures that each partition is processed by a single instance. It processes events in order within partitions and is ideal for high-availability scenarios.

Why this answer

The EventProcessorHost (EPH) class is designed specifically for scenarios requiring distributed processing of Event Hub partitions across multiple instances. It manages partition leasing to ensure each partition is processed by only one instance at a time, handles checkpointing to track progress, and guarantees ordered processing within a partition. This makes it the correct choice for high-availability worker roles that must avoid duplicate processing and maintain event order.

Exam trap

The trap here is that candidates often confuse high-level consumer clients (like EventHubConsumerClient) with the distributed coordination capabilities of EventProcessorHost, overlooking the need for automatic lease management and checkpointing in multi-instance deployments.

How to eliminate wrong answers

Option A is wrong because EventHubClient is a low-level client for sending events and managing Event Hub metadata; it does not provide partition leasing, checkpointing, or distributed processing coordination. Option B is wrong because PartitionReceiver is a single-partition receiver that requires manual management of leases and checkpoints, making it unsuitable for multi-instance high-availability scenarios. Option C is wrong because EventHubConsumerClient is a high-level consumer for reading events from one or more partitions but lacks built-in lease management and checkpoint coordination across multiple instances.

217
MCQhard

Your application uses Azure Service Bus topics. You need to ensure that messages are processed in the order they were sent within a session. What must you configure?

A.Enable duplicate detection.
B.Enable partitioning on the topic.
C.Enable sessions on the topic and set the SessionId property on messages.
D.Set the MessageId property to a GUID.
AnswerC

Sessions guarantee FIFO within a session.

Why this answer

Option C is correct because Service Bus sessions enable FIFO ordering within a session. The sender must set the SessionId property. Option D is wrong because message sessions require sessions to be enabled. Option B is wrong because partitioning is for high availability. Option A is wrong because duplicate detection prevents duplicates but does not guarantee order.

218
MCQmedium

You are designing a solution that needs to relay events from an on-premises system to Azure Event Grid. The on-premises system cannot make outbound HTTPS calls. Which Azure service should you use as a bridge?

A.Azure VPN Gateway
B.Azure Relay
C.Azure ExpressRoute
D.Azure Event Grid on-premises
AnswerB

Azure Relay allows on-premises services to expose endpoints to Azure without opening inbound ports.

Why this answer

Azure Relay enables hybrid connections by allowing on-premises services to connect to Azure via outbound port 443. Option A is wrong because VPN Gateway requires network changes. Option C is wrong because ExpressRoute is a dedicated connection. Option D is wrong because Event Grid does not support inbound connections from on-premises.

219
Multi-Selectmedium

Which THREE are valid ways to authenticate an Azure app to an Azure resource using managed identities?

Select 3 answers
A.Managed identity using Azure AD tokens
B.System-assigned managed identity
C.Client certificate
D.Connection string
E.User-assigned managed identity
AnswersA, B, E

Managed identities obtain Azure AD tokens to access resources.

Why this answer

System-assigned and user-assigned managed identities are both valid, and when accessing resources that support managed identity authentication, the app can use the managed identity. Option C is wrong because certificates are not a managed identity type. Option D is wrong because connection strings are not managed identity.

220
MCQmedium

Refer to the exhibit. A developer runs this Azure CLI command to set an app setting for a web app. What is the impact on the web app?

A.The command fails because the password is provided in plaintext.
B.The setting is available immediately without restart.
C.The web app restarts to apply the new setting.
D.The setting is stored in a local configuration file.
AnswerC

Setting app settings triggers a restart of the web app.

Why this answer

Option C is correct. The command sets an app setting, which triggers a restart of the web app. Option B is wrong because the setting is available immediately after restart; Option D is wrong because the app setting is stored in the app's configuration, not in a file; Option A is wrong because the command does not affect the code.

221
MCQhard

You are using Azure Cache for Redis to cache frequently accessed database query results. You need to ensure that the cache is updated automatically when the underlying data changes. Which pattern should you implement?

A.Cache-aside pattern with cache invalidation
B.Read-through pattern
C.Event-driven cache invalidation using Azure Event Grid
D.Write-through pattern
AnswerA

Cache-aside loads data on miss and invalidates cache entries when data changes.

Why this answer

The cache-aside (or lazy loading) pattern is the most common approach: on a cache miss, the application loads data from the database and stores it in the cache with a TTL. When data changes, the cache entry is invalidated (deleted) so the next read fetches fresh data. Option D is write-through, which updates the cache synchronously on writes but does not handle automatic updates on external changes. Option B is read-through, which is similar to cache-aside but the cache itself loads data. Option C is event-driven invalidation, which is more complex and not a standard pattern.

222
MCQeasy

A company uses Azure Logic Apps to automate business processes. They need to call an external REST API that requires OAuth 2.0 client credentials grant. Which connector should they use with minimal configuration?

A.HTTP connector
B.HTTP + Swagger connector
C.Azure Functions connector
D.Custom connector
AnswerA

Correct. The HTTP connector can be configured with OAuth 2.0 authentication, including client credentials, with minimal custom setup.

Why this answer

The HTTP connector in Azure Logic Apps supports OAuth 2.0 client credentials grant natively with minimal configuration. You can directly set the authentication type to 'Active Directory OAuth' and provide the tenant ID, client ID, client secret, and audience/resource URI. This avoids the need for custom code or additional connectors.

Exam trap

The trap here is that candidates often overthink and choose a custom connector or Swagger-based option, not realizing the built-in HTTP connector already supports OAuth 2.0 client credentials with minimal setup.

How to eliminate wrong answers

Option B (HTTP + Swagger connector) is wrong because it is used when you have an OpenAPI (Swagger) definition to import, adding unnecessary overhead for a simple OAuth 2.0 call. Option C (Azure Functions connector) is wrong because it is designed to invoke Azure Functions, not to call external REST APIs with OAuth 2.0 client credentials. Option D (Custom connector) is wrong because it requires creating a custom API connector with a Swagger definition, which involves more configuration than the built-in HTTP connector's direct OAuth support.

223
MCQeasy

A developer is building an app that uses Azure Cognitive Services Text Analytics. The app needs to detect the language of text input. Which Azure SDK method should be called?

A.DetectLanguage
B.ExtractKeyPhrases
C.AnalyzeSentiment
D.RecognizeEntities
AnswerA

DetectLanguage is the correct method to detect the language of text.

Why this answer

Option A is correct because the Text Analytics client's DetectLanguage method is used to detect language. Option B (ExtractKeyPhrases) is for key phrases; Option C (AnalyzeSentiment) is for sentiment; Option D (RecognizeEntities) is for entities.

224
MCQmedium

You manage an API in Azure API Management. The API response varies depending on the caller's subscription key. You need to cache responses per subscription key to reduce backend load. Which policy configuration should you use?

A.Set cache key to include the subscription key
B.Use a global cache with no variation
C.Disable caching and rely on the backend
D.Use rate limiting policy
AnswerA

Correct. Using a policy like <cache-lookup vary-by-key="@(context.Subscription.Id)" /> caches different responses per subscription.

Why this answer

Option A is correct because Azure API Management's caching policy allows you to customize the cache key using the `@(context.Subscription.Id)` expression. By setting the cache key to include the subscription key, each caller's responses are cached separately based on their unique subscription, ensuring that variations in the API response per subscription key are preserved while reducing backend load.

Exam trap

The trap here is that candidates might confuse caching policies with rate limiting or assume that a single global cache is sufficient, overlooking the need to differentiate cache entries per caller identity when the API response varies by subscription key.

How to eliminate wrong answers

Option B is wrong because using a global cache with no variation would cache a single response for all callers, ignoring the fact that the API response varies per subscription key, leading to incorrect responses for most callers. Option C is wrong because disabling caching and relying on the backend would not reduce backend load, which is the primary requirement; it would force every request to hit the backend, defeating the purpose of caching. Option D is wrong because rate limiting policy controls the number of requests a caller can make, not the caching of responses; it does not address the need to cache responses per subscription key.

225
Multi-Selecthard

Which THREE features of Azure API Management help enforce security policies for APIs? (Choose three.)

Select 3 answers
A.rate-limit policy
B.xml-to-json policy
C.cache-lookup policy
D.validate-jwt policy
E.IP filtering policy
AnswersA, D, E

Limits request rates to prevent overload.

Why this answer

Option A is correct: rate-limit throttles requests to prevent abuse. Option D is correct: validate-jwt validates tokens. Option E is correct: IP filtering restricts access by source IP.

Option B is wrong: xml-to-json changes format, not security. Option C is wrong: cache-lookup improves performance but not security.
