Question 1mediummultiple choice
Full question →mediummultiple choiceObjective-mapped
Your company stores secrets in Azure Key Vault. You need to ensure that when a secret is disabled, it does not become accessible to applications that already have a cached copy. Which additional step must you take?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Best answer
Rotate the secret immediately
Rotating changes the secret value, thus invalidating any cached copies held by applications.
B
Distractor review
Delete the secret
Deleting the secret will cause new requests to fail, but cached copies remain valid until they expire or are refreshed.
C
Distractor review
Enable soft-delete and purge protection
Soft-delete and purge protection prevent permanent deletion but do not invalidate cached secret values.
D
Distractor review
Use Key Vault access policies to deny access
Access policies control who can read the secret; they do not affect cached values already held by applications.
Common exam trap
Common exam trap: ACLs stop at the first match
ACLs are processed top to bottom. The first matching entry wins, and an implicit deny usually exists at the end.
Technical deep dive
How to think about this question
ACL questions test precision: source, destination, protocol, port and direction. A generally correct ACL can still fail if it is applied on the wrong interface or in the wrong direction.
KKey Concepts to Remember
- Standard ACLs match source addresses.
- Extended ACLs can match source, destination, protocol and ports.
- The first matching ACL entry is used.
- There is usually an implicit deny at the end.
TExam Day Tips
- Check inbound versus outbound direction.
- Read the ACL from top to bottom.
- Look for a broader permit or deny above the intended line.
Related practice questions
Related AZ-204 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
An application stores customer invoices in Azure Blob Storage. Deleted blobs must be recoverable for 14 days. What should be enabled?
Question 2
You are deploying a containerized application to Azure Container Instances. The application requires a custom domain name and SSL/TLS termination. You need to configure these features. Which resource should you create alongside the container group?
Question 3
A developer needs to run a Kusto query against application request data to identify 95th percentile latency by operation. Where should the query be run? The architecture review board prefers a managed AWS-native control.
Question 4
You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to read the user's profile and send emails on their behalf. You want to minimize user consent prompts. Which OAuth 2.0 grant type should you use?
Question 5
You are developing an Azure Function that processes messages from an Azure Service Bus queue. The function uses a Service Bus queue trigger and runs on a Consumption Plan. The queue receives a high volume of messages in bursts. You need to ensure that the function scales out to handle the load but does not exceed 10 concurrent instances. Which configuration should you apply?
Question 6
You are monitoring an Azure App Service using Application Insights. You notice that the server response time is high for certain requests. You need to drill down to see which external dependencies (like databases or APIs) are causing the delay. Which Application Insights feature should you use?
FAQ
Questions learners often ask
What does this AZ-204 question test?
Standard ACLs match source addresses.
What is the correct answer to this question?
The correct answer is: Rotate the secret immediately — Disabling a secret prevents new access, but applications with a cached copy can still use the old value. Rotating the secret (changing its value) invalidates cached copies. Deleting the secret (even with soft-delete) may not be immediate and can cause errors. Access policies control permissions but do not affect cached values. Therefore, rotating the secret is required.
What should I do if I get this AZ-204 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Discussion
Loading comments…
Sign in to join the discussion.