AZ-204 Exam - 51 To 100

10/11/2021 22:24 AZ-204 Exam – Free Actual Q&As, Page 1 | ExamTopics
- Expert Verified, Online, Free.
 Custom View Settings
Question #13 Topic 2
DRAG DROP -
You are developing a web service that will run on Azure virtual machines that use Azure Storage. You configure all virtual machines to use
managed identities.
You have the following requirements:
✑ Secret-based authentication mechanisms are not permitted for accessing an Azure Storage account.
✑ Must use only Azure Instance Metadata Service endpoints.
You need to write code to retrieve an access token to access Azure Storage. To answer, drag the appropriate code segments to the correct
locations. Each code segment may be used once or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Azure Instance Metadata Service endpoints "/oauth2/token"

Box 1: http://169.254.169.254/metadata/identity/oauth2/token
Sample request using the Azure Instance Metadata Service (IMDS) endpoint (recommended):
https://www.examtopics.com/exams/microsoft/az-204/custom-view/ 1/60
Sample request using the Azure Instance Metadata Service (IMDS) endpoint (recommended):
GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1
Metadata: true
Box 2: JsonConvert.DeserializeObject<Dictionary<string,string>>(payload);
Deserialized token response; returning access code.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token
https://docs.microsoft.com/en-us/azure/service-fabric/how-to-managed-identity-service-fabric-app-code
DRAG DROP -
You are developing a new page for a website that uses Azure Cosmos DB for data storage. The feature uses documents that have the following
format:
You must display data for the new page in a specific order. You create the following query for the page:
You need to configure a Cosmos DB policy to support the query.

How should you configure the policy? To answer, drag the appropriate JSON segments to the correct locations. Each JSON segment may be used
once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Box 1: compositeIndexes -
You can order by multiple properties. A query that orders by multiple properties requires a composite index.
Box 2: descending -
Example: Composite index defined for (name ASC, age ASC):
It is optional to specify the order. If not specified, the order is ascending.
{
"automatic":true,
"indexingMode":"Consistent",
"includedPaths":[
{
"path":"/*"
}
],
"excludedPaths":[],
"compositeIndexes":[
[
{
"path":"/name",
},
{
"path":"/age",
}
]
]
}
HOTSPOT -
You are building a traffic monitoring system that monitors traffic along six highways. The system produces time series analysis-based reports for
each highway.
Data from traffic sensors are stored in Azure Event Hub.
Traffic data is consumed by four departments. Each department has an Azure Web App that displays the time series-based reports and contains a
WebJob that processes the incoming data from Event Hub. All Web Apps run on App Service Plans with three instances.
Data throughput must be maximized. Latency must be minimized.
You need to implement the Azure Event Hub.
Which settings should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: 6 -
The number of partitions is specified at creation and must be between 2 and 32.
There are 6 highways.
Box 2: Highway -
Reference:
https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features
DRAG DROP -
You are developing a microservices solution. You plan to deploy the solution to a multinode Azure Kubernetes Service (AKS) cluster.
You need to deploy a solution that includes the following features:
✑ reverse proxy capabilities
✑ configurable traffic routing
✑ TLS termination with a custom certificate
Which components should you use? To answer, drag the appropriate components to the correct requirements. Each component may be used once,
more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Box 1: Helm -
To create the ingress controller, use Helm to install nginx-ingress.
Box 2: kubectl -
To find the cluster IP address of a Kubernetes pod, use the kubectl get pod command on your local machine, with the option -o wide .
Box 3: Ingress Controller -

An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes
services. Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services.
Incorrect Answers:
Virtual Kubelet: Virtual Kubelet is an open-source Kubernetes kubelet implementation that masquerades as a kubelet. This allows Kubernetes
nodes to be backed by Virtual Kubelet providers such as serverless cloud container platforms.
CoreDNS: CoreDNS is a flexible, extensible DNS server that can serve as the Kubernetes cluster DNS. Like Kubernetes, the CoreDNS project is
hosted by the
CNCF.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/aks/ingress-basic https://www.digitalocean.com/community/tutorials/how-to-inspect-kubernetes-
networking
DRAG DROP -
You are implementing an order processing system. A point of sale application publishes orders to topics in an Azure Service Bus queue. The Label
property for the topic includes the following data:
The system has the following requirements for subscriptions:
You need to implement filtering and maximize throughput while evaluating filters.
Which filter types should you implement? To answer, drag the appropriate filter types to the correct subscriptions. Each filter type may be used
Select and Place:
Correct Answer:
FutureOrders: SQLFilter -
HighPriortyOrders: CorrelationFilter
CorrelationID only -
InternationalOrders: SQLFilter -
Country NOT USA requires an SQL Filter
HighQuantityOrders: SQLFilter -
Need to use relational operators so an SQL Filter is needed.
AllOrders: No Filter -
SQL Filter: SQL Filters - A SqlFilter holds a SQL-like conditional expression that is evaluated in the broker against the arriving messages' user-
defined properties and system properties. All system properties must be prefixed with sys. in the conditional expression. The SQL-language
subset for filter conditions tests for the existence of properties (EXISTS), as well as for null-values (IS NULL), logical NOT/AND/OR, relational
operators, simple numeric arithmetic, and simple text pattern matching with LIKE.
Correlation Filters - A CorrelationFilter holds a set of conditions that are matched against one or more of an arriving message's user and system
properties. A common use is to match against the CorrelationId property, but the application can also choose to match against ContentType,
Label, MessageId, ReplyTo,
ReplyToSessionId, SessionId, To, and any user-defined properties. A match exists when an arriving message's value for a property is equal to
the value specified in the correlation filter. For string expressions, the comparison is case-sensitive. When specifying multiple match properties,
the filter combines them as a logical
AND condition, meaning for the filter to match, all conditions must match.
Boolean filters - The TrueFilter and FalseFilter either cause all arriving messages (true) or none of the arriving messages (false) to be selected
for the subscription.
Reference:
https://docs.microsoft.com/en-us/azure/service-bus-messaging/topic-filters
DRAG DROP -
Your company has several websites that use a company logo image. You use Azure Content Delivery Network (CDN) to store the static image.
You need to determine the correct process of how the CDN and the Point of Presence (POP) server will distribute the image and list the items in
the correct order.
In which order do the actions occur? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Step 1: A user requests the image..

A user requests a file (also called an asset) by using a URL with a special domain name, such as <endpoint name>.azureedge.net. This name
can be an endpoint hostname or a custom domain. The DNS routes the request to the best performing POP location, which is usually the POP
that is geographically closest to the user.
Step 2: If no edge servers in the POP have the..
If no edge servers in the POP have the file in their cache, the POP requests the file from the origin server. The origin server can be an Azure Web
App, Azure
Cloud Service, Azure Storage account, or any publicly accessible web server.
Step 3: The origin server returns the..
The origin server returns the file to an edge server in the POP.
An edge server in the POP caches the file and returns the file to the original requestor (Alice). The file remains cached on the edge server in the
POP until the time-to-live (TTL) specified by its HTTP headers expires. If the origin server didn't specify a TTL, the default TTL is seven days.
Step 4: Subsequent requests for..
Additional users can then request the same file by using the same URL that the original user used, and can also be directed to the same POP.
If the TTL for the file hasn't expired, the POP edge server returns the file directly from the cache. This process results in a faster, more
responsive user experience.
Reference:
https://docs.microsoft.com/en-us/azure/cdn/cdn-overview
You are developing an Azure Cosmos DB solution by using the Azure Cosmos DB SQL API. The data includes millions of documents. Each
document may contain hundreds of properties.
The properties of the documents do not contain distinct values for partitioning. Azure Cosmos DB must scale individual containers in the
database to meet the performance needs of the application by spreading the workload evenly across all partitions over time.
You need to select a partition key.
Which two partition keys can you use? Each correct answer presents a complete solution.
A. a single property value that does not appear frequently in the documents
B. a value containing the collection name
C. a single property value that appears frequently in the documents
D. a concatenation of multiple property values with a random suffix appended
E. a hash suffix appended to a property value
Correct Answer: DE
You can form a partition key by concatenating multiple property values into a single artificial partitionKey property. These keys are referred to
as synthetic keys.
Another possible strategy to distribute the workload more evenly is to append a random number at the end of the partition key value. When you
distribute items in this way, you can perform parallel write operations across partitions.
Note: It's the best practice to have a partition key with many distinct values, such as hundreds or thousands. The goal is to distribute your data
and workload evenly across the items associated with these partition key values. If such a property doesn‫ג‬€™t exist in your data, you can
construct a synthetic partition key.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/synthetic-partition-keys
HOTSPOT -
You are developing an Azure-hosted e-commerce web application. The application will use Azure Cosmos DB to store sales orders. You are using
the latest SDK to manage the sales orders in the database.
You create a new Azure Cosmos DB instance. You include a valid endpoint and valid authorization key to an appSettings.json file in the code
project.
You are evaluating the following application code: (Line number are included for reference only.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Box 1: Yes -
The createDatabaseIfNotExistsAsync method checks if a database exists, and if it doesn't, create it.
The Database.CreateContainerAsync method creates a container as an asynchronous operation in the Azure Cosmos service.
Box 2: Yes -
The CosmosContainer.CreateItemAsync method creates an item as an asynchronous operation in the Azure Cosmos service.
Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.cosmos.cosmosclient.createdatabaseifnotexistsasync
https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.cosmos.database.createcontainerasync https://docs.microsoft.com/en-
us/dotnet/api/azure.cosmos.cosmoscontainer.createitemasync
DRAG DROP -
You develop an Azure solution that uses Cosmos DB.
The current Cosmos DB container must be replicated and must use a partition key that is optimized for queries.
You need to implement a change feed processor solution.
Which change feed processor components should you use? To answer, drag the appropriate components to the correct requirements. Each
component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view the content.
Select and Place:
Correct Answer:
Box 1: The monitored container -

The monitored container has the data from which the change feed is generated. Any inserts and updates to the monitored container are
reflected in the change feed of the container.
Box 2: The lease container -

The lease container acts as a state storage and coordinates processing the change feed across multiple workers. The lease container can be
stored in the same account as the monitored container or in a separate account.
Box 3: The host: A host is an application instance that uses the change feed processor to listen for changes. Multiple instances with the same
lease configuration can run in parallel, but each instance should have a different instance name.
Box 4: The delegate -

The delegate is the code that defines what you, the developer, want to do with each batch of changes that the change feed processor reads.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/change-feed-processor
Topic 3 - Question Set 3

Question #1 Topic 3
DRAG DROP -
You develop a web application.
You need to register the application with an active Azure Active Directory (Azure AD) tenant.
Which three actions should you perform in sequence? To answer, move all actions from the list of actions to the answer area and arrange them in
the correct order.
Select and Place:
Correct Answer:
Register a new application using the Azure portal

1. Sign in to the Azure portal using either a work or school account or a personal Microsoft account.
2. If your account gives you access to more than one tenant, select your account in the upper right corner. Set your portal session to the Azure
AD tenant that you want.
3. Search for and select Azure Active Directory. Under Manage, select App registrations.
4. Select New registration. (Step 1)
5. In Register an application, enter a meaningful application name to display to users.
6. Specify who can use the application. Select the Azure AD instance. (Step 2)
7. Under Redirect URI (optional), select the type of app you're building: Web or Public client (mobile & desktop). Then enter the redirect URI, or
reply URL, for your application. (Step 3)
8. When finished, select Register.
Question #2 Topic 3
You have a new Azure subscription. You are developing an internal website for employees to view sensitive data. The website uses Azure Active
Directory (Azure
AD) for authentication.
You need to implement multifactor authentication for the website.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Configure the website to use Azure AD B2C.
B. In Azure AD, create a new conditional access policy.
C. Upgrade to Azure AD Premium.
D. In Azure AD, enable application proxy.
E. In Azure AD conditional access, enable the baseline policy.
Correct Answer: BC
B: MFA Enabled by conditional access policy. It is the most flexible means to enable two-step verification for your users. Enabling using
conditional access policy only works for Azure MFA in the cloud and is a premium feature of Azure AD.
C: Multi-Factor Authentication comes as part of the following offerings:
✑ Azure Active Directory Premium licenses - Full featured use of Azure Multi-Factor Authentication Service (Cloud) or Azure Multi-Factor
Authentication Server
(On-premises).
✑ Multi-Factor Authentication for Office 365
✑ Azure Active Directory Global Administrators
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted
Question #3 Topic 3
You are developing a Java application that uses Cassandra to store key and value data. You plan to use a new Azure Cosmos DB resource and the
Cassandra
API in the application. You create an Azure Active Directory (Azure AD) group named Cosmos DB Creators to enable provisioning of Azure Cosmos
accounts, databases, and containers.
The Azure AD group must not be able to access the keys that are required to access the data.
You need to restrict access to the Azure AD group.
Which role-based access control should you use?
A. DocumentDB Accounts Contributor
B. Cosmos Backup Operator
C. Cosmos DB Operator
D. Cosmos DB Account Reader
Correct Answer: C
Azure Cosmos DB now provides a new RBAC role, Cosmos DB Operator. This new role lets you provision Azure Cosmos accounts, databases,
and containers, but can‫ג‬€™t access the keys that are required to access the data. This role is intended for use in scenarios where the ability to
grant access to Azure Active Directory service principals to manage deployment operations for Cosmos DB is needed, including the account,
database, and containers.
Reference:
https://azure.microsoft.com/en-us/updates/azure-cosmos-db-operator-role-for-role-based-access-control-rbac-is-now-available/
Question #4 Topic 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD)
credentials.
You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user's Azure AD group membership
must be used to determine the permission level.
You need to configure authorization.
Solution: Configure the Azure Web App for the website to allow only authenticated requests and require Azure AD log on.
Does the solution meet the goal?
A. Yes
B. No
Correct Answer: B
Instead in the Azure AD application‫ג‬€™s manifest, set value of the groupMembershipClaims option to All.
Reference:
https://blogs.msdn.microsoft.com/waws/2017/03/13/azure-app-service-authentication-aad-groups/
Question #5 Topic 3
credentials.
Solution:
✑ Create a new Azure AD application. In the application's manifest, set value of the groupMembershipClaims option to All.
✑ In the website, use the value of the groups claim from the JWT for the user to determine permissions.
A. Yes
B. No
Correct Answer: A
To configure Manifest to include Group Claims in Auth Token
1. Go to Azure Active Directory to configure the Manifest. Click on Azure Active Directory, and go to App registrations to find your application:
2. Click on your application (or search for it if you have a lot of apps) and edit the Manifest by clicking on it.
3. Locate the ‫ג‬€groupMembershipClaims‫ג‬€ setting. Set its value to either ‫ג‬€SecurityGroup‫ג‬€ or ‫ג‬€All‫ג‬€. To help you decide which:
✑ ‫ג‬€SecurityGroup‫ג‬€ - groups claim will contain the identifiers of all security groups of which the user is a member.
✑ ‫ג‬€All‫ג‬€ - groups claim will contain the identifiers of all security groups and all distribution lists of which the user is a member
Now your application will include group claims in your manifest and you can use this fact in your code.
Reference:
Question #6 Topic 3
credentials.
Solution:
✑ Create a new Azure AD application. In the application's manifest, define application roles that match the required permission levels for the
application.
✑ Assign the appropriate Azure AD group to each role. In the website, use the value of the roles claim from the JWT for the user to determine
permissions.
A. Yes
B. No
Correct Answer: B
To configure Manifest to include Group Claims in Auth Token
1. Go to Azure Active Directory to configure the Manifest. Click on Azure Active Directory, and go to App registrations to find your application:
2. Click on your application (or search for it if you have a lot of apps) and edit the Manifest by clicking on it.
3. Locate the ‫ג‬€groupMembershipClaims‫ג‬€ setting. Set its value to either ‫ג‬€SecurityGroup‫ג‬€ or ‫ג‬€All‫ג‬€. To help you decide which:
✑ ‫ג‬€SecurityGroup‫ג‬€ - groups claim will contain the identifiers of all security groups of which the user is a member.
✑ ‫ג‬€All‫ג‬€ - groups claim will contain the identifiers of all security groups and all distribution lists of which the user is a member
Now your application will include group claims in your manifest and you can use this fact in your code.
Reference:
Question #7 Topic 3
DRAG DROP -
You are developing an application to securely transfer data between on-premises file systems and Azure Blob storage. The application stores keys,
secrets, and certificates in Azure Key Vault. The application uses the Azure Key Vault APIs.
The application must allow recovery of an accidental deletion of the key vault or key vault objects. Key vault objects must be retained for 90 days
after deletion.
You need to protect the key vault and key vault objects.
Which Azure Key Vault feature should you use? To answer, drag the appropriate features to the correct actions. Each feature may be used once,
more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Box 1: Soft delete -

When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further
provides a mechanism for recovering the deleted object, essentially undoing the deletion.
Box 2: Purge protection -

Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is
enabled.
When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults
and objects can still be recovered, ensuring that the retention policy will be followed.
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview
Question #8 Topic 3
You provide an Azure API Management managed web service to clients. The back-end web service implements HTTP Strict Transport Security
(HSTS).
Every request to the backend service must include a valid HTTP authorization header.
You need to configure the Azure API Management instance with an authentication policy.
Which two policies can you use? Each correct answer presents a complete solution.
A. Basic Authentication
B. Digest Authentication
C. Certificate Authentication
D. OAuth Client Credential Grant
Correct Answer: CD
Question #9 Topic 3
DRAG DROP -
You are developing an ASP.NET Core website that can be used to manage photographs which are stored in Azure Blob Storage containers.
Users of the website authenticate by using their Azure Active Directory (Azure AD) credentials.
You implement role-based access control (RBAC) role permissions on the containers that store photographs. You assign users to RBAC roles.
You need to configure the website's Azure AD Application so that user's permissions can be used with the Azure Blob containers.
How should you configure the application? To answer, drag the appropriate setting to the correct location. Each setting can be used once, more
than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Box 1: user_impersonation -
Box 2: delegated -
Example:
1. Select the API permissions section
2. Click the Add a permission button and then:
Ensure that the My APIs tab is selected
3. In the list of APIs, select the API TodoListService-aspnetcore.
4. In the Delegated permissions section, ensure that the right permissions are checked: user_impersonation.
5. Select the Add permissions button.
Box 3: delegated -
Example -
1. Select the API permissions section
2. Click the Add a permission button and then,
Ensure that the Microsoft APIs tab is selected
3. In the Commonly used Microsoft APIs section, click on Microsoft Graph
4. In the Delegated permissions section, ensure that the right permissions are checked: User.Read. Use the search box if necessary.
5. Select the Add permissions button
Reference:
https://docs.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore/calling-a-web-
api-in-an-aspnet-core- web-application-using-azure-ad/
HOTSPOT -
You are developing an ASP.NET Core app that includes feature flags which are managed by Azure App Configuration. You create an Azure App
Configuration store named AppFeatureFlagStore that contains a feature flag named Export.
You need to update the app to meet the following requirements:
✑ Use the Export feature in the app without requiring a restart of the app.
✑ Validate users before users are allowed access to secure resources.
✑ Permit users to access secure resources.
How should you complete the code segment? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: UseAuthentication -
Need to validate users before users are allowed access to secure resources.
UseAuthentication adds the AuthenticationMiddleware to the specified IApplicationBuilder, which enables authentication capabilities.
Box 2: UseAuthorization -
Need to permit users to access secure resources.
UseAuthorization adds the AuthorizationMiddleware to the specified IApplicationBuilder, which enables authorization capabilities.
Box 3: UseStaticFiles -
Need to use the Export feature in the app without requiring a restart of the app.
UseStaticFiles enables static file serving for the current request path
Reference:
https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.iapplicationbuilder?view=aspnetcore-5.0
You have an application that includes an Azure Web app and several Azure Function apps. Application secrets including connection strings and
certificates are stored in Azure Key Vault.
Secrets must not be stored in the application or application runtime environment. Changes to Azure Active Directory (Azure AD) must be
minimized.
You need to design the approach to loading application secrets.
What should you do?
A. Create a single user-assigned Managed Identity with permission to access Key Vault and configure each App Service to use that Managed
Identity.
B. Create a single Azure AD Service Principal with permission to access Key Vault and use a client secret from within the App Services to
access Key Vault.
C. Create a system assigned Managed Identity in each App Service with permission to access Key Vault.
D. Create an Azure AD Service Principal with Permissions to access Key Vault for each App Service and use a certificate from within the App
Services to access Key Vault.
Correct Answer: C
Use Key Vault references for App Service and Azure Functions.
Key Vault references currently only support system-assigned managed identities. User-assigned identities cannot be used.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
You are developing a medical records document management website. The website is used to store scanned copies of patient intake forms.
If the stored intake forms are downloaded from storage by a third party, the contents of the forms must not be compromised.
You need to store the intake forms according to the requirements.
Solution:
1. Create an Azure Key Vault key named skey.
2. Encrypt the intake forms using the public key portion of skey.
3. Store the encrypted data in Azure Blob storage.
A. Yes
B. No
Correct Answer: A
Solution:
1. Create an Azure Cosmos DB database with Storage Service Encryption enabled.
2. Store the intake forms in the Azure Cosmos DB database.
A. Yes
B. No
Correct Answer: B
Instead use an Azure Key vault and public key encryption. Store the encrypted from in Azure Storage Blob storage.
Solution: Store the intake forms as Azure Key Vault secrets.
A. Yes
B. No
Correct Answer: B
Instead use an Azure Key vault and public key encryption. Store the encrypted from in Azure Storage Blob storage.
HOTSPOT -
You plan to deploy a new application to a Linux virtual machine (VM) that is hosted in Azure.
The entire VM must be secured at rest by using industry-standard encryption technology to address organizational security and compliance
requirements.
You need to configure Azure Disk Encryption for the VM.
How should you complete the Azure CLI commands? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: keyvault -
Create an Azure Key Vault with az keyvault create and enable the Key Vault for use with disk encryption. Specify a unique Key Vault name for
keyvault_name as follows: keyvault_name=myvaultname$RANDOM az keyvault create \
--name $keyvault_name \
--resource-group $resourcegroup \
--location eastus \
--enabled-for-disk-encryption True
Box 2: keyvault key -

The Azure platform needs to be granted access to request the cryptographic keys when the VM boots to decrypt the virtual disks. Create a
cryptographic key in your Key Vault with az keyvault key create. The following example creates a key named myKey: az keyvault key create \
--vault-name $keyvault_name \
--name myKey \
--protection software
Box 3: vm -
Create a VM with az vm create. Only certain marketplace images support disk encryption. The following example creates a VM named myVM
using an Ubuntu
16.04 LTS image:
az vm create \
--name myVM \
--image Canonical:UbuntuServer:16.04-LTS:latest \
--admin-username azureuser \
--generate-ssh-keys \
Box 4: vm encryption -
Encrypt your VM with az vm encryption enable:
az vm encryption enable \
--name myVM \
--disk-encryption-keyvault $keyvault_name \
--key-encryption-key myKey \
--volume-type all
Note: seems to an error in the question. Should have enable instead of create.
Box 5: all -
Encrypt both data and operating system.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-cli-quickstart
Your company is developing an Azure API hosted in Azure.

You need to implement authentication for the Azure API to access other Azure resources. You have the following requirements:
✑ All API calls must be authenticated.
✑ Callers to the API must not send credentials to the API.
Which authentication mechanism should you use?
A. Basic
B. Anonymous
C. Managed identity
D. Client certificate
Correct Answer: C
Azure Active Directory Managed Service Identity (MSI) gives your code an automatically managed identity for authenticating to Azure services,
so that you can keep credentials out of your code.
Note: Use the authentication-managed-identity policy to authenticate with a backend service using the managed identity. This policy essentially
uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully
obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme.
Incorrect Answers:
A: Use the authentication-basic policy to authenticate with a backend service using Basic authentication. This policy effectively sets the HTTP
Authorization header to the value corresponding to the credentials provided in the policy.
B: Anonymous is no authentication at all.
D: Your code needs credentials to authenticate to cloud services, but you want to limit the visibility of those credentials as much as possible.
Ideally, they never appear on a developer‫ג‬€™s workstation or get checked-in to source control. Azure Key Vault can store credentials securely so
they aren‫ג‬€™t in your code, but to retrieve them you need to authenticate to Azure Key Vault. To authenticate to Key Vault, you need a credential!
A classic bootstrap problem.
Reference:
https://azure.microsoft.com/en-us/blog/keep-credentials-out-of-code-introducing-azure-ad-managed-service-identity/
https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policies
DRAG DROP -
You are developing an application. You have an Azure user account that has access to two subscriptions.
You need to retrieve a storage account key secret from Azure Key Vault.
In which order should you arrange the PowerShell commands to develop the solution? To answer, move all commands from the list of commands
to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Step 1: Get-AzSubscription -
If you have multiple subscriptions, you might have to specify the one that was used to create your key vault. Enter the following to see the
subscriptions for your account:
Get-AzSubscription -
Step 2: Set-AzContext -SubscriptionId
To specify the subscription that's associated with the key vault you'll be logging, enter:
Set-AzContext -SubscriptionId <subscriptionID>
Step 3: Get-AzStorageAccountKey -
You must get that storage account key.
Step 4: $secretvalue = ConvertTo-SecureString <storageAccountKey> -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName <vaultName> -Name <secretName> -SecretValue $secretvalue
After retrieving your secret (in this case, your storage account key), you must convert that key to a secure string, and then create a secret with
that value in your key vault.
Step 5: Get-AzKeyVaultSecret -
Next, get the URI for the secret you created. You'll need this URI in a later step to call the key vault and retrieve your secret. Run the following
PowerShell command and make note of the ID value, which is the secret's URI:
Get-AzKeyVaultSecret ‫ג‬€"VaultName <vaultName>
Reference:
https://docs.microsoft.com/bs-latn-ba/Azure/key-vault/key-vault-key-rotation-log-monitoring
You develop Azure solutions.
You must grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager.
You need to obtain an Azure Resource Manager access token.
Solution: Use an X.509 certificate to authenticate the VM with Azure Resource Manager.
A. Yes
B. No
Correct Answer: B
Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resources endpoint.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm
Solution: Use the Reader role-based access control (RBAC) role to authenticate the VM with Azure Resource Manager.
A. Yes
B. No
Correct Answer: B
Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resources endpoint.
Reference:
HOTSPOT -
You are building a website that is used to review restaurants. The website will use an Azure CDN to improve performance and add functionality to
requests.
You build and deploy a mobile app for Apple iPhones. Whenever a user accesses the website from an iPhone, the user must be redirected to the
app store.
You need to implement an Azure CDN rule that ensures that iPhone users are redirected to the app store.
How should you complete the Azure Resource Manager template? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: iOS -
Azure AD Conditional Access supports the following device platforms:
✑ Android
✑ iOS
✑ Windows Phone
✑ Windows
macOS
Box 2: DeliveryRuleIsDeviceConditionParameters
The DeliveryRuleIsDeviceCondition defines the IsDevice condition for the delivery rule. parameters defines the parameters for the condition.
Box 3: HTTP_USER_AGENT -
Incorrect Answers:
✑ The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain.
It is used for backwards compatibility with HTTP/1.0 caches.
✑ "X-Powered-By" is a common non-standard HTTP response header (most headers prefixed with an 'X-' are non-standard).
Box 4: DeliveryRuleRequestHeaderConditionParameters
DeliveryRuleRequestHeaderCondition defines the RequestHeader condition for the delivery rule. parameters defines the parameters for the
condition.
Box 5: iOS -
The Require approved client app requirement only supports the iOS and Android for device platform condition.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant
credentials.
Solution:
✑ Configure and use Integrated Windows Authentication in the website.
✑ In the website, query Microsoft Graph API to load the group to which the user is a member.
A. Yes
B. No
Correct Answer: B
Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources.
Instead in the Azure AD application‫ג‬€™s manifest, set value of the groupMembershipClaims option to All. In the website, use the value of the
groups claim from the
JWT for the user to determine permissions.
Reference:
Solution: Run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resources endpoint.
A. Yes
B. No
Correct Answer: A
Get an access token using the VM's system-assigned managed identity and use it to call Azure Resource Manager
You will need to use PowerShell in this portion.
1. In the portal, navigate to Virtual Machines and go to your Windows virtual machine and in the Overview, click Connect.
2. Enter in your Username and Password for which you added when you created the Windows VM.
3. Now that you have created a Remote Desktop Connection with the virtual machine, open PowerShell in the remote session.
4. Using the Invoke-WebRequest cmdlet, make a request to the local managed identity for Azure resources endpoint to get an access token for
Azure Resource
Manager.
Example:
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://
management.azure.com/' -Method GET -Headers @{Metadata="true"}
Reference:
HOTSPOT -
You are building a website to access project data related to teams within your organization. The website does not allow anonymous access.
Authentication is performed using an Azure Active Directory (Azure AD) app named internal.
The website has the following authentication requirements:
✑ Azure AD users must be able to login to the website.
✑ Personalization of the website must be based on membership in Active Directory groups.
You need to configure the application's manifest to meet the authentication requirements.
How should you configure the manifest? To answer, select the appropriate configuration in the answer area.
Hot Area:
Correct Answer:
Box 1: groupMembershipClaims -
Scenario: Personalization of the website must be based on membership in Active Directory groups.
Group claims can also be configured in the Optional Claims section of the Application Manifest.
Enable group membership claims by changing the groupMembershipClaim
The valid values are:
"All"
"SecurityGroup"
"DistributionList"
"DirectoryRole"
Box 2: oauth2Permissions -
Scenario: Azure AD users must be able to login to the website. oauth2Permissions specifies the collection of OAuth 2.0 permission scopes that
the web API (resource) app exposes to client apps. These permission scopes may be granted to client apps during consent.
Incorrect Answers:
oauth2AllowImplicitFlow. oauth2AllowImplicitFlow specifies whether this web app can request OAuth2.0 implicit flow access tokens. The
default is false. This flag is used for browser-based apps, like Javascript single-page apps.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
You develop an app that allows users to upload photos and videos to Azure storage. The app uses a storage REST API call to upload the media to
a blob storage account named Account1. You have blob storage containers named Container1 and Container2.
Uploading of videos occurs on an irregular basis.
You need to copy specific blobs from Container1 to Container2 when a new video is uploaded.
What should you do?
A. Copy blobs to Container2 by using the Put Blob operation of the Blob Service REST API
B. Create an Event Grid topic that uses the Start-AzureStorageBlobCopy cmdlet
C. Use AzCopy with the Snapshot switch to copy blobs to Container2
D. Download the blob to a virtual machine and then upload the blob to Container2
Correct Answer: B
The Start-AzureStorageBlobCopy cmdlet starts to copy a blob.
Example 1: Copy a named blob -

C:\PS>Start-AzureStorageBlobCopy -SrcBlob "ContosoPlanning2015" -DestContainer "ContosoArchives" -SrcContainer "ContosoUploads"
This command starts the copy operation of the blob named ContosoPlanning2015 from the container named ContosoUploads to the container
named
ContosoArchives.
Reference:
https://docs.microsoft.com/en-us/powershell/module/azure.storage/start-azurestorageblobcopy?view=azurermps-6.13.0
You are developing an ASP.NET Core website that uses Azure FrontDoor. The website is used to build custom weather data sets for researchers.
Data sets are downloaded by users as Comma Separated Value (CSV) files. The data is refreshed every 10 hours.
Specific files must be purged from the FrontDoor cache based upon Response Header values.
You need to purge individual assets from the Front Door cache.
Which type of cache purge should you use?
A. single path
B. wildcard
C. root domain
Correct Answer: A
These formats are supported in the lists of paths to purge:
✑ Single path purge: Purge individual assets by specifying the full path of the asset (without the protocol and domain), with the file extension,
for example, /
[1]
✑ Wildcard purge: Asterisk (*) may be used as a wildcard. Purge all folders, subfolders, and files under an endpoint with /* in the path or purge
all subfolders and files under a specific folder by specifying the folder followed by /*, for example, /pictures/*.
✑ Root domain purge: Purge the root of the endpoint with "/" in the path.
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-caching
Your company is developing an Azure API.

You need to implement authentication for the Azure API. You have the following requirements:
All API calls must be secure.
✑ Callers to the API must not send credentials to the API.

Which authentication mechanism should you use?
A. Basic
B. Anonymous
C. Managed identity
D. Client certificate
Correct Answer: C
Use the authentication-managed-identity policy to authenticate with a backend service using the managed identity of the API Management
service. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified
resource. After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme.
Reference:
https://docs.microsoft.com/bs-cyrl-ba/azure/api-management/api-management-authentication-policies
You are a developer for a SaaS company that offers many web services.
All web services for the company must meet the following requirements:
✑ Use API Management to access the services
✑ Use OpenID Connect for authentication
✑ Prevent anonymous usage
A recent security audit found that several web services can be called without any authentication.
Which API Management policy should you implement?
A. jsonp
B. authentication-certificate
C. check-header
D. validate-jwt
Correct Answer: D
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Incorrect Answers:
A: The jsonp policy adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-
based clients.
JSONP is a method used in JavaScript programs to request data from a server in a different domain. JSONP bypasses the limitation enforced
by most web browsers where access to web pages must be in the same domain.
JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based
clients.
Reference:
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
DRAG DROP -
Contoso, Ltd. provides an API to customers by using Azure API Management (APIM). The API authorizes users with a JWT token.
You must implement response caching for the APIM gateway. The caching mechanism must detect the user ID of the client that accesses data for
a given location and cache the response for that user ID.
You need to add the following policies to the policies file:
✑ a set-variable policy to store the detected user identity
✑ a cache-lookup-value policy
✑ a cache-store-value policy
✑ a find-and-replace policy to update the response body with the user profile information
To which policy section should you add the policies? To answer, drag the appropriate sections to the correct policies. Each section may be used
Select and Place:
Correct Answer:
Box 1: Inbound.
A set-variable policy to store the detected user identity.
Example:
<policies>
<inbound>

<set-variable
name="enduserid"
value="@(context.Request.Headers.GetValueOrDefault("Authorization","").Split(' ')[1].AsJwt()?.Subject)" />
Box 2: Inbound -
A cache-lookup-value policy -
Example:
<inbound>
<base />
<cache-lookup vary-by-developer="true | false" vary-by-developer-groups="true | false" downstream-caching-type="none | private | public" must-
revalidate="true | false">
<vary-by-query-parameter>parameter name</vary-by-query-parameter> 
</cache-lookup>
</inbound>
Box 3: Outbound -
A cache-store-value policy.
Example:
<outbound>
<base />
<cache-store duration="3600" />
</outbound>
Box 4: Outbound -
A find-and-replace policy to update the response body with the user profile information.
Example:
<outbound>

<find-and-replace
from='"$userprofile$"'
to="@((string)context.Variables["userprofile"])" />
<base />
</outbound>
Reference:
https://docs.microsoft.com/en-us/azure/api-management/api-management-caching-policies https://docs.microsoft.com/en-us/azure/api-
management/api-management-sample-cache-by-key
DRAG DROP -
You are developing an Azure solution.
You need to develop code to access a secret stored in Azure Key Vault.
How should you complete the code segment? To answer, drag the appropriate code segments to the correct location. Each code segment may be
used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Correct Answer:
Box 1: SecretClient -
Box 2: DefaultAzureCredential -
In below example, the name of your key vault is expanded to the key vault URI, in the format "https://<your-key-vault-name>.vault.azure.net".
This example is using 'DefaultAzureCredential()' class from Azure Identity Library, which allows to use the same code across different
environments with different options to provide identity. string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME"); var
kvUri = "https://" + keyVaultName + ".vault.azure.net"; var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-net
You are developing an Azure App Service REST API.

The API must be called by an Azure App Service web app. The API must retrieve and update user profile information stored in Azure Active
Directory (Azure AD).
You need to configure the API to make the updates.
Which two tools should you use? Each correct answer presents part of the solution.
A. Microsoft Graph API
B. Microsoft Authentication Library (MSAL)
C. Azure API Management
D. Microsoft Azure Security Center
E. Microsoft Azure Key Vault SDK
Correct Answer: AC
A: You can use the Azure AD REST APIs in Microsoft Graph to create unique workflows between Azure AD resources and third-party services.
Enterprise developers use Microsoft Graph to integrate Azure AD identity management and other services to automate administrative
workflows, such as employee onboarding (and termination), profile maintenance, license deployment, and more.
C: API Management (APIM) is a way to create consistent and modern API gateways for existing back-end services.
API Management helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and
services.
Reference:
https://docs.microsoft.com/en-us/graph/azuread-identity-access-management-concept-overview
You develop a REST API. You implement a user delegation SAS token to communicate with Azure Blob storage.
The token is compromised.
You need to revoke the token.
What are two possible ways to achieve this goal? Each correct answer presents a complete solution.
A. Revoke the delegation key.
B. Delete the stored access policy.
C. Regenerate the account key.
D. Remove the role assignment for the security principle.
Correct Answer: AB
A: Revoke a user delegation SAS -
To revoke a user delegation SAS from the Azure CLI, call the az storage account revoke-delegation-keys command. This command revokes all of
the user delegation keys associated with the specified storage account. Any shared access signatures associated with those keys are
invalidated.
B: To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks
the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately
effects all of the shared access signatures associated with it.
Reference:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/storage/blobs/storage-blob-user-delegation-sas-create-cli.md
https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy#modifying-or-revoking-a-stored-access-policy
DRAG DROP -
You are developing an Azure-hosted application that must use an on-premises hardware security module (HSM) key.
The key must be transferred to your existing Azure Key Vault by using the Bring Your Own Key (BYOK) process.
You need to securely transfer the key to Azure Key Vault.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
To perform a key transfer, a user performs following steps:

✑ Generate KEK.
✑ Retrieve the public key of the KEK.
✑ Using HSM vendor provided BYOK tool - Import the KEK into the target HSM and exports the Target Key protected by the KEK.
✑ Import the protected Target Key to Azure Key Vault.
Step 1: Generate a Key Exchange Key (KEK).
Step 2: Retrieve the Key Exchange Key (KEK) public key.
Step 3: Generate a key transfer blob file by using the HSM vendor-provided tool.
Generate key transfer blob using HSM vendor provided BYOK tool
Step 4: Run the az keyvault key import command
Upload key transfer blob to import HSM-key.
Customer will transfer the Key Transfer Blob (".byok" file) to an online workstation and then run a az keyvault key import command to import
this blob as a new
HSM-backed key into Key Vault.
To import an RSA key use this command:
az keyvault key import
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification
You develop and deploy an Azure Logic app that calls an Azure Function app. The Azure Function app includes an OpenAPI (Swagger) definition
and uses an
Azure Blob storage account. All resources are secured by using Azure Active Directory (Azure AD).
The Azure Logic app must securely access the Azure Blob storage account. Azure AD resources must remain if the Azure Logic app is deleted.
You need to secure the Azure Logic app.
What should you do?
A. Create a user-assigned managed identity and assign role-based access controls.
B. Create an Azure AD custom role and assign the role to the Azure Blob storage account.
C. Create an Azure Key Vault and issue a client certificate.
D. Create a system-assigned managed identity and issue a client certificate.
E. Create an Azure AD custom role and assign role-based access controls.
Correct Answer: A
To give a managed identity access to an Azure resource, you need to add a role to the target resource for that identity.
Note: To easily authenticate access to other resources that are protected by Azure Active Directory (Azure AD) without having to sign in and
provide credentials or secrets, your logic app can use a managed identity (formerly known as Managed Service Identity or MSI). Azure manages
this identity for you and helps secure your credentials because you don't have to provide or rotate secrets.
If you set up your logic app to use the system-assigned identity or a manually created, user-assigned identity, the function in your logic app can
also use that same identity for authentication.
Reference:
https://docs.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity https://docs.microsoft.com/en-us/azure/api-
management/api-management-howto-mutual-certificates-for-clients
HOTSPOT -
You are developing an application that uses a premium block blob storage account. You are optimizing costs by automating Azure Blob Storage
access tiers.
You apply the following policy rules to the storage account. You must determine the implications of applying the rules to the data. (Line numbers
are included for reference only.)
Hot Area:
Correct Answer:
Box 1: Yes -
Box 2: Yes -
Box 3: Yes -
Box 4: Yes -
You are developing a solution that will use a multi-partitioned Azure Cosmos DB database. You plan to use the latest Azure Cosmos DB SDK for
development.
The solution must meet the following requirements:
✑ Send insert and update operations to an Azure Blob storage account.
✑ Process changes to all partitions immediately.
✑ Allow parallelization of change processing.
You need to process the Azure Cosmos DB operations.
What are two possible ways to achieve this goal? Each correct answer presents a complete solution.
A. Create an Azure App Service API and implement the change feed estimator of the SDK. Scale the API by using multiple Azure App Service
instances.
B. Create a background job in an Azure Kubernetes Service and implement the change feed feature of the SDK.
C. Create an Azure Function to use a trigger for Azure Cosmos DB. Configure the trigger to connect to the container.
D. Create an Azure Function that uses a FeedIterator object that processes the change feed by using the pull model on the container. Use a
FeedRange objext to parallelize the processing of the change feed across multiple functions.
Correct Answer: C
Azure Functions is the simplest option if you are just getting started using the change feed. Due to its simplicity, it is also the recommended
option for most change feed use cases. When you create an Azure Functions trigger for Azure Cosmos DB, you select the container to connect,
and the Azure Function gets triggered whenever there is a change in the container. Because Azure Functions uses the change feed processor
behind the scenes, it automatically parallelizes change processing across your container's partitions.
Note: You can work with change feed using the following options:
✑ Using change feed with Azure Functions
✑ Using change feed with change feed processor
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/read-change-feed
HOTSPOT -
You have an Azure Web app that uses Cosmos DB as a data store. You create a CosmosDB container by running the following PowerShell script:
$resourceGroupName = "testResourceGroup"
$accountName = "testCosmosAccount"
$databaseName = "testDatabase"
$containerName = "testContainer"
$partitionKeyPath = "/EmployeeId"
$autoscaleMaxThroughput = 5000
New-AzCosmosDBSqlContainer -
-ResourceGroupName $resourceGroupName
-AccountName $accountName
-DatabaseName $databaseName
-Name $containerName
-PartitionKeyKind Hash
-PartitionKeyPath $partitionKeyPath
-AutoscaleMaxThroughput $autoscaleMaxThroughput
You create the following queries that target the container:
SELECT * FROM c WHERE c.EmployeeId > '12345'
SELECT * FROM c WHERE c.UserID = '12345'
Hot Area:
Correct Answer:
Box 1: No -
You set the highest, or maximum RU/s Tmax you don't want the system to exceed. The system automatically scales the throughput T such that
0.1* Tmax <= T <=
Tmax.
In this example we have autoscaleMaxThroughput = 5000, so the minimum throughput for the container is 500 R/Us.
Box 2: No -
First query: SELECT * FROM c WHERE c.EmployeeId > '12345'
Here's a query that has a range filter on the partition key and won't be scoped to a single physical partition. In order to be an in-partition query,
the query must have an equality filter that includes the partition key:
SELECT * FROM c WHERE c.DeviceId > 'XMS-0001'
Box 3: Yes -
Example of In-partition query:
Consider the below query with an equality filter on DeviceId. If we run this query on a container partitioned on DeviceId, this query will filter to a
single physical partition.
SELECT * FROM c WHERE c.DeviceId = 'XMS-0001'
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-choose-offer https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-query-
container
HOTSPOT -
You are developing a web application that makes calls to the Microsoft Graph API. You register the application in the Azure portal and upload a
valid X509 certificate.
You create an appsettings.json file containing the certificate name, client identifier for the application, and the tenant identifier of the Azure Active
Directory (Azure
AD). You create a method named ReadCertificate to return the X509 certificate by name.
You need to implement code that acquires a token by using the certificate.
How should you complete the code segment? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: ConfidentialClientApplicationBuilder
Here's the code to instantiate the confidential client application with a client secret: app =
ConfidentialClientApplicationBuilder.Create(config.ClientId)
.WithClientSecret(config.ClientSecret)
.WithAuthority(new Uri(config.Authority))
.Build();
Box 2: scopes -
After you've constructed a confidential client application, you can acquire a token for the app by calling AcquireTokenForClient, passing the
scope, and optionally forcing a refresh of the token.
Sample code: result = await app.AcquireTokenForClient(scopes)
.ExecuteAsync();
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-app-configuration https://docs.microsoft.com/en-
us/azure/active-directory/develop/scenario-daemon-acquire-token
Topic 4 - Question Set 4
Question #1 Topic 4
You are developing an ASP.NET Core Web API web service. The web service uses Azure Application Insights for all telemetry and dependency
tracking. The web service reads and writes data to a database other than Microsoft SQL Server.
You need to ensure that dependency tracking works for calls to the third-party database.
Which two dependency telemetry properties should you use? Each correct answer presents part of the solution.
A. Telemetry.Context.Cloud.RoleInstance
B. Telemetry.Id
C. Telemetry.Name
D. Telemetry.Context.Operation.Id
E. Telemetry.Context.Session.Id
Correct Answer: BD
Example:
public async Task Enqueue(string payload)
{
// StartOperation is a helper method that initializes the telemetry item
// and allows correlation of this operation with its parent and children. var operation = telemetryClient.StartOperation<DependencyTelemetry>
("enqueue " + queueName);
operation.Telemetry.Type = "Azure Service Bus";

operation.Telemetry.Data = "Enqueue " + queueName;
var message = new BrokeredMessage(payload);
// Service Bus queue allows the property bag to pass along with the message.
// We will use them to pass our correlation identifiers (and other context)
// to the consumer.
message.Properties.Add("ParentId", operation.Telemetry.Id);
message.Properties.Add("RootId", operation.Telemetry.Context.Operation.Id);
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/app/custom-operations-tracking
Question #2 Topic 4
HOTSPOT -
You are using Azure Front Door Service.
You are expecting inbound files to be compressed by using Brotli compression. You discover that inbound XML files are not compressed. The files
are 9 megabytes (MB) in size.
You need to determine the root cause for the issue.
To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: No -
Front Door can dynamically compress content on the edge, resulting in a smaller and faster response to your clients. All files are eligible for
compression.
However, a file must be of a MIME type that is eligible for compression list.
Box 2: No -
Sometimes you may wish to purge cached content from all edge nodes and force them all to retrieve new updated assets. This might be due to
updates to your web application, or to quickly update assets that contain incorrect information.
Box 3: Yes -
These profiles support the following compression encodings: Gzip (GNU zip), Brotli
Reference:
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-caching
Question #3 Topic 4
HOTSPOT -
You are developing an Azure App Service hosted ASP.NET Core web app to deliver video-on-demand streaming media. You enable an Azure
Content Delivery
Network (CDN) Standard for the web endpoint. Customer videos are downloaded from the web app by using the following example URL:
http://www.contoso.com/ content.mp4?quality=1
All media content must expire from the cache after one hour. Customer videos with varying quality must be delivered to the closest regional point
of presence
(POP) node.
You need to configure Azure CDN caching rules.
Which options should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Box 1: Override -
Override: Ignore origin-provided cache duration; use the provided cache duration instead. This will not override cache-control: no-cache.
Set if missing: Honor origin-provided cache-directive headers, if they exist; otherwise, use the provided cache duration.
Incorrect:
Bypass cache: Do not cache and ignore origin-provided cache-directive headers.
Box 2: 1 hour -
All media content must expire from the cache after one hour.
Box 3: Cache every unique URL -

Cache every unique URL: In this mode, each request with a unique URL, including the query string, is treated as a unique asset with its own
cache. For example, the response from the origin server for a request for example.ashx?q=test1 is cached at the POP node and returned for
subsequent caches with the same query string. A request for example.ashx?q=test2 is cached as a separate asset with its own time-to-live
setting.
Incorrect Answers:
Bypass caching for query strings: In this mode, requests with query strings are not cached at the CDN POP node. The POP node retrieves the
asset directly from the origin server and passes it to the requestor with each request.
Ignore query strings: Default mode. In this mode, the CDN point-of-presence (POP) node passes the query strings from the requestor to the
origin server on the first request and caches the asset. All subsequent requests for the asset that are served from the POP ignore the query
strings until the cached asset expires.
Reference:
https://docs.microsoft.com/en-us/azure/cdn/cdn-query-string
Question #4 Topic 4
DRAG DROP -
You develop a web app that uses tier D1 app service plan by using the Web Apps feature of Microsoft Azure App Service.
Spikes in traffic have caused increases in page load times.
You need to ensure that the web app automatically scales when CPU load is about 85 percent and minimize costs.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:
Correct Answer:
Step 1: Configure the web app to the Standard App Service Tier
The Standard tier supports auto-scaling, and we should minimize the cost.
Step 2: Enable autoscaling on the web app
First enable autoscale -
Step 3: Add a scale rule -

Step 4: Add a Scale condition -

Reference:
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-autoscale-get-started

AZ-204 Exam - 51 To 100

Uploaded by

Copyright:

Available Formats

AZ-204 Exam - 51 To 100

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AZ-204 Exam - 51 To 100

Uploaded by

Copyright:

Available Formats

10/11/2021 22:24 AZ-204 Exam – Free Actual Q&As, Page 1 | ExamTopics

- Expert Verified, Online, Free.

 Custom View Settings

Question #13 Topic 2

Azure Instance Metadata Service endpoints "/oauth2/token"

Question #14 Topic 2

You need to configure a Cosmos DB policy to support the query.

Question #15 Topic 2

Question #16 Topic 2

Box 3: Ingress Controller -

Question #17 Topic 2

The system has the following requirements for subscriptions:

Question #18 Topic 2

Step 1: A user requests the image..

Question #19 Topic 2

B. a value containing the collection name

C. a single property value that appears frequently in the documents

D. a concatenation of multiple property values with a random suffix appended

E. a hash suffix appended to a property value

Question #20 Topic 2

Question #21 Topic 2

Box 1: The monitored container -

Box 2: The lease container -

Box 4: The delegate -

Topic 3 - Question Set 3

Register a new application using the Azure portal

A. Configure the website to use Azure AD B2C.

B. In Azure AD, create a new conditional access policy.

C. Upgrade to Azure AD Premium.

D. In Azure AD, enable application proxy.

E. In Azure AD conditional access, enable the baseline policy.

A. DocumentDB Accounts Contributor

B. Cosmos Backup Operator

D. Cosmos DB Account Reader

Box 1: Soft delete -

Box 2: Purge protection -

D. OAuth Client Credential Grant

Question #10 Topic 3

Question #11 Topic 3

Question #12 Topic 3

Question #13 Topic 3

Question #14 Topic 3

Question #15 Topic 3

Box 2: keyvault key -

Question #16 Topic 3

Your company is developing an Azure API hosted in Azure.

Question #17 Topic 3

Set-AzContext -SubscriptionId <subscriptionID>

Question #18 Topic 3

Question #19 Topic 3

Question #20 Topic 3

Question #21 Topic 3

Question #22 Topic 3

Question #23 Topic 3

Question #24 Topic 3

B. Create an Event Grid topic that uses the Start-AzureStorageBlobCopy cmdlet

C. Use AzCopy with the Snapshot switch to copy blobs to Container2

Example 1: Copy a named blob -

Question #25 Topic 3