az-204 practice-002

Question 4 of 50

You develop an application. The application will be accessed by a supplier.

The supplier requires a shared access signature (SAS) to access Azure services in your company’s subscription.

You need to secure the SAS.

Which three actions should you take? Each correct answer presents a complete solution.

Always use HTTPS.

Use Azure Monitor and Azure Storage logs to monitor the application.

Define a stored access policy for a service SAS.

This item tests the candidate’s knowledge of creating and implementing shared access signatures (SAS).

Always use HTTPS to create and distribute a SAS, so the token is not exposed in transit, and set the signed protocol (spr) to https so the token cannot be presented over plain HTTP.

Azure Monitor and Azure Storage resource logs should be used to observe authorization failures; a spike in failed requests that present a SAS can indicate a leaked or brute-forced token.

Stored access policies give the option to revoke permissions for a service SAS without having to regenerate the storage account keys. A security best practice is to grant the minimum required privileges. Use near-term expiration times on an ad hoc service SAS or account SAS so that a compromised SAS is valid only for a short time.

Control access to Azure Storage with shared access signatures - Training | Microsoft Learn

Grant limited access to data with shared access signatures (SAS) - Azure Storage | Microsoft Learn

Question 5 of 50

You develop a multitenant web application named App1. You plan to register App1 with multiple Microsoft Entra ID tenants.

You need to identify the relationship between the application objects and security principals associated with App1.

Which relationship should you identify?

App1 will have a single application object and multiple service principals.

This item tests the candidate’s knowledge of configuring authentication of multitenant applications, which is a common scenario when implementing authentication.

App1 will have a single application object and multiple service principals. The application object is created once, in the home tenant where App1 is registered; each tenant whose administrator or users consent to App1 gets its own service principal that references that object. The other combinations (multiple application objects with multiple service principals, multiple application objects with a single service principal, or a single application object with a single service principal) do not describe a multitenant application.

Explore service principals - Training | Microsoft Learn

Apps & service principals in Azure AD - Microsoft Entra | Microsoft Learn

 

Question 6 of 50

You manage an Azure App Service function app named app1 and a storage account named account1.

You have the following requirements:

  • App1 should access account1 without managing credentials.
  • The service principal associated with app1 cannot be explicitly deleted.

You need to configure a security principal for app1.

Which security principal should you use?

system-assigned managed identity

This item tests the candidate’s knowledge of implementing managed identities, which is part of implementing secure cloud solutions.

Managed identities for Azure resources eliminate the need to manage credentials in code. A system-assigned managed identity is restricted to one per resource and is tied to the lifecycle of the resource. Once enabled for app1, it will automatically create a service principal without the need to manage credentials and cannot be explicitly deleted.

A Microsoft Entra ID application is defined by its one and only application object, which resides in the Microsoft Entra ID tenant where the application was registered (known as the application's home tenant). It cannot be used by app1 to access a storage account without managing credentials.

A user-assigned managed identity is created as a standalone Azure resource and can be assigned to one or more instances of an Azure service. Once assigned to app1 it also provides a service principal with no credentials to manage, but the identity has its own lifecycle and must be explicitly deleted, which fails the second requirement.

The legacy service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. The legacy service principal cannot be used to access a storage account without managing credentials.

Implement managed identities - Training | Microsoft Learn

Apps & service principals in Azure AD - Microsoft Entra | Microsoft Learn

Question 7 of 50

You have 10 applications running in Azure App Service.

You need to ensure the applications have access to items stored in Azure App Configuration by using a common configuration. Passwords or keys must not be used.

Which solution should you use?

User-assigned managed identities

This item tests the candidate's knowledge of managed identities.

A single user-assigned managed identity can be assigned to all 10 apps, so one identity, with one set of role assignments on the App Configuration store, is reused across the applications with no keys or passwords.

System-assigned managed identities create a new identity for each application, so each would need its own role assignments, which does not meet the common configuration requirement.

A service principal authenticates with a client secret or certificate that must be stored and rotated.

The developer does not run the application, so the developer’s identity cannot be assumed.

Implement Azure App Configuration - Training | Microsoft Learn

Managed identities - Azure App Service | Microsoft Learn
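Questions 6 and 7 rest on the same mechanism: the platform injects an identity endpoint into the app, and the app asks that endpoint for a token instead of holding a credential. The Python below is an added example, not code from the practice test or from Microsoft's SDK. It builds the request the App Service/Functions identity endpoint expects (the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables and api-version 2019-08-01) for the system-assigned identity or, when client_id is supplied, for a user-assigned one, and parses the reply. The endpoint address, header secret and token response used in the sample are constructed; the same call with resource https://vault.azure.net yields a token for Key Vault, which is the situation in Question 35. In production the Azure Identity library's DefaultAzureCredential performs this exchange for you.

```python
"""Request a managed identity token from the App Service identity endpoint (added example)."""
import json
import os
from typing import Optional, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_VERSION = "2019-08-01"  # identity endpoint API version used by App Service and Functions


def build_token_request(resource: str, endpoint: str, header_secret: str,
                        client_id: Optional[str] = None) -> Tuple[str, dict]:
    """Return (url, headers) for a token request to the platform's identity endpoint.

    resource      audience of the token, e.g. https://storage.azure.com/ or https://vault.azure.net
    endpoint      value of IDENTITY_ENDPOINT, injected by App Service when an identity is enabled
    header_secret value of IDENTITY_HEADER, a per-app secret that proves the caller runs inside the app
    client_id     set only for a user-assigned identity; omit it for the system-assigned identity
    """
    params = {"resource": resource, "api-version": API_VERSION}
    if client_id:
        params["client_id"] = client_id
    url = f"{endpoint}?{urlencode(params)}"
    # The platform issues the token on the app's behalf, so no client secret lives in code or config.
    return url, {"X-IDENTITY-HEADER": header_secret}


def parse_token_response(body: str) -> Tuple[str, int]:
    """Extract the bearer token and its expiry (UNIX seconds) from the endpoint's JSON reply."""
    data = json.loads(body)
    return data["access_token"], int(data["expires_on"])


def storage_headers(token: str, api_version: str = "2022-11-02") -> dict:
    """Headers for a Blob REST call authorised with the identity token; no account key is involved."""
    return {"Authorization": f"Bearer {token}", "x-ms-version": api_version}


def get_token(resource: str, client_id: Optional[str] = None) -> Tuple[str, int]:
    """Live call; only works inside App Service/Functions where the identity environment variables exist."""
    endpoint = os.environ["IDENTITY_ENDPOINT"]
    secret = os.environ["IDENTITY_HEADER"]
    url, headers = build_token_request(resource, endpoint, secret, client_id)
    with urlopen(Request(url, headers=headers), timeout=5) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


# Constructed sample reply, shaped like the endpoint's real JSON; the token value is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ.placeholder.token",
    "expires_on": "1700000000",
    "resource": "https://storage.azure.com/",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    url, headers = build_token_request("https://storage.azure.com/",
                                       "http://127.0.0.1:41234/msi/token", "assumed-header-secret")
    print(url, headers)
    token, expires_on = parse_token_response(SAMPLE_RESPONSE)
    print(storage_headers(token), expires_on)
```

Pass client_id only when the app has more than one identity attached or is using a user-assigned identity; with a single system-assigned identity the endpoint resolves it from the request alone.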

 

Question 8 of 50

You plan to create a key namespace hierarchy in Azure App Configuration.

You need to separate individual key names.

Which character should you use?

:

This item tests the candidate’s knowledge of configuring key namespace hierarchy of App Configuration, which is part of implementing secure cloud solutions.

The colon character (:) is used to separate names of individual keys when creating a namespace hierarchy in Azure App Configuration.

The asterisk character (*) is one of reserved characters in Azure App Configuration, so it cannot be used to separate names of individual keys when creating a namespace hierarchy in Azure App Configuration.

The comma character (,) is one of reserved characters in Azure App Configuration, so it cannot be used to separate names of individual keys when creating a namespace hierarchy in Azure App Configuration.

The backslash character (\) is one of reserved characters in Azure App Configuration, so it cannot be used to separate names of individual keys when creating a namespace hierarchy in Azure App Configuration.

Create paired keys and values - Training | Microsoft Learn

Understand Azure App Configuration key-value store | Microsoft Learn

 

Question 10 of 50

You have an Azure Storage account container named container1.

You need to configure access to the container to meet the following requirements:

  • The shared access signature (SAS) token should be secured with Microsoft Entra ID credentials.
  • Role-based access control (RBAC) should be used.
  • The SAS token should support granting access to containers.

Which type of SAS should you use?

user delegation

This item tests the candidate’s knowledge of securing an Azure Storage account, which is part of developing solutions that use blob storage.

A user delegation SAS fulfills all the requirements: it is signed with a user delegation key obtained with Microsoft Entra ID credentials rather than with an account key, the permissions it can grant are bounded by the RBAC roles of the requesting principal, and it can be scoped to a container. An account SAS is created at the level of the storage account and is signed with an account key. A service SAS delegates access to a resource in just one of the storage services (Blob, Queue, Table, or File) and is also signed with an account key. A stored access policy serves to group shared access signatures and to provide additional restrictions for signatures bound by the policy; it is not a SAS type in itself. None of the account SAS, service SAS, or stored access policy options secures the token with Microsoft Entra ID credentials or uses RBAC to manage permissions.

Store application data with Azure Blob storage - Training | Microsoft Learn

Secure your Azure Storage account - Training | Microsoft Learn

Create a user delegation SAS - Azure Storage | Microsoft Learn

Create an account SAS - Azure Storage | Microsoft Learn

Create a service SAS - Azure Storage | Microsoft Learn
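The hardening guidance in Question 4 and the SAS types compared in Question 10 can be checked mechanically before a token is handed to a supplier. The Python below is an added example, not code from the practice test or from Microsoft. It classifies a SAS from the query parameters only one type carries (skoid marks a user delegation SAS, ss together with srt an account SAS, sr without a delegation key a service SAS) and flags the weaknesses the explanations warn about: no HTTPS restriction, a long lifetime, permissions beyond what is needed, and an ad hoc service SAS that can only be revoked by rotating the account keys. The three tokens are constructed samples with placeholder signatures and an assumed account name; the one-hour lifetime and read-only permission thresholds are assumptions to adjust per use.

```python
"""Audit an Azure Storage SAS token against the hardening guidance above (added example)."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def parse_sas(url_or_token: str) -> dict:
    """Return the SAS query parameters as a flat dict (first value per key)."""
    query = urlsplit(url_or_token).query if "://" in url_or_token else url_or_token.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def sas_kind(params: dict) -> str:
    """Classify the SAS from the parameters that only one type carries."""
    if "skoid" in params:                    # signed key object id: user delegation key from Entra ID
        return "user delegation"
    if "ss" in params and "srt" in params:   # signed services + resource types: account SAS
        return "account"
    if "sr" in params:                       # signed resource without a delegation key: service SAS
        return "service"
    return "unknown"


def _parse_time(value: str) -> datetime:
    """SAS timestamps are ISO 8601 UTC; the date-only form is also accepted by Azure."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(url_or_token: str, required_permissions: str = "r",
              max_lifetime: timedelta = timedelta(hours=1),
              now: Optional[datetime] = None) -> Tuple[str, List[str]]:
    """Return (kind, findings). An empty findings list means the token meets the policy."""
    p = parse_sas(url_or_token)
    now = now or datetime.now(timezone.utc)
    kind = sas_kind(p)
    findings: List[str] = []

    if "sig" not in p:
        findings.append("no signature (sig): not a valid SAS")
    if p.get("spr") != "https":              # omitting spr permits plain HTTP as well as HTTPS
        findings.append("not restricted to HTTPS (spr=https missing)")
    if "se" in p:
        start = _parse_time(p["st"]) if "st" in p else now
        lifetime = _parse_time(p["se"]) - start
        if lifetime > max_lifetime:
            findings.append(f"lifetime {lifetime} exceeds {max_lifetime}")
    elif "si" not in p:                      # a stored access policy may carry the expiry instead
        findings.append("no expiry (se) and no stored access policy (si) to supply one")
    extra = set(p.get("sp", "")) - set(required_permissions)
    if extra:
        findings.append(f"excess permissions: {''.join(sorted(extra))}")
    if kind == "service" and "si" not in p:
        findings.append("ad hoc service SAS: revocable only by rotating the account keys")
    if kind == "account":
        findings.append("account SAS: signed with an account key, cannot use a stored access policy or RBAC")
    return kind, findings


# Constructed sample tokens with placeholder signatures and an assumed account name (not real credentials).
WEAK_SAS = ("https://account1.blob.core.windows.net/container1"
            "?sv=2022-11-02&sr=c&sp=rwdl&st=2024-05-01T00:00:00Z&se=2024-06-01T00:00:00Z&sig=PLACEHOLDER")
POLICY_SAS = ("https://account1.blob.core.windows.net/container1"
              "?sv=2022-11-02&sr=c&si=supplier-read&spr=https&sig=PLACEHOLDER")
DELEGATION_SAS = ("https://account1.blob.core.windows.net/container1"
                  "?sv=2022-11-02&sr=c&sp=r&st=2024-05-01T00:00:00Z&se=2024-05-01T01:00:00Z&spr=https"
                  "&skoid=00000000-0000-0000-0000-000000000000&sktid=00000000-0000-0000-0000-000000000000"
                  "&skt=2024-05-01T00:00:00Z&ske=2024-05-02T00:00:00Z&sks=b&skv=2022-11-02&sig=PLACEHOLDER")

if __name__ == "__main__":
    for name, token in (("weak", WEAK_SAS), ("policy", POLICY_SAS), ("delegation", DELEGATION_SAS)):
        kind, findings = audit_sas(token)
        print(f"{name}: {kind} SAS, {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The policy-bound token passes with no findings even though it carries no se or sp, because those limits live in the stored access policy and can be tightened or revoked server-side without touching the account keys.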

 

Question 11 of 50

You are developing a solution that stores secrets in an Azure Key Vault named myvault.

You need to retrieve the value for a secret named mysecret that is stored in myvault.

Which CLI command should you use?

az keyvault secret show --name mysecret --vault-name myvault

This item tests the candidate’s knowledge of developing code that uses keys, secrets, and certificates stored in Azure Key Vault. The az keyvault secret command group offers several commands to work with secrets; the most commonly used are set, which stores a secret, and show, which returns the secret’s value. With these commands, either --id with the full secret identifier (in the format https://<keyvaultname>.vault.azure.net/secrets/<secret-name>/<secret-version>) or both --name and --vault-name must be specified.

Exercise: Set and retrieve a secret from Azure Key Vault by using Azure CLI

az keyvault secret

 

Question 12 of 50

A company uses Azure API Management to expose some of its services.

Each developer consuming APIs must use a single key to obtain access to various APIs without requiring approval from the API publisher.

You need to recommend a solution.

Which solution should you recommend?

Define a subscription with product scope.

This item tests the candidate's knowledge of Azure API Management subscriptions.

A product groups one or more APIs, and a subscription scoped to that product yields a single key that grants access to every API in the product. When the product is configured so that a subscription is required but approval is not, developers obtain the key through the developer portal without the publisher's involvement. A subscription scoped to all APIs would grant more than the developer needs, and IP filtering does not address the requirement, since developer access should be granted regardless of the caller IP.

A client certificate would require a policy to validate the certificate and specific logic to map the client to specific APIs.

Secure APIs by using subscriptions - Training | Microsoft Learn

Subscriptions in Azure API Management | Microsoft Learn

 

Question 13 of 50

You manage an Azure event hub.

You need to ensure that multiple load-balanced instances of a .NET application (version 5.0) can be used to scale event processing.

Which event processor client should you use?

 `EventProcessorClient`

This item tests the candidate’s knowledge of scaling event processing applications, which is part of developing event-based solutions.

EventProcessorClient balances the load between multiple instances of a program in newer .NET versions (version 5.0).

EventHubConsumerClient balances the load between multiple instances of a program in Python and JavaScript.

EventProcessorHost balances the load between multiple instances of a program in earlier .NET versions.

The EventHubProducerClient class is used to send events to an event hub.

Explore Azure Event Hubs - Training | Microsoft Learn

Scale your processing application - Training | Microsoft Learn

EventHubProducerClient class | Microsoft Learn

 

Question 16 of 50

You have an Azure Service Bus instance.

You need to provide first-in, first-out (FIFO) guarantee for message processing.

What should you configure?

message sessions

This item tests the candidate’s knowledge of setting up FIFO guarantees in Azure Service Bus, which is a common task when implementing solutions by using Azure Service Bus.

To provide FIFO guarantees in Service Bus, sessions must be configured. Message sessions enable exclusive, ordered handling of unbounded sequences of related messages.

A dead-letter queue holds messages that cannot be delivered to any receiver.

Message deferral makes it possible to defer retrieval of a message until a later time.

Scheduled delivery allows submitting messages to a queue or topic for delayed processing.

A dead-letter queue, message deferral, and scheduled delivery do not provide FIFO guarantees.

Explore Azure Service Bus - Training | Microsoft Learn

Azure Service Bus message sessions - Azure Service Bus | Microsoft Learn

 

https://learn.microsoft.com/en-us/credentials/certifications/exams/az-204/practice/results?assessmentId=35&snapshotId=fcb0a986-ff71-4fa3-8c9e-befb1deda9eb

Question 9 of 50

A company implements a multi-region Azure Cosmos DB account.

You need to configure the default consistency level for the account. The consistency level must ensure that update operations made as a batch within a transaction are always visible together.

Which consistency level should you use?

Consistent Prefix

This item tests the candidate’s knowledge of selecting the appropriate consistency level for operations in Azure Cosmos DB.

The Consistent Prefix consistency level ensures that updates made as a batch within a transaction are returned consistently with the transaction in which they were committed. Write operations within a transaction of multiple documents are always visible together.

The Bounded Staleness consistency level is used to manage the lag of data between any two regions based on an updated version of an item or the time intervals between read and write.

The Session consistency level is used to ensure that within a single client session, reads are guaranteed to honor the read-your-writes and write-follows-reads guarantees.

The Eventual consistency level is used when no ordering guarantee is required.

Explore consistency levels

Consistency levels in Azure Cosmos DB

Question 10 of 50

You are planning to host a static website in an Azure Storage account.

The website must be accessible only through HTTPS by using a custom domain name.

You enable the static website hosting feature. You set the default page to index.html and the error page to error.html.

Which two actions should you perform next? Each correct answer presents part of the solution.

Integrate the static website with Azure Content Delivery Network (CDN).

Upload the index.html and error.html files to the web hosting container.

This item tests the candidate’s knowledge of implementing static site hosting. To host a static website in a storage account, the feature must be enabled, and the names of the default and error documents must be specified when enabling it. This creates a $web container, with private access, to which the site files must be uploaded; the files are then served from the storage account's web endpoint. A custom domain can be mapped to the site. For HTTP-only access, the domain can be registered under the storage account's custom domain setting. For HTTPS on a custom domain, Azure Content Delivery Network (CDN) must be placed in front of the web endpoint, because the storage account does not serve a TLS certificate for a custom domain.

Static website hosting in Azure Storage | Microsoft Learn

Host a static website in Azure Storage | Microsoft Learn

 

Question 12 of 50

You plan to use Azure Cache for Redis as the caching layer for several applications.

You have the following requirements:

  • Prevent data loss if nodes are down.
  • Minimize storage costs.
  • Optimize performance.

Which solution should you use?

 Redis database (RDB) persistence with the soft-delete feature disabled on the associated storage account.

This item tests the candidate's knowledge of data persistence in Azure Cache for Redis.

RDB persistence saves backups based on the configured backup interval with minimal effect on performance.

Disabling the soft-delete feature on a storage account means Azure Cache for Redis can minimize storage costs by deleting the old backup data.

Enabling the soft-delete feature on a storage account means Azure Cache for Redis cannot minimize storage costs by deleting the old backup data.

AOF persistence saves every write to a log, which has a significant effect on throughput, so neither AOF option meets the performance requirement, regardless of whether soft delete is disabled or enabled on the storage account.

Configure Azure Cache for Redis - Training | Microsoft Learn

Configure data persistence - Premium Azure Cache for Redis | Microsoft Learn

 

Question 20 of 50

You manage an Azure API Management instance.

You need to limit the maximum number of API calls allowed from a single source for a specific time interval.

What should you configure?

Policy

This item tests the candidate’s knowledge of policies in Azure API Management, which is part of implementing API Management.

API publishers can change API behavior through configuration using policies. Policies are a collection of statements that run sequentially on the request or response of an API. The rate-limit and rate-limit-by-key policies implement call limits per time interval; with rate-limit-by-key the counter key can be the caller's IP address, which limits calls from a single source. A product has one or more APIs, a usage quota, and the terms of use, and cannot by itself restrict the number of API calls. Subscriptions are the most common way for API consumers to access APIs published through an API Management instance. An API is a representation of a back-end API and needs to be configured with a policy to implement a rate limit.

How Azure API Management Works - Training | Microsoft Learn

Subscriptions in Azure API Management | Microsoft Learn


Question 23 of 50

You need to capture events streaming from Azure Event Hubs.

To which three locations can you capture data? Each correct answer presents a complete solution.

Azure Blob storage

Azure Data Lake Storage Gen1

Azure Data Lake Storage Gen2

This item tests the candidate’s knowledge of implementing solutions that use Azure Event Hubs.

Azure Event Hubs Capture can automatically deliver the streaming data in Event Hubs to Azure Blob storage. Azure Event Hubs Capture can automatically deliver the streaming data in Event Hubs to Azure Data Lake Storage Gen1. Azure Event Hubs Capture can automatically deliver the streaming data in Event Hubs to Azure Data Lake Storage Gen2. Azure Functions and Azure Stream Analytics cannot be used to capture events from Azure Event Hubs.

Introduction to Event Hubs - Training | Microsoft Learn

Event Hubs - Capture streaming events using Azure portal - Azure Event Hubs | Microsoft Learn

 


Question 32 of 50

You plan to enable a user to create a managed identity for an Azure virtual machine (VM).

You need to ensure the following requirements are met:

  • The user account must have sufficient permissions to create the managed identity.
  • The principle of least privilege must be used.

Which permission role should you assign?

Virtual Machine Contributor

This item tests the candidate’s knowledge of the principle of least privilege, which is an essential part of implementing secure cloud solutions.

Virtual Machine Contributor is the least privileged built-in role required to create a managed identity for an Azure VM.

Virtual Machine Administrator Login is not sufficient to create a managed identity for an Azure VM.

Global Administrator and Security Administrator have excessive permissions to Microsoft Entra ID, which does not follow the principle of least privilege. Global Administrator and Security Administrator do not provide sufficient permissions to the Azure resources.

Configure managed identities - Training | Microsoft Learn

Configure managed identities using the Azure portal - Azure AD - Microsoft Entra | Microsoft Learn

 

Question 33 of 50

You have 10 applications running in Azure App Service.

You need to ensure the applications have access to items stored in Azure App Configuration by using a common configuration. Passwords or keys must not be used.

Which solution should you use?

 user-assigned managed identity

This item tests the candidate's knowledge of managed identities.

User-assigned managed identities are a way to reuse the permissions across applications. User-assigned managed identities associate the managed identity to the new applications, with no keys or passwords. System-assigned managed identities use a new identity for each application, which does not meet the common configuration requirement. A service principal has keys that need to be rotated. The developer does not run the application, so the developer’s identity cannot be assumed.

Implement Azure App Configuration - Training | Microsoft Learn

Managed identities - Azure App Service | Microsoft Learn

In summary, choose system-assigned managed identities when the identity's lifecycle is tied to a specific Azure resource, and choose user-assigned managed identities when you need more flexibility and want to share the identity across multiple resources or manage it independently. 

 

Question 35 of 50

You manage an Azure App Service web app named app1 and an Azure Key Vault named vault1.

You need to ensure app1 can authenticate and conduct operations with vault1 without managing the rotation of a secret.

Which authentication method should you use for app1?

system-assigned managed identity

This item tests the candidate’s knowledge of implementing Azure Key Vault, which is part of implementing Secure Cloud solutions.

A system-assigned managed identity lets app1 authenticate to vault1 with no secret to store or rotate; the identity is created and removed together with app1. A user-assigned managed identity also authenticates without a secret, but it is a separate resource whose lifecycle and role assignments must be managed independently of app1, so it is not the expected answer here. A service principal with a client secret can authenticate to the key vault, but the secret must be rotated and redistributed. A service principal with a certificate avoids a shared secret but still requires managing certificate renewal and rotation.

Implement Azure Key Vault - Training | Microsoft Learn

Azure Key Vault soft-delete | Microsoft Learn

Assign an Azure Key Vault access policy (CLI) | Microsoft Learn

 


Question 39 of 50

A company uses Azure Container Instances for an application.

You need to ensure that the containers are restarted when the process terminates with a nonzero exit code.

What should you do?

 Define a container restart policy of `Always`.

This item tests the candidate's knowledge of restart policies in Azure Container Instances.

With the Always restart policy in effect, containers in the container group are always restarted, regardless of their exit code, so a process that exits with a nonzero code is restarted. The OnFailure policy restarts containers only after a nonzero exit code and is the narrower choice when it is available. With the Never policy, containers run at most once and are not restarted even when a process fails. Running containers with a managed identity simplifies access to external Azure resources but has no effect on when a container restarts. Init containers perform initialization logic for app containers and run to completion before the application containers start.

Run container images in Azure Container Instances - Training | Microsoft Learn

Restart policy for run-once tasks - Azure Container Instances | Microsoft Learn

 

Question 42 of 50

You plan to create an Azure function app named app1.

You need to ensure that app1 will satisfy the following requirements:

  • Supports automatic scaling.
  • Has event-based scaling behavior.
  • Provides a serverless pricing model.

Which hosting plan should you use?

 Consumption

This item tests the candidate’s knowledge of selecting the appropriate hosting plan, which is part of the implementation of Azure Functions.

The Consumption hosting plan satisfies all requirements. It supports autoscaling, scales on the number of incoming events, and bills per execution and resource consumption, which is the serverless pricing model. The App Service and App Service Environment plans support autoscaling, but their scaling is driven by performance metrics or schedules rather than events, and instances are billed whether or not they run functions. The Functions Premium plan scales on events but bills for pre-warmed and running instances, so it does not provide the serverless pricing model.

Compare Azure Functions hosting options - Training | Microsoft Learn

Azure Functions scale and hosting | Microsoft Learn

 

Question 43 of 50

A company plans to implement a Microsoft Defender for Cloud solution.

The company has the following requirements:

  • Notifies when DNS domains are not deleted when a new function app is deleted.
  • Use native alerting.
  • Minimize costs.

You need to select a hosting plan.

Which hosting plan should you use?

Basic 

This item tests the candidate's knowledge about securing Azure Functions.

The Basic plan supports custom domains and Microsoft Defender for Cloud, whose Defender for App Service plan can alert automatically on dangling DNS entries left behind when an app is deleted, and it is the lowest-cost plan that meets both requirements. The Consumption plan does not support Microsoft Defender for Cloud, so it cannot produce the alert. The Premium plan supports custom domains and Microsoft Defender for Cloud, but it is not the lowest-cost option. The Free plan does not support custom domains, although it does support Microsoft Defender for Cloud.

AZ-204: Implement Azure Functions - Training | Microsoft Learn

Microsoft Defender for App Service - the benefits and features | Microsoft Learn

Securing Azure Functions | Microsoft Learn

App Service Pricing | Microsoft Azure 

Question 45 of 50

You are developing a .NET application that includes multiple container images. The application will be deployed to Azure Container Instances (ACI).

You need to ensure that an Azure file share can be mapped to each container of the application.

Which configuration should you use?

container group

This item tests the candidate’s knowledge of running containers by using Azure Container Instances (ACI). The top-level resource in ACI is the container group. A container group is a collection of containers that get scheduled on the same host machine. You can specify external volumes to mount within a container group. You can map these volumes into specific paths within the individual containers in a group. A pod is a group of one or more containers with shared storage and network resources and specification for how to run the containers. Pods can be used in the Azure Kubernetes Service but not ACI. Confidential containers on ACI are used to ensure hardware-based confidentiality. ACI enables deployment of container instances into an Azure virtual network. A virtual network deployment cannot be used to map an Azure file share to each container in a multiple container scenario.

Explore Azure Container Instances

What is Azure Container Instances?

Question 48 of 50

You manage the deployment of an Azure Container Registry named registry1 for a company.

You need to ensure that registry1 can be shared across multiple groups in the company, enabling group isolation.

What should you use?

namespace

This item tests the candidate’s knowledge of publishing an image to Azure Container Registry. A repository is a collection of container images or other artifacts in a registry that have the same name but different tags. A namespace enables the identification of related repositories and artifact ownership by using forward slash-delimited names. A tag for an image specifies its version. An artifact can be, for instance, a text file, a docker image, or a Helm chart stored in the registry with one or more tags. Container images consist of layers. Layers are used to avoid transferring redundant information and to skip build steps that have not changed.

Manage container images in Azure Container Registry

About registries, repositories, and artifacts

Best practices for Azure Container Registry

posted @ 2023-11-15 14:29 ChuckLu