az-204 practice-003
Question 2 of 50
You manage an Azure API Management instance.
You need to limit the maximum number of API calls allowed from a single source for a specific time interval.
What should you configure?
Policy
This item tests the candidate’s knowledge of polices in Azure API Management, which is part of implementing API Management.
API publishers can change API behavior through configuration using policies. Policies are a collection of statements that run sequentially on the request or response of an API. A product has one or more APIs, a usage quota, and the terms of use and cannot be used to restrict the number of API calls. Subscriptions are the most common way for API consumers to access APIs published through an API Management instance. API is a representation of a back-end API and needs to be configured with a policy to implement a rate limit.
Question 5 of 50
You manage an Azure event hub.
You need to ensure that multiple load-balanced instances of a .NET application (version 5.0) can be used to scale event processing.
Which event processor client should you use?
`EventProcessorClient`
This item tests the candidate’s knowledge of scaling event processing applications, which is part of developing event-based solutions.
EventProcessorClient balances the load between multiple instances of a program in newer .NET versions (version 5.0). EventHubConsumerClient balances the load between multiple instances of a program in Python and JavaScript. EventProcessorHost balances the load between multiple instances of a program in earlier .NET versions. The EventHubProducerClient class is used to send events to an event hub.
Explore Azure Event Hubs - Training | Microsoft Learn
Scale your processing application - Training | Microsoft Learn
Question 6 of 50
You have an instance of Azure Event Grid.
You need to ensure an application can receive events filtered by values in the data field in the advanced filtering options.
Which filter should you use?
advanced
This item tests the candidate’s knowledge of using event filters, which is part of developing event-based solutions.
An advanced filter is used to filter events by values in the data fields and specify the comparison operator. An event type filter is used to send only certain event types to the endpoint. A subject filter is used to specify a starting or ending value for the subject. Topics is not a type of filter; the event grid topic provides an endpoint where the source sends events.
Filter events - Training | Microsoft Learn
Azure Event Grid concepts - Azure Event Grid | Microsoft Learn
Question 8 of 50
You have an Azure Service Bus queue.
You need to ensure a publisher can send messages into a topic and multiple subscribers can become eligible to consume the messages.
Which message routing pattern should you use?
multicast request/reply
This item tests the candidate’s knowledge of message routing in Azure Service Bus, which is part of developing message-based solutions.
A publisher can send a message into a topic and multiple subscribers can become eligible to consume the message. A publisher can send a message into a queue and expect a reply from the message consumer, but multiple subscribers cannot consume the message. This session feature enables multiplexing of streams of related messages through a single queue but cannot be consumed by multiple subscribers. This session feature enables multiplexed replies, allowing several publishers to share a reply queue, but a message cannot be consumed by multiple subscribers.
Explore Service Bus message payloads and serialization - Training | Microsoft Learn
Azure Service Bus messages, payloads, and serialization - Azure Service Bus | Microsoft Learn
Question 9 of 50
You manage a multiregion deployment of an Azure Cosmos DB account named account1.
You need to configure the default consistency level for account1. The consistency level must maximize throughput and minimize latency for write operations.
Which consistency level should you use?
eventual
This item tests the candidate’s knowledge of selecting the consistency level, which is part of developing Azure Cosmos DB solutions.
The eventual consistency level maximizes throughput and minimizes latency.
The bounded staleness consistency level provides lower throughput and higher latency comparing with the remaining answer choices.
The consistent prefix consistency level provides higher throughput and lower latency for write operations than the session consistency level but lower throughput and higher latency than the eventual consistency levels.
The session consistency level provides higher throughput and lower latency for write operations than the bounded staleness consistency level but lower throughput and higher latency than the eventual and consistent prefix consistency levels.
Choose the right consistency level - Training | Microsoft Learn
Question 11 of 50
You plan to implement a storage mechanism for managing state across multiple change feed consumers.
You need to configure the change feed processor in the .NET SDK for Azure Cosmos DB for NoSQL API.
Which component should you use?
Lease container
This item tests the candidate’s knowledge of configuring change feed processor as part of developing solutions that use Azure Cosmos DB.
The lease container component serves as a storage mechanism to manage state across multiple change feed consumers. The delegate component is the code within the client application that implements business logic for each batch of changes. The host component is a client application instance that listens for changes from the change feed. The monitored container component is monitored for any insert or update operations. It does not serve as a storage mechanism to manage state across multiple change feed consumers.
Understand change feed features in the SDK - Training | Microsoft Learn
How to use Azure Cosmos DB change feed with Azure Functions | Microsoft Learn
Question 13 of 50
You create the following retention policy. (Line numbers are included for reference only.)
1 {
2 "rules": [
3 {
4 "name": "agingRule",
5 "enabled": true,
6 "type": "Lifecycle",
7 "definition": {
8 "filters": {
9 "blobTypes": [ "blockBlob" ],
10 "prefixMatch": [ "sample-container/blob1" ]
11 },
12 "actions": {
13 "baseBlob": {
14
15 }
16 }
17 }
18 }
19 ]
20 }You need to transition blobs in the Hot access tier to an online tier if the blobs have not been modified in over 90 days.
Which code segment should you add to line 14?
`"tierToCool": { "daysAfterModificationGreaterThan": 90 }`
This item tests the candidate’s knowledge of blob tiers.
The code segment "tierToCool": { "daysAfterModificationGreaterThan": 90 } moves the blobs not modified after 90 days to the Cool tier, as defined by the requirement. The code segments that include "tierToArchive": move the blobs to the Archive tier, which is not an online access tier; it is an offline tier. The code segment "tierToCool": { "daysAfterCreationGreaterThan": 90 } moves the blobs to the Cool tier 90 days after creation, which does not meet the requirement to move blobs after 90 days without modification.
Implement Blob storage lifecycle policies - Training | Microsoft Learn
Optimize costs by automatically managing the data lifecycle - Azure Storage | Microsoft Learn
Question 15 of 50
You need to implement an Azure Storage lifecycle policy for append blobs.
Which rule action should you use?
delete
This item tests the candidate’s knowledge of configuring Azure Storage lifecycle policy for blobs, which is an essential part of developing solutions for blob storage.
The delete rule action supports both block blobs and append blobs. The enableAutoTierToHotFromCool, tierToArchive, and tierToCool rule actions only supports block blobs.
Discover Blob storage lifecycle policies - Training | Microsoft Learn
Optimize costs by automatically managing the data lifecycle - Azure Storage | Microsoft Learn
Question 16 of 50
You manage the deployment of an Azure Cosmos DB account.
You must define custom logic by using the .NET SDK change feed processor to process changes that the change feed reads.
You need to select the appropriate change feed processor component.
Which component should you use?
delegate
This item tests the candidate’s knowledge of implementing change feed notifications in Azure Cosmos DB. The change feed processor in Azure Cosmos DB simplifies the process of reading the change feed and can be used to distribute the event processing across multiple consumers effectively. There are four main components in the change feed processor: the monitored container, the lease container, the compute instance, and the delegate.
The monitored container has the data from which the change feed is generated.
The delegate component can be used to define custom logic to process the changes that the change feed reads.
The compute instance hosts the change feed processor to listen for changes. It can be represented by a VM, a Kubernetes pod, an Azure App Service instance, or an actual physical machine.
The lease container acts as a state storage and coordinates the processing of the change feed across multiple workers.
Question 18 of 50
You are developing an application.
You need to set the standard HTTP properties of containers in Azure Blob Storage.
Which two HTTP properties can you set? Each correct answer presents part of the solution.
ETag
Last-Modified
This item tests the candidate’s knowledge of setting and retrieving properties and metadata. Metadata in Azure Storage objects is defined through headers starting with x-ms-meta-. Some standard HTTP properties are also available for both objects and containers. The only two HTTP properties that are available for containers are ETag and Last-Modified.
Last-Modified, Cache-Control, Origin and Range are properties only available for blobs.
Set and retrieve properties and metadata for blob resources by using REST
Question 20 of 50
You manage an Azure Cache for Redis instance.
You need to load data on demand into the cache from a large database.
Which application architecture pattern should you use?
data cache
This item tests the candidate’s knowledge of application architecture design pattern, which is part of implementing caching for solutions.
Databases often are too large to load directly into a cache, so it is common to use data cache pattern. Session store is used to store user-session information instead of storing too much data in a cookie that can adversely affect performance. Distributed transactions allow a series of commands to run on a back-end datastore as a single operation. By using content cache, you can provide quicker access to static content compared to back-end datastores. Session store, distributed transactions, and content cache cannot be used to load data on demand.
What is Azure Cache for Redis? - Training | Microsoft Learn
Cache-Aside pattern - Azure Architecture Center | Microsoft Learn
Question 21 of 50
You have an Azure Cache for Redis instance.
You have the following requirements:
- Replica nodes must be hosted in different availability zones.
- Nonvolatile memory must be used.
You need to select a pricing tier.
Which pricing tier should you use?
Enterprise Flash
This item tests the candidate’s knowledge of Azure Cache for Redis pricing, which is part of implementing caching for solutions.
The Enterprise Flash tier is capable of hosting replica nodes in different availability zones and uses nonvolatile memory to reduce cost. The Standard tier is not capable of hosting replica nodes in different availability zones. The Premium and Enterprise tiers are capable of hosting replica nodes in different availability zones but do not use nonvolatile memory to reduce cost.
Question 22 of 50
You deploy a .NET web application to an on-premises web server. You plan to use Application Insights to monitor the web application’s performance.
You need to allow the web application to upload its telemetry to Application Insights.
Which authorization method should you use?
instrumentation key
This item tests the candidate’s knowledge of configuring Application Insights authorization, which is an essential part of configuring an app or service to use Application Insights.
An instrumentation key uniquely designates an Application Insights resource and is the only piece of information required to provide authorized access for the purpose of uploading telemetry from monitored applications to Application Insights. Access keys are used by a variety of Azure resources, such as Azure Storage, but not Application Insights. Microsoft Entra ID system-assigned managed identities and Microsoft Entra ID user-assigned managed identities are not supported as an authorization mechanism by Application Insights.
Explore Application Insights - Training | Microsoft Learn
Question 23 of 50
A company uses Application Insights to instrument an application hosted in Azure App Service.
Instrumentation data that is collected by using API calls in the code is not available in Application Insights.
You need to ensure the collected data is available in Application Insights.
What should you do?
Enable manual instrumentation.
This question tests the candidate's knowledge of enabling Application Insights.
Manual instrumentation must be enabled to emit telemetry using API calls. Because some data is being collected, Application Insights is available. Because the application is running, Azure App Service is available.
Instrument an app for monitoring - Training | Microsoft Learn
Monitor Azure App Service performance - Azure Monitor | Microsoft Learn
Question 24 of 50
You need to track the availability of an Azure App Service web app by using an Application Insights multi-step availability test.
Which tool should you use?
Visual Studio
This item tests the candidate’s knowledge of configuring multi-step tests, which is an essential part of implementing Application Insights web tests and alerts.
To create multi-step tests, Visual Studio is required, not Azure portal, Azure CLI, or Visual Studio Code.
Select an availability test - Training | Microsoft Learn
Monitor with multistep web tests - Application Insights - Azure Monitor | Microsoft Learn
Question 25 of 50
You have an Application Insights instance named insight1.
You need to configure a web app to send telemetry data to insight1.
Which Application Insights parameter should you use?
instrumentation key
This item tests the candidate’s knowledge of configuring an app to use Application Insights, which is part of troubleshooting solutions by using metrics and log data.
To send telemetry data to an Application Insights resource from an app, you need to configure the app with the instrumentation key of the Application Insights instance. You can use alerts to ensure your team is aware of critical issues immediately. Alerts need to be configured inside insight1 and not the web app. You can use the data shown with each component to diagnose performance bottlenecks and failure hotspots. It needs to be configured inside insight1 and not the web app. Usage analysis provides information about an app's users and needs to be configured in insight1, not the web app.
Enable Application Insights on an Azure web app - Training | Microsoft Learn
Application Insights overview - Azure Monitor | Microsoft Learn
Question 28 of 50
You need to delete an image with the tag dev/nginx:latest from an Azure container registry named devregistry.
Which code segment should you use?
`az acr repository delete --name devregistry --image dev/nginx:latest`
This item tests the candidate’s knowledge of publishing or deleting an image to Azure Container Registry.
The code segment az acr repository delete --name devregistry --image dev/nginx:latest will delete the image from a container registry. The code segments that include the suffix parameter should be used if you are accessing the registry from a different subscription or have permission to access images but not permission to manage the registry resource. The code segments that include the manifest parameters delete the manifest of the artifact not the image.
Build and store container images with Azure Container Registry - Training | Microsoft Learn
Question 30 of 50
You manage a multi-instance deployment of an Azure App Service web app named app1.
You need to ensure a client application is routed to the same instance for the life of the session.
Which platform setting should you use?
ARR Affinity
This item tests the candidate’s knowledge of configuring web app settings, which is part of creating Azure App Service Web Apps.
In a multi-instance deployment, the ARR Affinity setting ensures a client application is routed to the same instance for the life of the session. WebSocket is a standardized protocol that provides full-duplex communication. Always on keeps the app loaded even when there is no traffic. In HTTP/2, a persistent connection can be used to service multiple simultaneous requests. WebSocket, Always on, and HTTP version are not used to ensure a client application is routed to the same instance for the life of the session.
Configure web app settings - Training | Microsoft Learn
Announcing HTTP/2 support in Azure App Service | Azure Blog and Updates | Microsoft Azure
Question 31 of 50
You plan to create a C# script-based Azure function app.
You need to configure the trigger and bindings for the functions of the function app.
What should you do?
Create a function.json file for each function.
This item tests the candidate’s knowledge of configuring triggers and bindings.
When using scripting languages, such as C# script, the function.json file for each function contains its triggers and bindings, and it needs to be explicitly created. The file host.json has runtime-specific configurations, not definitions of triggers and bindings. Decorating methods and Decorating parameters are used to define triggers and bindings when using compiled languages, not scripted ones.
Question 32 of 50
You create a batch routine by using a timer trigger in Azure Functions.
You need to configure the batch routine to execute every 15 minutes.
Which code segment should you use?
```[FunctionName("TimerTriggerCSharp")] public static void Run([TimerTrigger("0 */15 * * * 1-5")]TimerInfo myTimer, ILogger log) { if (myTimer.IsPastDue) { log.LogInformation("Timer is running late!"); } log.LogInformation($"C# Timer trigger function executed at: {DateTime.Now}"); }```
This item tests the candidate’s knowledge of working with timer triggers in Azure Functions.
The code segment that includes Run([TimerTrigger("0 */15 * * * 1-5") executes the function every 15 minutes from Monday to Friday. The code segment that includes Run([TimerTrigger("*/15 * * * 0-4") is missing the second part, and it is not using the proper range for days of the week. The code segment that includes Run([TimerTrigger("0 15 * * * ") executes only once at 15:00 (3 PM). The code segment that includes Run([TimerTrigger("* 15 * * 1-5") is missing the seconds attribute and the step (‘/’) part for the minutes.
Execute an Azure Function with triggers - Training | Microsoft Learn
Question 33 of 50
You are developing a .NET application that includes multiple container images. The application will be deployed to Azure Container Instances (ACI).
You need to ensure that an Azure file share can be mapped to each container of the application.
Which configuration should you use?
container group
This item tests the candidate’s knowledge of running containers by using Azure Container Instances (ACI). The top-level resource in ACI is the container group. A container group is a collection of containers that get scheduled on the same host machine. You can specify external volumes to mount within a container group. You can map these volumes into specific paths within the individual containers in a group. A pod is a group of one or more containers with shared storage and network resources and specification for how to run the containers. Pods can be used in the Azure Kubernetes Service but not ACI. Confidential containers on ACI are used to ensure hardware-based confidentiality. ACI enables deployment of container instances into an Azure virtual network. A virtual network deployment cannot be used to map an Azure file share to each container in a multiple container scenario.
Question 36 of 50
You are developing a cloud native containerized background task application.
You need to choose the appropriate container deployment option based on the following requirements:
- Minimize cost
- Support service discovery and traffic splitting
- Enable event-driven application architecture
- Do not require access to native Kubernetes API
What should you use?
Azure Container Apps
This item tests the candidate’s knowledge of creating solutions by using Azure Container Apps. Azure Container Apps enables you to build serverless microservices based on containers. It is optimized for running general purpose containers and provides many application-specific concepts on top of containers. Azure Spring Apps is a fully managed service for Spring developers. It provides lifecycle management to run Spring Boot, Spring Cloud, or any other Spring applications on Azure. Azure Container Instances does not support scaling, load balancing, revisions, scale, or environments and does not meet the mentioned requirements. Azure Functions is a serverless Function as a Service (FaaS) solution. It can be used for running event-driven applications by using the functions programming model. However, it cannot be used to deploy a container image.
Question 38 of 50
You develop an App Service app hosted on Windows Platform. Users report that the app is failing.
You need to begin troubleshooting the app by inspecting a copy of the page that is returned when the HTTP return code is greater than 400.
Which type of log should you review?
detailed error
This item tests the candidate’s knowledge of using logs to troubleshoot web apps. The detailed error log contains copies of the error pages, produced in response to HTTP codes greater than 400, that would have been sent to clients. These pages are not sent due to security reasons. The web server log shows information about the raw HTTP request, such as method, bytes, and client user agent. The application log is application specific, logging information that your application code or components that are used by your application writes. The deployment log stores information to diagnose the reasons for a failed deployment.
Question 39 of 50
A company has an App Service web app that requires a TLS/SSL certificate. The certificate will be used in other App Service apps. The certificate must be automatically renewed with the least management overhead.
You need to add the certificate.
What should you do?
Purchase an App Service certificate.
This item tests the candidate’s knowledge of configuring web app settings including SSL, API settings, and connection strings. Purchasing an App Service certificate automates the process of requesting, renewing, and synchronizing the certificate with the App Service apps that use them. Free App Service certificates offer basic functionalities and cannot be exported. Obtaining the certificate from a third party and uploading it to Azure App Service is also an option but lacks the automation and integration offered by the App Service certificates. It is recommended to store certificates in and retrieve them from a Key Vault, but if they are obtained from a third party, the renewal and synchronization with the App Service apps need to be automated in other ways.
Configure security certificates - Training | Microsoft Learn
Get started with Key Vault certificates | Microsoft Learn
Purchase an App Service certificate:A private certificate that's managed by Azure. It combines the simplicity of automated certificate management and the flexibility of renewal and export options. 这个证书直接从微软的平台购买,初始的签发和后续的续期,都被承包了
Upload a private certificate:If you already have a private certificate from a third-party provider, you can upload it.
Question 40 of 50
You manage an Azure App Service web app named app1. App1 is registered as an application in Microsoft Entra ID.
You need to ensure that Microsoft Entra ID signed-in user information can be retrieved by app1 by using Microsoft Graph.
What should you configure?
delegated permissions
This item tests the candidate’s knowledge of accessing user data from Microsoft Graph, which is part of implementing user authentication and authorization.
Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests and the app can function as the signed-in user when making calls to Microsoft Graph. appRoles is an attribute in the application manifest of the registered application that specifies the collection of roles that an app may declare. These roles can be assigned to users, groups, or service principals. Application permissions are used by apps that run without a signed-in user present. For example, apps that run as background services or daemons. An administrator can only permit application permissions. groupMembershipClaims is an attribute in the application manifest of the registered application that configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. AppRoles, application permissions, and groupMembershipClaims will not allow signed-in user information to be retrieved in the code.
Access User Data from Microsoft Graph - Training | Microsoft Learn
Understanding the Azure Active Directory app manifest - Microsoft Entra | Microsoft Learn
Authentication and authorization basics - Microsoft Graph | Microsoft Learn
Question 41 of 50
You manage an Azure App Service web app named app1. App1 is registered as a multi-tenant application in a Microsoft Entra ID tenant named tenant1.
You need to grant app1 the permission to access the Microsoft Graph API in tenant1.
Which service principal should you use?
application
This item tests the candidate’s knowledge of accessing user data from Microsoft Graph, which is part of implementing user authentication and authorization.
A Microsoft Entra ID application is defined by its one and only application object, which resides in the Microsoft Entra ID tenant where the application was registered (known as the application's home tenant). The application service principal is used to configure permission for app1 in tenant1 to access the Microsoft Graph API. The legacy service principal is a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. Managed identities eliminate the need to manage credentials in code. A system-assigned managed identity is restricted to one per resource and is tied to the lifecycle of the resource. Managed identities for Azure resources eliminate the need to manage credentials in code. A user-assigned managed identity can be created and assigned to one or more instances of an Azure service. The legacy, system-assigned managed identity, and user-assigned managed identity cannot be used to assign permission for app1 in tenant1 to access the Microsoft Graph API.
Explore the Microsoft identity platform - Training | Microsoft Learn
Explore service principals - Training | Microsoft Learn
Apps & service principals in Azure AD - Microsoft Entra | Microsoft Learn
Question 43 of 50
You manage a Microsoft Entra ID registered application named app1. App1 calls a web API, which then calls Microsoft Graph.
You need to ensure the signed-in user identity is delegated through the request chain.
Which authentication flow should you use?
On-Behalf-Of
This item tests the candidate’s knowledge of accessing user data from Microsoft Graph, which is part of implementing user authentication and authorization.
OAuth 2.0 On-Behalf-Of flow (OBO) is used when an application invokes a service or web API, which in turn needs to call another service or web API. The idea is to propagate the delegated user identity and permissions through the request chain. The OAuth 2.0 authorization code grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs. The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. Implicit is a redirection-based flow. The client must be capable of interacting with the resource owner's user-agent (typically a web browser). Authorization code, On-Behalf-Of, and implicit cannot be used to delegate user permission and identity.
Implement authentication by using the Microsoft Authentication Library - Training | Microsoft Learn
Microsoft identity platform and OAuth2.0 On-Behalf-Of flow - Microsoft Entra | Microsoft Learn
Question 44 of 50
You plan to generate a shared access signature (SAS) token for read access to a blob in a storage account.
You need to secure the token from being compromised.
What should you use?
Microsoft Entra ID credentials assigned the Contributor role
This item tests the candidate's knowledge of Azure Storage shared access signatures (SAS).
Microsoft Entra ID credentials are required to generate the SAS token. The account used must have the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey permission, which is present in the following built-in roles: Contributor, Storage Account Contributor, Storage Blob Data Contributor, Storage Blob Data Owner, Storage Blob Data Reader, and Storage Blob Delegator. The account key can be used to generate the SAS token, but it can be more easily compromised.
Discover shared access signatures - Training | Microsoft Learn
Create a user delegation SAS - Azure Storage | Microsoft Learn
Question 49 of 50
You need to generate a new version of a key stored in Azure Key Vault.
Which code segment should you use?
`az keyvault key rotate --vault-name mykeyvault --name mykey`
This item tests the candidate’s knowledge of setting key rotation by using the Azure CLI.
The Rotate operation will generate a new version of the key based on the key policy. The Rotation Policy operation updates the rotation policy of a key vault key. The Purge Deleted Key operation is applicable for soft-delete enabled vaults or HSMs. The Set Attributes operation changes specified attributes of a stored key.
Control Azure services with the CLI - Training | Microsoft Learn
