AZ-204 Question Set11

 Question 1: Correct

You are developing a web service that should prevent anonymous usage and use OpenID connect for authentication.

You need to implement an API Management policy for the web service. Which policy should you use?

• Convert XML to JSON

• validate-client-certificate

• Check-header

• Validate-jwt

  (Correct)

Explanation

Correct Answers:

Validate-jwt - The requirement from the question to validate requests using API management policy. You can use the Validate JWT policy to pre-authorize requests in API Management, by validating the access tokens of each incoming request. If a request does not have a valid token, API Management blocks it.

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#configure-a-jwt-validation-policy-to-pre-authorize-requests

Wrong Answers:

Convert XML to JSON – This converts a request or response body from XML to JSON.

Validate-client-certificate – This policy enforces a certificate presented by a client matches with specified validation rules and claims.

Check-header – Check HTTP header policy enforces existence of a HTTP Header.

Question 2: Correct

You are developer for a company named Company1.

Company1 has an application that uses Azure Cosmos DB configured with Azure Cosmos DB SQL API.

The database contains millions of documents without distinct values for partitioning.

You need to implement a scaling strategy for the database to scale individual containers.

The database must meet the performance requirements of the application by spreading the workload evenly across all partitions over time.

You need to select a partition key.

Which two partition keys can you use?

• a concatenation of multiple property values with a random suffix appended

  (Correct)
• a single property value that does not appear frequently in the documents

• a hash suffix appended to a property value

  (Correct)
• a value containing the collection name

• a single property value that appears frequently in the documents

Explanation

The goal is to distribute your data and workload evenly across the items associated with these partition key values. If such a property doesn’t exist in your data, you can construct a synthetic partition key.

You can form a partition key by concatenating multiple property values into a single artificial partition Key property. These keys are referred to as synthetic keys.

Another possible strategy to distribute the workload more evenly is to append a random number at the end of the partition key value. When you distribute items in this way, you can perform parallel write operations across partitions.

https://docs.microsoft.com/en-us/azure/cosmos-db/synthetic-partition-keys

Question 3: Incorrect

You developing an application named Application1 that uses Azure Blob storage named Storage1.

For audit purposes, Application1 must read the transaction logs of all changes that occur to the blobs and blob metadata in Storage1.

The changes must be in the order in which they occurred.

You need to process the logs asynchronously and should include only create, update, delete and copy operations.

What should you do to implement audit requirement?

• Process Blob storage events by using Azure Function app and scan the request body for successful blob events.

  (Incorrect)
• Enable the change feed on the storage account and process all changes for available events.

  (Correct)
• Process all Azure Storage logs for successful blob events.

• Configure the Azure Monitor HTTP Data Collector API and scan the request body for successful blob events

Explanation

Change feed provides transaction logs of all the changes that occur to the blobs and the blob metadata in your storage account.

The change feed provides ordered, guaranteed, durable, immutable, read-only log of these changes. Client applications can read these logs at any time, either in streaming or in batch mode.

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-change-feed?tabs=azure-portal

Question 4: Correct

You are a developer for a company that publishes APIs using Azure API Management. You need to strip AspNet-Version from the response of the APIs.

What should you implement?

• A new product

• A URL Scheme

• A new policy

  (Correct)
• A new version

Explanation

You need to transform your API so it does not reveal info about the private backend. To delete the following headers in the HTTP response, you need to set a transformation policy.

X-Powered-By

X-AspNet-Version

https://docs.microsoft.com/en-us/azure/api-management/transform-api#transform-an-api-to-strip-response-headers

Question 5: Correct

You need to consume messages from a messaging component that is developed using Azure Service Bus publish-subscribe model.

You have initialized a subscription client object using correct details to process messages. However, the subscription application is still not consuming the messages.

Which of the below code segment should you use?

• await subscriptionClient.AddRuleAsync(new RuleDescription(RuleDescription.DefaultRuleName, new TrueFilter()));

• subscriptionClient = new SubscriptionClient(ServiceBusConnectionString, TopicName, SubscriptionName);

• await subscriptionClient.CloseAsync();

• subscriptionClient.RegisterMessageHandler(ProcessMessageAsync, messageHandlerOptions);

  (Correct)

Explanation

RegisterMessageHandler handles messages one by one and completes them in the end.

https://docs.azure.cn/en-us/dotnet/api/microsoft.azure.servicebus.queueclient.registermessagehandler?view=azure-dotnet

Question 6: Correct

You have an Azure Storage account named StorageAccount1.

You plan to store data that is rarely accessed in StorageAccount1 for several years.

You must ensure that the data in Blob storage is always available for immediate access.

The solution must minimize storage costs.

Which storage tier should you use?

• Cool

  (Correct)
• Archive

• Hot

Explanation

The cool access tier has lower storage costs and higher access costs compared to hot storage. This tier is intended for data that will remain in the cool tier for at least 30 days. Example usage scenarios for the cool access tier include:

Short-term backup and disaster recovery datasets.

Older media content not viewed frequently anymore but is expected to be available immediately when accessed.

Large data sets that need to be stored cost effectively while more data is being gathered for future processing. (For example, long-term storage of scientific data, raw telemetry data from a manufacturing facility)

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-storage-tiers?tabs=azure-portal

Question 7: Correct

You have a service principal named ServicePrincipal1.

You need to provide read access to ServicePrincipal1 to read the resources in a resource group named ResourceGroup1.

Select the actions that should you perform in the correct sequence?

• Navigate to ServicePrincipal1 in Azure Active Directory – App registrations

  Select Access Control (IAM)

  Add role assignment with role as Reader

• Navigate to ResourceGroup1

  Select Access Control (IAM)

  Add role assignment with role as Reader

  (Correct)
• Navigate to ResourceGroup1

  Select Access Control (IAM)

  Add role assignment with role as Contributor

Explanation

To access resources in your subscription, you must assign a role to the application. Permissions are inherited to lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.

To assign a role at the resource group scope, search for and select “Resource Groups”, select the particular resource group, select Access Control (IAM), Select Add -> Add role assignment, Select the role you wish to add.

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#assign-a-role-to-the-application

Question 8: Correct

You are developing an application that executes short lived processes on a schedule.

You need to recommend a service that keeps costs and admin activities minimal.

What should you recommend?

• Azure Web App

• Azure Function

  (Correct)
• Azure Virtual Machine

• Azure Logic Apps

Explanation

Azure Functions allows you to run small pieces of code (called "functions") without worrying about application infrastructure. A function is "triggered" by a specific type of event. Supported triggers include responding to changes in data, responding to messages, running on a schedule, or as the result of an HTTP request.

https://docs.microsoft.com/en-us/azure/azure-functions/functions-overview

Question 9: Correct

Which Azure RBAC roles allows you to upload images to an Azure Container Registry?

• AcrPush

  (Correct)
• AcrPull

• AcrImageSigner

• Contributor

  (Correct)

Explanation

The Azure Container Registry service supports a set of built-in Azure roles that provide different levels of permissions to an Azure container registry. Use Azure role-based access control (Azure RBAC) to assign specific permissions to users, service principals, or other identities that need to interact with a registry.

https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-roles

Question 10: Correct

You have a mobile app that connects to the Azure App Service API to upload and extract metadata from the documents.

The process of extracting metadata is CPU-intensive operation. Usage of the mobile app has increased drastically.

You need to modify the App Service API to use a queue. The revised solution must scale and handle spikes in the number of requests.

You need to recommend a solution keeping costs minimal between request spikes.

What should you recommend?

• Configure a CPU Optimized virtual machine (VM)

• Configure a number of CPU Optimized virtual machine (VM) instances and deploy extraction logic to process a queue.

• Create a queue triggered Azure function to process the queue and move extraction logic to the Azure function.

  (Correct)

Question 11: Correct

You define an API Policy object by using the below XML markup:

<set-variable name="bodySize" value="@(context.Request.Headers["Content-Length"][0])" />

<choose>

<when condition="@(int.Parse(context.Variables.GetValueOrDefault<string>("bodySize"))<400000)">

</when>

<otherwise>

<rewrite-uri template="/put"/>

<set-backend-service base-url="http://preparationlabs.com/api/8.1/"/>

</otherwise>

</choose>

Select Yes if the below statement is true. Otherwise, select No

1. The XML Segment is part of the <inbound> section of the API policy.

2. An error will be thrown if the body size is >265K

3. The policy will retain the higher version if the request is http://preparationlabs.com/api/8.2/

• Yes, Yes, Yes

• No, No, No

• Yes, No, No

  (Correct)
• No, Yes, Yes

• Yes, No, Yes

Explanation

1. The set-backend-service policy is used to redirect incoming requests. Therefore, this policy definition is part of inbound section

https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#choose

2. The condition on body size 400K. So, you will not get an error.

3. There are conditions defined in the policy based on the body size. So, it will not retain the higher version always. The default/otherwise is version 8.1

Question 12: Correct

You have deployed several web applications into Azure App Service. You need to collect detailed resource logs for monitoring health and availability of Azure App Service.

Select the following options should you consider as destination?

• Log Analytics

• Storage Account

• Event Hub

• All of the above

  (Correct)

Explanation

https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#destinations

Question 13: Correct

A software as a service (SaaS) company is developing a web service for several customers.

The web service connects to a SQL database in an on-premise environment. You plan to deploy the web service to an Azure Web App.

The web service also includes a WebJob that processes data and each instance of WebJob must process data for a single customer.

You need to configure Azure resources in an isolated network.

Which pricing tier should you consider for the App Service plan keeping costs minimal?

• Standard

• Isolated

  (Correct)
• Premium

• Consumption

Explanation

The Isolated service plan is designed to run mission-critical workloads that are required to run in a virtual network. The Isolated plan allows customers to run their apps in a private, dedicated environment in an Azure data centre.

https://azure.microsoft.com/en-au/pricing/details/app-service/windows/

Question 14: Correct

You have an application named Application1 in an Azure App Service named AppService1.

Your application users are currently accessing Application1 using http://employeerewards.com.

You need to enforce Application1 users to use https://employeerewards.com.

What changes should you implement?

• Upload a certificate to AppService1

  (Correct)
• Add a custom domain preparationlabs.com to AppService1

• Upgrade App Service Plan to Premium

• Set HTTPS Only to On

  (Correct)

Explanation

By default, you can access your app using HTTP. You can redirect all HTTP requests to the HTTPS port.

In your app page, in the left navigation, select SSL settings. Then, in HTTPS Only, select On.

https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https

Question 15: Correct

You have uploaded a certificate to an Azure Web App named Application1.

You need to access the certificate from the app code of Application1.

What should you configure?

• Add a managed identity to Application1.

• Add an app setting (WEBSITE_LOAD_CERTIFICATES) to the Application1 configuration.

  (Correct)
• Configure the TLS/SSL binding for Application1.

Explanation

In your application code, you can access the public or private certificates you add to App Service. Your app code may act as a client and access an external service that requires certificate authentication, or it may need to perform cryptographic tasks.

The WEBSITE_LOAD_CERTIFICATES app setting makes the specified certificates accessible to your Windows hosted app in the Windows certificate store,

https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code

Question 16: Correct

You have an Azure Active Directory (Azure AD) tenant.

You need to register an application with your Azure AD tenant.

Which three actions should you perform in sequence?

• In App Registrations, select New registration

  Select the Azure AD Instance

  Create a new application and provide the name, account type and redirect URL

• Select the Azure AD Instance

  In App Registrations, select New registration

  Create a new application and provide the name, account type and redirect URL

  (Correct)
• In App Registrations, select New registration

  Select the Azure AD Instance

  Use an access token to access the secure resource

Explanation

Registering your application establishes a trust relationship between your app and the Microsoft identity platform.

Follow these steps to create the app registration:

Sign in to the Azure portal.

If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.

Search for and select Azure Active Directory.

Under Manage, select App registrations > New registration.

Enter a display Name for your application. Users of your application might see the display name when they use the app, for example during sign-in. You can change the display name at any time and multiple app registrations can share the same name. The app registration's automatically generated Application (client) ID, not its display name, uniquely identifies your app within the identity platform.

Specify who can use the application, sometimes called its sign-in audience.

Don't enter anything for Redirect URI (optional). You'll configure a redirect URI in the next section.

Select Register to complete the initial app registration.

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Question 17: Correct

You are developing multiple ASP.NET applications that will be deployed to several Azure App Services.

You need to save session state that can be shared across all ASP.NET applications.

Session data can be accessed by multiple concurrent readers at a time, but will have a single writer.

To achieve the above requirement, you have enabled application request routing to save session state.

Did you achieve the requirement?

• Yes

• No

  (Correct)

Explanation

ARR directs request to same instance of the application. Instead, you can use a caching solution like Azure Redis Cache.

https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/cache-overview

Question 18: Correct

You are developing multiple ASP.NET applications that will be deployed to several Azure App Services.

You need to save session state that can be shared across all ASP.NET applications.

Session data can be accessed by multiple concurrent readers at a time, but will have a single writer.

To achieve the above requirement, you have deployed Azure PostgreSQL to save session state.

Did you achieve the requirement?

• Yes

• No

  (Correct)

Explanation

Instead, you can use a caching solution like Azure Redis Cache.

https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/cache-overview

Question 19: Correct

You are developing multiple ASP.NET applications that will be deployed to several Azure App Services.

You need to save session state that can be shared across all ASP.NET applications.

Session data can be accessed by multiple concurrent readers at a time, but will have a single writer.

To achieve the above requirement, you have deployed Azure Cache for Redis to save session state.

Did you achieve the requirement?

• Yes

  (Correct)
• No

Explanation

Azure Cache for Redis provides an in-memory data store based on the open-source software Redis. Redis improves the performance and scalability of an application that uses on backend data stores heavily.

Azure Cache for Redis can be used as a distributed data or content cache, a session store, a message broker.

https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/cache-overview

Question 20: Correct

You have a web application that is deployed to an Azure App Service.

You need to implement an Azure monitoring service that can log requests and exceptions to a specific line of code within the application.

Which service should you use?

• Azure Application Insights

  (Correct)
• Azure Log Analytics

• Azure Activity Log

Explanation

Application Insights is an extensible Application Performance Management (APM) service for developers and DevOps professionals. Use it to monitor your live applications. It will automatically detect performance anomalies, and includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js, Java, and Python hosted on-premises, hybrid, or any public cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview

Question 21: Correct

You have a web application that is deployed to an Azure App Service.

You need to implement an Azure monitoring service that can analyze how many users return to the application and how often they select a particular dropdown value.

Which service should you use?

• Azure Application Insights

  (Correct)
• Azure Log Analytics

• Azure Activity Log

Explanation

Custom events and metrics in App insights allow you write yourself in the client or server code, to track business events such as items sold or games won.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview

Question 22: Correct

You have a web application that is deployed to an Azure App Service.

You need to implement an Azure monitoring service that can visualize the relationships between application components.

Which service should you use?

• Azure Application Insights

  (Correct)
• Azure Log Analytics

• Azure Activity Log

Explanation

Application Map helps you spot performance bottlenecks or failure hotspots across all components of your distributed application. You can see the full application topology across multiple levels of related application components. Components could be different Application Insights resources, or different roles in a single resource. The app map finds components by following HTTP dependency calls made between servers with the Application Insights SDK installed.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-map?tabs=net

Question 23: Correct

You are developing a solution that uses publish-subscribe model and eliminates the need for constant polling.

Select the two possible Azure messaging services to achieve the requirement.

• Service Bus

  (Correct)
• Event Hub

• Event Grid

  (Correct)
• Queue

Explanation

Event Grid - Event Grid is an eventing backplane that enables event-driven, reactive programming. It uses a publish-subscribe model. Publishers emit events, but have no expectation about which events are handled. Subscribers decide which events they want to handle.

Service Bus Topics and subscriptions enable relationships between publishers and subscribers.

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview

https://docs.microsoft.com/en-us/azure/event-grid/compare-messaging-services#event-vs-message-services

Question 24: Correct

You have an Azure API Management service. You have deployed the API back end in an Azure App Service.

What should you configure as target and gateway credential type for back-end authentication?

• Target – Azure Resource

  Gateway credential Type – Client cert

• Target – Azure Resource

  Gateway credential Type – Basic

• Target – Http(s) endpoint

  Gateway credential Type – Client cert

  (Correct)

Explanation

API Management allows you to secure access to the back-end service of an API using client certificates.

The target endpoint should be HTTP(s) as shown below.

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates

Incorrect Answers:

Target – Azure Resource & Gateway credential Type – Client cert – Target should be https.

Target – Azure Resource & Gateway credential Type – Basic – Using basic authentication is not a recommended solution as it led to security issues.

Question 25: Correct

You have a storage account named Storage1. You need to create a copy of Storage1 in another region and copy data to newly created storage account.

Select the order in which should you perform the below actions?

1. Use AZCopy to copy the data.

2. Deploy the template to create a new storage account in the target region.

3. Export a Resource Manager template.

4. Create a new template deployment.

5. Modify the template by changing the storage account name and region.

• 3, 5, 2, 4, 1

• 3, 5, 4, 2, 1

  (Correct)
• 3, 1, 5, 2, 4

Explanation

To move a storage account, create a copy of your storage account in another region. Then, move your data to that account by using AzCopy, or another tool of your choice.

Export a template.

Modify the template by adding the target region and storage account name.

Deploy the template to create the new storage account.

Configure the new storage account.

Move data to the new storage account.

https://docs.microsoft.com/en-us/azure/storage/common/storage-account-move

Question 26: Correct

You are creating a CLI script that creates an Azure web app and related services in Azure App Service.

You need to automatically deploy code from Git-Hub to the newly created web app.

The web app uses the following variables:

$gitrepo=https://github.com/samples/app1

$webappname=mywebapp

Select the correct script from below

• az group create --location westeurope --name myResourceGroup

  az webapp create --name $webappname --resource-group myResourceGroup --plan $webappname

  az appservice plan create --name $webappname --resource-group myResourceGroup --sku FREE

  az webapp deployment source config --name $webappname --resource-group myResourceGroup --repo-url $gitrepo --branch master --manual-integration

• az group create --location westeurope --name myResourceGroup

  az appservice plan create --name $webappname --resource-group myResourceGroup --sku FREE

  az webapp create --name $webappname --resource-group myResourceGroup --plan $webappname

  az webapp deployment source config --name $webappname --resource-group myResourceGroup --repo-url $gitrepo --branch master --manual-integration

  (Correct)
• az group create --location westeurope --name myResourceGroup

  az appservice plan create --name $webappname --resource-group myResourceGroup --sku FREE

  az webapp create --name $webappname --resource-group myResourceGroup --plan $webappname

  az webapp create source config --name $webappname --resource-group myResourceGroup --repo-url $gitrepo --branch master --manual-integration

• az group create --location westeurope --name myResourceGroup

  az appservice plan create --name $webappname --resource-group myResourceGroup --sku FREE

  az webapp create --name $webappname --resource-group myResourceGroup --plan $webappname

  az webapp deployment source config --name $webappname --resource-group myResourceGroup git clone $gitrepo

Explanation

The correct script is

$gitrepo=https://github.com/samples/app1

$webappname=mywebapp

# Create a resource group.

az group create --location westeurope --name myResourceGroup

# Create an App Service plan in `FREE` tier.

az appservice plan create --name $webappname --resource-group myResourceGroup --sku FREE

# Create a web app.

az webapp create --name $webappname --resource-group myResourceGroup --plan $webappname

# Deploy code from a public GitHub repository.

az webapp deployment source config --name $webappname --resource-group myResourceGroup \

--repo-url $gitrepo --branch master --manual-integration

https://docs.microsoft.com/en-us/azure/app-service/scripts/cli-deploy-github?toc=/cli/azure/toc.json

Question 27: Correct

A user named User1 has access to multiple subscriptions. User1 must be able to store and retrieve a storage account key and secret from Azure Key Vault.

Select the order in which should you arrange the below PowerShell commands to achieve the goal?

1.Get-AzStorageAccountKey -ResourceGroupName $resGroup -Name $storAcct

2.Get-AzKeyVaultSecret -VaultName $vaultName

3.Get-AzSubscription

4.$secretvalue = ConvertTo-SecureString $storAcctKey -AsPlainText -Force

Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretvalue

5.Set-AzContext -SubscriptionId $subscriptionID

• 1,2,3,4,5

• 3,5,1,4,2

  (Correct)
• 3,2,1,4,5

Explanation

The correct script is

1.Get-AzSubscription

2.Set-AzContext -SubscriptionId $subscriptionID

3.Get-AzStorageAccountKey -ResourceGroupName $resGroup -Name $storAcct

4.$secretvalue = ConvertTo-SecureString $storAcctKey -AsPlainText -Force

Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretvalue

5.Get-AzKeyVaultSecret -VaultName $vaultName

https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-powershell

Question 28: Correct

You are developing an ASP.NET Core Web API web service.

The web service uses Azure Application Insights for all telemetry and dependency tracking.

The web service reads and writes data to a third-party database other than Microsoft SQL Server.

You need to ensure that dependency tracking works for requests to the third-party database.

Which of the following dependency telemetry properties should you use? Choose 2 answers.

• Telemetry.Context.Cloud.RoleInstance

• Telemetry.Id

  (Correct)
• Telemetry.Name

• Telemetry.Context.Operation.Id

  (Correct)
• Telemetry.Context.Session.Id

Explanation

The correlation identifiers are Telemetry.Id & Telemetry.Context.Operation.Id

https://docs.microsoft.com/en-us/azure/azure-monitor/app/custom-operations-tracking

Question 29: Correct

You are developing a web application using ASP.NET Core that is planned to deploy to Azure Web App for Containers.

The application needs to store runtime diagnostic data that must be persisted across application restarts. You have the following code:

You need to configure the application settings so that diagnostic data is stored as required.

How should you configure the web app's settings?

• LOCALAPPDATA = true

  DIAGDATA = /home

• WEBSITES_ENABLE_APP_SERVICE_STORAGE = true

  DIAGDATA = /home

  (Correct)
• WEBSITES_ENABLE_APP_SERVICE_STORAGE= false

  DIAGDATA = /local

• WEBSITES_ENABLE_APP_SERVICE_STORAGE= false

  DIAGDATA = /home

Explanation

If WEBSITES_ENABLE_APP_SERVICE_STORAGE setting is unspecified or set to true, the /home/ directory will be shared across scale instances, and files written will persist across restarts. Explicitly setting WEBSITES_ENABLE_APP_SERVICE_STORAGE to false will disable the mount.

https://docs.microsoft.com/en-us/azure/app-service/faq-app-service-linux

Question 30: Correct

You are developing an application for your client that uses Azure Storage Queues.

One of the method in the application contains the following code:

Select Yes if the below statement is true. Select No if the below statement is false.

1. The code configures the lock duration for the queue

2. After the code runs, the last message read remains in the queue

3. After the code runs, the storage queue remains in the storage account

• Yes, No, No

• No, No, Yes

• No, No, No

• No, Yes, Yes

  (Correct)

Explanation

1. Code is not implementing any locks on the queue. So it is NO

2. Messages are not deleted automatically from Azure Storage account queues and program is not deleting. So it is Yes

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-azure-and-service-bus-queues-compared-contrasted#comparing-storage-queues-and-service-bus-queues

3. The queue remains in the storage account because the code is not deleting it.

Question 31: Correct

You are developing a web application that will be hosted in an Azure Web App.

The users for web application will be authenticated by using their Azure Active Directory (Azure AD).

Users will be assigned with one of the following permission levels: admin, normal, and reader.

A user's Azure AD group membership must be used to determine the permission level.

To achieve the above requirement, you have created a new Azure AD application and configured the value of the groupMembershipClaims option to All in the application's manifest. In the web application, you use the value of the groups claim from the JWT for the user to determine permissions.

Did you achieve the requirement?

• Yes

  (Correct)
• No

Explanation

To configure group’s optional claims through the application manifest, use groupMembershipClaims.

The valid values for groupMembershipClaims are:

"All" (this option includes SecurityGroup, DirectoryRole, and DistributionList)

"SecurityGroup"

"DirectoryRole"

"ApplicationGroup" (this option includes only groups that are assigned to the application)

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

Question 32: Correct

You are developing a web application that will be hosted in an Azure Web App.

The users for web application will be authenticated by using their Azure Active Directory (Azure AD).

Users will be assigned with one of the following permission levels: admin, normal, and reader.

A user's Azure AD group membership must be used to determine the permission level.

To achieve the above requirement, you have configured the Azure Web App for the website to allow only authenticated requests and require Azure AD log on

Did you achieve the requirement?

• Yes

• No

  (Correct)

Explanation

You also need to configure app manifest file to get the user's groups.

Question 33: Correct

You are developing a web application that will be hosted in an Azure Web App.

The users for web application will be authenticated by using their Azure Active Directory (Azure AD).

Users will be assigned with one of the following permission levels: admin, normal, and reader.

A user's Azure AD group membership must be used to determine the permission level.

To achieve the above requirement, you have assigned the appropriate Azure AD groups to each role. You have created a new Azure AD application and defined application roles that match the required permission levels for the application in the applications manifest. In the web application, you use the value of the groups claim from the JWT for the user to determine permissions.

Did you achieve the requirement?

• Yes

  (Correct)
• No

Explanation

You define app roles by using the Azure portal. App roles are usually defined on an application registration representing a service, app or API. When a user signs in to the application, Azure AD emits a roles claim for each role that the user or service principal has been granted individually to the user and from their group membership.

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-manifest-editor

Question 34: Correct

You are developing a web application that will be hosted in an Azure Web App.

The users for web application will be authenticated by using their Azure Active Directory (Azure AD).

Users will be assigned with one of the following permission levels: admin, normal, and reader.

A user's Azure AD group membership must be used to determine the permission level.

To achieve the requirement, you configure and use Integrated Windows Authentication in the website. In the website, query Microsoft Graph API to load the group to which the user is a member.

Did you achieve the requirement?

• Yes

• No

  (Correct)

Explanation

It is not possible to configure windows authentication in Azure web app. You can use Azure AD.

Question 35: Correct

You are implementing authentication for an Azure API.

All calls to the API must be secure and callers should not send credentials to the API.

All callers to the API are hosted in Azure services.

Which authentication mechanism should you implement?

• Basic

• Anonymous

• Managed Identity

  (Correct)
• Client Certificate

Explanation

The managed identity policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme.

For managed identity, we no need to send any credentials.

https://docs.microsoft.com/bs-cyrl-ba/azure/api-management/api-management-authentication-policies#ManagedIdentity

Question 36: Correct

You are developing an ASP.NET web app that will be deployed to an Azure App Service.

You use Application Insights telemetry to monitor the app. You need to configure a test for the web app.

You must test the app to ensure that the app is available and responsive from various points around the world and at regular intervals.

If the app is not responding, you must send an alert to support staff.

Which two test types should you use?

• Integration

• multi-step web

  (Correct)
• URL ping

  (Correct)
• Unit

• load

Explanation

After you've deployed your web app/website, you can set up recurring tests to monitor availability and responsiveness. Azure Application Insights sends web requests to your application at regular intervals from points around the world. It can alert you if your application isn't responding, or if it responds too slowly.

Types of availability tests:

There are three types of availability tests:

URL ping test: a simple test that you can create in the Azure portal.

Multi-step web test: A recording of a sequence of web requests, which can be played back to test more complex scenarios. Multi-step web tests are created in Visual Studio Enterprise and uploaded to the portal for execution.

Custom Track Availability Tests: If you decide to create a custom application to run availability tests, the TrackAvailability() method can be used to send the results to Application Insights.

https://docs.microsoft.com/en-us/azure/azure-monitor/app/monitor-web-app-availability

Question 37: Correct

You are developing an application that uses a micro service architecture.

You need to design a communication service for communicating transactional messages between various parts of the solution.

Messages must be communicated in first-in-first-out (FIFO) order.

What service should you consider?

• Azure Storage Queue

• Azure Service Bus

  (Correct)
• Azure Event Grid

• Azure Event Hub

Explanation

Azure Service Bus queue provides a guaranteed first-in-first-out (FIFO) ordered delivery.

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-azure-and-service-bus-queues-compared-contrasted

Question 38: Correct

You have an application that use Azure API Management to publish APIs for external partners.

You must change the behavior of the API to support alternative input parameters

Which type of policy should you implement to rewrite the request URL to match to the format expected by the web service?

• Inbound

  (Correct)
• Outbound

• Backend

Explanation

The rewrite-uri policy converts a request URL from its public form to the form expected by the web service. Rewrite URI is part of Inbound section.

https://docs.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#RewriteURL

Question 39: Correct

You have an application that use Azure API Management to publish APIs for external partners.

You must change the behavior of the API to remove formatting text from responses

Which type of policy should you implement?

• Inbound

• Outbound

  (Correct)
• Backend

Explanation

As we need to remove the text from the response, it should be in outbound section.
https://docs.microsoft.com/en-us/azure/api-management/policies/filter-response-content

Question 40: Correct

You have an application that use Azure API Management to publish APIs for external partners.

You must change the behavior of the API to provide additional context to back-end services

Which type of policy should you implement to forward the user ID that is associated with the subscription key for the original request to the back-end service?

• Inbound

  (Correct)
• Outbound

• Backend

Explanation

Below is the sample snippet of the policy to send user context to backend service.

<policies>

<inbound>

<base />

<!-- Forward the name of the product associated with the subscription key in the request to the backend service. -->

<set-query-parameter name="x-product-name" exists-action="override">

<value>@(context.Product.Name)</value>

</set-query-parameter>

<!-- Forward the user id associated with the subscription key in the request as well as the region where the proxy processing the request is hosted. -->

<set-header name="x-request-context-data" exists-action="override">

<value>@(context.User.Id)</value>

<value>@(context.Deployment.Region)</value>

</set-header>

</inbound>

The configuration is part of inbound section.

https://docs.microsoft.com/en-us/azure/api-management/policies/send-request-context-info-to-backend-service

Question 41: Correct

This is a case study.

Overview -
You are a developer for Amy, Ltd.

The company has a social networking website that is developed as a Single Page Application (SPA).

The social networking website loads user uploaded content from an Azure blob storage.
You are developing a solution to monitor the user uploaded data for inappropriate content.

The following process occurs when users upload content by using the social networking website:
Messages are sent to ContentUploadService.
Content is processed by ContentAnalysisService.
After processing is complete, the content is either posted to the social network or a rejection message is posted in its place.

The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named AmyImages.
The solution will use eight CPU cores.

Azure Active Directory -
Azure Active Directory (Azure AD) is used for both internal and guest accounts.

Requirements -

ContentAnalysisService -
The Company’s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content.

Any values over a specific threshold must be reviewed by an employee of Amy, Ltd.
You must create an Azure Function named CheckUserContent to perform the content checks.

Costs -
The solution must minimize costs for all Azure services.

Manual review -
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials.

The website is built using React and all pages and API endpoints require authentication.

In order to review content a user must be part of a ContentReviewer role.

All completed reviews must include the reviewer's email address for auditing purposes.

High availability -
The region failures must not impact overall application availability.

Monitoring -
An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU-cores.

Security Requirements-
Any web service accessible over the Internet must be protected from cross site scripting attacks.
All websites and services must use SSL from a valid root certificate authority.
Azure Storage access keys must only be stored in memory and must be available only to the service.
All Internal services must only be accessible from Internal Virtual Networks (VNets)
All parts of the system must support inbound and outbound traffic restrictions.
All service calls must be authenticated by using Azure AD.

User agreements -
Users must agree to a user agreement before submitting content.

The agreement allows employees of Amy.Ltd to review content, store cookies on user devices and track user's IP addresses.
Information regarding agreements is used by multiple divisions within Amy, Ltd.
User responses must not be lost and must be available to all parties regardless of individual service uptime.

The volume of agreements is expected to be in the millions per hour.

Validation testing -
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Issues -
Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.

ContentUploadService code is as below.

ApplicationManifest code is as below

Question
You need to add code at line AM09 to ensure that users can review content using ContentAnalysisService.

How should you complete the code?

• "oauth2AllowImplicitFlow" : true

  "preAuthorizedApplications" : ["SPA"]

• "oauth2AllowImplicitFlow" : true

  "oauth2AllowIdTokenImplicitFlow" : true

  (Correct)
• "allowPublicClient" : true

  "oauth2AllowIdTokenImplicitFlow" : true

• "oauth2Permissions" : ["login"]

  "oauth2AllowIdTokenImplicitFlow" : true

Explanation

Scenario: The website is built using React and all pages and API endpoints require authentication

oauth2AllowImplicitFlow - Specifies whether this web app can request OAuth2.0 implicit flow access tokens. The default is false. This flag is used for browser-based apps, like JavaScript single-page apps

oauth2AllowIdTokenImplicitFlow - Specifies whether this web app can request OAuth2.0 implicit flow ID tokens. The default is false. This flag is used for browser-based apps, like JavaScript single-page apps.

https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest

https://spblog.net/post/2019/06/04/building-single-page-application-with-react-msal-js-and-pnpjs

Question 42: Correct

This is a case study.

Overview -
You are a developer for Amy, Ltd.

The company has a social networking website that is developed as a Single Page Application (SPA).

The social networking website loads user uploaded content from an Azure blob storage.
You are developing a solution to monitor the user uploaded data for inappropriate content.

The following process occurs when users upload content by using the social networking website:
Messages are sent to ContentUploadService.
Content is processed by ContentAnalysisService.
After processing is complete, the content is either posted to the social network or a rejection message is posted in its place.

The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named AmyImages.
The solution will use eight CPU cores.

Azure Active Directory -
Azure Active Directory (Azure AD) is used for both internal and guest accounts.

Requirements -

ContentAnalysisService -
The Company’s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content.

Any values over a specific threshold must be reviewed by an employee of Amy, Ltd.
You must create an Azure Function named CheckUserContent to perform the content checks.

Costs -
The solution must minimize costs for all Azure services.

Manual review -
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials.

The website is built using React and all pages and API endpoints require authentication.

In order to review content a user must be part of a ContentReviewer role.

All completed reviews must include the reviewer's email address for auditing purposes.

High availability -
The region failures must not impact overall application availability.

Monitoring -
An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU-cores.

Security Requirements-
Any web service accessible over the Internet must be protected from cross site scripting attacks.
All websites and services must use SSL from a valid root certificate authority.
Azure Storage access keys must only be stored in memory and must be available only to the service.
All Internal services must only be accessible from Internal Virtual Networks (VNets)
All parts of the system must support inbound and outbound traffic restrictions.
All service calls must be authenticated by using Azure AD.

User agreements -
Users must agree to a user agreement before submitting content.

The agreement allows employees of Amy.Ltd to review content, store cookies on user devices and track user's IP addresses.
Information regarding agreements is used by multiple divisions within Amy, Ltd.
User responses must not be lost and must be available to all parties regardless of individual service uptime.

The volume of agreements is expected to be in the millions per hour.

Validation testing -
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Issues -
Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.

ContentUploadService code is as below.

ApplicationManifest code is as below

Question
You need to ensure that network security policies are met. How should you configure network security?

• SSL Certificate : Valid root certificate

  Proxy Type : ngnix

• SSL Certificate : Self-signed certificate

  Proxy Type : ngnix

• SSL Certificate : Self-signed certificate

  Proxy Type : Azure Application Gateway

• SSL Certificate : Valid root certificate

  Proxy Type : Azure Application Gateway

  (Correct)

Explanation

Scenario: All websites and services must use SSL from a valid root certificate authority.

So, certificate must be valid root certificate.

Scenario: Any web service accessible over the Internet must be protected from cross site scripting attacks.

Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks.

Application Gateway supports autoscaling, SSL offloading, and end-to-end SSL, a web application firewall (WAF), cookie-based session affinity, URL path-based routing, multisite hosting, redirection, rewrite HTTP headers and other features.

Question 43: Correct

This is a case study.

Overview -
You are a developer for Amy, Ltd.

The company has a social networking website that is developed as a Single Page Application (SPA).

The social networking website loads user uploaded content from an Azure blob storage.
You are developing a solution to monitor the user uploaded data for inappropriate content.

The following process occurs when users upload content by using the social networking website:
Messages are sent to ContentUploadService.
Content is processed by ContentAnalysisService.
After processing is complete, the content is either posted to the social network or a rejection message is posted in its place.

The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named AmyImages.
The solution will use eight CPU cores.

Azure Active Directory -
Azure Active Directory (Azure AD) is used for both internal and guest accounts.

Requirements -

ContentAnalysisService -
The Company’s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content.

Any values over a specific threshold must be reviewed by an employee of Amy, Ltd.
You must create an Azure Function named CheckUserContent to perform the content checks.

Costs -
The solution must minimize costs for all Azure services.

Manual review -
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials.

The website is built using React and all pages and API endpoints require authentication.

In order to review content a user must be part of a ContentReviewer role.

All completed reviews must include the reviewer's email address for auditing purposes.

High availability -
The region failures must not impact overall application availability.

Monitoring -
An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU-cores.

Security Requirements-
Any web service accessible over the Internet must be protected from cross site scripting attacks.
All websites and services must use SSL from a valid root certificate authority.
Azure Storage access keys must only be stored in memory and must be available only to the service.
All Internal services must only be accessible from Internal Virtual Networks (VNets)
All parts of the system must support inbound and outbound traffic restrictions.
All service calls must be authenticated by using Azure AD.

User agreements -
Users must agree to a user agreement before submitting content.

The agreement allows employees of Amy.Ltd to review content, store cookies on user devices and track user's IP addresses.
Information regarding agreements is used by multiple divisions within Amy, Ltd.
User responses must not be lost and must be available to all parties regardless of individual service uptime.

The volume of agreements is expected to be in the millions per hour.

Validation testing -
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Issues -
Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.

ContentUploadService code is as below.

ApplicationManifest code is as below

Question
You need to configure the ContentUploadService deployment. Which two actions should you perform?

• Add the following markup to line number 34: types: Private

  (Correct)
• Add the following markup to line number 34: types: Public

• Add the following markup to line number 35: osType: Windows

• Add the following markup to line number 35: osType: Linux

  (Correct)

Explanation

Scenario: All Internal services must only be accessible from Internal Virtual Networks (VNets)

Currently, only Linux containers are supported in a container group deployed to a virtual network and the type must be Private.

https://docs.microsoft.com/en-us/azure/container-instances/container-instances-vnet

https://docs.microsoft.com/en-us/azure/container-instances/container-instances-virtual-network-concepts#unsupported-networking-scenarios

Question 44: Correct

This is a case study.

Overview -
You are a developer for Amy, Ltd.

The company has a social networking website that is developed as a Single Page Application (SPA).

The social networking website loads user uploaded content from an Azure blob storage.
You are developing a solution to monitor the user uploaded data for inappropriate content.

The following process occurs when users upload content by using the social networking website:
Messages are sent to ContentUploadService.
Content is processed by ContentAnalysisService.
After processing is complete, the content is either posted to the social network or a rejection message is posted in its place.

The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named AmyImages.
The solution will use eight CPU cores.

Azure Active Directory -
Azure Active Directory (Azure AD) is used for both internal and guest accounts.

Requirements -

ContentAnalysisService -
The Company’s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content.

Any values over a specific threshold must be reviewed by an employee of Amy, Ltd.
You must create an Azure Function named CheckUserContent to perform the content checks.

Costs -
The solution must minimize costs for all Azure services.

Manual review -
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials.

The website is built using React and all pages and API endpoints require authentication.

In order to review content a user must be part of a ContentReviewer role.

All completed reviews must include the reviewer's email address for auditing purposes.

High availability -
The region failures must not impact overall application availability.

Monitoring -
An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU-cores.

Security Requirements-
Any web service accessible over the Internet must be protected from cross site scripting attacks.
All websites and services must use SSL from a valid root certificate authority.
Azure Storage access keys must only be stored in memory and must be available only to the service.
All Internal services must only be accessible from Internal Virtual Networks (VNets)
All parts of the system must support inbound and outbound traffic restrictions.
All service calls must be authenticated by using Azure AD.

User agreements -
Users must agree to a user agreement before submitting content.

The agreement allows employees of Amy.Ltd to review content, store cookies on user devices and track user's IP addresses.
Information regarding agreements is used by multiple divisions within Amy, Ltd.
User responses must not be lost and must be available to all parties regardless of individual service uptime.

The volume of agreements is expected to be in the millions per hour.

Validation testing -
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Issues -
Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.

ContentUploadService code is as below.

ApplicationManifest code is as below

Question
You need to add markup at line AM04 to implement the ContentReview role.

How should you complete the markup?

• "appRoles" : [

  {

  "allowedMemberTypes" : [

  "User"

  ],

  "displayName" : "ContentReviewer",

  "id" : "e1c2ade8-98f8-45fd-aa4a-6d24b512c22a",

  "isEnabled" : true,

  "role" : "ContentReviewer"

  }

  ],

• "appRoles" : [

  {

  "allowedMemberTypes" : [

  "User"

  ],

  "displayName" : "ContentReviewer",

  "id" : "e1c2ade8-98f8-45fd-aa4a-6d24b512c22a",

  "isEnabled" : true,

  "value" : "ContentReviewer"

  
  

  }

  ],

  (Correct)
• "appRoles" : [

  {

  "allowedAccountTypes" : [

  "User"

  ],

  "displayName" : "ContentReviewer",

  "id" : "e1c2ade8-98f8-45fd-aa4a-6d24b512c22a",

  "isEnabled" : true,

  "value" : "ContentReviewer"

  
  

  }

  ],

• "appRoles" : [

  {

  "allowedAccountTypes" : [

  "User"

  ],

  "displayName" : "ContentReviewer",

  "id" : "e1c2ade8-98f8-45fd-aa4a-6d24b512c22a",

  "isEnabled" : true,

  "role" : "ContentReviewer"

  
  

  }

  ],

Explanation

Scenario: In order to review content a user must be part of a ContentReviewer role.

The following example shows an appRole that you can assign to users.

"appId": "8763f1c4-f988-489c-a51e-158e9ef97d6a",

"appRoles": [

{

"allowedMemberTypes": [

"User"

],

"displayName": "Writer",

"id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",

"isEnabled": true,

"description": "Writers Have the ability to create tasks.",

"value": "Writer"

}

],

"availableToOtherTenants": false

https://docs.microsoft.com/en-us/graph/api/resources/approle

Question 45: Correct

This is a case study.

Overview -
You are a developer for Amy, Ltd.

The company has a social networking website that is developed as a Single Page Application (SPA).

The social networking website loads user uploaded content from an Azure blob storage.
You are developing a solution to monitor the user uploaded data for inappropriate content.

The following process occurs when users upload content by using the social networking website:
Messages are sent to ContentUploadService.
Content is processed by ContentAnalysisService.
After processing is complete, the content is either posted to the social network or a rejection message is posted in its place.

The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named AmyImages.
The solution will use eight CPU cores.

Azure Active Directory -
Azure Active Directory (Azure AD) is used for both internal and guest accounts.

Requirements -

ContentAnalysisService -
The Company’s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content.

Any values over a specific threshold must be reviewed by an employee of Amy, Ltd.
You must create an Azure Function named CheckUserContent to perform the content checks.

Costs -
The solution must minimize costs for all Azure services.

Manual review -
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials.

The website is built using React and all pages and API endpoints require authentication.

In order to review content a user must be part of a ContentReviewer role.

All completed reviews must include the reviewer's email address for auditing purposes.

High availability -
The region failures must not impact overall application availability.

Monitoring -
An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU-cores.

Security Requirements-
Any web service accessible over the Internet must be protected from cross site scripting attacks.
All websites and services must use SSL from a valid root certificate authority.
Azure Storage access keys must only be stored in memory and must be available only to the service.
All Internal services must only be accessible from Internal Virtual Networks (VNets)
All parts of the system must support inbound and outbound traffic restrictions.
All service calls must be authenticated by using Azure AD.

User agreements -
Users must agree to a user agreement before submitting content.

The agreement allows employees of Amy.Ltd to review content, store cookies on user devices and track user's IP addresses.
Information regarding agreements is used by multiple divisions within Amy, Ltd.
User responses must not be lost and must be available to all parties regardless of individual service uptime.

The volume of agreements is expected to be in the millions per hour.

Validation testing -
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Issues -
Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.

ContentUploadService code is as below.

ApplicationManifest code is as below

Question
You need to investigate the http server log output to resolve the issue with the ContentUploadService.
Which command should you use first?

• az webapp log

• az ams live-output

• az monitor activity-log

• az container attach

  (Correct)

Explanation

Scenario: The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named AmyImages. The solution will use eight CPU cores.

When you have a misbehaving container in Azure Container Instances, start by viewing its logs with az container logs, and stream its standard out and standard error with az container attach.

https://docs.microsoft.com/en-us/azure/container-instances/container-instances-get-logs

Question 46: Correct

This is a case study.

Overview -
You are a developer for Amy, Ltd.

The company has a social networking website that is developed as a Single Page Application (SPA).

The social networking website loads user uploaded content from an Azure blob storage.
You are developing a solution to monitor the user uploaded data for inappropriate content.

The following process occurs when users upload content by using the social networking website:
Messages are sent to ContentUploadService.
Content is processed by ContentAnalysisService.
After processing is complete, the content is either posted to the social network or a rejection message is posted in its place.

The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named AmyImages.
The solution will use eight CPU cores.

Azure Active Directory -
Azure Active Directory (Azure AD) is used for both internal and guest accounts.

Requirements -

ContentAnalysisService -
The Company’s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content.

Any values over a specific threshold must be reviewed by an employee of Amy, Ltd.
You must create an Azure Function named CheckUserContent to perform the content checks.

Costs -
The solution must minimize costs for all Azure services.

Manual review -
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials.

The website is built using React and all pages and API endpoints require authentication.

In order to review content a user must be part of a ContentReviewer role.

All completed reviews must include the reviewer's email address for auditing purposes.

High availability -
The region failures must not impact overall application availability.

Monitoring -
An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU-cores.

Security Requirements-
Any web service accessible over the Internet must be protected from cross site scripting attacks.
All websites and services must use SSL from a valid root certificate authority.
Azure Storage access keys must only be stored in memory and must be available only to the service.
All Internal services must only be accessible from Internal Virtual Networks (VNets)
All parts of the system must support inbound and outbound traffic restrictions.
All service calls must be authenticated by using Azure AD.

User agreements -
Users must agree to a user agreement before submitting content.

The agreement allows employees of Amy.Ltd to review content, store cookies on user devices and track user's IP addresses.
Information regarding agreements is used by multiple divisions within Amy, Ltd.
User responses must not be lost and must be available to all parties regardless of individual service uptime.

The volume of agreements is expected to be in the millions per hour.

Validation testing -
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Issues -
Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.

ContentUploadService code is as below.

ApplicationManifest code is as below

Question
You need to ensure that validation testing is triggered per the requirements.
How should you complete the code segment?

var event = getEvent();

if (event.eventType === '<CodeBlock1>'

&& event.data.target.<CodeBlock2> === 'contentanalysisservice'

&& event.<CodeBlock3>.contains('amyimages'))

{

startValidationTesting();

}

• CodeBlock1: ImagePushed

  (Correct)
• CodeBlock1: ImageDeployed

• CodeBlock1: RepositoryUpdated

• CodeBlock2: aci

• CodeBlock2: repository

  (Correct)
• CodeBlock2: image

• CodeBlock3: topic

  (Correct)
• CodeBlock3: imageCollection

• CodeBlock3: repository

Explanation

Scenario: When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Here is the sample event grid schema shows the schema of an image pushed event

[{

"id": "831e1650-001e-001b-66ab-eeb76e069631",

"topic": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>",

"subject": "aci-helloworld:v1",

"eventType": "ImagePushed",

"eventTime": "2018-04-25T21:39:47.6549614Z",

"data": {

"id": "31c51664-e5bd-416a-a5df-e5206bc47ed0",

"timestamp": "2018-04-25T21:39:47.276585742Z",

"action": "push",

"target": {

"mediaType": "application/vnd.docker.distribution.manifest.v2+json",

"size": 3023,

"digest": "sha256:213bbc182920ab41e18edc2001e06abcca6735d87782d9cef68abd83941cf0e5",

"length": 3023,

"repository": "aci-helloworld",

"tag": "v1"

},

"request": {

"id": "7c66f28b-de19-40a4-821c-6f5f6c0003a4",

"host": "demo.azurecr.io",

"method": "PUT",

"useragent": "docker/18.03.0-ce go/go1.9.4 git-commit/0520e24 os/windows arch/amd64 UpstreamClient(Docker-Client/18.03.0-ce \\\\(windows\\\\))"

}

},

"dataVersion": "1.0",

"metadataVersion": "1"

}]

https://docs.microsoft.com/en-us/azure/event-grid/event-schema-container-registry?tabs=event-grid-event-schema

Question 47: Correct

This is a case study.

Overview -
You are a developer for Amy, Ltd.

The company has a social networking website that is developed as a Single Page Application (SPA).

The social networking website loads user uploaded content from an Azure blob storage.
You are developing a solution to monitor the user uploaded data for inappropriate content.

The following process occurs when users upload content by using the social networking website:
Messages are sent to ContentUploadService.
Content is processed by ContentAnalysisService.
After processing is complete, the content is either posted to the social network or a rejection message is posted in its place.

The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named AmyImages.
The solution will use eight CPU cores.

Azure Active Directory -
Azure Active Directory (Azure AD) is used for both internal and guest accounts.

Requirements -

ContentAnalysisService -
The Company’s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content.

Any values over a specific threshold must be reviewed by an employee of Amy, Ltd.
You must create an Azure Function named CheckUserContent to perform the content checks.

Costs -
The solution must minimize costs for all Azure services.

Manual review -
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials.

The website is built using React and all pages and API endpoints require authentication.

In order to review content a user must be part of a ContentReviewer role.

All completed reviews must include the reviewer's email address for auditing purposes.

High availability -
The region failures must not impact overall application availability.

Monitoring -
An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU-cores.

Security Requirements-
Any web service accessible over the Internet must be protected from cross site scripting attacks.
All websites and services must use SSL from a valid root certificate authority.
Azure Storage access keys must only be stored in memory and must be available only to the service.
All Internal services must only be accessible from Internal Virtual Networks (VNets)
All parts of the system must support inbound and outbound traffic restrictions.
All service calls must be authenticated by using Azure AD.

User agreements -
Users must agree to a user agreement before submitting content.

The agreement allows employees of Amy.Ltd to review content, store cookies on user devices and track user's IP addresses.
Information regarding agreements is used by multiple divisions within Amy, Ltd.
User responses must not be lost and must be available to all parties regardless of individual service uptime.

The volume of agreements is expected to be in the millions per hour.

Validation testing -
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Issues -
Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.

ContentUploadService code is as below.

ApplicationManifest code is as below

Question
You need to add YAML markup at line 22 to ensure that the ContentUploadService can access Azure Storage access keys.
How should you complete the YAML markup?

• CodeBlock1: volumes

• CodeBlock1: volumeMounts

  (Correct)
• CodeBlock1: environmentVariables

• CodeBlock2: volumes

  (Correct)
• CodeBlock2: secret

• CodeBlock2: evnVar

• CodeBlock3: secret

  (Correct)
• CodeBlock3: secretValues

Explanation

Sample YAML file is as below to mount secret volume.

apiVersion: '2019-12-01'

location: eastus

name: secret-volume-demo

properties:

containers:

- name: aci-tutorial-app

properties:

environmentVariables: []

image: mcr.microsoft.com/azuredocs/aci-helloworld:latest

ports: []

resources:

requests:

cpu: 1.0

memoryInGB: 1.5

volumeMounts:

- mountPath: /mnt/secrets

name: secretvolume1

osType: Linux

restartPolicy: Always

volumes:

- name: secretvolume1

secret:

mysecret1: TXkgZmlyc3Qgc2VjcmV0IEZPTwo=

mysecret2: TXkgc2Vjb25kIHNlY3JldCBCQVIK

tags: {}

type: Microsoft.ContainerInstance/containerGroups

https://docs.microsoft.com/en-us/azure/container-instances/container-instances-volume-secret

Question 48: Correct

This is a case study.

Overview -
You are a developer for Amy, Ltd.

The company has a social networking website that is developed as a Single Page Application (SPA).

The social networking website loads user uploaded content from an Azure blob storage.
You are developing a solution to monitor the user uploaded data for inappropriate content.

The following process occurs when users upload content by using the social networking website:
Messages are sent to ContentUploadService.
Content is processed by ContentAnalysisService.
After processing is complete, the content is either posted to the social network or a rejection message is posted in its place.

The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named AmyImages.
The solution will use eight CPU cores.

Azure Active Directory -
Azure Active Directory (Azure AD) is used for both internal and guest accounts.

Requirements -

ContentAnalysisService -
The Company’s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content.

Any values over a specific threshold must be reviewed by an employee of Amy, Ltd.
You must create an Azure Function named CheckUserContent to perform the content checks.

Costs -
The solution must minimize costs for all Azure services.

Manual review -
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials.

The website is built using React and all pages and API endpoints require authentication.

In order to review content a user must be part of a ContentReviewer role.

All completed reviews must include the reviewer's email address for auditing purposes.

High availability -
The region failures must not impact overall application availability.

Monitoring -
An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU-cores.

Security Requirements-
Any web service accessible over the Internet must be protected from cross site scripting attacks.
All websites and services must use SSL from a valid root certificate authority.
Azure Storage access keys must only be stored in memory and must be available only to the service.
All Internal services must only be accessible from Internal Virtual Networks (VNets)
All parts of the system must support inbound and outbound traffic restrictions.
All service calls must be authenticated by using Azure AD.

User agreements -
Users must agree to a user agreement before submitting content.

The agreement allows employees of Amy.Ltd to review content, store cookies on user devices and track user's IP addresses.
Information regarding agreements is used by multiple divisions within Amy, Ltd.
User responses must not be lost and must be available to all parties regardless of individual service uptime.

The volume of agreements is expected to be in the millions per hour.

Validation testing -
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Issues -
Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.

ContentUploadService code is as below.

ApplicationManifest code is as below

Question
You need to add code at line AM10 of the application manifest to ensure that the requirement for manually reviewing content can be met.

How should you complete the code?

• “optionalClaims”:[

  “acct”,

  “email”

  ],

• “optionalClaims”:[

  “sid”,

  “email”

  ],

  (Correct)
• “optionalClaims”:[

  “sid”,

  “upn”

  ],

Explanation

Scenario:

To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials. The website is built using React and all pages and API endpoints require authentication. In order to review content a user must be part of a ContentReviewer role.

Sid - Provides Session ID, used for per-session user sign-out if user type is Personal and Azure AD accounts.

Email - The addressable email for this user, if the user has one.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

Question 49: Correct

This is a case study.

Overview -
You are a developer for Amy, Ltd.

The company has a social networking website that is developed as a Single Page Application (SPA).

The social networking website loads user uploaded content from an Azure blob storage.
You are developing a solution to monitor the user uploaded data for inappropriate content.

The following process occurs when users upload content by using the social networking website:
Messages are sent to ContentUploadService.
Content is processed by ContentAnalysisService.
After processing is complete, the content is either posted to the social network or a rejection message is posted in its place.

The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named AmyImages.
The solution will use eight CPU cores.

Azure Active Directory -
Azure Active Directory (Azure AD) is used for both internal and guest accounts.

Requirements -

ContentAnalysisService -
The Company’s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content.

Any values over a specific threshold must be reviewed by an employee of Amy, Ltd.
You must create an Azure Function named CheckUserContent to perform the content checks.

Costs -
The solution must minimize costs for all Azure services.

Manual review -
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials.

The website is built using React and all pages and API endpoints require authentication.

In order to review content a user must be part of a ContentReviewer role.

All completed reviews must include the reviewer's email address for auditing purposes.

High availability -
The region failures must not impact overall application availability.

Monitoring -
An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU-cores.

Security Requirements-
Any web service accessible over the Internet must be protected from cross site scripting attacks.
All websites and services must use SSL from a valid root certificate authority.
Azure Storage access keys must only be stored in memory and must be available only to the service.
All Internal services must only be accessible from Internal Virtual Networks (VNets)
All parts of the system must support inbound and outbound traffic restrictions.
All service calls must be authenticated by using Azure AD.

User agreements -
Users must agree to a user agreement before submitting content.

The agreement allows employees of Amy.Ltd to review content, store cookies on user devices and track user's IP addresses.
Information regarding agreements is used by multiple divisions within Amy, Ltd.
User responses must not be lost and must be available to all parties regardless of individual service uptime.

The volume of agreements is expected to be in the millions per hour.

Validation testing -
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Issues -
Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.

ContentUploadService code is as below.

ApplicationManifest code is as below

Question
You need to monitor ContentUploadService according to the requirements.

Which command should you use?

• az monitor metrics alert create ""n alert ""g "¦ - -scopes "¦ - -condition "avg Percentage CPU > 8"

• az monitor metrics alert create ""n alert ""g "¦ - -scopes "¦ - -condition "avg Percentage CPU > 800"

• az monitor metrics alert create ""n alert ""g "¦ - -scopes "¦ - -condition "CPU Usage > 800"

  (Correct)
• az monitor metrics alert create ""n alert ""g "¦ - -scopes "¦ - -condition "CPU Usage > 8"

Explanation

Scenario: An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU-cores

Azure Monitor provides the following metrics for Azure Container Instances. These metrics are available for a container group and individual containers. By default, the metrics are aggregated as averages.

CPU Usage - measured in millicores. One millicore is 1/1000th of a CPU core, so 500 millicores represents usage of 0.5 CPU core.

Memory Usage - in bytes.

Network Bytes Received Per Second and Network Bytes Transmitted Per Second.

https://docs.microsoft.com/en-us/azure/container-instances/container-instances-monitor

Question 50: Incorrect

You are developing an Azure Function which process the messages in a queue. The outcome of the process must be stored in an Azure Cosmos DB.

Select the following code snippet that will suffice the requirement.

• [FunctionName("QueueToDocDB")]

  public static void Run(

  [CosmosDBTrigger("myqueue-items", Connection = "AzureWebJobsStorage")] string myQueueItem,

  [Queue("ToDoList", "Items", Id = "id", ConnectionStringSetting = "myCosmosDB")] out dynamic document)

  {

  ...

  }

• [FunctionName("QueueToDocDB")]

  public static void Run(

  [QueueTrigger("myqueue-items", Connection = "AzureWebJobsStorage")] string myQueueItem,

  [CosmosDB("ToDoList", "Items", Id = "id", ConnectionStringSetting = "myCosmosDB")] in dynamic document)

  {

  ...

  }

  (Incorrect)
• [FunctionName("QueueToDocDB")]

  public static void Run(

  [QueueTrigger("myqueue-items", Connection = "AzureWebJobsStorage")] string myQueueItem,

  [CosmosDB("ToDoList", "Items", Id = "id", ConnectionStringSetting = "myCosmosDB")] out dynamic document)

  {

  ...

  }

  (Correct)

Explanation

The QueueTrigger lets you trigger the Function when a message arrives in the queue.

The Azure Cosmos DB output binding lets you write a new document to an Azure Cosmos DB database using the SQL API.

The direction must be set to out.

https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-cosmosdb-v2-output?tabs=csharp#attributes-and-annotations

Question 51: Correct

You have a new Azure subscription.

You are developing an internal website for employees to view sensitive data.

The website uses Azure Active Directory (Azure AD) for authentication.

You need to implement multifactor authentication for the website.

Which two actions should you perform?

• Configure the website to use Azure AD B2C.

• In Azure AD, create a new conditional access policy.

  (Correct)
• Upgrade to Azure AD Premium.

  (Correct)
• In Azure AD, enable application proxy.

• In Azure AD conditional access, enable the baseline policy.

Explanation

Correct Answer(s):

Multi-factor authentication (MFA) is a process in which a user is prompted for additional forms of identification during a sign-in event. For example, the prompt could be to enter a code on their cellphone or to provide a fingerprint scan. When you require a second form of identification, security is increased because this additional factor isn't easy for an attacker to obtain or duplicate.

Azure AD Multi-Factor Authentication and Conditional Access policies give you the flexibility to require MFA from users for specific sign-in events.

Prerequisite to configure conditional access policy is at least an Azure AD Premium P1 license.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa

Wrong Answers:

Configure the website to use Azure AD B2C - Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.

In Azure AD, enable application proxy - Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.

In Azure AD conditional access, enable the baseline policy -Baseline Policy in Conditional Access are part of Baseline Protection in Azure Active Directory (Azure AD) and the goal of these policies is to ensure that you have at least the baseline level of security enabled in Azure AD.