Microsoft Practice Questions, Discussions & Exam Topics by our Authors
You create and publish a new Azure App Service web app.
User authentication and authorization must use Azure Active Directory (Azure AD).
You need to con...
To configure authentication and authorization for an Azure App Service web app using Azure Active Directory (Azure AD), the first step is to enable Azure AD authentication and set up the necessary configurations. Let’s break down the options and determine which one is the correct first step.
Explanation of Each Option:
1. A) Add an identity provider
- Selected Option: This is the correct first step. To integrate Azure AD authentication with an Azure App Service web app, you need to add Azure AD as an identity provider in the App Service Authentication settings. This enables the app to authenticate users using Azure AD and also handle authorization based on Azure AD roles and permissions. Once this is done, users can log in with their Azure AD credentials.
- Adding Azure AD as the identity provider establishes the connection between your app and the Azure AD tenant, which is necessary for user authentication and authorization.
2. B) Map an existing custom DNS name
- Rejected: While mapping a custom DNS name to your app is a useful configuration for providing your app with a branded URL (e.g., `www.yourapp.com`), it is not related to configuring authentication or authorization. Mapping a custom domain is typically done after setting up authentication and ensuring the application is working properly.
3. C) Create and configure a new app setting
- Rejected: App settings are typically used for configuring application-specific settings (like database connection strings, keys, or environment-spe...
Author: Jack · Last updated May 11, 2026
DRAG DROP -
You have an Azure Cosmos DB for NoSQL account.
You plan to develop two apps named App1 and App2 that will use the change feed functionality to track changes to containers. App1 will use the pull model and App2 will use the push model.
You need to choose the method to track the most recently processed change in App1 and App2.
Which component should you use? To answer, drag the appropriate components to the correct apps....
Author: Scarlett · Last updated May 11, 2026
You have a Linux container-based console application that uploads image files from customer sites all over the world. A back-end system that runs on Azure virtual machines processes the images by using the Azure Blobs API.
You are not permitted to make changes to the application.
Some customer sites only...
In this scenario, you're working with a Linux container-based console application that uploads image files from customer sites across the world. Since some customer sites only have phone-based internet connections, the solution must efficiently access and upload images while dealing with potential limitations in bandwidth.
Let's review the options provided:
Explanation of Each Option:
1. A) Azure BlobFuse
- Selected Option: Azure BlobFuse is a virtual file system driver that allows you to mount an Azure Blob Storage container as a local directory on a Linux machine. It provides a way to access Azure Blob Storage in a more native way, as if it's a filesystem. Given the scenario, BlobFuse is a good choice because it allows the application to access Azure Blob Storage without needing to make significant changes to the application itself. It provides a seamless interface for accessing image files directly from Blob Storage using standard Linux file system operations.
- Key Benefit: BlobFuse is particularly useful when working with applications that require file-based access to Blob Storage and do not need to make changes to the application itself. It can handle low-bandwidth scenarios like phone-based internet connections by efficiently interacting with Azure Blob Storage, avoiding complex protocols and reducing the need for heavy data manipulation.
2. B) Azure Disks
- Rejected: Azure Disks are block-level storage, typically used for virtual machine disks (OS or data disks). They are not intended for direct application-level access or for use with containerized applications. Moreove...
Author: Olivia Johnson · Last updated May 11, 2026
DRAG DROP -
You are developing several microservices named serviceA, serviceB, and serviceC. You deploy the microservices to a new Azure Container Apps environment.
You have the following requirements:
* The microservices must persist data to storage.
* serviceA must persist data only visible to the current container and the storage must be restricted to the amount of disk space available in the container.
* serviceB must persist data for the lifetime of the replica and allow multiple containers in the replica to mount the same storage location.
* serviceC must persist data beyond the lifetime of the replica while allowing multiple containers to access the storage and enable per object permissions.
You need to configure storage for e...
Author: Ming · Last updated May 11, 2026
DRAG DROP -
You are developing a web service that will run on Azure virtual machines that use Azure Storage. You configure all virtual machines to use managed identities.
You have the following requirements:
* Secret-based authentication mechanisms are not permitted for accessing an Azure Storage account.
* Must use only Azure Instance Metadata Service endpoints.
You need to write code to retrieve an access token to access Azure Storage. To answer, drag the appropriate code ...
Author: Max · Last updated May 11, 2026
HOTSPOT -
You are developing an Azure Function app.
The Azure Function app must enable a WebHook to read an image from Azure Blob Storage and create a new Azure Cosmos DB document.
You need to implement the Azure Function app.
Which configuration should you u...
Author: Victoria · Last updated May 11, 2026
You create an Azure Cosmos DB for NoSQL database.
You plan to use the Azure Cosmos DB .NET SDK v3 API for NoSQL to upload the following files:
You receive the following error message when uploading the files: '413 Entity too large'.
You need to...
Author: Samuel · Last updated May 11, 2026
You are developing an app to store globally distributed data in several Azure Blob Storage containers. Each container hosts multiple blobs where each instance of the app will store the data. You enable versioning and soft delete for the blobs.
App testing and incorrect code have frequently corrupted data. Development of the app must allow dat...
In this scenario, you need to restore data to a previous point in time for testing purposes and support the development process while using Azure Blob Storage. The app uses versioning and soft delete, but the critical requirement is to be able to restore data to a specific day for testing when data is corrupted. Let's analyze the options and determine the best one.
Explanation of Each Option:
1. A) Enable the change feed on the storage account to begin capturing and recording changes
- Selected Option: Enabling the change feed on the storage account is the best choice to meet the requirement for point-in-time restore. The Azure Blob Storage change feed provides a chronological log of all operations that modify or delete blobs in the storage account. By using the change feed, you can track changes and restore blobs to a specific point in time by replaying the operations up to the desired date.
- Why Selected: This is specifically designed for tracking changes and enabling point-in-time restores by allowing you to go back and replay actions on blobs. The change feed provides a complete audit trail, making it easy to restore data to a known state before corruption or erroneous changes occurred.
2. B) Configure object replication and specify replication rules
- Rejected: Object replication helps replicate data across regions for disaster recovery and high availability. However, it does not directly support point-in-time restoration of blobs. It is not designed to track specific changes or versions of the blobs, but instead ensures ...
Author: Matthew · Last updated May 11, 2026
A company uses an Azure Blob Storage for archiving.
The company requires that data in the Blob Storage is only in the archive tier.
You need to ensure data copied...
Let's analyze each option and explain why it might or might not be appropriate for this scenario, where the company requires that data in the Azure Blob Storage is only in the Archive tier:
Option A: Use a Put Block List operation with a request header of x-ms-immutability-policy-mode
- Explanation: The `x-ms-immutability-policy-mode` header is used to enforce retention policies on data by making it immutable, meaning no one can delete or modify the data until the retention period expires. However, this doesn't move the data to the Archive tier. The focus here is on data protection rather than tiering.
- Rejection Reason: This option does not address the requirement to move data to the Archive tier; it is more about enforcing immutability for compliance purposes.
- Scenario Use: This would be used when you need to prevent the deletion or modification of data (e.g., for regulatory reasons), but not for archiving.
Option B: Create a lifecycle policy with an action of tierToArchive and configure daysAfterModificationGreaterThan for 0
- Explanation: A lifecycle policy can automate actions like moving blobs to different access tiers based on specific criteria. The `tierToArchive` action moves blobs to the Archive tier after the specified condition is met. Configuring `daysAfterModificationGreaterThan` for 0 ensures that blobs are moved to the Archive tier as soon as they are created or modified.
- Selected Option Justification: This option directly satisfies the requirement to move data to the Archive tier. It automates the process by applying the tiering policy based on modification times, which fits the company’s needs of ensuring that all data in the Blob Storage is moved to the Archive tier.
- Scenario Use: This option is perfect when you need automatic data tiering based on the age or modification time of the blobs, particularly when no other tiering conditions are involved.
...
Author: David · Last updated May 11, 2026
HOTSPOT -
You have the following data lifecycle management policy:
You plan to implement an Azure Blob Storage account and apply to it Policy1. The solution should maximize resiliency and performance.
You need to configure the account to support the policy.
Which redundancy option and storage accoun...
Author: Joseph · Last updated May 11, 2026
HOTSPOT -
You have an Azure Cosmos DB for NoSQL API account named account1. Multiple instances of an on-premises application named app1 read data from account1.
You plan to implement integrated cache for connections from the instances of app1 to account1.
You need to set the connection mode and maximum consistency level of app1.
Which values shoul...
Author: MoonlitPantherX · Last updated May 11, 2026
You are developing a Cosmos DB solution that will be deployed to multiple Azure regions.
Your solution must meet the following requirements:
* Read operations will never receive write operations that are out of order.
* Maximize concurrency of read operations in ...
Let's break down each consistency level option and evaluate which one best meets the requirements of ensuring no out-of-order writes during read operations and maximizing read concurrency across multiple regions in a Cosmos DB solution.
Option A: Session
- Explanation: The Session consistency level ensures that reads within a single session (i.e., the same client or request) are consistent with respect to the writes made during that session. It allows for high read and write availability within a session but doesn’t guarantee consistency between sessions. This consistency level is primarily useful for scenarios where each client requires a consistent view of their own data but does not care about other clients’ view of data.
- Rejection Reason: This consistency level does not ensure global consistency (across regions) and could allow reads to receive stale data or out-of-order writes in a multi-region setup, which violates the first requirement. Also, it may not maximize concurrency across all regions.
- Scenario Use: This would be useful if you wanted to ensure consistency for a single user's session but not across multiple regions or clients.
Option B: Eventual
- Explanation: The Eventual consistency level provides the highest availability and lowest latency. It ensures that updates to a Cosmos DB are propagated to all regions eventually, but there is no guarantee about when the data will become consistent across regions. Reads can potentially receive stale or out-of-order data during periods of replication delay.
- Rejection Reason: This option fails to meet the requirement that read operations will never receive write operations that are out of order. Eventual consistency allows for out-of-order reads, meaning that it does not ensure global consistency or prevent reading inconsistent data.
- Scenario Use: This is suitable for scenarios where availability and performance are prioritized over consistency, such as for non-critical applications where data accuracy can tolerate some delays.
Option C: Bounded Staleness
- Explanation: Bounded Staleness allows for a defined lag between when data is written and when it becomes available for reads in other regions. It guaran...
Author: Olivia · Last updated May 11, 2026
You have an Azure Queue Storage named queue1.
You plan to develop code that will process messages in queue1.
You need to implement a queue operation to set the visibility timeout value of individual messages in queue1.
Which two operations can y...
Let's break down each option and determine which ones can be used to set the visibility timeout value of individual messages in Azure Queue Storage.
Option A: Peek at a message in the queue
- Explanation: Peek allows you to retrieve a message from the queue without changing its visibility or state. It doesn't affect the message in the queue at all, and the message remains visible to other consumers.
- Rejection Reason: The Peek operation does not allow you to modify the visibility timeout or perform any updates to the message. Therefore, it does not meet the requirement to set the visibility timeout.
- Scenario Use: This would be used when you want to examine a message without removing it or altering its state, but it cannot be used for visibility timeout modifications.
Option B: Delete a message in the queue
- Explanation: Delete removes a message from the queue permanently after it has been processed. The visibility timeout is not directly involved in the delete operation itself.
- Rejection Reason: The Delete operation removes a message and does not allow for the modification of the visibility timeout of a message that is still in the queue. Therefore, it cannot be used to set the visibility timeout.
- Scenario Use: This operation is useful for finalizing message processing by removing it from the queue, but it doesn't affect visibility timeouts.
Option C: Add a message to the queue
- Explanation: Add inserts a new message into the queue. While you can specify a visibility timeout when adding a message, this operation is used for adding new messages, not modifying existing ones.
- Rejection Reason: This operation is used for adding messages to the queue and does not allow you to modify the visibility timeout of messages already in the queue.
- Scenario Use: Useful when you need to enqueue a new message, but it does not support modifying existing messages' visib...
Author: Amira99 · Last updated May 11, 2026
HOTSPOT -
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study -
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Background -
Fo...
Author: Olivia Johnson · Last updated May 11, 2026
HOTSPOT -
A company has an Azure Cosmos DB for NoSQL account. The account is configured for session consistency. Data is written to a single Azure region and data can be read from three Azure regions.
An application that will access the Azure Cosmos DB for NoSQL container data using an SDK has the following requirements:
* Reads from the application must return the most recent committed version of an item from any Azure region.
* The container items should not automatically be deleted....
Author: IronLion88 · Last updated May 11, 2026
You manage an Azure Cosmos DB for a NoSQL API account named account1. The account contains a database named db1, which contains a container named container1. You configure account1 with a session consistency level.
You plan to develop an application named App1 that will access container1. Individual instances of App1 must perform reads and writes. App1 must allow mul...
Let's evaluate the different options and determine the appropriate object to share the session token between multiple nodes in your Azure Cosmos DB setup.
Session Consistency and the Session Token
- In Azure Cosmos DB, the session consistency level guarantees that within a single session (e.g., a single application or client), reads will always see the latest writes made by that session. For multiple nodes or instances of an application (App1) to access the same session data, they must use the same session token. This ensures that all nodes read and write data in the correct order relative to their own session.
Now, let's examine the possible options for sharing the session token between nodes:
Option A: Document Response
- Explanation: A DocumentResponse refers to the result returned after querying or performing operations on a document in Cosmos DB. While it contains the data, it also includes metadata, such as the session token used to track session consistency for the particular operation. However, the DocumentResponse object is returned after each operation, meaning it’s a result object and not an object specifically designed to share the session token across multiple nodes.
- Rejection Reason: The DocumentResponse will give you the session token for individual operations, but it is not an object designed to share that token across nodes. You would need to extract the session token from each response, which would be cumbersome and inefficient when handling multiple nodes.
Option B: Request Options
- Explanation: RequestOptions in Azure Cosmos DB allows you to specify various options for an individual request, including consistency level and session token. You can set the session token explicitly when making requests so that all reads and writes in the same session are consistent across nodes.
- Selected Option Justification: RequestOptions is the correct object for configuring and sharing the session token. When multiple nodes are i...
Author: Manish · Last updated May 11, 2026
DRAG DROP -
Case study -
Background -
...
Author: Noah · Last updated May 11, 2026
DRAG DROP -
You have a static website hosted in an Azure Storage account named storage1. You access the website by using a URL that ends with the web.core.windows.net suffix.
You plan to configure the website to be accessible through the URL www.contoso.com. The website must be accessible during configuration.
The contoso.com zone is hosted in Azure DNS.
You need to complete the website configuration.
Which four actions should yo...
Author: RadiantJaguar56 · Last updated May 11, 2026
You have an Azure Queue Storage account that contains a queue named queue1.
You plan to use Azure SDK for .NET to develop a solution that uses queue1.
You need to author C# code that will return an approximate number of messages in q...
Let's evaluate each option based on the goal of retrieving the approximate number of messages in an Azure Queue Storage queue and minimizing development effort.
Option A: GetProperties method of the QueueClient class
- Explanation: The GetProperties method of the `QueueClient` class is used to retrieve metadata about the queue, such as the approximate number of messages in the queue. This method provides properties of the queue, including `ApproximateMessagesCount`, which gives the approximate number of messages in the queue.
- Selected Option Justification: This method directly addresses the requirement. It provides the approximate number of messages in the queue with minimal effort, as it only requires calling the method and accessing the `ApproximateMessagesCount` property from the result.
- Scenario Use: This is the most straightforward and efficient way to retrieve the approximate number of messages in a queue, as it is specifically designed for that purpose and requires minimal code.
Option B: GetProperties method of the QueueServiceClient class
- Explanation: The GetProperties method of the `QueueServiceClient` class is used to retrieve properties of the entire Queue Storage service, such as the account's configuration and performance metrics. This does not provide detailed queue-specific metrics, like the approximate number of messages in a specific queue.
- Rejection Reason: This method is for service-level properties and does not return the number of messages in an individual queue, so it is not appropriate for this task.
- Scenario Use: This method is useful when managing the entire Queue Storage service but does not help with querying the number of messages in a specific queue.
...
Author: MysticJaguar44 · Last updated May 11, 2026
You manage an Azure Storage account named storage1.
You plan to load 1 million blobs into storage1.
You must assign key-value pairs to blobs so that both keys and their values are automatically indexed and searchable by using the built-in serv...
To assign key-value pairs to blobs in Azure Storage and make them searchable, let's examine each command option to determine which one is appropriate for this task.
Option A: Update-AzStorageBlobServiceProperty
- Explanation: The `Update-AzStorageBlobServiceProperty` command is used to update properties related to the blob service itself (like setting properties for lifecycle management, soft delete policies, and other service configurations). However, this does not directly handle tagging or key-value pairs for individual blobs.
- Rejection Reason: This command is more about configuring service properties at the storage account level, not for assigning tags (key-value pairs) to individual blobs. It doesn’t facilitate indexing or searching for blobs based on key-value pairs.
- Scenario Use: This is useful for changing global blob service properties like versioning, soft delete, or immutability, but not for assigning metadata or key-value pairs to individual blobs.
Option B: Set-AzStorageBlobTag
- Explanation: The `Set-AzStorageBlobTag` command allows you to assign key-value pairs (tags) to individual blobs. Azure Blob Storage supports tagging, and this command specifically facilitates the assignment of these tags to blobs, which are indexed and searchable by Azure services such as the Azure Blob Indexer.
- Selected Option Justification: This command is the correct one for assigning key-value pairs (tags) to blobs, which are automatically indexed and can be searched through Azure's built-in indexing services. This directly addresses the requirement of assigning key-value pairs to 1 million blobs for indexing and searchability.
- Scenario Use: This is the recommended command to use when you need to tag blobs w...
Author: StarlightBear · Last updated May 11, 2026
DRAG DROP -
You manage an Azure Cosmos DB for a NoSQL API account named account1. You configure account1 with the default consistency level.
An application named app1 must access containers in account1 to perform read and write operations. The connections from app1 to account1 must be established by using the direct mode.
You plan to configure app1 to override the default consistency level by using the Azure Cosmos DB SDK client.
You need to set the maximum consistency level for app1 to use for read and write operations.
Which consistency level should you se...
Author: Noah · Last updated May 11, 2026
DRAG DROP -
You manage an Azure subscription associated with a Microsoft Entra tenant named contoso.com. The subscription contains an Azure Blob Storage account named storage1. Your user account has the Contributor Azure role-based access control (RBAC) role within the scope of the subscription.
You plan to implement secure access to containers and blobs in storage1. Your solution must satisfy the following requirements:
* Authorization requests to access storage1 content must be authenticated by using Microsoft Entra credentials.
* Authorized access to storage1 content must be time-limited based on arbitrary values specified when requests are raised.
* The principle of l...
Author: Lina Zhang · Last updated May 11, 2026
Case study -
Background -
Fourth Coffee is a gl...
Author: Sophia Clark · Last updated May 11, 2026
HOTSPOT -
You have an Azure Blob Storage account named account1.
You plan to grant permissions for access to blobs in account1 by using a combination of a shared access signature token and a stored access policy. You must set the duration of the token validity by using the stored access policy.
You need to complete the configuration of the stored access policy and generate the shared access signatu...
Author: Liam · Last updated May 11, 2026
You are developing a Java application that uses Cassandra to store key and value data. You plan to use a new Azure Cosmos DB resource and the Cassandra API in the application. You create an Azure Active Directory (Azure AD) group named Cosmos DB Creators to enable provisioning of Azure Cosmos accounts, databases, and containers.
The Azure AD group must not be able...
Let's analyze the role-based access control (RBAC) options available for restricting access to the Azure AD group (Cosmos DB Creators) while ensuring they cannot access keys required to access data in Azure Cosmos DB.
Option A: DocumentDB Accounts Contributor
- Explanation: The DocumentDB Accounts Contributor role allows users to create, configure, and manage Cosmos DB accounts. However, it does not allow access to keys or data within the accounts, which fits the requirement of not granting access to the keys.
- Rejection Reason: This role allows account creation and configuration, but the primary task here is restricting access to keys. While it does restrict data access, it doesn't address the specific concern of denying key access sufficiently, since it might still permit some higher-level configurations that could inadvertently expose sensitive data.
- Scenario Use: This role is useful for users who need to configure and manage the account and resources but does not specifically focus on restricting access to keys.
Option B: Cosmos Backup Operator
- Explanation: The Cosmos Backup Operator role is designed to allow users to manage backups of Azure Cosmos DB accounts and databases, which includes performing backup and restore operations. It does not grant access to data or keys, focusing only on backup operations.
- Rejection Reason: This role is focused solely on backup and restore operations and does not provide general administrative or management permissions for Cosmos DB accounts or databases. It also does not directly address the need to manage access to the keys required to access data.
- Scenario Use: This role is suitable for users who need to manage Cosmos DB backups but is not suitable for restricting access to keys in a broader context of application development or configuration management.
Option C: Cosmos DB Operator
- Explanation: The Cosmos DB Operator...
Author: GlowingTiger · Last updated May 11, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, norm...
Scenario Understanding
You are developing a website that will run as an Azure Web App and require Azure Active Directory (Azure AD) authentication. You want the website to assign users permission levels such as admin, normal, and reader based on their Azure AD group membership.
The solution provided suggests configuring the Azure Web App to allow only authenticated requests and require Azure AD logon. The question asks whether this solution meets the goal of assigning permission levels based on Azure AD group membership.
Solution Breakdown
Solution Provided:
- Authenticated Requests Only: Configuring the Azure Web App to allow only authenticated requests and to require Azure AD logon ensures that only users who are authenticated by Azure AD can access the web app. This is necessary for any form of authorization based on Azure AD groups, as it confirms that the user is who they claim to be.
Missing Component:
- Role-Based Authorization: The key missing part in the solution is the authorization based on Azure AD group membership. To achieve the goal, once a user is authenticated, you need to use role-based access control (RBAC) or Azure AD group claims in the token to map the user's group membership t...
Author: Sophia · Last updated May 11, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user's Azure AD group membership must be used to determine the perm...
Solution Breakdown:
The goal is to configure authorization for a website that uses Azure Active Directory (Azure AD) authentication, where users' permission levels (admin, normal, and reader) are determined by their Azure AD group membership.
The solution provided suggests two key steps:
1. Create a new Azure AD application and set the `groupMembershipClaims` option in the application's manifest to All.
2. Use the `groups` claim from the JWT token to determine the user's permission levels.
Step-by-step Evaluation of the Solution:
1. Setting the `groupMembershipClaims` option to "All":
- In Azure AD, the `groupMembershipClaims` setting controls whether group membership information is included in the token. By setting it to All, the JWT token will contain a `groups` claim, which includes the groups the user belongs to. This is necessary to retrieve the user's group memberships and use them for authorization.
- This part of the solution is correct because it ensures that the group membership information will be included in the user's token, which is crucial for assigning permissions based on Azure AD groups.
2. Using the `groups` claim from the JWT token for authorization:
- After configuring the Azure AD...
Author: Leah · Last updated May 11, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user's Azure AD group membership must be used to determine the permission level.
You need to configure authorization.
Soluti...
The solution involves creating an Azure AD application, defining roles in the application manifest, and assigning those roles to Azure AD groups. The website would then use the `roles` claim in the user's JWT to determine permissions. Let's analyze if this solution meets the goal:
Key Factors:
1. Azure AD Application and Manifest: Defining application roles in the manifest and assigning them to groups ensures that users who belong to those groups are automatically granted the corresponding roles.
2. Role-based Access Control: The solution uses the `roles` claim in the JWT token to determine user permissions, which is a standard practice in Azure AD to manage access based on user roles.
3. Azure AD Groups and Roles: Assigning Azure AD groups to roles allows centralized management of permissions. For instance, you can easily add or remove users from a group, which will automatically up...
Author: Charlotte · Last updated May 11, 2026
DRAG DROP -
You are developing an application to securely transfer data between on-premises file systems and Azure Blob storage. The application stores keys, secrets, and certificates in Azure Key Vault. The application uses the Azure Key Vault APIs.
The application must allow recovery of an accidental deletion of the key vault or key vault objects. Key vault objects must be retained for 90 days after deletion.
You need to protect the key vault and key vault objects.
Which Azure Key Vault feature should you use? To answer, drag the appropriate f...
Author: Isabella1 · Last updated May 11, 2026
You provide an Azure API Management managed web service to clients. The back-end web service implements HTTP Strict Transport Security (HSTS).
Every request to the backend service must include a valid HTTP authorization header.
You need to configure the Azure API Management instance with an authentication polic...
Let's review the options in the context of securing an Azure API Management (APIM) instance with an authentication policy, ensuring that every request to the backend service includes a valid HTTP authorization header.
Key Considerations:
- Backend Web Service Implements HSTS: This means that HTTP requests to the backend must be secure (over HTTPS).
- Every Request Requires a Valid HTTP Authorization Header: This implies some form of authentication will be required, and the API Management service needs to pass the correct credentials in the `Authorization` header when forwarding requests to the backend.
- API Management Authentication Policies: In Azure API Management, authentication policies ensure that requests are properly authenticated before being passed to the backend.
Option A: Basic Authentication
- Explanation: Basic Authentication involves passing the username and password as part of the `Authorization` header in the format `Basic <encoded_credentials>`. This is a simple and often used approach for securing APIs.
- Why it Works: In the Azure API Management instance, you can configure a policy to add the `Authorization` header with Basic Authentication credentials. This can be done in the policy definition, allowing you to authenticate requests before they reach the backend service.
- Best Use Case: Basic Authentication is typically used when the backend expects basic user/pass credentials in the `Authorization` header.
Option B: Digest Authentication
- Explanation: Digest Authentication is a more secure alternative to Basic Authentication. It involves hashing the credentials, so the password is not sent in plain text. The header contains a hashed version of the credentials along with some other parameters.
- Why it Works: Similar to Basic Authentication, you could configure Azure API Management to add the appropriate `Authorization` header, but Digest Authentication requires more complex header construction (hashing) and is not as commonly used with modern APIs compared to Basic Authentication or token-based approaches.
- Best Use Case: Digest Authentication might be used in legacy systems that require it, but it can be more complex to set up and...
Author: Sam · Last updated May 11, 2026
DRAG DROP -
You are developing an ASP.NET Core website that can be used to manage photographs which are stored in Azure Blob Storage containers.
Users of the website authenticate by using their Azure Active Directory (Azure AD) credentials.
You implement role-based access control (RBAC) role permissions on the containers that store photographs. You assign users to RBAC roles.
You need to configure the website's Azure AD Application so that users' permissions can be used with the Azure Blob containers.
How should you configure the application? To answer, drag the app...
Author: IronLion88 · Last updated May 11, 2026
HOTSPOT -
You are developing an ASP.NET Core app that includes feature flags which are managed by Azure App Configuration. You create an Azure App Configuration store named AppFeatureFlagStore that contains a feature flag named Export.
You need to update the app to meet the following requirements:
* Use the Export feature in the app without requiring a restart of the app.
* Validate users before users are allowed access to secure resources.
* Permit...
Author: Olivia Johnson · Last updated May 11, 2026
You have an application that includes an Azure Web app and several Azure Function apps. Application secrets including connection strings and certificates are stored in Azure Key Vault.
Secrets must not be stored in the application or application runtime environment. Changes to Azure Active...
To determine the best approach for loading application secrets from Azure Key Vault without storing them in the application or runtime environment, we need to consider security, scalability, ease of management, and the minimization of changes to Azure Active Directory (Azure AD).
Analysis of each option:
A) Create a single user-assigned Managed Identity with permission to access Key Vault and configure each App Service to use that Managed Identity.
- Pros:
- Using a user-assigned managed identity centralizes access management. It simplifies the configuration since you assign permissions at the Key Vault level to this single identity, and multiple resources can use the same identity.
- A single identity minimizes the complexity of managing multiple identities.
- This method does not require storing secrets or certificates in the app, as the app can leverage Azure's Managed Identity feature to authenticate securely.
- Cons:
- Centralized access could be a risk if a single identity is compromised, as all app services would be affected.
- The management overhead of the user-assigned Managed Identity may increase as your applications grow.
- When to use: This option is ideal for scenarios where you have many Azure services that require access to Key Vault, and centralization of identity is desired to reduce complexity.
B) Create a single Azure AD Service Principal with permission to access Key Vault and use a client secret from within the App Services to access Key Vault.
- Pros:
- The Azure AD Service Principal is an appropriate option when working with Azure AD-based authentication.
- It can allow multiple services to share the same access credentials.
- Cons:
- Storing client secrets within your application is not recommended due to security risks. This breaks the requirement of not storing secrets in the application or its runtime environment.
- Management of Service Principals requires careful handling of secrets and certificates, and if the secret is exposed, it could lead to security vulnerabilities.
- When to use: This option is typically used in scenarios where you must use a Service Principal to grant access to resources but not in cases where secrets should not be stored in the app.
C) Create a system-assigned Managed Identity in each App Service with permission to access Key Vault.
- Pros:
- System-assig...
Author: Ella · Last updated May 11, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a medical records document management website. The website is used to store scanned copies of patient intake forms.
If the stored intake forms are downloaded from storage by a third party, the contents of the forms must not ...
Analysis:
The scenario requires ensuring that the contents of patient intake forms are not compromised if they are downloaded by a third party. The solution involves the following steps:
1. Create an Azure Key Vault key named skey.
- This is a good start, as it ensures that the encryption key is managed securely by Azure Key Vault.
2. Encrypt the intake forms using the public key portion of skey.
- Encryption using the public key is a method where only the private key can decrypt the data, which ensures confidentiality. This seems like a logical approach to protect the data from unauthorized access.
3. Store the encrypted data in Azure Blob storage.
- Storing the encrypted data in Azure Blob storage ensures that the encrypted intake forms are stored securely, as access to the encrypted data would require decryption using the private key.
Key Considerations:
- Encryption Mechanism: Public key encryption (using the public key portion of skey) ensures that only someone with access to the private key can decrypt the ...
Author: Victoria · Last updated May 11, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a medical records document management website. The website is used to store scanned copies of patient intake forms.
If the stored intake forms are downloaded from storage by a third party, the contents of t...
Analysis:
The scenario specifies that the contents of patient intake forms must be protected, ensuring they are not compromised if downloaded by a third party. The proposed solution involves using Azure Cosmos DB with Storage Service Encryption enabled, followed by storing the intake forms in that database.
Let's break down the key components:
1. Create an Azure Cosmos DB database with Storage Service Encryption enabled:
- Azure Cosmos DB automatically enables Storage Service Encryption for all data at rest, which means the data in Cosmos DB is encrypted using encryption keys managed by Azure. This ensures that the data is secure while stored and that unauthorized parties cannot easily access or read the data from storage.
2. Store the intake forms in the Azure Cosmos DB database:
- Storing the intake forms in Azure Cosmos DB would leverage the built-in encryption to protect the data at rest. Azure Cosmos DB ensures that only authorized users with proper access permissions can read the data, ensuring the confidentiality of sensitive patient information.
Key Considerations:
- Encryption at Rest:
- Storage Service Encryption in Azure Cosmos DB ensures the data is encrypted while stored in the database, which aligns with the goal of protecting the content...
Author: Ming · Last updated May 11, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a medical records document management website. The website is used to store scanned copies of patient intake forms.
If the stored intake forms a...
Analysis:
The goal is to ensure that the contents of the intake forms are protected and not compromised if they are downloaded by a third party. The solution proposes storing the intake forms as Azure Key Vault secrets.
Let's break down the key factors:
1. Storing intake forms as Azure Key Vault secrets:
- Azure Key Vault is a service that securely stores and manages sensitive information, such as secrets (passwords, API keys), certificates, and cryptographic keys.
- Secrets in Key Vault are typically small pieces of sensitive information, such as connection strings or credentials. They are not designed to store large binary objects, like scanned copies of documents, which are typically large files (images or PDFs).
2. Azure Key Vault Use Case:
- Key Vault is not optimized for storing large files such as scanned patient intake forms (which are usually in image or PDF format).
- Storing large documents in Key Vault would be inefficient, and would also violate the best practices for Key Vault, which is better suited for small pieces of sensitive data (such as keys, certificates, or short secr...
Author: Leah · Last updated May 11, 2026
HOTSPOT -
You plan to deploy a new application to a Linux virtual machine (VM) that is hosted in Azure.
The entire VM must be secured at rest by using industry-standard encryption technology to address organizational security and compliance requirements.
You need to configure Azure Disk Encryption for the VM.
How should you complete ...
Author: Mia · Last updated May 11, 2026
Your company is developing an Azure API hosted in Azure.
You need to implement authentication for the Azure API to access other Azure resources. You have the following requirements:
* All API calls must be authenticated.
* Cal...
Option Analysis:
1. Basic Authentication (A):
- Explanation: Basic Authentication requires the caller to send credentials (username and password) with every API request.
- Why rejected: The requirement is that "callers must not send credentials to the API." This directly rules out Basic Authentication since it involves sending credentials with each request.
- Use case: This could be used if credentials need to be provided directly by the caller for access, but it's not suitable here.
2. Anonymous Authentication (B):
- Explanation: Anonymous authentication allows access without requiring any form of user or service identity. No authentication is involved in the process.
- Why rejected: This is incompatible with the requirement that "all API calls must be authenticated." Anonymous authentication does not provide any form of authentication, which violates the specified requirements.
- Use case: This might be used for public APIs or scenarios where security is not a concern, but it doesn’t fit the requirement to authenticate all calls.
3. Managed Identity (C):
- Explanation: A Managed Identity is an identity automatically managed by Azure for services like Azure Functions, Web Apps, and Azure API Management. It allows services to authenticate to Azure resources without needing credentials stored in the code. Managed identities work by using Azure Active Directory (AAD) to authenticate.
- Why selected: This i...
Author: GlowingTiger · Last updated May 11, 2026
DRAG DROP -
You are developing an application. You have an Azure user account that has access to two subscriptions.
You need to retrieve a storage account key secret from Azure Key Vault.
In which order should you arrange the PowerShell commands to develop the solution? To answer...
Author: Elizabeth · Last updated May 11, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You develop Azure solutions.
You must grant a virtual machine (VM) access to specific...
Analysis:
1. Solution Explanation:
- The goal is to grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager (ARM) by obtaining an ARM access token. The proposed solution is to use an X.509 certificate for authentication.
- X.509 certificates are generally used in public key infrastructure (PKI) for secure authentication in various scenarios. In Azure, certificates can be used for client authentication, but this is not a typical method for authenticating a VM directly to Azure Resource Manager (ARM).
- Normally, an Azure Managed Identity or a service principal with a secret/certificate is used to authenticate a VM to Azure services.
2. Why this solution might not meet the goal:
- While X.509 certificates can be used for secure authentication in Azure, they are not the most common or recommended method to authenticate a VM to obtain an Azure Resource Manager access token. Typically, Azure Managed Identity is used for VM authentication to Azure resources, as it simplifies the authentication process and doesn’t require managing certificates or secrets.
- Using a certificate for authentication wou...
Author: Liam123 · Last updated May 11, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You develop Azure solutions.
You must grant a virtual machine (VM) access to specific resource groups in ...
Analysis:
1. Solution Explanation:
- The goal is to grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager (ARM) and obtain an ARM access token.
- The proposed solution involves using the Reader role-based access control (RBAC) role to authenticate the VM with ARM.
2. Role-Based Access Control (RBAC):
- RBAC is the primary method to manage access to Azure resources, allowing you to assign roles to users, groups, or service principals to grant permissions.
- The Reader role allows read-only access to Azure resources. It would allow the VM to access information about resources but does not allow the VM to authenticate or obtain an ARM access token by itself.
- In Azure, RBAC roles are typically assigned to users, groups, or service principals, but VMs themselves need a way to authenticate to Azure (like through a Managed Identity or a Service Principal).
- Therefore, the VM cannot directly use the Reader role to authenticate itself and obtain an access token. Instead, it would need a Managed Identity or a Service Principal to authenticate and obtain tok...
Author: Olivia Johnson · Last updated May 11, 2026
HOTSPOT -
You are building a website that is used to review restaurants. The website will use an Azure CDN to improve performance and add functionality to requests.
You build and deploy a mobile app for Apple iPhones. Whenever a user accesses the website from an iPhone, the user must be redirected to the app store.
You need to implement an Azure CDN rule that ensures that iPhone users are redirected to the app store.
...
Author: Benjamin · Last updated May 11, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user's Azure AD group me...
The solution provided involves configuring Integrated Windows Authentication (IWA) and using the Microsoft Graph API to query the user's Azure AD group memberships.
Key factors for reasoning:
1. Integrated Windows Authentication (IWA) is typically used in on-premises environments and works well with Windows authentication for applications. It integrates with Active Directory but does not directly align with Azure AD authentication, which is required in this scenario.
2. Microsoft Graph API is the correct approach for querying Azure AD group memberships. It can provide information about the user's Azure AD group memberships, which is essential for determining their permission level for the website.
Issues with the solution:
- T...
Author: GlowingTiger · Last updated May 11, 2026
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You develop Azure solutions.
You must grant a virtual machine (VM) access to specific resource groups in Azur...
To assess whether the solution meets the goal of granting a virtual machine (VM) access to specific resource groups in Azure Resource Manager (ARM), let's break down the solution provided:
Key factors for reasoning:
1. Managed Identity: Azure provides managed identities (either system-assigned or user-assigned) for Azure resources like VMs, which can be used to authenticate to Azure services and resources without needing credentials stored in the application code.
2. Access Token: To interact with Azure Resource Manager (ARM) via its REST API, you need an access token for authentication. Managed identities can be used to request Azure Active Directory (Azure AD) tokens, which are required to authenticate against ARM.
3. Invoke-RestMethod cmdlet: This cmdlet can ...
Author: Samuel · Last updated May 11, 2026
HOTSPOT -
You are building a website to access project data related to teams within your organization. The website does not allow anonymous access. Authentication is performed using an Azure Active Directory (Azure AD) app named internal.
The website has the following authentication requirements:
* Azure AD users must be able to log in to the website.
* Personalization of the website must be based on membership in Active Directory groups.
You need to configure the application's manif...
Author: Isabella · Last updated May 11, 2026
You develop an app that allows users to upload photos and videos to Azure storage. The app uses a storage REST API call to upload the media to a blob storage account named Account1. You have blob storage containers named Container1 and Container2.
Uploading of videos occurs on an irregu...
To determine the correct approach for copying blobs from `Container1` to `Container2` when a new video is uploaded, let's evaluate each option carefully based on the requirements and scenario.
Key factors:
- The goal is to copy blobs from `Container1` to `Container2` when a new video is uploaded.
- Irregular uploads suggest an automated, event-driven approach, where the system detects and acts upon the upload.
- Storage REST API: The app already uses REST API calls to interact with the blob storage, so we want a solution that integrates well with this environment and is efficient.
Option Analysis:
A) Copy blobs to Container2 by using the Put Blob operation of the Blob Service REST API
- The Put Blob operation is used to upload blobs to a container, not to copy them. While it could potentially be used to upload a new blob to `Container2`, this doesn't directly address copying an existing blob from `Container1`. It would require downloading the blob first and then uploading it again, which is not ideal.
- Rejection: This method involves extra steps (downloading then uploading), which is inefficient and doesn't directly copy the blob.
B) Create an Event Grid topic that uses the Start-AzureStorageBlobCopy cmdlet
- Event Grid can detect changes in a blob container (like a new blob upload) and trigger actions based on those events. The Start-AzureStorageBlobCopy cmdlet can be used to copy blobs between containers in Azure Storage.
- Recommendation: This solution is efficient because Event Grid can automatically trigger the copy process as soon as a new video blob is uploaded to `Containe...
Author: MoonlitPantherX · Last updated May 11, 2026
You are developing an ASP.NET Core website that uses Azure FrontDoor. The website is used to build custom weather data sets for researchers. Data sets are downloaded by users as Comma Separated Value (CSV) files. The data is refreshed every 10 hours.
Specific files must be purged from the FrontDoor cache based ...
To determine the correct type of cache purge to use with Azure Front Door, let's analyze each option based on the requirements and scenario:
Key factors:
- The website delivers CSV files that need to be purged from the cache on an individual basis based on Response Header values.
- The cache purge should be specific to certain files rather than a general cache clearing for the entire site.
- Purging needs to occur based on specific assets (i.e., individual files) rather than bulk purging.
Option Analysis:
A) Single Path
- Single path purge allows you to purge a specific asset or file from the cache by specifying its exact path (e.g., `/files/weatherdata.csv`).
- This method is ideal for purging individual assets like specific CSV files that need to be cleared from the cache when their data is refreshed or updated.
- Recommendation: Since you are targeting specific files for cache purging, this option directly fits the requirement.
B) Wildcard
- Wildcard purge allows you to purge multiple assets tha...
Author: Leo · Last updated May 11, 2026
Your company is developing an Azure API.
You need to implement authentication for the Azure API. You have the following requirements:
* All API calls must be secure.
* Callers to the API m...
Author: ShadowWolf101 · Last updated May 11, 2026
You are a developer for a SaaS company that offers many web services.
All web services for the company must meet the following requirements:
* Use API Management to access the services
* Use OpenID Connect for authentication
* Prevent anonymous usage
A recent security audit f...
Key factors for reasoning:
- Requirements:
- The services must use API Management.
- The authentication must be done using OpenID Connect.
- Anonymous usage should be prevented, meaning only authenticated users should have access.
Given these requirements, let's evaluate the options:
Option Analysis:
A) jsonp
- JSONP (JSON with Padding) is a technique used for making cross-origin requests by injecting a `<script>` tag to bypass same-origin policies. However, this is not related to authentication or access control.
- Rejection: This option doesn't address authentication or prevent anonymous access. It is not suited for securing web services.
B) authentication-certificate
- This policy is used for enforcing certificate-based authentication. It requires clients to provide a certificate in the request to authenticate. This is useful when you need to authenticate based on a client certificate, but it doesn't align with the requirement of using OpenID Connect for authentication.
- Rejection: This option is not related to OpenID Connect and doesn’t address the requirement to prevent anonymous access through OpenID Connect.
C) check-header
- This policy is used to check for the pres...
Author: Layla · Last updated May 11, 2026
DRAG DROP -
Contoso, Ltd. provides an API to customers by using Azure API Management (APIM). The API authorizes users with a JWT token.
You must implement response caching for the APIM gateway. The caching mechanism must detect the user ID of the client that accesses data for a given location and cache the response for that user ID.
You need to add the following policies to the policies file:
* a set-variable policy to store the detected user identity
* a cache-lookup-value policy
* a cache-store-value policy
* a find-and-replace policy to update the response body with the user profile information
To which policy section should you add th...