Microsoft Practice Questions, Discussions & Exam Topics by our Authors
DRAG DROP -
You are developing an Azure solution.
You need to develop code to access a secret stored in Azure Key Vault.
How should you complete the code segment? To answer, drag the appropriate code segments to the correct location. Each code segment may be used once, more than once, or not at all. You may n...
Author: Samuel · Last updated May 11, 2026
You are developing an Azure App Service REST API.
The API must be called by an Azure App Service web app. The API must retrieve and update user profile information stored in Azure Active Directory (Azure AD).
You need to configure the API to make the updates.
Which two too...
Key factors for reasoning:
- The task involves configuring an Azure App Service REST API that interacts with Azure Active Directory (Azure AD) to retrieve and update user profile information.
- We need to consider tools that handle authentication (to securely authenticate the app) and interact with Azure AD to manage user profile data.
Let's evaluate each option:
Option Analysis:
A) Microsoft Graph API
- Microsoft Graph API is a REST API that allows developers to interact with a wide range of Microsoft services, including Azure AD. It provides endpoints to retrieve, create, and update user profile information within Azure AD.
- Recommendation: Microsoft Graph API is the primary tool for interacting with Azure AD, especially when it comes to retrieving and updating user profile data.
- Selected: This is one of the correct answers because it directly provides the functionality needed for interacting with Azure AD.
B) Microsoft Authentication Library (MSAL)
- The Microsoft Authentication Library (MSAL) is used to authenticate users and acquire access tokens. MSAL simplifies the process of obtaining the necessary access tokens to authenticate the application with Azure AD.
- Recommendation: MSAL is crucial for authenticating the app and acquiring the necessary tokens to make authorized requests to Azure AD, which is required to interact with the Microsoft Graph API.
- Selected: MSAL is another correct answer because it handles authentication and obtaining tokens for secure communication with Azure AD and the Microsoft Graph API.
...
Author: Sam · Last updated May 11, 2026
You develop a REST API. You implement a user delegation SAS token to communicate with Azure Blob storage.
The token is compromised.
You need to revoke the token.
What are two possible ways to achieve this goal? Each ...
To revoke a compromised SAS token, you need to invalidate the token or prevent its usage. Let’s evaluate the possible options:
A) Revoke the delegation key
- Explanation: This option refers to revoking the key used to generate a SAS token for user delegation, which would render the SAS token invalid. However, Azure doesn't provide a direct API or mechanism to "revoke" a SAS token once it's been created. A delegation key could refer to the access token for user delegation, but simply revoking it may not directly invalidate the SAS token if it is already issued.
- Reasoning: Not applicable because Azure does not support the direct revocation of SAS tokens once issued.
B) Delete the stored access policy
- Explanation: If a stored access policy is used to generate the SAS token, deleting this policy will invalidate any SAS token that is based on that policy. This can be done to revoke a compromised SAS token, as it invalidates the policy associated with the token.
- Reasoning: This is an effective way to revoke a SAS token, assuming the token was created using a stored access policy. By deleting the policy, you prevent further usage of any SAS tokens generated from it.
C) Regenerate the account key
- Explanation: Regenerating the storage account key will invalidate all SAS tokens that were created using that account key, as the SAS tokens are signed with the account key. Regen...
Author: Alexander · Last updated May 11, 2026
DRAG DROP -
You are developing an Azure-hosted application that must use an on-premises hardware security module (HSM) key.
The key must be transferred to your existing Azure Key Vault by using the Bring Your Own Key (BYOK) process.
You need to securely transfer the key to Azure Key Vault.
Which four actions should you perform in sequ...
Author: Nathan · Last updated May 11, 2026
You develop and deploy an Azure Logic app that calls an Azure Function app. The Azure Function app includes an OpenAPI (Swagger) definition and uses an Azure Blob storage account. All resources are secured by using Azure Active Directory (Azure AD).
The Azure Logic app must securely access the Azure Blob storage ...
Let's break down the options for securing the Azure Logic app that needs to securely access the Azure Blob storage account while ensuring Azure AD resources remain intact if the Azure Logic app is deleted.
A) Create a user-assigned managed identity and assign role-based access controls.
- Explanation: A user-assigned managed identity can be created independently of the Azure Logic app, which is beneficial because it ensures that the managed identity persists even if the Logic app is deleted. You would assign the required Azure AD roles (e.g., Storage Blob Data Reader/Writer) to the managed identity, ensuring that the Logic app can securely access the Azure Blob storage account using Azure AD authentication.
- Reasoning: This is a valid option because the user-assigned managed identity is decoupled from the Logic app lifecycle, meaning that even if the Logic app is deleted, the identity and its access permissions will remain intact, fulfilling the requirement of Azure AD resources persisting after deletion.
B) Create an Azure AD custom role and assign the role to the Azure Blob storage account.
- Explanation: Azure AD custom roles are typically used to define specific access permissions for users or groups. While a custom role can be created and assigned, it does not solve the issue of the Logic app's access to the Blob storage. The role assignment would generally need to be linked to a user, group, or managed identity.
- Reasoning: While the custom role approach is useful, it does not specify how to securely authenticate the Logic app with Azure Blob storage. There’s no indication of a managed identity or service principal to facilitate secure authentication. Hence, this is not the best approach in this case.
C) Create an Azure Key Vault and issue a client certificate.
- Explanation: Azure Key Vault can be used to store secrets or certificates securely, and client certificates can be issued to secure communication. However, for Azure Logic app to authenticate to Azure Blob storage using Azure AD, it's typically better to use a managed identity instead of a client certificate.
- Reasoning: While Key Vault and ce...
Author: Isabella · Last updated May 11, 2026
HOTSPOT -
You are developing an application that uses a premium block blob storage account. You are optimizing costs by automating Azure Blob Storage access tiers.
You apply the following policy rules to the storage account. You must determine the implications of applying the rules to the data. (Line numbers are included for reference only.)
For e...
Author: Nia · Last updated May 11, 2026
You are developing a solution that will use a multi-partitioned Azure Cosmos DB database. You plan to use the latest Azure Cosmos DB SDK for development.
The solution must meet the following requirements:
* Send insert and update operations to an Azure Blob storage account.
* Process changes to all partitions immediately.
* Allow parallelization of change processing.
You need to process the Az...
To process changes in an Azure Cosmos DB database with multiple partitions, meet the specified requirements, and achieve parallelized processing, let’s analyze each of the given options:
A) Create an Azure App Service API and implement the change feed estimator of the SDK. Scale the API by using multiple Azure App Service instances.
- Explanation: The change feed estimator isn't a common feature for processing changes; it's primarily used for tracking throughput changes in Cosmos DB. Scaling an Azure App Service API may allow the processing of changes, but it won't inherently parallelize the change feed processing across partitions. Using multiple instances of Azure App Service might lead to overhead and may not fully leverage Cosmos DB's optimized change feed processing.
- Reasoning: While it could work for some scenarios, it isn't the most optimized or efficient method for handling Cosmos DB's change feed. It lacks direct integration with Cosmos DB's change feed and does not inherently optimize parallelism at the partition level.
B) Create a background job in an Azure Kubernetes Service and implement the change feed feature of the SDK.
- Explanation: Azure Kubernetes Service (AKS) can provide scalability and flexibility for background jobs, and implementing the change feed feature within AKS could work. However, AKS is more complex to set up and manage compared to Azure Functions for serverless, event-driven workloads. Additionally, scaling change feed processing and managing the load might require additional configurations, leading to increased operational complexity.
- Reasoning: Although feasible, using AKS for this task is overkill for most scenarios. Azure Functions are a more streamlined and easier solution for processing the Cosmos DB change feed.
C) Create an Azure Function to use a trigger for Azure Cosmos DB. Configure the trigger to connect to the container.
- Explanation: Azure Functions can be directly triggered by changes in an Azure Cosmos DB container using the Cosmos DB trigger. This option works well for serverless, event-dr...
Author: Ethan Smith · Last updated May 11, 2026
HOTSPOT -
You have an Azure Web app that uses Cosmos DB as a data store. You create a CosmosDB container by running the following PowerShell script:
$resourceGroupName = "testResourceGroup"
$accountName = "testCosmosAccount"
$databaseName = "testDatabase"
$containerName = "testContainer"
$partitionKeyPath = "/EmployeeId"
$autoscaleMaxThroughput = 5000
# Create a SQL (Core) API container with a hash partition key on /EmployeeId
# and autoscale throughput capped at 5000 RU/s (backtick = line continuation)
New-AzCosmosDBSqlContainer `
    -ResourceGroupName $resourceGroupName `
    -AccountName $accountName `
    -DatabaseName $databaseName `
    -Name $containerName `
    -PartitionKeyKind Hash `
    -PartitionKeyPath $partitionKeyPath `
    -AutoscaleMaxThroughput $autoscaleMaxThroughput
You create the following qu...
Author: Stella · Last updated May 11, 2026
HOTSPOT -
You are developing a web application that makes calls to the Microsoft Graph API. You register the application in the Azure portal and upload a valid X509 certificate.
You create an appsettings.json file containing the certificate name, client identifier for the application, and the tenant identifier of the Azure Active Directory (Azure AD). You create a method named ReadCertificate to return the X509 certificate by name.
You need to implement code that acq...
Author: Noah · Last updated May 11, 2026
HOTSPOT -
You develop a containerized application. You plan to deploy the application to a new Azure Container instance by using a third-party continuous integration and continuous delivery (CI/CD) utility.
The deployment must be unattended and include all application assets. The third-party utility must only be able to push and pull images from the registry. The authentication must be managed by Azure Active Directory (Azure AD). The solution must use the principle of least privilege.
You need to ensure t...
Author: James · Last updated May 11, 2026
You deploy an Azure App Service web app. You create an app registration for the app in Azure Active Directory (Azure AD) and Twitter.
The app must authenticate users and must use SSL for all communications. The app must use Twitter as the i...
To validate the Azure Active Directory (Azure AD) request in the app code for the authentication process, we need to ensure that the information being sent and received is legitimate and comes from a trusted source. Let’s review each of the given options to determine what should be validated:
A) ID token header
- Explanation: The ID token header typically contains information about the signing algorithm and token type. While it is important in understanding the ID token's structure, validating just the header is not sufficient to ensure the integrity and authenticity of the ID token itself.
- Reasoning: You must validate the actual content of the ID token (its signature and claims) to ensure it hasn't been tampered with, rather than just checking the header. Therefore, validating only the ID token header is insufficient.
B) ID token signature
- Explanation: The ID token signature is the part of the ID token that proves the token has been issued by a trusted identity provider (Azure AD, in this case) and hasn’t been altered. Validating the signature ensures the token is legitimate and issued by Azure AD. You would validate the signature using a public key that Azure AD exposes.
- Reasoning: This is the most correct answer. Validating the ID token's signature guarantees that the token is valid and hasn't been tampered with. It’s the key step in validating any authentication...
Author: Elijah · Last updated May 11, 2026
A development team is creating a new REST API. The API will store data in Azure Blob storage. You plan to deploy the API to Azure App Service.
Developers must access the Azure Blob storage account to develop the API for the next two months. The Azure Blob storage account must not be accessible by the deve...
Let's evaluate the given options based on the requirement that developers need temporary access to the Azure Blob storage account for two months, after which the access should be revoked.
A) Generate a shared access signature (SAS) for the Azure Blob storage account and provide the SAS to all developers.
- Explanation: A Shared Access Signature (SAS) provides a secure, temporary, and limited access mechanism to Azure Blob storage. By generating a SAS token, you can specify an expiration date, granting access for a defined time period. This means developers will only have access to the storage account during the specified period (in this case, two months).
- Reasoning: This option meets the requirement perfectly. You can set an expiration date for the SAS token, and after two months, the SAS token will no longer be valid, thereby preventing further access to the Blob storage account. This solution is flexible and secure, as it allows for granular control over access permissions.
B) Create and apply a new lifecycle management policy to include a last accessed date value. Apply the policy to the Azure Blob storage account.
- Explanation: Lifecycle management policies are primarily used to automate data movement or deletion in Azure Blob storage based on certain criteria, such as file age or last access date. However, lifecycle management does not control who can access the storage account or the associated data.
- Reasoning: This option is not applicable to granting access. Lifecycle management is useful for optimizing data storage but doesn't control user access or meet the specific requirement of temporarily granting access to developers. Therefore, it's not a suitable choice for the scenario.
C) Provide all developers with the access key for the Azure Blob storage account. Update the API to include the Coordinated Universal Time (UT...
Author: SolarFalcon11 · Last updated May 11, 2026
DRAG DROP -
You develop a web application.
You need to register the application with an active Azure Active Directory (Azure AD) tenant.
Which three actions should you perform in sequence? To answer, move all actions from...
Author: Daniel · Last updated May 11, 2026
You have a new Azure subscription. You are developing an internal website for employees to view sensitive data. The website uses Azure Active Directory (Azure AD) for authentication.
You need to implement multifactor authentication for the website.
Which two actions sho...
To implement multifactor authentication (MFA) for an internal website using Azure Active Directory (Azure AD), let's evaluate the options:
A) Configure the website to use Azure AD B2C.
- Explanation: Azure AD B2C is typically used for external-facing applications where you authenticate users outside of your organization (e.g., customers or partners). It provides authentication services for applications that need to manage users from various identity providers.
- Reasoning: Since the website is for internal employees, Azure AD B2C is not necessary or applicable in this case. You should use Azure AD for internal user authentication, not B2C.
B) In Azure AD, create a new conditional access policy.
- Explanation: Conditional Access policies in Azure AD allow you to enforce various authentication requirements, such as requiring multifactor authentication (MFA) based on conditions like user group, device, location, etc. By creating a conditional access policy, you can configure MFA requirements for employees accessing the internal website.
- Reasoning: This is the correct approach. You can define policies that require MFA under specific conditions (such as access to sensitive data), making it highly relevant for enforcing MFA.
C) Upgrade to Azure AD Premium.
- Explanation: Azure AD Premium includes more advanced features for conditional access and identity management, but MFA itself is available in both Azure AD Free and Premium versions, though Premium offers more advanced conditional access features and reporting. However, MFA functionality can still be enabled with Azure AD Free.
- Reasoning: While upgrading to Azure AD Premium would provide more advanced features like conditional access policies and detailed reporting, MF...
Author: Samuel · Last updated May 11, 2026
DRAG DROP -
An organization plans to deploy Azure storage services.
You need to configure shared access signature (SAS) for granting access to Azure Storage.
Which SAS types should you use? To answer, drag the appropriate SAS types to the correct requirements. Each SAS type may be used once, more than once, or not at all. Yo...
Author: RadiantJaguar56 · Last updated May 11, 2026
HOTSPOT -
You are developing an ASP.NET Core app that includes feature flags which are managed by Azure App Configuration. You create an Azure App Configuration store named AppFeatureflagStore as shown in the exhibit:
You must be able to use the feature in the app by using the following markup:
You need to update the app to use the feature flag....
Author: Alexander · Last updated May 11, 2026
HOTSPOT -
You have a single page application (SPA) web application that manages information based on data returned by Microsoft Graph from another company's Azure Active Directory (Azure AD) instance.
Users must be able to authenticate and access Microsoft Graph by using their own company's Azure AD instance.
You need to configure the application manifest for the app registrati...
Author: CrystalWolfX · Last updated May 11, 2026
You manage a data processing application that receives requests from an Azure Storage queue.
You need to manage access to the queue. You have the following requirements:
* Provide other applications access to the Azure queue.
* Ensure that you can revoke access to the queue without having to regenerate the storage account ...
To address the given requirements, we need to carefully consider the different types of Shared Access Signatures (SAS) that Azure offers. Let's evaluate each option:
A) Service SAS with a stored access policy
- Service SAS allows granting access to specific resources (such as a queue, blob, or file) within a storage account.
- Stored Access Policy provides a way to define a set of access policies at the storage service level. It allows for more control by specifying permissions (read, write, etc.), expiration time, and other settings at the resource level.
- Advantages: The key benefit of this option is that it allows you to grant access to a specific resource (in this case, the queue) and manage permissions through the stored access policy. You can revoke access by updating or deleting the stored access policy without needing to regenerate the storage account keys, addressing the requirement for easy revocation.
- Rejection of Other Options:
- Unlike ad hoc SAS, which is generated on the fly, the stored access policy provides flexibility in managing multiple SAS tokens for the same resource.
- Why it’s a better option: You don’t need to regenerate storage account keys, and access is granted at the queue level, not the entire storage account.
B) Account SAS
- Account SAS grants access to all services (Blob, Queue, File, and Table) at the storage account level, and permissions are assigned across the entire account.
- Why it’s rejected: This does not meet the requirement to restrict access at the queue level. If you grant access at the account level, you can’t c...
Author: Rohan · Last updated May 11, 2026
HOTSPOT -
You are developing an application to store and retrieve data in Azure Blob storage. The application will be hosted in an on-premises virtual machine (VM). The VM is connected to Azure by using a Site-to-Site VPN gateway connection. The application is secured by using Azure Active Directory (Azure AD) credentials.
The application must be granted access to the Azure Blob storage account with a start time, expiry time, and read permissions. The Azure Blob storage account access must use the Azure AD credentials of the application to secure data access. Data access must be able to be revoked if the cl...
Author: Emma · Last updated May 11, 2026
You are building a web application that uses the Microsoft identity platform for user authentication.
You are implementing user identification for the web application.
You need to ...
When implementing user identification for a web application using the Microsoft identity platform, the goal is to retrieve a claim that uniquely identifies the user. Let’s evaluate each option based on the requirements:
A) aud (Audience)
- aud is a claim that identifies the intended recipient of the token (the audience). It specifies the application or service that the token is intended for.
- Why it's rejected: While the aud claim helps ensure the token is sent to the correct application, it does not uniquely identify a user. Instead, it identifies the target application or service.
- Use case: The aud claim is primarily used to verify the intended audience of the token and is not used for uniquely identifying users.
B) nonce
- nonce is a claim used to prevent replay attacks. It ensures that a token is not reused inappropriately.
- Why it's rejected: The nonce claim is a security measure to prevent attacks and is not used for identifying a user. It is a unique value associated with the authentication request but does not provide a permanent or unique user identifier.
- Use case: Nonce is useful in protecting the integrity of the authentication process but does not serve the purpose of uniquely identifying users.
C) oid (Object ID)
- oid represents the Object ID of the user in Azure ...
Author: Oscar · Last updated May 11, 2026
You are developing an Azure Function that calls external APIs by providing an access token for the API. The access token is stored in a secret named token in an Azure Key Vault named mykeyvault.
You need to ensure the Azure Func...
To ensure that an Azure Function can securely access a secret (in this case, an access token) stored in Azure Key Vault, you need to use the correct configuration syntax in the Azure Function App settings. Let's go through each option and evaluate it.
Analysis of Options:
Option A: KeyVault:mykeyvault;Secret:token
- This option implies a format where the Key Vault name and secret name are specified directly. However, Azure Functions do not support this syntax to reference secrets. It does not match the expected way of linking a secret in Azure Key Vault to an Azure Function App.
- Rejected: This format is not valid for referencing secrets in Azure Key Vault in the Azure Function App configuration.
Option B: App:Settings:Secret:mykeyvault:token
- This option seems to suggest that a secret is being referenced in an app setting using some custom format, but it does not follow the correct Azure syntax. The Azure Functions configuration does not use this format for referencing secrets stored in Azure Key Vault.
- Rejected: This is not a valid way to reference secrets in Azure Key Vault within an Azure Function's app settings.
Option C: AZUREKVCONNSTR_ https://mykeyvault.vault.azure.net/secrets/token/
- This option resembles a connection string format for accessing a service (such as Azure ...
Author: Aarav2020 · Last updated May 11, 2026
A company maintains multiple web and mobile applications. Each application uses custom in-house identity providers as well as social identity providers.
You need to impl...
To implement Single Sign-On (SSO) for multiple web and mobile applications that use custom in-house identity providers as well as social identity providers, it's important to choose the right solution based on the flexibility and functionality required.
Analysis of Options:
Option A: Use Azure Active Directory B2C (Azure AD B2C) with custom policies
- Azure AD B2C (Business to Consumer) is a service that allows businesses to build customer-facing applications that can authenticate users via both social accounts (such as Facebook, Google) and local/custom identity providers. Custom policies allow for complete control over the authentication process, enabling complex scenarios such as integrating multiple identity providers, custom authentication flows, and more.
- Why Selected: This option is ideal for this scenario because Azure AD B2C supports SSO for both custom in-house identity providers and social identity providers, offering full flexibility with custom policies. Custom policies are particularly useful when you need to customize and fine-tune the authentication process, especially when dealing with diverse identity sources.
- Best Scenario: Companies with complex or highly customized authentication requirements, such as integrating in-house identity systems with a variety of social logins.
Option B: Use Azure Active Directory B2B (Azure AD B2B) and enable external collaboration
- Azure AD B2B allows businesses to enable secure access to internal applications for external users (e.g., partners or contractors). It works by inviting external users to the directory, allowing them to authenticate using their own credentials.
- Rejected: Azure AD B2B is designed for collaboration between organizations (external partners) and is not a solution for handling SSO within customer-facing web and mobile applications with a mix of internal and external identity providers. It does not provide the necessary flexibility to integrate custom in-house identity providers o...
Author: Leo · Last updated May 11, 2026
You develop a Python application for image rendering that uses GPU resources to optimize rendering processes. You deploy the application to an Azure Container Instances (ACI) Linux container.
The application requires a secret value to be passed when the container is started. The value must only be accessed from within the container.
You need to pass the secret...
To pass a secret value to an Azure Container Instance (ACI) Linux container securely and ensure that the value is accessible only from within the container, let's evaluate the options provided.
A) Create an environment variable. Set the secureValue property to the secret value.
- Reasoning: You can pass secret values securely using environment variables, but environment variables are not inherently secure, as they can potentially be exposed in logs or other outputs within the container. However, ACI supports the Azure Key Vault integration to inject secrets into the container via environment variables, which would be a secure way to handle secrets.
- Usage: This can be used in scenarios where you want the secret to be passed securely into the container, utilizing Azure Key Vault to keep it protected.
B) Add the secret value to the container image. Use a managed identity.
- Reasoning: Storing secrets directly in the container image is highly insecure because it would expose the secret whenever the container image is accessed or shared. While managed identities provide a secure way to access Azure resources (like Azure Key Vault), the secret itself should not be hardcoded into the image.
- Usage: This option is not recommended because storing sensitive data directly in the container image defeats the purpose of keeping it secure.
C) Add the secret value to the application code. Set the container startup command.
- Reasoning: Embedding the secret value directly in the application code is insecure. If anyone gains access to the code, they could retrieve the secret. Additionally, passing secrets this way does not leverage Azure's built-in security mechanisms (such as Azure Key Vault), ma...
Author: Isabella · Last updated May 11, 2026
You are developing a user portal for a company.
You need to create a report for the portal that lists information about employees who are subject matter experts for a specific topic. You must ensure that adm...
To decide which technology to use to create a report for the portal, it's important to consider the needs of the system in terms of data access, control, and consent. Let's evaluate the given options:
A) Microsoft Graph Data Connect
- Reasoning: Microsoft Graph Data Connect is a service that allows organizations to integrate their data from Microsoft 365 services (like Office 365, Azure Active Directory, and others) into a data warehouse or data lake. This service is designed for ETL (Extract, Transform, Load) processes and can provide access to data in a controlled and structured manner. It ensures administrators can manage and consent to the access, which aligns well with your requirement for administrators to have full control over the data.
- Usage: This solution would be appropriate if you need to integrate Microsoft 365 data into a centralized data platform for reporting and analytics, and it fits scenarios where consent and full control by administrators are necessary.
- Why selected: It provides a secure, compliant, and controlled way to access data across Microsoft 365 services for reporting purposes.
B) Microsoft Graph API
- Reasoning: The Microsoft Graph API is a comprehensive API that allows you to access and interact with data from various Microsoft services (like Office 365, Azure Active Directory, Teams, SharePoint, etc.). The Graph API can be used to query data, including employee details, roles, and permissions. While it provides great flexibility, you would still need to implement controls around data access and consent manually. This might involve extra development and security mechanisms to ensure administrators maintain control.
- Usage: This is a suitable option for pro...
Author: Olivia Johnson · Last updated May 11, 2026
HOTSPOT -
You are a developer building a web site using a web app. The web site stores configuration data in Azure App Configuration.
Access to Azure App Configuration has been configured to use the identity of the web app for authentication. Security requirements specify that no other authentication systems must be used.
You need to load configuration data from Azure App Configu...
Author: Oliver · Last updated May 11, 2026
HOTSPOT -
You are building an application that stores sensitive customer data in Azure Blob storage. The data must be encrypted with a key that is unique for each customer.
If the encryption key has been corrupted it must not be used for encryption.
You need to ensure that the blob is encrypted.
How should you complete ...
Author: Ella · Last updated May 11, 2026
HOTSPOT -
You are developing a web application that uses the Microsoft Identity platform for user and resource authentication. The web application calls several REST APIs.
You are implementing various authentication and authorization flows for the web application.
You need to validate the claims in the authentication token.
...
Author: CrimsonViperX · Last updated May 11, 2026
HOTSPOT -
You are developing a content management application for technical manuals. The application is deployed as an Azure Static Web app.
Authenticated users can view pages under /manuals, but only contributors can access the page /manuals/new.html.
You need to configure the routing for the web app.
How should you...
Author: Ahmed97 · Last updated May 11, 2026
You are developing a web application that uses the Microsoft identity platform for user and resource authentication. The web application calls several REST APIs.
A REST API call must read the user's calendar. The web application requires permission to send a...
To authorize the web application and allow it to call the APIs for reading the user's calendar and sending an email, you must provide specific permissions during the OAuth 2.0 authorization flow. Let's evaluate the options given:
A) tet
- Reasoning: This seems to be a typo or an invalid option. "tet" does not refer to any known OAuth 2.0 or Microsoft identity platform concept or parameter. Therefore, it cannot be the correct choice.
- Usage: Invalid.
B) code_challenge
- Reasoning: The code_challenge parameter is used as part of the PKCE (Proof Key for Code Exchange) flow. It is designed to protect authorization code flows, especially in public client scenarios like mobile apps or single-page applications (SPAs). However, this is unrelated to the actual authorization scope or the permissions for the web application to access user resources.
- Usage: This is used in public client scenarios for security but is not directly related to the specific permissions required for the web application to access the calendar and send emails.
- Why rejected: It does not pertain to the OAuth scope or permissions for resource access.
C) state
- Reasoning: The state parameter is used to maintain state between the request and callback in the OAuth 2.0 authorization flow. It helps to mitigate CSRF (Cross-Site Request Forgery) attacks by associating the request with a unique identifier. While this is useful for security, it does not specify the permissions or scope required to read the calendar or send emails.
- Usage: This is important for security, but it does not provide the specific API permissions for calendar or email actions.
- Why reje...
Author: Carlos Garcia · Last updated May 11, 2026
HOTSPOT -
You develop and deploy a web app to Azure App Service. The web app allows users to authenticate by using social identity providers through the Azure B2C service. All user profile information is stored in Azure B2C.
You must update the web app to display common user properties from Azure B2C to include the following information:
* Email address
* Job title
* First name
* Last name
* Office location
You need to implement t...
Author: Liam · Last updated May 11, 2026
HOTSPOT -
You develop and deploy the following staticwebapp.config.json file to the app_location value specified in the workflow file of an Azure Static Web app:
For each of the following statements, select Yes if...
Author: Emily · Last updated May 11, 2026
You develop and deploy an Azure App Service web app named App1. You create a new Azure Key Vault named Vault1. You import several API keys, passwords, certificates, and cryptographic keys into Vault1.
You need to grant App1 access to Vau...
To grant App1 access to Vault1 while ensuring that credentials are not stored in the code and can be automatically rotated, let’s analyze the provided options:
A) Enable App Service authentication for App1. Assign a custom RBAC role to Vault1.
- Reasoning: Enabling App Service authentication would authenticate users accessing the app (e.g., users or clients), not the web app itself to access resources like Azure Key Vault. While Role-Based Access Control (RBAC) can be used to control access to Key Vault, the custom RBAC role for Vault1 is not an ideal method here since Azure Key Vault access is better handled by managed identities rather than App Service authentication.
- Usage: This option is more about securing user access to the app rather than giving the app itself secure access to the Key Vault.
- Why rejected: It is unnecessary and less secure than using managed identities, which are specifically designed for secure resource access without requiring secrets in code.
B) Add a TLS/SSL binding to App1.
- Reasoning: Adding a TLS/SSL binding to App1 secures the communication between the client and the web app using HTTPS. This ensures that data in transit is encrypted, but it doesn’t address the core requirement, which is granting App1 access to the Key Vault to read secrets and rotate credentials automatically.
- Usage: This is related to securing the transport layer but doesn't involve managing or securing credentials with Azure Key Vault.
- Why rejected: This option does not help with the specific requirement of granting access to Azure Key Vault or credential management.
C) Upload a self-signed client certificate to Vault1. Update App1 to use the client certificate.
- Reasoning: While client certificates can be used for authentication, this solution would require manual ce...
Author: Isabella · Last updated May 11, 2026
You are developing a Java application to be deployed in Azure. The application stores sensitive data in Azure Cosmos DB.
You need to configure Always Encrypted to encry...
To configure Always Encrypted for encrypting sensitive data inside a Java application deployed on Azure, the first step is to ensure that you have the necessary encryption keys in place. Let's break down each option and see which one fits the requirement.
A) Create a new container to include an encryption policy with the JSON properties to be encrypted.
- Why it's rejected: This option is related to creating containers and defining policies for JSON data in Azure Cosmos DB. It doesn't directly relate to configuring Always Encrypted in the context of encryption key management, which is the main concern for securing sensitive data in the application.
- Relevant scenario: This option might be used when you're setting up Cosmos DB containers and need to define encryption policies at the container level, but it doesn't help with configuring Always Encrypted.
B) Create a customer-managed key (CMK) and store the key in a new Azure Key Vault instance.
- Why it's rejected: Although this option is relevant for key management, Always Encrypted doesn't directly require a customer-managed key in Azure Key Vault for Cosmos DB. Always Encrypted primarily relies on data encryption keys (DEKs), and these keys are stored within Cosmos DB, not in Azure Key Vault.
- Relevant scenario: This option might be used if you're working with Azure SQL Database and need to configure Always Encrypted with a CMK, but it's not the right choice for Azure Cosmos DB.
C) Create a data encryption key (DEK) by using the Azure Cosmos DB SDK and store the key in Azure Cosmos DB.
- Why this i...
Author: Alexander · Last updated May 11, 2026
HOTSPOT -
You develop a web app that interacts with Azure Active Directory (Azure AD) groups by using Microsoft Graph.
You build a web page that shows all Azure AD groups that are not of the type 'Unified'.
You need to build the Microsoft Graph query for the page.
How should you compl...
Author: Lucas Carter · Last updated May 11, 2026
DRAG DROP -
You are developing an Azure solution.
You need to develop code to access a secret stored in Azure Key Vault.
How should you complete the code segment? To answer, drag the appropriate code segments to the correct location. Each code segment may be used once, more than once, or not at ...
Author: Sophia Clark · Last updated May 11, 2026
HOTSPOT -
You are a developer building a web site using a web app. The web site stores configuration data in Azure App Configuration.
Access to Azure App Configuration has been configured to use the identity of the web app for authentication. Security requirements specify that no other authentication systems must be used.
You need to load configuration data from Azure App ...
Author: FrozenWolf2022 · Last updated May 11, 2026
You are developing several microservices to deploy to a new Azure Kubernetes Service cluster. The microservices manage data stored in Azure Cosmos DB and Azure Blob storage. The data is secured by using customer-managed keys stored in Azure Key Vault.
You must automate key rotation for all Azure Key Vault keys and allow for manual key rotation. Keys must rotate every three months. Notifications of expiring keys must be sent before key expiry.
You need to co...
To automate key rotation for all Azure Key Vault keys and enable notifications of expiring keys, the solution must ensure that key management is streamlined, automated, and allows manual intervention when necessary. Let's go over each option and explain the reasoning behind the selected options and the rejection of others.
A) Create and configure a new Azure Event Grid instance.
- Why it's rejected: While Azure Event Grid is useful for routing events to different services, it is not directly responsible for configuring key rotation or expiry notifications in Azure Key Vault. Event Grid can help trigger events, but it does not handle the automatic rotation or notification setup for keys in Key Vault.
- Relevant scenario: Event Grid could be part of a broader solution where other components are listening for events, but it is not the most appropriate tool for key rotation or expiry notifications directly within Key Vault.
B) Configure Azure Key Vault alerts.
- Why this is selected: Azure Key Vault supports the configuration of alerts for specific events, such as expiring keys or keys nearing expiration. By setting up Key Vault alerts, you can configure notifications to be sent before the key expiry occurs, meeting the requirement for expiring key notifications. This would ensure that you receive timely reminders about expiring keys, allowing you to rotate or renew them before they expire.
- Relevant scenario: This option is a direct fit for notifying users about expiring keys in Azure Key Vault, allowing you to manage the keys and ensure that the application remains functional without issues related to...
Author: Mia · Last updated May 11, 2026
You are developing a web application that uses the Microsoft identity platform to authenticate users and resources. The web application calls several REST APIs.
The APIs require an access token from the Microsoft identity platform.
You need to request a token.
Which three prope...
To request an access token from the Microsoft identity platform, you need to configure your application to interact with Azure AD and ensure the authentication and authorization process works properly. The three properties that are essential for requesting an access token are:
A) Redirect URI/URL
- Explanation: The redirect URI (or redirect URL) is where the authentication response is sent after a user has authenticated. It is a required parameter for OAuth 2.0 and OpenID Connect flows in the Microsoft identity platform. It ensures that the user’s authentication response is correctly routed to the web application after login.
- Reason for Selection: Without the redirect URI, the platform will not know where to send the token or authorization code. It is a fundamental part of securing the authentication flow.
B) Application ID
- Explanation: The application (client) ID is a unique identifier for your application in Azure Active Directory (Azure AD). This ID is required when the application makes a request for an access token because the Microsoft identity platform needs to know which application is requesting access.
- Reason for Selection: The application ID is essential for identifying the app that is requesting the token. It ties your request to the registered app in Azure AD.
E) Supported Account Type
- Explanation: The supported account type defines which users or types of accounts are allowed to authenticate and use the application. This includes the following options:
...
Author: Aria · Last updated May 11, 2026
HOTSPOT -
You are developing an application that uses Azure Storage to store customer data. The data must only be decrypted by the customer and the customer must be provided a script to rotate keys.
You need to provide a script to rotate keys to the customer.
How should you complete ...
Author: Sofia · Last updated May 11, 2026
You are developing several Azure API Management (APIM) hosted APIs.
You must transform the APIs to hide private backend information and obscure the technology stack used to implement...
To protect APIs hosted in Azure API Management (APIM) and obscure private backend information, the goal is to transform and secure responses so that sensitive backend details, such as technology stack information, are not exposed to the API consumer. This requires the use of policies that can manipulate or filter the response data and headers.
A) Configure and apply a new inbound policy scoped to a product
- Explanation: Inbound policies are applied to requests before they reach the backend service. While you can use inbound policies to authenticate, validate, or transform incoming requests, it is not the most suitable choice for hiding backend information or obscuring the technology stack. Inbound policies primarily focus on securing incoming requests, not on transforming or hiding information in the response.
- Reason for Rejection: This option is more about request validation, security, and transformation, but not about response obfuscation or hiding backend details.
B) Configure and apply a new outbound policy scoped to the operation
- Explanation: Outbound policies are applied to responses coming from the backend before they are sent to the client. You can use outbound policies to modify or filter the response content, which is the appropriate place to remove or obscure backend technology information. By applying outbound policies at the operation level, you can target specific APIs and manage the response for those APIs effectively.
- Reason for Selection: This option allows you to directly manipulate the response and ensure that private backend details (e.g., headers, technology stack) are either removed or obfuscated. It's the...
Author: Arjun · Last updated May 11, 2026
HOTSPOT -
You are developing an Azure Function App named App1. You also plan to use cross-origin requests (CORS).
You have the following requirements:
* App1 functions must securely access an Azure Blob Storage account.
* Access to the Azure Blob Storage account must not require the provisioning or rotation of secrets.
* JavaScript code running in a browser on an external host must not be allowed to interact with the funct...
Author: Zara1234 · Last updated May 11, 2026
HOTSPOT -
You develop a containerized application. The application must be deployed to an existing Azure Kubernetes Service (AKS) cluster from an Azure Container Registry (ACR) instance. You use the Azure command-line interface (Azure CLI) to deploy the application image to AKS.
Images must be pulled from the registry. You must be able to view all registries within the current Azure subscription. Authentication must be managed by Microsoft Entra ID and removed when the registry is deleted. The solution must use the principle of least privilege...
Author: Charlotte · Last updated May 11, 2026
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study -
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
Background -
Munson's Pickles and ...
To implement farmer authentication as per the requirements of Munson's Pickles and Preserves Farm, we need to ensure that the authentication mechanism is set up using Microsoft Entra ID. The options provided are related to setting up the authentication for the farmers.
Let's break down each option:
A) Add the shared access signature (SAS) token to the app.
- A Shared Access Signature (SAS) token is typically used to provide delegated access to Azure resources. However, this is not directly related to authentication using Microsoft Entra ID. SAS tokens are generally used for access to Azure Storage or for secure communication with services, not for user authentication. This option is not suitable for setting up user authentication via Microsoft Entra ID.
B) Create a shared access signature (SAS) token.
- Similar to option A, creating a SAS token is for securing access to Azure resources, not for authenticating users to applications. This does not address the farmer authentication requirement via Microsoft Entra ID. Therefore, this option is not suitable.
C) Create a user flow.
- A user flow in Microsoft Entra ID is a pre-built, configurable authentication experience for users. It can be used to manage authentication flows for users, such as sign-ups, sign-ins, or password resets. ...
Author: Henry · Last updated May 11, 2026
Case study -
Background -
Munson's Pickles and ...
To secure the corporate website, we need to address several key security requirements outlined in the scenario:
Key Security Requirements:
1. All web communications must be secured using TLS/HTTPS: This ensures that data is encrypted during transit.
2. Web content must be restricted by country/region: This ensures compliance with corporate standards.
3. The principle of least privilege: This is about securing access rights to services.
4. Managed identities for Azure resources must be used to authenticate services that support Microsoft Entra ID authentication: This ensures secure authentication for services without using credentials in code.
Now, let's evaluate each option:
A) Create an Azure Cache for Redis instance. Update the code to support the cache.
- Azure Cache for Redis is a service used for improving performance by caching frequently accessed data. While this can help with performance optimization (e.g., faster webpage load times), it does not directly address security requirements, such as TLS/HTTPS or restricting web content by country/region. This option is not suitable for securing the website.
B) Create an Azure Content Delivery Network profile and endpoint. Configure the endpoint.
- Azure Content Delivery Network (CDN) improves the performance and speed of content delivery by caching content at edge locations closer to the user. While a CDN can help improve webpage load times, it is primarily focused on content delivery and performance. It does not directly address the security requirements like end-to-end TLS encryption, managed identities, or web content restriction by country/region. Therefore, this option is not sufficient...
Author: Aarav · Last updated May 11, 2026
HOTSPOT -
Case study -
Background -
Mu...
Author: Noah · Last updated May 11, 2026
Case study -
Background -
Munson's Pickles and ...
To configure site configuration settings for the corporate website, we need to take actions that meet the requirements mentioned in the case study. Here's the analysis of each option:
A) Create a managed identity.
- A managed identity is used to authenticate services securely without storing credentials in code. It's required for authentication when accessing Azure resources. However, this is more relevant for securing access to other Azure resources like databases or services, but the question specifically asks for configuring settings for the website. While creating a managed identity is useful in other scenarios (like for services that require access to Azure resources), it is not the primary action needed for configuring the website settings in this scenario.
B) Update the role assignments for the Azure Key Vault.
- Azure Key Vault is a service that stores secrets, certificates, and other sensitive data. While it is critical for securing sensitive information (which is part of the corporate website’s security requirement), this option pertains specifically to adjusting access control for the Key Vault, which doesn’t directly address the overall configuration settings for the website itself.
C) Create an Azure App Configuration store.
- This is the correct answer. Azure App Configuration is a service designed for central management of application settings and feature flags. It can be used to store and manage the configuration settings for the website, ensuring that settings are centrally stored and secured, as required by the case study. App Configuration supports encryption and can store non-sensitive settings like URLs, feature flags, etc. In this case, it als...
Author: Ethan · Last updated May 11, 2026
You are developing an application that uses keys stored in Azure Key Vault.
You need to enforce a specific cryptographic algorithm and ke...
In this scenario, you need to enforce a specific cryptographic algorithm and key size for keys stored in Azure Key Vault. Let’s evaluate the available options:
A) Secret versioning
- Secret versioning in Azure Key Vault refers to keeping track of multiple versions of a secret. It allows you to manage different versions of secrets over time, but it does not control or enforce cryptographic algorithms or key sizes. Secret versioning is more about managing the lifecycle of secrets, and it doesn’t apply to setting specific key algorithms or sizes for encryption keys.
- Rejected because it doesn’t apply to enforcing cryptographic standards for keys.
B) Azure Policy
- This is the correct answer. Azure Policy is used to enforce compliance with certain configurations, standards, or rules across Azure resources. Azure Policy can be used to define rules for Key Vault, such as enforcing the use of specific cryptographic algorithms or key sizes for keys stored in the vault. You can create a custom policy definition that requires the use of specific algorithms or key sizes, and apply that policy to your Key Vault.
- Selected because Azure Pol...
Author: Noah · Last updated May 11, 2026
HOTSPOT -
A company has an Azure storage static website with a custom domain name.
The company informs you that unauthorized users from a different country/region are accessing the website. The company provides the following requirements for the static website:
* Unauthorized users must not be able to access the website.
* Users must be able to access the website using the HTTPS protocol.
You need to i...
To meet the company's requirements of blocking unauthorized users from accessing the static website while ensuring that users can access the site using HTTPS, you need to consider the following options:
Requirements:
1. Unauthorized users must not be able to access the website — This implies blocking access based on region or country.
2. Users must be able to access the website using the HTTPS protocol — This indicates enabling SSL/TLS encryption.
Key Concepts:
1. Azure Storage Static Website: Azure Blob Storage allows hosting static websites. You can configure custom domains, HTTPS, and enforce security rules.
2. Geo-blocking: This is the method for restricting access based on the user's geographical location (country or region).
3. HTTPS: To secure traffic, HTTPS should be enforced via an SSL certificate.
Options to Consider:
1. Enforce HTTPS (via Azure CDN or Azure Front Door)
- To ensure HTTPS traffic, you need to enforce SSL/TLS encryption. Azure Front Door or Azure CDN can be used to enforce HTTPS by redirecting HTTP requests to HTTPS.
- Azure Storage static websites by themselves can serve content over HTTPS if configured with a custom domain and SSL certificate.
2. Geo-blocking (via Azure Front Door or Azure CDN)
- Azure Front Door and Azure CDN allow geo-blocking features where you can restrict access to the website based on geographic regions.
- By enabli...
Author: Sofia · Last updated May 11, 2026
DRAG DROP -
Case study -
Background -...
To secure the corporate website for users and meet the requirements stated in the case study, we need to follow a systematic process of implementing security measures. Below is a detailed explanation of how to approach this and the steps to follow.
Requirements for Securing the Corporate Website:
- User Authentication: Allowing one-time passcode sign-in and social identity providers (Google or Facebook).
- Secure Data Access: The Inventory Items API should securely access Azure Cosmos DB data.
- Securing Credentials: Azure Cosmos DB credentials must be securely stored and not in clear text.
- Image Upload: Ensuring image files are stored securely (JPEG format with EXIF data).
Sequence of Actions:
1. Configure Authentication and Authorization:
- Action: Integrate Microsoft Entra ID to support social identity providers (Google, Facebook) and one-time passcodes.
- Reasoning: The requirement states that users need to sign in through social identity provider...
Author: Sofia2021 · Last updated May 11, 2026
You are developing a Microsoft Entra ID integrated app that interacts with Microsoft Graph.
You must allow GET operations to receive unknown members that might be defined in the future in Microsoft Graph API. You plan to include support for evolvable enumerations in the app.
You need to spec...
In this scenario, you need to support evolvable enumerations in a Microsoft Entra ID integrated app that interacts with Microsoft Graph. Evolvable enumerations allow future members to be included in API responses without breaking backward compatibility, ensuring that your application can handle unknown members that might be defined in the future.
Analysis of the Options:
1. A) Accept:
- The `Accept` header in HTTP is used to specify the desired response format, such as `application/json`. However, it is not related to enabling support for evolvable enumerations. This header simply tells the API what kind of response the client expects.
- Rejected: `Accept` does not provide evolvable enumeration support.
2. B) Content-Type:
- The `Content-Type` header is used in HTTP requests to indicate the type of data being sent (e.g., `application/json`). This header is used to describe the data format of the request body, but it is not involved in specifying evolvable enumeration support.
- Rejected: `Content-Type` is for request body format, not for enabling evolvable enumerations.
3. C) If-Match:
- The `If-Match` header...