AZ-204
108. You need to add markup at line AM04 to implement the ContentReviewRole. How should you complete the markup? To answer, drag the appropriate json segments to the correct locations. Each json segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. (Each correct selection is worth one point)
"appRoles": [ { "allowedMemberTypes" : [ "User" ], "displayName": "ContentReviewer", "id': "e1c2ade8-98f8-45fd-aa4a-6d24b512c22a", "isEnabled" : true, "value": "ContentReviewer" } ], [Answer] 1. allowedMemberTypes 2. User 3. value Explanation: 1. allowedMemberTypes specifies whether this app role definition can be assigned to users and groups by setting to "User", or to other application (that are accessing this application in daemon services scenarios) by setting to "Application", or to both. 2. In order to review content a user must be part of a ContentReviewer role. 3. value specifies the value which will be included in the roles claim in the authentication and access tokens.
112. You need to add code at line AM10 of the application manifest to ensure that the requirement for manually reviewing content can be met. How should you complete the code? To answer, select the appropriate options in the answer area. (Each correct selection is worth one point)
"optionalClaims" : [ "sid" , "email"], [Answer] 1. sid - Session ID, used for pre-session user sign-out. Personal and Azure AD accounts. 2. email - All completed reviews must include the reviewer's email address for auditing purposes
70. You are developing an application that needs access to an Azure virtual machine (VM). The access lifecycle for the application must be associated with the VM service instance You need to enable managed identity for the VM. How should you complete the PowerShell segment? To answer, select the appropriate options in the answer area. $vm = Get-AzVM -ResourceGroupName "ContosoRG" -Name "ContosoVM" Update-AzVM - ResourceGroupName "ContosORG" -VM $vm _____(1)_____ _____(2)______ 1) -IdentityID: -AssignIdentity 2) $SystemAssigned $UserAssigned
$vm = Get-AzVM -ResourceGroupName "ContosoRG" -Name "ContosoVM" Update-AzVM - ResourceGroupName "ContosORG" -VM $vm -IdentityID: $SystemAssigned 1) -IdentityID: 2) $SystemAssigned Explanation: Box 1: Identity Type Enable system-assigned managed identity on an existing Azure VM: To enable a system-assigned managed identity, use the -Identity Type switch on the Update-AzVM cmdlet (see below). Box 2: $SystemAssigned Svm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM Update-AzVM-ResourceGroupName myResource Group -VM $vm-Identity Type System Assigned
109. You need to add code at line AM09 to ensure that users can review content using ContentAnalysisService. How should you complete the code? To answer, select the appropriate options in the answer area. (Each correct selection is worth one point)
1. "oauth2Permissions":["login"] -Specifies the collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. These permission scope may be granted to client apps during consent. 2. "oauth2AllowImplicitFlow":true - For applications (Angular, Ember.js, React.js, and so on), Microsoft identity platform support the OAuth 2.0 Implicit Grant Flow.
30. DRAG DROP You are a developer for a company that provides a bookings management service in the tourism industry. You are implementing Azure Search for the tour agencies listed in your company's solution. You create the index in Azure Search. You now need to use the Azure Search .NET SDK to import the relevant data into the Azure Search service. Which three action should you perform in sequence? -Create a DataSource instance and set its Container property to the DataContainer. -Create an IndexBatch that contains the documents which must be added -Set the DataSources property of the SearchServiceClient. -Create a SearchIndexClient object to connect to the search index. -Call the Documents.Index method of the SearchIndexCLient and pass the IndexBatch -Call the Documents.Suggest method of the SearchIndexClient and pass the DataSource
1. Create a SearchIndexClient object to connect to the search index. 2. Create an IndexBatch that contains the documents which must be added. 3. Call the Documents.Index method of the SearchIndexClient and pass the IndexBatch. Explanation: Populate the Index by using SearchIndexClient. You can construct it or by calling Indexes.GetClient on the SearchServiceClient. Here we will use the first method. 2. Create the indexBatch with the documents. Something like: Var hotels = new Hotel[]; { new Hotel () { Hoteld= "3", BaseRate = 129.99, Descripttion = "Close to town hall and the river" } }; ...... Var batch = IndexBatch.Upload(hotels); 3. The next step is to populate the newly created index Example: Var batch = IndexBatch.Upload(hotels); Try { indexClient.Documents.Index(batch); }
67. You are developing an application to use Azure Blob storage. You have configure Azure Blob storage to include change feeds. A copy of your storage account must be created in another region. Data must be copied from the current storage account the the new one directly between storage servers. You need to create a copy of the storage account in another region and copy the data. In which order should you perform the actions? Actions: - Use AZCopy to copy the data to the new storage account. - Deploy the template to create a new storage account in the target region. - Export a Resource Manager template. - Create a new template deployment. - Modify the template by changing the storage account name and region.
1. Create a new template deployment. 2. Export a Resource Manager template. 3. Modify the template by changing the storage account name and region. 4. Deploy the template to create a new storage account in the target region. 5. Use AZCopy to copy the data to the new storage account. Explanation: To move a storage account, create a copy of your storage account in another region. Then, move your data to that account by using AZCOPY, or another tool of your choice. Steps: 1. Export a template. 2. Modify the template by adding the target region and storage account name. 3. Deploy the template to create the new storage account. 4. Configure the new storage account. 5. Move data to the new storage account. 6. Delete the resources in the source region. Note: You must enable the change feed on your storage account to begin capturing and recording changes. You can enable and disable changes b using Azure Resource Manager template on Portal or Powershell.
68. You are preparing to deploy an Azure VM-based application. The VMs that run the application have the following requirements: - When a VM is provisioned the firewall must be automatically configured before it can access Azure resources. - Supporting services must be installed by using an Azure PowerShell script that is stored in Azure Storage. You need to ensure that the requirements are met. Which features should you use? Match the features to the right requirements. Each feature may be used once, more than once, or not at all. Features: - Run command. - Serial console. - Hybrid runbook worker. - Custom script extension. Requirements: 1. Firewall configuration. 2. Supporting services script
1. Firewall configuration: Run command 2. Supporting services scrip: Hybrid runbook worker.
65. You are configuring a development environment for your team. You deploy the latest Visual Studio image from the Azure Marketplace to your Azure subscription. The development environment requires several software development kits (SDKs) and third-party components to support application development across the organization. You install and customize the deployed virtual machine for your development team. the customized VM must be saved to allow provisioning of a new team member development environment. You need to save the customized VM for future provisioning. Which tools or services should you use? Action: 1. Generalize the VM. Tool or service: - Azure PowerShell - Visual Studio command prompt - Azure Migrate - Azure Backup Action: 2. Store images. Tool or service: - Azure Blob Storage - Azure Data Lake Storage - Azure File Storage - Azure Table Storage
1. Generalize the VM: Azure PowerShell 2. Store images: Azure Blob Storage Explanation: 1. Creating an image directly from the VM ensures that the image includes all of the disks with the VM, including the OS disk and any data disks. Before you begin, make sure that you have the latest version of the Azure PowerShell module. 2. You can store images in Azure Blob Storage.
139. You are developing an application. You have an Azure user account that has access to two subscriptions. You need to retrieve a storage account key secret from Azure Key Vault. In which order should you arrange the PowerShell commands to develop the solution? To answer, move all commands from the list of commands to the answer area and arrange them in the correct order.
1. Get-AzSubscription 2. Set-AzContext -SubscriptionId $subscriptionID 3. Get-AzStorageAccountKey — ResourceGroupName $resGroup -Name $storAcct 4. $secretvalue = ConvertTo-SecureString $storAcctkey -AsPlainText -Force Set-AzKeyVaultSecret —VaultName $vaultName -Name $secretName -SecretValue $secretvalue 5. Get-AzKeyVaultSecret -VaultName $vaultName Explanation: Step 1: Get-AzSubscription If you have multiple subscriptions, you might have to specify the one that was used to create your key vault. Enter the following to see the subscriptions for your account: Get-AzSubscription Step 2: Set-AzContext -Subscriptionld To specify the subscription that's associated with the key vault you'll be logging, enter: Set-AzContext -Subscriptionld Step 3: Get-AzStorageAccountkey.You must get that storage account key. Step 4: $secretvalue = ConvertTo-SecureString <storageAccountKey> -AsPlainText -Force Set-AzKeyVaultSecret -VaultName <vaultName> -Name <secretName> -SecretValue $secretvalue After retrieving your secret (in this case, your storage account key), you must convert that key to a secure string, and then create a secret with that value in your key vault Step 5: Get-AzKeyVaultSecret. Next, get the URI for the secret you created. You'll need this URI in a later step to call the key vault and retrieve your secret. Run the following PowerShell command and make note of the ID value, which is the secret's URI: Get-AzKeyVaultSecret —VaultName <vaultName>
115. You need to retrieve the database connection string. Which values should you use? To answer, select the appropriate options in the answer area. (Each correct selection is worth one point)
1. REST API Endpoint https:// cpandlkeyvault. vault.azure.net/secrets/PostgreSQLConn/ 2. Variable type to access Azure Key Vault secret values: Querystring Answer: 1. cpandlkeyvault 2. PostgreSQLConn 3. Querystring Explanation: Azure database connection string retrieve REST API vault.azure.net/secrets/ 1. We specify the key vault, cpandlkeyvault 2. We specify the secret, PostgreSQLConn
64. You are developing a solution for a hospital to support the following use cases: - The most recent patient status details must be retrieved even if multiple users in different location have updated the patient record. - Patient health monitoring data retrieved must be the current version or the prior version. - After a patient is discharged and all changes have been assessed, the patient billing record contains the final charges. You provision a Cosmos DB NoSQL database and set the default consistency level for the database account to "Strong". You set the value for Indexing Mode to "Consistent". You need to minimize latency and any impact to the availability of the solution. You must override the default consistency level at the query level to meet the required consistency guarantees for the scenarios. Which consistency levels should you implement? To answer, drag the appropriate consistency levels to the correct requirements. Each consistency level may be used once, more than once, or not at all. Consistency level: - Strong - Boundless Staleness - Consistent Prefix - Eventual Requirements: - Return the most recent patient status. - Return health monitoring data that is no less than one version behind. - After patient is discharged and all charges are assessed, retrieve the correct billing data with the final charges.
1. Return the most recent patient status. "Strong" 2. Return health monitoring data that is no less than one version behind. "Bounded Staleness" 3. After patient is discharged and all charges are assessed, retrieve the correct billing data with the final charges. "Eventual" Explanation: 1. "Strong" consistency offers a linearizability guarantee. The reads are guaranteed to return the most recent committed version of an item. A client never sees an uncommitted or partial write. Users are always guaranteed to read the latest committed write. 2. The reads are guaranteed to honor the consistent-prefix guarantee. The reads might lag behind writes by at most "K" versions (that is "updates") of an item or by "t" time interval. When you choose "Bounded Staleness", the "staleness" can be configured in two ways: - The number of versions (K) of the item. - The time interval (t) by which the reads might lag behind the writes. 3. There's no ordering guarantee for reads. In the absence of any further writes, the replicas eventually converge. Wrong: "Consistent Prefix". Updates that are returned contain some prefix of all updates, with no gaps. Consistent prefix guarantees that reads never see out-of-order writes.
16. HOTSPOTYou have developed a Web App for your company. The Web App provides services and must run in multiple regions. You want to be notified whenever the Web App uses more than 85 percent of the available CPU cores over a 5 minute period. Your solution must minimize costs. Which command should you use? Fill in the blank az monitor metrics alert create -n myAlert -g myResourceGroup -scopes targetResourceID -condition "________>85" _________ 1st Blank A.CPU Usage B. Percentage CPU C. avg Percentage CPU 2nd Blank A. -window size B. -evaluation-frequency C. --auto-mitigate
1st Blank avg Percentage CPU 2nd Blank --window size
7. Your company has an Azure subscription You need to deploy a number of Azure virtual machines to the subscription by using Azure Resource Manager (ARM) templates. The virtual machines will be included in a single availability set. You need to ensure that the ARM templates allows for as many virtual machines as possible to remain accessible in the event of fabric failure or maintenance. Which of the following is the value that you should configure for the platformFaultDomainCount property? A.10 B.20 C.30 D.40
40 Each virtual machine in your availability set is assigned an update domain and a fault domain by the underlying Azure platform. For a given availability set, 5 non-user-configurable update domains are assigned by default (Resource Manager deployments can then be increased to provide up to 20 update domains) to indicate groups of virtual machines and underlying physical hardware that can be rebooted at the same time.
You are building a traffic monitoring system that monitors traffic along six highways. The system produces time series analysis-based reports for each highway. Data from traffic sensors are stored in Azure Event Hub. Traffic data is consumed by four departments. Each department has an Azure Web App that displays the time series-based reports and contains a WebJob that processes the incoming data from Event Hub. All Web Apps run on App Service Plans with three instances. Data throughput must be maximized. Latency must be minimized. You need to implement the Azure Event Hub. Which settings should you use? Select appropriate answers from below. Number of partitions: 3, 4, 6, or 12. Partition Key: Highway, Department, Timestamp, or VM name.
6 & Highway. There are 6 highways. Note: number of partition is specified at creation and must be between 2 and 32.
165. You need to investigate the Azure Function app error message in the development environment. What should you do? A Connect Live Metrics Stream from Application Insights to the Azure Function app and filter the metrics B. Create a new Azure Log Analytics workspace and instrument the Azure Function app with Application Insights. C. Update the Azure Function app with extension methods from Microsoft.Extensions.Logging to log events by using the log instance. D. Add a new diagnostic setting to the Azure Function app to send logs to Log Analytics.
A Connect Live Metrics Stream from Application Insights to the Azure Function app and filter the metrics Explanation: Azure Functions offers built-in integration with Azure Application Insights to monitor functions The following areas of Application Insights can be helpful when evaluating the behavior, performance, and errors in your functions: Live Metrics: View metrics data as it's created in near real-time. Failures Performance Metrics
155. You develop and deploy an Azure Logic app that calls an Azure Function app. The Azure Function app includes an OpenAPI (Swagger) definition and uses an Azure Blob storage account. All resources are secured by using Azure Active Directory (Azure AD). The Azure Logic app must securely access the Azure Blob storage account. Azure AD resources must remain if the Azure Logic app is deleted. You need to secure the Azure Logic app. What should you do? A Create a user-assigned managed identity and assign role-based access controls. B. Create an Azure AD custom role and assign the role to the Azure Blob storage account. C. Create an Azure Key Vault and issue a client certificate. D. Create a system-assigned managed identity and issue a client certificate. E. Create an Azure AD custom role and assign role-based access controls.
A Create a user-assigned managed identity and assign role-based access controls. Explanation: To give a managed identity access to an Azure resource, you need to add a role to the target resource for that identity. Note: To easily authenticate access to other resources that are protected by Azure Active Directory (Azure AD) without having to sign in and provide credentials or secret s , your logic app can use a managed identity (formerly known as Managed Service Identity or MSI). Azure manages this identity for you and helps secure your credentials because you don't have to provide or rotate secrets. If you set up your logic app to use the system-assigned identity or a manually created, user-assigned identity, the function in y our logic app c an also use that same identity for authentication.
162. A development team is creating a new REST API. The API will store data in Azure Blob storage. You plan to deploy the API to Azure App Service. Developers must access the Azure Blob storage account to develop the API for the next two months. The Azure Blob storage account must not be accessible by the developers after the two-month time period. You need to grant developers access to the Azure Blob storage account. What should you do? A Generate a shared access signature (SAS) for the Azure Blob storage account and provide the SAS to all developers. B. Create and apply a new lifecycle management policy to include a last accessed date value. Apply the policy to the Azure Blob storage account. C. Provide all developers with the access key for the Azure Blob storage account. Update the API to include the Coordinated Universal Time (UTC) timestamp for the request header. D. Grant all developers access to the Azure Blob storage account by assigning role-based access control (RBAC) roles.
A Generate a shared access signature (SAS) for the Azure Blob storage account and provide the SAS to all developers.
161.You deploy an Azure App Service web app. You create an app registration for the app in Azure Active Directory (Azure AD) and Twitter. The app must authenticate users and must use SSL for all communications. The app must use Twitter as the identity provider. You need to validate the Azure AD request in the app code. What should you validate? A ID token header B. ID token signature C. HTTP response code D. Tenant ID
A ID token header
153. You develop a REST API. You implement a user delegation SAS token to communicate with Azure Blob storage. The token is compromised. You need to revoke the token. What are two possible ways to achieve this goal? Each correct answer presents a complete solution NOTE: Each correct selection is worth one point. A Revoke the delegation key. B Delete the stored access policy C. Regenerate the account key. D. Remove the role assignment for the security principle.
A Revoke the delegation key. B Delete the stored access policy Explanation: A: Revoke a user delegation SAS To revoke a user delegation SAS from the Azure CLI, c all the az storage account revoke-delegation-keys command. This command revokes all of the user delegation keys associated with the specified storage account. Any shared access signatures associated with those keys are invalidated. B: To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately effects all of the shared access signatures associated with it.
You manage an Azure SQL database that allows for Azure AD Authentication. You need to make sure that database developers can connect to the SQL database via Microsoft SQL Server Management Studio (SSMS). You also need to make sure the developers use their on-premises Active Directory account for authentication. Your strategy should allow for authentication prompts to be kept to a minimum. Which of the following should you implement?
Active Directory integrated authentication - Azure AD can be the initial Azure AD managed domain. Azure AD can also be an on-premises Active Directory Domain Services that is federated with the Azure AD.
66. You are preparing to deploy a website to an Azure Web App from a GitHub repository. The website includes static content generated by a script. You plan to use the Azure Web App continuous deployment feature. You need to run the static generation script before the website starts serving traffic. What are two possible ways to achieve this goal? Each correct answer presents a complete solution. A. Add the path to the static content generation tool to WEBSITE_RUN_FROM_PACKAGE setting in the host.json file. B. Add a PreBuild target in the websites csproj project file that runs the static content generation script. C. Create a file named run.cmd in the folder /run that calls a script which generates the static content and deploys the website. D. Create a file names .deployment in the root of the repository that call a script which generates the static content and deploys the website.
A. Add the path to the static content generation tool to WEBSITE_RUN_FROM_PACKAGE setting in the host.json file. D. Create a file names .deployment in the root of the repository that call a script which generates the static content and deploys the website. Explanation: A. In Azure, you can run your functions directly from a deployment package file in your function app. The other option is to deploy your files in the d:\home\site\wwwroot directory of your function app (see A). To enable your function app to run from a package, you just add a WEBSITE_RUN_FROM_PACKAGE setting to your function app settings. Note: the host.json metadata file contaons global configuration options that affect all functions for a function app. D. To customize your deplyment, include a .deployment file in the repository root. You just need to add a file to the root of your repository with the name .deployment and the content: [config] command = YOUR COMMAND TO RUN FOR DEPLOYMENT this command can be just running a script (batch file) that has all that is required for your deployment, like copying files from the repository to the web root directory for example.
11. Your Azure Active Directory Azure (Azure AD) tenant has an Azure subscription linked to it. Your developer has created a mobile application that obtains Azure AD access tokens using the OAuth2 implicit grant type. The mobile application must be registered in Azure AD. You require a redirect URL from the developer for registration purposes. Is the statement correct? A. No change required B. a secret C. a login hint D. a client ID
A. No change required
127. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials. You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user's Azure AD group membership must be used to determine the permission level You need to configure authorization. Solution: - Create a new Azure AD application. In the application's manifest, set value of the groupMembershipClaims option to All - In the website, use the value of the groups claim from the JWT for the user to determine permissions. Does the solution meet the goal? A. Yes B. No
A. Yes Explanation : To configure Manifest to include Group Claims in Auth Token 1. Go to Azure Active Directory to configure the Manifest. Click on Azure Active Directory, and go to App registrations to find your application. 2. Click on your application (or search for it if you have a lot of apps) and edit the Manifest by clicking on it. 3. Locate the "groupMembershipClaims" setting. Set its value to either "SecurityGroup" or "All". To help you decide which: + "SecurityGroup" - groups claim will contain the identifiers of all security groups of which the user is a member. + "AIl" groups claim will contain the identifiers of all security groups and all distribution lists of which the user is a member. Now your application will include group claims in your manifest and you can use this fact in your code.
144. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You develop Azure Solutions. You must grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager. You need to obtain an Azure Resource Manager access token. Solution: Run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resource endpoint. Does the solution meet the goal? A. Yes B. No
A. Yes Explanation: Get an access token using the VM's system-assigned managed identity and use it to call Azure Resource Manager. You will need to use PowerShell in this portion. 1. In the portal, navigate to Virtual Machines and go to your Windows virtual machine and in the Overview, click Connect 2. Enter in your Username and Password for which you added when you created the Windows VM. 3. Now that you have created a Remote Desktop Connection with the virtual machine, open PowerShell in the remote session 4. Using the Invoke-WebRequest cmdlet, make a request to the local managed identity for Azure resources endpoint to get an access token for Azure Resource Manager. Example: $response = Invoke-WebRequest -Uri "http://169.254. 169. 254/metadatalidentity/oauth2/token ?api-version=20 18-02-01 &resource=https://management. azure. com/" -Method GET Headers @{Metadata = "true"}
147. You are developing an ASP.NET Core website that uses Azure FrontDoor. The website is used to build custom weather data sets for researchers. Data sets are downloaded by users as Comma Separated Value (CSV ) files. The data is refreshed every 10 hours. Specific files must be purged from the FrontDoor cache based upon Response Header values. You need to purge individual assets from the Front Door cache. Which type of cache purge should you use? A. single path B. wildcard C. root domain
A. single path Explanation: These formats are supported in the lists of paths to purge: Single path purge: Purge individual assets by specifying the full path of the asset (without the protocol and domain), with the file extension, for example, /pictures/strasbourg.png; • Wildcard purge: Asterisk e) may be used as a wildcard. Purge all folders, subfolders, and files under an endpoint with r in the path or purge all subfolders and files under a specific folder by specifying the folder followed by r. for example, /picturesr _ • Root domain purge: Purge the root of the endpoint with "f' in the path.
152. You are developing an Azure App Service REST API The API must be called by an Azure App Service web app. The API must retrieve and update user profile information stored in Azure Active Directory (Azure AD). You need to configure the AP1 to make the updates. Which two tools should you use? Each correct answer presents part of the solution NOTE: Each correct selection is worth one point. A.Microsoft Graph API B Microsoft Authentication Library (MSAL) C Azure API Management D. Microsoft Azure Security Center E. Microsoft Azure Key Vault SOK
A.Microsoft Graph API C Azure API Management Explanation: A : You can use the Azure AD REST APls in Microsoft Graph to create unique workflows between Azure AD resources and third-party services . Enterprise developers use Microsoft Graph to integrate Azure AD identity management and other services to automate administrative workflows. such as employee onboarding (and termination), profile maintenance, license deployment, and more. C: API Management (APIM) is a way to create consistent and modern API gateways for existing back-end services. API Management helps organizations publish APls to external, partner. and internal developers to unlock the potential of their data and services.
134. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing a medical records document management website. The website is used to store scanned copies of patient intake forms. If the stored intake forms are downloaded from storage by a third party, the contents of the forms must not be compromised. You need to store the intake forms according to the requirements. Solution: 1. Create an Azure Key Vault key named skey 2. Encrypt the intake forms using the public key portion of skey 3. Store the encrypted data in Azure Blob storage. Does the solution meet the goal? A. Yes B. No
A.Yes
14. You manage an Azure SQL database that allows for Azure AD authentication. You need to make sue that database can connect to the SQL database via Microsoft SQL Server Management Studio (SSMS). You also need to make sure the developers use their on-premises Active Directory account for authentication. Your strategy should allow for authentication prompts to be kept to a minimum. Which of the following should you implement?A. Azure AD token B .Azure Multi-Factor authentication C. Azure Directory integrated authentication D. OATH software tokens.
Active Directory integrated authentication.
2.You have downloaded an Azure Resource Manager template to deploy numerous virtual machines. The template is based on a current virtual machine, but must be adapted to reference an administrative password You need to make sure that the password is not stored in plain text You are preparing to create the necessary components to achieve your goal. Which of the following should you create to achieve your goal?
An Azure Key Vault An Access Policy
71. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You develop a software as a service (SaaS) offering to manage photographs. Users upload photos to a web service which then stores the photos in Azure Storage Blob storage. The storage account type is General-purpose V2. When photos are uploaded, they must be processed to produce and save a mobile-friendly version of the image. The process to produce a mobile-friendly version of the image must start in less than one minute You need to design the process that starts the photo processing. Solution: Create an Azure Function app that uses the Consumption hosting model and that is triggered from the blob upload. Does the solution meet the goal? Yes or No?
Answer: Yes Explanation: In the Consumption hosting plan, resources are added dynamically as required by your functions.
13 .You have an Azure Active Directory (Azure AD) tenant. You want to implement multi-factor authentication by making use of a conditional access policy. The conditional access policy must be applied to all users when they access the the Azure portal. Which three settings should you configure?
Assignments: -Users and groups -Cloud apps Access controls: -Grant Enable policy: - On
24. You are developing a solution for a public facing API. The API back end is hosted in an Azure App Service instance. You have implemented a RESTful service for the API back end. You must configure the back-end authentication for the API Management service instance. Solution: You configure Basic gateway credentials for the Azure resource. Does the solution meet the goal?
No Explanation:API Management allows to secure access to the back-end service of an API using client certificates.
15. You are developing an application to transfer data between on-premises file servers and Azure Blob storage. The application stores keys, secrets and certificates in Azure Key Vault and makes use of the Azure Key Vault APIs. You want to configure the application to allow recovery of an accidental deletion of the key vault or key vault objects for 90 days after deletion. What should you do? A. Run the Add-AzKeyVaultKey cmdlet B Run the az keyvault update -enable-soft-delete true -enable-purge-protection true CLI C. Implement virtual network service endpoints for Azure Key Vault. D. Run the az keyvault update -enable-soft-delete false CLI
B. Run the az keyvault update -enable-soft-delete true -enable-purge-protection true CLI
Your Azure Active Directory Azure (Azure AD) tenant has an Azure subscription linked to it. Your developer has created a mobile application that obtains Azure AD access tokens using the OAuth 2 implicit grant type. The mobile application must be registered in Azure AD. You require a redirect URL from the developer for registration purposes Is the statement correct? - No change required - a secret -a login hint -a client ID
No change required. For Native Application, you need to provide a Redirect URL, which Azure AD will use to return token responses.
122. You need to ensure the security policies are met. What code do you add at line CS07 of Configure.SSE.ps1? A. -PermissionToKeys create, encrypt,decrypt B. -PermissionToCertificates create,encrypt,decrypt C. -PermissionsToCertificates wrapkey,unwrapkey,get D. -PermissionsToKeys wrapkey,unwrapkey,get
B. -PermissionToCertificates create,encrypt,decrypt Explanation: The Set-AzureRmKeyVaultAccessPolicy parameter -PermissionsToKeys specifies an array of key operation permissions to grant to a user or service principal. The acceptable values for this parameter are; - decrypt , encrypt - unwrapKey , wrapKey - verify - sign - get - list - update, create, import, delete - backup, restore , recover, purge
135. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing a medical records document management website. The website is used to store scanned copies of patient intake forms. If the stored intake forms are downloaded from storage by a third party, the contents of the forms must not be compromised. You need to store the intake forms according to the requirements. Solution: 1. Create an Azure Cosmos DB database with Storage Service Encryption enabled 2. Store the intake forms in the Azure Cosmos DB database. Does the solution meet the goal? A. Yes B. No
B. No Explanation: Instead use an Azure Key Vault and public key encryption, store the encrypted form Azure Storage Blob Storage.
146. You develop an app that allows users to upload photos and videos to Azure storage. The app uses a storage REST API call to upload the media to a blob storage account named A ccount1. You have blob storage containers named Container1 and Container2. Uploading of videos occurs on an irregular basis. You need to copy specific blobs from Container1 to Container2 when a new video is uploaded. What should you do? A. Copy blobs to Container2 by using the Put Blob operation of the Blob Service REST API B. Create an Event Grid topic that uses the Start.-AzureStorageBlobCopy cmdlet C. Use AzCopy with the Snapshot switch to copy blobs to Container2 D. Download the blob to a virtual machine and then upload the blob to Container2
B. Create an Event Grid topic that uses the Start.-AzureStorageBlobCopy cmdlet Explanation· The Start-AzureStorageBlobCopy cmdlet starts to copy a blob. Example 1: Copy a named blob C:\PS>Start-AzureStorageBlobCopy -SrcBlob "ContosoPlanning2015" -DestContainer "ContosoArchives" -SrcContainer "ContosoUploads" This command starts the copy operation of the blob named ContosoPlanning2015 from the container named ContosoUploads to the container named ContosoArchives.
124. You have a new Azure subscription. You are developing an internal website for employees to view sensitive data. The website uses Azure Active Directory (Azure AD) for authentication. You need to implement multifactor authentication for the website. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Configure the website to use Azure AD B2C B. In Azure AD, create a new conditional access policy C. Upgrade to Azure AD Premium D. In Azure AD, enable application proxy E. In Azure AD conditional access, enable the baseline policy
B. In Azure AD, create a new conditional access policy. C. Upgrade to Azure AD Premium. Explanation: B: MFA Enabled by conditional access policy. It is the most flexible means to enable two-step verification for your users. Enabling using conditional access policy only works for Azure MFA in the cloud and is a premium feature of Azure AD. C: Multi-Factor Authentication comes as part of the following offerings: a. Azure Active Directory Premium licenses - Full featured use of Azure Multi-Factor Authentication Service (Cloud) or Azure Multi-Factor Authentication Server (On-premises) b. Multi-Factor Authentication for Office 365 c. Azure Active Directory Global Administrators
114. You need to secure the Shipping Logic App. What should you use? A. Azure App Service Environment (ASE) B. Integration Service Environment (ISE) C. VNet service endpoint D. Azure AD B2B integration
B. Integration Service Environment Explanation: You can access to Azure Virtual Network resources from Azure Logic Apps by using integration service environments (ISEs). Sometimes, your logic apps and integration accounts need accees to secured resources, such as virtual machines (VMs) and other systems or services, that are inside an Azure virtual network. To set up this access, you can create an integration service environment (ISE) where you can run your logic apps and create your integration accounts.
128. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials. You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user's Azure AD group membership must be used to determine the permission level You need to configure authorization. Solution: - Create a new Azure AD application. In the application's manifest, define application roles that match the required permission levels for the application. - Assign the appropriate Azure AD group to each role. In the website, use the value of the roles claim from the JWT for the user to determine permissions. Does the solution meet the goal? A .Yes B. No
B. No Explanation : To configure Manifest to include Group Claims in Auth Token 1. Go to Azure Active Directory to configure the Manifest. Click on Azure Active Directory, and go to App registrations to find your application. 2. Click on your application (or search for it if you have a lot of apps) and edit the Manifest by clicking on it. 3. Locate the "groupMembershipClaims" setting. Set its value to either "SecurityGroup" or "All". To help you decide which: + "SecurityGroup" - groups claim will contain the identifiers of all security groups of which the user is a member. + "AIl" groups claim will contain the identifiers of all security groups and all distribution lists of which the user is a member. Now your application will include group claims in your manifest and you can use this fact in your code.
140. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You develop Azure Solutions. You must grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager. You need to obtain an Azure Resource Manager access token. Solution: Use an X.509 certificate to authenticate the VM with Azure Resource Manager. Does the solution meet the goal? A. Yes B. No
B. No Explanation: Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resource endpoint.
141. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You develop Azure Solutions. You must grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager. You need to obtain an Azure Resource Manager access token. Solution: Use the Reader role-based access control (RBAC) role to authenticate the VM Azure Resource Manager. Does the solution meet the goal? A. Yes B. No
B. No Explanation: Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resource endpoint.
136. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing a medical records document management website. The website is used to store scanned copies of patient intake forms. If the stored intake forms are downloaded from storage by a third party, the contents of the forms must not be compromised. You need to store the intake forms according to the requirements. Solution: Store the intake forms as Azure Key Vault secrets Does the solution meet the goal? A. Yes B. No
B. No Explanation: Instead use an Azure Key Vault and public key encryption, store the encrypted form Azure Storage Blob Storage.
126. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials. You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user's Azure AD group membership must be used to determine the permission level. You need to configure authorization. Solution: Configure the Azure Web App for the website to allow only authenticated requests and require Azure AD log on. Does the solution meet the goal? A. Yes B. No
B. No Explanation: Instead in the Azure AD application's manifest, set value of the groupMembershipClaims option to All
143. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing a website that will run as an Azure Web Apps. User will authenticate by using their Azure Active Directory (Azure AD) credentials. You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user's Azure AD group membership must be used to determine the permission level. You need to configure authorization. Solution: - Configure and use Integrated Windows Authentication in the website. - In the website, query Microsoft Graph API to load the group to which the user is a member. Does the solution meet the goal? A. Yes B. No
B. No Explanation: Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources. Instead in the Azure AD application's manifest, set value of the groupMembershipClaims option to All. In the website, use the value of the groups claim from the JWT for the user to determine permissions.
163. You need to monitor ContentUploadService according to the requirements . Which command should you use? A. az monitor metrics alert create -n alert -g ... - - scopes ...- condition "avg Percentage CPU > 8 " B. az monitor metrics alert create -n alert -g ... - - scopes ...- condition "avg Percentage CPU > 800" C. az monitor metrics alert create -n alert -g ... - - scopes ...- condition "CPU Usage > 800" D. az monitor metrics alert create -n alert -g ... - - scopes ...- condition " CPU Usage > 8 "
B. az monitor metrics alert create -n alert -g ... - - scopes ...- condition "avg Percentage CPU > 800" Explanation: Scenario: An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU cores
159. You are developing a web application that makes calls to the Microsoft Graph API. You register the application in the Azure portal and upload a valid X509 certificate. You create an appsettings.json file containing the certificate name, client identifier for the application and the tenant identifier of the Azure Active Directory (Azure AD). You create a method named ReadCertificate to return the X509 certificate by name. You need to implement code that acquires a token by using the certificate How should you complete the code segment? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Box 1: ConfidentialClientApplicationBuilder Here"s the code to instantiate the confidential client application with a client secret : app = ConfidentialClientApplicationBuilder.Create(config.Client).WithClientSecret(config.ClientSecret).WithAuthority(new Uri(config.Authority)).Build(); Box 2: scopes After you've constructed a confidential client application, you can acquire a token for the app by calling AcquireTokenForClient, passing the scope, and optionally forcing a refresh of the token. Sample code: result = await app.AcquireTokenForClient (scopes).ExecuteAsync();
160. You develop a containerized application. You plan to deploy the application to a new Azure Container instance by using a third-party continuous integration and continuous delivery (Cl/CD) utility. The deployment must be unattended and include all application assets. The third-party utility must only be able to push and pull images from the registry. The authentication must be managed by Azure Active Directory (Azure AD). The solution must use the principle of least privilege. You need to ensure that the third-party utility can access the registry. Which authentication options should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Registry authentication method(Choose 1): Service principal Individual identity Repository-scoped access token Managed identity for Azure resources RBAC role(Choose 1): AcrPull Owner AcrPush Contributor
Box 1: Service principal Applications and container orchestrators can perform unattended, or "headless," authentication by using an Azure Active Directory (Azure AD) service principal. Incorrect Answers: • Individual AD identity does not support unattended push/pull • Repository-scoped access token is not integrated with AD identity • Managed identity for Azure resources is used to authenticate to an Azure container registry from another Azure resource. Box 2: AcrPush AcrPush provides pull/ push permissions only and meets the principle of least privilege. Incorrect Answers: • AcrPull only allows pull permissions it does not allow push permissions. • Owner and Contributor allow pull/push permissions but does not meet the principle of least privilege.
130. You provide an Azure API Management managed web services to clients. The back-end web service implements HTTP Strict Transport Security (HSTS). Every request to the backend service must include a valid HTTP authorization header. You need to configure the Azure API Management instance with an authentication policy. Which two policies can you use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A. Basic Authentication B. Digest Authentication C. Certificate Authentication D. OAuth Client Credential Grant
C. Certificate Authentication D. OAuth Client Credential Grant
125. You are developing a Java application that uses Cassandra to store key and value data. You plan to use a new Azure Cosmos DB resource and the Cassandra API in the application. You create an Azure Active Directory (Azure AD) group named Cosmos DB Creators to enable provisioning of Azure Cosmos accounts, databases, and containers. The Azure AD group must not be able to access the keys that are required to access the data. You need to restrict access to the Azure AD group. Which role-based access control should you use? A. DocumentDB Accounts Contributor B. Cosmos Backup Operator C. Cosmos DB Operator D. Cosmos DB Account Reader
C. Cosmos DB Operator Explanation: Azure Cosmos DB now provides a new RBAC role, Cosmos DB Operator. This new role lets you provision Azure Cosmos accounts, databases, and containers, but can't access the keys that are required to access the data. This role is intended for use in scenarios where the ability to grant access to Azure Active Directory service principals to manage deployment operations for Cosmos DB is needed, including the account, database, and containers.
133. You have an application that includes an Azure Web app and several Azure Function apps. Application secrets including connection strings and certificates are stored in Azure Key Vault. Secrets must not be stored in the application or application runtime environment. Changes to Azure Active Directory (Azure AD) must be minimized. You need to design the approach to loading application secrets. What should you do? A. Create a single user-assigned Managed Identity with permission to access Key Vault and configure each App Service to use that Managed Identity B. Create a single Azure AD Service Principal with permission to access Key Vault and use a client secret from within the App Services to access Key Vault C. Create a system assigned Managed Identity in each App Service with permission to access Key Vault D. Create an Azure AD Service Principal with Permissions to access Key Vault for each App Service and use a certificate from within the App Services to access Key Vault
C. Create a system assigned Managed Identity in each App Service with permission to access Key Vault Explanation: Use Key Vault references for App Service and Azure Functions. Key Vault references currently only support system-assigned managed identities. User-assigned identities cannot be used.
157. You are developing a solution that will use a multi-partitioned Azure Cosmos DB database. You plan to use the latest Azure Cosmos DB SDK for development. The solution must meet the following requirements: Send insert and update operations to an Azure Blob storage account. • Process changes to all partitions immediately. • Allow parallelization of change processing You need to process the Azure Cosmos DB operations. What are two possible ways to achieve this goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A Create an Azure App Service API and implement the change feed estimator of the SDK . Scale the API by using multiple Azure App Service instances. B. Create a background job in an Azure Kubernetes Service and implement the change feed feature of the SDK. C. Create an Azure Function to use a trigger for Azure Cosmos DB. Configure the trigger to connect to the container D. Create an Azure Function that uses a Feedlterator object that processes the change feed by using the pull model on the container. Use a FeedRange object to parallelize the processing of the change feed across multiple functions.
C. Create an Azure Function to use a trigger for Azure Cosmos DB. Configure the trigger to connect to the container Explanation: Azure Functions is the simplest option if you are just getting started using the change feed. Due to its simplicity, it is also the recommended option for most change feed use cases. When you create an Azure Functions trigger for Azure Cosmos DB, you select the container to connect, and the Azure Function gets triggered whenever there is a change In the container. Because Azure Functions uses the change feed processor behind the scenes, it automatically parallelizes change processing across y our c ontainer's partitions. Note: You can work with change feed using the following opt ions: • Using change feed with Azure Functions • Using change feed with change feed processor
138. Your company is developing an Azure API hosted in Azure. You need to implement authentication for the Azure API to access other Azure resources. You have the following requirements: - All API calls must be authenticated - Callers to the API must not send credentials to the API Which authentication mechanism should you use? A. Basic B. Anonymous C. Managed identity D. Client certificate
C. Managed identity Explanation: Azure Active Directory Managed Service Identity (MSI) gives your code an automatically managed identity for authenticating to Azure services, so that you can keep credentials out of your code Note: Use the authentication-managed-identity policy to authenticate with a backend service using the managed identity. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme. Incorrect Answers: A: Use the authentication-basic policy to authenticate with a backend service using Basic authentication. This policy effectively sets the HTTP Authorization header to the value corresponding to the credentials provided in the policy. B: Anonymous is no authentication at all D: Your code needs credentials to authenticate to cloud services, but you want to limit the visibility of those credentials as much as possible. Ideally, they never appear on a developer's workstation or get checked-in to source control. Azure Key Vault can store credentials securely so they aren't in your code, but to retrieve them you need to authenticate to Azure Key Vault. To authenticate to Key Vault, you need a credential! A classic bootstrap problem.
148. Your company is developing an Azure API. You need to implement authentication for the Azure API. You have the following requirements: • All APl calls must be secure. • Callers to the API must not send credentials to the API Which authentication mechanism should you use? A. Basic B. Anonymous C. Managed identity D. Client certificate
C. Managed identity Explanation: Use the authentication-managed-identity policy t o authenticate with a backend service using the managed identity of the API Management service. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme.
164. You need to investigate the http server log output to resolve the issue with the ContentUploadService. Which command should you use first? A. az webapp log B. az ams live-output C. az monitor activity-log D. az container attach
C. az monitor activity-log Explanation: Scenario: Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages "502 bad gateway" and "503 service unavailable" are common errors in your app hosted in Azure App Service. Microsoft Azure publicizes each time there is a service interruption or performance degradation. The az monitor activity-log command manages activity logs. Note: Troubleshooting can be divided into three distinct tasks, in sequential order: 1. Observe and monitor application behavior 2. Collect data 3. Mitigate the issue
121. You need to add code at line PC26 of Processing.cs to ensure that security policies are met. How should you complete the code that you will add at line PC26? To answer, select appropriate options in the answer area. (Each correct answer is worth one point)
Code: var resolver = new KeyVaultKeyResolver(_keyVaultClient); var keyBundle = await_keyVaultClient.GetKeyAsync("...","..."); [Answer]: 1. var key = await resolver.ResolveKeyAnsync(keyBundle.KeyIdentifier.Identifier,CancellationToken.None); 2. var x = new BlobEncryptionPolicy(key,resolver); 3. cloudBlobClient.DefaultRequestOptions.EncryptionPolicy = x;
28. You are developing a .NET Core MVC application that allows customers to research independent holiday accommodation providers.You want to implement Azure Search to allow the application to search the index using various criteria to locate the documents related to accommodation venues. You wan the application to list holiday accommodation venues that fall within a specific price range and are within a specified distance to an airport. What should you do? A. Configure the SearchMode property of the SearchParameters class B. Configure the QueryType property of the SearchParameters class. C. Configure the Facets property of the SearchParameters class. Configure the Filter property of the SearchParameters class.
Configure the Filter property of the SearchParameters class. Explanation: The Filter property gets or sets the OData $ filter expression to apply to the search query.
22. You are developing a .NET Core MVC application that allows customers to research independent holiday accommodation providers.You want to implement Azure Search to allow the application to search the index using various criteria to locate the documents related to accommodation. You want to the application to allows customers to search the index by using regular expressions. What should you do? A. Configure the SearchMode property of the SearchParameters class. B. Configure the QueryType property of the SearchParameters class. C. Configure the Facets property of the SearchParameters class. D. Configure the Filter property of the SearchParameters class.
Configure the QueryType property of the SearchParameters class.
8. You are creating an Azure Cosmos DB account that makes use of the SQL API. Data will be added to the account every day by a web application. You need to ensure that an email notification is sent when information is received from IoT devices, and that compute cost is reduced. You decide to deploy a function app. Which of the following should you configure the function app to use? -Azure Cosmos DB connector -SendGrid action -Consumption plan -Azure Event Hubs binding -SendGrid binding
Consumption plan SendGrid binding
10. You are developing an e-COmmerce Web App. You want to use Azure Key Vault to ensure that sign-ins to the e-Commerce Web App are secured by using Azure App Service authentication and Azure Active Directory (AAD). What should you do on the e-Commerce Web App? -Run the az keyvault secret command -Enable Azure AD Connect -Enable Managed Service Identity (MSI) -Create an Azure AD service principal.
Enable Managed Service Identity (MSI) - A managed identity from Azure Active Directory allows your app to easily access other AAD-protected resources such as Azure Key Vault.
12. You are creating an Azure key vault using PowerShell. Objected deleted from the key vault must be kept for a set period of 90 days. Which two of the following parameters must be used in conjunction to meet the requirement? -EnabledForDeployment -EnablePurgeProtection -EnabledForTemplateDeployment -EnableSoftDelete
EnablePurgeProtection EnableSoftDelete
116. You need to correct the corporate website error. Which four actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Step 1: Generate a certificate Step 2: Upload the certificate to Azure Key Vault Step 3: Import the certificate to Azure App Service Step 4: Update line SC05 of Security.cs to include error handling and then redeploy the code.
149. You are a developer for a SaaS company that offers many web services. All web services for the company must meet the following requirements: Use API Management to access the services • Use OpenlD Connect for authentication • Prevent anonymous usage A recent security audit found that several web services can be called without any authentication. Which API Management policy should you implement? A. jsonp B. authentication-certificate C. check-header D. validate-JWI
Explanation: Add the validate-jwt policy to validate the OAuth token for every incoming request. Incorrect Answers: A: The jsonp policy adds JSON with padding (JSONP) support to an operation or an API to allow cross-Domain ca!ls from JavaScript browser-based clients. JSONP is a method used in JavaScript programs to request data from a server in a different domain. JSONP bypasses the limitation enforced by most web browsers where access to web pages must be in the same domain. JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients_
150. Contoso, Ltd. provides an API to customers by using Azure API Management (APIM). The API authorizes users with a JWT token. You must implement response caching for the APIM gateway. The caching mechanism must detect the user ID of the client that accesses data for a given location and cache the response for that user ID. You need to add the following policies to the policies file: - a set.-Variable policy to store the detected user identity - a cache-lookup-value policy - a cache-store-value policy - a find-and-replace policy to update the response body with the user profile information To which policy section should you add the policies? To answer, drag the appropriate sections to the correct policies. Each sect ion may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point
Explanation: Box 1: Inbound. A set -variable policy to store the detected user identity. Example: <policies> <inbound> <!- How you determine user identity is application dependent - > <set-variable name="enduserid" value="@( cont ext .Request.Headers. Get Value OrDefaultf'Authorization".""). Split[ ')[ 1 J.AsJwt ( )?.Subject)" /> Box 2: Inbound A cache-lookup-value policy Example: <inbound> <base /> <cache-lookup vary-by-developer="true I false" vary-by-developer-groups="t rue I false" downstream--caching-type="none I private I public" must-revalidate="t rue I false"> <Vary-by-query-parameter>parameter name</vary-by-query-parameter> <!- optional, can repeated several times - > </cache-lookup> </inbound> Box 3: Outbound A cache-store-value policy. Example: <outbound> <base /> <cache-store duration="3600" /> </outbound> Box 4: Outbound A find-and-replace policy to update the response body with the user profile information. Example: <outbound> <!- Update response body with user profile-> <find-and-replace from="'$userprofiIe$ '" to="@((string)context.Variables(["userprofile"])" /> <base /> </outbound>
151. You are developing an Azure solution. You need to develop code to access a secret stored in Azure Key Vault. How should you complete the code segment? To answer, drag the appropriate code segments to the correct location Each code segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content NOTE: Each correct selection is worth one point.
Explanation: Box 1: Secret Client Box 2: DefaultAzureCredential In below example, the name of your key vault is expanded to the key vault URI, in the format "https://<your-key-vault -name> .vault.azure.net". This example is using 'DefaultAzureCredential()' class from Azure Identity Library, which allows to use the same code across different environments with different options to provide identity. string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME"); var kvUri = "https://" + keyVaultName + "_vault .azure.net"; var client = new SecretClient(new Uri(kvUri). new DefaultAzureCredential());
1. You have two Hyper-V hosts name Host1 and Host2. Host1 has an Azure virtual machine named VM1 that was deployed by using custom AZURE RESOURCE MANAGER template. You need to move VM1 to Host2. What should you do?
From Redeploy blade, Click Redeploy. When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure and then powers it back on, retaining all your configuration options and associated resources.
154. You are developing an Azure-hosted application that must use an on-premises hardware security module (HSM) key. The key must be transferred to your existing Azure Key Vault by using the Bring Your Own Key (BYOK) process. You need to securely transfer the key to Azure Key Vault_ Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Create a custom policy definition in Azure Policy. Run the az keyvault key restore command. Generate a Key Exchange Key (KEK). Retrieve the Key Exchange Key (KEK) public key. Generate a key transfer blob file by using the HSM vendor-provided tool. Run the az keyvault key import command.
Generate a Key Exchange Key (KEK). Retrieve the Key Exchange Key (KEK) public key. Generate a key transfer blob file by using the HSM vendor-provided tool. Run the az keyvault key import command. Explaination: To perform a key transfer, a user performs following steps: • Generate KEK. • Retrieve the public key of the KEK. • Using HSM vendor provided BYOK tool - Import the KEK into the target HSM and exports the Target Key protected by the KEK. • Import the protected Target Key to Azure Key Vault. Step 1: Generate a Key Exchange Key (KEK). Step 2: Retrieve the Key Exchange Key (KEK) public key. Step 3: Generate a key transfer blob file by using the HSM vendor-provided tool. Generate key transfer blob using HSM vendor provided BYOK tool Step 4: Run the az keyvault key import command Upload key transfer blob to import HSM-key. Customer will transfer the Key Transfer Blob (".byok" file) to an online workstation and then run a az keyvault key import command to import this blob as a new HSM-backed key into Key Vault. To import an RSA key use this command: az keyvault key import
6. Your company has an Azure subscription You need to deploy a number of Azure virtual machines to the subscription by using Azure Resource Manager (ARM) templates. The virtual machines will be included in a single availability set. You need to ensure that the ARM templates allows for as many virtual machines as possible to remain accessible in the event of fabric failure or maintenance. Which of the following is the value that you should configure for the platformFaultDomainCount property? A.10 B.20 C.MIN Value D.Max Value
Max Value - The number of fault domains for managed availability sets varies by region - either two or three per region
17.You are configuring a web app the delivers streaming video to users. The application makes use of continuous integration and deployment. You need to ensure that the application is highly available and that the users streaming experience is constant. You also want to configure the application to store data in a geographic location that is nearest to the user. Solution: You include the use of Azure Redis Cache in your design. Does the solution meet the goal? A. Yes No
No
19. You are configuring a web app the delivers streaming video to users. The application makes use of continuous integration and deployment. You need to ensure that the application is highly available and that the users streaming experience is constant. You also want to configure the application to store data in a geographic location that is nearest to the user. Solution: You include the use of Storage Area Network (SAN) in your region. Does the solution meet the goal? A. Yes B. No
No
4. Your company has an Azure Kubernetes Service (AKS) cluster that you manage from an Azure AD-joined Device. The cluster is located in a resource group. Developers have created an application named MyApp. MyApp was packaged into a container image. You need to deploy the YAML manifest file for the application. Solution: You install the docker client on the device and run the docker run -it microsoft/azure-cli:0.10.17 command. Does this meet the goal?
No
25. You are developing a solution for a public facing API. The API back end is hosted in an Azure App Service instance. You have implemented a RESTful service for the API back end. You must configure the back-end authentication for the API Management service instance. Solution: You configure Client cert gateway credentials for the HTTP(s) endpoint. Does the solution meet the goal?
No Explanation: The API back end is hosted in an Azure App Service instance. IT is an Azure resource and not an HTTP(s) endpoint.
26. You are developing a solution for a public facing API. The API back end is hosted in an Azure App Service instance. You have implemented a RESTful service for the API back end. You must configure the back-end authentication for the API Management service instance. Solution: You configure Basic gateway credentials for the HTTP(s) endpoint. Does the solution meet the goal?
No Explanation:API Management allows to have access to the back-end service of an API using client certificates. Furthermore, the API back end is hosted in an Azure APP Service instance. It is an Azure resource and not an HTTP(s) endpoint.
106. You develop an Azure solution that uses Cosmos DB. The current Cosmos DB container must be replicated and must use a partition key that is optimized for queries. You need to implement a change feed processor solution. Which change feed processor components should you use? To answer, drag the appropriate components to the correct requirements. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view the content. (Each correct selection is worth one point)
Requirement: 1. Store the data from which the change feed is generated 2. Coordinate processing of the change feed across multiple workers. 3. Use the change feed processor to listen for changes 4. Handle each batch of changes Component [Answer]: 1. Monitored container 2. Lease container 3. Host 4. Delegate Explanation: 1. The monitored container has the data from which the change feed is generated. Any inserts and updates to the monitored containers are reflected in the change feed of the container. 2. The lease container acts as a state storage and coordinates processing the change feed across multiple workers. The lease container can be stored in the same account as the monitored container or in a separate account. 3. A host is an application instance that uses the change feed processor to listen for changes. Multiple instances with the same lease configuration can run in parallel, but each instance should have a different instance name. 4. The delegate is the code that defines what you, the developer, want to do with each batch of changes that the change feed processor reads.
107. You are developing a web application that will use Azure Storage. Older data will be less frequently used than more recent data. You need to configure data storage for the application. You have the following requirements: - Retain copies of data for 5 years - Minimize costs associated with storing data that is over 1 year old - Implement Zone Redundant Storage for application data What should you do? To answer, select the appropriate options in the answer area. (Each correct selection is worth one point)
Requirement: 1. Configure an Azure Storage account 2. Configure data retention Solution [Answer]: 1. Implement StorageV2 (general purpose v2) 2. Set a lifecycle management policy to move blobs to the cool tier
You are developing an application to transfer data between on-premises file servers and Azure Blob Storage. The application stores keys, secrets, and certificates in Azure Key Vault and makes use of the Azure Key Vault APIs. You want to configure the application to allow recovery of an accidental deletion of the key vault or key vault objects for 90 days after deletion. What should you do?
Run the az keyvault update --enable-soft-delete true --enable-purge-protection true CLI - When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion. - Purge protection is an optional key vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled.
117. You need to configure API Management for authentication. Which policy values should you use? To answer, select the appropriate options in the answer area. (Each correct selection is worth one point)
Setting - Value [Answer] 1. Policy - Validate JWT 2. Policy section - Outbound Explanation: 1. The validate-jwt policy enforces existence and validity of a JWT extracted from either a specified HTTP Header or a specified query parameter. Scenario : User Authentication The following steps detail the user authentication process: a. The user selects Sign-in in the website b. The browser redirects the user to the Azure Active Directory (Azure AD) sign-in page. c. The user signs in d. Azure AD redirects the user's session back to the web application. The URL includes an access token. e. The web application calls an API and includes the access token in the authentication header. The application ID is sent as the audience ("aud") claim in the access token. f. The back-end API validates the access token. Incorrect answers: 1. Limit call rate by key - Prevents API usage spikes by limiting call rate, on a per key basis. 2. Restrict caller IPs - Filters (allows/denies) calss from specific IP addresses and/or address ranges. 3. Check HTTP Header - enforces existence and/or value of a HTTP Header.
119. You need to correct the Azure Logic App error message. Which configuration values should you use? To answer, select the appropriate options in the answer area. (Each correct selection is worth one point)
Setting - value [Answer] 1. Authentication level - function 2. Managed identity - system-assigned Explanation: 1. Function - if you have an Azure function where you want to use the system-assigned identity, first enable authentication for Azure functions. 2. System-assigned - Your logic apps or individual connections can use either the system-assigned identity or a single user-assigned identity, which you can share across a group of logic apps, but not both.
113. You need to secure the Shipping Function app. How should you configure the app? To answer, select the appropriate options in the answer area. (Each correct selection is worth one point)
Setting: 1. Authorization level 2. User claims 3. Trigger type Value [Answer]: 1. Function 2. JSON Web Token (JWT) 3. HTTP Explanation: 2. Azure AD uses JSON based tokens (JWTs) that contain claims 3. How a web app delegates sign-in to Azure AD and obtains token. User authentication happens via the browser and OpenID protocol uses standard HTTP protocol messages.
123. You develop a web application. You need to register the application with an active Azure Active Directory (Azure AD) tenant. Which three actions should you perform in sequence? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order.
Step 1 : In App Registrations, select New registration Step 2 : Select the Azure AD instance Step 3 : Create a new application and provide the name, account type, and redirect URI Explanation: Register a new application using the Azure portal 1. Sign in to the Azure portal using either a work or school account or a personal Microsoft account. 2. If your account gives you access to more than one tenant, select your account in the upper right corner. Set your portal session to the Azure AD tenant that you want 3. Search for and select Azure Active Directory. Under Manage, select App registrations. 4. Select New registration. (Step 1) 5. In Register an application, enter a meaningful application name to display to users. 6. Specify who can use the application. Select the Azure AD instance. (Step 2) 7. Under Redirect URI (optional), select the type of app you're building: Web or Public client (mobile & desktop). Then enter the redirect URI, or reply URL, for your application. (Step 3) 8. When finished, select Register
20. You develop a Web App on a tier D1 app service plan. You notice that page load increase during periods of peak traffic. You want to implement automatic scaling when CPU load is above 80 percent. Your solution must minimize costs. What should you do first? A. Enable Autoscaling on the Web App. B. Switch to the Premium App Service tier plan. C. Switch to the Standard App Service tier plan D. Switch to the Azure App Services consumption plan.
Switch to the standard App Service tier plan
110. You need to ensure that network security policies are met. How should you configure network security? To answer, select the appropriate options in the answer area. (Each correct selection is worth one point)
Technology: 1. SSL certificate 2. Proxy type Value [Answer]: 1. Valid root certificate 2. Azure Application Gateway Explanation: 1. All websites and services must use SSL from a valid root certificate authority 2. Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web apps are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL Injection and cross-site scripting are the most common attacks.
29. You are a developer at your company. You need to edit the workflows for an existing Logic App. What should you use? A. the Enterprise Integration Pack (EIP) B. the Logic App Code View C. the API Connections D.the logic Apps Designer
The Enterprise Integration Pack (EIP) Explanation: For business-to-business (B2B) solutions and seamless communication between organizations, you can build automated scalable enterprise integrations workflows by using the Enterprise Integration Pack (EIP) with Azure Logic Apps.
23. You are a developer at your company. You need to update the definitions for an existing Logic App. What should you use? A. The Enterprise Integration Pack (EIP) B. The Logic App Code View C. The API Connections D. The Logic Apps Designers
The Logic App Code View
Your company's Azure subscription includes an Azure Log Analytics workspace. Your company has a hundred on-premises servers that run either Windows Server 2012 R2 or windows Server 2016, and is linked to the Azure Log Analytics workspace. The Azure Log Analytics workspace is set up to gather performance counters associated with security from these linked servers. You have to make sure that alerts rules allow for dimensions and that alert creation time should be kept to a minimum. Furthermore, a single alert notification must b created when the alert is created when the alert is resolved. You need to make use of the necessary signal type when creating the alert rules. Which of the following is the option you should use? A. The Activity log signal type B. The Application Log signal type C. The Metric signal type D. The Audit Log signal type
The Metric signal type. Explanation:Metric alerts in Azure Monitor provide a way to get notified when one of your metrics cross a threshold. Metric alerts work on a range of multi-dimensional platform metrics, custom metrics, Application Insights standard and custom metrics.
158. You have an Azure Web app that uses Cosmos DB as a data store. You create a CosmosDB container by running the following PowerShell script: $resource GroupName = "testResourceGroup" $accountName = "testCosmosAccount" $database Name = "testDatabase" $containerName = "test Container " $partitionKeyPath = "/ EmployeeId" $autoscaleMaxThroughput = 5000 New-AzCosmosDBSqlContainer - Resource GroupName $resourceGroupName - AccountName $accountName - DatabaseName $databaseName - Name $containerName - Partit:onKeyKind Hash - PartitionKeyPath$partitionKeyPath - AutoscaleMaxThroughput $autoscaleMaxThroughput You create the following queries that target the container: SELECT * FROM c WHERE c.EmployeeId > '12345 ' SELECT * FROM c WHERE c.UserID = ' 12345 ' For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct select ion is worth one point. The minimum throughput for the container is 400 R/Us: The first query statement is an in-partition query: The second query statement is a cross- partition query:
The minimum throughput for the container is 400 R/Us: No The first query statement is an in-partition query: No The second query statement is a cross- partition query: Yes Explanation: Box 1: No You set the highest, or maximum Ru/s Tmax you don't want the system t o exceed. The system automatically scales the throughput T such that 0.1• Tmax <= T <= Tmax . In this example we have autoscaleMaxThroughput=5000, so the minimum throughput for the container is 500 R/Us. Box 2: No First query: SELECT * FROM c WHERE c . Employee Id > '12345 ' Here's a query that has a range filter on the partition key and won't be scoped to a single physical partition. In order to be an in-partition query, the query must have an equality filter that includes the partition key: SELECT • FROM c WHERE c.Deviceld > 'XMS-0001' Box 3: Yes Example of In-partition query: Consider the below query with an equality filter on Device Id. If we run this query on a container partitioned on Deviceld, this query will filter to a single physical partition. SELECT • FROM c WHERE c.Deviceld = 'XMS-0001'
120. You need to configure Azure Service Bus to Event Grid integration. Which Azure Service Bus settings should you use? To answer, select the appropriate options in the answer area. (Each correct selection is worth one point)
Tier a. Basic b. Standard c. Premium RBAC role a. Owner b. Contributor c. Azure Service Bus Data Owner d. Azure Service Bus Data Receiver [Answer] Tier - Premium RBAC role - Contributor Explanation: 1. Service Bus can now emit events to Event Grid when there are messages in a queue or a subscription when no receivers are present. You can create Event Grid subscriptions to your Service Bus namespaces, listen to these events, and then react to the events by starting a receiver. With this feature, you can use Service Bus in reactive programming models. To enable the feature, you need the following items: A Service Bus Premium namespaces with at least one Service Bus queue or Service Bus Topic with at least one subscription. Contributor access to the Service Bus namespace.
5. Your company has a web app named WebApp1. You use the WebJobs SDK to design a triggered App Service background task that automatically invokes a function in the code every time new data is received in a queue. You are preparing to configure the service processes a queue data item. Which of the following is the service you should use?
WebJobs
18. You are configuring a web app the delivers streaming video to users. The application makes use of continuous integration and deployment. You need to ensure that the application is highly available and that the users streaming experience is constant. You also want to configure the application to store data in a geographic location that is nearest to the user. Solution: You include the use of an Azure Content Deliver Network (CDN) in your design.Does the solution meet the goal? A. Yes No
Yes
3. Your company has an Azure Kubernetes Service (AKS) cluster that you manage from an Azure AD-joined Device. The cluster is located in a resource group. Developers have created an application named MyApp. MyApp was packaged into a container image. You need to deploy the YAML manifest file for the application. Solution: You install the Azure CLI on the device and run the kubectl apply -if myapp.yaml command. Does this meet the goal?
Yes - kubectl apply -f myapp.yaml applies a configuration change to a resource from a file or stdin
27. You are developing a solution for a public facing API. The API back end is hosted in an Azure App Service instance. You have implemented a RESTful service for the API back end. You must configure the back-end authentication for the API Management service instance. Solution : You configure Client cert gateway credentials for the Azure resource .
Yes Explanation: API Management allows to secure access to the back-end service of an API using client certificates.
You have developed a Web App for your company. The Web App provides services and must run in multiple regions. You want to be notified whenever the Web App uses more than 85% of the available CPU cores over a 5 minute period. Your solution must minimize costs. Which command should you use? To answer, select the appropriate settings in the answer area.
az monitor metrics alert create -n myAlert -g myResourceGroup --scopes targetResourceID --condition "avg Percentage CPU > 85" --window size
131. You are developing an ASP.NET Core website that can be used to manage photographs which are stored in Azure Blob Storage containers. Users of the website authenticate by using their Azure Active Directory (Azure AD) credentials. You implement role-based access control (RBAC) role permissions on the containers that store photographs. You assign users to RBAC roles You need to configure the website's Azure AD Application so that user's permissions can be used with the Azure Blob containers. How should you configure the application? To answer, drag the appropriate setting to the correct location. Each setting can be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content NOTE: Each correct selection is worth one point.
[API] - [Permission] - [Type] 1. Azure Storage - user_impersonation - delegated 2. Microsoft Graph - User.Read - delegated Explanation: Box 1 : user_impersonation Box 2: delegated Example: 1. Select the API permissions section 2. Click the Add a permission button and then ensure that the My APIs tab is selected. 3. In the list of APIs, select the API TodoListSenice-aspnetcore. 4. In the Delegated permissions section, ensure that the right permissions are checked: user_impersonation. 5. Select the Add permissions button Box 3: delegated Example: 1. Select the API permissions section 2. Click the Add a permission button and then Ensure that the Microsoft APIs tab is selected 3. In the Commonly used Microsoft APIs section, click on Microsoft Graph 4. In the Delegated permissions section, ensure that the right permissions are checked: User Read. Use the search box if necessary. 5. Select the Add permissions button
129. You are developing an application to securely transfer data between on-premises file systems and Azure Blob storage. The application stores keys, secrets, and certificates in Azure Key Vault. The application uses the Azure Key Vault APIs. The application must allow recovery of an accidental deletion of the key vault or key vault objects. Key vault objects must be retained for 90 days after deletion. You need to protect the key vault and key vault objects. Which Azure Key Vault feature should you use? To answer, drag the appropriate features to the correct actions. Each feature may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content NOTE: Each correct selection is worth one point.
[Action] - [Feature] 1. Enable retention period and accidental deletion - Soft delete 2. Enforce retention period and accidental deletion - Purge Protection Explanation 1. Soft delete When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion. 2. Purge protection Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled . When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed.
118. You need to authenticate the user to the corporate website as indicated by the architectural diagram. Which two values should you use? Each correct answer presents part of the solution. (Each correct selection is worth one point) A. ID token signature B. ID token claims C. HTTP response code D. Azure AD endpoint URI E. Azure AD tenant ID
[Answer] A. ID token signature D. Azure AD endpoint URI Explanation: A. Claims in access tokens JWTs (JSON Web Tokens) are split into 3 pieces: 1. Header - provides information about how to validate the token including information about the type of token and how it was signed. 2. Payload - contains all of the important data about the user or app that is attempting to call your services. 3. Signature - is the raw material used to validate the token. D. Your client can get an access token from either the v1.0 endpoint or the v2.0 endpoint using variety of protocols.
61. You are developing an Azure Function App that processes images that are uploaded to an Azure Blob container. Images must be processed as quickly as possible after they are uploaded, and the solution must minimize latency. You create code to process images when the Function App is triggered. You need to configure the Function App. What should you do? a) Use an App Service plan. Configure the Function App to use an Azure Blob Storage input trigger. b) Use a Consumption plan. Configure the Function App to use an Azure Blob Storage trigger. c) Use a Consumption plan. Configure the Function App to use a Timer trigger. d) Use a App Service plan. Configure the Function App to use an Azure Blob Storage trigger. e) Use a Consumption plan. Configure the Function App to use an Azure Blob Storage input trigger.
b) Use a Consumption plan. Configure the Function App to use an Azure Blob Storage trigger. The Blob storage trigger starts a function when a new or updated blob is detected. The blob contents are provided as input to the function. The Consumption plan limits a function app on one virtual machine to 1.5 GB of memory.
9. Your company has an on-premises deployment of MongoDB, and an Azure Cosmos DB account that makes use of the MongoDB API. You need to devise a strategy to migrate MongoDB to the Azure Cosmos DB account. You include the DATA MANAGEMENT GATEWAY TOOL in your migration strategy. Is the strategy correct? -No change required -mongorestore -Azure Storage Explorer -AzCopy
mongorestore
111. You need to add YAML markup at line CS17 to ensure that the ContentUploadService can access Azure Storage access keys. How should you complete the YAML markup? To answer, drag the appropriate YAML segments to the correct locations. Each YAML segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. (Each correct selection is worth one point)
volumeMounts : - mountPath : /mnt/secrets name : accesskey volumes : - name : accesskey secret : - key : TXkgZmlyc3Qgc2VjcmV0IEZPTwo= [Answer] 1. volumeMounts 2. volumes 3. secret
145. You are building a website to access project data related to teams within your organization. The website does not allow anonymous access. Authentication is performed using an Azure Active Directory (Azure AD) app named internal. The website has the following authentication requirements: • Azure AD users must be able to login to the website. • Personalization of the website must be based on membership in Active Directory groups. You need to configure the application's manifest to meet the authentication requirements. How should you configure the manifest? To answer, select the appropriate configuration in the answer area. NOTE: Each correct selection is worth one point.
{ ..... "appld": "d61126e3-089b-4adb-b 721-d5023213df7d", "displayName": "internal", all: "optionalClaims" "groupMembershipClaims" true: "allowPublicClient" "oauth2Permissions" "requiredResourceAccess" 'Oauth2AllowImplicitFlow'', ..... } Explaination: Box 1: groupMembershipClaims Scenario: Personalization of the website must be based on membership in Active Directory groups. Group claims can also be configured in the Optional Claims section of the Applicat ion Manifest. Enable group membership claims by changing the groupMembershipClaim The valid values are: "All" "SecurityGroup" "Distribut ionlist" "DirectoryRole" Box 2: oauth2Permissions Scenario: Azure AD users must be able to login to the website. oauth2Permissions specifies the collect ion of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. These permission scopes may be granted to client apps during c onsent. Incorrect Answers: oauth2AllowlmplicitFlow. oauth2AllowlmplicitFlow s pecifies whether this web app can request OAuth2.0 implicit flow access tokens. The default is false. This flag is used for browser-based apps, like Javascript single-page apps.