Microsoft Microsoft Certifications AZ-204 Questions & Answers

• Question 41:

  You need to authenticate the user to the corporate website as indicated by the architectural diagram. Which two values should you use? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  A. ID token signature

  B. ID token claims

  C. HTTP response code

  D. Azure AD endpoint URI

  E. Azure AD tenant ID

  Correct Answer: BE

  Claims in access tokens

  JWTs (JSON Web Tokens) are split into three pieces:

  1.

  Header - Provides information about how to validate the token including information about the type of token and how it was signed.

  2.

  Payload - Contains all of the important data about the user or app that is attempting to call your service.

  3.

  Signature - Is the raw material used to validate the token.

  Your client can get an access token from either the v1.0 endpoint or the v2.0 endpoint using a variety of protocols.

  Scenario: User authentication (see step 5 below)

  The following steps detail the user authentication process:

  1.

  The user selects Sign in in the website.

  2.

  The browser redirects the user to the Azure Active Directory (Azure AD) sign in page.

  3.

  The user signs in.

  4.

  Azure AD redirects the user's session back to the web application. The URL includes an access token.

  5.

  The web application calls an API and includes the access token in the authentication header. The application ID is sent as the audience (‘aud’) claim in the access token.

  6.

  The back-end API validates the access token.

  Reference: https://docs.microsoft.com/en-us/azure/api-management/api-management-accessrestriction-policies

• Question 42:

  You need to troubleshoot the order workflow.

  Which two actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Review the API connections.

  B. Review the activity log.

  C. Review the run history.

  D. Review the trigger history.

  Correct Answer: CD

  Scenario: The order workflow fails to run upon initial deployment to Azure.

  Check runs history: Each time that the trigger fires for an item or event, the Logic Apps engine creates and runs a separate workflow instance for each item or event. If a run fails, follow these steps to review what happened during that run,

  including the status for each step in the workflow plus the inputs and outputs for each step.

  Check the workflow's run status by checking the runs history. To view more information about a failed run, including all the steps in that run in their status, select the failed run.

  Example:

  

  Check the trigger's status by checking the trigger history

  To view more information about the trigger attempt, select that trigger event, for example:

  

  Reference: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-diagnosing-failures

• Question 43:

  You are developing a road tollway tracking application that sends tracking events by using Azure Event Hubs using premium tier.

  Each road must have a throttling policy uniquely assigned.

  You need to configure the event hub to allow for per-road throttling.

  What should you do?

  A. Use a unique consumer group for each road.

  B. Ensure each road stores events in a different partition.

  C. Ensure each road has a unique connection string.

  D. Use a unique application group for each road.

  Correct Answer: B

• Question 44:

  You are developing an Azure Function that calls external APIs by providing an access token for the API. The access token is stored in a secret named token in an Azure Key Vault named mykeyvault.

  You need to ensure the Azure Function can access to the token. Which value should you store in the Azure Function App configuration?

  A. KeyVault:mykeyvault;Secret:token

  B. App:Settings:Secret:mykeyvault:token

  C. AZUREKVCONNSTR_ https://mykeyveult.vault.ezure.net/secrets/token/

  D. @Microsoft.KeyVault(SecretUri=https://mykeyvault.vault.azure.net/secrets/token/)

  Correct Answer: D

  Add Key Vault secrets reference in the Function App configuration.

  Syntax: @Microsoft.KeyVault(SecretUri={copied identifier for the username secret})

  Reference: https://daniel-krzyczkowski.github.io/Integrate-Key-Vault-Secrets-With-Azure-Functions/

• Question 45:

  An organization deploys Azure Cosmos DB.

  You need to ensure that the index is updated as items are created, updated, or deleted.

  What should you do?

  A. Set the indexing mode to Lazy.

  B. Set the value of the automatic property of the indexing policy to False.

  C. Set the value of the EnableScanInQuery option to True.

  D. Set the indexing mode to Consistent.

  Correct Answer: D

  Azure Cosmos DB supports two indexing modes:

  Consistent: The index is updated synchronously as you create, update or delete items. This means that the consistency of your read queries will be the consistency configured for the account.

  None: Indexing is disabled on the container.

  Reference: https://docs.microsoft.com/en-us/azure/cosmos-db/index-policy

• Question 46:

  You develop an Azure App Service web app and deploy to a production environment. You enable Application Insights for the web app.

  The web app is throwing multiple exceptions in the environment.

  You need to examine the state of the source code and variables when the exceptions are thrown.

  Which Application Insights feature should you configure?

  A. Smart detection

  B. Profiler

  C. Snapshot Debugger

  D. Standard test

  Correct Answer: C

  Exceptions in web applications can be reported with Application Insights. You can correlate failed requests with exceptions and other events on both the client and server so that you can quickly diagnose the causes.

  When an exception occurs, you can automatically collect a debug snapshot from your live web application. The debug snapshot shows the state of source code and variables at the moment the exception was thrown. The Snapshot Debugger

  in Azure Application Insights:

  Monitors system-generated logs from your web app.

  Collects snapshots on your top-throwing exceptions.

  Provides information you need to diagnose issues in production.

  Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/snapshot-debugger/snapshot-debugger

• Question 47:

  You are building an application to track cell towers that are available to phones in near real time. A phone will send information to the application by using the Azure Web PubSub service. The data will be processed by using an Azure

  Functions app. Traffic will be transmitted by using a content delivery network (CDN).

  The Azure function must be protected against misconfigured or unauthorized invocations.

  You need to ensure that the CDN allows for the Azure function protection.

  Which HTTP header should be on the allowed list?

  A. Authorization

  B. WebHook-Request-Callback

  C. Resource

  D. WebHook-Request-Origin

  Correct Answer: D

  CloudEvents extension for Azure Web PubSub event handler with HTTP protocol

  The Web PubSub service delivers client events to the upstream webhook using the CloudEvents HTTP protocol binding.

  Webhook validation

  The Webhook validation follows CloudEvents. The request always contains WebHook-Request-Origin: xxx.webpubsub.azure.com in the header.

  If and only if the delivery target does allow delivery of the events, it MUST reply to the request by including WebHook-Allowed-Origin header, for example:

  WebHook-Allowed-Origin: *

  Or:

  WebHook-Allowed-Origin: xxx.webpubsub.azure.com

  For now, WebHook-Request-Rate and WebHook-Request-Callback are not supported.

  Incorrect:

  * WebHook-Request-Callback. An optional field that provides the webhook with an alternative to grant permission asynchronously, by way of a HTTP callback.

  Reference: https://learn.microsoft.com/en-us/azure/azure-web-pubsub/reference-cloud-events

• Question 48:

  You are developing a web application that uses the Microsoft identity platform for user and resource authentication. The web application calls several REST APIs.

  A REST API call must read the user's calendar. The web application requires permission to send an email as the user.

  You need to authorize the web application and the API.

  Which parameter should you use?

  A. tenant

  B. code_challenge

  C. state

  D. client_id

  E. scope

  Correct Answer: E

  Microsoft identity platform and OAuth 2.0 authorization code flow, Request an authorization code

  https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?

  The authorization code flow begins with the client directing the user to the /authorize endpoint. In this request, the client requests the openid, offline_access, and https://graph.microsoft.com/mail.read permissions from the user.

  Parameters include:

  *

  scope required

  A space-separated list of scopes that you want the user to consent to. For the /authorize leg of the request, this parameter can cover multiple resources. This value allows your app to get consent for multiple web APIs you want to call.

  Incorrect:

  *

  tenant required

  The {tenant} value in the path of the request can be used to control who can sign into the application. Valid values are common, organizations, consumers, and tenant identifiers. For guest scenarios where you sign a user from one tenant into

  another tenant, you must provide the tenant identifier to sign them into the resource tenant.

  *

  code_challenge recommended / required

  Used to secure authorization code grants by using Proof Key for Code Exchange (PKCE). Required if code_challenge_method is included. This parameter is now recommended for all application types, both public and confidential clients, and

  required by the Microsoft identity platform for single page apps using the authorization code flow.

  *

  client_id

  The Application (client) ID that the Azure portal – App registrations experience assigned to your app.

  Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

• Question 49:

  You are developing several Azure API Management (APIM) hosted APIs.

  You must transform the APIs to hide private backend information and obscure the technology stack used to implement the backend processing.

  You need to protect all APIs.

  What should you do?

  A. Configure and apply a new inbound policy scoped to a product.

  B. Configure and apply a new outbound policy scoped to the operation.

  C. Configure and apply a new outbound policy scoped to global.

  D. Configure and apply a new backend policy scoped to global.

  Correct Answer: B

  Reference: https://learn.microsoft.com/en-us/azure/api-management/transform-api

• Question 50:

  You develop Azure solutions.

  You must connect to a No-SQL globally-distributed database by using the .NET API.

  You need to create an object to configure and execute requests in the database.

  Which code segment should you use?

  A. database_name = 'MyDatabase'database = client.create_database_if_not_exists(id=database_name)

  B. client = CosmosClient(endpoint, key)

  C. container_name = 'MyContainer'container = database.create_container_if_not_exists(id=container_name, partition_key=PartitionKey(path="/lastName"), offer_throughput=400 )

  Correct Answer: B

  CosmosClient has to be created before you can do option A and C to create databases and execute requests.client = CosmosClient(endpoint, key)database_name = 'MyDatabase'database = client.create_database_if_not_exists (id=database_name)container_name = 'MyContainer'container = database.create_container_if_not_exists(id=container_name, partition_key=PartitionKey(path="/lastName"), offer_throughput=400 )