Microsoft Microsoft Certifications AZ-204 Questions & Answers

• Question 51:

  You develop a solution that uses Azure Virtual Machines (VMs).

  The VMs contain code that must access resources in an Azure resource group. You grant the VM access to the resource group in Resource Manager.

  You need to obtain an access token that uses the VM's system-assigned managed identity.

  Which two actions should you perform? Each correct answer presents part of the solution.

  A. From the code on the VM, call Azure Resource Manager using an access token.

  B. Use PowerShell on a remote machine to make a request to the local managed identity for Azure resources endpoint.

  C. Use PowerShell on the VM to make a request to the local managed identity for Azure resources endpoint.

  D. From the code on the VM, call Azure Resource Manager using a SAS token.

  E. From the code on the VM, generate a user delegation SAS token.

  Correct Answer: BD

• Question 52:

  You are developing several microservices to run on Azure Container Apps. External HTTP ingress traffic has been enabled for the microservices.

  The microservices must be deployed to the same virtual network and write logs to the same Log Analytics workspace.

  You need to deploy the microservices.

  What should you do?

  A. Enable single revision mode.

  B. Use a separate environment for each container.

  C. Use a private container registry image and single image for all containers.

  D. Use a single environment for all containers.

  E. Enable multiple revision mode.

  Correct Answer: A

  Reference: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/serverless/microservices-with-container-apps

• Question 53:

  You are developing an inventory tracking solution. The solution includes an Azure Function app containing multiple functions triggered by Azure Cosmos DB. You plan to deploy the solution to multiple Azure regions.

  The solution must meet the following requirements:

  Item results from Azure Cosmos DS must return the most recent committed version of an item.

  Items written to Azure Cosmos DB must provide ordering guarantees.

  You need to configure the consistency level for the Azure Cosmos DB deployments.

  Which consistency level should you use?

  A. consistent prefix

  B. eventual

  C. bounded staleness

  D. strong

  E. session

  Correct Answer: D

  Explanation:

  Strong consistency

  Strong consistency offers a linearizability guarantee. Linearizability refers to serving requests concurrently. The reads are guaranteed to return the most recent committed version of an item. A client never sees an uncommitted or partial write.

  Users are always guaranteed to read the latest committed write.

  Incorrect:

  * bounded staleness (and the other weaker consistency levels)

  With Bounded Staleness consistency, reads issued against a non-primary region may not necessarily return the most recent version of the data globally, but are guaranteed to return the most recent version of the data in that region, which will

  be within the maximum staleness boundary globally.

  Note: Azure Cosmos DB offers five well-defined levels. From strongest to weakest, the levels are:

  Strong Bounded staleness Session Consistent prefix Eventual

  Reference: https://learn.microsoft.com/en-us/azure/cosmos-db/consistency-levels

• Question 54:

  You create and publish a new Azure App Service web app.

  User authentication and authorization must use Azure Active Directory (Azure AD).

  You need to configure authentication and authorization.

  What should you do first?

  A. Add an identity provider.

  B. Map an existing custom DNS name.

  C. Create and configure a new app setting.

  D. Add a private certificate.

  E. Create and configure a managed identity.

  Correct Answer: A

  Explanation:

  Configure your App Service or Azure Functions app to use Azure AD login

  You configure authentication for Azure App Service or Azure Functions so that your app signs in users with the Microsoft identity platform (Azure AD) as the authentication provider.

  The App Service Authentication feature can automatically create an app registration with the Microsoft identity platform. You can also use a registration that you or a directory admin creates separately.

  Option 1: Create a new app registration automatically

  Use this option unless you need to create an app registration separately. It makes enabling authentication simple and requires just a few clicks. You can customize the app registration in Azure AD once it's created.

  Sign in to the Azure portal and navigate to your app.

  Select Authentication in the menu on the left. Click Add identity provider.

  Select Microsoft in the identity provider dropdown. The option to create a new registration is selected by default. You can change the name of the registration or the supported account types.

  Etc.

  Reference:

  https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad

• Question 55:

  DRAG DROP

  You need to deploy a new version of the LabelMaker application to ACR.

  Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  Correct Answer:

  

  Step 1: Build a new application image by using dockerfile

  Step 2: Create an alias if the image with the fully qualified path to the registry

  Before you can push the image to a private registry, you’ve to ensure a proper image name. This can be achieved using the docker tag command. For demonstration purpose, we’ll use Docker's hello world image, rename it and push it to

  ACR.

  # pulls hello-world from the public docker hub

  $ docker pull hello-world

  # tag the image in order to be able to push it to a private registry

  $ docker tag hello-word /hello-world

  # push the image

  $ docker push /hello-world

  Step 3: Log in to the registry and push image

  In order to push images to the newly created ACR instance, you need to login to ACR form the Docker CLI. Once logged in, you can push any existing docker image to your ACR instance.

  Scenario:

  Coho Winery plans to move the application to Azure and continue to support label creation.

  LabelMaker app

  Azure Monitor Container Health must be used to monitor the performance of workloads that are deployed to Kubernetes environments and hosted on Azure Kubernetes Service (AKS).

  You must use Azure Container Registry to publish images that support the AKS deployment.

  Reference:

  https://thorsten-hans.com/how-to-use-a-private-azure-container-registry-with-kubernetes-9b86e67b93b6

  https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-task

• Question 56:

  HOTSPOT

  You need to implement the retail store location Azure Function.

  How should you configure the solution? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Scenario: Retail store locations: Azure Functions must process data immediately when data is uploaded to Blob storage.

  Box 1: HTTP

  Binding configuration example: https://.blob.core.windows.net

  Box 2: Input

  Read blob storage data in a function: Input binding

  Box 3: Blob storage

  The Blob storage trigger starts a function when a new or updated blob is detected.

  Azure Functions integrates with Azure Storage via triggers and bindings. Integrating with Blob storage allows you to build functions that react to changes in blob data as well as read and write values.

  Reference:

  https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-storage-blob-trigger

• Question 57:

  HOTSPOT

  You need to implement the Log policy.

  How should you complete the EnsureLogging method in EventGridController.cs? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: logdrop

  All log files should be saved to a container named logdrop.

  Box 2: 15

  Logs must remain in the container for 15 days.

  Box 3: UpdateApplicationSettings

  All Azure App Service Web Apps must write logs to Azure Blob storage.

  Reference:

  https://blog.hompus.nl/2017/05/29/adding-application-logging-blob-to-a-azure-web-app-service-using-powershell/

• Question 58:

  HOTSPOT

  You need to add code at line PC26 of Processing.cs to ensure that security policies are met.

  How should you complete the code that you will add at line PC26? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: var key = await Resolver.ResolveKeyAsyn(keyBundle,KeyIdentifier.CancellationToken.None);

  Box 2: var x = new BlobEncryptionPolicy(key,resolver);

  Example:

  // We begin with cloudKey1, and a resolver capable of resolving and caching Key Vault secrets.

  BlobEncryptionPolicy encryptionPolicy = new BlobEncryptionPolicy(cloudKey1, cachingResolver);

  client.DefaultRequestOptions.EncryptionPolicy = encryptionPolicy;

  Box 3: cloudblobClient. DefaultRequestOptions.EncryptionPolicy = x;

  Reference:

  https://github.com/Azure/azure-storage-net/blob/master/Samples/GettingStarted/EncryptionSamples/KeyRotation/Program.cs

• Question 59:

  HOTSPOT

  You need to insert code at line LE03 of LoginEvent.cs to ensure that all authentication events are processed correctly.

  How should you complete the code? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: id

  id is a unique identifier for the event.

  Box 2: eventType

  eventType is one of the registered event types for this event source.

  Box 3: dataVersion

  dataVersion is the schema version of the data object. The publisher defines the schema version.

  Scenario: Authentication events are used to monitor users signing in and signing out. All authentication events must be processed by Policy service. Sign outs must be processed as quickly as possible.

  The following example shows the properties that are used by all event publishers:

  [

  {

  "topic": string,

  "subject": string,

  "id": string,

  "eventType": string,

  "eventTime": string,

  "data":{

  object-unique-to-each-publisher

  },

  "dataVersion": string,

  "metadataVersion": string

  } ]

  Reference: https://docs.microsoft.com/en-us/azure/event-grid/event-schema

• Question 60:

  HOTSPOT

  You need to configure security and compliance for the corporate website files.

  Which Azure Blob storage settings should you use? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: role-based access control (RBAC)

  Azure Storage supports authentication and authorization with Azure AD for the Blob and Queue services via Azure role-based access control (Azure RBAC).

  Scenario: File access must restrict access by IP, protocol, and Azure AD rights.

  Box 2: storage account type

  Scenario: The website uses files stored in Azure Storage

  Auditing of the file updates and transfers must be enabled to comply with General Data Protection Regulation (GDPR).

  Creating a diagnostic setting:

  1.

  Sign in to the Azure portal.

  2.

  Navigate to your storage account.

  3.

  In the Monitoring section, click Diagnostic settings (preview).

  4.

  Choose file as the type of storage that you want to enable logs for.

  5.

  Click Add diagnostic setting.

  

  Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction https://docs.microsoft.com/en-us/azure/storage/files/storage-files-monitoring