az-204 practice-002

Question 4 of 50

You develop an application. The application will be accessed by a supplier.

The supplier requires a shared access signature (SAS) to access Azure services in your company’s subscription.

You need to secure the SAS.

Which three actions should you take? Each correct answer presents a complete solution.

Always use HTTPS.

Use Azure Monitor and Azure Storage logs to monitor the application.

Define a stored access policy for a service SAS.

This item tests the candidate’s knowledge of creating and implementing shared access signatures (SAS).

The recommendation of always using HTTPS is valid and should be followed.

Azure Monitor and storage analytics logging should be used to observe any spike in authorization failures against the resources the SAS grants access to.

Stored access policies give the option to revoke permissions for a service SAS without having to regenerate the storage account keys. A security best practice is to grant a user the minimum required privileges. Use near-term expiration times on an ad hoc service SAS or account SAS, so that even if a SAS is compromised it is valid only for a short time.
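The three recommendations above can be turned into a mechanical check. The following is an added example, not code from the original page or from Microsoft's documentation: it reads the standard SAS query parameters (se for signed expiry, spr for signed protocol, si for the stored access policy identifier, sp for permissions) from a SAS URL and reports which recommendations the token violates. The sample URLs, the fake signatures, the fixed "now" timestamp and the one-hour lifetime threshold are all constructed for the example.

```python
"""Check a shared access signature (SAS) URL against the hardening points above.

Added example, not from the original page or Microsoft docs. The URLs and
signatures below are constructed; sig values are fake.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumption for this example: anything beyond one hour is not "near-term".
MAX_LIFETIME = timedelta(hours=1)

# Constructed "current time" so the checks are reproducible.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample tokens (fake signatures).
GOOD_SAS = ("https://acct.blob.core.windows.net/container1/report.csv"
            "?sv=2022-11-02&sr=b&sp=r&spr=https&si=supplier-read&sig=FAKESIG")
SHORT_ADHOC_SAS = ("https://acct.blob.core.windows.net/container1/report.csv"
                   "?sv=2022-11-02&sr=b&sp=r&spr=https&se=2024-01-01T12:30:00Z&sig=FAKESIG")
BAD_SAS = ("http://acct.blob.core.windows.net/container1"
           "?sv=2022-11-02&sr=c&sp=rwdl&se=2024-12-31T00:00:00Z&sig=FAKESIG")


def parse_sas(url: str) -> dict:
    """Split a SAS URL into its URL scheme plus single-valued query parameters."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params["_scheme"] = parts.scheme
    return params


def check_sas(url: str, now: datetime) -> list[str]:
    """Return findings for the token; an empty list means it follows the guidance."""
    p = parse_sas(url)
    findings = []

    # 1. Always use HTTPS: the URL itself and the signed protocol (spr).
    #    When spr is omitted, the token is also accepted over plain HTTP.
    if p["_scheme"] != "https":
        findings.append("URL is not https")
    if p.get("spr") != "https":
        findings.append("signed protocol (spr) is not restricted to https")

    # 2./3. A token bound to a stored access policy (si) can be revoked by
    #    editing the policy; an ad hoc token cannot, so it must expire soon.
    if "si" not in p:
        se = p.get("se")
        if se is None:
            findings.append("ad hoc SAS has no expiry (se)")
        else:
            expiry = datetime.strptime(se, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if expiry <= now:
                findings.append("SAS is already expired")
            elif expiry - now > MAX_LIFETIME:
                findings.append(f"ad hoc SAS expires in {expiry - now}; it cannot be revoked "
                                "without rotating keys, use a near-term expiry or a stored access policy")

    # 4. Least privilege: delete rights on a supplier token deserve a second look.
    if "d" in set(p.get("sp", "")):
        findings.append("permissions (sp) include delete (d); confirm it is required")

    return findings


if __name__ == "__main__":
    for name, url in [("good", GOOD_SAS), ("short ad hoc", SHORT_ADHOC_SAS), ("bad", BAD_SAS)]:
        print(name, "->", check_sas(url, NOW) or "no findings")
```

When a token carries si, its expiry and permissions may live in the stored access policy rather than in the URL, which is why the expiry check only runs for ad hoc tokens; a real audit would fetch the policy from the container and apply the same lifetime test to it.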

Control access to Azure Storage with shared access signatures - Training | Microsoft Learn

Grant limited access to data with shared access signatures (SAS) - Azure Storage | Microsoft Learn

Question 5 of 50

You develop a multitenant web application named App1. You plan to register App1 with multiple Microsoft Entra ID tenants.

You need to identify the relationship between the application objects and security principals associated with App1.

Which relationship should you identify?

App1 will have a single application object and multiple service principals.

This item tests the candidate’s knowledge of configuring authentication of multitenant applications, which is a common scenario when implementing authentication.

App1 will have a single application object and multiple service principals. App1 will not have multiple application objects, multiple application objects with a single service principal, or a single service principal.

Explore service principals - Training | Microsoft Learn

Apps & service principals in Azure AD - Microsoft Entra | Microsoft Learn


Question 6 of 50

You manage an Azure App Service function app named app1 and a storage account named account1.

You have the following requirements:

  • app1 should access account1 without managing credentials.
  • The service principal associated with app1 cannot be explicitly deleted.

You need to configure a security principal for app1.

Which security principal should you use?

system-assigned managed identity

This item tests the candidate’s knowledge of implementing managed identities, which is part of implementing secure cloud solutions.

Managed identities for Azure resources eliminate the need to manage credentials in code. A system-assigned managed identity is restricted to one per resource and is tied to the lifecycle of the resource. Once enabled for app1, it will automatically create a service principal without the need to manage credentials and cannot be explicitly deleted.

A Microsoft Entra ID application is defined by its one and only application object, which resides in the Microsoft Entra ID tenant where the application was registered (known as the application's home tenant). It cannot be used by app1 to access a storage account without managing credentials.

A user-assigned managed identity can be created and assigned to one or more instances of an Azure service. Once enabled for app1, a user-assigned managed identity will automatically create a service principal without the need to manage credentials, but it will need to be explicitly deleted.

The legacy service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. The legacy service principal cannot be used to access a storage account without managing credentials.

Implement managed identities - Training | Microsoft Learn

Apps & service principals in Azure AD - Microsoft Entra | Microsoft Learn

Question 7 of 50

You have 10 applications running in Azure App Service.

You need to ensure the applications have access to items stored in Azure App Configuration by using a common configuration. Passwords or keys must not be used.

Which solution should you use?

User-assigned managed identities

This item tests the candidate's knowledge of managed identities.

User-assigned managed identities are a way to reuse the same permissions across applications. A single user-assigned managed identity can be associated with each of the applications, with no keys or passwords to manage.

System-assigned managed identities use a new identity for each application, which does not meet the common configuration requirement.

A service principal has keys that need to be rotated.

The developer does not run the application, so the developer’s identity cannot be assumed.

Implement Azure App Configuration - Training | Microsoft Learn

Managed identities - Azure App Service | Microsoft Learn


Question 8 of 50

You plan to create a key namespace hierarchy in Azure App Configuration.

You need to separate individual key names.

Which character should you use?

:

This item tests the candidate’s knowledge of configuring key namespace hierarchy of App Configuration, which is part of implementing secure cloud solutions.

The colon character (:) is used to separate names of individual keys when creating a namespace hierarchy in Azure App Configuration.

The asterisk character (*) is one of reserved characters in Azure App Configuration, so it cannot be used to separate names of individual keys when creating a namespace hierarchy in Azure App Configuration.

The comma character (,) is one of reserved characters in Azure App Configuration, so it cannot be used to separate names of individual keys when creating a namespace hierarchy in Azure App Configuration.

The backslash character (\) is one of reserved characters in Azure App Configuration, so it cannot be used to separate names of individual keys when creating a namespace hierarchy in Azure App Configuration.
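The following is an added example, not code from the original page or from Microsoft's documentation. It splits key names on the colon separator described above into a nested hierarchy and rejects key names that contain the reserved characters the explanation lists (asterisk, comma, backslash). The sample keys and values are constructed for the example.

```python
"""Build a namespace hierarchy from Azure App Configuration key names.

Added example, not from the original page or Microsoft docs. The sample
key/value pairs are constructed.
"""

SEPARATOR = ":"
RESERVED = {"*", ",", "\\"}  # reserved characters named in the explanation above

# Constructed sample configuration, flat as App Configuration stores it.
SAMPLE_KEYS = {
    "App1:Db:Host": "db.example.internal",
    "App1:Db:Port": "5432",
    "App1:Cache:Ttl": "60",
    "App2:Db:Host": "other-db.example.internal",
}


def validate_key(key: str) -> None:
    """Raise ValueError if the key is empty or uses a reserved character."""
    if not key:
        raise ValueError("key name must not be empty")
    bad = sorted(RESERVED & set(key))
    if bad:
        raise ValueError(f"key {key!r} contains reserved character(s): {bad}")


def is_valid_key(key: str) -> bool:
    """Boolean form of validate_key, convenient for filtering and tests."""
    try:
        validate_key(key)
        return True
    except ValueError:
        return False


def key_segments(key: str) -> list[str]:
    """Split a validated key on the ':' separator, one segment per level."""
    validate_key(key)
    return key.split(SEPARATOR)


def build_tree(items: dict[str, str]) -> dict:
    """Nest flat key/value pairs into dicts, one level per ':' segment.

    A key that is both a leaf and a prefix of another key (e.g. 'App1:Db'
    alongside 'App1:Db:Host') is rejected, since nested dicts cannot hold both.
    """
    tree: dict = {}
    for key, value in items.items():
        segments = key_segments(key)
        node = tree
        for seg in segments[:-1]:
            child = node.setdefault(seg, {})
            if not isinstance(child, dict):
                raise ValueError(f"{key!r}: prefix {seg!r} is already a leaf value")
            node = child
        leaf = segments[-1]
        if isinstance(node.get(leaf), dict):
            raise ValueError(f"{key!r} is both a leaf and a prefix of other keys")
        node[leaf] = value
    return tree


def keys_under(items: dict[str, str], prefix: str) -> dict[str, str]:
    """Select the keys inside one namespace, e.g. everything below 'App1:Db'."""
    p = prefix + SEPARATOR
    return {k: v for k, v in items.items() if k.startswith(p)}


if __name__ == "__main__":
    print(build_tree(SAMPLE_KEYS))
    print(keys_under(SAMPLE_KEYS, "App1:Db"))
    print(is_valid_key("App1*Db"), is_valid_key("App1:Db"))
```

Keeping one application's settings under its own top-level segment (App1:..., App2:...) is what makes a prefix selection like keys_under meaningful, and rejecting reserved characters up front avoids keys that App Configuration would refuse or interpret differently.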

Create paired keys and values - Training | Microsoft Learn

Understand Azure App Configuration key-value store | Microsoft Learn


Question 10 of 50

You have an Azure Storage account container named container1.

You need to configure access to the container to meet the following requirements:

  • The shared access signature (SAS) token should be secured with Microsoft Entra ID credentials.
  • Role-based access control (RBAC) should be used.
  • The SAS token should support granting access to containers.

Which type of SAS should you use?

user delegation

This item tests the candidate’s knowledge of securing an Azure Storage account, which is part of developing solutions that use blob storage.

A user delegation SAS fulfills all the requirements: the SAS token is secured with Microsoft Entra ID credentials, RBAC is supported, and access can be granted to containers. An account SAS is created at the level of the storage account. A service SAS delegates access to a resource in just one of the storage services (that is, Blob, Queue, Table, or File). A stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. The account SAS, service SAS, and stored access policy options do not fulfill the requirement of securing the SAS token with Microsoft Entra ID credentials and using RBAC to manage permissions.

Store application data with Azure Blob storage - Training | Microsoft Learn

Secure your Azure Storage account - Training | Microsoft Learn

Create a user delegation SAS - Azure Storage | Microsoft Learn

Create an account SAS - Azure Storage | Microsoft Learn

Create a service SAS - Azure Storage | Microsoft Learn


Question 11 of 50

You are developing a solution that stores secrets in an Azure Key Vault named myvault.

You need to retrieve the value for a secret named mysecret that is stored in myvault.

Which CLI command should you use?

az keyvault secret show --name mysecret --vault-name myvault

This item tests the candidate’s knowledge of developing code that uses keys, secrets, and certificates stored in Azure Key Vault. The CLI command az keyvault offers several commands to work with secrets. The most commonly used are set, for storing a secret, and show, for getting the secret’s value. When using these commands, either an id specifying the full secret identifier (in the format https://<keyvaultname>.vault.azure.net/secrets/<secret-name>/<secret-version>) or the secret name and the vault name must be specified.

Exercise: Set and retrieve a secret from Azure Key Vault by using Azure CLI

az keyvault secret


Question 12 of 50

A company uses Azure API Management to expose some of its services.

Each developer consuming APIs must use a single key to obtain access to various APIs without requiring approval from the API publisher.

You need to recommend a solution.

Which solution should you recommend?

Define a subscription with product scope.

This item tests the candidate's knowledge of Azure API Management subscriptions.

When creating a product, several APIs can be added to the product and a subscription can be associated with it. Access should not be granted to all APIs. Developer access should be granted regardless of the caller IP.

A client certificate would require a policy to validate the certificate and specific logic to map the client to specific APIs.

Secure APIs by using subscriptions - Training | Microsoft Learn

Subscriptions in Azure API Management | Microsoft Learn


Question 13 of 50

You manage an Azure event hub.

You need to ensure that multiple load-balanced instances of a .NET application (version 5.0) can be used to scale event processing.

Which event processor client should you use?

EventProcessorClient

This item tests the candidate’s knowledge of scaling event processing applications, which is part of developing event-based solutions.

EventProcessorClient balances the load between multiple instances of a program in newer .NET versions (version 5.0).

EventHubConsumerClient balances the load between multiple instances of a program in Python and JavaScript.

EventProcessorHost balances the load between multiple instances of a program in earlier .NET versions.

The EventHubProducerClient class is used to send events to an event hub.

Explore Azure Event Hubs - Training | Microsoft Learn

Scale your processing application - Training | Microsoft Learn

EventHubProducerClient class | Microsoft Learn


Question 16 of 50

You have an Azure Service Bus instance.

You need to provide first-in, first-out (FIFO) guarantee for message processing.

What should you configure?

message sessions

This item tests the candidate’s knowledge of setting up FIFO guarantees in Azure Service Bus, which is a common task when implementing solutions by using Azure Service Bus.

To provide FIFO guarantees in Service Bus, sessions must be configured. Message sessions enable exclusive, ordered handling of unbounded sequences of related messages.

A dead-letter queue holds messages that cannot be delivered to any receiver.

Message deferral makes it possible to defer retrieval of a message until a later time.

Scheduled delivery allows submitting messages to a queue or topic for delayed processing.

A dead-letter queue, message deferral, and scheduled delivery do not provide FIFO guarantees.

Explore Azure Service Bus - Training | Microsoft Learn

Azure Service Bus message sessions - Azure Service Bus | Microsoft Learn
