Test Online Free Microsoft AZ-204 Exam Questions and Answers

• A. Configure and apply a new inbound policy scoped to a product.
• B. Configure and apply a new outbound policy scoped to the operation.
• C. Configure and apply a new outbound policy scoped to global.
• D. Configure and apply a new backend policy scoped to global.

Show Answer

• A. Set Always On to true.
• B. Ensure that the Azure Function is using an App Service plan.
• C. Set Always On to false.
• D. Ensure that the Azure Function is set to use a consumption plan.

Show Answer

HOTSPOT
You plan to deploy a new application to a Linux virtual machine (VM) that is hosted in Azure.
The entire VM must be secured at rest by using industry-standard encryption technology to address organizational security and compliance requirements.
You need to configure Azure Disk Encryption for the VM.
How should you complete the Azure Cli commands? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Show Answer

Answer:


Explanation:
Box 1: keyvault
Create an Azure Key Vault with az keyvault create and enable the Key Vault for use with disk encryption. Specify a unique Key Vault name for keyvault_name as follows:
keyvault_name=myvaultname$RANDOM
az keyvault create \
--name $keyvault_name \
--resource-group $resourcegroup \
--location eastus \
--enabled-for-disk-encryption True
Box 2: keyvault key
The Azure platform needs to be granted access to request the cryptographic keys when the VM boots to decrypt the virtual disks. Create a cryptographic key in your Key Vault with az keyvault key create. The following example creates a key named myKey:
az keyvault key create \
--vault-name $keyvault_name \
--name myKey \
--protection software
Box 3: vm
Create a VM with az vm create. Only certain marketplace images support disk encryption.
The following example creates a VM named myVM using an Ubuntu 16.04 LTS image:
az vm create \
--resource-group $resourcegroup \
--name myVM \
--image Canonical:UbuntuServer:16.04-LTS:latest \ --admin-username azureuser \ --generate-ssh-keys \
Box 4: vm encryption
Encrypt your VM with az vm encryption enable:
az vm encryption enable \
--resource-group $resourcegroup \
--name myVM \
--disk-encryption-keyvault $keyvault_name \
--key-encryption-key myKey \
--volume-type all
Note: seems to an error in the question. Should have enable instead of create.
Box 5: all
Encrypt both data and operating system.
References: https://docs.microsoft.com/bs-latn-ba/azure/virtual-machines/linux/encrypt-disks

DRAG DROP
You need to deploy a new version of the LabelMaker application to ACR.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Show Answer

Answer:


Explanation:
A picture containing timeline
Description automatically generated
Step 1: Build a new application image by using dockerfile
Step 2: Create an alias if the image with the fully qualified path to the registry
Before you can push the image to a private registry, you’ve to ensure a proper image name. This can be achieved using the docker tag command. For demonstration purpose, we’ll use Docker’s hello world image, rename it and push it to ACR.
# pulls hello-world from the public docker hub $ docker pull hello-world
# tag the image in order to be able to push it to a private registry $ docker tag hello-word <REGISTRY_NAME>/hello-world
# push the image
$ docker push <REGISTRY_NAME>/hello-world
Step 3: Log in to the registry and push image
In order to push images to the newly created ACR instance, you need to login to ACR form the Docker CLI. Once logged in, you can push any existing docker image to your ACR instance.
Scenario:
Coho Winery plans to move the application to Azure and continue to support label creation.
LabelMaker app
Azure Monitor Container Health must be used to monitor the performance of workloads that are deployed to Kubernetes environments and hosted on Azure Kubernetes Service (AKS).
You must use Azure Container Registry to publish images that support the AKS deployment.

HOTSPOT
You have an Azure Batch project that processes and converts files and stores the files in Azure storage. You are developing a function to start the batch job.
You add the following parameters to the function.



You must ensure that converted files are placed in the container referenced by the outputContainerSasUrl parameter. Files which fail to convert are places in the container referenced by the failedContainerSasUrl parameter.
You need to ensure the files are correctly processed.
How should you complete the code segment? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Show Answer

Answer:


Explanation:
Box 1: CreateJob
Box 2: TaskSuccess
TaskSuccess: Upload the file(s) only after the task process exits with an exit code of 0.
Incorrect: TaskCompletion: Upload the file(s) after the task process exits, no matter what the exit code was.
Box 3: TaskFailure
TaskFailure:Upload the file(s) only after the task process exits with a nonzero exit code.
Box 4: OutputFiles
To specify output files for a task, create a collection of OutputFile objects and assign it to the CloudTask.OutputFiles property when you create the task.
References:
https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.batch.protocol.models.outputfileuploadcondition
https://docs.microsoft.com/en-us/azure/batch/batch-task-output-files

• A. Store the RSA-HSM key in Azure Key Vault with soft-delete and purge-protection features enabled
• B. Store the RSA-HSM key in Azure Blob storage with an immutability policy applied to the container.
• C. Store the RSA-HSM key in Azure Cosmos D
• D. Apply the built-in policies for customer-managed Keys and allowed locations
• E. Create a standard tier Azure App Configuration instance with an assigned Azure AD managed identity.
• F. Create a free tier Azure App Configuration instance with a new Azure AD service principal.

Show Answer

DRAG DROP
You are developing an ASP.NET Core website that can be used to manage photographs which are stored in Azure Blob Storage containers.
Users of the website authenticate by using their Azure Active Directory (Azure AD) credentials.
You implement role-based access control (RBAC) role permission on the containers that store photographs. You assign users to RBAC role.
You need to configure the website’s Azure AD Application so that user’s permissions can be used with the Azure Blob containers.
How should you configure the application? To answer, drag the appropriate setting to the correct location. Each setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Show Answer

Answer:


Explanation:
Box 1: user_impersonation
Box 2: delegated
Example:

Topic 3, City Power & Light

Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

Background
City Power & Light company provides electrical infrastructure monitoring solutions for homes and businesses. The company is migrating solutions to Azure.

Current environment
Architecture overview
The company has a public website located at http://www.cpandl.com/. The site is a single-page web application that runs in Azure App Service on Linux. The website uses files stored in Azure Storage and cached in Azure Content Delivery Network (CDN) to serve static content.

API Management and Azure Function App functions are used to process and store data in Azure Database for PostgreSQL. API Management is used to broker communications to the Azure Function app functions for Logic app integration. Logic apps are used to orchestrate the data processing while Service Bus and Event Grid handle messaging and events.

The solution uses Application Insights, Azure Monitor, and Azure Key Vault.

Architecture diagram
The company has several applications and services that support their business. The company plans to implement serverless computing where possible.
The overall architecture is shown below.




User authentication
The following steps detail the user authentication process:
✑ The user selects Sign in in the website.
✑ The browser redirects the user to the Azure Active Directory (Azure AD) sign in page.
✑ The user signs in.
✑ Azure AD redirects the user’s session back to the web application. The URL includes an access token.
✑ The web application calls an API and includes the access token in the authentication header. The application ID is sent as the audience (‘aud’) claim in the access token.
✑ The back-end API validates the access token.

Requirements
Corporate website
✑ Communications and content must be secured by using SSL.
✑ Communications must use HTTPS.
✑ Data must be replicated to a secondary region and three availability zones.
✑ Data storage costs must be minimized.

Azure Database for PostgreSQL
The database connection string is stored in Azure Key Vault with the following attributes:
✑ Azure Key Vault name: cpandlkeyvault
✑ Secret name: PostgreSQLConn
✑ Id: 80df3e46ffcd4f1cb187f79905e9a1e8

The connection information is updated frequently. The application must always use the latest information to connect to the database.

Azure Service Bus and Azure Event Grid
✑ Azure Event Grid must use Azure Service Bus for queue-based load leveling.
✑ Events in Azure Event Grid must be routed directly to Service Bus queues for use in buffering.
✑ Events from Azure Service Bus and other Azure services must continue to be routed to Azure Event Grid for processing.

Security
✑ All SSL certificates and credentials must be stored in Azure Key Vault.
✑ File access must restrict access by IP, protocol, and Azure AD rights.
✑ All user accounts and processes must receive only those privileges which are essential to perform their intended function.

Compliance
Auditing of the file updates and transfers must be enabled to comply with General Data Protection Regulation (GDPR). The file updates must be read-only, stored in the order in which they occurred, include only create, update, delete, and copy operations, and be retained for compliance reasons.

Issues
Corporate website
While testing the site, the following error message displays:
CryptographicException: The system cannot find the file specified.

Function app
You perform local testing for the RequestUserApproval function. The following error
message displays:
'Timeout value of 00:10:00 exceeded by function: RequestUserApproval'

The same error message displays when you test the function in an Azure development environment when you run the following Kusto query: FunctionAppLogs
| where FunctionName = = "RequestUserApproval"

Logic app
You test the Logic app in a development environment. The following error message displays:
'400 Bad Request'
Troubleshooting of the error shows an HttpTrigger action to call the RequestUserApproval function.

Code
Corporate website
Security.cs:




Function app
RequestUserApproval.cs:




DRAG DROP
You need to correct the corporate website error.
Which four actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Show Answer

Answer:


Explanation:
Scenario: Corporate website
While testing the site, the following error message displays:
Cryptographic Exception: The system cannot find the file specified.
Step 1: Generate a certificate
Step 2: Upload the certificate to Azure Key Vault
Scenario: All SSL certificates and credentials must be stored in Azure Key Vault.
Step 3: Import the certificate to Azure App Service
Step 4: Update line SCO5 of Security.cs to include error handling and then redeploy the code

HOTSPOT
You need to ensure that validation testing is triggered per the requirements.
How should you complete the code segment? To answer, select the appropriate values in the answer area. NOTE: Each correct selection is worth one point.

Show Answer

Answer:


Explanation:
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.
Box 2: service
Box 3: imageCollection

DRAG DROP
You need to implement telemetry for non-user actions.
How should you complete the Filter class? To answer, drag the appropriate code segments to the correct locations. Each code segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Show Answer

Answer:


Explanation:
Scenario: Exclude non-user actions from Application Insights telemetry.
Box 1: ITelemetryProcessor
To create a filter, implement ITelemetryProcessor. This technique gives you more direct control over what is included or excluded from the telemetry stream.
Box 2: ITelemetryProcessor
Box 3: ITelemetryProcessor
Box 4: RequestTelemetry
Box 5: /health
To filter out an item, just terminate the chain.

• A. Create a new composite index for the store location data queries in Azure Cosmos D
• B. Modify the queries to support parameterized SQL and update the Azure function app to call the new Queries.
• C. Configure Azure Cosmos DB consistency to strong consistency Increase the RUs for the container supporting store location data.
• D. Provision an Azure Cosmos OB dedicated gateway, update blob storage to use the new dedicated gateway endpoint.
• E. Configure Azure Cosmos DB consistency to session consistency. Cache session tokens in a new Azure Redis cache instance after every write. Update reads to use the session token stored in Azure Redis.
• F. Provision an Azure Cosmos DB dedicated gateway Update the Azure Function app connection string to use the new dedicated gateway endpoint.

Show Answer

• A. AppServiceEnvironmentPlatformLogs
• B. AppServiceApplogs
• C. AppServiceAuditLogs
• D. AppServiceConsoteLogs

Show Answer

Topic 2, Contoso, Ltd

Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

Background
Overview
You are a developer for Contoso, Ltd. The company has a social networking website that is developed as a Single Page Application (SPA). The main web application for the social networking website loads user uploaded content from blob storage.
You are developing a solution to monitor uploaded data for inappropriate content.

The following process occurs when users upload content by using the SPA:
• Messages are sent to ContentUploadService.
• Content is processed by ContentAnalysisService.
• After processing is complete, the content is posted to the social network or a rejection message is posted in its place.

The ContentAnalysisService is deployed with Azure Container Instances from a private Azure Container Registry named contosoimages.
The solution will use eight CPU cores.

Azure Active Directory
Contoso, Ltd. uses Azure Active Directory (Azure AD) for both internal and guest accounts.

Requirements
ContentAnalysisService
The company’s data science group built ContentAnalysisService which accepts user generated content as a string and returns a probable value for inappropriate content. Any values over a specific threshold must be reviewed by an employee of Contoso, Ltd.
You must create an Azure Function named CheckUserContent to perform the content checks.

Costs
You must minimize costs for all Azure services.

Manual review
To review content, the user must authenticate to the website portion of the ContentAnalysisService using their Azure AD credentials. The website is built using React and all pages and API endpoints require authentication. In order to review content a user must be part of a ContentReviewer role. All completed reviews must include the reviewer’s email address for auditing purposes.

High availability
All services must run in multiple regions. The failure of any service in a region must not impact overall application availability.

Monitoring
An alert must be raised if the ContentUploadService uses more than 80 percent of available CPU cores.

Security
You have the following security requirements:
- Any web service accessible over the Internet must be protected from cross site scripting attacks.
- All websites and services must use SSL from a valid root certificate authority.
- Azure Storage access keys must only be stored in memory and must be available only to the service.
- All Internal services must only be accessible from internal Virtual Networks (VNets).
- All parts of the system must support inbound and outbound traffic restrictions.
- All service calls must be authenticated by using Azure AD.

User agreements
When a user submits content, they must agree to a user agreement. The agreement allows employees of Contoso, Ltd. to review content, store cookies on user devices, and track user’s IP addresses.
Information regarding agreements is used by multiple divisions within Contoso, Ltd.
User responses must not be lost and must be available to all parties regardless of individual service uptime. The volume of agreements is expected to be in the millions per hour.

Validation testing
When a new version of the ContentAnalysisService is available the previous seven days of content must be processed with the new version to verify that the new version does not significantly deviate from the old version.

Issues
Users of the ContentUploadService report that they occasionally see HTTP 502 responses on specific pages.

Code
ContentUploadService







HOTSPOT
You need to add code at line AM09 to ensure that users can review content using Content Analysis Service.
How should you complete the code? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Show Answer

Answer:


Explanation:
Box 1: "oauth2Permissions": ["login"]
oauth2Permissions specifies the collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. These permission scopes may be granted to client apps during consent.
Box 2: "oauth2AllowImplicitFlow":true
For applications (Angular, Ember.js, React.js, and so on), Microsoft identity platform supports the OAuth 2.0 Implicit Grant flow.

• A. Yes
• B. No

Show Answer

• A. Connect Live Metrics Stream from Application Insights to the Azure Function app and filter the metrics.
• B. Create a new Azure Log Analytics workspace and instrument the Azure Function app with Application Insights.
• C. Update the Azure Function app with extension methods from Microsoft.Extensions.Logging to log events by using the log instance.
• D. Add a new diagnostic setting to the Azure Function app to send logs to Log Analytics.

Show Answer