AZ-204 : Developing Solutions for Microsoft Azure : Part 07

AZ-204 : Developing Solutions for Microsoft Azure : Part 07

1. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   You develop Azure solutions.

   You must grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager.

   You need to obtain an Azure Resource Manager access token.

   Solution: Use an X.509 certificate to authenticate the VM with Azure Resource Manager.

   Does the solution meet the goal?

   • Yes
   • No

   Explanation:

   Explanation:
   Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resources endpoint.

2. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   You develop Azure solutions.

   You must grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager.

   You need to obtain an Azure Resource Manager access token.

   Solution: Use the Reader role-based access control (RBAC) role to authenticate the VM with Azure Resource Manager.

   Does the solution meet the goal?

   • Yes
   • No
   Explanation:

   Explanation:
   Instead run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resources endpoint.

3. HOTSPOT

   You are building a website that is used to review restaurants. The website will use an Azure CDN to improve performance and add functionality to requests.

   You build and deploy a mobile app for Apple iPhones. Whenever a user accesses the website from an iPhone, the user must be redirected to the app store.

   You need to implement an Azure CDN rule that ensures that iPhone users are redirected to the app store.

   How should you complete the Azure Resource Manager template? To answer, select the appropriate options in the answer area.

   NOTE: Each correct selection is worth one point.

   

   

   Explanation:

   Box 1: iOS
   Azure AD Conditional Access supports the following device platforms:
   Android
   iOS
   Windows Phone
   Windows
   macOS

   Box 2: DeliveryRuleIsDeviceConditionParameters
   The DeliveryRuleIsDeviceCondition defines the IsDevice condition for the delivery rule. parameters defines the parameters for the condition.

   Box 3: HTTP_USER_AGENT

   Incorrect Answers:
   The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. It is used for backwards compatibility with HTTP/1.0 caches.
   “X-Powered-By” is a common non-standard HTTP response header (most headers prefixed with an ‘X-‘ are non-standard).

   Box 4: DeliveryRuleRequestHeaderConditionParameters
   DeliveryRuleRequestHeaderCondition defines the RequestHeader condition for the delivery rule. parameters defines the parameters for the condition.

   Box 5: iOS
   The Require approved client app requirement only supports the iOS and Android for device platform condition.

4. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials.

   You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user’s Azure AD group membership must be used to determine the permission level.

   You need to configure authorization.

   Solution:
   -Configure and use Integrated Windows Authentication in the website.
   -In the website, query Microsoft Graph API to load the group to which the user is a member.

   Does the solution meet the goal?

   • Yes
   • No
   Explanation:

   Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources.

   Instead in the Azure AD application’s manifest, set value of the groupMembershipClaims option to All. In the website, use the value of the groups claim from the JWT for the user to determine permissions.

5. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

   After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

   You develop Azure solutions.

   You must grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager.

   You need to obtain an Azure Resource Manager access token.

   Solution: Run the Invoke-RestMethod cmdlet to make a request to the local managed identity for Azure resources endpoint.

   Does the solution meet the goal?

   • Yes
   • No
   Explanation:

   Get an access token using the VM’s system-assigned managed identity and use it to call Azure Resource Manager
   You will need to use PowerShell in this portion.

   1.In the portal, navigate to Virtual Machines and go to your Windows virtual machine and in the Overview, click Connect.
   2.Enter in your Username and Password for which you added when you created the Windows VM.
   3.Now that you have created a Remote Desktop Connection with the virtual machine, open PowerShell in the remote session.
   4.Using the Invoke-WebRequest cmdlet, make a request to the local managed identity for Azure resources endpoint to get an access token for Azure Resource Manager.

   Example:
   $response = Invoke-WebRequest -Uri ‘http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/’ -Method GET -Headers @{Metadata=”true”}

6. HOTSPOT

   You are building a website to access project data related to teams within your organization. The website does not allow anonymous access. Authentication is performed using an Azure Active Directory (Azure AD) app named internal.

   The website has the following authentication requirements:

   -Azure AD users must be able to login to the website.
   -Personalization of the website must be based on membership in Active Directory groups.

   You need to configure the application’s manifest to meet the authentication requirements.

   How should you configure the manifest? To answer, select the appropriate configuration in the answer area.

   NOTE: Each correct selection is worth one point.

   

   

7. You develop an app that allows users to upload photos and videos to Azure storage. The app uses a storage REST API call to upload the media to a blob storage account named Account1. You have blob storage containers named Container1 and Container2.

   Uploading of videos occurs on an irregular basis.

   You need to copy specific blobs from Container1 to Container2 when a new video is uploaded.

   What should you do?

   • Copy blobs to Container2 by using the Put Blob operation of the Blob Service REST API
   • Create an Event Grid topic that uses the Start-AzureStorageBlobCopy cmdlet
   • Use AzCopy with the Snapshot switch to copy blobs to Container2
   • Download the blob to a virtual machine and then upload the blob to Container2
   Explanation:

   The Start-AzureStorageBlobCopy cmdlet starts to copy a blob.
   Example 1: Copy a named blob
   C:\PS>Start-AzureStorageBlobCopy -SrcBlob “ContosoPlanning2015” -DestContainer “ContosoArchives” -SrcContainer “ContosoUploads”

   This command starts the copy operation of the blob named ContosoPlanning2015 from the container named ContosoUploads to the container named ContosoArchives.

8. You are developing an ASP.NET Core website that uses Azure FrontDoor. The website is used to build custom weather data sets for researchers. Data sets are downloaded by users as Comma Separated Value (CSV) files. The data is refreshed every 10 hours.

   Specific files must be purged from the FrontDoor cache based upon Response Header values.

   You need to purge individual assets from the Front Door cache.

   Which type of cache purge should you use?

   • single path
   • wildcard
   • root domain
   Explanation:

   These formats are supported in the lists of paths to purge:
   -Single path purge: Purge individual assets by specifying the full path of the asset (without the protocol and domain), with the file extension, for example, /pictures/strasbourg.png;
   -Wildcard purge: Asterisk (*) may be used as a wildcard. Purge all folders, subfolders, and files under an endpoint with /* in the path or purge all subfolders and files under a specific folder by specifying the folder followed by /*, for example, /pictures/*.
   -Root domain purge: Purge the root of the endpoint with “/” in the path.

9. Your company is developing an Azure API.

   You need to implement authentication for the Azure -API. You have the following requirements:

   -All API calls must be secure.
   -Callers to the API must not send credentials to the API.

   Which authentication mechanism should you use?

   • Basic
   • Anonymous
   • Managed identity
   • Client certificate
   Explanation:

   Use the authentication-managed-identity policy to authenticate with a backend service using the managed identity of the API Management service. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme.

10. You are a developer for a SaaS company that offers many web services.

    All web services for the company must meet the following requirements:

    -Use API Management to access the services
    -Use OpenID Connect for authentication
    -Prevent anonymous usage

    A recent security audit found that several web services can be called without any authentication.

    Which API Management policy should you implement?

    • jsonp
    • authentication-certificate
    • check-header
    • validate-jwt
    Explanation:

    Add the validate-jwt policy to validate the OAuth token for every incoming request.

    Incorrect Answers:
    A: The jsonp policy adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. JSONP is a method used in JavaScript programs to request data from a server in a different domain. JSONP bypasses the limitation enforced by most web browsers where access to web pages must be in the same domain.

    JSONP – Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.

11. DRAG DROP

    Contoso, Ltd. provides an API to customers by using Azure API Management (APIM). The API authorizes users with a JWT token.

    You must implement response caching for the APIM gateway. The caching mechanism must detect the user ID of the client that accesses data for a given location and cache the response for that user ID.

    You need to add the following policies to the policies file:

    -a set-variable policy to store the detected user identity
    -a cache-lookup-value policy
    -a cache-store-value policy
    -a find-and-replace policy to update the response body with the user profile information

    To which policy section should you add the policies? To answer, drag the appropriate sections to the correct policies. Each section may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Box 1: Inbound.
    A set-variable policy to store the detected user identity.
    Example:
    <policies>
    <inbound>
    <!– How you determine user identity is application dependent –>
    <set-variable
    name=”enduserid”
    value=”@(context.Request.Headers.GetValueOrDefault(“Authorization”,””).Split(‘ ‘)[1].AsJwt()?.Subject)” />

    Box 2: Inbound
    A cache-lookup-value policy
    Example:
    <inbound>
    <base />
    <cache-lookup vary-by-developer=”true | false” vary-by-developer-groups=”true | false” downstream-caching-type=”none | private | public” must-revalidate=”true | false”>
    <vary-by-query-parameter>parameter name</vary-by-query-parameter> <!– optional, can repeated several times –>
    </cache-lookup>
    </inbound>

    Box 3: Outbound
    A cache-store-value policy.
    Example:
    <outbound>
    <base />
    <cache-store duration=”3600″ />
    </outbound>

    Box 4: Outbound
    A find-and-replace policy to update the response body with the user profile information.
    Example:
    <outbound>
    <!– Update response body with user profile–>
    <find-and-replace
    from='”$userprofile$”‘
    to=”@((string)context.Variables[“userprofile”])” />
    <base />
    </outbound>

12. DRAG DROP

    You are developing an Azure solution.

    You need to develop code to access a secret stored in Azure Key Vault.

    How should you complete the code segment? To answer, drag the appropriate code segments to the correct location. Each code segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Box 1: SecretClient

    Box 2: DefaultAzureCredential

    In below example, the name of your key vault is expanded to the key vault URI, in the format “https://<your-key-vault-name>.vault.azure.net”. This example is using ‘DefaultAzureCredential()’ class from Azure Identity Library, which allows to use the same code across different environments with different options to provide identity.

    string keyVaultName = Environment.GetEnvironmentVariable(“KEY_VAULT_NAME”);
    var kvUri = “https://” + keyVaultName + “.vault.azure.net”;

    var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

13. You are developing an Azure App Service REST API.

    The API must be called by an Azure App Service web app. The API must retrieve and update user profile information stored in Azure Active Directory (Azure AD).

    You need to configure the API to make the updates.

    Which two tools should you use? Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    • Microsoft Graph API
    • Microsoft Authentication Library (MSAL)
    • Azure API Management
    • Microsoft Azure Security Center
    • Microsoft Azure Key Vault SDK
    Explanation:

    Explanation:
    A: You can use the Azure AD REST APIs in Microsoft Graph to create unique workflows between Azure AD resources and third-party services.

    Enterprise developers use Microsoft Graph to integrate Azure AD identity management and other services to automate administrative workflows, such as employee onboarding (and termination), profile maintenance, license deployment, and more.

    C: API Management (APIM) is a way to create consistent and modern API gateways for existing back-end services.

    API Management helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and services.

    Reference:
    https://docs.microsoft.com/en-us/graph/azuread-identity-access-management-concept-overview

14. You develop a REST API. You implement a user delegation SAS token to communicate with Azure Blob storage.

    The token is compromised.

    You need to revoke the token.

    What are two possible ways to achieve this goal? Each correct answer presents a complete solution.

    NOTE: Each correct selection is worth one point.

    • Revoke the delegation key.
    • Delete the stored access policy.
    • Regenerate the account key.
    • Remove the role assignment for the security principle.
    Explanation:

    A: Revoke a user delegation SAS
    To revoke a user delegation SAS from the Azure CLI, call the az storage account revoke-delegation-keys command. This command revokes all of the user delegation keys associated with the specified storage account. Any shared access signatures associated with those keys are invalidated.

    B: To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately effects all of the shared access signatures associated with it.

15. DRAG DROP

    You are developing an Azure-hosted application that must use an on-premises hardware security module (HSM) key.

    The key must be transferred to your existing Azure Key Vault by using the Bring Your Own Key (BYOK) process.

    You need to securely transfer the key to Azure Key Vault.

    Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

    

    

    Explanation:

    To perform a key transfer, a user performs following steps:
    Generate KEK.
    Retrieve the public key of the KEK.
    Using HSM vendor provided BYOK tool – Import the KEK into the target HSM and exports the Target Key protected by the KEK.
    Import the protected Target Key to Azure Key Vault.

    Step 1: Generate a Key Exchange Key (KEK).

    Step 2: Retrieve the Key Exchange Key (KEK) public key.

    Step 3: Generate a key transfer blob file by using the HSM vendor-provided tool.
    Generate key transfer blob using HSM vendor provided BYOK tool

    Step 4: Run the az keyvault key import command
    Upload key transfer blob to import HSM-key.
    Customer will transfer the Key Transfer Blob (“.byok” file) to an online workstation and then run a az keyvault key import command to import this blob as a new HSM-backed key into Key Vault.

    To import an RSA key use this command:
    az keyvault key import

16. You develop and deploy an Azure Logic app that calls an Azure Function app. The Azure Function app includes an OpenAPI (Swagger) definition and uses an Azure Blob storage account. All resources are secured by using Azure Active Directory (Azure AD).

    The Azure Logic app must securely access the Azure Blob storage account. Azure AD resources must remain if the Azure Logic app is deleted.

    You need to secure the Azure Logic app.

    What should you do?

    • Create a user-assigned managed identity and assign role-based access controls.
    • Create an Azure AD custom role and assign the role to the Azure Blob storage account.
    • Create an Azure Key Vault and issue a client certificate.
    • Create a system-assigned managed identity and issue a client certificate.
    • Create an Azure AD custom role and assign role-based access controls.
    Explanation:

    To give a managed identity access to an Azure resource, you need to add a role to the target resource for that identity.

    Note: To easily authenticate access to other resources that are protected by Azure Active Directory (Azure AD) without having to sign in and provide credentials or secrets, your logic app can use a managed identity (formerly known as Managed Service Identity or MSI). Azure manages this identity for you and helps secure your credentials because you don’t have to provide or rotate secrets.

    If you set up your logic app to use the system-assigned identity or a manually created, user-assigned identity, the function in your logic app can also use that same identity for authentication.

17. HOTSPOT

    You are developing an application that uses a premium block blob storage account. You are optimizing costs by automating Azure Blob Storage access tiers.

    You apply the following policy rules to the storage account. You must determine the implications of applying the rules to the data. (Line numbers are included for reference only.)

    

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:
    

    

    

    

18. You are developing a solution that will use a multi-partitioned Azure Cosmos DB database. You plan to use the latest Azure Cosmos DB SDK for development.

    The solution must meet the following requirements:

    -Send insert and update operations to an Azure Blob storage account.
    -Process changes to all partitions immediately.
    -Allow parallelization of change processing.

    You need to process the Azure Cosmos DB operations.

    What are two possible ways to achieve this goal? Each correct answer presents a complete solution.

    NOTE: Each correct selection is worth one point.

    • Create an Azure App Service API and implement the change feed estimator of the SDK. Scale the API by using multiple Azure App Service instances.
    • Create a background job in an Azure Kubernetes Service and implement the change feed feature of the SDK.
    • Create an Azure Function to use a trigger for Azure Cosmos DB. Configure the trigger to connect to the container.
    • Create an Azure Function that uses a FeedIterator object that processes the change feed by using the pull model on the container. Use a FeedRange objext to parallelize the processing of the change feed across multiple functions.
    Explanation: 

    Azure Functions is the simplest option if you are just getting started using the change feed. Due to its simplicity, it is also the recommended option for most change feed use cases. When you create an Azure Functions trigger for Azure Cosmos DB, you select the container to connect, and the Azure Function gets triggered whenever there is a change in the container. Because Azure Functions uses the change feed processor behind the scenes, it automatically parallelizes change processing across your container’s partitions.

    Note: You can work with change feed using the following options:
    -Using change feed with Azure Functions
    -Using change feed with change feed processor

19. HOTSPOT

    You have an Azure Web app that uses Cosmos DB as a data store. You create a CosmosDB container by running the following PowerShell script:

    $resourceGroupName = "testResourceGroup"
    $accountName = "testCosmosAccount"
    $databaseName = "testDatabase"
    $containerName = "testContainer"
    $partitionKeyPath = "/EmployeeId"
    $autoscaleMaxThroughput = 5000
    
    New-AzCosmosDBSqlContainer 
    -ResourceGroupName $resourceGroupName 
    -AccountName $accountName 
    -DatabaseName $databaseName 
    -Name $containerName 
    -PartitionKeyKind Hash 
    -PartitionKeyPath $partitionKeyPath 
    -AutoscaleMaxThroughput $autoscaleMaxThroughput

    You create the following queries that target the container:

    SELECT * FROM c WHERE c.EmployeeId > '12345'
    SELECT * FROM c WHERE c.UserID = '12345'

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Box 1: No
    You set the highest, or maximum RU/s Tmax you don’t want the system to exceed. The system automatically scales the throughput T such that 0.1* Tmax <= T <= Tmax.

    In this example we have autoscaleMaxThroughput = 5000, so the minimum throughput for the container is 500 R/Us.

    Box 2: No
    First query: SELECT * FROM c WHERE c.EmployeeId > ‘12345’

    Here’s a query that has a range filter on the partition key and won’t be scoped to a single physical partition. In order to be an in-partition query, the query must have an equality filter that includes the partition key:

    SELECT * FROM c WHERE c.DeviceId > ‘XMS-0001’

    Box 3: Yes
    Example of In-partition query:
    Consider the below query with an equality filter on DeviceId. If we run this query on a container partitioned on DeviceId, this query will filter to a single physical partition.

    SELECT * FROM c WHERE c.DeviceId = ‘XMS-0001’

20. HOTSPOT

    You are developing a web application that makes calls to the Microsoft Graph API. You register the application in the Azure portal and upload a valid X509 certificate.

    You create an appsettings.json file containing the certificate name, client identifier for the application, and the tenant identifier of the Azure Active Directory (Azure AD). You create a method named ReadCertificate to return the X509 certificate by name.

    You need to implement code that acquires a token by using the certificate.

    How should you complete the code segment? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Box 1: ConfidentialClientApplicationBuilder
    Here’s the code to instantiate the confidential client application with a client secret:
    app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
    .WithClientSecret(config.ClientSecret)
    .WithAuthority(new Uri(config.Authority))
    .Build();

    Box 2: scopes
    After you’ve constructed a confidential client application, you can acquire a token for the app by calling AcquireTokenForClient, passing the scope, and optionally forcing a refresh of the token.

    Sample code: result = await app.AcquireTokenForClient(scopes)
    .ExecuteAsync();