You are developing an ASP.NET Core website that uses Azure FrontDoor. The website is used to build custom weather data sets for researchers. Data sets are downloaded by users as Comma Separated Value (CSV) files. The data is refreshed every 10 hours. Specific files must be purged from the FrontDoor cache based upon Response Header values. You need to purge individual assets from the Front Door cache. Which type of cache purge should you use?
A. single path
B. wildcard
C. root domain
These formats are supported in the lists of paths to purge: - Single path purge: Purge individual assets by specifying the full path of the asset (without the protocol and domain), with the file extension, for example, / [1] - Wildcard purge: Asterisk (*) may be used as a wildcard. Purge all folders, subfolders, and files under an endpoint with /* in the path or purge all subfolders and files under a specific folder by specifying the folder followed by /*, for example, /pictures/*. - Root domain purge: Purge the root of the endpoint with "/" in the path. Reference: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-caching
Question 162
Your company is developing an Azure API. You need to implement authentication for the Azure API. You have the following requirements: All API calls must be secure. - Callers to the API must not send credentials to the API. Which authentication mechanism should you use?
A. Basic
B. Anonymous
C. Managed identity
D. Client certificate
Use the authentication-managed-identity policy to authenticate with a backend service using the managed identity of the API Management service. This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource. After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme. Reference: https://docs.microsoft.com/bs-cyrl-ba/azure/api-management/api-management-authentication-policies
Question 163
You are a developer for a SaaS company that offers many web services. All web services for the company must meet the following requirements: - Use API Management to access the services - Use OpenID Connect for authentication - Prevent anonymous usage A recent security audit found that several web services can be called without any authentication. Which API Management policy should you implement?
A. jsonp
B. authentication-certificate
C. check-header
D. validate-jwt
Add the validate-jwt policy to validate the OAuth token for every incoming request. Incorrect Answers: A: The jsonp policy adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. JSONP is a method used in JavaScript programs to request data from a server in a different domain. JSONP bypasses the limitation enforced by most web browsers where access to web pages must be in the same domain. JSONP - Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. Reference: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
Question 164
DRAG DROP - Contoso, Ltd. provides an API to customers by using Azure API Management (APIM). The API authorizes users with a JWT token. You must implement response caching for the APIM gateway. The caching mechanism must detect the user ID of the client that accesses data for a given location and cache the response for that user ID. You need to add the following policies to the policies file: - a set-variable policy to store the detected user identity - a cache-lookup-value policy - a cache-store-value policy - a find-and-replace policy to update the response body with the user profile information To which policy section should you add the policies? To answer, drag the appropriate sections to the correct policies. Each section may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:
Box 1: Inbound. A set-variable policy to store the detected user identity. Example: <policies> <inbound> <!-- How you determine user identity is application dependent --> <set-variable name="enduserid" value="@(context.Request.Headers.GetValueOrDefault("Authorization","").Split()[1].AsJwt()?.Subject)" /> Box 2: Inbound - A cache-lookup-value policy - Example: <inbound> <base /> <cache-lookup vary-by-developer="true | false" vary-by-developer-groups="true | false" downstream-caching-type="none | private | public" must- revalidate="true | false"> <vary-by-query-parameter>parameter name</vary-by-query-parameter> <!-- optional, can repeated several times --> </cache-lookup> </inbound> Box 3: Outbound - A cache-store-value policy. Example: <outbound> <base /> <cache-store duration="3600" /> </outbound> Box 4: Outbound - A find-and-replace policy to update the response body with the user profile information. Example: <outbound> <!-- Update response body with user profile--> <find-and-replace from='"$userprofile$"' to="@((string)context.Variables["userprofile"])" /> <base /> </outbound> Reference: https://docs.microsoft.com/en-us/azure/api-management/api-management-caching-policies https://docs.microsoft.com/en-us/azure/api-management/api-management-sample-cache-by-key
Question 165
DRAG DROP - You are developing an Azure solution. You need to develop code to access a secret stored in Azure Key Vault. How should you complete the code segment? To answer, drag the appropriate code segments to the correct location. Each code segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:
Box 1: SecretClient - Box 2: DefaultAzureCredential - In below example, the name of your key vault is expanded to the key vault URI, in the format " https://<your-key-vault-name>.vault.azure.net". This example is using 'DefaultAzureCredential()' class from Azure Identity Library, which allows to use the same code across different environments with different options to provide identity. string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME"); var kvUri = " https://" + keyVaultName + ".vault.azure.net"; var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential()); Reference: https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-net
Question 166
You are developing an Azure App Service REST API. The API must be called by an Azure App Service web app. The API must retrieve and update user profile information stored in Azure Active Directory (Azure AD). You need to configure the API to make the updates. Which two tools should you use? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Microsoft Graph API
B. Microsoft Authentication Library (MSAL)
C. Azure API Management
D. Microsoft Azure Security Center
E. Microsoft Azure Key Vault SDK
A: You can use the Azure AD REST APIs in Microsoft Graph to create unique workflows between Azure AD resources and third-party services. Enterprise developers use Microsoft Graph to integrate Azure AD identity management and other services to automate administrative workflows, such as employee onboarding (and termination), profile maintenance, license deployment, and more. C: API Management (APIM) is a way to create consistent and modern API gateways for existing back-end services. API Management helps organizations publish APIs to external, partner, and internal developers to unlock the potential of their data and services. Reference: https://docs.microsoft.com/en-us/graph/azuread-identity-access-management-concept-overview
Question 167
You develop a REST API. You implement a user delegation SAS token to communicate with Azure Blob storage. The token is compromised. You need to revoke the token. What are two possible ways to achieve this goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
A. Revoke the delegation key.
B. Delete the stored access policy.
C. Regenerate the account key.
D. Remove the role assignment for the security principle.
A: Revoke a user delegation SAS - To revoke a user delegation SAS from the Azure CLI, call the az storage account revoke-delegation-keys command. This command revokes all of the user delegation keys associated with the specified storage account. Any shared access signatures associated with those keys are invalidated. B: To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately effects all of the shared access signatures associated with it. Reference: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/storage/blobs/storage-blob-user-delegation-sas-create-cli.md https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy#modifying-or-revoking-a-stored-access-policy
Question 168
DRAG DROP - You are developing an Azure-hosted application that must use an on-premises hardware security module (HSM) key. The key must be transferred to your existing Azure Key Vault by using the Bring Your Own Key (BYOK) process. You need to securely transfer the key to Azure Key Vault. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place:
To perform a key transfer, a user performs following steps: - Generate KEK. - Retrieve the public key of the KEK. - Using HSM vendor provided BYOK tool - Import the KEK into the target HSM and exports the Target Key protected by the KEK. - Import the protected Target Key to Azure Key Vault. Step 1: Generate a Key Exchange Key (KEK). Step 2: Retrieve the Key Exchange Key (KEK) public key. Step 3: Generate a key transfer blob file by using the HSM vendor-provided tool. Generate key transfer blob using HSM vendor provided BYOK tool Step 4: Run the az keyvault key import command Upload key transfer blob to import HSM-key. Customer will transfer the Key Transfer Blob (".byok" file) to an online workstation and then run a az keyvault key import command to import this blob as a new HSM-backed key into Key Vault. To import an RSA key use this command: az keyvault key import Reference: https://docs.microsoft.com/en-us/azure/key-vault/keys/byok-specification
Question 169
You develop and deploy an Azure Logic app that calls an Azure Function app. The Azure Function app includes an OpenAPI (Swagger) definition and uses an Azure Blob storage account. All resources are secured by using Azure Active Directory (Azure AD). The Azure Logic app must securely access the Azure Blob storage account. Azure AD resources must remain if the Azure Logic app is deleted. You need to secure the Azure Logic app. What should you do?
A. Create a user-assigned managed identity and assign role-based access controls.
B. Create an Azure AD custom role and assign the role to the Azure Blob storage account.
C. Create an Azure Key Vault and issue a client certificate.
D. Create a system-assigned managed identity and issue a client certificate.
E. Create an Azure AD custom role and assign role-based access controls.
To give a managed identity access to an Azure resource, you need to add a role to the target resource for that identity. Note: To easily authenticate access to other resources that are protected by Azure Active Directory (Azure AD) without having to sign in and provide credentials or secrets, your logic app can use a managed identity (formerly known as Managed Service Identity or MSI). Azure manages this identity for you and helps secure your credentials because you don't have to provide or rotate secrets. If you set up your logic app to use the system-assigned identity or a manually created, user-assigned identity, the function in your logic app can also use that same identity for authentication. Reference: https://docs.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients
Question 170
HOTSPOT - You are developing an application that uses a premium block blob storage account. You are optimizing costs by automating Azure Blob Storage access tiers. You apply the following policy rules to the storage account. You must determine the implications of applying the rules to the data. (Line numbers are included for reference only.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area: