DRAG DROP - You need to ensure disaster recovery requirements are met. What code should you add at line PC16? To answer, drag the appropriate code fragments to the correct locations. Each code fragment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:
Scenario: Disaster recovery. A regional outage must not impact application availability. All DR operations must not be dependent on the application running and must ensure that data in the DR region is up to date.
Box 1: DirectoryTransferContext - We transfer all files in the directory. Note: The TransferContext object comes in two forms: SingleTransferContext and DirectoryTransferContext. The former is for transferring a single file and the latter for transferring a directory of files.
Box 2: ShouldTransferCallbackAsync - The DirectoryTransferContext.ShouldTransferCallbackAsync delegate callback is invoked to tell whether a transfer should be done.
Box 3: False - If you want to use the retry policy in Copy, and want the copy to be resumable if it breaks in the middle, use SyncCopy (isServiceCopy = false). Note that if you choose to use service-side copy ('isServiceCopy' set to true), Azure (currently) doesn't provide an SLA for that. Setting 'isServiceCopy' to false will download the source blob loca
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-data-movement-library https://docs.microsoft.com/en-us/dotnet/api/microsoft.windowsazure.storage.datamovement.directorytransfercontext.shouldtransfercallbackasync?view=azure-dotnet
Question 302
HOTSPOT - You need to configure Azure Cosmos DB. Which settings should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: Strong - When the consistency level is set to strong, the staleness window is equivalent to zero, and the clients are guaranteed to read the latest committed value of the write operation. Scenario: Changes to the Order data must reflect immediately across all partitions. All reads to the Order data must fetch the most recent writes. Note: You can choose from five well-defined models on the consistency spectrum. From strongest to weakest, the models are: Strong, Bounded staleness, Session, Consistent prefix, Eventual.
Box 2: SQL - Scenario: You identify the following requirements for data management and manipulation: Order data is stored as nonrelational JSON and must be queried using Structured Query Language (SQL).
Question 303
HOTSPOT - You need to retrieve all order line items from Order.json and sort the data alphabetically by the city. How should you complete the code? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: orders o - Scenario: Order data is stored as nonrelational JSON and must be queried using SQL.
Box 2: li
Box 3: o.line_items
Box 4: o.city - The city field is in the Order document, not in the line items.
Question 304
HOTSPOT - You need to implement the Azure Function for delivery driver profile information. Which configurations should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: Azure Identity library - Store delivery driver profile information in Azure Active Directory (Azure AD) by using an Azure Function called from the corporate website. We recommend that you use a managed identity for applications deployed to Azure. The preceding authentication scenarios are supported by the Azure Identity client library and integrated with the Key Vault SDKs. Note: What is Managed Service Identity? Azure Key Vault avoids the need to store keys and secrets in application code or source control. However, in order to retrieve keys and secrets from Azure Key Vault, you need to authorize a user or application with Azure Key Vault, which in turn needs another credential. Managed Service Identity avoids the need to store credentials for Azure Key Vault in application or environment settings by creating a Service Principal for each application or cloud service on which Managed Service Identity is enabled. This Service Principal enables you to call a local MSI endpoint to get an access token from Azure AD using the credentials of the Service Principal. This token is then used to authenticate to an Azure service, for example Azure Key Vault.
Box 2: Azure Key Vault - Azure Key Vault allows you to securely access sensitive information from within your applications: keys, secrets, and certificates are protected without your having to write the code yourself, and you can easily use them from your applications. Use Azure Key Vault to store only secrets for your application. Examples of secrets that should be stored in Key Vault include: client application secrets, connection strings, passwords, shared access keys, SSH keys.
Reference: https://docs.microsoft.com/en-us/azure/key-vault/general/developers-guide https://integration.team/blog/retrieve-azure-key-vault-secrets-using-azure-functions-and-managed-service-identity
Question 305
You need to grant access to the retail store location data for the inventory service development effort. What should you use?
A. Azure AD access token
B. Azure RBAC role
C. Shared access signature (SAS) token
D. Azure AD ID token
E. Azure AD refresh token
A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data. For example: what resources the client may access, what permissions they have to those resources, and how long the SAS is valid. Note: Inventory services: The company has contracted a third party to develop an API for inventory processing that requires access to a specific blob within the retail store storage account for three months, with read-only access to the data.
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
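A review check for the SAS that would be handed to the third-party developer, written for this page as an added example (it is not code from the referenced docs): it parses the standard blob SAS query parameters (sr, sp, st, se, sig) and flags anything broader than read-only access to one blob for at most three months. The sample URL, account name and signature are constructed placeholders, and "three months" is taken as 92 days, which is an assumption.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# "Three months" from the scenario, taken here as 92 days (an assumption).
MAX_LIFETIME = timedelta(days=92)

def parse_sas_time(ts: str) -> datetime:
    # SAS st/se values are UTC in ISO 8601, e.g. 2024-01-01T00:00:00Z.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sas_policy_violations(sas_url: str) -> list:
    """Return the policy violations found in a blob SAS URL (empty list means it passes)."""
    q = {k: v[0] for k, v in parse_qs(urlparse(sas_url).query).items()}
    problems = []
    if q.get("sr") != "b":
        problems.append("scope is not a single blob (sr != b)")
    if "sp" not in q:
        problems.append("no permissions (sp) set")
    elif set(q["sp"]) - {"r"}:
        problems.append(f"permissions beyond read-only: sp={q['sp']}")
    if "se" not in q:
        problems.append("no expiry (se) set")
    else:
        # Without an explicit start (st) the SAS is valid from now.
        start = parse_sas_time(q["st"]) if "st" in q else datetime.now(timezone.utc)
        if parse_sas_time(q["se"]) - start > MAX_LIFETIME:
            problems.append("lifetime exceeds the three-month engagement")
    if "sig" not in q:
        problems.append("missing signature (sig)")
    return problems

# Constructed sample: read-only, single blob, 90 days, placeholder signature.
SAMPLE_SAS_URL = (
    "https://retailstore.blob.core.windows.net/locations/stores.json"
    "?sv=2021-06-08&st=2024-01-01T00:00:00Z&se=2024-03-31T00:00:00Z"
    "&sr=b&sp=r&sig=PLACEHOLDER"
)

if __name__ == "__main__":
    print(sas_policy_violations(SAMPLE_SAS_URL) or "SAS meets the inventory-service policy")
```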
Question 306
HOTSPOT - You need to reliably identify the delivery driver profile information. How should you configure the system? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: ID - Scenario: Store delivery driver profile information in Azure Active Directory (Azure AD) by using an Azure Function called from the corporate website. ID token - A JWT that contains claims that you can use to identify users in your application. This token is securely sent in HTTP requests for communication between two components of the same application or service. You can use the claims in an ID token as you see fit. They're commonly used to display account information or to make access control decisions in an application. ID tokens are signed, but they're not encrypted. When your application or API receives an ID token, it must validate the signature to prove that the token is authentic. Your application or API must also validate a few claims in the token to prove that it's valid. Depending on the scenario requirements, the claims validated by an application can vary, but your application must perform some common claim validations in every scenario.
Box 2: Oid - Oid - The immutable identifier for the "principal" of the request: the user or service principal whose identity has been verified. In ID tokens and app+user tokens, this is the object ID of the user. In app-only tokens, this is the object ID of the calling service principal. It can also be used to perform authorization checks safely and as a key in database tables. This ID uniquely identifies the principal across applications: two different applications signing in the same user will receive the same value in the oid claim.
Incorrect: Aud - Identifies the intended recipient of the token. For Azure AD B2C, the audience is the application ID. Your application should validate this value and reject the token if it doesn't match. Audience is synonymous with resource. Idp - Records the identity provider that authenticated the subject of the token. This value is identical to the value of the Issuer claim unless the user account is not in the same tenant as the issuer (guests, for instance). If the claim isn't present, it means that the value of iss can be used instead. For personal accounts being used in an organizational context (for instance, a personal account invited to an Azure AD tenant), the idp claim may be 'live.com' or an STS URI containing the Microsoft account tenant.
Reference: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
Question 307
You need to secure the Azure Functions to meet the security requirements. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Store the RSA-HSM key in Azure Key Vault with soft-delete and purge-protection features enabled.
B. Store the RSA-HSM key in Azure Blob storage with an immutability policy applied to the container.
C. Create a free tier Azure App Configuration instance with a new Azure AD service principal.
D. Create a standard tier Azure App Configuration instance with an assigned Azure AD managed identity.
E. Store the RSA-HSM key in Azure Cosmos DB. Apply the built-in policies for customer-managed keys and allowed locations.
Scenario: All Azure Functions must centralize management and distribution of configuration data for different environments and geographies, encrypted by using a company-provided RSA-HSM key. Microsoft Azure Key Vault is a cloud-hosted management service that allows users to encrypt keys and small secrets by using keys that are protected by hardware security modules (HSMs). You need to create a managed identity for your application.
Reference: https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
Question 308
DRAG DROP - You need to add markup at line AM04 to implement the ContentReview role. How should you complete the markup? To answer, drag the appropriate json segments to the correct locations. Each json segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Select and Place:
Box 1: allowedMemberTypes - allowedMemberTypes specifies whether this app role definition can be assigned to users and groups by setting it to "User", or to other applications (that are accessing this application in daemon service scenarios) by setting it to "Application", or to both. Note: The following example shows the appRoles that you can assign to users.
    "appId": "8763f1c4-f988-489c-a51e-158e9ef97d6a",
    "appRoles": [
      {
        "allowedMemberTypes": [ "User" ],
        "displayName": "Writer",
        "id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
        "isEnabled": true,
        "description": "Writers have the ability to create tasks.",
        "value": "Writer"
      }
    ],
    "availableToOtherTenants": false,
Box 2: User - Scenario: In order to review content a user must be part of a ContentReviewer role.
Box 3: value - value specifies the value which will be included in the roles claim in authentication and access tokens.
Reference: https://docs.microsoft.com/en-us/graph/api/resources/approle
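The claim checks that Questions 306 and 308 describe, as an added example written for this page rather than code from the referenced docs: verify the signature before trusting anything, then check iss, aud and exp, use oid as the immutable key for the driver profile, and authorize content review from the roles claim that carries the app role's value. The HS256 secret, issuer, audience, oid and roles values are constructed placeholders; real Azure AD tokens are RS256-signed and are verified against the tenant's published signing keys (for example through MSAL), never with a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. Real Azure AD tokens are RS256-signed and are verified with
# the tenant's published signing keys (e.g. via MSAL), never with a shared secret.
DEMO_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
EXPECTED_AUDIENCE = "APP-CLIENT-ID-PLACEHOLDER"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_token(claims: dict) -> str:
    """Mint a constructed HS256 token so the validator has something to check."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_id_token(token: str, now=None) -> dict:
    """Check the signature first, then iss, aud and exp; return the trusted claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature mismatch: token is not authentic")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token was not issued for this application")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def driver_profile_key(claims: dict) -> str:
    # oid is immutable and identical across apps for the same user, so it is the
    # safe database key; email and display name can change or be reassigned.
    return claims["oid"]

def can_review_content(claims: dict) -> bool:
    # The app role's "value" from the manifest surfaces in the roles claim.
    return "ContentReviewer" in claims.get("roles", [])
```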
Question 309
HOTSPOT - You need to add code at line AM09 to ensure that users can review content using ContentAnalysisService. How should you complete the code? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: "oauth2Permissions": ["login"] - oauth2Permissions specifies the collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. These permission scopes may be granted to client apps during consent.
Box 2: "oauth2AllowImplicitFlow": true - For single-page applications (Angular, Ember.js, React.js, and so on), the Microsoft identity platform supports the OAuth 2.0 Implicit Grant flow.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest
Question 310
HOTSPOT - You need to ensure that network security policies are met. How should you configure network security? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area:
Box 1: Valid root certificate - Scenario: All websites and services must use SSL from a valid root certificate authority.
Box 2: Azure Application Gateway - Scenario: Any web service accessible over the Internet must be protected from cross-site scripting attacks. All internal services must only be accessible from internal Virtual Networks (VNets). All parts of the system must support inbound and outbound traffic restrictions. Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks. Application Gateway supports autoscaling, SSL offloading, end-to-end SSL, a web application firewall (WAF), cookie-based session affinity, URL path-based routing, multisite hosting, redirection, rewriting of HTTP headers and other features. Note: Both Nginx and Azure Application Gateway act as a reverse proxy with Layer 7 load-balancing features plus a WAF to ensure strong protection against common web vulnerabilities and exploits. You can modify the Nginx web server configuration/SSL for X-XSS protection. This helps to prevent cross-site scripting exploits by forcing the injection of HTTP headers with X-XSS protection.
Reference: https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview https://www.upguard.com/articles/10-tips-for-securing-your-nginx-deployment