Microsoft AZ-204 Practice Test - Questions Answers, Page 6

Scenario: Corporate website

While testing the site, the following error message displays:

CryptographicException: The system cannot find the file specified.

Step 1: Generate a certificate

Step 2: Upload the certificate to Azure Key Vault

Scenario: All SSL certificates and credentials must be stored in Azure Key Vault.

Step 3: Import the certificate to Azure App Service

Step 4: Update line SCO5 of Security.cs to include error handling and then redeploy the code

Reference:

https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate

Box 1: Validate JWT

The validate-jwt policy enforces existence and validity of a JWT extracted from either a specified HTTP Header or a specified query parameter.

Scenario: User authentication (see step 5 below)

The following steps detail the user authentication process:

1. The user selects Sign in in the website.

2. The browser redirects the user to the Azure Active Directory (Azure AD) sign in page.

3. The user signs in.

4. Azure AD redirects the user's session back to the web application. The URL includes an access token.

5. The web application calls an API and includes the access token in the authentication header. The application ID is sent as the audience ('aud') claim in the access token.

6. The back-end API validates the access token.

Incorrect Answers:

Limit call rate by key - Prevents API usage spikes by limiting call rate, on a per key basis.

Restrict caller IPs - Filters (allows/denies) calls from specific IP addresses and/or address ranges.

Check HTTP header - Enforces existence and/or value of a HTTP Header.

Box 2: Outbound

Reference:

https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies

A: Claims in access tokens

JWTs (JSON Web Tokens) are split into three pieces:

Header - Provides information about how to validate the token including information about the type of token and how it was signed.

Payload - Contains all of the important data about the user or app that is attempting to call your service.

Signature - Is the raw material used to validate the token.

E: Your client can get an access token from either the v1.0 endpoint or the v2.0 endpoint using a variety of protocols.

Scenario: User authentication (see step 5 below)

The following steps detail the user authentication process:

1. The user selects Sign in in the website.

2. The browser redirects the user to the Azure Active Directory (Azure AD) sign in page.

3. The user signs in.

4. Azure AD redirects the user's session back to the web application. The URL includes an access token.

5. The web application calls an API and includes the access token in the authentication header. The application ID is sent as the audience ('aud') claim in the access token.

6. The back-end API validates the access token.

Reference:

https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies

Scenario: You test the Logic app in a development environment. The following error message displays:

'400 Bad Request'

Troubleshooting of the error shows an HttpTrigger action to call the RequestUserApproval function.

Note: If the inbound call's request body doesn't match your schema, the trigger returns an HTTP 400 Bad Request error.

Box 1: function

If you have an Azure function where you want to use the system-assigned identity, first enable authentication for Azure functions.

Box 2: system-assigned

Your logic app or individual connections can use either the system-assigned identity or a single user-assigned identity, which you can share across a group of logic apps, but not both.

Reference:

https://docs.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity

Box 1: Premium

Service Bus can now emit events to Event Grid when there are messages in a queue or a subscription when no receivers are present. You can create Event Grid subscriptions to your Service Bus namespaces, listen to these events, and then react to the events by starting a receiver. With this feature, you can use Service Bus in reactive programming models.

To enable the feature, you need the following items:

A Service Bus Premium namespace with at least one Service Bus queue or a Service Bus topic with at least one subscription.

Contributor access to the Service Bus namespace.

Box 2: Contributor

Reference:

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-to-event-grid-integration-concept

Box 1:WebHook

Scenario: If an anomaly is detected, an Azure Function that emails administrators is called by using an HTTP WebHook.

endpointType: The type of endpoint for the subscription (webhook/HTTP, Event Hub, or queue).

Box 2: SubjectBeginsWith

Box 3: Microsoft.Storage.BlobCreated

Scenario: Log Policy

All Azure App Service Web Apps must write logs to Azure Blob storage. All log files should be saved to a container named logdrop. Logs must remain in the container for 15 days.

Example subscription schema

{

"properties": {

"destination": {

"endpointType": "webhook",

"properties": {

"endpointUrl": "https://example.azurewebsites.net/api/HttpTriggerCSharp1?code=VXbGWce53l48Mt8wuotr0GPmyJ/nDT4hgdFj9DpBiRt38qqnnm5OFg=="

}

},

"filter": {

"includedEventTypes": [ "Microsoft.Storage.BlobCreated", "Microsoft.Storage.BlobDeleted" ],

"subjectBeginsWith": "blobServices/default/containers/mycontainer/log",

"subjectEndsWith": ".jpg",

"isSubjectCaseSensitive ": "true"

}

}

}

Reference:

https://docs.microsoft.com/en-us/azure/event-grid/subscription-creation-schema

Application Insights provides three additional data types for custom telemetry:

Trace - used either directly, or through an adapter to implement diagnostics logging using an instrumentation framework that is familiar to you, such as Log4Net or System.Diagnostics.

Event - typically used to capture user interaction with your service, to analyze usage patterns.

Metric - used to report periodic scalar measurements.

Scenario:

Policy service must use Application Insights to automatically scale with the number of policy actions that it is performing.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/app/data-model

Scenario: Exclude non-user actions from Application Insights telemetry.

Box 1: ITelemetryProcessor To create a filter, implement ITelemetryProcessor. This technique gives you more direct control over what is included or excluded from the telemetry stream.

Box 2: ITelemetryProcessor

Box 3: ITelemetryProcessor

Box 4: RequestTelemetry

Box 5: /health

To filter out an item, just terminate the chain.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/app/api-filtering-sampling

Scenario: You have a shared library named PolicyLib that contains functionality common to all ASP.NET Core web services and applications. The PolicyLib library must:

Exclude non-user actions from Application Insights telemetry.

Provide methods that allow a web service to scale itself.

Ensure that scaling actions do not disrupt application usage.

Box 1: ITelemetryInitializer Use telemetry initializers to define global properties that are sent with all telemetry; and to override selected behavior of the standard telemetry modules.

Box 2: Initialize

Box 3: Telemetry.Context

Box 4: ((EventTelemetry)telemetry).Properties["EventID"]

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/app/api-filtering-sampling