Practice Test #2

Correct: A (group). The command `az group create --location centralus --name $resourcegroupname` creates an Azure Resource Group, which is the logical container for the App Service plan, web app, and deployment slot. Resource groups are required to organize and manage lifecycle, RBAC, and billing boundaries. Why others are wrong: - B (webapp) creates an App Service Web App, not a resource group. - C (appservice plan) creates the hosting plan, but it must be placed in an existing resource group. - D (webapp deployment slot) creates a slot under an existing web app. - E (webapp deployment source) configures source control deployment for an existing web app/slot. In Azure CLI, `az group` is always used for resource group operations, and `--location` is required because the resource group has a region metadata value.

Correct: C (`appservice plan`). The command `az appservice plan create --name $webappname --resource-group $resourcegroupname --sku S3` creates the App Service plan that will host the web app. An App Service plan must exist before the web app can be created, and a Standard-tier SKU supports deployment slots. The other options are incorrect because they create different resource types. `group` creates a resource group, `webapp` creates the app itself, `webapp deployment slot` creates a slot only after the app exists, and `webapp deployment source` configures source control deployment rather than hosting capacity.

Correct: B (webapp). The command `az webapp create --name $webappname --resource-group $resourcegroupname --plan $webappname` creates the App Service web app and associates it with the App Service plan created earlier. The `--plan` parameter binds the web app to the compute resources and pricing tier. Why others are wrong: - A (group) is unrelated; resource group already exists. - C (appservice plan) would create/modify a plan, but here we are creating the web app that runs in the plan. - D (webapp deployment slot) requires an existing web app; it does not create the main app. - E (webapp deployment source) configures deployment, not the web app itself. Real-world note: For Java, you often also set runtime stack (e.g., `--runtime "JAVA|11-java11"`) or use `az webapp config set`, but this question focuses on the minimal commands for app + slot + GitHub deployment.

Correct: D (`webapp deployment slot`). The command `az webapp deployment slot create --name $webappname --resource-group $resourcegroupname --slot staging` creates a deployment slot named `staging` for the existing web app. This is required because the initial code release must be deployed to the staging slot rather than directly to production. The other options do not create a slot. `group` creates a resource group, `appservice plan` creates the hosting plan, `webapp` creates the main app, and `webapp deployment source` only configures repository-based deployment after the slot already exists.

Correct: E (webapp deployment source). The command `az webapp deployment source config --name $webappname --resource-group $resourcegroupname --slot staging --repo-url $gitrepo --branch master --manual-integration` configures GitHub-based deployment for the staging slot specifically. The presence of `deployment source config`, `--repo-url`, and `--branch` indicates source control integration. Why others are wrong: - A (group), C (appservice plan), and D (webapp deployment slot) do not manage repository integration. - B (webapp) manages the app resource but not the deployment source configuration subcommand. Key exam detail: `--slot staging` ensures code is deployed to the staging slot rather than production. `--manual-integration` means Azure won’t automatically pull on every commit via webhook; instead, you manually sync (useful for controlled evaluation). In production CI/CD, you’d more commonly use GitHub Actions or Azure DevOps pipelines, but this CLI approach is valid and frequently tested.

Answering “Pass” is appropriate because the correct authentication mechanism is well-defined by the requirements. To keep API calls secure while ensuring callers do not send credentials to the API, use OAuth 2.0/OpenID Connect with Microsoft Entra ID (Azure AD) issuing access tokens (JWTs). The caller authenticates to Entra ID, obtains an access token, and then calls the API with the token (Bearer). The API validates the token and authorizes based on scopes/roles. Why alternatives are wrong: API keys, shared access signatures, or basic authentication require the caller to send a secret/credential to the API, violating the requirement. Mutual TLS/client certificates also involve presenting a credential to the API endpoint. Entra ID token-based auth avoids credential handling in the API, supports short-lived tokens, and enables centralized policy controls (conditional access, MFA, app roles/scopes), aligning with exam best practices.

optionalClaims is not used to turn on Azure AD group membership claims. It is meant for requesting extra token claims such as specific user attributes in ID, access, or SAML tokens. Since the requirement is specifically to personalize the site based on AD groups, the relevant manifest setting is groupMembershipClaims. Therefore, optionalClaims should not be set to "All" for this requirement.

groupMembershipClaims controls whether and which group memberships are emitted in the token, and it uses string values such as "None", "SecurityGroup", "DirectoryRole", or "All". For a website that personalizes based on Active Directory groups, setting this property to "All" ensures the necessary group claims are included. A value of true is not the correct manifest format for this property. optionalClaims is unrelated to enabling group claims, so it is not the correct mechanism for this requirement.

The blank ends with "--name $webappname --resource-group myResourceGroup --sku FREE", which matches the syntax for creating an App Service plan: "az appservice plan create --name <planName> --resource-group <rg> --sku <tier>". The plan is required before creating the web app because the web app must run in a plan (unless using certain specialized offerings). Why others are wrong: - A (az webapp) would be used to create the web app, but the presence of "--sku FREE" indicates a plan SKU, not a web app property. - C (az webapp deployment) is for deployment-related operations, not plan creation. - D (az group delete) deletes a resource group and is unrelated to provisioning.

This fragment is tied to configuring source control for the web app because it includes repository-specific arguments such as "--repo-url", "--branch", and "--manual-integration". A plan parameter is only used during "az webapp create" to associate the app with an App Service plan, and it is not valid in the deployment source configuration step. Among the provided choices, "git clone $gitrepo" is the only repo-related option, even though in a real Azure CLI script the proper command would be part of "az webapp deployment source config" rather than a local Git clone. The current explanation is inaccurate because it places this fragment in the wrong command context.

Azure CLI uses the command "az webapp deployment source config" to configure GitHub or other source control deployment for an App Service web app. Because the prompt already includes "source config", the missing prefix must be "az webapp deployment". Option A, "az webapp", is incomplete and would not form a valid command in this syntax. The remaining options are for plan creation or resource group deletion and do not apply.

After "az webapp deployment source config", you provide the repository settings. The correct continuation is "--repo-url $gitrepo --branch master --manual-integration". This configures the web app to pull from the specified GitHub repository and branch. "--manual-integration" indicates App Service won’t automatically create/manage the GitHub webhook integration (often used when you’re not authenticating to GitHub in the CLI session), but it still sets the deployment source. Why the other option is wrong: - B (--plan $webappname) is only relevant when creating the web app (binding it to an App Service plan). It is not a valid parameter for "deployment source config".

Yes. The code calls: - line 06: var id = await src.AcquireLeaseAsync(null); In the Azure Storage .NET client library, AcquireLeaseAsync takes a nullable TimeSpan? for the lease duration. For blobs, a null duration requests an infinite lease (as opposed to a fixed-duration lease of 15–60 seconds). An infinite lease remains in effect until it is explicitly released (ReleaseLeaseAsync with the lease ID) or broken (BreakLeaseAsync). Why “No” is wrong: a finite lease would require a specific duration value within the allowed range. Since the code passes null, it is explicitly requesting the infinite lease behavior.

No. The code at line 06 does not create a new blob. Line 06 is AcquireLeaseAsync on the existing source blob (src). That operation only changes the lease state of the existing blob; it does not create any blob. Even if the intent of the question was “line 07” (GetBlockBlobReference), that also does not create a blob in the service—it only creates a local object that points to a blob name. The destination blob may be created later by StartCopyAsync (line 08) if it doesn’t already exist. Therefore, the statement “always creates a new blob” is incorrect: leasing never creates a blob, and even the destination reference creation is not a server-side create operation.

No. The finally block does not “release” the lease; it attempts to break it. Specifically: - It checks src.Properties.LeaseState != LeaseState.Available - Then calls BreakLeaseAsync(TimeSpan.Zero) Release vs Break: - ReleaseLeaseAsync is the normal way to release a lease and requires the lease ID returned by AcquireLeaseAsync. - BreakLeaseAsync forcibly ends the lease without needing the lease ID, transitioning the lease through Broken and eventually Available. Also, there’s a logic issue: src.Properties.LeaseState is only populated after FetchAttributesAsync, but the code checks LeaseState outside the src != null block. If src were null, this would throw. Assuming src is not null, the operation is still a break, not a release, so the statement is false.

Correct: D. Validate JWT. The validate-jwt policy is the dedicated APIM mechanism to authenticate/authorize callers using OAuth 2.0/OpenID Connect access tokens (JWTs). It validates the token signature (trust), token lifetime (exp/nbf), and intended recipient (aud), and can enforce issuer (iss) and required claims/scopes/roles. This is the expected answer when the prompt is about configuring APIM for authentication. Why others are wrong: A. Check HTTP header only verifies that a header exists or matches a value; it does not cryptographically validate a token or prove identity. B. Restrict caller IPs is a network control (useful for narrowing exposure) but does not authenticate a user/app and fails for roaming clients/NAT. C. Limit call rate by key is throttling/abuse protection; it can use subscription keys but that is not robust authentication and is often considered an additional control rather than primary auth.

Correct: A. Inbound. Authentication must be enforced before the request is sent to the backend service. The inbound policy section is executed as the request enters APIM, making it the correct place to validate credentials/tokens and reject unauthorized requests with 401/403 immediately. This reduces backend load, improves security posture, and is consistent with best practices (fail fast at the gateway). Why not outbound: B. Outbound policies run after the backend has processed the request and APIM is returning a response to the client. At that point, the backend may already have executed business logic and accessed data, which defeats the purpose of authentication enforcement. Outbound is intended for response transformations, adding/removing response headers, response caching directives, and similar post-processing tasks.