Topic 3: City Power & Light

   

Case study
This is a case study. Case studies are not timed separately. You can use as much
exam time as you would like to complete each case. However, there may be additional
case studies and sections on this exam. You must manage your time to ensure that you
are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information
that is provided in the case study. Case studies might contain exhibits and other resources
that provide more information about the scenario that is described in the case study. Each
question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review
your answers and to make changes before you move to the next section of the exam. After
you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the
left pane to explore the content of the case study before you answer the questions. Clicking
these buttons displays information such as business requirements, existing environment,
and problem statements. When you are ready to answer a question, click the Question
button to return to the question.
Background

City Power & Light company provides electrical infrastructure monitoring solutions for
homes and businesses. The company is migrating solutions to Azure.
Current environment
Architecture overview
The company has a public website located at http://www.cpandl.com/. The site is a singlepage
web application that runs in Azure App Service on Linux. The website uses files
stored in Azure Storage and cached in Azure Content Delivery Network (CDN) to serve
static content.

API Management and Azure Function App functions are used to process and store data in
Azure Database for PostgreSQL. API Management is used to broker communications to
the Azure Function app functions for Logic app integration. Logic apps are used to
orchestrate the data processing while Service Bus and Event Grid handle messaging and
events.
The solution uses Application Insights, Azure Monitor, and Azure Key Vault.
Architecture diagram
The company has several applications and services that support their business. The
company plans to implement serverless computing where possible. The overall architecture
is shown below.

User authentication
The following steps detail the user authentication process:
The user selects Sign in in the website.
The browser redirects the user to the Azure Active Directory (Azure AD) sign in
page.
The user signs in.
Azure AD redirects the user’s session back to the web application. The URL
includes an access token.
The web application calls an API and includes the access token in the
authentication header. The application ID is sent as the audience (‘aud’) claim in
the access token.
The back-end API validates the access token.

Requirements
Corporate website
Communications and content must be secured by using SSL.
Communications must use HTTPS.
Data must be replicated to a secondary region and three availability zones.
Data storage costs must be minimized.
Azure Database for PostgreSQL
The database connection string is stored in Azure Key Vault with the following attributes:
Azure Key Vault name: cpandlkeyvault
Secret name: PostgreSQLConn
Id: 80df3e46ffcd4f1cb187f79905e9a1e8
The connection information is updated frequently. The application must always use the
latest information to connect to the database.
Azure Service Bus and Azure Event Grid
Azure Event Grid must use Azure Service Bus for queue-based load leveling.
Events in Azure Event Grid must be routed directly to Service Bus queues for use
in buffering.
Events from Azure Service Bus and other Azure services must continue to be
routed to Azure Event Grid for processing.
Security
All SSL certificates and credentials must be stored in Azure Key Vault.
File access must restrict access by IP, protocol, and Azure AD rights.
All user accounts and processes must receive only those privileges which are
essential to perform their intended function.
Compliance
Auditing of the file updates and transfers must be enabled to comply with General Data
Protection Regulation (GDPR). The file updates must be read-only, stored in the order in
which they occurred, include only create, update, delete, and copy operations, and be
retained for compliance reasons.
Issues
Corporate website
While testing the site, the following error message displays:
CryptographicException: The system cannot find the file specified.

Function app
You perform local testing for the RequestUserApproval function. The following error
message displays:
'Timeout value of 00:10:00 exceeded by function: RequestUserApproval'
The same error message displays when you test the function in an Azure development
environment when you run the following Kusto query:
FunctionAppLogs
| where FunctionName = = "RequestUserApproval"
Logic app
You test the Logic app in a development environment. The following error message
displays:
'400 Bad Request'
Troubleshooting of the error shows an HttpTrigger action to call the RequestUserApproval
function.
Code
Corporate website
Security.cs:

You need to configure the Account Kind, Replication, and Storage tier options for the
corporate website’s Azure Storage account.
How should you complete the configuration? To answer, select the appropriate options in
the dialog box in the answer area.
NOTE: Each correct selection is worth one point.


Account Kind: StorageV2 (general-purpose v2)
Scenario: Azure Storage blob will be used (refer to the exhibit). Data storage costs must be
minimized.
General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and
tables. Recommended for most scenarios using Azure Storage.

You need to investigate the Azure Function app error message in the development
environment.
What should you do?

A.

Connect Live Metrics Stream from Application Insights to the Azure Function app and

filter the metrics.

B.

Create a new Azure Log Analytics workspace and instrument the Azure Function app
with Application Insights

C.

Update the Azure Function app with extension methods from
Microsoft.Extensions.Logging to log events by using the log instance.

D.

Add a new diagnostic setting to the Azure Function app to send logs to Log Analytics.

A.   

Connect Live Metrics Stream from Application Insights to the Azure Function app and

filter the metrics.



Azure Functions offers built-in integration with Azure Application Insights to monitor
functions.
The following areas of Application Insights can be helpful when evaluating the behavior,
performance, and errors in your functions:
Live Metrics: View metrics data as it's created in near real-time.
Failures
Performance Metrics
Reference:
https://docs.microsoft.com/en-us/azure/azure-functions/functions-monitoring

You need to authenticate the user to the corporate website as indicated by the architectural
diagram.
Which two values should you use? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A.

ID token signature

B.

ID token claims

C.

HTTP response code

D.

Azure AD endpoint URI

E.

Azure AD tenant ID

A.   

ID token signature


D.   

Azure AD endpoint URI



Claims in access tokens
JWTs (JSON Web Tokens) are split into three pieces:
Header - Provides information about how to validate the token including
information about the type of token and how it was signed.
Payload - Contains all of the important data about the user or app that is
attempting to call your service.
Signature - Is the raw material used to validate the token.
Your client can get an access token from either the v1.0 endpoint or the v2.0 endpoint
using a variety of protocols.
Scenario: User authentication (see step 5 below)
The following steps detail the user authentication process:
The user selects Sign in in the website.

The browser redirects the user to the Azure Active Directory (Azure AD) sign in
page.
The user signs in.
Azure AD redirects the user’s session back to the web application. The URL
includes an access token.
The web application calls an API and includes the access token in the
authentication header. The application ID is sent as the audience (‘aud’) claim in
the access token.
The back-end API validates the access token.
Reference:
https://docs.microsoft.com/en-us/azure/api-management/api-management-accessrestriction-
policies

You need to configure API Management for authentication.
Which policy values should you use? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.


Box 1: Validate JWT
The validate-jwt policy enforces existence and validity of a JWT extracted from either a
specified HTTP Header or a specified query parameter.
Scenario: User authentication (see step 5 below)
The following steps detail the user authentication process:
The user selects Sign in in the website.

The browser redirects the user to the Azure Active Directory (Azure AD) sign in
page.
The user signs in.
Azure AD redirects the user’s session back to the web application. The URL
includes an access token.
The web application calls an API and includes the access token in the
authentication header. The application ID is sent as the audience (‘aud’) claim in
the access token.
The back-end API validates the access token.
Box 2: Outbound

You need to retrieve the database connection string.
Which values should you use? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.


Azure database connection string retrieve REST API vault.azure.net/secrets/
Box 1: cpandlkeyvault
We specify the key vault, cpandlkeyvault.
Scenario: The database connection string is stored in Azure Key Vault with the following
attributes:
Azure Key Vault name: cpandlkeyvault
Secret name: PostgreSQLConn
Id: 80df3e46ffcd4f1cb187f79905e9a1e8
Box 2: PostgreSQLConn
We specify the secret, PostgreSQLConn
Example, sample request:
https://myvault.vault.azure.net//secrets/mysecretname/4387e9f3d6e14c459867679a90fd0f
79?api-version=7.1
Box 3: Querystring

ASP.NET Core API app by using C#. The API app will allow users to authenticate by using Twitter and Azure Active Directory (Azure AD).
Users must be authenticated before calling API methods. You must log the user’s name for
each method call.
You need to configure the API method calls.
Which values should you use? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.


+ Explanation:
Box 1: Authorize
Box 2: X-MS-CLIENT-PRINCIPAL-NAME
App Service passes user claims to your application by using special headers. External

requests aren't allowed to set these headers, so they are present only if set by App
Service. Some example headers include:
X-MS-CLIENT-PRINCIPAL-NAME
X-MS-CLIENT-PRINCIPAL-ID
Here's the set of headers you get from Easy Auth for a Twitter authenticated user:
{
"cookie": "AppServiceAuthSession=Lx43...xHDTA==",
"x-ms-client-principal-name": "evilSnobu",
"x-ms-client-principal-id": "35....",
"x-ms-client-principal-idp": "twitter",
"x-ms-token-twitter-access-token": "35...Dj",
"x-ms-token-twitter-access-token-secret": "OK3...Jx",
}
References:
https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to

Note: This question is part of a series of questions that present the same scenario.
Each question in the series contains a unique solution that might meet the stated
goals. Some question sets might have more than one correct solution, while others
might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a
result, these questions will not appear in the review screen.
You are developing an Azure solution to collect point-of-sale (POS) device data from 2,000
stores located throughout the world. A single device can produce 2 megabytes (MB) of
data every 24 hours. Each store location has one to five devices that send data.

You must store the device data in Azure Blob storage. Device data must be correlated
based on a device identifier. Additional stores are expected to open in the future.
You need to implement a solution to receive the device data.
Solution: Provision an Azure Notification Hub. Register all devices with the hub.
Does the solution meet the goal?

A.

Yes

B.

No

B.   

No



Instead use an Azure Service Bus, which is used order processing and financial
transactions.
Reference:
https://docs.microsoft.com/en-us/azure/event-grid/compare-messaging-services

You are preparing to deploy a Python website to an Azure Web App using a container. The
solution will use multiple containers in the same container group. The Dockerfile that builds
the container is as follows:


Box 1: -SKU B1 -hyper-v
-hyper-v
Host web app on Windows container.
Box 2: -deployment-source-url images.azurecr.io/website:v1.0.0
-deployment-source-url -u
Git repository URL to link with manual integration.
The Web App must always run the same version of the website regardless of future builds.
Incorrect:
-deployment-container-image-name -i
Linux only. Container image name from Docker Hub, e.g. publisher/image-name:tag.
Box 3: az webapp config container set -url https://images.azurecr.io -u admin -p admin
az webapp config container set
Set a web app container's settings.
Paremeter: -docker-registry-server-url -r
The container registry server url.
The Azure Container Registry instance named images is a private registry.
Example:

az webapp config container set -docker-registry-server-url https://{azure-container-registryname}.
azurecr.io

You are developing a medical records document management website. The website is
used to store scanned copies of patient intake forms. If the stored intake forms are
downloaded from storage by a third party, the content of the forms must not be
compromised.
You need to store the intake forms according to the requirements.
Solution:
uk.co.certification.simulator.questionpool.PList@ed015f0
Does the solution meet the goal?

A.

Yes

B.

No

B.   

No

You are developing a new page for a website that uses Azure Cosmos DB for data storage.
The feature uses documents that have the following format:
You must display data for the new page in a specific order. You create the following query
for the page:
You need to configure a Cosmos DB policy to the support the query.
How should you configure the policy? To answer, drag the appropriate JSON segments to
the correct locations. Each JSON segment may be used once, more than once, or not at
all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.


Box 1: compositeIndexes
You can order by multiple properties. A query that orders by multiple properties requires a
composite index.
Box 2: descending
Example: Composite index defined for (name ASC, age ASC):
It is optional to specify the order. If not specified, the order is ascending.
{
"automatic":true,
"indexingMode":"Consistent",
"includedPaths":[
{
"path":"/*"
}
],
"excludedPaths":[],
"compositeIndexes":[
[
{
"path":"/name",

},
{
"path":"/age",
}
]
]
}
Page 3 out of 28 Pages
AZ-204 Practice Test Previous

Are You Truly Prepared?

Don't risk your exam fee on uncertainty. Take this definitive practice test to validate your readiness for the Microsoft AZ-204 exam.

Enroll Now