View AZ-204 Exam Questions

Q: 1

DRAG DROP You need to add YAML markup at line CS17 to ensure that the ContentUploadService can access Azure Storage access keys. How should you complete the YAML markup? To answer, drag the appropriate YAML segments to the correct locations. Each YAML segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. AZ-204 question

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

secret
envVar
secretValues
volumes
volumeMounts
environmentVariables

Discussion

Sara S. Apr 2, 2026 11:40 am

volumeMounts → Target 1, volumes → Target 2, secret → Target 3. That's how you attach a Kubernetes secret to a pod via a volume and then mount it into the container. Pretty sure this is the pattern for giving your service access to key files. Anyone see a different approach working?

Casey Mar 28, 2026 1:21 pm

Man, these drag and drops are always confusing-volumeMounts Target 1, volumes Target 2, secret Target 3.

Jordan S. Mar 31, 2026 9:18 pm

volumeMounts, volumes, secret is what I picked too. Standard for mounting secrets as files in pods.

Riley K. Mar 19, 2026 1:09 am

volumeMounts Target 1, volumes Target 2, secret Target 3. This matches standard Kubernetes practice for mounting secrets.

Maya M. Mar 20, 2026 9:24 pm

volumeMounts → Target 1, volumes → Target 2, secret → Target 3. This lines up with how you mount secrets as files in Kubernetes YAML. Saw a similar question on my last practice test and the main idea is to connect container volumeMounts to pod-level volumes, which sources from secret. Pretty sure this is right but let me know if you see otherwise.

Aisha Mar 21, 2026 4:19 pm

volumeMounts Target 1, volumes Target 2, secret Target 3. Trap is using envVar for file-based secret access.

Jordan Mar 26, 2026 2:20 pm

I don't think "environmentVariables" is right for Target 1, it's a common trap. Standard mapping here is volumeMounts for Target 1, volumes for 2, secret for 3.

Riley K. Mar 20, 2026 9:41 pm

Yeah, volumeMounts for Target 1, volumes at Target 2, and secret goes with Target 3. That matches how you'd mount a secret as a file in a pod spec. Pretty sure that's right for the scenario.

ChrisO Mar 24, 2026 1:32 pm

volumeMounts goes with Target 1, volumes for Target 2, secret for Target 3. That's the usual way to map a Secret as a file into a container in Kubernetes YAML, at least from what I remember. Let me know if you see another combo.

Vikram Mar 24, 2026 6:44 am

Yeah this fits what I'd expect for mounting secrets as files: volumeMounts, volumes, then secret. This matches the usual pod/container YAML structure I see in practice for Azure and Kubernetes. Pretty sure that's what the question wants here, but open to other takes.

Be respectful. No spam.

Correct Answer:

Answer Areas Target 1: E. volumeMounts Target 2: D. volumes Target 3: A. secret

Explanation

To make a Kubernetes Secret available to a container as a file, you must perform two main steps in the pod specification:

Define a volume: A volume is defined at the pod level under the volumes key. You must specify a name for the volume and its type. To use a Kubernetes Secret, the type is secret. This tells Kubernetes to populate the volume with the data from a specified Secret object.
Mount the volume: Inside the container definition, you specify a volumeMounts section. This links the volume defined at the pod level (using its name) to a specific file path (mountPath) inside the container, making the secret's data accessible as files at that location.

Therefore, volumeMounts is the correct segment for the container's mount point, volumes is for the pod-level volume definition, and secret specifies the volume's source.

References

Kubernetes Documentation, "Volumes": This official page explains how to declare volumes in a Pod (spec.volumes) and mount them into containers (spec.containers.volumeMounts). In the section "secret," it provides a clear example of using a Secret as a volume source.

Reference: kubernetes.io/docs/concepts/storage/volumes/#secret

Kubernetes Documentation, "Secrets": This documentation details how to use Secrets with Pods. The section "Using Secrets as files from a Pod" provides a step-by-step tutorial that shows the exact YAML structure required, confirming the use of volumes, volumeMounts, and the secret key to define the volume type.

Reference: kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

Q: 2

HOTSPOT You develop a Python application for image rendering. The application uses GPU resources to optimize rendering processes. You have the following requirements: • The application must be deployed to a Linux container. • The container must be stopped when the image rendering is complete. AZ-204 question

Your Answer

Discussion

Riley F. Mar 15, 2026 9:45 am

Looks like a reference question, so check the official Microsoft docs or the learning path labs. The right image is page_687_img_1.JPG.

Amelia D. Mar 30, 2026 9:25 pm

Similar question came up on a practice test, matching answer was page_687_img_1.JPG.

DanielC Mar 23, 2026 5:21 pm

page_687_img_1.JPG is the better choice here. Saw something similar in exam reports-this one sets the right restart policy so the container actually stops after rendering, not just runs with GPU/Linux. Pretty sure that's what they're testing.

Avery J. Mar 14, 2026 4:18 am

It should be page_687_img_1.JPG. The other image is tempting but doesn't align with the container stop requirement, which is a common trap on this type of question. If I'm missing something let me know.

Zoe Mar 26, 2026 8:43 pm

Not quite, it's actually page_687_img_1.JPG. The restart policy on 686 is a common trap.

Mason I. Mar 23, 2026 12:25 pm

page_687_img_1.JPG, that's the one matching the requirements here.

Avery K. Mar 30, 2026 8:50 am

Yeah I went for page_686_img_1.jpg. The GPU details matched up and it shows Linux, so seemed right to me.

Riley R. Mar 20, 2026 10:05 am

page_686_img_1.jpg

Alex Mar 13, 2026 12:16 pm

Why not page_687_img_1.JPG instead? page_686_img_1.jpg looks like a trap due to restart policy.

Chloe E. Mar 21, 2026 3:36 am

Nah, I think page_686_img_1.jpg is what I'd choose here. It shows Linux with GPU, looks like that's the main requirement trap.

Be respectful. No spam.

Correct Answer:

HTTPS://KXBJSYUHCEGGSYVXDKOF.SUPABASE.CO/STORAGE/V1/OBJECT/PUBLIC/FILE-IMAGES/AZ-204/PAGE_687_IMG_1.JPG

Explanation

Compute target: Azure Container Instances (ACI) is the most suitable choice. ACI is a serverless container-on-demand service ideal for workloads that run to completion, like a rendering job. It allows for the provisioning of single containers with GPU resources without the overhead of managing a full orchestration platform like Azure Kubernetes Service (AKS). The requirement to stop the container upon task completion aligns perfectly with ACI's task-based model.

Container termination: The Restart policy setting directly controls the lifecycle of the container after its main process exits. To ensure the container stops and does not restart after the rendering is finished, the restart policy should be set to OnFailure or Never. This ensures that once the application successfully completes its task (exits with code 0), the container instance stops as required.

References

Azure Container Instances (ACI) Documentation:

Microsoft Learn, "What is Azure Container Instances?". This document describes ACI as "a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs."

Microsoft Learn, "Run GPU-intensive workloads in Container Instances". This section confirms ACI's support for GPU resources, which is a key requirement. (Section: "GPU support")

Microsoft Learn, "Tutorial: Deploy a container application with a custom container image". This tutorial details the restartPolicy property for ACI container groups. It states: "The value of Never or OnFailure is best for task-based containers that run to completion." (Section: "Deploy the container")

Comparison of Azure Container Options:

Microsoft Learn, "Choose an Azure compute service for your application". This document compares services. For "Batch processing," it explicitly recommends ACI for "run-to-completion jobs." For AKS, it's recommended for "Orchestration" and "Long-running workloads," which is not the primary scenario described.

Q: 3

You need to implement the processing of enqueuer inventory items. Which message value should you use?

Options

Discussion

Daniel J. Mar 15, 2026 6:46 pm

Option B seen this type in both official docs and exam labs.

Riley C. Mar 15, 2026 3:42 pm

Option B

Ivy Mar 29, 2026 5:34 am

I don’t think it’s C. B is what Service Bus actually uses for message settlement and processing, not partition key. Partition key groups messages but isn’t used to complete or abandon them. Sequence number is how you uniquely track and process each item - seen this pattern in practice sets. If someone thinks otherwise, let me know.

Rowan H. Mar 20, 2026 10:15 am

Not D, it's B. Sequence number is what you use for reliable message processing with Service Bus, especially when handling settlement operations or tracking unique messages. Timestamp can help with sorting or grouping, but for processing logic, sequence number is key. Seen similar wording on practice exams.

JackW Mar 25, 2026 9:43 am

B Seen similar on practice sets-sequence number is what Service Bus expects when you process or settle messages. Timestamp's only for reporting, not settlement. Pretty sure it's B but open to debate if the scenario means something else.

Skyler V. Apr 2, 2026 11:20 am

It’s B for sure. Service Bus processing depends on the sequence number since that’s required to complete, abandon, or dead-letter messages-partition key and timestamp catch people out here, but they’re not used for settlement. I get why D looks tempting if you’re thinking audit, but in similar practice questions it’s always B. Open to pushback if anyone thinks otherwise.

Jason Mar 21, 2026 9:58 am

Pretty sure it's B for this one. Sequence number is the value used to uniquely identify and settle a Service Bus message when you're processing items, not timestamp. Timestamp would only matter if the question focused on when inventory arrived, which it doesn't here. Agree?

CarefulConsultant1822 Mar 18, 2026 6:19 am

Not B? I get why D (timestamp) looks tempting for tracking or reporting, but processing inventory messages usually relies on the sequence number in Azure Service Bus. That's what lets you settle or complete the message reliably. D is more for audits, not core processing. Let me know if I'm wrong!

Taylor Y. Mar 29, 2026 4:59 am

B makes sense here since you need sequence number for settlement or processing logic in Azure Service Bus. Timestamp would be for audit or ordering, but not actual processing. Pretty sure about this but let me know if anyone sees it different.

Kevin G. Mar 20, 2026 9:11 pm

Be respectful. No spam.

Correct Answer:

Explanation

The Sequence number is a unique 64-bit integer assigned by the Service Bus broker to each message upon acceptance. It functions as the message's unique internal identifier and represents its absolute order within the queue or topic. When implementing message processing logic, the sequence number is the fundamental value used to uniquely identify a message for settlement operations such as completing, abandoning, or dead-lettering. It is also essential for implementing idempotent receivers and for auditing or tracking purposes, making it the most critical value for processing any given message.

Why Incorrect

A. Session identifier: This is only used for the specific scenario of grouping related messages to ensure they are processed sequentially by a single consumer.

C. Partition key: This is used with partitioned entities to direct related messages to the same partition, primarily for improving throughput and scalability.

D. Time stamp: Timestamps like EnqueuedTimeUtc are metadata for application-level logic (e.g., checking message age) but are not the primary identifier for processing a message.

References

1. Microsoft Docs: Message sequencing and timestamps. This document explicitly states, "The sequence number is a unique 64-bit integer assigned to a message as it is accepted and stored by the broker and functions as its internal identifier... The sequence number can be trusted as a unique identifier since it is assigned by a central and neutral authority and not by clients."

Source: Microsoft Learn, Azure Service Bus Documentation, "Message sequencing and timestamps", Section: "Sequence number".

2. Microsoft Docs: Service Bus message sessions. This document clarifies the specific use case for sessions: "To realize a FIFO guarantee in Service Bus, use sessions. Message sessions enable joint and ordered handling of unbounded sequences of related messages."

Source: Microsoft Learn, Azure Service Bus Documentation, "Message sessions", Section: "Message sessions".

3. Microsoft Docs: Partitioned messaging entities. This document explains the role of the partition key: "When a client sends a message to a partitioned entity, Service Bus checks for the presence of a partition key. If it finds one, it selects the partition based on that key."

Source: Microsoft Learn, Azure Service Bus Documentation, "Partitioned messaging entities", Section: "Using a partition key".

Q: 4

DRAG DROP Fourth Coffee has an ASP.NET Core web app that runs in Docker. The app is mapped to the www.fourthcoffee.com domain. Fourth Coffee is migrating this application to Azure. You need to provision an App Service Web App to host this docker image and map the custom domain to the App Service web app. A resource group named FourthCoffeePublicWebResourceGroup has been created in the WestUS region that contains an App Service Plan named AppServiceLinuxDockerPlan. Which order should the CLI commands be used to develop the solution? To answer, move all of the Azure CLI command from the list of commands to the answer area and arrange them in the correct order.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

az webapp config hostname add --webapp-name $appName ChCoffee Public WebResource Group\ --resource-group fourth Coffee Public WebRe --hostname $fqdn
#/bin/bash appName="Fourth CoffeePublicWeb$random". location "WestUS" dockerHubContainerPath="Fourth Coffee/publicweb:v1" fqdn=http://www.fourthcoffee.com>www.fourthcoffee.com
az webapp create --name $appName --plan App ServiceLinuxDockerPlan --resource-group fourth Coffee PublicWebResourceGroup
az webapp config container set --docker-custom-image-name $dockerHibContainerPath --name $appName --resource-group fourth Coffee Public WebResourceGroup

Discussion

SkepticalEngineer5239 Mar 31, 2026 12:32 pm

Saw something almost identical in a practice exam. Vars first, then webapp create, container config, finally hostname add. That's the sequence Azure expects. Pretty sure that's correct but open to corrections.

Sam V. Mar 31, 2026 7:13 pm

Yeah, that's the flow I've always used: variables first, then create webapp, set the container image, finally add custom domain. Azure won't accept a domain mapping if the app doesn't exist yet. I think this matches how CLI lets you build deployments step by step. Anyone put hostname before container config and have issues?

Ivy H. Mar 17, 2026 4:10 pm

vars, then webapp create, next container set, last hostname add. That's the right CLI order for Azure migrations here.

Maya P. Mar 22, 2026 11:57 pm

vars, then webapp create, container config, finally hostname add. That's the usual Azure sequence.

Piya J. Mar 20, 2026 4:40 am

vars setup, then create the webapp, set the container image, finally add hostname.
Had something like this in a mock, and that sequence works since you can't assign a domain before the app exists. Pretty sure that's the correct flow, but chime in if anyone did it differently.

Taylor Mar 23, 2026 8:41 am

vars, webapp create, container config, hostname add. This is only correct if adding the domain doesn't need DNS validation up front.

Drew S. Mar 25, 2026 11:12 am

Makes sense to start with variable setup, then create the web app, set the container config, and finally map the custom domain.

Ethan K. Apr 1, 2026 4:59 am

Not quite, I think vars first, then webapp create, container config, and lastly hostname add. The trap here is putting the domain before the app even exists. Open to pushback if I'm missing something.

Noah K. Mar 13, 2026 12:23 am

The right flow is set vars first, then create web app, configure the Docker container, and finally add the custom hostname. So it's variables → create → container → hostname. Not 100% sure if you'd ever need to flip hostname before container but haven't seen that in Azure docs.

HannahD Mar 29, 2026 3:49 pm

Not quite, the order should be variables first so the shell has what it needs, then web app creation, then container config, and finally adding the custom domain. So it's: initialize variables → create web app → set Docker image → add hostname. Pretty sure this matches the actual workflow in Azure and avoids issues with missing resources or references. Domain mapping too early is a common trap.

Be respectful. No spam.

Correct Answer:

Answer Areas Target 1: B. #/bin/bash appName="Fourth CoffeePublicWeb$random". location "WestUS" dockerHubContainerPath="Fourth Coffee/publicweb:v1" fqdn=http://www.fourthcoffee.com>www.fourthcoffee.com Target 2: C. az webapp create --name $appName --plan App ServiceLinuxDockerPlan --resource-group fourth Coffee PublicWebResourceGroup Target 3: D. az webapp config container set --docker-custom-image-name $dockerHibContainerPath --name $appName --resource-group fourth Coffee Public WebResourceGroup Target 4: A. az webapp config hostname add --webapp-name $appName ChCoffee Public WebResource Group\ --resource-group fourth Coffee Public WebRe --hostname $fqdn

Explanation

The sequence of commands follows a logical provisioning workflow.

Initialize Variables: The script begins by setting up shell variables for the app name, location, Docker image path, and fully qualified domain name (FQDN). This is a necessary first step as subsequent commands rely on these variables.
Create Web App: The az webapp create command provisions the basic Azure App Service resource. You must create the web app before you can configure its container or add a custom domain.
Configure Container: Once the web app exists, az webapp config container set is used to specify the Docker container image that the App Service will run.
Add Custom Domain: Finally, with the web app created and configured, the az webapp config hostname add command maps the custom domain name (www.fourthcoffee.com) to the application.

References

Microsoft Docs, az webapp create: The documentation states this command is used to "Create a web app." It's the foundational step for provisioning the service. The examples for container apps show this command being run before container configuration.

Source: Microsoft Corporation. (2023). az webapp create. Azure CLI documentation. Retrieved from https://docs.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-latest#az-webapp-create

Microsoft Docs, az webapp config container set: This command is explicitly for "Set a web app's container settings." This implies that a web app must already exist to have its settings configured.

Source: Microsoft Corporation. (2023). az webapp config container. Azure CLI documentation. Retrieved from https://docs.microsoft.com/en-us/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set

Microsoft Docs, az webapp config hostname add: The documentation for this command explains how to "Bind a hostname to a web app." This action is performed on an existing web app, typically after the application itself is configured and running.

Source: Microsoft Corporation. (2023). az webapp config hostname. Azure CLI documentation. Retrieved from https://docs.microsoft.com/en-us/cli/azure/webapp/config/hostname?view=azure-cli-latest#az-webapp-config-hostname-add

Quickstart Guide, Create a container app: Tutorial documentation demonstrates the logical flow. The steps consistently show creating the resource group and App Service plan first, followed by az webapp create, then configuring settings like the container image, and finally mapping custom domains as a subsequent step.

Source: Microsoft Corporation. (2023). Quickstart: Create a container app in Azure App Service. Azure App Service documentation. See the "Create a container app" and "Configure container image" sections for the sequence. Retrieved from https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container

Q: 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this question, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials. You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user’s Azure AD group membership must be used to determine the permission level. You need to configure authorization. Solution: Configure the Azure Web App for the website to allow only authenticated requests and require Azure AD log on. Does the solution meet the goal?

Options

Discussion

HelpfulConsultant9099 Mar 25, 2026 11:51 am

B . Had something like this in a mock and just enabling Azure AD authentication won’t set the group-based permissions, it’s only auth not authorization. You still need to add logic or claims to handle group mapping. Anyone agree?

DirectAuditor1537 Mar 24, 2026 1:36 am

Option B saw a similar question in a practice test and it matched this answer.

Zoe Mar 31, 2026 2:41 pm

B , just requiring Azure AD login only handles authentication. You still need to map group membership to roles for authorization, otherwise users aren't getting specific permissions. Anyone disagree?

Aisha C. Mar 27, 2026 10:48 am

A tbh

Daniel A. Mar 23, 2026 9:30 am

You need group-based authorization, not just authentication, so B. Just requiring Azure AD login only covers the sign-in part, doesn't set the actual roles based on group membership. I think that's the key catch here, unless I'm missing a subtle detail.

FriendlyReviewer3342 Mar 16, 2026 5:47 pm

A makes more sense to me since requiring Azure AD login covers authentication, which I thought was the main goal here. Maybe I'm missing something about group mapping, but seems like A would be enough?

Zoe Mar 24, 2026 8:59 pm

A tbh

Grace T. Mar 27, 2026 3:25 am

B or maybe A if it just needed auth but I'm pretty sure it's B for group perms.

Aisha R. Mar 21, 2026 1:09 am

Its B

Amelia O. Mar 28, 2026 3:34 am

A but only if all users are put in default group since Azure AD login covers basic access.

Be respectful. No spam.

Correct Answer:

Explanation

The proposed solution only addresses the authentication requirement by configuring the Azure Web App to require an Azure Active Directory (Azure AD) login. This ensures that all users are authenticated. However, it does not fulfill the authorization requirement, which is to assign permission levels (admin, normal, reader) based on the user's Azure AD group membership. Implementing authorization requires additional steps, such as configuring the application registration in Azure AD to emit group or role claims and modifying the application code to interpret these claims to grant appropriate permissions. Therefore, the solution is incomplete.

Why Incorrect

A. Yes: This is incorrect because the solution only enforces authentication. It does not implement the required authorization logic to check a user's group membership and assign a permission level.

References

1. Microsoft Docs - Configure your App Service or Azure Functions app to use Azure AD login: This document explains the process of setting up authentication, which is what the proposed solution describes. It also has a section titled "Access user claims in app code," which clarifies that after authentication is configured, the application code must be used to access claims (like roles or groups) to make authorization decisions. This confirms that the proposed solution is only the first step and does not meet the full goal. (See section: Access user claims in app code).

2. Microsoft Docs - Tutorial: Add app roles to your application and receive them in the token: This tutorial details the necessary steps to implement role-based authorization, a common pattern for the scenario described. It involves defining roles in the Azure AD app registration, assigning users/groups to those roles, and then having the application code check for these roles in the token. This demonstrates the additional configuration required beyond simple authentication. (See section: Declare roles for an application).

3. Microsoft Docs - Configure group claims for applications by using Azure Active Directory: This document provides an alternative method for authorization by configuring the Azure AD application to include the user's security group memberships in the token. The application code would then need to parse these group claims to implement the required permission levels. This highlights that authorization based on groups is a distinct configuration step not covered by the proposed solution. (See section: Add group claims to tokens for SAML, JWT, and UPN-based applications).

Q: 6

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing an Azure Service application that processes queue data when it receives a message from a mobile application. Messages may not be sent to the service consistently. You have the following requirements: Queue size must not grow larger than 80 gigabytes (GB). Use first-in-first-out (FIFO) ordering of messages. Minimize Azure costs. You need to implement the messaging solution. Solution: Use the .Net API to add a message to an Azure Storage Queue from the mobile application. Create an Azure VM that is triggered from Azure Storage Queue events. Does the solution meet the goal?

Options

Discussion

Chris Mar 30, 2026 7:03 pm

Probably B. Storage Queue doesn't guarantee FIFO and VMs aren't the cheapest here.

Robin Mar 17, 2026 5:14 am

B. Storage Queue isn't strict FIFO, that's a classic trap on these. VM cost doesn't help either, so I see B as the right pick here. If anyone thinks Storage Queue is enough for true FIFO, let me know.

Robin Mar 19, 2026 1:31 pm

B, strict FIFO is the dealbreaker in this scenario since Storage Queue doesn't fully guarantee it. VM also adds unnecessary costs imo.

Aaron C. Mar 24, 2026 9:31 pm

A , since exam guides mention Storage Queues in lots of sample questions and they usually cover cost angles in the official docs. Check the Microsoft docs or run through more practice labs for this format.

Hannah O. Mar 20, 2026 7:15 am

B tbh. Storage Queue doesn't support strict FIFO, and using an Azure VM isn’t cheap for sporadic loads. Had something like this in a mock and the answer was B.

MethodicalArchitect5457 Mar 14, 2026 3:37 am

Its B for sure. Azure Storage Queues don't give you strict FIFO, so that fails the requirement right there. Plus, spinning up a VM just to process queue messages is overkill and won't help with cost savings, especially if messages come in at random. I'd go with a serverless function and Service Bus queue for strict FIFO if that's allowed-happy to hear other takes though.

Riley P. Mar 17, 2026 3:58 am

Its B, since Azure Storage Queue isn't true FIFO and a VM would waste money if messages are rare.

Jordan I. Mar 22, 2026 9:18 pm

B Storage Queue isn't strict FIFO so doesn't meet the requirement.

AdamG Mar 27, 2026 9:15 pm

Its A

Jason S. Mar 20, 2026 6:40 pm

B tbh, Storage Queue doesn't guarantee strict FIFO and that catches a lot of people on this kind of question. VM cost is a trap too. If I missed something let me know but B seems right.

Be respectful. No spam.

Correct Answer:

Explanation

The proposed solution does not meet the stated goals because it fails on two critical requirements. First, Azure Storage Queues do not guarantee strict First-In, First-Out (FIFO) message ordering, which is a mandatory requirement for the application. Second, using a dedicated Azure Virtual Machine (VM) to process queue messages is not a cost-effective solution for a workload with inconsistent message arrival. A continuously running VM incurs costs even when idle, violating the "minimize Azure costs" requirement. A serverless compute option, such as Azure Functions, would be more appropriate and cost-efficient.

Why Incorrect

A. Yes: This is incorrect. The solution fails to meet the mandatory FIFO ordering requirement by using Azure Storage Queues and the cost-minimization requirement by using an expensive, non-serverless compute option (Azure VM).

References

1. Microsoft Docs: Compare Storage Queues and Service Bus Queues. This official comparison table explicitly states that for Azure Storage Queues, ordering is "Not supported." For FIFO, it recommends Azure Service Bus Queues with sessions.

Source: Microsoft Learn, "Compare Azure Queues and Service Bus queues," Compare Storage Queues and Service Bus Queues table, Ordering row.

2. Microsoft Docs: Azure Queue Storage triggers for Azure Functions. This document highlights the cost-effectiveness of using serverless Azure Functions, which run only when triggered by a new queue message, aligning with the "minimize cost" requirement for inconsistent workloads.

Source: Microsoft Learn, "Azure Queue Storage triggers for Azure Functions," Overview section.

3. Microsoft Docs: Choose an Azure compute service. This guide recommends Azure Functions for event-driven workloads with a pay-per-use pricing model, contrasting with Azure VMs which are recommended for scenarios requiring full control over the OS and are less cost-effective for sporadic tasks.

Source: Microsoft Learn, "Choose an Azure compute service," Summary of choices section.

Q: 7

HOTSPOT You are preparing to deploy a Python website to an Azure Web App using a container. The solution will use multiple containers in the same container group. The Dockerfile that builds the container is as follows: You build a container by using the following command. The Azure Container Registry instance named images is a private registry. The user name and password for the registry is admin. The Web App must always run the same version of the website regardless of future builds. You need to create an Azure Web App to run the website. How should you complete the commands? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Your Answer

Discussion

Reese X. Mar 30, 2026 10:50 pm

Looks like the right pick is to use the version tag so the app always pulls that exact release. People often trip on thinking digest is needed but since the question just says "same version," not immutability, version tag it is.

Olivia B. Mar 14, 2026 11:19 pm

HTTPS://KXBJSYUHCEGGSYVXDKOF.SUPABASE.CO/STORAGE/V1/OBJECT/PUBLIC/FILE-IMAGES/AZ-204/PAGE_435_IMG_2.JPG

Taylor R. Mar 21, 2026 2:39 am

Makes sense to use the full version tag for this, since the question wants consistency and doesn't focus on image immutability. HTTPS://KXBJSYUHCEGGSYVXDKOF.SUPABASE.CO/STORAGE/V1/OBJECT/PUBLIC/FILE-IMAGES/AZ-204/PAGE_435_IMG_2.JPG

QuickLead7452 Mar 14, 2026 12:59 am

I remember a similar question popping up in some exam reports, and the answer was to use the version tag for consistency.

Jamie Mar 25, 2026 2:14 pm

Wouldn't pinning by digest actually guarantee immutability here, or is the exam just looking for a version tag?

Sofia N. Mar 19, 2026 7:43 pm

Is the requirement targeting "always the same version" based on image tag immutability, or should we pin by digest instead? If the registry is subject to tag re-use, using a digest instead of just :v1.0.0 would be safer.

Rowan S. Mar 19, 2026 6:15 pm

Seen similar practice sets, official docs and Azure Portal UI screenshots help here: pin with the specific version tag.

Zoe Mar 18, 2026 4:20 am

Similar question popped up on my exam, used the same image reference as in the screenshot.

Nathan C. Mar 14, 2026 7:38 pm

Saw this on a practice exam, think it's the image with the v1.0.0 tag not a digest.

Noah K. Mar 19, 2026 2:30 pm

Digest reference instead of version tag here, but I think that’s a trap since it doesn’t require strict immutability.

Be respectful. No spam.

Correct Answer:

HTTPS://KXBJSYUHCEGGSYVXDKOF.SUPABASE.CO/STORAGE/V1/OBJECT/PUBLIC/FILE-IMAGES/AZ-204/PAGE_435_IMG_2.JPG

Explanation

The Dockerfile specifies FROM python:3, which is a Linux-based container image. To host a Linux container in an Azure App Service, the underlying App Service Plan must be a Linux plan. The --is-linux flag explicitly creates a Linux App Service Plan. The --sku B1 option specifies the Basic pricing tier, which is a valid choice for container deployments.

The goal is to deploy a specific container image to the Web App. The --deployment-container-image-name parameter (aliased as -i or --image) is used to specify the full name of the image to run. The requirement is to always run the same version, so the specific version tag v1.0.0 must be used, not latest.

The problem states, "The user name and password for the registry is admin." Since the image is in a private registry, the Web App needs these credentials. The az webapp config container set command configures container settings. The --docker-registry-server-url must point to the registry's login server (https://images.azurecr.io). The command correctly supplies the username with -u admin and the password with -p admin.

References

Azure CLI Documentation for az appservice plan create: The --is-linux parameter is documented for creating an App Service plan to host Linux web apps.

Microsoft, "az appservice plan create," Azure CLI Reference, Microsoft Docs. Accessed October 2, 2025. Available: https://learn.microsoft.com/en-us/cli/azure/appservice/plan?view=azure-cli-latest#az-appservice-plan-create

Azure CLI Documentation for az webapp create: The --deployment-container-image-name (or its alias --image) parameter is used to specify the container image for the web app.

Microsoft, "az webapp create," Azure CLI Reference, Microsoft Docs. Accessed October 2, 2025. Available: https://learn.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-latest#az-webapp-create

Azure CLI Documentation for az webapp config container set: This command is used to configure the container settings, including the private registry server URL and credentials. The parameters -u/--docker-registry-server-user and -p/--docker-registry-server-password are explicitly for this purpose.

Microsoft, "az webapp config container set," Azure CLI Reference, Microsoft Docs. Accessed October 2, 2025. Available: https://learn.microsoft.com/en-us/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set

Tutorial: Deploy a custom container to App Service: This official tutorial shows the use of az webapp config container set with the registry URL, username, and password to pull an image from a private registry like ACR.

Microsoft, "Deploy a custom container to App Service," Azure App Service Documentation, Microsoft Docs. Accessed October 2, 2025. Available: https://learn.microsoft.com/en-us/azure/app-service/tutorial-custom-container

Q: 8

You are implementing an Azure API app that uses built-in authentication and authorization functionality. All app actions must be associated with information about the current user. You need to retrieve the information about the current user. What are two possible ways to achieve the goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

Options

Discussion

LeoB Mar 29, 2026 11:17 am

Tough one since headers can be tricky on the client, but I'd still pick A and C. Anyone disagree with both those?

JordanL Mar 16, 2026 9:27 pm

Not B, it's definitely A and C. Headers and the /.auth/me endpoint are how Easy Auth exposes user data, seen this in exam practice before. D is just login trigger, won't give user info. Anyone see it differently?

FocusedMentor2107 Mar 30, 2026 3:12 pm

C/A? Both give user info, but headers are more backend use and /.auth/me is handy for client apps.

Emma X. Mar 16, 2026 11:36 am

Looks like the correct picks are A and C here. HTTP headers and the /.auth/me endpoint both let you grab user info with Azure's built-in auth. If anyone thinks D is better, I'm open to being convinced but I doubt it!

Jamie L. Mar 13, 2026 8:59 pm

A and C tbh, seen this in practice tests and the official docs too.

Drew V. Mar 31, 2026 10:13 pm

B tbh

Sam V. Mar 21, 2026 1:00 am

Its A and C, D just starts login so doesn't give user info. B's a common trap.

Grace V. Apr 1, 2026 2:07 am

Don't think B or D fit here. A and C match the usual Easy Auth flow: headers for backend, /.auth/me for client-side details. D's just for kicking off login so wouldn't actually return user info.

Hannah Mar 16, 2026 8:19 pm

A and C tbh

ReeseQ Mar 25, 2026 9:36 am

Its A and C for sure. HTTP headers (A) are how server code gets user identity from Easy Auth, while /.auth/me (C) returns claims on the client side. That matches what's in the official docs and practice tests I’ve seen. Anyone think B or D could work?

Be respectful. No spam.

Correct Answer:

A, C

Explanation

Azure App Service's built-in authentication and authorization feature, often called "Easy Auth," provides two primary methods to access authenticated user information. For server-side code, the App Service platform injects user claims directly into the HTTP request headers, such as X-MS-CLIENT-PRINCIPAL-NAME and X-MS-CLIENT-PRINCIPAL. For client-side code (e.g., a single-page application), a GET request can be made to the special /.auth/me endpoint. This endpoint returns a JSON object containing all the claims for the currently logged-in user, which the client can then parse and use.

Why Incorrect

B. environment variables: Environment variables store application settings and secrets, which are static for the app instance, not dynamic per-user information for each request.

D. /.auth/login endpoint: The /.auth/login/ endpoint is used to initiate the authentication flow with a specific identity provider, not to retrieve details about an already authenticated user.

References

1. Microsoft Docs, "Authentication and authorization in Azure App Service and Azure Functions", Section: "Access user claims". This section explicitly states: "For all language frameworks, App Service makes the claims in the incoming token available to your code by injecting them into the request headers." It details the specific headers, including X-MS-CLIENT-PRINCIPAL, which validates option A.

2. Microsoft Docs, "Authentication and authorization in Azure App Service and Azure Functions", Section: "Retrieve user claims in code". This section describes the client-directed flow: "From client-side code, the client can send an HTTP GET request to the /.auth/me endpoint to get the user claims." This validates option C.

3. Microsoft Docs, "Authentication and authorization in Azure App Service and Azure Functions", Section: "Authentication flow". This section describes the purpose of the login endpoint: "The client app can then redirect the user to /.auth/login/ to sign in." This confirms that the /.auth/login endpoint is for initiating login, making option D incorrect.

Q: 9

HOTSPOT You are developing a microservices-based application that uses Azure Container Apps. The application consists of several containerized services that handle tasks, such as processing orders, managing inventory, and generating reports. You must secure the container apps All apps must reside in the same virtual network, share the same Dapr configuration, and share the same logging location. Apps must support the configuration of the amount of memory and compute resources available to containers. You need to configure the Azure Container App. How should you complete the CLI command' To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Your Answer

Discussion

AjayI Mar 20, 2026 9:29 pm

Yeah has to be the one using -enable-workload-profiles.

Luna I. Mar 30, 2026 2:45 am

Option with -enable-workload-profiles is right, not just the default env create. The profiles part is easy to miss.

Nathan R. Mar 26, 2026 3:51 pm

Why not just use default env create here without workload profiles?

Neha X. Mar 13, 2026 1:20 am

az containerapp env create with -enable-workload-profiles is the way to go. This flag lets you set resources per container app, which is what the scenario needs. I think that's the main thing exam wants to check here. Open to other thoughts if I missed a catch.

Vikram Mar 29, 2026 2:21 pm

Wouldn’t you need the -enable-workload-profiles flag to let each service pick its own CPU and memory? I think the regular env create command alone doesn’t support that for individual container apps. If anyone got a different result, let me know!

Taylor L. Mar 28, 2026 6:21 am

Which flag in the CLI enables workload profiles for Container App environments?

Leo C. Mar 31, 2026 5:02 pm

That image with -enable-workload-profiles flag is correct.

Nora H. Mar 23, 2026 5:37 pm

Not just the plain env create here, you need -enable-workload-profiles so each app can set CPU and memory. Some might think the default works, but that's a trap. Pretty sure this is right, but let me know if you see a flaw.

Aisha Mar 31, 2026 1:38 am

Yep, that's the one with -enable-workload-profiles.

Grace D. Mar 13, 2026 8:05 am

Gotta use -enable-workload-profiles when you need to configure memory and CPU per container app. The regular create command doesn't let you tweak those resources for each service. Pretty sure that's the catch here, correct me if I'm missing something.

Be respectful. No spam.

Correct Answer:

Explanation

The scenario requires creating a shared environment for multiple container apps that can utilize a common virtual network and share configurations. This is the function of an Azure Container App Environment.

The az containerapp env command group is used to manage Container App environments.
The create command within the env group is used to provision a new environment.
The requirement to support specific configurations for memory and compute resources for different apps is met by Workload Profiles. The --enable-workload-profiles flag must be used during the environment's creation to enable this feature.

The complete command is az containerapp env create --name MyContainerApp --resource-group MyResourceGroup --location eastus2 --enable-workload-profiles.

References

Microsoft Azure Documentation, "Workload profiles in Azure Container Apps environments". This document states, "Workload profiles determine the amount of compute and memory resources available to the container apps deployed in an environment... You configure workload profiles when you create a Container App environment". This justifies the use of --enable-workload-profiles.

Source: learn.microsoft.com/en-us/azure/container-apps/workload-profiles-overview

Microsoft Azure CLI Documentation, "az containerapp env create". This official command reference shows that to create a Container App Environment, the command structure is az containerapp env create. It also lists the --enable-workload-profiles parameter with the description, "Enable workload profiles for a container app environment."

Source: learn.microsoft.com/en-us/cli/azure/containerapp/env?view=azure-cli-latest#az-containerapp-env-create

Microsoft Azure Documentation, "Azure Container Apps environments". This document explains that a Container App Environment "acts as a secure boundary" where multiple container apps can "share the same virtual network" and "write logs to the same Log Analytics workspace," matching the requirements of the scenario.

Source: learn.microsoft.com/en-us/azure/container-apps/environment

Q: 10

DRAG DROP You need to ensure disaster recovery requirements are met. What code should you add at line PC16? To answer, drag the appropriate code fragments to the correct locations. Each code fragment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

true
SingleTransferContext
ShouldTransferCallbackAsync
false
Directory TransferContext
ShouldOverwriteCallbackAsync

Discussion

Ajay J. Mar 15, 2026 5:08 pm

SingleTransferContext → ShouldOverwriteCallbackAsync → true. Directory/TransferContext is a trap for single blob, always-overwrite needed for DR copies.

Nina Mar 18, 2026 10:16 am

I don’t think Directory TransferContext fits here since the requirement is for a single blob copy, not a folder. SingleTransferContext → ShouldOverwriteCallbackAsync → true matches how you guarantee DR overwrites every time, which is needed for recovery. Directory/ShouldTransferCallbackAsync/false is probably a trap if you just skim it. Anyone see a reason to choose otherwise?

KevinG Mar 14, 2026 11:43 pm

SingleTransferContext → ShouldOverwriteCallbackAsync → true is the correct sequence. DirectoryTransferContext is just for directory jobs, so that's a common trap. Always overwriting and using server-side copy lines up with standard DR best practices. Pretty sure this is right but yell if you spot a different scenario!

Emma J. Mar 20, 2026 11:48 pm

SingleTransferContext → ShouldOverwriteCallbackAsync → true is the right mapping. Saw a similar scenario in the official docs and labs: SingleTransferContext for blob-level control, ShouldOverwriteCallbackAsync to make sure overwrite happens, true for server-side DR efficiency. If you're prepping, check out code samples and try blob copy lab demos for this logic. Pretty sure this matches the exam pattern.

Mia B. Mar 19, 2026 9:29 pm

SingleTransferContext → ShouldOverwriteCallbackAsync → true makes sense here. For disaster recovery, you want to overwrite any existing blob every time, so those callbacks fit the requirement. Directory TransferContext is for folders, not single blobs. Pretty sure that's it, but let me know if you saw other logic.

Rowan P. Mar 23, 2026 10:49 am

SingleTransferContext → ShouldOverwriteCallbackAsync → true
Directory TransferContext is tempting but only applies for folder-level moves. For a single blob, SingleTransferContext is the right context, and overwriting is crucial in DR, so ShouldOverwriteCallbackAsync with true makes sense here. Pretty sure that’s what MS expects, but let me know if I missed something.

Hannah R. Mar 23, 2026 2:31 pm

SingleTransferContext → ShouldOverwriteCallbackAsync → true matches what I've seen in practice tests and lines up with DR best practices for overwriting the destination. Pretty sure that's right, but happy to hear other takes if anyone thinks differently. Official docs and exam guide back this up.

Owen U. Mar 14, 2026 4:22 am

SingleTransferContext → ShouldOverwriteCallbackAsync → true matches what I had on a mock. SingleTransferContext is for blob ops (not directories), and overwriting with server-side copy is standard for DR. Pretty confident but open if someone had different exam wording.

Hannah Mar 28, 2026 7:56 pm

SingleTransferContext → ShouldOverwriteCallbackAsync → true is the order I used too. SingleTransferContext fits since it's a single blob not a directory job, and ShouldOverwriteCallbackAsync guarantees we always overwrite for DR. Pretty sure that's how MS wants it, but open to another view if someone disagrees.

Sean I. Mar 31, 2026 4:39 pm

Nah, it needs SingleTransferContext then ShouldOverwriteCallbackAsync then true. Directory context is tempting but not for a single blob.

Be respectful. No spam.

Correct Answer:

Answer Area Bucket 1: B. SingleTransferContext Bucket 2: F. ShouldOverwriteCallbackAsync Bucket 3: A. true

Explanation

The goal is to implement a disaster recovery (DR) copy for a single blob.

SingleTransferContext: The operation involves copying a single blob object. The SingleTransferContext class is specifically designed to provide context, such as callbacks and progress tracking, for individual file or blob transfers. DirectoryTransferContext would be incorrect as it's used for directory-level operations.
ShouldOverwriteCallbackAsync: For disaster recovery, it's crucial that the destination (DR) blob is always a current copy of the source. If a version of the blob already exists at the DR location, it must be overwritten. Setting the ShouldOverwriteCallbackAsync callback to a function that always returns true ensures that the copy operation will overwrite any existing destination blob.
true: The isServiceCopy parameter specifies whether the copy should be server-side or client-side. Setting this to true initiates a server-side copy. This is highly efficient for DR because the Azure Storage service handles the data transfer directly between the source and destination storage accounts without downloading the data to the client and re-uploading it. This significantly reduces transfer time, cost, and client-side resource consumption.

References

Microsoft Docs - SingleTransferContext Class: The official documentation for the Microsoft.Azure.Storage.DataMovement.SingleTransferContext class lists the ShouldOverwriteCallbackAsync property. It is described as "a callback that is invoked to determine whether a transfer should overwrite an existing destination." This confirms its role in controlling overwrite behavior.

Source: Microsoft.Azure.Storage.DataMovement.SingleTransferContext.ShouldOverwriteCallbackAsync Property Documentation.

Microsoft Docs - Asynchronous Copy Blob: Documentation on copying blobs explains the mechanism of server-side asynchronous copies. It highlights that this method uses server resources, freeing up the client and running in the background. This is the operation initiated when isServiceCopy is set to true in the Data Movement Library, making it ideal for robust DR strategies.

Source: Azure Blob Storage Documentation, "Copy Blob" operation, section on server-side asynchronous copy.

Microsoft Docs - TransferManager.CopyAsync Method: The method signature and its parameters are detailed in the Data Movement Library reference. The isServiceCopy parameter's description confirms that a true value indicates the copy operation will be a server-side copy.

Source: Microsoft.Azure.Storage.DataMovement.TransferManager.CopyAsync Method Documentation.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE