View AZ-204 Exam Questions

Q: 1

DRAG DROP You need to add YAML markup at line CS17 to ensure that the ContentUploadService can access Azure Storage access keys. How should you complete the YAML markup? To answer, drag the appropriate YAML segments to the correct locations. Each YAML segment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. AZ-204 question

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

secret
envVar
secretValues
volumes
volumeMounts
environmentVariables

Discussion

Sara S. Feb 16, 2026 12:24 am

volumeMounts → Target 1, volumes → Target 2, secret → Target 3. That's how you attach a Kubernetes secret to a pod via a volume and then mount it into the container. Pretty sure this is the pattern for giving your service access to key files. Anyone see a different approach working?

Casey Feb 11, 2026 2:06 am

Man, these drag and drops are always confusing-volumeMounts Target 1, volumes Target 2, secret Target 3.

Jordan S. Feb 14, 2026 10:02 am

volumeMounts, volumes, secret is what I picked too. Standard for mounting secrets as files in pods.

Riley K. Feb 1, 2026 1:53 pm

volumeMounts Target 1, volumes Target 2, secret Target 3. This matches standard Kubernetes practice for mounting secrets.

Aisha Feb 4, 2026 5:04 am

volumeMounts Target 1, volumes Target 2, secret Target 3. Trap is using envVar for file-based secret access.

Jordan Feb 9, 2026 3:05 am

I don't think "environmentVariables" is right for Target 1, it's a common trap. Standard mapping here is volumeMounts for Target 1, volumes for 2, secret for 3.

Vikram Feb 6, 2026 7:29 pm

Yeah this fits what I'd expect for mounting secrets as files: volumeMounts, volumes, then secret. This matches the usual pod/container YAML structure I see in practice for Azure and Kubernetes. Pretty sure that's what the question wants here, but open to other takes.

Chloe N. Jan 30, 2026 12:12 pm

volumeMounts for Target 1, volumes for Target 2, secret for Target 3. Lines up with the usual Kubernetes YAML layout for mounting secrets. I think that’s the expected mapping but let me know if you see an edge case here.

Ryan F. Feb 2, 2026 9:04 pm

Think it's Target 1: environmentVariables, Target 2: secretValues, Target 3: secret. Maybe missing something with how the values reference secrets directly.

Mia Feb 2, 2026 12:52 pm

Pretty sure the correct order is volumeMounts for Target 1, volumes for Target 2, and secret for Target 3. That's how you'd get a Kubernetes secret as a file into the container like they want. Not fully confident if they'd want something else for env var access though, so willing to hear other opinions on it.

Be respectful. No spam.

Correct Answer:

Answer Areas Target 1: E. volumeMounts Target 2: D. volumes Target 3: A. secret

Explanation

To make a Kubernetes Secret available to a container as a file, you must perform two main steps in the pod specification:

Define a volume: A volume is defined at the pod level under the volumes key. You must specify a name for the volume and its type. To use a Kubernetes Secret, the type is secret. This tells Kubernetes to populate the volume with the data from a specified Secret object.
Mount the volume: Inside the container definition, you specify a volumeMounts section. This links the volume defined at the pod level (using its name) to a specific file path (mountPath) inside the container, making the secret's data accessible as files at that location.

Therefore, volumeMounts is the correct segment for the container's mount point, volumes is for the pod-level volume definition, and secret specifies the volume's source.

References

Kubernetes Documentation, "Volumes": This official page explains how to declare volumes in a Pod (spec.volumes) and mount them into containers (spec.containers.volumeMounts). In the section "secret," it provides a clear example of using a Secret as a volume source.

Reference: kubernetes.io/docs/concepts/storage/volumes/#secret

Kubernetes Documentation, "Secrets": This documentation details how to use Secrets with Pods. The section "Using Secrets as files from a Pod" provides a step-by-step tutorial that shows the exact YAML structure required, confirming the use of volumes, volumeMounts, and the secret key to define the volume type.

Reference: kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

Q: 2

HOTSPOT You develop a Python application for image rendering. The application uses GPU resources to optimize rendering processes. You have the following requirements: • The application must be deployed to a Linux container. • The container must be stopped when the image rendering is complete.

Your Answer

Discussion

Riley F. Jan 28, 2026 10:30 pm

Looks like a reference question, so check the official Microsoft docs or the learning path labs. The right image is page_687_img_1.JPG.

Amelia D. Feb 13, 2026 10:09 am

Similar question came up on a practice test, matching answer was page_687_img_1.JPG.

Avery J. Jan 27, 2026 5:02 pm

It should be page_687_img_1.JPG. The other image is tempting but doesn't align with the container stop requirement, which is a common trap on this type of question. If I'm missing something let me know.

Mason I. Feb 6, 2026 1:09 am

page_687_img_1.JPG, that's the one matching the requirements here.

Avery K. Feb 12, 2026 9:35 pm

Yeah I went for page_686_img_1.jpg. The GPU details matched up and it shows Linux, so seemed right to me.

Riley R. Feb 2, 2026 10:50 pm

page_686_img_1.jpg

Alex Jan 27, 2026 1:01 am

Why not page_687_img_1.JPG instead? page_686_img_1.jpg looks like a trap due to restart policy.

Chloe E. Feb 3, 2026 4:20 pm

Nah, I think page_686_img_1.jpg is what I'd choose here. It shows Linux with GPU, looks like that's the main requirement trap.

Ajay V. Jan 31, 2026 6:59 pm

page_686_img_1.jpg here. I was thinking that's the right one since it mentions Linux container and GPU, which looks like what image 686 shows. Not 100% sure though, these two filenames are easy to mix up.

CuriousOps1219 Feb 14, 2026 4:14 pm

Makes sense, I think it's page_687_img_1.JPG but not 100% sure since both seem close.

Be respectful. No spam.

Correct Answer:

HTTPS://KXBJSYUHCEGGSYVXDKOF.SUPABASE.CO/STORAGE/V1/OBJECT/PUBLIC/FILE-IMAGES/AZ-204/PAGE_687_IMG_1.JPG

Explanation

Compute target: Azure Container Instances (ACI) is the most suitable choice. ACI is a serverless container-on-demand service ideal for workloads that run to completion, like a rendering job. It allows for the provisioning of single containers with GPU resources without the overhead of managing a full orchestration platform like Azure Kubernetes Service (AKS). The requirement to stop the container upon task completion aligns perfectly with ACI's task-based model.

Container termination: The Restart policy setting directly controls the lifecycle of the container after its main process exits. To ensure the container stops and does not restart after the rendering is finished, the restart policy should be set to OnFailure or Never. This ensures that once the application successfully completes its task (exits with code 0), the container instance stops as required.

References

Azure Container Instances (ACI) Documentation:

Microsoft Learn, "What is Azure Container Instances?". This document describes ACI as "a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs."

Microsoft Learn, "Run GPU-intensive workloads in Container Instances". This section confirms ACI's support for GPU resources, which is a key requirement. (Section: "GPU support")

Microsoft Learn, "Tutorial: Deploy a container application with a custom container image". This tutorial details the restartPolicy property for ACI container groups. It states: "The value of Never or OnFailure is best for task-based containers that run to completion." (Section: "Deploy the container")

Comparison of Azure Container Options:

Microsoft Learn, "Choose an Azure compute service for your application". This document compares services. For "Batch processing," it explicitly recommends ACI for "run-to-completion jobs." For AKS, it's recommended for "Orchestration" and "Long-running workloads," which is not the primary scenario described.

Q: 3

You need to implement the processing of enqueuer inventory items. Which message value should you use?

Options

Discussion

Daniel J. Jan 29, 2026 7:30 am

Option B seen this type in both official docs and exam labs.

Riley C. Jan 29, 2026 4:26 am

Option B

Rowan H. Feb 2, 2026 11:00 pm

Not D, it's B. Sequence number is what you use for reliable message processing with Service Bus, especially when handling settlement operations or tracking unique messages. Timestamp can help with sorting or grouping, but for processing logic, sequence number is key. Seen similar wording on practice exams.

Jason Feb 3, 2026 10:43 pm

Pretty sure it's B for this one. Sequence number is the value used to uniquely identify and settle a Service Bus message when you're processing items, not timestamp. Timestamp would only matter if the question focused on when inventory arrived, which it doesn't here. Agree?

CarefulConsultant1822 Jan 31, 2026 7:03 pm

Not B? I get why D (timestamp) looks tempting for tracking or reporting, but processing inventory messages usually relies on the sequence number in Azure Service Bus. That's what lets you settle or complete the message reliably. D is more for audits, not core processing. Let me know if I'm wrong!

Taylor Y. Feb 11, 2026 5:44 pm

B makes sense here since you need sequence number for settlement or processing logic in Azure Service Bus. Timestamp would be for audit or ordering, but not actual processing. Pretty sure about this but let me know if anyone sees it different.

Kevin G. Feb 3, 2026 9:55 am

Nathan Jan 29, 2026 3:14 am

Probably B. Sequence number is used for processing and settling messages in Azure Service Bus.

SeasonedNeteng2084 Jan 27, 2026 4:01 pm

B most likely, but check the official guide and Azure docs to be sure since some practice exams can phrase this tricky.

Alex N. Feb 7, 2026 3:18 am

B imo, not D. Timestamp looks tempting but it's sequence number you use to actually process or settle messages in Azure Service Bus.

Be respectful. No spam.

Correct Answer:

Explanation

The Sequence number is a unique 64-bit integer assigned by the Service Bus broker to each message upon acceptance. It functions as the message's unique internal identifier and represents its absolute order within the queue or topic. When implementing message processing logic, the sequence number is the fundamental value used to uniquely identify a message for settlement operations such as completing, abandoning, or dead-lettering. It is also essential for implementing idempotent receivers and for auditing or tracking purposes, making it the most critical value for processing any given message.

Why Incorrect

A. Session identifier: This is only used for the specific scenario of grouping related messages to ensure they are processed sequentially by a single consumer.

C. Partition key: This is used with partitioned entities to direct related messages to the same partition, primarily for improving throughput and scalability.

D. Time stamp: Timestamps like EnqueuedTimeUtc are metadata for application-level logic (e.g., checking message age) but are not the primary identifier for processing a message.

References

1. Microsoft Docs: Message sequencing and timestamps. This document explicitly states, "The sequence number is a unique 64-bit integer assigned to a message as it is accepted and stored by the broker and functions as its internal identifier... The sequence number can be trusted as a unique identifier since it is assigned by a central and neutral authority and not by clients."

Source: Microsoft Learn, Azure Service Bus Documentation, "Message sequencing and timestamps", Section: "Sequence number".

2. Microsoft Docs: Service Bus message sessions. This document clarifies the specific use case for sessions: "To realize a FIFO guarantee in Service Bus, use sessions. Message sessions enable joint and ordered handling of unbounded sequences of related messages."

Source: Microsoft Learn, Azure Service Bus Documentation, "Message sessions", Section: "Message sessions".

3. Microsoft Docs: Partitioned messaging entities. This document explains the role of the partition key: "When a client sends a message to a partitioned entity, Service Bus checks for the presence of a partition key. If it finds one, it selects the partition based on that key."

Source: Microsoft Learn, Azure Service Bus Documentation, "Partitioned messaging entities", Section: "Using a partition key".

Q: 4

DRAG DROP Fourth Coffee has an ASP.NET Core web app that runs in Docker. The app is mapped to the www.fourthcoffee.com domain. Fourth Coffee is migrating this application to Azure. You need to provision an App Service Web App to host this docker image and map the custom domain to the App Service web app. A resource group named FourthCoffeePublicWebResourceGroup has been created in the WestUS region that contains an App Service Plan named AppServiceLinuxDockerPlan. Which order should the CLI commands be used to develop the solution? To answer, move all of the Azure CLI command from the list of commands to the answer area and arrange them in the correct order.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

az webapp config hostname add --webapp-name $appName ChCoffee Public WebResource Group\ --resource-group fourth Coffee Public WebRe --hostname $fqdn
#/bin/bash appName="Fourth CoffeePublicWeb$random". location "WestUS" dockerHubContainerPath="Fourth Coffee/publicweb:v1" fqdn=http://www.fourthcoffee.com>www.fourthcoffee.com
az webapp create --name $appName --plan App ServiceLinuxDockerPlan --resource-group fourth Coffee PublicWebResourceGroup
az webapp config container set --docker-custom-image-name $dockerHibContainerPath --name $appName --resource-group fourth Coffee Public WebResourceGroup

Discussion

Sam V. Feb 14, 2026 7:57 am

Yeah, that's the flow I've always used: variables first, then create webapp, set the container image, finally add custom domain. Azure won't accept a domain mapping if the app doesn't exist yet. I think this matches how CLI lets you build deployments step by step. Anyone put hostname before container config and have issues?

Ivy H. Jan 31, 2026 4:55 am

vars, then webapp create, next container set, last hostname add. That's the right CLI order for Azure migrations here.

Maya P. Feb 5, 2026 12:41 pm

vars, then webapp create, container config, finally hostname add. That's the usual Azure sequence.

Piya J. Feb 2, 2026 5:24 pm

vars setup, then create the webapp, set the container image, finally add hostname.
Had something like this in a mock, and that sequence works since you can't assign a domain before the app exists. Pretty sure that's the correct flow, but chime in if anyone did it differently.

Taylor Feb 5, 2026 9:25 pm

vars, webapp create, container config, hostname add. This is only correct if adding the domain doesn't need DNS validation up front.

Drew S. Feb 7, 2026 11:56 pm

Makes sense to start with variable setup, then create the web app, set the container config, and finally map the custom domain.

Ethan K. Feb 14, 2026 5:43 pm

Not quite, I think vars first, then webapp create, container config, and lastly hostname add. The trap here is putting the domain before the app even exists. Open to pushback if I'm missing something.

Noah K. Jan 26, 2026 1:07 pm

The right flow is set vars first, then create web app, configure the Docker container, and finally add the custom hostname. So it's variables → create → container → hostname. Not 100% sure if you'd ever need to flip hostname before container but haven't seen that in Azure docs.

HannahD Feb 12, 2026 4:33 am

Not quite, the order should be variables first so the shell has what it needs, then web app creation, then container config, and finally adding the custom domain. So it's: initialize variables → create web app → set Docker image → add hostname. Pretty sure this matches the actual workflow in Azure and avoids issues with missing resources or references. Domain mapping too early is a common trap.

PreciseArchitect8952 Jan 29, 2026 6:45 pm

Why do all these drag & drop CLI order questions keep coming up... still, the mapping should be:

Vars setup
Webapp create
Container config
Hostname add

I think that's right since Azure won't let you map a custom domain before the app/service exists. Not 100% sure if container config and hostname add could swap, but pretty sure this is it. Disagree?

Be respectful. No spam.

Correct Answer:

Answer Areas Target 1: B. #/bin/bash appName="Fourth CoffeePublicWeb$random". location "WestUS" dockerHubContainerPath="Fourth Coffee/publicweb:v1" fqdn=http://www.fourthcoffee.com>www.fourthcoffee.com Target 2: C. az webapp create --name $appName --plan App ServiceLinuxDockerPlan --resource-group fourth Coffee PublicWebResourceGroup Target 3: D. az webapp config container set --docker-custom-image-name $dockerHibContainerPath --name $appName --resource-group fourth Coffee Public WebResourceGroup Target 4: A. az webapp config hostname add --webapp-name $appName ChCoffee Public WebResource Group\ --resource-group fourth Coffee Public WebRe --hostname $fqdn

Explanation

The sequence of commands follows a logical provisioning workflow.

Initialize Variables: The script begins by setting up shell variables for the app name, location, Docker image path, and fully qualified domain name (FQDN). This is a necessary first step as subsequent commands rely on these variables.
Create Web App: The az webapp create command provisions the basic Azure App Service resource. You must create the web app before you can configure its container or add a custom domain.
Configure Container: Once the web app exists, az webapp config container set is used to specify the Docker container image that the App Service will run.
Add Custom Domain: Finally, with the web app created and configured, the az webapp config hostname add command maps the custom domain name (www.fourthcoffee.com) to the application.

References

Microsoft Docs, az webapp create: The documentation states this command is used to "Create a web app." It's the foundational step for provisioning the service. The examples for container apps show this command being run before container configuration.

Source: Microsoft Corporation. (2023). az webapp create. Azure CLI documentation. Retrieved from https://docs.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-latest#az-webapp-create

Microsoft Docs, az webapp config container set: This command is explicitly for "Set a web app's container settings." This implies that a web app must already exist to have its settings configured.

Source: Microsoft Corporation. (2023). az webapp config container. Azure CLI documentation. Retrieved from https://docs.microsoft.com/en-us/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set

Microsoft Docs, az webapp config hostname add: The documentation for this command explains how to "Bind a hostname to a web app." This action is performed on an existing web app, typically after the application itself is configured and running.

Source: Microsoft Corporation. (2023). az webapp config hostname. Azure CLI documentation. Retrieved from https://docs.microsoft.com/en-us/cli/azure/webapp/config/hostname?view=azure-cli-latest#az-webapp-config-hostname-add

Quickstart Guide, Create a container app: Tutorial documentation demonstrates the logical flow. The steps consistently show creating the resource group and App Service plan first, followed by az webapp create, then configuring settings like the container image, and finally mapping custom domains as a subsequent step.

Source: Microsoft Corporation. (2023). Quickstart: Create a container app in Azure App Service. Azure App Service documentation. See the "Create a container app" and "Configure container image" sections for the sequence. Retrieved from https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container

Q: 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this question, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials. You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user’s Azure AD group membership must be used to determine the permission level. You need to configure authorization. Solution: Configure the Azure Web App for the website to allow only authenticated requests and require Azure AD log on. Does the solution meet the goal?

Options

Discussion

HelpfulConsultant9099 Feb 8, 2026 12:35 am

B . Had something like this in a mock and just enabling Azure AD authentication won’t set the group-based permissions, it’s only auth not authorization. You still need to add logic or claims to handle group mapping. Anyone agree?

Zoe Feb 14, 2026 3:25 am

B , just requiring Azure AD login only handles authentication. You still need to map group membership to roles for authorization, otherwise users aren't getting specific permissions. Anyone disagree?

Aisha C. Feb 9, 2026 11:32 pm

A tbh

Grace T. Feb 9, 2026 4:09 pm

B or maybe A if it just needed auth but I'm pretty sure it's B for group perms.

Aisha R. Feb 3, 2026 1:54 pm

Its B

Amelia O. Feb 10, 2026 4:18 pm

A but only if all users are put in default group since Azure AD login covers basic access.

Ava W. Feb 1, 2026 10:55 am

A seems right, if you only need users to log in with Azure AD and don't need to set roles yet.

KaranL Feb 10, 2026 3:10 am

Option B Pretty sure A is a trap, as authentication alone doesn't handle those group permission levels.

PreciseEngineer9497 Feb 3, 2026 9:41 pm

Maybe B since just forcing Azure AD logon is authentication only, not group-based authorization. For permission levels, you need to map groups or roles too. Let me know if anyone thinks otherwise.

DirectEngineer1772 Jan 26, 2026 6:39 pm

Doesn't fully meet the goal, so B. Only authentication configured here, not the actual group-based authorization part.

Be respectful. No spam.

Correct Answer:

Explanation

The proposed solution only addresses the authentication requirement by configuring the Azure Web App to require an Azure Active Directory (Azure AD) login. This ensures that all users are authenticated. However, it does not fulfill the authorization requirement, which is to assign permission levels (admin, normal, reader) based on the user's Azure AD group membership. Implementing authorization requires additional steps, such as configuring the application registration in Azure AD to emit group or role claims and modifying the application code to interpret these claims to grant appropriate permissions. Therefore, the solution is incomplete.

Why Incorrect

A. Yes: This is incorrect because the solution only enforces authentication. It does not implement the required authorization logic to check a user's group membership and assign a permission level.

References

1. Microsoft Docs - Configure your App Service or Azure Functions app to use Azure AD login: This document explains the process of setting up authentication, which is what the proposed solution describes. It also has a section titled "Access user claims in app code," which clarifies that after authentication is configured, the application code must be used to access claims (like roles or groups) to make authorization decisions. This confirms that the proposed solution is only the first step and does not meet the full goal. (See section: Access user claims in app code).

2. Microsoft Docs - Tutorial: Add app roles to your application and receive them in the token: This tutorial details the necessary steps to implement role-based authorization, a common pattern for the scenario described. It involves defining roles in the Azure AD app registration, assigning users/groups to those roles, and then having the application code check for these roles in the token. This demonstrates the additional configuration required beyond simple authentication. (See section: Declare roles for an application).

3. Microsoft Docs - Configure group claims for applications by using Azure Active Directory: This document provides an alternative method for authorization by configuring the Azure AD application to include the user's security group memberships in the token. The application code would then need to parse these group claims to implement the required permission levels. This highlights that authorization based on groups is a distinct configuration step not covered by the proposed solution. (See section: Add group claims to tokens for SAML, JWT, and UPN-based applications).

Q: 6

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are developing an Azure Service application that processes queue data when it receives a message from a mobile application. Messages may not be sent to the service consistently. You have the following requirements: Queue size must not grow larger than 80 gigabytes (GB). Use first-in-first-out (FIFO) ordering of messages. Minimize Azure costs. You need to implement the messaging solution. Solution: Use the .Net API to add a message to an Azure Storage Queue from the mobile application. Create an Azure VM that is triggered from Azure Storage Queue events. Does the solution meet the goal?

Options

Discussion

Robin Feb 2, 2026 2:15 am

B, strict FIFO is the dealbreaker in this scenario since Storage Queue doesn't fully guarantee it. VM also adds unnecessary costs imo.

Aaron C. Feb 7, 2026 10:15 am

A , since exam guides mention Storage Queues in lots of sample questions and they usually cover cost angles in the official docs. Check the Microsoft docs or run through more practice labs for this format.

Hannah O. Feb 2, 2026 8:00 pm

B tbh. Storage Queue doesn't support strict FIFO, and using an Azure VM isn’t cheap for sporadic loads. Had something like this in a mock and the answer was B.

MethodicalArchitect5457 Jan 27, 2026 4:21 pm

Its B for sure. Azure Storage Queues don't give you strict FIFO, so that fails the requirement right there. Plus, spinning up a VM just to process queue messages is overkill and won't help with cost savings, especially if messages come in at random. I'd go with a serverless function and Service Bus queue for strict FIFO if that's allowed-happy to hear other takes though.

Jordan I. Feb 5, 2026 10:02 am

B Storage Queue isn't strict FIFO so doesn't meet the requirement.

AdamG Feb 10, 2026 9:59 am

Its A

Jason S. Feb 3, 2026 7:24 am

B tbh, Storage Queue doesn't guarantee strict FIFO and that catches a lot of people on this kind of question. VM cost is a trap too. If I missed something let me know but B seems right.

Vikram L. Jan 28, 2026 11:26 pm

Probably B. Storage Queue doesn’t guarantee true FIFO, so it won’t meet that requirement. Also running a VM just for queue processing would bump up costs, which goes against minimizing spend. Pretty sure B is right but open to pushback.

Noah M. Feb 1, 2026 3:55 am

A. Storage Queue with a VM still seems fine to me since it supports FIFO in most cases.

Luke Feb 4, 2026 1:54 pm

Not A here, B is the right pick.

Be respectful. No spam.

Correct Answer:

Explanation

The proposed solution does not meet the stated goals because it fails on two critical requirements. First, Azure Storage Queues do not guarantee strict First-In, First-Out (FIFO) message ordering, which is a mandatory requirement for the application. Second, using a dedicated Azure Virtual Machine (VM) to process queue messages is not a cost-effective solution for a workload with inconsistent message arrival. A continuously running VM incurs costs even when idle, violating the "minimize Azure costs" requirement. A serverless compute option, such as Azure Functions, would be more appropriate and cost-efficient.

Why Incorrect

A. Yes: This is incorrect. The solution fails to meet the mandatory FIFO ordering requirement by using Azure Storage Queues and the cost-minimization requirement by using an expensive, non-serverless compute option (Azure VM).

References

1. Microsoft Docs: Compare Storage Queues and Service Bus Queues. This official comparison table explicitly states that for Azure Storage Queues, ordering is "Not supported." For FIFO, it recommends Azure Service Bus Queues with sessions.

Source: Microsoft Learn, "Compare Azure Queues and Service Bus queues," Compare Storage Queues and Service Bus Queues table, Ordering row.

2. Microsoft Docs: Azure Queue Storage triggers for Azure Functions. This document highlights the cost-effectiveness of using serverless Azure Functions, which run only when triggered by a new queue message, aligning with the "minimize cost" requirement for inconsistent workloads.

Source: Microsoft Learn, "Azure Queue Storage triggers for Azure Functions," Overview section.

3. Microsoft Docs: Choose an Azure compute service. This guide recommends Azure Functions for event-driven workloads with a pay-per-use pricing model, contrasting with Azure VMs which are recommended for scenarios requiring full control over the OS and are less cost-effective for sporadic tasks.

Source: Microsoft Learn, "Choose an Azure compute service," Summary of choices section.

Q: 7

HOTSPOT You are preparing to deploy a Python website to an Azure Web App using a container. The solution will use multiple containers in the same container group. The Dockerfile that builds the container is as follows: You build a container by using the following command. The Azure Container Registry instance named images is a private registry. The user name and password for the registry is admin. The Web App must always run the same version of the website regardless of future builds. You need to create an Azure Web App to run the website. How should you complete the commands? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Your Answer

Discussion

Reese X. Feb 13, 2026 11:34 am

Looks like the right pick is to use the version tag so the app always pulls that exact release. People often trip on thinking digest is needed but since the question just says "same version," not immutability, version tag it is.

Olivia B. Jan 28, 2026 12:04 pm

HTTPS://KXBJSYUHCEGGSYVXDKOF.SUPABASE.CO/STORAGE/V1/OBJECT/PUBLIC/FILE-IMAGES/AZ-204/PAGE_435_IMG_2.JPG

Taylor R. Feb 3, 2026 3:23 pm

Makes sense to use the full version tag for this, since the question wants consistency and doesn't focus on image immutability. HTTPS://KXBJSYUHCEGGSYVXDKOF.SUPABASE.CO/STORAGE/V1/OBJECT/PUBLIC/FILE-IMAGES/AZ-204/PAGE_435_IMG_2.JPG

QuickLead7452 Jan 27, 2026 1:44 pm

I remember a similar question popping up in some exam reports, and the answer was to use the version tag for consistency.

Jamie Feb 8, 2026 2:58 am

Wouldn't pinning by digest actually guarantee immutability here, or is the exam just looking for a version tag?

Sofia N. Feb 2, 2026 8:27 am

Is the requirement targeting "always the same version" based on image tag immutability, or should we pin by digest instead? If the registry is subject to tag re-use, using a digest instead of just :v1.0.0 would be safer.

Rowan S. Feb 2, 2026 6:59 am

Seen similar practice sets, official docs and Azure Portal UI screenshots help here: pin with the specific version tag.

Zoe Jan 31, 2026 5:04 pm

Similar question popped up on my exam, used the same image reference as in the screenshot.

Noah K. Feb 2, 2026 3:15 am

Digest reference instead of version tag here, but I think that’s a trap since it doesn’t require strict immutability.

Sam Feb 7, 2026 3:46 pm

Pinning by version tag (like v1.0.0) seems to match what they're after since the question says "same version" and doesn't mention digests or immutability explicitly. I've seen both accepted but think the exam wants the tag here. Let me know if anyone else read it differently.

Be respectful. No spam.

Correct Answer:

HTTPS://KXBJSYUHCEGGSYVXDKOF.SUPABASE.CO/STORAGE/V1/OBJECT/PUBLIC/FILE-IMAGES/AZ-204/PAGE_435_IMG_2.JPG

Explanation

The Dockerfile specifies FROM python:3, which is a Linux-based container image. To host a Linux container in an Azure App Service, the underlying App Service Plan must be a Linux plan. The --is-linux flag explicitly creates a Linux App Service Plan. The --sku B1 option specifies the Basic pricing tier, which is a valid choice for container deployments.

The goal is to deploy a specific container image to the Web App. The --deployment-container-image-name parameter (aliased as -i or --image) is used to specify the full name of the image to run. The requirement is to always run the same version, so the specific version tag v1.0.0 must be used, not latest.

The problem states, "The user name and password for the registry is admin." Since the image is in a private registry, the Web App needs these credentials. The az webapp config container set command configures container settings. The --docker-registry-server-url must point to the registry's login server (https://images.azurecr.io). The command correctly supplies the username with -u admin and the password with -p admin.

References

Azure CLI Documentation for az appservice plan create: The --is-linux parameter is documented for creating an App Service plan to host Linux web apps.

Microsoft, "az appservice plan create," Azure CLI Reference, Microsoft Docs. Accessed October 2, 2025. Available: https://learn.microsoft.com/en-us/cli/azure/appservice/plan?view=azure-cli-latest#az-appservice-plan-create

Azure CLI Documentation for az webapp create: The --deployment-container-image-name (or its alias --image) parameter is used to specify the container image for the web app.

Microsoft, "az webapp create," Azure CLI Reference, Microsoft Docs. Accessed October 2, 2025. Available: https://learn.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-latest#az-webapp-create

Azure CLI Documentation for az webapp config container set: This command is used to configure the container settings, including the private registry server URL and credentials. The parameters -u/--docker-registry-server-user and -p/--docker-registry-server-password are explicitly for this purpose.

Microsoft, "az webapp config container set," Azure CLI Reference, Microsoft Docs. Accessed October 2, 2025. Available: https://learn.microsoft.com/en-us/cli/azure/webapp/config/container?view=azure-cli-latest#az-webapp-config-container-set

Tutorial: Deploy a custom container to App Service: This official tutorial shows the use of az webapp config container set with the registry URL, username, and password to pull an image from a private registry like ACR.

Microsoft, "Deploy a custom container to App Service," Azure App Service Documentation, Microsoft Docs. Accessed October 2, 2025. Available: https://learn.microsoft.com/en-us/azure/app-service/tutorial-custom-container

Q: 8

You are implementing an Azure API app that uses built-in authentication and authorization functionality. All app actions must be associated with information about the current user. You need to retrieve the information about the current user. What are two possible ways to achieve the goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

Options

Discussion

JordanL Jan 30, 2026 10:11 am

Not B, it's definitely A and C. Headers and the /.auth/me endpoint are how Easy Auth exposes user data, seen this in exam practice before. D is just login trigger, won't give user info. Anyone see it differently?

Jamie L. Jan 27, 2026 9:43 am

A and C tbh, seen this in practice tests and the official docs too.

Drew V. Feb 14, 2026 10:57 am

B tbh

Sam V. Feb 3, 2026 1:45 pm

Its A and C, D just starts login so doesn't give user info. B's a common trap.

Grace V. Feb 14, 2026 2:52 pm

Don't think B or D fit here. A and C match the usual Easy Auth flow: headers for backend, /.auth/me for client-side details. D's just for kicking off login so wouldn't actually return user info.

Hannah Jan 30, 2026 9:03 am

A and C tbh

ReeseQ Feb 7, 2026 10:21 pm

Its A and C for sure. HTTP headers (A) are how server code gets user identity from Easy Auth, while /.auth/me (C) returns claims on the client side. That matches what's in the official docs and practice tests I’ve seen. Anyone think B or D could work?

Mason U. Jan 27, 2026 1:57 pm

Not B, A and C. The question wants ways to get user info, and with Easy Auth you either read claims from HTTP headers (server) or hit /.auth/me (client). D is a trap since it only initiates login.

Jordan Feb 4, 2026 10:10 am

I’d say A and C. HTTP headers give user info on the server side with Easy Auth, and /.auth/me works if you need to grab claims from the client. Pretty sure D is just for login, not for getting current user details. Correct me if I'm missing a use case.

Taylor H. Jan 30, 2026 9:50 am

A and C tbh, D is just for login not user info, B won't give user claims.

Be respectful. No spam.

Correct Answer:

A, C

Explanation

Azure App Service's built-in authentication and authorization feature, often called "Easy Auth," provides two primary methods to access authenticated user information. For server-side code, the App Service platform injects user claims directly into the HTTP request headers, such as X-MS-CLIENT-PRINCIPAL-NAME and X-MS-CLIENT-PRINCIPAL. For client-side code (e.g., a single-page application), a GET request can be made to the special /.auth/me endpoint. This endpoint returns a JSON object containing all the claims for the currently logged-in user, which the client can then parse and use.

Why Incorrect

B. environment variables: Environment variables store application settings and secrets, which are static for the app instance, not dynamic per-user information for each request.

D. /.auth/login endpoint: The /.auth/login/ endpoint is used to initiate the authentication flow with a specific identity provider, not to retrieve details about an already authenticated user.

References

1. Microsoft Docs, "Authentication and authorization in Azure App Service and Azure Functions", Section: "Access user claims". This section explicitly states: "For all language frameworks, App Service makes the claims in the incoming token available to your code by injecting them into the request headers." It details the specific headers, including X-MS-CLIENT-PRINCIPAL, which validates option A.

2. Microsoft Docs, "Authentication and authorization in Azure App Service and Azure Functions", Section: "Retrieve user claims in code". This section describes the client-directed flow: "From client-side code, the client can send an HTTP GET request to the /.auth/me endpoint to get the user claims." This validates option C.

3. Microsoft Docs, "Authentication and authorization in Azure App Service and Azure Functions", Section: "Authentication flow". This section describes the purpose of the login endpoint: "The client app can then redirect the user to /.auth/login/ to sign in." This confirms that the /.auth/login endpoint is for initiating login, making option D incorrect.

Q: 9

HOTSPOT You are developing a microservices-based application that uses Azure Container Apps. The application consists of several containerized services that handle tasks, such as processing orders, managing inventory, and generating reports. You must secure the container apps All apps must reside in the same virtual network, share the same Dapr configuration, and share the same logging location. Apps must support the configuration of the amount of memory and compute resources available to containers. You need to configure the Azure Container App. How should you complete the CLI command' To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Your Answer

Discussion

Luna I. Feb 12, 2026 3:30 pm

Option with -enable-workload-profiles is right, not just the default env create. The profiles part is easy to miss.

Neha X. Jan 26, 2026 2:04 pm

az containerapp env create with -enable-workload-profiles is the way to go. This flag lets you set resources per container app, which is what the scenario needs. I think that's the main thing exam wants to check here. Open to other thoughts if I missed a catch.

Vikram Feb 12, 2026 3:05 am

Wouldn’t you need the -enable-workload-profiles flag to let each service pick its own CPU and memory? I think the regular env create command alone doesn’t support that for individual container apps. If anyone got a different result, let me know!

Taylor L. Feb 10, 2026 7:05 pm

Which flag in the CLI enables workload profiles for Container App environments?

Leo C. Feb 14, 2026 5:46 am

That image with -enable-workload-profiles flag is correct.

Nora H. Feb 6, 2026 6:21 am

Not just the plain env create here, you need -enable-workload-profiles so each app can set CPU and memory. Some might think the default works, but that's a trap. Pretty sure this is right, but let me know if you see a flaw.

Aisha Feb 13, 2026 2:22 pm

Yep, that's the one with -enable-workload-profiles.

Parker O. Feb 2, 2026 10:30 am

Right call, it's the image with -enable-workload-profiles for per-app resource config.

Nora Feb 11, 2026 12:12 pm

Workload profiles flag matters here, since that's what actually lets you configure compute/memory at app level. Saw similar question in a practice set where people missed it unless the question said 'most secure', which would flip it to require subnet config.

Jordan A. Feb 10, 2026 11:20 am

Yeah, the image with -enable-workload-profiles is it. That's what lets each app set resources. No extra flags needed.

Be respectful. No spam.

Correct Answer:

Explanation

The scenario requires creating a shared environment for multiple container apps that can utilize a common virtual network and share configurations. This is the function of an Azure Container App Environment.

The az containerapp env command group is used to manage Container App environments.
The create command within the env group is used to provision a new environment.
The requirement to support specific configurations for memory and compute resources for different apps is met by Workload Profiles. The --enable-workload-profiles flag must be used during the environment's creation to enable this feature.

The complete command is az containerapp env create --name MyContainerApp --resource-group MyResourceGroup --location eastus2 --enable-workload-profiles.

References

Microsoft Azure Documentation, "Workload profiles in Azure Container Apps environments". This document states, "Workload profiles determine the amount of compute and memory resources available to the container apps deployed in an environment... You configure workload profiles when you create a Container App environment". This justifies the use of --enable-workload-profiles.

Source: learn.microsoft.com/en-us/azure/container-apps/workload-profiles-overview

Microsoft Azure CLI Documentation, "az containerapp env create". This official command reference shows that to create a Container App Environment, the command structure is az containerapp env create. It also lists the --enable-workload-profiles parameter with the description, "Enable workload profiles for a container app environment."

Source: learn.microsoft.com/en-us/cli/azure/containerapp/env?view=azure-cli-latest#az-containerapp-env-create

Microsoft Azure Documentation, "Azure Container Apps environments". This document explains that a Container App Environment "acts as a secure boundary" where multiple container apps can "share the same virtual network" and "write logs to the same Log Analytics workspace," matching the requirements of the scenario.

Source: learn.microsoft.com/en-us/azure/container-apps/environment

Q: 10

DRAG DROP You need to ensure disaster recovery requirements are met. What code should you add at line PC16? To answer, drag the appropriate code fragments to the correct locations. Each code fragment may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

true
SingleTransferContext
ShouldTransferCallbackAsync
false
Directory TransferContext
ShouldOverwriteCallbackAsync

Discussion

Nina Jan 31, 2026 11:01 pm

I don’t think Directory TransferContext fits here since the requirement is for a single blob copy, not a folder. SingleTransferContext → ShouldOverwriteCallbackAsync → true matches how you guarantee DR overwrites every time, which is needed for recovery. Directory/ShouldTransferCallbackAsync/false is probably a trap if you just skim it. Anyone see a reason to choose otherwise?

KevinG Jan 28, 2026 12:27 pm

SingleTransferContext → ShouldOverwriteCallbackAsync → true is the correct sequence. DirectoryTransferContext is just for directory jobs, so that's a common trap. Always overwriting and using server-side copy lines up with standard DR best practices. Pretty sure this is right but yell if you spot a different scenario!

Emma J. Feb 3, 2026 12:32 pm

SingleTransferContext → ShouldOverwriteCallbackAsync → true is the right mapping. Saw a similar scenario in the official docs and labs: SingleTransferContext for blob-level control, ShouldOverwriteCallbackAsync to make sure overwrite happens, true for server-side DR efficiency. If you're prepping, check out code samples and try blob copy lab demos for this logic. Pretty sure this matches the exam pattern.

Rowan P. Feb 5, 2026 11:33 pm

SingleTransferContext → ShouldOverwriteCallbackAsync → true
Directory TransferContext is tempting but only applies for folder-level moves. For a single blob, SingleTransferContext is the right context, and overwriting is crucial in DR, so ShouldOverwriteCallbackAsync with true makes sense here. Pretty sure that’s what MS expects, but let me know if I missed something.

Hannah R. Feb 6, 2026 3:16 am

SingleTransferContext → ShouldOverwriteCallbackAsync → true matches what I've seen in practice tests and lines up with DR best practices for overwriting the destination. Pretty sure that's right, but happy to hear other takes if anyone thinks differently. Official docs and exam guide back this up.

Owen U. Jan 27, 2026 5:07 pm

SingleTransferContext → ShouldOverwriteCallbackAsync → true matches what I had on a mock. SingleTransferContext is for blob ops (not directories), and overwriting with server-side copy is standard for DR. Pretty confident but open if someone had different exam wording.

Hannah Feb 11, 2026 8:41 am

SingleTransferContext → ShouldOverwriteCallbackAsync → true is the order I used too. SingleTransferContext fits since it's a single blob not a directory job, and ShouldOverwriteCallbackAsync guarantees we always overwrite for DR. Pretty sure that's how MS wants it, but open to another view if someone disagrees.

Ava Jan 30, 2026 8:00 am

SingleTransferContext to ShouldOverwriteCallbackAsync to true-saw the same sequence in a similar practice set, fits single-blob DR requirements.

SkepticalOps6666 Feb 13, 2026 9:34 am

So tired of Azure DR questions that overcomplicate it, but it's SingleTransferContext to ShouldOverwriteCallbackAsync to true on this one.

Amelia L. Feb 1, 2026 6:08 am

SingleTransferContext -> ShouldOverwriteCallbackAsync -> true. DirectoryTransferContext is a trap here, only for directory copies.

Be respectful. No spam.

Correct Answer:

Answer Area Bucket 1: B. SingleTransferContext Bucket 2: F. ShouldOverwriteCallbackAsync Bucket 3: A. true

Explanation

The goal is to implement a disaster recovery (DR) copy for a single blob.

SingleTransferContext: The operation involves copying a single blob object. The SingleTransferContext class is specifically designed to provide context, such as callbacks and progress tracking, for individual file or blob transfers. DirectoryTransferContext would be incorrect as it's used for directory-level operations.
ShouldOverwriteCallbackAsync: For disaster recovery, it's crucial that the destination (DR) blob is always a current copy of the source. If a version of the blob already exists at the DR location, it must be overwritten. Setting the ShouldOverwriteCallbackAsync callback to a function that always returns true ensures that the copy operation will overwrite any existing destination blob.
true: The isServiceCopy parameter specifies whether the copy should be server-side or client-side. Setting this to true initiates a server-side copy. This is highly efficient for DR because the Azure Storage service handles the data transfer directly between the source and destination storage accounts without downloading the data to the client and re-uploading it. This significantly reduces transfer time, cost, and client-side resource consumption.

References

Microsoft Docs - SingleTransferContext Class: The official documentation for the Microsoft.Azure.Storage.DataMovement.SingleTransferContext class lists the ShouldOverwriteCallbackAsync property. It is described as "a callback that is invoked to determine whether a transfer should overwrite an existing destination." This confirms its role in controlling overwrite behavior.

Source: Microsoft.Azure.Storage.DataMovement.SingleTransferContext.ShouldOverwriteCallbackAsync Property Documentation.

Microsoft Docs - Asynchronous Copy Blob: Documentation on copying blobs explains the mechanism of server-side asynchronous copies. It highlights that this method uses server resources, freeing up the client and running in the background. This is the operation initiated when isServiceCopy is set to true in the Data Movement Library, making it ideal for robust DR strategies.

Source: Azure Blob Storage Documentation, "Copy Blob" operation, section on server-side asynchronous copy.

Microsoft Docs - TransferManager.CopyAsync Method: The method signature and its parameters are detailed in the Data Movement Library reference. The isServiceCopy parameter's description confirms that a true value indicates the copy operation will be a server-side copy.

Source: Microsoft.Azure.Storage.DataMovement.TransferManager.CopyAsync Method Documentation.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE