Architecting Microsoft Azure Solutions


Skills measured

This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area in the exam. The higher the percentage, the more questions you are likely to see on that content area in the exam. 

Please note that the questions may test on, but will not be limited to, the topics described in the bulleted text.

Do you have feedback about the relevance of the skills measured on this exam? Please send Microsoft your comments. All feedback will be reviewed and incorporated as appropriate while still maintaining the validity and reliability of the certification process. Note that Microsoft will not respond directly to your feedback. We appreciate your input in ensuring the quality of the Microsoft Certification Program.

If you have other questions or feedback about Microsoft Certification exams or about the certification program, registration, or promotions, just contact us. 

Who should take this exam?

Candidates for this exam define the appropriate cloud native, cloud migration, and hybrid cloud solutions to meet the required functional, operational, and deployment requirements through the solution lifecycle. Candidates should know the features and capabilities of Azure services to be able to identify trade-offs and make decisions for designing public and hybrid cloud solutions.

The candidate should understand DevOps technologies, provisioning Azure resources using ARM templates, and designing highly resilient workloads running on Azure.

The free demo questions are as follows:

You are building an application that will run in a virtual machine (VM). The application will
use Managed Service Identity (MSI).
The application uses Azure Key Vault, Azure SQL Database, and Azure Cosmos DB.
You need to ensure the application can use secure credentials to access these services.
Which authorization method should you recommend? To answer, select the appropriate options in
the answer area.
NOTE: Each correct selection is worth one point.

You plan to create a Content Delivery Network (CDN) in Azure that meets the following
* Ensure that content can be preloaded into CDN endpoints.
* Accept client requests that use HTTP or HTTPS.
* Accept content from customized origin ports.
* Minimize costs per gigabyte (GB) delivered.
You need to create the CDN profile and endpoint.
Solution: You create a CDN profile by using the Azure CDN Standard from Verizon SKU. You configure
the profile to use a storage account endpoint.
A. Yes
B. No
Answer: B

You have an Azure website that runs on several instances. You have a WebJob that provides
additional functionality to the website.
The WebJob must run on all instances of the website.
You need to ensure that the WebJob runs even when the website is idle for long periods of time.
How should you create and configure the WebJob object? To answer, select the appropriate options
in the answer area.
* You can run programs or scripts in WebJobs in your App Service web app in three ways: on
demand, continuously, or on a schedule.
* For continuous WebJobs there is an important feature called "always on", which is only available for
a Standard Website; it makes sure your Website and WebJob are always up.

A company plans to implement Azure Cosmos DB.
You need to recommend client network connection options to maximize performance.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: Direct mode
Connection policy: Use direct connection mode
Gateway Mode involves an additional network hop every time data is read or written to Azure
Cosmos DB.
Because of this, Direct Mode offers better performance due to fewer network hops.
Box 2: TCP
Direct mode supports connectivity through TCP and HTTPS protocols. For best performance, use the
TCP protocol when possible.

You are designing a virtual network to support a web application. The web application uses
Blob storage to store large images. The web application will be deployed to an Azure App Service
Web App.
You have the following requirements:
* Secure all communications by using Secure Sockets Layer (SSL).
* SSL encryption and decryption must be processed efficiently to support high traffic load on the web
* Protect the web application from web vulnerabilities and attacks without modification to backend
* Optimize web application responsiveness and reliability by routing HTTP requests and responses to
the endpoint with the lowest network latency for the client.
You need to configure the Azure components to meet the requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: Azure Application Gateway
Application gateway supports SSL termination at the gateway, after which traffic typically flows
unencrypted to the backend servers. This feature allows web servers to be unburdened from costly
encryption and decryption overhead. However, sometimes unencrypted communication to the
servers is not an acceptable option. This could be due to security requirements, compliance
requirements, or the application may only accept a secure connection. For such applications,
application gateway supports end to end SSL encryption.
Box 2: Azure Security Center
Azure Security Center provides unified security management and advanced threat protection across
hybrid cloud workloads. With Security Center, you can apply security policies across your workloads,
limit your exposure to threats, and detect and respond to attacks.
Box 3: Azure Traffic Manager
Microsoft Azure Traffic Manager allows you to control the distribution of user traffic for service
endpoints in different datacenters. Service endpoints supported by Traffic Manager include Azure
VMs, Web Apps, and cloud services.

You deploy an Azure Web App. The Web App uses a storage account that contains a large
number of storage objects.
You need to grant clients access to application data for a specified interval of time while minimizing
What should you create?
A. a network security group
B. an account shared access signature
C. a service shared access signature
D. a stored access policy
Answer: B

Note: This question is part of a series of questions that present the same scenario. Each question
in the series contains a unique solution that might meet the stated goals. Some question sets
might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You manage a solution in Azure. You configure Event Hubs to collect telemetry data from dozens of
industrial machines. Hundreds of events per minute are logged in near real-time. You use this data
to create dashboards for analysts.
The company is expanding their machinery and wants to know if the current telemetry solution will
be sufficient to handle the volume of the increasing workload. The volume will increase 10 times by
year end and on a regular basis thereafter. Latency will become more and more important as volume
Messages must be retained for a week. Data must be captured automatically without price increase.
You need to recommend a solution.
Solution: Use the fully-managed platform as a service option in the dedicated tier to handle the
increased volume.
Does the solution meet the goal?
A. Yes
B. No
Answer: B
Azure Event Hubs Dedicated is ideal for customers that need a single-tenant deployment, not the
fully-managed platform, to manage the most demanding requirements.

You need to recommend a solution architecture for the Tailspin Toys Customer Analyzes app.
What should you recommend? To answer, drag the appropriate solutions to the correct
components. Each solution may be used once, more than once, or not at all. You may need to drag
the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

You have business services that run on an on-premises mainframe server.
You must provide an intermediary configuration to support existing business services and Azure. The
business services cannot be rewritten. The business services are not exposed externally.
You need to recommend an approach for accessing the business services.
What should you recommend?
A. Move all business service functionality to Azure.
B. Expose the business services externally.
C. Connect to the on-premises server by using a custom service in Azure.
D. Expose the business services to the Azure Service Bus by using a custom service that uses relay
Answer: A

You manage a bot in a serverless architecture.
The bot provides custom responses to questions based upon the identity of the user.
The bot must meet the following requirements:
* Identify the user by face.
* Provide text-to-speech reading of questions to the user.
* Analyze the text of the user's responses for patterns.
What should you recommend? To answer, drag the appropriate solution to the correct scenario. Each
solution may be used once, more than once, or not at all. You may need to drag the split bar between
panes to scroll or view content.
NOTE: Each correct selection is worth one point.
Note: With Azure, built-in intelligence is within the reach of all app developers. Enable your serverless
code or logic to use Machine Learning and Cognitive Services.
Box 1, Identify users by face: Azure Cognitive Services
Microsoft Face API is a cloud-based service that provides the most advanced face algorithms. Face API
has two main functions: face detection with attributes and face recognition.
Box 2, Provide text-to-speech services: Azure Cognitive Services
Infuse your apps, websites and bots with intelligent algorithms to see, hear, speak, understand and
interpret your user needs through natural methods of communication.
Speech: Convert spoken audio into text, use voice for verification, or add speaker recognition to your
Box 3, Read questions to users: Azure Functions
Azure Functions is a serverless solution.

You need to correlate the usage and performance data collected by Azure Application
Insights with configuration and performance data across the Azure resources that support the
E-Commerce Web Application.
What should you do?
A. Use the Azure portal to query the Azure activity logs.
B. Create an Azure Log Analytics workspace and enable the Azure Diagnostics extension.
C. Write a query by using Azure Log Analytics.
D. Configure and enable the Azure Application Insights Profiler.
Answer: C
Application Insights Analytics provides a rich query language for analyzing all data collected by
Application Insights. A query can be generated for you that renders the request count as a chart. You
can write your own queries to analyze other data.

A company has a hybrid ASP.NET Web API application that is based on a software as a service
(SaaS) offering.
Users report general issues with the data. You advise the company to implement live monitoring and
use ad hoc queries on stored JSON data. You also advise the company to set up smart alerting to
detect anomalies in the data.
You need to recommend a solution to set up smart alerting.
What should you recommend?
A. Azure Site Recovery and Microsoft Operations Management Suite
B. Azure Data Lake Analytics and Microsoft Operations Management Suite.
C. Azure Application Insights and Azure Log Analytics
D. Azure Security Center and Azure Data Lake Store
Answer: C

You manage a solution in Azure. You plan to add several new features to the solution.
You identify the following requirements:
* The deployment technology must support load balancing and service discovery.
* Trigger a BizTalk Server workflow to process Electronic Data Interchange (EDI) data.
You need to identify which technical implementation is suitable for each functionality.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

You are designing an Internet-of-Things (IoT) solution for a company.
The project will deploy thousands of sensors that measure noise levels in the company's
manufacturing plants.
The design must meet the following requirements:
* Data from the IoT devices must be monitored in near real-time.
* If the noise levels exceed certain thresholds a notification must be sent alerting the appropriate
Different people may be notified based on the severity of the threshold that has been exceeded.
* A mobile app will be distributed to those who need to receive notifications.
* The solution must allow configuration changes to be pushed to the IoT devices.
You need to design the flow of data from the IoT devices to the sending of the notification.
Which five services should you use to process the data in sequence from input to output? To answer,
move the appropriate service from the list of services to the answer area and arrange them in the
correct order.

You need to implement the security requirements.
What should you implement?
A. user certificates
B. LDAP to query the directory
C. the Graph API to query the directory
D. single sign-on
Answer: D

A company uses Azure AD Connect to synchronize on-premises and Azure identities.
The company uses Active Directory Federation Services (AD FS) for external users.
The AD FS servers run on Windows Server 2016.
You need to ensure that Azure AD Connect Health can analyze all AD FS audit logs.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. On the AD FS servers, enable security auditing.
B. On the AD FS servers, set the audit level to Verbose.
C. On the Azure AD Connect server, set the audit level to Verbose.
D. On the Azure AD Connect server, enable security auditing.
Answer: A,B

You need to ensure that customer data is secured both in transit and at rest.
Which technologies should you recommend? To answer, drag the appropriate technology to the
correct security requirement. Each technology may be used once, more than once, or not at all. You
may need to drag the split bar between panes or scroll to view content.
* Azure Rights Management service
Azure Rights Management service uses encryption, identity, and authorization policies to help secure
your files and email, and it works across multiple devices: phones, tablets, and PCs. Information can
be protected both within your organization and outside your organization because that protection
remains with the data, even when it leaves your organization's boundaries.
* Transparent Data Encryption
Transparent Data Encryption (often abbreviated to TDE) is a technology employed by both Microsoft
and Oracle to encrypt database files. TDE offers encryption at file level. TDE solves the problem of
protecting data at rest, encrypting databases both on the hard drive and consequently on backup
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic
protocols designed to provide communications security over a computer network. They use X.509
certificates and hence asymmetric cryptography to authenticate the counterparty with whom they
are communicating, and to negotiate a symmetric key.

Your team uses a proprietary source control product. You use FTP to manually deploy an
Azure website. You must move your source code from the proprietary source control product to a
secure on-premises Git versioning system. Instead of deploying the website by using FTP, the website
must automatically deploy to Azure each time developers check-in source files.
You need to implement the new deployment strategy. Which three actions should you perform in
To answer, move the appropriate actions from the list of actions to the answer area and arrange
them in the correct order.

You manage two cloud services named Service1 and Service2. The development team
updates the code for each application and notifies you that the services are packaged and ready for
Each cloud service has specific requirements for deployment according to the following table. In the
table below, identify the deployment method for each service. Make only one selection in each
Service1: Update by using package in Azure Storage
The package must be retained for disaster recovery purposes.
Service2: Update by using from your local computer
Maintaining the existing service package is not required.

Your company has an on-premises Active Directory Domain Services (AD DS) domain and an
established Azure Active Directory (Azure AD) environment.
Your company would like users to be automatically signed in when they are on their corporate
desktops that are connected to the corporate network.
You need to enable single sign-on (SSO) for company users.
Solution: Configure an AD DS server in an Azure virtual machine (VM). Configure bidirectional
Does the solution meet the goal?
A. No
B. Yes
Answer: A
Single sign on (SSO) can be enabled via Azure AD Connect.