The latest Microsoft AZ-303 Microsoft Azure Architect Technologies certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft AZ-303 Microsoft Azure Architect Technologies exam and earn Microsoft AZ-303 Microsoft Azure Architect Technologies certification.
Exam Question 151
You create a web API that will be accessed by a web application and two different mobile applications. You want to secure the web API by using OAuth 2.0.
You need to determine which applications to register in Azure Active Directory (Azure AD).
Choose all that apply:
A. Web API
B. Mobile applications
C. Web applications
Correct Answer:
A. Web API
B. Mobile applications
C. Web applications
Answer Description:
You should register all applications in Azure AD. Both client applications and web APIs are required to be registered to support OAuth 2.0 in an AD tenant.
References:
Microsoft Docs > Protect an API by using OAuth 2.0 with Azure Active Directory and API Management
Exam Question 152
You deploy an application to an Azure virtual machine (VM). You use Secure Shell (SSH) to connect to the VM.
You need to get an access token using the VM's assigned managed identity.
To which IP address should you issue a web request?
A. 10.10.10.10
B. 192.168.0.1
C. 169.254.169.254
D. 127.0.0.1
Correct Answer:
C. 169.254.169.254
Answer Description:
You should issue a web request to 169.254.169.254. Specifically, the entire URL is http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com. This is the URL you should use on all VMs.
You should not issue a web request to any other IP address. Only 169.254.169.254 is available for issuing identity tokens on VMs.
References:
Microsoft Docs > Use a Windows VM system-assigned managed identity to access Resource Manager
Exam Question 153
You create a Linux Azure virtual machine (VM) and enable the system-assigned identity. You want to use Managed Service Identity to allow the VM to access the Azure Resource Manager application programming interface (API).
Which three actions should you perform in sequence?
A. 1. Grant the Reader role to the VM for all resource groups. 2. Run the Invoke-WebRequest PowerShell cmdlet to retrieve an access token. 3. Call Azure Resource Manager using the access token.
B. 1. Grant the Virtual Machine Contributor role to the VM for all resource groups. 2. Run the Invoke-WebRequest PowerShell cmdlet to retrieve an access token. 3. Call Azure Resource Manager using the access token.
C. 1. Run the az identity create CLI command to specify the name of the identity. 2. Run the Invoke-WebRequest PowerShell cmdlet to retrieve an access token. 3. Call Azure Resource Manager using the access token.
D. 1. Run the az identity create CLI command to specify the name of the identity. 2. Grant the Virtual Machine Contributor role to the VM for all resource groups. 3. Call Azure Resource Manager using the access token.
Correct Answer:
A. 1. Grant the Reader role to the VM for all resource groups. 2. Run the Invoke-WebRequest PowerShell cmdlet to retrieve an access token. 3. Call Azure Resource Manager using the access token.
Answer Description:
You need to perform the following steps in order:
- Grant the Reader role to the VM for all resource groups.
- Run the Invoke-WebRequest PowerShell cmdlet to retrieve an access token.
- Call Azure Resource Manager using the access token.
You should grant the Reader role to the VM for all resource groups. This ensures that the VM can access resources in all resource groups. You must grant the Reader role before taking action to retrieve an access token.
Next, you should run the Invoke-WebRequest cmdlet to retrieve an access token. You extract the access token from the response, and then finally, you call Azure Resource Manager using the access token.
You should not run the az identity create CLI command to specify the name of the system identity. You should run this command when you want to set the name of a user identity, not a system identity.
You should not grant the Virtual Machine Contributor role to your account. This role is required to create a VM with the system-assigned identity enabled. However, because the VM is already created with the system assigned identity enabled, your account already has the required permissions.
References:
Microsoft Docs > Use a Windows VM system-assigned managed identity to access Resource Manager
Microsoft Docs > Configure managed identities for Azure resources on an Azure VM using Azure CLI
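The token request from Questions 152 and 153, as an added example that is not part of the exam page or Microsoft's own samples. It assumes the IMDS URL and api-version quoted in Question 152; the `fetch` argument is a hypothetical injection point so the logic can run offline against a constructed response, and `fake_imds_fetch` stands in for the real endpoint.

```python
# Added example: fetch a managed identity token from the Azure Instance
# Metadata Service (IMDS) and build the header for the Azure Resource Manager
# call. `fetch` is a hypothetical injection point (not an Azure API) so the
# flow can be exercised offline with a constructed IMDS response.
import json
import urllib.request
from urllib.parse import urlencode

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"
ARM_RESOURCE = "https://management.azure.com"

def build_token_request(resource=ARM_RESOURCE):
    """IMDS refuses requests that lack the 'Metadata: true' header, which is
    what stops a request relayed through an unaware proxy or redirect."""
    query = urlencode({"api-version": API_VERSION, "resource": resource})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}",
                                  headers={"Metadata": "true"})

def urlopen_fetch(req):
    """Real fetcher: the link-local address is only reachable from inside the VM."""
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()

def get_managed_identity_token(resource=ARM_RESOURCE, fetch=urlopen_fetch):
    """Step 2: return the parsed token document, checking it is for the
    resource we asked for and actually carries a token."""
    body = json.loads(fetch(build_token_request(resource)))
    if body.get("resource") != resource or not body.get("access_token"):
        raise ValueError("unexpected IMDS token response")
    return body

def arm_auth_header(token):
    """Step 3: Authorization header for calling Azure Resource Manager."""
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}

# Constructed stand-in for IMDS: same JSON shape as a real reply, fake values.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAi.constructed.token", "expires_on": "1700000000",
    "resource": ARM_RESOURCE, "token_type": "Bearer"}).encode()

def fake_imds_fetch(req):
    """Offline fetcher that enforces the Metadata header like the real endpoint."""
    if req.get_header("Metadata") != "true":
        raise PermissionError("400 Bad Request: Metadata header missing")
    return SAMPLE_IMDS_RESPONSE
```

The token is only as useful as the role assigned to the identity: with just Reader on the resource groups (step 1), the ARM call can list but not change resources.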
Exam Question 154
The following secret identifier exists in an Azure key vault: https://examanswer.vault.azure.net/secrets/billingApiKey/bcbb1a2eb5cb4a3696348504f74704c8
You need to use Azure CLI to retrieve the value for the secret.
Which command should you use?
Complete the command by selecting a value for each parameter:
az keyvault secret show --name [ ] --vault-name [ ]
Values for --name:
- examanswer
- billingApiKey
- bcbb1a2eb5cb4a3696348504f74704c8
Values for --vault-name:
- examanswer
- billingApiKey
- bcbb1a2eb5cb4a3696348504f74704c8
Correct Answer:
az keyvault secret show --name billingApiKey --vault-name examanswer
Answer Description:
You should use the following command:
az keyvault secret show --name billingApiKey --vault-name examanswer
This command sets the --name parameter to billingApiKey, which represents the name of the secret. It also sets the --vault-name parameter to examanswer, which represents the name of the key vault. The secret identifier URL is always in the format https://{key vault name}.vault.azure.net/secrets/{secret name}/{secret version}.
References:
Microsoft Docs > Quickstart: Set and retrieve a secret from Azure Key Vault using Azure CLI
Exam Question 155
You use the following command to store a connection string in Azure Key Vault:
az keyvault secret set --vault-name "examanswer" --name "connectionString" --value "server=10.10.10.100;database=prodSql;user id=webapp;password=4$gg65"
Developers need to retrieve the connection string.
Which URL should they use?
A. https://examanswer.vault.azure.net/value/connectionString
B. https://examanswer.vault.azure.net/connectionStrings/prodSql
C. https://examanswer.vault.azure.net/keys/connectionString
D. https://examanswer.vault.azure.net/secrets/connectionString
Correct Answer:
D. https://examanswer.vault.azure.net/secrets/connectionString
Answer Description:
The developers should use the following URL: https://examanswer.vault.azure.net/secrets/connectionString
This URL uses the format https://{key vault}.vault.azure.net/secrets/{secret name} to retrieve a secret from the vault.
References:
Microsoft Docs > Quickstart: Set and retrieve a secret from Azure Key Vault by using a .NET web app
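A parser for the secret identifier format described in Questions 154 and 155, added here as an example that is not from the exam page or from Microsoft. It assumes the URL shape https://{vault}.vault.azure.net/secrets/{name}[/{version}] given above, treats the version as optional (the Question 155 URL has none), and derives the matching az CLI arguments; the function names are my own.

```python
# Added example: turn a Key Vault secret identifier into validated parts and
# into the `az keyvault secret show` arguments. Rejects key/certificate URLs,
# non-https schemes and foreign hosts instead of silently accepting them.
import re
import shlex
from urllib.parse import urlsplit

# Key Vault naming rules: vault 3-24 alphanumerics/hyphens, secret name
# 1-127 alphanumerics/hyphens, version a 32-character hex string.
VAULT_HOST_RE = re.compile(r"^(?P<vault>[a-z0-9-]{3,24})\.vault\.azure\.net$", re.I)
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")
VERSION_RE = re.compile(r"^[0-9a-f]{32}$")

def parse_secret_identifier(url):
    """Return (vault, name, version_or_None) for a secret identifier URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("secret identifiers are https only")
    host = VAULT_HOST_RE.match(parts.hostname or "")
    if not host:
        raise ValueError(f"not a Key Vault host: {parts.netloc}")
    segs = parts.path.strip("/").split("/")
    if segs[0] != "secrets" or len(segs) not in (2, 3):
        raise ValueError(f"not a secret identifier path: {parts.path}")
    name = segs[1]
    if not NAME_RE.match(name):
        raise ValueError(f"invalid secret name: {name}")
    version = segs[2] if len(segs) == 3 else None
    if version is not None and not VERSION_RE.match(version):
        raise ValueError(f"invalid secret version: {version}")
    return host.group("vault"), name, version

def az_secret_show_argv(url):
    """argv for the Question 154 command; --version is added only when the
    URL pins one, otherwise the CLI returns the current version."""
    vault, name, version = parse_secret_identifier(url)
    argv = ["az", "keyvault", "secret", "show",
            "--name", name, "--vault-name", vault]
    if version:
        argv += ["--version", version]
    return argv

def az_secret_show_command(url):
    """Shell-safe rendering of the argv, e.g. for pasting into a terminal."""
    return shlex.join(az_secret_show_argv(url))
```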
Exam Question 156
You have an Azure Key Vault named vault1 that is used by Azure Virtual Machines (VMs) with user-assigned managed identities.
You configure the access policies as shown in the exhibit.
You need to determine which actions an Azure VM with the given managed identity can do.
Choose all that apply:
A. A VM with identity1 can list keys in vault1.
B. A VM with identity2 can get secrets in vault1.
C. A VM with identity3 can update certificates in vault1.
Correct Answer:
C. A VM with identity3 can update certificates in vault1.
Answer Description:
A VM with identity1 cannot list keys in vault1. The access policy for identity1 does not give any permission to keys in vault1. You can manage secrets in vault1 with identity1.
A VM with identity2 cannot get secrets in vault1. The access policy for identity2 does not give any permission to secrets in vault1. You can manage keys in vault1 with identity2.
A VM with identity3 can update certificates in vault1. The access policy for identity3 gives permission to manage secrets and certificates in vault1.
References:
Microsoft Docs > Azure Key Vault security
Exam Question 157
You manage multiple Azure subscriptions in the same Azure Active Directory (Azure AD) tenant.
You deploy the Azure Virtual Machines (VMs) and the managed identities as shown in the exhibit.
| Resource Group | Region | Subscription |
|---|---|---|
| rg1 | Central US | SubscriptionA |
| rg2 | East US | SubscriptionA |
| rg3 | East US | SubscriptionB |

| Managed Identity | Resource Group | Region |
|---|---|---|
| identity1 | rg1 | Central US |
| identity2 | rg2 | East US |
| identity3 | rg3 | East US |

| Azure VM | Resource Group | Region |
|---|---|---|
| vm1 | rg1 | Central US |
| vm2 | rg1 | East US |
| vm3 | rg3 | East US |
You need to determine which VMs can be associated with each of the managed identities.
Which VMs can you use for each identity?
identity1:
- vm1 and vm2 only
- vm1, vm2, and vm3
- vm1 only
identity2:
- vm1, vm2, and vm3
- vm2 and vm3 only
- vm3 only
identity3:
- vm1, vm2, and vm3
- vm2 and vm3 only
- vm3 only
Correct Answer:
identity1: vm1, vm2, and vm3
identity2: vm1, vm2, and vm3
identity3: vm1, vm2, and vm3
Answer Description:
You can use vm1, vm2, and vm3 with identity1, identity2, and identity3. You can associate any user-assigned managed identity with Azure VMs from different regions, resource groups, and subscriptions, as long as these subscriptions are in the same Azure AD tenant.
References:
Microsoft Docs > Configure managed identities for Azure resources on a VM using the Azure portal
Microsoft Docs > What are managed identities for Azure resources?
Exam Question 158
You have a solution that runs in an Azure Virtual Machine (VM).
The solution encrypts sensitive files and saves file metadata information in an Azure SQL database.
You need to use Azure Key Vault to securely store the database connection string for this solution.
Which Key Vault object should you use?
A. Key
B. Certificate
C. Secret
D. Hardware security module (HSM)-protected key
Correct Answer:
C. Secret
Answer Description:
You should use a secret to store the database connection string. You can use secrets to securely store tokens, passwords, API keys, database connection strings, and other secrets. You can control access to these secrets by using access policies.
You should not use a certificate to store the database connection string. You can generate or import X.509 certificates used to encrypt Transport Layer Security (TLS) network communication. Azure Key Vault can generate a self-signed or Certificate Authority (CA) certificate. It also handles renewals.
You should not use a key or an HSM-protected key to store the database connection string. You can use these to store or generate software-protected and HSM-protected cryptographic keys. You can use HSM-protected keys in the Azure Key Vault Premium tier.
References:
Microsoft Docs > About Azure Key Vault certificates
Microsoft Docs > Quickstart: Set and retrieve a secret from Azure Key Vault using PowerShell
Azure Pricing > Key Vault pricing
Exam Question 159
An Azure Logic app accesses data from an on-premises SQL Server database. The database administrator recently changed the password that is used to connect to the database.
You need to update your Logic app so that it can connect to the database with the new password.
Which Azure option should you modify?
A. Access keys
B. API connections
C. Properties
D. Workflow settings
Correct Answer:
B. API connections
Answer Description:
You should modify API connections. This option allows you to update the connection to an on-premises data gateway, which is a component that allows you to connect an Azure Logic app to an on-premises database.
You should not modify Workflow settings. This option allows you to configure access control to the Logic app, such as which IP addresses are allowed to access the app. It does not allow you to change connections to on-premises databases.
You should not modify the Properties setting. This option specifies the endpoint information that you can use to manage the Logic app from PowerShell or Azure CLI. It does not allow you to change connections to on-premises databases.
You should not modify the Access keys setting. This option allows you to generate access keys that you can use to access Logic apps from code. It does not allow you to change connections to on-premises databases.
References:
Microsoft Docs > Connect to on-premises data sources from Azure Logic Apps
Microsoft Docs > Overview – What is Azure Logic Apps?
Exam Question 160
An Azure function responds to GET requests at the URL http://shipping.azurewebsites.net/api/HttpTriggerJS1.
You need to modify the settings so that the function responds to requests at http://shipping.azurewebsites.net/Rate.
Choose all that apply:
A. Change the routePrefix value to a slash (/) in the host.json file.
B. Change the route template to /Rate.
C. Change the Request parameter name to Rate.
Correct Answer:
A. Change the routePrefix value to a slash (/) in the host.json file.
B. Change the route template to /Rate.
Answer Description:
You should change the routePrefix value to a slash (/) in the host.json file. By default, this value is /api. This means that all functions in this function app have a URL that begins with http://shipping.azurewebsites.net/api. By changing the routePrefix value to /, you allow all functions to have URLs that begin with http://shipping.azurewebsites.net.
You should change the route template to /Rate. This is the path for the actual function. This means that the function in this scenario will be reachable at http://shipping.azurewebsites.net/Rate.
You should not change the Request parameter name to Rate. This Request parameter name represents the parameter to the method that represents the function. By default, this parameter is named req.
References:
Microsoft Docs > Customize an HTTP endpoint in Azure Functions