- (Exam Topic 8)
You are developing an application to securely transfer data between on-premises file systems and Azure Blob storage. The application stores keys, secrets, and certificates in Azure Key Vault. The application uses the Azure Key Vault APIs.
The application must allow recovery of an accidental deletion of the key vault or key vault objects. Key vault objects must be retained for 90 days after deletion.
You need to protect the key vault and key vault objects.
Which Azure Key Vault feature should you use? To answer, drag the appropriate features to the correct actions. Each feature may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Solution:
Box 1: Soft delete
When soft-delete is enabled, resources marked as deleted are retained for a specified period (90 days by default). The service also provides a mechanism for recovering a deleted object, essentially undoing the deletion.
Box 2: Purge protection
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled.
When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed.
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 3)
You need to configure API Management for authentication.
Which policy values should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Solution:
Box 1: Validate JWT
The validate-jwt policy enforces existence and validity of a JWT extracted from either a specified HTTP Header or a specified query parameter.
Scenario: User authentication (see step 5 below)
The following steps detail the user authentication process:
1. The user selects Sign in on the website.
2. The browser redirects the user to the Azure Active Directory (Azure AD) sign-in page.
3. The user signs in.
4. Azure AD redirects the user’s session back to the web application. The URL includes an access token.
5. The web application calls an API and includes the access token in the authentication header. The application ID is sent as the audience (‘aud’) claim in the access token.
6. The back-end API validates the access token.
Box 2: Outbound
Reference:
https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 8)
You develop a web application.
You need to register the application with an active Azure Active Directory (Azure AD) tenant.
Which three actions should you perform in sequence? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order.
Solution:
Register a new application using the Azure portal
Sign in to the Azure portal using either a work or school account or a personal Microsoft account.
If your account gives you access to more than one tenant, select your account in the upper right corner.
Set your portal session to the Azure AD tenant that you want.
Search for and select Azure Active Directory. Under Manage, select App registrations.
Select New registration. (Step 1)
In Register an application, enter a meaningful application name to display to users.
Specify who can use the application. Select the Azure AD instance. (Step 2)
Under Redirect URI (optional), select the type of app you're building: Web or Public client (mobile & desktop). Then enter the redirect URI, or reply URL, for your application. (Step 3)
When finished, select Register.
Does this meet the goal?
Correct Answer:
A
- (Exam Topic 8)
You are developing several microservices to deploy to an Azure Service cluster. The microservices manage data stored in Azure Cosmos DB and Azure Blob storage. The data is secured by using customer-managed keys stored in Azure Key Vault.
You must automate key rotation for all Key Vault keys and allow for manual key rotation. Keys must rotate every three months. Notifications of expiring keys must be sent before key expiry.
You need to configure key rotation and enable key expiry notifications.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
Correct Answer:
BD
Reference:
https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
- (Exam Topic 8)
You develop and deploy an Azure App Service web app named App1. You create a new Azure Key Vault named Vault1. You import several API keys, passwords, certificates, and cryptographic keys into Vault1.
You need to grant App1 access to Vault1 and automatically rotate credentials. Credentials must not be stored in code.
What should you do?
Correct Answer:
D