Exam AZ-204 topic 2 question 12 discussion

Actual exam question from Microsoft's AZ-204
Question #: 12
Topic #: 2

DRAG DROP -
You are developing a serverless Java application on Azure. You create a new Azure Key Vault to work with secrets from a new Azure Functions application.
The application must meet the following requirements:
✑ Reference the Azure Key Vault without requiring any changes to the Java code.
✑ Dynamically add and remove instances of the Azure Functions host based on the number of incoming application events.
✑ Ensure that instances are perpetually warm to avoid any cold starts.
✑ Connect to a VNet.
✑ Authentication to the Azure Key Vault instance must be removed if the Azure Function application is deleted.
You need to grant the Azure Functions application access to the Azure Key Vault.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Suggested Answer:
Step 1: Create the Azure Functions app with a Consumption plan type.
Use the Consumption plan for serverless.
Step 2: Create a system-assigned managed identity for the application.
Create a system-assigned managed identity for your application.
Key Vault references currently only support system-assigned managed identities. User-assigned identities cannot be used.
Step 3: Create an access policy in Key Vault for the application identity.
Create an access policy in Key Vault for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or applicationId settings, as this is not compatible with a managed identity.
Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
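
The identity and access-policy steps (steps 2 and 3), together with the app setting that lets the Java code read the secret unchanged, sketched with the Azure CLI. This is an added example, not part of the original question or answer; it assumes the Function App and the vault already exist, and the resource names, secret name and setting name are constructed placeholders.

```shell
#!/bin/sh
# Added example: grant a Function App's system-assigned identity read access
# to Key Vault secrets. Names below are constructed placeholders.
RG="rg-demo"; APP="func-demo"; VAULT="kv-demo"; SECRET="DbPassword"

# Build the Key Vault reference that App Service resolves at runtime, so the
# application only reads an ordinary app setting / environment variable.
kv_reference() {  # $1 = vault name, $2 = secret name
  printf '@Microsoft.KeyVault(SecretUri=https://%s.vault.azure.net/secrets/%s/)' "$1" "$2"
}

# Execute the command when APPLY=1; otherwise only print it (dry run, default).
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

grant_access() {
  principal="<principalId>"   # placeholder shown in dry-run output
  # Step 2: enable the system-assigned identity. Its lifecycle is tied to the
  # app, so deleting the app also removes the principal the policy refers to.
  if [ "${APPLY:-0}" = "1" ]; then
    principal=$(az functionapp identity assign -g "$RG" -n "$APP" \
      --query principalId -o tsv) || return 1
  else
    run az functionapp identity assign -g "$RG" -n "$APP" --query principalId -o tsv
  fi
  # Step 3: access policy keyed on the identity's object id, with only the
  # Get secret permission (least privilege; no authorized application set).
  run az keyvault set-policy --name "$VAULT" --object-id "$principal" \
    --secret-permissions get
  # Publish the reference as an app setting; no Java code change is needed.
  run az functionapp config appsettings set -g "$RG" -n "$APP" \
    --settings "DB_PASSWORD=$(kv_reference "$VAULT" "$SECRET")"
}

grant_access
```

By default the script only prints the three commands; set `APPLY=1` to run them against a subscription you are logged in to.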

Comments

msuser11
Highly Voted 2 years, 5 months ago
1. create ~Premium plan Type (Consumption X) 2. create system-assigned ~ (user-assigned X) 3. create an access policy in Azure Key Vault~
upvoted 180 times
NaSit
2 years, 4 months ago
I agree with you. 1. Premium plan (avoid any cold starts and connect to a VNet) Overview of plans here: https://docs.microsoft.com/th-th/azure/azure-functions/functions-scale 2. create system-assigned => "A system-assigned identity is tied to your application and is deleted if your app is deleted." 3. create an access policy https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?toc=%2Fazure%2Fazure-functions%2Ftoc.json&tabs=azure-cli
upvoted 26 times
Xardas
1 year, 3 months ago
Why not App Service plan?
upvoted 1 times
macobuzi
1 year, 2 months ago
App Service plan can connect to Vnet but it won't "Ensure that instances are perpetually warm to avoid any cold starts".
upvoted 4 times
imheretolearn
1 year, 1 month ago
Wouldn't Always On setting on App Service plan work here?
upvoted 3 times
...
...
...
...
jakobste
1 year, 2 months ago
I agree. I would go with system assigned identity unless the question talks about "multiple apps/vms". In that case you would go for user assigned if "administration has to be minimized" etc.
upvoted 1 times
...
fkaracan
1 year, 8 months ago
correct
upvoted 1 times
...
Esward
1 year, 9 months ago
Agreed
upvoted 1 times
...
...
uffuchsi
Highly Voted 1 year, 8 months ago
Received this in my exam today (22/02/2023). Selected 'Created the Azure Function app with Premium plan type', 'Create a system-assigned managed identity for the application', and 'Create an access policy in Azure Key Vault for the application identity'. Score 927.
upvoted 25 times
...
raja33
Most Recent 1 week, 4 days ago
Got this in the exam today! Apr 19, 2025
upvoted 1 times
...
cb98160
7 months, 2 weeks ago
1. Premium plan (avoid cold start) 2. system-assigned managed identity (we only have 1 Azure resource that our webapp needs to access and also the managed identity has to be removed when we delete our app.) 3. Create an access policy in Azure Key Vault.
upvoted 6 times
...
AhmedAbdelAziz
9 months ago
Why are there a lot of incorrect answers that this website shows to us?
upvoted 3 times
...
Samuel316
1 year ago
Answer shown in the image does not agree with what's written in the answer description. Image says user-assigned managed identity. Description says system-assigned managed identity, which would be more correct
upvoted 6 times
CarlosTheBoldest
11 months, 3 weeks ago
System assigned, as the user assigned continues existing after the resource is removed, but system assigned won't be valid once the resource is deleted
upvoted 1 times
...
...
Tarajee
1 year, 1 month ago
Got this on 2023sept
upvoted 2 times
...
kvtborad
1 year, 2 months ago
I have this question on 6th August. it was passed with 904. chose this highly voted:create ~Premium plan Type (Consumption X) 2. create system-assigned ~ (user-assigned X) 3. create an access policy in Azure Key Vault~
upvoted 4 times
...
tom112
1 year, 5 months ago
system-assigned Managed Identity's life cycle: Shared life cycle with the Azure resource that the managed identity is created with. When the parent resource is deleted, the managed identity is deleted as well.
upvoted 1 times
...
ucskips
1 year, 7 months ago
I agree with the answers here 1. Create function app with premium plan (premium plan allows for virtual network connection and pre-warmed starts) 2. System assigned managed identity (when the function app is deleted so is the system identity they are "tied" together https://devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/) 3. create an access policy (here, the system identity can be set as the method of accessing the key vault**)
upvoted 1 times
...
ucskips
1 year, 7 months ago
I agree with the answers here 1. Create function app with premium plan (premium plan allows for virtual network connection and pre-warmed starts) 2. System assigned managed identity (when the function app is deleted so is the system identity they are "tied" together https://devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/) 3. create an access policy (here, the system identity can be set as the method of accessing the key value)
upvoted 1 times
...
CODE_STS
1 year, 8 months ago
Got this in the exam today! Feb 28, 2023
upvoted 1 times
...
Harish86
1 year, 8 months ago
Can you tell me, why this website is showing incorrect answers? And most importantly from where it is this answers. When it is saying about Warm tiers , how can it be Consumption plan
upvoted 4 times
...
adilkhan
1 year, 9 months ago
consumption plan does not support VNET https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options?tabs=azure-cli
upvoted 2 times
...
micro9000
1 year, 11 months ago
The Azure Function App must be in Premium plan because we need to ensure that instances are perpetually warm to avoid any cold starts.
upvoted 2 times
...
vruizrob
1 year, 12 months ago
The following requirements are the key: ✑ Ensure that instances are perpetually warm to avoid any cold starts. In this link, https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#cold-start-behavior, you can read this same phrase, so, the correct answer is Premium Plan ✑ Authentication to the Azure Key Vault instance must be removed if the Azure Function application is deleted. In this link, https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types, you can see that is the System-assigned the correct answer ✑ And access policy in Azure Key Vault
upvoted 4 times
...
vruizrob
2 years, 1 month ago
1.- Consumption -> https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale "On the Consumption plan, instances of the Functions host are dynamically added and removed based on the number of incoming events." 2.- System Assigned, because it says "Authentication to the Azure Key Vault instance must be removed if the Azure Function application is deleted" 3.- Access Policy
upvoted 3 times
[Removed]
2 years, 1 month ago
You are focusing on that one requirement. But it has to be warm and it has to connect to a vnet. Which I think consumption plan cannot handle. But it is silly that Microsoft expects developers to remember all the unfortunate plans and random options they added to them.
upvoted 8 times
...
sb8498
1 year, 12 months ago
I don't think a Function hosted in a Consumption plan connect to a VNET, though. https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options?tabs=azure-cli
upvoted 1 times
...
...