AZ-204 Exam - Question 50


DRAG DROP -

You are developing a serverless Java application on Azure. You create a new Azure Key Vault to work with secrets from a new Azure Functions application.

The application must meet the following requirements:

✑ Reference the Azure Key Vault without requiring any changes to the Java code.

✑ Dynamically add and remove instances of the Azure Functions host based on the number of incoming application events.

✑ Ensure that instances are perpetually warm to avoid any cold starts.

✑ Connect to a VNet.

✑ Authentication to the Azure Key Vault instance must be removed if the Azure Function application is deleted.

You need to grant the Azure Functions application access to the Azure Key Vault.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:

Step 1: Create the Azure Functions app with a Consumption plan type.

Use the Consumption plan for serverless.

Step 2: Create a system-assigned managed identity for the application.

Create a system-assigned managed identity for your application.

Key Vault references currently only support system-assigned managed identities. User-assigned identities cannot be used.

Step 3: Create an access policy in Key Vault for the application identity.

Create an access policy in Key Vault for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or applicationId settings, as this is not compatible with a managed identity.

Reference:

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
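
The identity and access-policy conditions from Steps 2 and 3 can be checked after the fact. The following is an added example, not part of the original answer or of Microsoft's documentation: it audits a constructed sample assumed to be shaped like `az functionapp identity show` and `az keyvault show` output, and goes slightly beyond the text by flagging any permission other than secret "get". The function name `audit_access` and all IDs are made up for illustration.

```python
import json

# Constructed sample data, assumed to follow the shape of `az functionapp identity show`
# and `az keyvault show` output; every ID below is a made-up placeholder.
IDENTITY = {"type": "SystemAssigned", "principalId": "11111111-1111-1111-1111-111111111111"}
VAULT = json.loads("""
{"properties": {"accessPolicies": [
  {"objectId": "11111111-1111-1111-1111-111111111111", "applicationId": null,
   "permissions": {"secrets": ["get"], "keys": [], "certificates": []}},
  {"objectId": "22222222-2222-2222-2222-222222222222", "applicationId": null,
   "permissions": {"secrets": ["get", "list", "set"], "keys": [], "certificates": []}}
]}}
""")


def audit_access(identity, vault):
    """Return findings for the app identity's Key Vault access policy (hypothetical helper)."""
    findings = []
    if "SystemAssigned" not in (identity.get("type") or ""):
        findings.append("identity is not system-assigned; it would outlive the app")
    principal = identity.get("principalId")
    policies = [p for p in vault["properties"].get("accessPolicies", [])
                if principal and p.get("objectId") == principal]
    if not policies:
        findings.append("no access policy for the app identity")
    for p in policies:
        perms = p.get("permissions") or {}
        secrets = {s.lower() for s in perms.get("secrets") or []}
        if "get" not in secrets:
            findings.append("secret 'get' permission missing")
        extra = secrets - {"get"}
        if extra:
            findings.append("extra secret permissions: " + ", ".join(sorted(extra)))
        for kind in ("keys", "certificates", "storage"):
            if perms.get(kind):
                findings.append(f"unneeded {kind} permissions: {sorted(perms[kind])}")
        if p.get("applicationId"):
            findings.append("applicationId is set; not compatible with a managed identity")
    return findings


if __name__ == "__main__":
    for finding in audit_access(IDENTITY, VAULT) or ["ok: get-only policy, system-assigned"]:
        print(finding)
```
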

Discussion

msuser11
Nov 25, 2022

1. create ~Premium plan Type (Consumption X) 2. create system-assigned ~ (user-assigned X) 3. create an access policy in Azure Key Vault~

samraw83
Dec 29, 2022

The question is confusing as per the requirement 2 it may look like, use the consumption plan. On the Consumption plan, instances of the Functions host are dynamically added and removed based on the number of incoming events. But, the premium plan takes care of Network connectivity and it does scale up as per this statement "Automatically scales based on demand using pre-warmed workers, which run applications with no delay after being idle, runs on more powerful instances, and connects to virtual networks." Do refer to the below documents: https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans Detailed information on consumption plan: https://docs.microsoft.com/en-us/azure/azure-functions/consumption-plan Premier plan: https://docs.microsoft.com/en-us/azure/azure-functions/functions-premium-plan?tabs=portal

NaSit
Dec 30, 2022

I agree with you. 1. Premium plan (avoid any cold starts and connect to a VNet) Overview of plans here: https://docs.microsoft.com/th-th/azure/azure-functions/functions-scale 2. create system-assigned => "A system-assigned identity is tied to your application and is deleted if your app is deleted." 3. create an access policy https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?toc=%2Fazure%2Fazure-functions%2Ftoc.json&tabs=azure-cli

Xardas
Feb 1, 2024

Why not App Service plan?

macobuzi
Feb 15, 2024

App Service plan can connect to Vnet but it won't "Ensure that instances are perpetually warm to avoid any cold starts".

imheretolearn
Mar 26, 2024

Wouldn't Always On setting on App Service plan work here?

Dani_ac7
Feb 24, 2023

AGREE, HERE THE KEY IS: - It can be premium or appservice, as it says "add and remove instances of the Azure Functions host" is premium - System assigned because it says “Authentication to the Azure Key Vault instance must be removed if the Azure Function application is deleted” - Use an access policy to allow the identity of the system

Esward
Jul 27, 2023

Agreed

fkaracan
Aug 22, 2023

correct

jakobste
Feb 23, 2024

I agree. I would go with system assigned identity unless the question talks about "multiple apps/vms". In that case you would go for user assigned if "administration has to be minimized" etc.

uffuchsi
Aug 22, 2023

Received this in my exam today (22/02/2023). Selected 'Created the Azure Function app with Premium plan type', 'Create a system-assigned managed identity for the application', and 'Create an access policy in Azure Key Vault for the application identity'. Score 927.

Samuel316
Apr 9, 2024

Answer shown in the image does not agree with what's written in the answer description. Image says user-assigned managed identity. Description says system-assigned managed identity, which would be more correct

CarlosTheBoldest
May 9, 2024

System assigned, as the user assigned continues existing after the resource is removed, but system assigned won't be valid once the resource is deleted

cb98160
Sep 14, 2024

1. Premium plan (avoid cold start) 2. system-assigned managed identity (we only have 1 Azure resource that our webapp needs to access and also the managed identity has to be removed when we delete our app.) 3. Create an access policy in Azure Key Vault.

dookebroyle
Dec 23, 2022

1. Premium plan for function app (needs to connect to vnet) 2. System assigned managed identity (needs to be deleted when app is deleted and you need to do this from settings menu in the app service menu - need to create function app first) 3. Access policy - key vault.

vruizrob
May 3, 2023

The following requirements are the key: ✑ Ensure that instances are perpetually warm to avoid any cold starts. In this link, https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#cold-start-behavior, you can read this same phrase, so, the correct answer is Premium Plan ✑ Authentication to the Azure Key Vault instance must be removed if the Azure Function application is deleted. In this link, https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types, you can see that is the System-assigned the correct answer ✑ And access policy in Azure Key Vault

Harish86
Aug 21, 2023

Can you tell me, why this website is showing incorrect answers? And most importantly from where it is this answers. When it is saying about Warm tiers , how can it be Consumption plan

kvtborad
Feb 8, 2024

I have this question on 6th August. it was passed with 904. chose this highly voted:create ~Premium plan Type (Consumption X) 2. create system-assigned ~ (user-assigned X) 3. create an access policy in Azure Key Vault~

Hansmukh
Nov 20, 2022

Will the below requirements be met in the consumption plan? ✑ Ensure that instances are perpetually warm to avoid any cold starts. ✑ Connect to a VNet.

HMKM
Nov 21, 2022

Doc says: System-assigned... The identity is tied to the lifecycle of that service instance. User-assigned... a managed identity as a standalone Azure resource. Simply thought, system-assigned managed identity meets the goal. (https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)

suku555
Nov 22, 2022

user-assigned managed identity will meet the requirement as the application would run on multiple instances (requirement says dynamically add or remove instances)

elasrayo
Nov 24, 2022

No, the managed identity is the correct answer because it will be removed when application is removed and Auth will also be automatically removed.

Spondamq
Jan 21, 2023

Premium plan System assigned Create an access policy in Azure key Vault

vruizrob
Mar 12, 2023

1.- Consumption -> https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale "On the Consumption plan, instances of the Functions host are dynamically added and removed based on the number of incoming events." 2.- System Assigned, because it says "Authentication to the Azure Key Vault instance must be removed if the Azure Function application is deleted" 3.- Access Policy

[Removed]
Mar 28, 2023

You are focusing on that one requirement. But it has to be warm and it has to connect to a vnet. Which I think consumption plan cannot handle. But it is silly that Microsoft expects developers to remember all the unfortunate plans and random options they added to them.

sb8498
May 3, 2023

I don't think a Function hosted in a Consumption plan connect to a VNET, though. https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options?tabs=azure-cli

AhmedAbdelAziz
Jul 30, 2024

Why there is a lot of incorrect answers this website show to us ?

JamaicaBot
Nov 19, 2022

The image with the correct answer and the solution text differs. The second step in the image states ‘Create a user assigned managed identity for the application’ while the solution text says, ‘Create a system-assigned managed identity for your application.’ with the annotation ‘Key Vault references currently only support system-assigned managed identities. User-assigned identities cannot be used.’ Further the provided link states that a user assigned managed identity as well as a system-assigned managed identities can be configured. I am not quite sure which of the answers are correct. Any ideas which one meets the given criteria?

jielong109
Nov 20, 2022

The second step should Create a system-assigned managed identity... based on the explanation.

SlothLearner
Nov 20, 2022

Answer is incorrect . Azure functions needs to be using Premium plan for pre warmed workers and connecting to vnet . Also , it needs to use system managed identity . https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale

micro9000
May 10, 2023

The Azure Function App must be in Premium plan because we need to ensure that instances are perpetually warm to avoid any cold starts.

adilkhan
Jul 22, 2023

consumption plan does not support VNET https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options?tabs=azure-cli

Tarajee
Mar 11, 2024

Got this on 2023sept

GMartinez
Nov 19, 2022

✑ Authentication to the Azure Key Vault instance must be removed if the Azure Function application is deleted. => Managed Identity instead ?

alpfit
Nov 20, 2022

Consumption plan does not avoid cold start. We should use the app service plan

DrSohan
Nov 20, 2022

Shouldn't it be premium plan? Consumption plan has coldstart Premium plan Perpetually warm instances to avoid any cold start. https://docs.microsoft.com/en-us/azure/azure-functions/functions-scale

alpfit
Nov 20, 2022

Both Premium and app service plan will work. But if you wish to reduce cost the App service plan will do. Most of those questions are around cost saving and upgrading to Premium has a higher cost implications that switching to an App service plan.

ITPerson123
Nov 22, 2022

Dynamic instances should also be added and cold starts also to be avoid so the plan has to be Premium

yohannvf
Nov 24, 2022

Only Premium plan meets all requirements

bashirmja
Nov 26, 2022

Azure function Premium plan: You require features that aren't available on the Consumption plan, such as virtual network connectivity.

Eltooth
Dec 22, 2022

Premium plan User-assigned Access policy - key vault

samraw83
Dec 29, 2022

It should be system assigned identity as it must delete with the resource, a user assigned you have to manually delete it. Check the last requirement.

d_vaibhav
Feb 16, 2023

Create Azure Functions App with Premium Plan type - (Perpetually warm instances to avoid any cold start) Create System assigned managed identity for the application - (enables vault to be automatically removed if the Azure Function application is deleted) Create an access policy in azure key vault for the application identity.

rohitpatil113
Feb 16, 2023

1. create ~Premium plan Type (Consumption X) 2. create system-assigned ~ (user-assigned X) 3. create an access policy in Azure Key Vault~

DivyaRajkumar
Feb 22, 2023

What is the correct answer for this question? Very confusing.

franklinfocus
Mar 21, 2023

Premium plan system-assigned access policy in Azure Key Vault

CODE_STS
Aug 28, 2023

Got this in the exam today! Feb 28, 2023

ucskips
Sep 8, 2023

I agree with the answers here 1. Create function app with premium plan (premium plan allows for virtual network connection and pre-warmed starts) 2. System assigned managed identity (when the function app is deleted so is the system identity they are "tied" together https://devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/) 3. create an access policy (here, the system identity can be set as the method of accessing the key value)

ucskips
Sep 8, 2023

I agree with the answers here 1. Create function app with premium plan (premium plan allows for virtual network connection and pre-warmed starts) 2. System assigned managed identity (when the function app is deleted so is the system identity they are "tied" together https://devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/) 3. create an access policy (here, the system identity can be set as the method of accessing the key vault**)

tom112
Nov 12, 2023

system-assigned Managed Identity's life cycle: Shared life cycle with the Azure resource that the managed identity is created with. When the parent resource is deleted, the managed identity is deleted as well.

raja33
Apr 20, 2025

Got this in the exam today! Apr 19, 2025