Microsoft AZ-220 practice test

Microsoft Azure IoT Developer

Note: This exam has case studies

Question 1 Topic 4, Mixed Questions

You have IoT devices that connect to an Azure IoT hub.
From IoT Hub, you create an Event subscription to be notified when devices are registered to IoT Hub. You select a webhook
endpoint as the handler for the Event subscription.
Which two types of Event Grid messages will be received by the webhook? Each correct answer presents a complete
NOTE: Each correct selection is worth one point.

  • A. Microsoft.Devices.DeviceCreated
  • B. Microsoft.Resources.ResourceWriteSuccess
  • C. Microsoft.EventGrid.SubscriptionValidationEvent
  • D. Microsoft.Devices.DeviceConnected


Microsoft.Devices.DeviceCreated: Published when a device is registered to an IoT hub.
The first thing you want to do is handle Microsoft.EventGrid.SubscriptionValidationEvent events. Every time someone
subscribes to an event, Event Grid sends a validation event to the endpoint with a validationCode in the data payload.


Question 2 Topic 4, Mixed Questions

You need to route events in Azure Digital Twins to a downstream service for additional processing.
Which type of output endpoint can you use?

  • A. Azure Event Hubs
  • B. Azure Queue storage
  • C. Microsoft Power BI
  • D. Azure Table storage


Create an endpoint for Azure Digital Twins.
These are the supported types of endpoints that you can create for your instance:

  • Event Grid
  • Event Hubs
  • Service Bus

Note: In Azure Digital Twins, you can route event notifications to downstream services or connected compute resources.
This is done by first setting up endpoints that can receive the events. You can then create event routes that specify which
events generated by Azure Digital Twins are delivered to which endpoints.


Question 3 Topic 4, Mixed Questions

You have an Azure IoT solution.
You need to create a digital twin model.
Which language should you use?

  • A. XHTML
  • B. DTDL
  • C. YAML
  • D. XML


Azure Digital Twins models are represented in the JSON-LD-based Digital Twin Definition Language (DTDL).


Question 4 Topic 4, Mixed Questions

You deploy an Azure Digital Twins instance.
You are developing client code that will modify digital twin data.
You run the client code and receive the following response for an Azure Digital Twins API.
403 (Forbidden)
You need to configure access control for the Azure Digital Twins instance to ensure that the client code can modify the data.
Which role should you assign?

  • A. Contributor
  • B. Azure Digital Twins Data Owner
  • C. Owner
  • D. Managed Application Operator Role


Most often, this error indicates that your Azure role-based access control (Azure RBAC) permissions for the service aren't
set up correctly. Many actions for an Azure Digital Twins instance require you to have the Azure Digital Twins Data Owner
role on the instance you are trying to manage.


Question 5 Topic 4, Mixed Questions

You need to recommend a solution to keep device properties synced to IoT Hub. The solution must minimize data loss
caused by connectivity issues.
What should you include in the recommendation?

  • A. Azure Event Grid
  • B. a cloud-to-device message
  • C. IoT Hub device twins
  • D. the IoT Hub direct method


Scenario: You discover connectivity issues between the IoT gateway devices and iothub1, which cause IoT devices to lose
connectivity and messages.
To synchronize state information between a device and an IoT hub, you use device twins. A device twin is a JSON
document, associated with a specific device, that IoT Hub stores in the cloud, where you can query it. A device twin
contains desired properties, reported properties, and tags.


Question 6 Topic 4, Mixed Questions

You have an Azure IoT hub that is being taken from prototype to production.
You plan to connect IoT devices to the IoT hub. The devices have hardware security modules (HSMs).
You need to use the most secure authentication method between the devices and the IoT hub. Company policy prohibits the
use of internally generated certificates.
Which authentication method should you use?

  • A. an X.509 self-signed certificate
  • B. a certificate thumbprint
  • C. a symmetric key
  • D. An X.509 certificate signed by a root certification authority (CA).


Purchase X.509 certificates from a root certificate authority (CA). This method is recommended for production environments.
The hardware security module, or HSM, is used for secure, hardware-based storage of device secrets, and is the most
secure form of secret storage. Both X.509 certificates and SAS tokens can be stored in the HSM.


Question 7 Topic 4, Mixed Questions

You have an Azure IoT solution that includes an Azure IoT hub, 100 Azure IoT Edge devices, and 500 leaf devices.
You need to perform a key rotation across the devices.
Which three types of entities should you update? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. the $edgeHub module identity
  • B. the $edgeAgent module identity
  • C. the leaf module identities
  • D. the IoT Edge device identities
  • E. the iothubowner policy credentials
  • F. the leaf device identities


To get authorization to connect to IoT Hub, devices and services must send security tokens signed with either a shared
access key or a symmetric key. These keys are stored with a device identity in the identity registry.
An IoT Hub identity registry can be accessed like a dictionary, by using the deviceId or moduleId as the key.


Question 8 Topic 4, Mixed Questions

You enable Azure Security Center for IoT.
You need to onboard a device to Azure Security Center.
What should you do?

  • A. Add the azureiotsecurity module identity to the Azure IoT Hub device identity.
  • B. Open incoming TCP port 8883 on the device.
  • C. Modify the connection string of the device.
  • D. Install an X.509 certificate on the hardware security module (HSM) of the device.


Use the following workflow to deploy and test your Azure Security Center for IoT security agents:
1. Enable the Azure Security Center for IoT service on your IoT Hub.
2. If your IoT Hub has no registered devices, register a new device.
3. Create an azureiotsecurity security module for your devices.
Azure Security Center for IoT makes use of the module twin mechanism and maintains a security module twin named
azureiotsecurity for each of your devices.
Note: To manually create a new azureiotsecurity module twin for a device use the following instructions:
1. In your IoT Hub, locate and select the device you wish to create a security module twin for.
2. Click on your device, and then on Add module identity.
3. In the Module Identity Name field, enter azureiotsecurity.
4. Click Save.


Question 9 Topic 4, Mixed Questions

You have an Azure IoT Edge device.
You need to modify the credentials used to access the container registry.
What should you modify?

  • A. the $edgeHub module twin
  • B. the IoT Edge module
  • C. the $edgeAgent module twin
  • D. the Azure IoT Hub device twin


The module twin for the IoT Edge agent is called $edgeAgent and coordinates the communications between the IoT Edge
agent running on a device and IoT Hub. The desired properties are set when applying a deployment manifest on a specific
device as part of a single-device or at-scale deployment.
These properties include:
runtime.settings.registryCredentials.{registryId}.username
runtime.settings.registryCredentials.{registryId}.password



Question 10 Topic 4, Mixed Questions

You are planning a proof of concept (POC) that will use an Azure IoT hub.
You have two self-signed client authentication certificates named Cert1 and Cert2. Cert1 has a basic constraint that contains
Subject Type=CA. Cert2 has a basic constraint that contains Subject Type=End Entity.
You need to identify which certificates to use.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Box 1: Cert2 only
Cert2: The leaf certificate, or end-entity certificate, identifies the certificate holder. It has the root certificate in its certificate
chain as well as zero or more intermediate certificates. The leaf certificate is not used to sign any other certificates. It
uniquely identifies the device to the provisioning service and is sometimes referred to as the device certificate.
Box 2: Cert1 only
Cert1: A root certificate is a self-signed X.509 certificate representing a certificate authority (CA). It is the terminus, or trust
anchor, of the certificate chain. Root certificates can be self-issued by an organization or purchased from a root certificate
