microsoft az-220 practice test
Microsoft Azure IoT Developer
Note: This exam has case studies
Question 1 Topic 4, Mixed Questions
You have IoT devices that connect to an Azure IoT hub.
From IoT Hub, you create an Event subscription to be notified when devices are registered to IoT Hub. You select webhook
endpoint as a handler for the Event subscription.
Which two types of Event Grid messages will be received by the webhook? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
- A. Microsoft.Devices.DeviceCreated
- B. Microsoft.Resources.ResourceWriteSuccess
- C. Microsoft.EventGrid.SubscriptionValidationEvent
- D. Microsoft.Devices.DeviceConnected
Answer:
A C
Explanation:
Microsoft.Devices.DeviceCreated: Published when a device is registered to an IoT hub.
The first thing you want to do is handle Microsoft.EventGrid.SubscriptionValidationEvent events. Every time someone
subscribes to an event, Event Grid sends a validation event to the endpoint with a validationCode in the data payload.
Reference:
https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-event-grid https://docs.microsoft.com/en-us/azure/event-grid/receive-
events
Question 2 Topic 4, Mixed Questions
You need to route events in Azure Digital Twins to a downstream service for additional processing.
Which type of output endpoint can you use?
- A. Azure Event Hubs
- B. Azure Queue storage
- C. Microsoft Power BI
- D. Azure Table storage
Answer:
A
Explanation:
Create an endpoint for Azure Digital Twins.
These are the supported types of endpoints that you can create for your instance: Event Grid
Event Hubs
Service Bus
Note: In Azure Digital Twins, you can route event notifications to downstream services or connected compute resources.
This is done by first setting up endpoints that can receive the events. You can then create event routes that specify which
events generated by Azure Digital Twins are delivered to which endpoints. Reference:
https://docs.microsoft.com/en-us/azure/digital-twins/how-to-manage-routes
Question 3 Topic 4, Mixed Questions
You have an Azure IoT solution.
You need to create a digital twin model.
Which language should you use?
- A. XHTML
- B. DTDL
- C. YAML
- D. XML
Answer:
B
Explanation:
Azure Digital Twins models are represented in the JSON-LD-based Digital Twin Definition Language (DTDL). Reference:
https://docs.microsoft.com/en-us/azure/digital-twins/concepts-models
Question 4 Topic 4, Mixed Questions
You deploy an Azure Digital Twins instance.
You are developing client code that will modify digital twin data.
You run the client code and receive the following response for an Azure Digital Twins API.
403 (Forbidden)
You need to configure access control for the Azure Digital Twins instance to ensure that the client code can modify the data.
Which role should you assign?
- A. Contributor
- B. Azure Digital Twins Data Owner
- C. Owner
- D. Managed Application Operator Role
Answer:
B
Explanation:
Most often, this error indicates that your Azure role-based access control (Azure RBAC) permissions for the service aren't
set up correctly. Many actions for an Azure Digital Twins instance require you to have the Azure Digital Twins Data Owner
role on the instance you are trying to manage. Reference:
https://docs.microsoft.com/en-us/azure/digital-twins/troubleshoot-error-403
Question 5 Topic 4, Mixed Questions
You need to recommend a solution to keep device properties synced to IoT Hub. The solution must minimize data loss
caused by the connectivity issues.
What should you include in the recommendation?
- A. Azure Event Grid
- B. a cloud-to-device message
- C. IoT Hub device twins
- D. the IoT Hub direct method
Answer:
C
Explanation:
Scenario: You discover connectivity issues between the IoT gateway devices and iothub1, which cause IoT devices to lose
connectivity and messages.
To synchronize state information between a device and an IoT hub, you use device twins. A device twin is a JSON
document, associated with a specific device, and stored by IoT Hub in the cloud where you can query them. A device twin
contains desired properties, reported properties, and tags. Reference:
https://docs.microsoft.com/en-us/azure/iot-hub/tutorial-device-twins
Question 6 Topic 4, Mixed Questions
You have an Azure IoT hub that is being taken from prototype to production.
You plan to connect IoT devices to the IoT hub. The devices have hardware security modules (HSMs).
You need to use the most secure authentication method between the devices and the IoT hub. Company policy prohibits the
use of internally generated certificates.
Which authentication method should you use?
- A. an X.509 self-signed certificate
- B. a certificate thumbprint
- C. a symmetric key
- D. An X.509 certificate signed by a root certification authority (CA).
Answer:
D
Explanation:
Purchase X.509 certificates from a root certificate authority (CA). This method is recommended for production environments.
The hardware security module, or HSM, is used for secure, hardware-based storage of device secrets, and is the most
secure form of secret storage. Both X.509 certificates and SAS tokens can be stored in the HSM Reference:
https://docs.microsoft.com/en-us/azure/iot-dps/concepts-security
Question 7 Topic 4, Mixed Questions
You have an Azure IoT solution that includes an Azure IoT hub, 100 Azure IoT Edge devices, and 500 leaf devices.
You need to perform a key rotation across the devices.
Which three types of entities should you update? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- A. the $edgeHub module identity
- B. the $edgeAgent module identity
- C. the leaf module identities
- D. the IoT Edge device identities
- E. the iothubowner policy credentials
- F. the leaf device identities
Answer:
A D F
Explanation:
To get authorization to connect to IoT Hub, devices and services must send security tokens signed with either a shared
access or symmetric key. These keys are stored with a device identity in the identity registry.
An IoT Hub identity registry can be accessed like a dictionary, by using the deviceId or moduleId as the key. Reference:
https://docs.microsoft.com/bs-latn-ba/azure/iot-dps/how-to-control-access https://docs.microsoft.com/en-us/azure/iot-hub/iot-
hub-devguide-identity-registry
Question 8 Topic 4, Mixed Questions
You enable Azure Security Center for IoT.
You need to onboard a device to Azure Security Center.
What should you do?
- A. Add the azureiotsecurity module identity to the Azure IoT Hub device identity.
- B. Open incoming TCP port 8883 on the device.
- C. Modify the connection string of the device.
- D. Install an X.509 certificate on the hardware security module (HSM) of the device.
Answer:
A
Explanation:
Use the following workflow to deploy and test your Azure Security Center for IoT security agents:
1. Enable Azure Security Center for IoT service to your IoT Hub
2. If your IoT Hub has no registered devices, Register a new device.
3. Create an azureiotsecurity security module for your devices.
Azure Security Center for IoT makes use of the module twin mechanism and maintains a security module twin named
azureiotsecurity for each of your devices.
Note: To manually create a new azureiotsecurity module twin for a device use the following instructions:
1. In your IoT Hub, locate and select the device you wish to create a security module twin for.
2. Click on your device, and then on Add module identity.
3. In the Module Identity Name field, enter azureiotsecurity.
4. Click Save. Reference:
https://docs.microsoft.com/en-us/azure/asc-for-iot/quickstart-create-security-twin
Question 9 Topic 4, Mixed Questions
You have an Azure IoT Edge device.
You need to modify the credentials used to access the container registry.
What should you modify?
- A. the $edgeHub module twin
- B. the IoT Edge module
- C. the $edgeAgent module twin
- D. the Azure IoT Hub device twin
Answer:
C
Explanation:
The module twin for the IoT Edge agent is called $edgeAgent and coordinates the communications between the IoT Edge
agent running on a device and IoT Hub. The desired properties are set when applying a deployment manifest on a specific
device as part of a single-device or at-scale deployment.
These properties include:
runtime.settings.registryCredentials.{registryId}.username runtime.settings.registryCredentials.registryId}.password
Reference:
https://docs.microsoft.com/en-us/azure/iot-edge/module-edgeagent-edgehub
Question 10 Topic 4, Mixed Questions
HOTSPOT
You are planning a proof of concept (POC) that will use an Azure IoT hub.
You have two self-signed client authentication certificates named Cert1 and Cert2. Cert1 has a basic constraint that contains
Subject Type=CA. Cert2 has a basic constraint that contains Subject Type=End Entity.
You need to identify which certificates to use.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:
Box 1: Cert2 only
Cert2: The leaf certificate, or end-entity certificate, identifies the certificate holder. It has the root certificate in its certificate
chain as well as zero or more intermediate certificates. The leaf certificate is not used to sign any other certificates. It
uniquely identifies the device to the provisioning service and is sometimes referred to as the device certificate.
Box 2: Cert1 only
Cert1: A root certificate is a self-signed X.509 certificate representing a certificate authority (CA). It is the terminus, or trust
anchor, of the certificate chain. Root certificates can be self-issued by an organization or purchased from a root certificate
authority.
Reference:
https://docs.microsoft.com/en-us/azure/iot-dps/concepts-x509-attestation