Developing AI Apps and Agents on Azure · 20% of the exam

Plan and design AI solutions: free practice questions

5 sample questions from our 50-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Microsoft exam.

1. A global media company is designing a content moderation pipeline using Azure AI Content Safety and Azure OpenAI. User-generated content (UGC) is submitted in real time. The architect proposes the following pipeline: (1) Screen UGC with Azure AI Content Safety; (2) If content passes, send it to Azure OpenAI for summarization; (3) Post the summary. The security reviewer raises a concern about prompt injection attacks—malicious users embedding instructions in UGC that manipulate the Azure OpenAI system prompt. Which mitigation BEST addresses prompt injection in this pipeline?

  • A. Set the Azure AI Content Safety hate and violence thresholds to Low to block more content before it reaches the LLM.
  • B. Use Azure AI Content Safety's Prompt Shield feature to detect and block prompt injection attempts in user-provided content before passing it to the LLM.✓ Correct
  • C. Enable the Azure OpenAI system message and instruct the model to ignore any instructions found in the user content.
  • D. Deploy the Azure OpenAI resource behind an Azure Application Gateway with WAF rules targeting SQL injection patterns.
Explanation

Azure AI Content Safety's Prompt Shield is specifically designed to detect direct and indirect prompt injection attacks in inputs before they reach the LLM—this is the purpose-built, Azure-native mitigation for this threat. Setting hate/violence thresholds to Low (A) only affects those harm categories; it does not detect embedded instruction injection patterns. A system message instruction to ignore user instructions (C) is a useful defense-in-depth measure but is not reliable on its own—LLMs can still be manipulated by sophisticated injection payloads; it is not the 'best' single mitigation. WAF with SQL injection rules (D) targets SQL injection, a different attack vector; WAF does not understand LLM prompt injection semantics.

2. A company is planning to deploy Azure OpenAI Service and is evaluating the cost model. Their workload involves processing large numbers of short customer emails (average 200 input tokens, 150 output tokens) at a variable rate—peak usage is 10× higher than off-peak. Which pricing model is most cost-effective for this workload?

  • A. Provisioned Throughput Units (PTU), because PTU guarantees low latency regardless of volume.
  • B. Standard (pay-per-token) pricing, because the variable and unpredictable traffic pattern means reserved capacity would be underutilized during off-peak periods.✓ Correct
  • C. PTU with auto-scaling enabled to handle peak traffic while minimizing cost.
  • D. Standard pricing for off-peak and PTU for peak, configured via Traffic Manager routing rules.
Explanation

Standard pay-per-token pricing is best when traffic is highly variable (10× peak-to-trough), because PTU requires purchasing a fixed capacity commitment that must be paid for 24/7 regardless of utilization. Underutilizing PTU during off-peak hours makes it more expensive overall. PTU (A) offers latency and throughput guarantees but is cost-efficient only for consistently high, predictable workloads. PTU does not support auto-scaling (C); capacity is fixed at purchase. Azure Traffic Manager is a DNS-based load balancer that does not natively switch between Azure OpenAI pricing tiers (D), and mixing models in this way is not a supported configuration.

3. An organization is deploying an Azure OpenAI solution for internal legal document review. The legal team is concerned that the model may generate confident-sounding but factually incorrect legal citations. Which Responsible AI mitigation techniques directly address this hallucination risk? (Select TWO)

  • A. Enable Azure AI Content Safety hate/violence content filters at the maximum severity threshold.
  • B. Implement Retrieval-Augmented Generation (RAG) so model responses are grounded in verified legal documents.✓ Correct
  • C. Configure system prompt instructions that direct the model to cite only sources provided in the retrieved context.✓ Correct
  • D. Enable PTU deployment to reduce latency and improve model response consistency.
  • E. Apply output parsing to strip any sentence that contains a legal citation format using regex.
Explanation

RAG (B) grounds the model in verified source documents, directly reducing the likelihood of fabricated citations. System prompt grounding instructions (C) reinforce this by explicitly constraining the model to cite only what was retrieved. Together, these are the canonical responsible AI mitigations for hallucination. Content Safety filters (A) target harmful content categories (hate, violence, etc.) and do not detect or block factual inaccuracies. PTU (D) affects throughput and latency, not response accuracy or hallucination rates. Regex stripping (E) is a brittle post-processing hack that would incorrectly remove valid citations and does not reduce the underlying hallucination risk.

4. An AI engineer is deploying multiple Azure AI services (Language, Vision, and Speech) within an Azure AI Foundry project. The application runs on Azure Kubernetes Service (AKS) and must authenticate to all AI services without storing any credentials in code or configuration files. Which authentication approach should the engineer implement?

  • A. Store API keys in Azure Key Vault and have the AKS pods retrieve them at startup.
  • B. Hardcode API keys in environment variables defined in the AKS deployment manifest.
  • C. Assign a user-assigned managed identity to the AKS node pool and grant it the required RBAC roles on the AI service resources.✓ Correct
  • D. Use a service principal with a client secret stored in an Azure Key Vault reference in the AKS manifest.
Explanation

A user-assigned managed identity assigned to the AKS node pool (or pod identity via workload identity) allows AKS workloads to authenticate to Azure AI services using Azure AD tokens with no credentials stored anywhere — the identity is managed by Azure. This is the recommended zero-credential approach. Storing API keys in Key Vault (option A) avoids hardcoding but still uses static credentials that need rotation; managed identity is preferred as it eliminates credential management entirely. Hardcoding keys in manifest environment variables (option B) is a serious security anti-pattern as manifests are often stored in source control. A service principal with a client secret (option D) still involves a secret that must be rotated and managed, and while Key Vault references reduce exposure, it is more complex and less secure than managed identity.

5. An enterprise is designing an Azure AI Foundry architecture. The compliance officer states that all Azure AI service endpoints must not be reachable over the public internet, and all traffic must traverse the corporate network. Which two networking features should the architect implement? (Select TWO)

  • A. Configure a Private Endpoint for the Azure AI Foundry hub and associated Azure AI services.✓ Correct
  • B. Enable Azure DDoS Protection Standard on the Azure AI services subnet.
  • C. Set the Azure AI services network firewall to deny all public network access.✓ Correct
  • D. Deploy an Azure Application Gateway with WAF in front of the Azure OpenAI endpoint.
  • E. Enable geo-redundancy on the Azure OpenAI resource to prevent regional failover over public routes.
  • F. Configure a Virtual Network Service Endpoint for Azure Storage linked to the hub.
Explanation

Private Endpoints (A) route all traffic from the VNet to Azure AI services over a private IP address via Azure Private Link, preventing any public internet traversal. Disabling public network access on the Azure AI services firewall (C) ensures the public endpoint is not accessible even if a private endpoint is also configured—together these two controls satisfy the compliance requirement. DDoS Protection (B) protects against volumetric attacks but does not block public internet access. Application Gateway with WAF (D) sits in front of a public-facing endpoint; it does not eliminate public internet reachability of the backend. Geo-redundancy (E) is about availability, not network isolation. VNet Service Endpoints for Storage (F) help secure storage access but do not apply to Azure AI service endpoints.

45 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free
Plan and design AI solutions — Free Developing AI Apps and Agents on Azure Practice Questions | DataCertPrep — Certification Prep