Operationalizing ML and Generative AI Solutions · 22% of the exam

Design and implement a GenAIOps infrastructure: free practice questions

5 sample questions from our 55-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Microsoft exam.

1. An operations team is reviewing cost and latency for a high-volume Azure AI Foundry workload that processes approximately 50 million tokens per day with very predictable, uniform request patterns. They are currently using a serverless API endpoint. Which deployment option would most reduce per-token cost and provide guaranteed throughput for this workload?

  • A. Switch to a managed compute endpoint backed by a GPU cluster with auto-scaling enabled
  • B. Remain on the serverless API endpoint but enable batch deployment mode
  • C. Purchase provisioned throughput units (PTUs) and deploy the model on a provisioned managed compute endpoint✓ Correct
  • D. Increase the serverless API endpoint's token-per-minute quota via a support request
Explanation

Provisioned throughput units (PTUs) are specifically designed for high-volume, predictable workloads. They offer a reserved capacity model that reduces per-token cost compared to pay-as-you-go serverless pricing and guarantee a consistent level of throughput. A GPU-backed managed compute endpoint with auto-scaling (option A) is suited for custom fine-tuned models, not foundation model deployments, and does not offer PTU economics. Staying on serverless with batch mode (option B) does not reduce per-token cost for real-time traffic and is intended for offline processing. Raising the quota (option D) removes rate limiting but does not reduce cost or provide guaranteed throughput.

2. A team is evaluating whether to use a serverless API endpoint or a managed compute endpoint for deploying an open-source Llama 3 model in Azure AI Foundry. The model requires custom preprocessing logic injected at inference time and must support GPU-accelerated batch scoring. Which deployment type is appropriate and why?

  • A. Serverless API endpoint, because it provides built-in GPU acceleration and supports custom scoring scripts through the managed runtime.
  • B. Managed compute endpoint, because it allows the team to bring a custom scoring script, select a GPU-backed compute SKU, and configure batch deployment jobs.✓ Correct
  • C. Serverless API endpoint, because pay-as-you-go billing is always more cost-effective than managed compute for batch workloads.
  • D. Managed compute endpoint with a CPU-optimized SKU, because open-source models do not benefit from GPU acceleration in Azure AI Foundry.
Explanation

Managed compute endpoints in Azure AI Foundry are the correct choice when: (1) custom preprocessing/scoring logic must be injected via a scoring script, (2) specific GPU compute SKUs are needed, and (3) batch scoring jobs are required. These are capabilities inherent to managed online or batch endpoints backed by dedicated compute. Option A is incorrect—serverless API endpoints do not support custom scoring scripts; they expose a standardized API surface for catalog models. Option C incorrectly claims serverless pay-as-you-go is always more cost-effective for batch workloads; for high-volume batch processing, dedicated compute is often more cost-efficient, and cost-effectiveness was not the primary requirement here. Option D is incorrect because GPU acceleration significantly benefits large open-source LLM inference and is supported by managed compute endpoints with appropriate GPU SKUs.

3. A company is deploying Azure AI Foundry infrastructure using Bicep. The security team requires that the Foundry hub and all dependent resources communicate exclusively over private IP addresses, with no public internet exposure. Which two configurations must be included in the Bicep template to satisfy this requirement? (Select TWO)

  • A. Set the `publicNetworkAccess` property on the Azure AI Foundry hub resource to `Disabled`.✓ Correct
  • B. Enable Azure DDoS Network Protection on the virtual network hosting the Foundry hub.
  • C. Deploy a Private Endpoint for the Azure AI Foundry hub and link it to the target virtual network.✓ Correct
  • D. Configure an outbound NAT gateway on the subnet where the Foundry hub is deployed.
  • E. Apply a Network Security Group (NSG) rule that allows all inbound traffic on port 443 from any source.
Explanation

To eliminate public internet exposure, you must both disable public network access (`publicNetworkAccess: 'Disabled'`) so the service rejects requests arriving over the public endpoint, AND deploy a Private Endpoint so that the hub is reachable via a private IP address within the virtual network. Together these two settings enforce fully private connectivity. Option B (DDoS Protection) adds resilience against volumetric attacks but does not restrict public access to the resource itself. Option D (NAT gateway) controls outbound traffic from a subnet but does nothing to make the Foundry hub private. Option E (NSG allow-all on 443) would actually open inbound traffic rather than restricting it, the opposite of the requirement.

4. A DevOps engineer is automating the deployment of a GPT-4 model to an Azure AI Foundry project using Azure CLI as part of a CI/CD pipeline. The deployment must target a specific model version to prevent unintended upgrades. Which CLI command structure correctly deploys a specific, pinned model version?

  • A. `az ml online-deployment create --model azureml://registries/azure-openai/models/gpt-4/versions/0613 --endpoint-name myEndpoint`
  • B. `az cognitiveservices account deployment create --name myDeployment --model-name gpt-4 --model-version 0613 --model-format OpenAI --resource-group myRG --account-name myFoundryHub`✓ Correct
  • C. `az ai model deploy --project myProject --model gpt-4 --version latest --resource-group myRG`
  • D. `az ml online-endpoint create --name myEndpoint --model gpt-4:latest --resource-group myRG --workspace-name myProject`
Explanation

For Azure OpenAI-based foundation model deployments in AI Foundry, the correct CLI command is `az cognitiveservices account deployment create`, specifying `--model-name`, `--model-version` (pinned to a specific version such as `0613`), `--model-format OpenAI`, and the associated Foundry hub/account name. This pins the deployment to a specific model version and prevents auto-upgrade. Option A uses `az ml online-deployment create` with an AzureML registry path, which is appropriate for custom or open-source models managed through the AzureML model registry, not for managed Azure OpenAI deployments. Option C references `az ai model deploy`, which is not a valid Azure CLI command. Option D uses `az ml online-endpoint create`, which creates an endpoint rather than deploying a model, and specifying `gpt-4:latest` explicitly opts into the latest version rather than pinning a specific one.

5. A team is designing RBAC for an Azure AI Foundry hub shared by three departments. Each department has its own project inside the hub. Department A's data scientists should be able to deploy models and manage prompt flows only within Department A's project. They must NOT be able to view or modify resources in Department B's or Department C's projects. What is the MOST appropriate RBAC assignment strategy?

  • A. Assign Department A's data scientists the 'Azure AI Developer' role at the hub scope so they can access all projects under the hub.
  • B. Assign Department A's data scientists the 'Azure AI Developer' role scoped specifically to Department A's project resource, and do not grant them any role at the hub scope.✓ Correct
  • C. Assign Department A's data scientists the 'Contributor' role at the hub scope and use Azure Policy deny assignments to block access to Department B's and Department C's projects.
  • D. Assign Department A's data scientists the 'Reader' role at the hub scope and the 'Owner' role at the Department A project scope.
Explanation

Scoping the 'Azure AI Developer' role to Department A's project resource grants the necessary permissions (model deployment, prompt flow management) within that project only, with no inherited access to other projects. Azure RBAC is additive and scoped, so a role assignment at the project level does not propagate to sibling projects. Option A is wrong because assigning the role at the hub scope grants access to all child projects, violating the isolation requirement. Option C is wrong because 'Contributor' at the hub scope also grants broad access, and deny assignments add unnecessary complexity and are not the recommended least-privilege approach. Option D is wrong because combining 'Reader' at hub scope with 'Owner' at project scope still provides read visibility across the hub's shared resources and 'Owner' is more permissive than needed.

50 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free