Answer the following questions to check your understanding of API Management security.
A security engineer configures the validate-azure-ad-token policy on a partner-facing API in API Management. What must every caller provide for the policy to allow the request?
A valid Microsoft Entra ID access token in the Authorization header, issued for the allowed application ID and tenant
A subscription key in the Ocp-Apim-Subscription-Key header
A client certificate presented during the TLS handshake
A PKCE code verifier in the Authorization header alongside the token
Contoso Retail's partner contract allows 10,000 API calls per month but also requires that no partner can exceed 200 calls per minute. Which combination of API Management policies enforces both requirements?
Apply the rate-limit policy to enforce the per-minute limit and the quota policy to enforce the monthly limit
Apply the rate-limit policy twice—once with a renewal-period of 60 seconds and once with a renewal-period of 2,592,000 seconds
Apply the rate-limit-by-key policy with a counter key set to the subscription ID for both limits
Configure a single quota policy with two bandwidth thresholds—one for calls and one for data transfer
An API gateway forwards partner requests to a backend API over HTTPS. With standard TLS, the partner's application verifies the backend server's certificate. What does mutual TLS (mTLS) add that standard TLS doesn't provide?
The backend server also verifies the client's certificate, so both sides authenticate each other's identity before the connection is established
The connection uses TLS 1.3 instead of TLS 1.2, providing stronger cipher suite negotiation
The server certificate is signed by a public certificate authority rather than a private CA, improving trust chain verification
Session keys are rotated more frequently during the connection to reduce exposure from a compromised key
Contoso Retail's Azure OpenAI-based product recommendation API should only be accessible to internal applications on the company's private network—no public internet access is permitted to the API Management gateway hosting this API. Which virtual network integration mode satisfies this requirement?
Internal mode, which deploys API Management fully inside the virtual network with no public endpoint
External mode, which places API Management in the virtual network while retaining a public IP address
Configure a network security group (NSG) on the API Management subnet to block all inbound internet traffic
Enable the private endpoint for inbound access and disable the default gateway endpoint
Contoso Retail routes Azure OpenAI calls through API Management. A single partner subscriber occasionally sends a batch of complex document summarization requests that each consume 8,000 tokens per call. Why is the azure-openai-token-limit policy more effective than the standard rate-limit policy for governing this subscriber's consumption?
AI API cost is driven by token consumption—a few token-intensive calls can exhaust provisioned throughput as effectively as a large number of lightweight calls
The azure-openai-token-limit policy applies per API operation, while rate-limit only applies at the product scope
Azure OpenAI returns HTTP 429 errors that rate-limit can't intercept, but azure-openai-token-limit processes these before they reach the caller
The rate-limit policy only works when subscription keys are enabled, but azure-openai-token-limit works without subscription keys