This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Answer the following questions to check your understanding of the topics covered in this module.
A security engineer configures Azure App Service Authentication on a Function app and sets the action for unauthenticated requests to Require authentication. What happens when an external caller invokes the HTTP trigger without a valid token?
The request is passed to the function code, which can then check for a token and return a 401 response.
The request is rejected with a 401 response or redirected to the identity provider sign-in page before the function code executes.
The request is logged for review, and the function returns a 200 response with an empty body.
The request proceeds, but the function receives empty identity headers instead of the caller's claims.
Contoso Retail has 12 HTTP-triggered functions in a single Function app. A partner system needs access to three specific functions but must not be able to call the other nine. Which function authorization level achieves this without any code changes?
Assign the partner system a host key for the Function app.
Set all 12 functions to the Anonymous authorization level and implement key checks in the function code.
Create function-level keys for each of the three target functions and provide those keys to the partner system.
Create a new host key scoped to the three target functions.
A security team wants to eliminate the public endpoint for a Function app so that it's only accessible through a private IP address within their virtual network. Which hosting plan is required to configure a private endpoint for inbound access?
Standard Consumption plan
Elastic Premium or Dedicated (App Service) plan
Any Function app hosting plan supports private endpoints.
Functions must be deployed to an App Service Environment (ASE) to use private endpoints.
An organization needs to build a Logic app workflow that calls a SQL Server database with no public access, and the workflow trigger shouldn't be reachable from the public internet. Which Logic Apps hosting plan supports both requirements?
Consumption plan, because it provides the lowest cost for infrequently triggered workflows.
Standard plan, because it supports virtual network integration for outbound connector calls and private endpoints for inbound trigger access.
Either plan, because Logic Apps routing is controlled through Azure Front Door regardless of the hosting plan.
Consumption plan, if an on-premises data gateway is installed on the SQL Server subnet.
A Function app stores a database connection string as an application setting. The security team wants to remove the plain-text credential and retrieve it from Azure Key Vault at runtime. What is the correct syntax for a Key Vault reference in a Function app application setting?
@Microsoft.KeyVault(SecretUri=https://<vault-name>.vault.azure.net/secrets/<secret-name>/)
@AzureKeyVault(<vault-name>/<secret-name>)
{{KeyVaultSecret:<secret-name>}}
keyvault://<vault-name>/secrets/<secret-name>
You must answer all questions before checking your work.
Was this page helpful?
Need help with this topic?
Want to try using Ask Learn to clarify or guide you through this topic?