Create SharePoint Folder Structure in Destination (Only If Not Exists)

Why This Script Is Safe

• You can run it multiple times

• It will not create duplicate folders

• It will only create missing folders

• Safe for automation

############################################################

# CONFIGURATION

############################################################

 

# Azure AD App Registration details

$ApplicationClientId     = "Client id"

$ApplicationClientSecret = "Client Secret"

$TenantId                = "Tenant ID"

 

# SharePoint Sites

$SourceSiteUrl      = "https://sourcesite.com/sites/site1"

$DestinationSiteUrl = "https://destination.com/sites/site2"

 

############################################################

# SOURCE FOLDER URLS (Full URLs from Source Site)

############################################################

 

$SourceFolderUrls = @(

    "https://sourcesite.com/Shared Documents/folder3/subfolder3.1",

    "https://sourcesite.com/Shared Documents/folder4/subfolder4.1"

)

 

############################################################

# CONNECT TO DESTINATION SITE (Only once)

############################################################

 

Connect-PnPOnline `

    -Url $DestinationSiteUrl `

    -ClientId $ApplicationClientId `

    -ClientSecret $ApplicationClientSecret `

    -Tenant $TenantId `

    -WarningAction Ignore

 

############################################################

# PROCESS EACH FOLDER

############################################################

 

foreach ($FullFolderUrl in $SourceFolderUrls) {

    Write-Host "Processing: $FullFolderUrl" -ForegroundColor Cyan

 

    # Convert URL to URI object

    $Uri = [System.Uri]$FullFolderUrl

 

    # Get server-relative path

    # Example: /Shared Documents/folder3/subfolder3.1

    $ServerRelativePath = $Uri.AbsolutePath

 

    # Remove site name to get site-relative path

    # Example result: Shared Documents/folder3/subfolder3.1

    $SiteRelativePath = $ServerRelativePath.Replace(

        "/" + $Uri.AbsolutePath.Split('/')[1] + "/" + $Uri.AbsolutePath.Split('/')[2] + "/",

        ""

    )

 

    ############################################################

    # IMPORTANT:

    # This command CREATES the folder ONLY IF IT DOES NOT EXIST

    # If folder already exists → nothing happens

    # If folder does not exist → it gets created

############################################################

    Resolve-PnPFolder -SiteRelativePath $SiteRelativePath

    Write-Host "Folder ensured (created if missing): $SiteRelativePath" -ForegroundColor Green

}

 

############################################################

# COMPLETED

############################################################

 

Write-Host "Folder structure creation completed successfully." -ForegroundColor Yellow

 

Study guide for Exam AZ-204: Developing Solutions for Microsoft Azure

 

Azure: Implement Containerized Solutions (Points Only)

---

1) ✅ Create and Manage Container Images for Solutions

✅ What a container image is

• A packaged application with:

  • App code

  • Runtime (like .NET/Node/Python)

  • Libraries and dependencies

  • OS-level required files

• Built using a Dockerfile

• Runs the same across environments (Dev/Test/Prod)

✅ Best practices for container image creation

• Use lightweight base images:

  • Alpine / slim images when possible

• Use multi-stage builds:

  • Build stage → runtime stage (smaller final image)

• Keep images secure:

  • Avoid storing secrets in image

  • Use environment variables / Key Vault instead

• Standardize tagging:

  • appname:v1.0.0

  • appname:latest (use carefully in prod)

• Include health check endpoint in app:

  • /health for readiness/liveness

• Scan images for vulnerabilities:

  • Use ACR image scanning/security tools

---

2) ✅ Publish an Image to Azure Container Registry (ACR)

⭐ Azure Container Registry (ACR) purpose

• Private container image registry for Azure

• Stores:

  • Docker images

  • Helm charts (optional)

• Supports:

  • Role-based access control (RBAC)

  • Integration with AKS, Container Apps, ACI

✅ Steps to push image to ACR (high-level)

• Create ACR:

  • Choose SKU (Basic/Standard/Premium)

• Login to ACR from CLI:

  • az acr login

• Tag local image:

  • <acrname>.azurecr.io/appname:version

• Push image:

  • docker push <acrname>.azurecr.io/appname:version

✅ Best practices for ACR

• Use Managed Identity for pulling images (avoid secrets)

• Enable private networking:

  • Private Endpoint (enterprise)

• Use separate registries per environment (optional)

• Keep a retention policy for old images

---

3) ✅ Run Containers Using Azure Container Instances (ACI)

⭐ What ACI is best for

• Run containers without managing servers

• Best use cases:

  • Quick deployments

  • Dev/Test workloads

  • Batch jobs and one-off tasks

  • Simple APIs (light traffic)

✅ Key ACI features

• Fast startup

• Supports:

  • Linux and Windows containers

• Networking:

  • Public IP or VNet integration (advanced)

• Storage:

  • Azure Files mount support

✅ When NOT to use ACI

• Complex microservices needing scaling + service discovery

• Production workloads requiring advanced traffic routing

• Kubernetes-level orchestration

✅ Best practice usage

• Use ACI for:

  • Job execution (ETL, scripts)

  • Temporary processing workloads

• Add monitoring:

  • Azure Monitor logs for container output

---

4) ✅ Create Solutions Using Azure Container Apps (ACA)

⭐ Azure Container Apps = best managed container platform (recommended)

• Runs containers with Kubernetes power but simplified operations

• Best for:

  • Microservices

  • API backends

  • Background workers

  • Event-driven apps

✅ Key Container Apps features

• Autoscaling (including scale to zero)

• HTTPS ingress built-in

• Revision management:

  • Blue/green and traffic splitting

• Supports:

  • Dapr (optional for service-to-service messaging)

• Easy integration with ACR

✅ Best design patterns with Container Apps

• Frontend app → public ingress enabled

• Backend services → internal ingress only

• Worker services → no ingress (queue/event driven)

• Use:

  • Managed Identity for ACR pull and secrets access

  • Environment variables for config

  • Key Vault references for sensitive data

✅ When to choose Container Apps vs AKS

• Choose Container Apps when:

  • You want managed simplicity + autoscaling

  • You don’t want cluster management

• Choose AKS when:

  • You need full Kubernetes control

  • Complex networking + policies + advanced workloads

---

✅ Recommended Enterprise Container Flow (End-to-End)

• Build container image (Dockerfile)

• Push image to Azure Container Registry

• Deploy to:

  • ACI for simple/temporary/batch workloads

  • Azure Container Apps for production microservices with scaling

• Secure and operate:

  • Managed Identity + Key Vault

  • Azure Monitor + Log Analytics

---

✅ Final Interview Summary (Perfect Answer)

• Build images → Dockerfile + multi-stage builds + version tagging

• Publish images → push to Azure Container Registry (ACR)

• Run containers quickly → Azure Container Instances (ACI)

• Production microservices → Azure Container Apps (autoscale + revisions + ingress)

---

#Azure #Containers #Docker #ACR #AzureContainerRegistry #ACI #AzureContainerInstances #ContainerApps #Microservices #DevOps #CloudArchitecture #AzureArchitecture

Implement Azure App Service Web Apps (Points Only)

---

1) ✅ Create an Azure App Service Web App

✅ Core components required

• Resource Group

• App Service Plan

  • Defines OS + region + pricing tier + scale

• Web App

  • Hosts code or container

⭐ Best practices while creating Web App

• Choose runtime:

  • .NET / Node.js / Java / Python / PHP

• Pick correct OS:

  • Windows (if required)

  • Linux (common for containers + modern stacks)

• Use naming standards:

  • app-<project>-<env>-<region>

• Enable managed identity (recommended for secure access)

---

2) ✅ Configure and Implement Diagnostics and Logging

✅ Best diagnostics tools for App Service

• App Service Logs

  • Application logs

  • Web server logs

  • Detailed error messages

  • Failed request tracing

• Azure Monitor + Log Analytics

  • Centralized logging and queries using KQL

• Application Insights (Recommended)

  • Request tracking, dependencies, exceptions, performance

✅ What to enable (production ready)

• Enable Application Insights

  • Distributed tracing + live metrics

• Send logs to Log Analytics Workspace

• Enable diagnostic settings for:

  • AppServiceHTTPLogs

  • AppServiceConsoleLogs

  • AppServiceAuditLogs

✅ Troubleshooting benefits

• Detect slow responses + failures

• Track exceptions and root cause

• Monitor CPU/memory and scaling behavior

---

3) ✅ Deploy Code and Containerized Solutions

✅ Code deployment options (most used)

• GitHub Actions

  • Automated CI/CD

• Azure DevOps Pipelines

  • Enterprise release pipelines

• ZIP Deploy

  • Quick manual deployment

• FTP (not recommended for production)

✅ Containerized deployment (recommended approach)

• Use App Service for Containers:

  • Docker image from ACR

  • Or Docker Hub (less secure)

• Best practices for container deployment:

  • Use private registry (Azure Container Registry)

  • Use Managed Identity to pull image (avoid passwords)

  • Use image tagging for version control

---

4) ✅ Configure Settings (TLS, API Settings, Service Connections)

✅ Transport Layer Security (TLS)

• Enforce HTTPS:

  • HTTPS Only = ON

• Set TLS version:

  • Use latest supported TLS (recommended)

• Bind custom domain + SSL certificate:

  • App Service Managed Certificate (when available)

  • Or Key Vault certificate

✅ API settings (common configuration)

• Enable CORS only for allowed domains

• Configure Authentication/Authorization:

  • Microsoft Entra ID (Azure AD)

• Configure API routing:

  • Use API Management if multiple APIs exist

✅ Service connections (secure connectivity)

• Use Managed Identity

  • Access Key Vault, Storage, SQL securely

• Use Key Vault references in App Settings

  • Avoid storing secrets in app config

• Use VNet Integration

  • Access private resources (SQL/Storage via private endpoints)

✅ App configuration settings

• Application settings:

  • Environment variables (Dev/Test/Prod separation)

• Connection strings:

  • Store securely (prefer Key Vault)

• Deployment settings:

  • Build during deployment (if needed)

---

5) ✅ Implement Autoscaling

⭐ Autoscale works on App Service Plan

• Scale out = increase instances

• Scale up = move to bigger plan (more CPU/RAM)

✅ When to use Scale Out (recommended)

• Spiky traffic workloads

• High concurrent users

✅ Autoscale rules (common)

• CPU > 70% for 10 min → add 1 instance

• Memory > 75% → add 1 instance

• Queue length > threshold → scale out (for worker apps)

✅ Best practices

• Set minimum instances for production (avoid cold start)

• Use schedule-based scaling:

  • Scale up during business hours

  • Scale down at night

• Always monitor costs with scaling rules

---

6) ✅ Configure Deployment Slots

⭐ What deployment slots provide

• Separate environments within same Web App:

  • production, staging, dev

• Support:

  • Zero-downtime deployments

  • Quick rollback

✅ Recommended slot usage

• Deploy to staging slot

• Validate health

• Swap to production

✅ Slot settings (very important)

• Mark configs as slot-specific when needed:

  • Connection strings

  • API keys

  • Environment variables like ENV=UAT

• Use swap safely:

  • Warm-up settings to avoid cold start post swap

✅ Best deployment strategies with slots

• Blue/Green deployment

• Canary releases (limited traffic routing with advanced setup)

---

✅ Final Interview Summary (Perfect Answer)

• Create Web App → App Service Plan + Web App + Managed Identity

• Diagnostics → Application Insights + Log Analytics + App Service logs

• Deploy → GitHub Actions/Azure DevOps + ACR container deployments

• Configure → HTTPS/TLS, CORS, Entra ID auth, Key Vault references, VNet integration

• Autoscale → scale-out rules based on CPU/memory/schedule

• Slots → staging slot + swap for zero downtime + slot-specific settings

---

#Azure #AppService #WebApps #ApplicationInsights #AzureMonitor #DeploymentSlots #Autoscale #ACR #Containers #TLS #EntraID #KeyVault #DevOps #AzureArchitecture

Implement Azure Functions (Points Only)

---

1) ✅ Create and Configure an Azure Functions App

✅ Required components for a Function App

• Resource Group

• Function App

• Hosting plan

  • Consumption (serverless pay-per-execution)

  • Premium (no cold start + VNet + better scale)

  • Dedicated (App Service Plan)

• Storage Account (mandatory)

  • Used internally for function state and triggers

• Runtime stack

  • .NET / Node.js / Python / Java

• Region

  • Choose closest to users/data for low latency

⭐ Best plan selection

• Consumption

  • Best for event-driven workloads

  • Lowest cost when usage is unpredictable

• Premium

  • Best for production APIs and enterprise needs

  • Use when you need:

    • VNet integration

    • predictable performance

    • no cold start

• Dedicated

  • Best when:

    • already using App Service Plan

    • fixed capacity required

✅ Core configuration settings (must-do)

• Enable Managed Identity

  • Access Key Vault, Storage, Dataverse, etc.

• Configure Application Settings

  • Connection strings, endpoints, environment flags

• Enable monitoring:

  • Application Insights

• Secure access:

  • Use HTTPS only

  • Restrict inbound access if needed (Private endpoints / VNet)

---

2) ✅ Implement Input and Output Bindings

✅ What bindings do

• Connect your function to services without writing full integration code

• Bindings reduce boilerplate and improve productivity

✅ Common input bindings

• Blob input

  • Read content from Azure Storage blobs

• Queue input

  • Get messages from Storage queue

• Service Bus input

  • Read messages from queue/topic

• Cosmos DB input

  • Read documents or change feed data

✅ Common output bindings

• Blob output

  • Write results to Blob storage

• Queue output

  • Push new messages to a queue

• Service Bus output

  • Send messages to queue/topic

• Cosmos DB output

  • Write documents to database

✅ Best practices for bindings

• Keep bindings simple and focused

• Use managed identity where supported

• Handle failures:

  • dead-letter queues (Service Bus)

  • poison messages (Storage queues)

• Avoid large payloads in queue messages

  • store file in Blob and pass reference URL

---

3) ✅ Implement Function Triggers (Data Operations, Timers, Webhooks)

---

✅ A) Data operations triggers

⭐ Storage Queue trigger

• Best for:

  • Background processing

  • Async workload handling

• Use cases:

  • Process requests from apps/flows

  • Run batch processing safely

⭐ Service Bus trigger

• Best for:

  • Enterprise messaging (reliable + scalable)

• Use cases:

  • Decoupled microservices processing

  • Integration pipelines

• Features:

  • Topics/subscriptions

  • Dead-letter queues (DLQ)

⭐ Blob trigger

• Best for:

  • File-based workloads

• Use cases:

  • File uploaded → extract metadata → store into DB

  • Process images, PDFs, CSV files

⭐ Cosmos DB trigger

• Best for:

  • Change feed based processing

• Use cases:

  • React to document updates in NoSQL

---

✅ B) Timer triggers (Scheduled jobs)

⭐ Timer trigger

• Best for:

  • Scheduled tasks using CRON

• Use cases:

  • Daily sync jobs

  • Cleanup and archival tasks

  • SLA monitoring jobs

✅ Best practice

• Make scheduled tasks idempotent (safe re-run)

• Log run history for auditing

---

✅ C) Webhook / HTTP triggers

⭐ HTTP trigger

• Best for:

  • APIs and webhooks

  • Called from:

    • Power Apps

    • Power Automate

    • External systems

• Use cases:

  • Validate request → start job → return response

  • Integrate external system callbacks

✅ Security best practices

• Prefer Entra ID authentication (OAuth)

• Avoid exposing function keys publicly

• Use APIM in front for enterprise control:

  • throttling, auth, logging

---

✅ Recommended Azure Functions Design Pattern (Enterprise)

• Power Automate / App → HTTP trigger function

• Function writes request to Service Bus queue

• Service Bus trigger function processes job

• Results stored in Dataverse/SQL/Storage

• Monitoring via Application Insights + alerts

---

✅ Final Interview Summary (Perfect Answer)

• Create Function App → choose plan (Consumption/Premium), storage account, enable App Insights + Managed Identity

• Bindings → use input/output bindings for Storage/Service Bus/Cosmos DB to reduce code

• Triggers → use Queue/ServiceBus/Blob for data events, Timer for schedules, HTTP for webhooks and APIs

---

#AzureFunctions #Serverless #Bindings #Triggers #ServiceBus #StorageQueue #BlobTrigger #TimerTrigger #HTTPTrigger #AppInsights #ManagedIdentity #AzureArchitecture

Develop Solutions that Use Azure Cosmos DB (Points Only)

---

1) ✅ Perform Operations on Containers and Items Using the SDK

✅ Cosmos DB core concepts

• Account → top-level Cosmos resource

• Database → logical grouping of containers

• Container → stores items (like a table/collection)

• Item → JSON document (record)

• Partition key → drives scalability + performance

⭐ Best SDK choice (common)

• .NET SDK / Java SDK / Python SDK / Node.js SDK

✅ Required setup for SDK operations

• Cosmos endpoint URI

• Key or Managed Identity (preferred in Azure)

• Database + container name

• Partition key value for item operations

✅ Common operations (CRUD)

• Create:

  • Insert new item into container

• Read:

  • Read item by id + partition key

• Update:

  • Replace item (full update)

  • Patch item (partial update)

• Delete:

  • Delete item by id + partition key

✅ Query operations

• SQL API query examples:

  • SELECT * FROM c WHERE c.status = "Active"

• Best practices:

  • Always filter using partition key when possible

  • Return only required fields

  • Use pagination for large results

✅ Performance + cost best practices (RU/s)

• Choose a good partition key

  • High cardinality (many unique values)

  • Even distribution (avoid “hot partition”)

• Use point reads when possible

  • Cheapest and fastest operation

• Avoid cross-partition scans unless required

• Use bulk mode for high volume inserts/updates

• Use indexing policy tuning for write-heavy workloads

---

2) ✅ Set the Appropriate Consistency Level for Operations

✅ What consistency means in Cosmos DB

• Balance between:

  • data accuracy

  • latency

  • availability

  • cost

⭐ Cosmos DB consistency levels (most important)

• Strong

  • Highest correctness (like single-master strict order)

  • Higher latency, lower availability across regions

  • Best for: financial-like critical reads (rare use)

• Bounded Staleness

  • Reads can lag behind by “N” versions or time window

  • Predictable consistency

  • Best for: global apps needing near-strong behavior

• Session (Most common default)

  • Guarantees user/session sees its own writes

  • Best for: typical user apps, e-commerce, portals

• Consistent Prefix

  • Order preserved, but may not be newest

  • Best for: event/log style workloads

• Eventual

  • Fastest + cheapest, but can return stale reads

  • Best for: analytics, counts, non-critical data

✅ Recommendation cheat sheet

• Most apps → Session

• Global apps + predictable lag → Bounded staleness

• Critical correctness → Strong

• Maximum performance + lowest cost → Eventual

✅ Best practice

• Set account-level consistency first

• Override at request level only when required

• Avoid Strong consistency in multi-region write-heavy workloads

---

3) ✅ Implement Change Feed Notifications

⭐ What is Change Feed

• Continuous stream of changes (inserts + updates) in a container

• Used for event-driven processing and downstream sync

• Enables near real-time integrations

✅ Best use cases

• Real-time notifications

• Data replication to another system

• Materialized views / projections

• Audit and downstream analytics

• Trigger workflows when items change

✅ Best options to consume Change Feed

✅ Option A: Azure Functions Trigger (Recommended)

• Cosmos DB trigger listens to change feed

• Best for:

  • Serverless processing

  • Scaling automatically

• Common flow:

  • Item updated → Function triggered → push to Service Bus / update another container

✅ Option B: Change Feed Processor (SDK-based)

• Runs inside your app/service

• Best for:

  • Custom hosted microservices

  • Advanced checkpoint control

• Needs lease container for checkpointing

✅ Option C: Event-driven integration pattern

• Cosmos change feed → Function → Service Bus/Event Hub

• Best for:

  • Multiple downstream consumers

  • Reliable processing + retries

✅ Change feed best practices

• Use a lease container for checkpoints (Change Feed Processor)

• Ensure idempotency:

  • Same event should not create duplicates

• Use batching for efficiency

• Monitor lag and failures

• Store processing status/logs for audit

---

✅ Final Interview Summary (Perfect Answer)

• SDK operations → use container CRUD, point reads with id + partition key, efficient queries, RU optimization

• Consistency → choose Session for most apps, Bounded staleness for global predictability, Strong only for critical correctness

• Change feed → use Cosmos trigger in Azure Functions or Change Feed Processor for event-driven notifications

---

#Azure #CosmosDB #NoSQL #PartitionKey #ConsistencyLevels #ChangeFeed #AzureFunctions #CloudArchitecture #Dataverse #EventDrivenArchitecture #DatabaseDesign

Develop Solutions that Use Azure Blob Storage (Points Only)

---

1) ✅ Set and Retrieve Properties and Metadata

✅ Difference between properties and metadata

• Properties

  • System-defined values managed by Blob Storage

  • Examples:

    • Content-Type, Content-Length

    • ETag, Last-Modified

    • Access tier (Hot/Cool/Archive)

• Metadata

  • Custom key-value pairs added by you

  • Examples:

    • Department=Finance

    • DocType=Invoice

    • Owner=Sreekanth

    • Retention=7Years

✅ Common operations for metadata/properties

• Set metadata:

  • Add tags used by apps and governance

• Get metadata:

  • Use for filtering, validation, processing decisions

• Update properties:

  • Set Content-Type correctly (PDF, PNG, JSON)

  • Set cache control for performance

✅ Best practices

• Keep metadata values small and meaningful

• Follow consistent naming rules for metadata keys

• Don’t store secrets or sensitive info in metadata

• Use Blob Index Tags (if needed) for searchable tags at scale

---

2) ✅ Perform Operations on Data Using the Appropriate SDK

⭐ Most used SDK: Azure Storage Blob SDK

• Available for:

  • .NET, Java, Python, Node.js

✅ Core objects in SDK

• BlobServiceClient (account level)

• BlobContainerClient (container level)

• BlobClient (blob level)

✅ Common blob operations

• Container operations:

  • Create container

  • List containers

  • Set container access level (private recommended)

• Blob operations:

  • Upload blob

  • Download blob

  • Delete blob

  • Copy blob (async copy)

  • List blobs with prefix/folder style

✅ Handling large files (important)

• Use block blobs

• Upload using:

  • chunking / parallel upload

• Use streaming:

  • don’t load full file into memory

✅ Access and security options (recommended)

• Prefer Managed Identity from Azure services

• Prefer SAS token only when temporary access is needed

• Use RBAC + Storage Blob Data Contributor/Reader

• Use Private Endpoint for internal-only access

✅ Performance best practices

• Use CDN for public content delivery

• Use correct blob type:

  • Block blobs (most common)

• Use parallelism for large uploads/downloads

• Avoid frequent small writes (bundle where possible)

---

3) ✅ Implement Storage Policies and Data Lifecycle Management

✅ Why lifecycle policies matter

• Reduce storage cost automatically

• Enforce retention and compliance rules

• Move older data to cheaper tiers

⭐ Storage lifecycle management (best feature)

• Create rules to automatically:

  • Move blobs between tiers:

    • Hot → Cool → Archive

  • Delete blobs after retention period

  • Handle snapshots and versions cleanup

✅ Common lifecycle rules (real-world)

• Logs:

  • Hot for 7 days → Cool for 30 days → Archive for 180 days → Delete after 1 year

• Backups:

  • Hot 30 days → Archive 7 years

• Documents:

  • Hot for active usage → Cool after inactivity

✅ Versioning + soft delete (data protection)

• Enable:

  • Soft delete (recover deleted blobs)

  • Blob versioning (recover overwritten files)

  • Point-in-time restore (where supported)

• Best for:

  • Protecting against accidental delete/overwrite

  • Ransomware recovery readiness

✅ Governance and access policies

• Use:

  • Immutability policies (WORM) for compliance (if required)

  • Storage account firewall

  • Private endpoints

• Monitor with:

  • Diagnostic settings → Log Analytics

---

✅ Final Interview Summary (Perfect Answer)

• Metadata/properties → set Content-Type + custom metadata for classification, retrieve for processing decisions

• SDK operations → use BlobServiceClient/ContainerClient/BlobClient for upload/download/list/copy/delete

• Policies/lifecycle → apply lifecycle rules (Hot→Cool→Archive), enable soft delete + versioning for protection and cost savings

---

#Azure #BlobStorage #AzureStorage #Metadata #SDK #LifecycleManagement #HotCoolArchive #SoftDelete #Versioning #DataProtection #CloudStorage #AzureArchitecture

Implement User Authentication and Authorization (Azure + Microsoft Identity) — Points Only

---

1) ✅ Authenticate & Authorize Users Using Microsoft Identity Platform

⭐ What Microsoft Identity Platform provides

• OAuth 2.0 and OpenID Connect based authentication

• Supports:

  • Work/school accounts (Entra ID)

  • Personal Microsoft accounts (MSA)

  • External users (B2B / External ID)

• Used for:

  • Secure login (sign-in)

  • Token-based access to APIs (authorization)

✅ Recommended app architecture (common)

• Frontend (Web/Mobile) → sign-in using Microsoft Identity

• Backend API → validates JWT access token

• Access resources:

  • Microsoft Graph

  • Azure services

  • Custom APIs

✅ Key concepts to mention in interview

• ID Token

  • Used for user authentication (who the user is)

• Access Token

  • Used to call APIs (what user/app can access)

• Refresh Token

  • Used to get new access tokens (long session)

✅ Best practices

• Use Authorization Code Flow (most secure for web apps)

• Use PKCE for SPA/mobile apps

• Validate tokens in API:

  • issuer, audience, signature, expiry

• Use scopes + roles to control authorization

---

2) ✅ Authenticate & Authorize Users and Apps Using Microsoft Entra ID

✅ Best identity provider in Azure: Microsoft Entra ID

• Provides:

  • SSO across apps

  • MFA and Conditional Access

  • App registrations + service principals

  • RBAC integration across Azure

✅ Authentication options

• User-based authentication (Delegated)

  • User signs in and acts on their own behalf

  • Best for:

    • Web apps, portals, internal systems

• App-only authentication (Application permissions)

  • Background services run without user context

  • Best for:

    • Scheduled jobs

    • System-to-system integrations

    • Automation scripts

✅ Authorization methods (Entra + Azure)

• App-level authorization:

  • Scopes (API permissions)

  • App roles (role claims in token)

• Azure resource authorization:

  • Azure RBAC (Owner/Contributor/Reader/custom roles)

• Conditional Access:

  • Require MFA

  • Restrict sign-in location/device compliance

✅ Best practices

• Prefer Managed Identity for Azure-to-Azure access

• Use least privilege roles and permissions

• Use PIM for admin roles (just-in-time access)

---

3) ✅ Create and Implement Shared Access Signatures (SAS)

⭐ What SAS is

• A secure token that grants temporary limited access to Azure Storage resources

• Supports:

  • Blob

  • File shares

  • Queues

  • Tables

✅ Types of SAS

• User Delegation SAS (Recommended)

  • Uses Entra ID authentication

  • Stronger security (no account key sharing)

• Service SAS

  • Created using storage account key (more risk)

• Account SAS

  • Broad access across services (use carefully)

✅ Common SAS parameters

• Scope:

  • Container / Blob

• Permissions:

  • Read / Write / Delete / List

• Expiry time:

  • Short-lived recommended

• IP range restriction (optional)

• HTTPS only (recommended)

✅ Best practices

• Use short expiry (minutes/hours)

• Use least privilege permissions

• Prefer User Delegation SAS

• Rotate keys if Service SAS is used

• Never hardcode SAS tokens in apps/repos

---

4) ✅ Implement Solutions That Interact with Microsoft Graph

⭐ What Microsoft Graph provides

• Unified API for Microsoft 365 + Entra ID data

• Common resources:

  • Users, groups, roles

  • Mail, calendar

  • Teams, chats

  • SharePoint, OneDrive

  • Devices and directory objects

✅ Typical Microsoft Graph use cases

• Read user profile details after login

• Manage groups and group membership

• Send mail or create calendar events (with permissions)

• Teams notifications / automation

• Read SharePoint files and lists

✅ Authentication for Microsoft Graph

• Use Entra ID app registration

• Permissions types:

  • Delegated permissions

    • Actions on behalf of signed-in user

  • Application permissions

    • Background service access (admin consent required)

✅ Best practices for Graph

• Request only required scopes

• Use admin consent carefully (for application permissions)

• Handle throttling:

  • Respect 429 + Retry-After

• Use paging for lists:

  • NextLink pagination

• Secure secrets:

  • Use certificates or Managed Identity (when available)

  • Store secrets in Key Vault if needed

---

✅ Final Interview Summary (Perfect Answer)

• Microsoft Identity platform → use OAuth2/OIDC, tokens (ID/access), auth code flow + PKCE

• Entra ID → SSO, MFA, Conditional Access, scopes/roles, app-only or delegated access

• SAS → temporary storage access, prefer User Delegation SAS, short expiry + least privilege

• Microsoft Graph → access M365 data securely using delegated/app permissions with throttling and paging

---

#Azure #MicrosoftIdentityPlatform #EntraID #OAuth2 #OpenIDConnect #Authorization #RBAC #SAS #MicrosoftGraph #Security #ManagedIdentity #ConditionalAccess

Implement Secure Azure Solutions (Points Only)

---

1) ✅ Secure App Configuration Data (Azure App Configuration vs Azure Key Vault)

⭐ Use Azure App Configuration for

• Non-secret configuration values

• Feature flags and app settings

• Environment-based configuration (Dev/UAT/Prod)

• Centralized configuration for multiple apps

✅ Examples (safe to store)

• API base URL

• Feature toggle: EnableNewUI=true

• Timeout values, limits, thresholds

• App theme settings

• Environment name

✅ Benefits

• Central config store (no redeploy needed for changes)

• Feature flags support

• Easy integration with App Service / Functions / AKS

---

⭐ Use Azure Key Vault for

• Secrets, keys, and certificates (high security)

✅ Examples (must store here)

• Database passwords / connection strings

• API keys / tokens

• Certificates (TLS/SSL)

• Encryption keys (CMK)

✅ Benefits

• Strong access control (RBAC)

• Secret rotation and versioning

• Audit logging

• HSM-backed security options

---

✅ Best practice approach (recommended architecture)

• Store app settings in Azure App Configuration

• Store secrets in Azure Key Vault

• Reference Key Vault secrets from:

  • App Service settings (Key Vault references)

  • Functions configuration

  • Apps using SDK

---

2) ✅ Develop Code Using Keys, Secrets, and Certificates from Azure Key Vault

✅ Common access methods

• Azure SDK (Recommended)

  • DefaultAzureCredential to authenticate securely

• Key Vault supports managing:

  • Secrets (passwords, tokens)

  • Keys (encryption keys)

  • Certificates (TLS certs)

✅ Best practices for Key Vault usage in code

• Never hardcode secrets in code or pipelines

• Always authenticate using Managed Identity

• Use secret versioning:

  • Handle secret rotation without breaking apps

• Cache secrets in memory (short TTL) to reduce latency and calls

• Enable:

  • Soft delete + purge protection

  • Diagnostic logging to Log Analytics

✅ Typical secure patterns

• Retrieve secret → use it → do not log it

• Use Key Vault certificate for:

  • HTTPS/mTLS

  • app authentication to external systems

• Use Key Vault keys for:

  • Encryption at rest (CMK)

  • Signing tokens or messages

---

3) ✅ Implement Managed Identities for Azure Resources

⭐ What Managed Identity solves

• Removes need for storing credentials (client secrets/passwords)

• Azure automatically manages token issuance and rotation

• Best for:

  • App Service → Key Vault

  • Function App → Storage / Dataverse / SQL

  • AKS → Key Vault + ACR

✅ Types of managed identity

• System-assigned

  • Auto created per resource

  • Deleted when resource is deleted

  • Best for: single app resource usage

• User-assigned

  • Standalone identity reused across multiple resources

  • Best for: shared access across apps/services

✅ Steps to implement (standard)

• Enable Managed Identity on:

  • App Service / Function App / VM / Container Apps

• Grant permissions using:

  • Azure RBAC roles

  • Key Vault role assignments

• Use DefaultAzureCredential in application code

• Test access:

  • Ensure the identity can fetch secrets/keys/certs

✅ Best practices

• Follow least privilege:

  • Secret Get/List only if required

  • Separate identities per app/environment

• Use Private Endpoints for Key Vault in enterprise environments

• Monitor Key Vault access logs for suspicious activity

• Avoid using access keys when managed identity is possible

---

✅ Final Interview Summary (Perfect Answer)

• Config security → App Configuration for non-secrets, Key Vault for secrets/certs/keys

• Code with Key Vault → use Azure SDK + Managed Identity, enable versioning + soft delete + auditing

• Managed Identities → remove secrets, automatic rotation, grant RBAC permissions with least privilege

---

#AzureSecurity #KeyVault #AppConfiguration #ManagedIdentity #SecretsManagement #Certificates #EncryptionKeys #RBAC #CloudSecurity #AzureArchitecture

Azure Monitor + Application Insights: Monitor and Troubleshoot Solutions (Points Only)

---

1) ✅ Monitor and Analyze Metrics, Logs, and Traces

✅ What Application Insights monitors

• Requests

  • Response time, failure rate, request count

• Dependencies

  • SQL calls, REST APIs, Storage, Service Bus calls

• Exceptions

  • Error stack traces + frequency

• Performance

  • Slow operations, bottlenecks, latency patterns

• Live Metrics

  • Near real-time health view for production

• Distributed Tracing

  • End-to-end request tracking across microservices

---

✅ Metrics vs Logs vs Traces (easy interview explanation)

• Metrics

  • Fast numeric measurements (CPU, request duration, failure rate)

• Logs

  • Searchable records/events stored in Log Analytics (KQL queries)

• Traces

  • Detailed operations flow across services (correlation IDs)

---

⭐ Best tools to analyze

• Azure Monitor Metrics Explorer

  • Quick graphs + thresholds

• Log Analytics (KQL)

  • Deep root-cause analysis

• Application Insights (Performance + Failures + Dependencies)

  • End-to-end troubleshooting

---

✅ Best practices

• Use sampling to reduce noise/cost (keep important logs)

• Add custom dimensions:

  • userId, tenantId, environment, region

• Track business events:

  • orders created, payments succeeded

• Correlate across services:

  • use consistent operationId / traceId

---

2) ✅ Implement Availability Tests and Alerts

⭐ Availability Tests (Uptime Monitoring)

• Purpose:

  • Ensure app endpoint is reachable and healthy

• Types (common)

  • URL ping test (simple uptime check)

  • Standard test (improved version, modern approach)

  • Multi-step web test (legacy in many cases)

✅ Best availability test setup

• Target:

  • /health endpoint (recommended)

• Run frequency:

  • Every 1–5 minutes (based on criticality)

• Test locations:

  • Multiple regions to detect geo routing issues

✅ Alerting (recommended approach)

• Availability alerts

  • Trigger when test fails from multiple locations

• Metric alerts

  • Response time high

  • Failed requests > threshold

• Log query alerts

  • Custom detection using KQL

• Action Groups

  • Notify via Email/SMS/Teams

  • Trigger Logic App / ITSM ticket

✅ Best practices for alerts

• Avoid alert spam:

  • Use smart thresholds and aggregation windows

• Separate alerts by severity:

  • Sev1 (outage), Sev2 (degradation), Sev3 (warnings)

• Include runbook link in alert message:

  • troubleshooting steps, owner team

---

3) ✅ Instrument an App or Service to Use Application Insights

✅ Best instrumentation methods

• Auto-instrumentation (easiest for supported runtimes)

  • Minimal code changes

• SDK-based instrumentation (most control)

  • Add custom telemetry

✅ What to instrument (must-have telemetry)

• Request telemetry:

  • response time, status codes

• Dependency telemetry:

  • DB calls, external API calls

• Exception telemetry:

  • catch and track errors

• Trace telemetry:

  • custom logs for debugging

✅ Recommended enhancements (production ready)

• Add custom events

  • OrderSubmitted, PaymentFailed

• Add custom metrics

  • queue length, job duration

• Implement distributed tracing

  • ensure correlation across services

• Use OpenTelemetry where applicable

  • vendor-neutral instrumentation approach

✅ Secure instrumentation best practices

• Don’t log secrets or PII

• Use sampling + retention policies

• Use different Application Insights resources per environment:

  • Dev / UAT / Prod

---

✅ Final Interview Summary (Perfect Answer)

• Monitor → use metrics + logs (KQL) + traces in Application Insights

• Availability tests → check /health endpoint from multiple locations + alert via Action Groups

• Instrumentation → enable auto-instrumentation or SDK, track requests/dependencies/exceptions + add custom events and correlation

---

#AzureMonitor #ApplicationInsights #Observability #Logging #Metrics #Tracing #KQL #Alerts #AvailabilityTests #DistributedTracing #CloudMonitoring #DevOps #AzureArchitecture

Implement Azure API Management (APIM) — Points Only

---

1) ✅ Create an Azure API Management Instance

✅ What APIM is used for

• Central API Gateway for:

  • Internal APIs

  • External partner APIs

  • Microservices APIs

• Provides:

  • Security, throttling, transformations, monitoring

✅ Steps to create APIM instance (high-level)

• Create a Resource Group

• Create API Management service

• Choose:

  • Region

  • Organization name + admin email

• Select pricing tier:

  • Developer (non-prod, testing only)

  • Basic/Standard (small production)

  • Premium (enterprise: VNet + multi-region + SLA)

✅ Best practices

• Use separate instances for:

  • Dev / UAT / Prod

• Enable diagnostics logging to:

  • Log Analytics / Application Insights

• Use custom domains for production endpoints

---

2) ✅ Create and Document APIs

✅ Ways to add APIs into APIM

• Import from OpenAPI (Swagger) (best)

• Import from Azure Functions / App Service

• Create manually (basic)

• SOAP to REST (supported scenarios)

✅ API documentation features

• API operations:

  • GET/POST/PUT/DELETE endpoints

• Add:

  • Request/response schemas

  • Examples

  • Error codes and messages

• Use Developer Portal

  • Interactive testing

  • Subscription key management

  • Easy onboarding

✅ Best practices for API design in APIM

• Keep versioning strategy:

  • URL versioning /v1/

  • Header versioning

  • Query string versioning

• Create products:

  • Public product

  • Partner product

  • Internal product

---

3) ✅ Configure Access to APIs

✅ Common access control methods

• Subscription keys

  • Simple API consumer onboarding

  • Per product / per API

• OAuth 2.0 / OpenID Connect (Recommended)

  • Authenticate users via Microsoft Entra ID

• Client certificates

  • High-security B2B integrations

• IP filtering

  • Allow only specific networks

• JWT validation

  • Validate token claims before allowing access

✅ Best practice access model

• External APIs:

  • OAuth2 + subscription keys

• Internal APIs:

  • Entra ID auth + private networking

• Use Managed Identity when APIM calls backend services

✅ Security hardening checklist

• Enable HTTPS only

• Use WAF in front (Front Door/App Gateway) if needed

• Restrict admin access using RBAC + PIM

• Use Private Endpoints / VNet integration (premium tier scenarios)

---

4) ✅ Implement Policies for APIs

⭐ Policies are the strongest APIM feature

• They apply rules to:

  • Inbound request

  • Outbound response

  • Backend calls

  • Errors

✅ Most commonly used APIM policies

✅ Security policies

• validate-jwt

  • Validate Entra ID token and claims

• check-header

  • Ensure required headers exist

• ip-filter

  • Allow only approved client IPs

✅ Traffic management policies

• rate-limit

  • Requests per time window

• quota

  • Total calls per day/month

• retry

  • Retry backend failures safely

✅ Transformation policies

• set-header

  • Add correlation IDs, auth headers

• rewrite-uri

  • Route to correct backend path

• set-body

  • Modify request/response body

✅ Caching policies

• cache-lookup + cache-store

  • Improve performance for read APIs

✅ Observability policies

• Add correlation ID:

  • x-correlation-id

• Enable diagnostics to App Insights/Log Analytics

✅ Best practices for policies

• Apply policies at correct level:

  • Global → Product → API → Operation

• Keep policy logic simple and maintainable

• Use named values for reusable config

• Avoid excessive transformations that add latency

---

✅ Final Interview Summary (Perfect Answer)

• Create APIM → choose tier (Developer for dev, Premium for enterprise), enable logs + custom domain

• Create/document APIs → import OpenAPI, publish via Developer Portal with versioning strategy

• Configure access → subscription keys + Entra ID OAuth/JWT validation, restrict IPs and use HTTPS

• Policies → apply validate-jwt, rate limiting, retry, rewrite, caching, headers, and logging

---

#Azure #APIM #APIGateway #AzureAPIM #OAuth2 #EntraID #JWT #RateLimiting #APIManagement #Policies #DeveloperPortal #CloudSecurity #AzureArchitecture

Develop Event-Based Solutions (Azure) — Points Only

---

1) ✅ Implement Solutions That Use Azure Event Grid

⭐ What Azure Event Grid is best for

• Event routing (react when something happens)

• Lightweight, push-based events

• Best use cases:

  • Blob created/deleted events

  • Resource group changes

  • Key Vault secret events

  • Custom business events

✅ Key Event Grid components

• Event Source

  • Storage, Key Vault, Azure services, custom apps

• Event Topic

  • System topic (Azure resource events)

  • Custom topic (your own events)

• Event Subscription

  • Routes events to a destination

  • Supports filtering and retry

• Event Handler (Destination)

  • Azure Functions

  • Logic Apps

  • Webhook

  • Service Bus / Storage Queue

✅ Common architecture pattern

• Storage event → Event Grid → Azure Function → process → update DB/Dataverse

✅ Filtering and routing best practices

• Filter by:

  • Event type (BlobCreated only)

  • Subject patterns (specific container/folder)

• Use dead-letter storage (recommended)

• Use retries + exponential backoff (built-in behavior)

• Design event handlers idempotent (safe if event delivered twice)

✅ When Event Grid is the best choice

• You need:

  • Immediate reaction (near real time)

  • Fan-out to multiple consumers

  • Simple event routing without heavy streaming

---

2) ✅ Implement Solutions That Use Azure Event Hubs

⭐ What Azure Event Hubs is best for

• High-throughput event streaming platform

• Best use cases:

  • Telemetry and logging ingestion

  • IoT events and device streams

  • Clickstream data

  • Real-time pipeline into analytics systems

✅ Key Event Hubs components

• Event Hub Namespace

  • Container for hubs and policies

• Event Hub

  • The stream endpoint (like Kafka topic concept)

• Partitions

  • Parallel consumption and scaling

• Consumer Groups

  • Separate independent readers (apps/teams)

• Throughput Units / Capacity

  • Scale based on load

✅ Common architecture pattern

• Devices/apps → Event Hubs → Stream Analytics/Databricks → Data Lake → Power BI

✅ Best practices for Event Hubs

• Choose partition key carefully

  • even distribution to avoid hot partitions

• Keep events small and structured (JSON/Avro)

• Use batching for producers to improve throughput

• Plan retention:

  • short retention for streaming

  • archive to Data Lake for long-term storage

• Use checkpointing in consumers:

  • Event Processor Client (SDK)

  • Azure Functions Event Hub trigger

✅ When Event Hubs is the best choice

• You need:

  • Millions of events per second

  • Streaming analytics

  • Large-scale ingestion pipeline

---

✅ Event Grid vs Event Hubs (Interview Comparison)

✅ Choose Event Grid when

• You want event routing and automation

• Events are discrete business/system events

• Fan-out to multiple targets is required

✅ Choose Event Hubs when

• You want streaming ingestion at massive scale

• Telemetry/log/IoT data is continuous

• You need partitions + consumer groups for parallel reads

---

✅ Final Interview Summary (Perfect Answer)

• Event Grid → best for reactive event routing, push delivery, filtering, fan-out, Functions/Logic Apps integration

• Event Hubs → best for high-throughput streaming ingestion, partitions, consumer groups, analytics pipelines

---

#Azure #EventGrid #EventHubs #EventDrivenArchitecture #Streaming #Serverless #AzureFunctions #IoT #CloudIntegration #AzureArchitecture

Develop Message-Based Solutions (Azure) — Points Only

---

1) ✅ Implement Solutions That Use Azure Service Bus

⭐ What Azure Service Bus is best for

• Enterprise messaging with guaranteed delivery

• Best use cases:

  • Microservices communication

  • Financial/transaction systems

  • Order processing workflows

  • Reliable integration between apps

✅ Service Bus main components

• Queue (1-to-1 messaging)

  • One message consumed by one receiver

• Topic + Subscriptions (1-to-many pub/sub)

  • One message can be delivered to many subscribers

• Dead-Letter Queue (DLQ)

  • Stores failed/poison messages automatically

✅ Key Service Bus features (interview must-know)

• Message durability (stored until processed)

• At-least-once delivery

• Sessions for FIFO and ordered processing

• Duplicate detection (avoid double-processing)

• Scheduled messages (deliver later)

• Retry and lock management (Peek-Lock mode)

• Transactions (send/receive in one transaction)

✅ Recommended design patterns

• Queue for:

  • Order creation → processing service

• Topic for:

  • Order created → billing + shipping + notifications subscribers

• DLQ handling:

  • Monitor DLQ and reprocess safely

✅ Best practices

• Use Peek-Lock mode (default recommended)

• Complete message only after successful processing

• Use retry with backoff for transient failures

• Design idempotent consumers (safe repeated processing)

• Use message correlation IDs for traceability

• Use Managed Identity for secure access

---

2) ✅ Implement Solutions That Use Azure Queue Storage

⭐ What Azure Queue Storage is best for

• Simple, low-cost messaging for async workloads

• Best use cases:

  • Background job processing

  • Simple producer/consumer pattern

  • Lightweight task queues

✅ Key Queue Storage features

• Stores messages in a storage account

• Simple API and easy integration

• Works well with:

  • Azure Functions (Queue trigger)

  • WebJobs / Worker services

✅ Recommended design patterns

• App pushes task message → Queue → Function processes task

• Use blob + queue pattern:

  • Put file in Blob → queue message contains file URL

✅ Best practices

• Keep message payload small

• Store large data in Blob/DB and pass reference in queue message

• Set visibility timeout correctly:

  • Prevent duplicate processing

• Implement poison message handling:

  • After N failures → move to poison queue

• Use retry strategy for failures

---

✅ Service Bus vs Queue Storage (Interview Comparison)

✅ Choose Azure Service Bus when

• You need enterprise features:

  • Topics/subscriptions

  • FIFO ordering (sessions)

  • DLQ, transactions, duplicate detection

  • Strong reliability and governance

✅ Choose Azure Queue Storage when

• You need simple, cheap async messaging

• You don’t need advanced routing/features

• You want easy serverless processing with Functions

---

✅ Final Interview Summary (Perfect Answer)

• Service Bus → enterprise messaging with queues + topics, DLQ, sessions, transactions, reliable processing

• Queue Storage → simple low-cost queue for background jobs with Azure Functions triggers

---

#Azure #ServiceBus #QueueStorage #Messaging #Microservices #DeadLetterQueue #EventDriven #AzureFunctions #CloudIntegration #AzureArchitecture
==============================================================

Azure Developer: Complete Notes (Points Only)

---

1) Implement Containerized Solutions

✅ Create and manage container images for solutions

• Use Docker to package app + runtime + dependencies

• Create Dockerfile

  • Use multi-stage build (smaller image)

  • Use lightweight base images (slim/alpine)

• Best practices

  • Don’t store secrets in image

  • Add health endpoint /health

  • Tag images properly: app:v1.0.0, app:latest

  • Scan images for vulnerabilities

✅ Publish an image to Azure Container Registry (ACR)

• ACR = private image registry for Azure

• Steps

  • Create ACR (Basic/Standard/Premium)

  • Tag image: acrname.azurecr.io/app:1.0

  • Push image: docker push ...

• Best practices

  • Use Managed Identity for pull

  • Enable private endpoint for enterprise security

  • Cleanup old images (retention)

✅ Run containers using Azure Container Instances (ACI)

• Best for

  • Dev/test, quick runs, batch tasks

• Features

  • No cluster management

  • Public IP or private VNet support

• Best practices

  • Use ACI for short-lived workloads

  • Store logs in Log Analytics

✅ Create solutions using Azure Container Apps (ACA)

• Best for production containers without managing Kubernetes

• Features

  • Autoscale + scale to zero

  • Revision traffic splitting (blue/green)

  • HTTPS ingress built-in

  • Dapr support (optional)

• Best practices

  • Use internal ingress for backend services

  • Managed Identity + Key Vault references

---

2) Implement Azure App Service Web Apps

✅ Create an Azure App Service Web App

• Required components

  • Resource group

  • App Service Plan

  • Web App (runtime or container)

• Best practices

  • Enable Managed Identity

  • Use proper naming: app-name-env-region

✅ Configure diagnostics and logging

• Enable

  • Application Insights (recommended)

  • App Service logs (HTTP logs, console logs)

  • Diagnostic settings → Log Analytics

• Monitor

  • failures, latency, dependencies, exceptions

✅ Deploy code and containerized solutions

• Code deploy options

  • GitHub Actions / Azure DevOps pipelines

  • Zip deploy (quick)

• Container deploy

  • Pull from ACR (recommended)

  • Use Managed Identity to access ACR

✅ Configure settings (TLS, API, service connections)

• Security

  • HTTPS Only = ON

  • Latest TLS supported

• API settings

  • CORS allow only required domains

  • Entra ID authentication for APIs

• Service connections

  • Key Vault references for secrets

  • VNet integration for private access

  • Private endpoints for DB/Storage

✅ Implement autoscaling

• Works on App Service Plan

• Rules

  • CPU > 70% → scale out

  • Memory > 75% → scale out

  • Scheduled scaling for business hours

• Best practices

  • Minimum instances in production

  • Monitor cost impact

✅ Configure deployment slots

• Slots: staging, production

• Benefits

  • Zero-downtime deploy

  • Easy rollback via swap

• Best practices

  • Mark slot settings as “slot specific”

  • Use warm-up settings before swap

---

3) Implement Azure Functions

✅ Create and configure an Azure Functions app

• Needs

  • Function App + Storage account

  • Hosting plan: Consumption / Premium / Dedicated

• Best practices

  • Enable Application Insights

  • Enable Managed Identity

  • Store config in App Settings / App Configuration

✅ Implement input and output bindings

• Bindings reduce code for integrations

• Common bindings

  • Storage Blob input/output

  • Queue input/output

  • Service Bus input/output

  • Cosmos DB input/output

• Best practices

  • Keep payload small

  • Store large files in Blob and pass reference

✅ Implement triggers (data operations, timers, webhooks)

• Data triggers

  • Service Bus trigger (enterprise messaging)

  • Storage Queue trigger (simple background tasks)

  • Blob trigger (file processing)

  • Cosmos DB trigger (change feed processing)

• Timers

  • Timer trigger for CRON schedules

• Webhooks/APIs

  • HTTP trigger (Power Apps/Power Automate/external)

---

4) Develop Solutions Using Azure Cosmos DB

✅ Perform operations on containers and items using SDK

• Core objects

  • Account → Database → Container → Item (JSON)

• Operations

  • Create / Read / Update / Delete

  • Query with SQL API

• Best practices

  • Use partition key in queries

  • Use point reads (fast + cheap RU)

  • Avoid cross-partition scans

  • Bulk execution for large loads

✅ Set the appropriate consistency level

• Strong (highest correctness, slower)

• Bounded staleness (controlled lag)

• Session (best default for apps)

• Consistent prefix (ordered, may lag)

• Eventual (fastest, may be stale)

• Recommendation

  • Most apps → Session

  • Global with control → Bounded staleness

  • Critical finance → Strong

✅ Implement change feed notifications

• Change feed = stream of inserts/updates

• Best consumers

  • Azure Functions Cosmos DB trigger

  • Change Feed Processor (SDK)

• Best practices

  • Idempotent processing

  • Use lease container for checkpointing

  • Send to Service Bus/Event Hub for fan-out

---

5) Develop Solutions Using Azure Blob Storage

✅ Set and retrieve properties and metadata

• Properties (system)

  • Content-Type, ETag, Last-Modified, tier

• Metadata (custom key-value)

  • DocType, Owner, Department

• Best practices

  • Don’t store secrets in metadata

  • Use consistent metadata keys

✅ Perform operations using SDK

• SDK clients

  • BlobServiceClient

  • BlobContainerClient

  • BlobClient

• Operations

  • Upload/download/delete/list/copy

• Best practices

  • Use chunk upload for large files

  • Use managed identity + RBAC

  • Use private endpoints for secure access

✅ Implement lifecycle management

• Policies to move data

  • Hot → Cool → Archive

  • Delete after retention

• Protection

  • Soft delete

  • Versioning

  • Point-in-time restore (supported configs)

---

6) Implement User Authentication and Authorization

✅ Microsoft Identity platform

• OAuth2 + OpenID Connect

• Tokens

  • ID token (login)

  • Access token (API)

• Best flows

  • Auth code flow (web apps)

  • PKCE (SPA/mobile)

✅ Microsoft Entra ID authentication/authorization

• Supports

  • SSO, MFA, Conditional Access

• Authorization

  • Scopes + App roles

  • Azure RBAC for Azure resources

• Best practices

  • Least privilege

  • Use Managed Identity for Azure-to-Azure

✅ Shared Access Signatures (SAS)

• Temporary scoped access to Storage

• Types

  • User Delegation SAS (best)

  • Service SAS (uses account key)

• Best practices

  • Short expiry

  • Minimum permissions

  • HTTPS only

✅ Microsoft Graph interactions

• Access M365 resources

  • users, groups, mail, Teams, SharePoint

• Permissions

  • Delegated (user context)

  • Application (app-only)

• Best practices

  • Request minimum scopes

  • Handle throttling (429 + Retry-After)

---

7) Implement Secure Azure Solutions

✅ Secure config using App Configuration / Key Vault

• App Configuration

  • non-secret settings + feature flags

• Key Vault

  • secrets, keys, certificates

✅ Code using Key Vault secrets/keys/certs

• Use Azure SDK + DefaultAzureCredential

• Best practices

  • Soft delete + purge protection

  • Audit logs + monitoring

  • Cache secrets short-term (reduce calls)

✅ Implement Managed Identities

• System assigned

  • tied to resource

• User assigned

  • reusable identity

• Best practices

  • RBAC with least privilege

  • Avoid access keys when MI works

---

8) Azure Monitor + Application Insights

✅ Monitor metrics, logs, traces

• Metrics

  • requests, failures, duration

• Logs (KQL)

  • deep analysis

• Traces

  • distributed tracing across services

• Best practices

  • add custom telemetry

  • sampling for cost control

  • correlate with traceId

✅ Availability tests and alerts

• Use availability test against /health

• Alerts

  • Availability failure

  • High response time

  • High exceptions

• Action groups

  • Email/Teams/SMS + automation

✅ Instrument app/service

• Auto-instrumentation (easy)

• SDK instrumentation (custom control)

• Track

  • requests + dependencies + exceptions + events

---

9) Implement Azure API Management (APIM)

✅ Create APIM instance

• Tier choice

  • Developer (non-prod)

  • Standard (prod)

  • Premium (enterprise VNet + multi-region)

• Best practices

  • Separate Dev/UAT/Prod

  • Enable diagnostics to Log Analytics

✅ Create and document APIs

• Import OpenAPI (best)

• Enable developer portal

• Add versioning strategy /v1

✅ Configure access to APIs

• Subscription keys

• OAuth2 (Entra ID) + JWT validation

• IP restrictions

• mTLS (if required)

✅ Implement policies

• Security

  • validate-jwt

• Traffic management

  • rate-limit, quota

• Transformations

  • set-header, rewrite-uri

• Reliability

  • retry

• Performance

  • caching

---

10) Develop Event-Based Solutions

✅ Azure Event Grid

• Best for event routing (react to changes)

• Source → Topic → Subscription → Handler

• Best handlers

  • Azure Functions / Logic Apps / Webhooks

• Best practices

  • filtering + dead-letter storage

  • idempotent consumers

✅ Azure Event Hubs

• Best for high-throughput streaming (telemetry, IoT)

• Concepts

  • partitions + consumer groups

• Best consumers

  • Stream Analytics, Functions, Databricks

• Best practices

  • partition key design

  • checkpointing

---

11) Develop Message-Based Solutions

✅ Azure Service Bus

• Enterprise messaging

• Queue (1:1), Topic (1:many)

• Features

  • DLQ, sessions (FIFO), duplicate detection, transactions

• Best practices

  • Peek-lock + complete after success

  • DLQ monitoring + reprocessing

✅ Azure Queue Storage

• Simple low-cost queue

• Best for background jobs

• Best practices

  • small messages

  • poison message handling

  • store large payload in Blob and pass reference

---

#Azure #AzureDeveloper #Containers #ACR #ACI #ContainerApps #AppService #AzureFunctions #CosmosDB #BlobStorage #EntraID #MicrosoftIdentity #KeyVault #ManagedIdentity #AppInsights #AzureMonitor #APIM #EventGrid #EventHubs #ServiceBus #QueueStorage