Maintain an Azure Cosmos DB solution
Drill 16 practice questions focused entirely on Maintain an Azure Cosmos DB solution for the Microsoft DP-420 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A healthcare application stores patient records in Azure Cosmos DB for NoSQL. Compliance requires that the 'nationalId' property be encrypted client-side so that plaintext is never visible to the database engine. Developers must still be able to run queries that filter documents using an exact-match equality predicate on 'nationalId'. When configuring Always Encrypted for this property, which encryption type must you select?
You operate a production Azure Cosmos DB for NoSQL account with a single container using autoscale throughput. Users intermittently report HTTP 429 errors during peak hours. You want to be proactively notified the moment the underlying cause—a physical partition consistently approaching its throughput ceiling—begins to occur, before users experience widespread throttling. Which Azure Monitor metric should you build the alert rule on to detect this specific condition?
A security team wants operations engineers to be able to create and modify Azure Cosmos DB accounts, adjust throughput settings, and manage failover priorities through the Azure portal and ARM, but they must be prevented from reading or writing any document data inside containers. Which approach satisfies these requirements with the least privilege?
Your company uses customer-managed keys (CMK) stored in Azure Key Vault to encrypt an Azure Cosmos DB account. During a security incident review, an administrator accidentally revokes the key permissions granted to the Cosmos DB account's managed identity in the Key Vault access policy. What is the immediate impact on the Cosmos DB account, and what is the correct remediation?
Your company's compliance team requires that all encryption keys for an Azure Cosmos DB account be managed and rotated by your organization rather than by Microsoft. You plan to configure the account to use customer-managed keys (CMK) stored in Azure Key Vault. Which combination of settings is REQUIRED on the Key Vault so that Cosmos DB can use the key and so that accidental deletion does not permanently lock you out of your data?
A financial services company requires that all access to a Cosmos DB for NoSQL account be auditable and that primary/secondary account keys never be used by applications reading and writing documents. Developers must authenticate using Microsoft Entra ID identities, and each application's ability to read or write items must be governed by role assignments. Which approach satisfies these requirements for data-plane operations?
A developer reports that an application writing to an Azure Cosmos DB for NoSQL container intermittently fails. Inspecting the SDK diagnostics, you notice the failed requests return HTTP status code 503 (Service Unavailable), not 429. The container uses autoscale throughput and the Normalized RU Consumption metric peaks at only 62%. What is the MOST likely cause of these failures, and the appropriate action?
Your team needs to investigate individual data-plane requests against an Azure Cosmos DB for NoSQL account — including the RU charge, status code, partition key range, and request duration for each operation over the past week. Metrics in Azure Monitor only show aggregated values and are insufficient for this per-request analysis. What must you configure to enable this level of investigation?
Your operations team must retain Azure Cosmos DB data-plane request logs for seven years to satisfy a compliance audit, while also sending a 90-day copy to a Log Analytics workspace for interactive KQL queries. Costs must be minimized for the long-term retention copy, which is queried only rarely. Which configuration should you implement?
A development team runs an ASP.NET Core web app on Azure App Service that connects to Azure Cosmos DB. Security auditors flag that the account's primary key is stored in an App Service application setting. The team must remove all shared keys from configuration and authenticate using Microsoft Entra ID, while granting the app only the ability to read and write items in a single container (no control-plane management rights). What should the team implement?
Your company runs an on-premises order processing system that publishes messages to Apache Kafka. You need to continuously ingest these Kafka messages into an Azure Cosmos DB for NoSQL container, and separately stream all document changes from a different Cosmos DB container back out to a downstream Kafka topic for analytics. You want to use the official Cosmos DB Kafka connectors with minimal custom code. Which configuration should you deploy?
A retail company runs a production Azure Cosmos DB for NoSQL account currently configured with periodic backup mode. After a recent incident where an operator accidentally deleted several containers, the compliance team requires the ability to perform self-service point-in-time restore to any second within the last 7 days. The database team wants to enable this capability on the existing account with minimal disruption and no data migration. What should they do?
A financial services company runs an Azure Cosmos DB for NoSQL account that must only be reachable from resources inside a specific Azure virtual network. Corporate security policy requires that no traffic ever traverses the public internet, and the account must not be resolvable or reachable via its public endpoint at all. Application servers reside in a subnet within that virtual network. Which configuration meets these requirements?
Your team runs a production Azure Cosmos DB for NoSQL container provisioned with autoscale at a maximum of 10,000 RU/s. Users report intermittent HTTP 429 responses during peak hours, yet the total RU/s consumed across the account stays well below the 10,000 RU/s ceiling in Azure Monitor. Which metric should you examine first to confirm the most likely root cause of the throttling?
A retail company reports that point-read latency for their Azure Cosmos DB for NoSQL container has increased. The application team confirms Normalized RU Consumption is consistently below 40% and there is no throttling (429s). You open Azure Monitor Metrics to isolate whether the delay originates inside Cosmos DB itself versus the network or client. Which metric should you examine to determine the latency contributed by the Cosmos DB service processing the request?
A data engineering team uses Azure Databricks with the Azure Cosmos DB Spark 3 connector to load a large historical dataset into a provisioned throughput container that is also serving a production read workload. During the initial bulk write job, the operations team observes that production queries experience elevated latency and 429 (rate limited) responses. The team wants the Spark job to consume only a bounded fraction of the container's provisioned RU/s while still completing, without permanently increasing the container's throughput. Which configuration should they apply to the Spark write?
More DP-420 practice
Keep going with the other Microsoft Azure Cosmos DB Developer Specialty (DP-420) domains, or take a full timed mock exam.
← Back to DP-420 overview