Free AI-200 Practice Questions

20 scenario questions covering every AI-200 domain — containers, Cosmos DB and pgvector similarity search, Azure Managed Redis, Service Bus, and Key Vault. Answers stay collapsed until you check them.

20 questions~30 minUpdated July 2026

AI-200 is a different kind of AI exam than AI-900 or AI-103: it tests the backend engineering behind AI apps — containerized hosting, vector data services, messaging, and security — rather than how you call a model or consume a prebuilt AI service. If you're coming from AI-103 expecting more Foundry-agent and RAG-consumption questions, expect a shift toward infrastructure: Cosmos DB vector search, pgvector, Azure Managed Redis, KEDA scale rules, and Key Vault reference patterns.

Free practice material for AI-200 is thin because the exam is new — most generic “Azure developer” question sets never mention Cosmos DB vector search, pgvector, or Azure Managed Redis vector indexing by name. The 20 questions below are built directly against AI-200's four official domains, weighted the same way the real exam is (25% / 30% / 20% / 25%), with the largest share on data-management since that's where most candidates lose points.

Read the scenario, pick an answer, then click Reveal answer to check your reasoning against the explanation — not just the correct letter. Treat a wrong answer as a signal to review that specific domain in the full AI-200 practice exam rather than moving on.

Question distribution by domain

25%
30%
20%
25%
Containers (Q1–5)Data Management (Q6–11)Connect & Consume (Q12–15)Secure & Monitor (Q16–20)
1

Develop containerized solutions on Azure

Questions 1–5 · 20–25% of exam

1
ACR Tasks — Automated Builds

Your team pushes code to a Git repository that produces a Dockerfile-based image. You want Azure Container Registry to automatically rebuild and push the image whenever the base image or the source commit changes, without a separate CI system.

What should you configure?

  1. A.An ACR Task with a Git commit trigger and a base image update trigger
  2. B.A scheduled ACR Task that rebuilds nightly regardless of changes
  3. C.An Azure DevOps pipeline that calls docker build and docker push manually
  4. D.A Logic App that polls the Git repo every hour and calls the ACR REST API
Reveal answer & explanation

Correct: A. ACR Tasks natively support both source-code triggers (commit-based) and base-image-update triggers, rebuilding automatically when either changes — no external CI system required. A nightly schedule rebuilds unnecessarily when nothing changed. A manual pipeline and a polling Logic App both reimplement what ACR Tasks already provides declaratively.

2
Container Apps Revisions

You need to roll out a new container image to 10% of production traffic while the previous version continues serving the other 90%, so you can monitor error rates before a full cutover.

Which Azure Container Apps feature achieves this?

  1. A.Multiple revisions with traffic-splitting weights configured between the active revisions
  2. B.A single revision with a manually toggled feature flag in application code
  3. C.Deploying the new image to a second, separate Container Apps environment
  4. D.Scaling the existing revision to zero and back up with the new image
Reveal answer & explanation

Correct: A. Container Apps revision management supports running multiple revisions simultaneously with configurable traffic-split percentages — exactly the canary pattern described. A second environment adds unnecessary networking/DNS complexity. Scaling to zero and back replaces the old version outright rather than splitting traffic.

3
KEDA Scaling on Storage Queue Length

A Container Apps job processes messages from an Azure Storage queue. Volume swings from zero to several thousand messages unpredictably, and you want replica count to track queue depth automatically, including scaling to zero when idle.

Which scaling configuration is correct?

  1. A.A KEDA Azure Queue Storage scale rule referencing the queue length, with minReplicas set to 0
  2. B.A fixed replica count set to the historical peak to avoid scaling delays
  3. C.An Azure Automation runbook on a 5-minute schedule that adjusts replica count
  4. D.HTTP scaling rules, since Container Apps only autoscales on inbound requests
Reveal answer & explanation

Correct: A. Container Apps has built-in KEDA support; a Storage Queue scale rule scales replicas directly off queue length and supports scale-to-zero when minReplicas is 0. A fixed count wastes cost during idle periods. A scheduled runbook reacts too slowly for unpredictable bursts. Container Apps supports non-HTTP KEDA scalers, not just HTTP.

4
AKS Manifest Troubleshooting

After deploying a new manifest to AKS, pods repeatedly restart and enter CrashLoopBackOff. You need to determine whether the application is failing its health check or crashing on startup before it is ready to serve traffic.

What should you inspect first?

  1. A.The readiness and liveness probe configuration and recent pod events
  2. B.The AKS cluster's node pool VM size
  3. C.The Azure Container Registry access policy
  4. D.The cluster's Kubernetes version compatibility matrix
Reveal answer & explanation

Correct: A. CrashLoopBackOff combined with restarts is a strong signal to check probe configuration (is the liveness probe firing before the app is actually ready?) alongside pod events and logs, which reveal the actual failure reason. Node VM size, registry access, and version compatibility are unrelated to a probe-driven restart loop unless events point there.

5
App Service Container Secrets

You are deploying a container to Azure App Service. The container needs a database connection string that must never appear in plaintext in App Service configuration or deployment logs.

How should you supply the connection string?

  1. A.Store it as a plain App Setting environment variable
  2. B.Store it in Azure Key Vault and reference it from App Service using a Key Vault reference
  3. C.Bake it into the container image at build time
  4. D.Pass it as a command-line argument in the container start command
Reveal answer & explanation

Correct: B. Key Vault references in App Service settings resolve secrets at runtime via managed identity, so the raw value is never stored in App Service configuration or build logs. Plain App Settings store the literal value in configuration. Baking secrets into the image or passing them as command-line arguments both expose them in the image layers or process list.

6

Develop AI solutions by using Azure data management services

Questions 6–11 · 25–30% of exam — the largest domain

6
Cosmos DB Indexing Policy

A Cosmos DB for NoSQL container stores large JSON documents with a nested "rawPayload" field that is never queried but is included in every write. RU consumption on writes is higher than expected.

What should you change to reduce RU cost without affecting query results?

  1. A.Exclude the rawPayload path from the indexing policy
  2. B.Switch the consistency level from Session to Strong
  3. C.Increase the provisioned throughput (RU/s) on the container
  4. D.Enable a change feed processor on the container
Reveal answer & explanation

Correct: A. By default Cosmos DB indexes every property; excluding an unqueried path from the indexing policy reduces the indexing (and therefore write RU) cost with zero impact on queries that never reference it. Strong consistency increases latency/cost, not decreases it. Raising RU/s masks the cost rather than reducing it. Change feed is unrelated to indexing RU cost.

7
Cosmos DB Consistency Levels

A globally distributed order-processing system needs the lowest possible read latency across regions and can tolerate reading slightly stale data, as long as reads never go backward in time for a single client session.

Which consistency level fits this requirement?

  1. A.Session
  2. B.Strong
  3. C.Eventual
  4. D.Bounded Staleness with a very large staleness window
Reveal answer & explanation

Correct: A. Session consistency guarantees monotonic reads within a single client's session (never going backward) while keeping latency close to Eventual — the right fit when a client shouldn't see its own writes disappear, but global strong consistency isn't required. Strong consistency adds cross-region latency. Plain Eventual consistency can appear to go backward. A large Bounded Staleness window behaves close to Eventual but adds unneeded complexity versus Session.

8
Cosmos DB Vector Similarity Search

You are storing document embeddings in Cosmos DB for NoSQL and need to run a similarity search that returns the nearest vectors to a query embedding, with acceptable latency at scale.

What must you configure on the container to support this?

  1. A.A vector embedding policy and a vector index defined on the container, then query using the vector distance function
  2. B.A composite index on the embedding array property
  3. C.A stored procedure that computes cosine similarity in application code for every item
  4. D.A Cosmos DB trigger that recalculates similarity on every write
Reveal answer & explanation

Correct: A. Cosmos DB for NoSQL vector search requires an explicit vector embedding policy (describing dimensions, distance function, data type) and a corresponding vector index; queries then use the native vector distance function for efficient nearest-neighbor search. A composite index does not support vector similarity math. Computing similarity in a stored procedure over every item does not scale. A write trigger recalculating similarity per-item is not how vector indexing works.

9
Change Feed Processor

Whenever an order document is inserted or updated in Cosmos DB, a downstream service must be notified within seconds to trigger a fulfillment workflow, without polling the container on a timer.

Which approach is correct?

  1. A.Implement a change feed processor with a lease container to react to inserts and updates in near real time
  2. B.Poll the container every few seconds using a timestamp filter in the WHERE clause
  3. C.Enable TTL on the container to trigger a notification on expiration
  4. D.Use a stored procedure executed manually after each write
Reveal answer & explanation

Correct: A. The change feed processor pattern (with a lease container to track progress) is Cosmos DB's built-in mechanism for reacting to inserts/updates in near real time without polling. Timestamp-based polling adds latency and unnecessary RU cost. TTL only handles expiration/deletion, not inserts/updates. A manually executed stored procedure is not an automated reaction mechanism.

10
pgvector Indexing at Scale

An Azure Database for PostgreSQL table with pgvector stores 10 million embeddings. Exact nearest-neighbor search has become too slow for the application's latency budget, and a small accuracy trade-off is acceptable.

What should you do?

  1. A.Create an approximate nearest-neighbor index (such as HNSW) on the vector column instead of relying on a sequential scan
  2. B.Increase the column's storage size to VARCHAR(MAX)
  3. C.Partition the table by primary key range only
  4. D.Switch the query to use a LIKE pattern match instead of vector distance
Reveal answer & explanation

Correct: A. At 10 million rows, an approximate index like HNSW on the vector column trades a small amount of recall for a large latency improvement over an exact sequential scan — the standard pgvector scaling technique. Storage size and key-range partitioning don't address vector search latency. A LIKE pattern match cannot perform similarity search on embeddings at all.

11
Azure Managed Redis for Vector Caching

A RAG application queries PostgreSQL/pgvector for similarity search, but the same handful of queries repeat thousands of times per minute during peak traffic, adding load to the database.

What is the most appropriate use of Azure Managed Redis here?

  1. A.Cache frequent query embeddings and their similarity results in Redis with an appropriate expiration, using Redis as a fast layer in front of PostgreSQL — not as the system of record
  2. B.Replace PostgreSQL entirely and store all embeddings only in Redis with no expiration
  3. C.Use Redis purely as a message queue between the app and PostgreSQL
  4. D.Disable caching entirely and scale PostgreSQL compute instead
Reveal answer & explanation

Correct: A. Azure Managed Redis vector indexing is well-suited as a caching layer in front of a durable source of truth — cache hot queries with expiration/invalidation to absorb repeated load, while PostgreSQL remains authoritative. Removing PostgreSQL and keeping embeddings only in Redis with no expiration turns a cache into an unreliable system of record. Redis is a cache/vector store here, not a queue. Scaling compute alone is more expensive than caching the hot path.

12

Connect to and consume Azure services

Questions 12–15 · 20–25% of exam

12
Service Bus Dead-Letter Handling

A background processor keeps failing to process a specific message due to malformed data, and Service Bus keeps redelivering it after each failure, consuming worker capacity.

What should happen once the message exceeds its maximum delivery count?

  1. A.Service Bus automatically moves it to the dead-letter sub-queue, where it can be inspected and handled separately without blocking the main queue
  2. B.The message is silently discarded by Service Bus
  3. C.The consuming application must manually track delivery count using a custom database table
  4. D.Service Bus pauses the entire queue until an administrator intervenes
Reveal answer & explanation

Correct: A. Service Bus has a built-in dead-letter sub-queue: once a message exceeds MaxDeliveryCount (or explicitly via dead-lettering), it is automatically moved there for separate inspection and reprocessing, without blocking healthy messages on the main queue. Service Bus does not silently discard messages, does not require custom delivery-count tracking, and does not pause the whole queue.

13
Event Grid Filtering

Multiple event types flow through a single Event Grid topic, but a specific subscriber should only receive events where the subject starts with "orders/" and the event type is "OrderCreated".

How should you configure the subscription?

  1. A.Add subject-begins-with and event-type filters directly on the Event Grid subscription
  2. B.Create a separate topic per event type and subject prefix
  3. C.Have the subscriber receive all events and filter them in application code
  4. D.Use a Logic App as an intermediary to inspect every event before forwarding
Reveal answer & explanation

Correct: A. Event Grid subscriptions support declarative filters (subject begins/ends-with, event type, and advanced filters) so only matching events reach the subscriber — no code required. Splitting into many topics is unnecessary operational overhead. Filtering in application code wastes bandwidth and compute delivering irrelevant events. An intermediary Logic App adds latency and cost that native filtering avoids.

14
Azure Functions Triggers & Bindings

You need a function that fires whenever a message arrives on a Service Bus queue, processes it, and writes the result as a new document in Cosmos DB — with minimal boilerplate code.

Which combination is correct?

  1. A.A Service Bus trigger on the function, with a Cosmos DB output binding
  2. B.An HTTP trigger that polls the Service Bus queue manually
  3. C.A Timer trigger that checks the queue every minute
  4. D.A Cosmos DB trigger that fires on the Service Bus queue
Reveal answer & explanation

Correct: A. Azure Functions bindings map directly to this scenario: a Service Bus trigger invokes the function per message, and a Cosmos DB output binding writes the result declaratively without manual SDK calls. HTTP and Timer triggers would both require manually polling Service Bus, adding latency and code the trigger/binding model already eliminates. A "Cosmos DB trigger on a Service Bus queue" is not a valid binding combination.

15
Service Bus Topics vs. Event Grid

A business event ("InvoiceApproved") must be delivered to several independent downstream systems, each of which needs a durable, ordered subscription and the ability to reprocess a message if its own consumer was briefly offline.

Which service and construct best fits this requirement?

  1. A.Azure Service Bus topics and subscriptions, giving each consumer its own durable subscription with independent message retrieval
  2. B.Azure Event Grid with a single webhook endpoint shared by all consumers
  3. C.Azure Queue Storage with one shared queue for all consumers
  4. D.A single Service Bus queue polled by all consumers simultaneously
Reveal answer & explanation

Correct: A. Service Bus topics/subscriptions give each downstream consumer its own durable, independently-lagging subscription — exactly the "reprocess if briefly offline" and per-consumer durability requirement described. Event Grid excels at lightweight, fire-and-forget eventing but a single shared webhook doesn't give each consumer independent durable state. A single shared queue (Service Bus or Storage) delivers each message to only one consumer, not to every downstream system.

16

Secure, monitor, and troubleshoot Azure solutions

Questions 16–20 · 20–25% of exam

16
Key Vault Secret Rotation

A database password stored in Key Vault must be rotated every 90 days automatically, and a Function App reading the secret must always retrieve the current version without requiring a redeploy after each rotation.

What should you configure?

  1. A.A Key Vault rotation policy on the secret, with the Function App referencing the secret without pinning a specific version
  2. B.A hard-coded secret version in the Function App configuration, updated manually every 90 days
  3. C.A scheduled Function that redeploys the entire app every 90 days
  4. D.Storing the password directly in application settings instead of Key Vault
Reveal answer & explanation

Correct: A. Key Vault supports rotation policies that automatically rotate secrets on a schedule; referencing the secret without pinning a version means the Function App always resolves to the current version at runtime, no redeploy required. Pinning a version defeats automatic rotation. Redeploying the whole app on a schedule is unnecessary operational overhead. Storing the password in plain app settings removes the rotation and access-control benefits of Key Vault entirely.

17
App Configuration vs. Key Vault

An application needs both non-sensitive settings (feature flags, API endpoints) managed centrally and sensitive secrets (API keys) stored securely, with a single configuration read path in code.

What is the correct architecture?

  1. A.Store non-sensitive settings in Azure App Configuration, and store secrets in Key Vault, with App Configuration holding Key Vault references so the app reads from one place
  2. B.Store everything, including secrets, directly in App Configuration as plain values
  3. C.Store everything in Key Vault, including feature flags and non-sensitive settings
  4. D.Store all configuration in environment variables set manually per environment
Reveal answer & explanation

Correct: A. The standard pattern is App Configuration for non-sensitive settings plus Key Vault references embedded in App Configuration for secrets — giving the app a single configuration provider while secrets stay in Key Vault's access-controlled, auditable store. Storing secrets as plain App Configuration values loses secret-specific protections. Storing everything (including non-sensitive feature flags) in Key Vault misuses it as a general config store. Manual per-environment environment variables don't centralize configuration at all.

18
OpenTelemetry Distributed Tracing

A request flows from a Container Apps front end through an Azure Function to Cosmos DB, and overall latency is high. You need to see which hop in the chain contributes the most time.

What should you implement?

  1. A.Instrument each service with the OpenTelemetry SDK and correlate the resulting distributed traces by trace ID across hops
  2. B.Add console.log timestamps in each service and manually compare log timestamps after the fact
  3. C.Enable verbose logging only on the Cosmos DB SDK
  4. D.Increase the timeout setting on the Container Apps ingress
Reveal answer & explanation

Correct: A. OpenTelemetry SDKs propagate a trace context across service boundaries, so a single trace ID links spans from the Container Apps front end, the Function, and the Cosmos DB call — letting you see exactly which hop is slow. Manually comparing scattered log timestamps is error-prone and doesn't correlate hops. Verbose Cosmos DB logging alone misses the other hops. Increasing a timeout hides the symptom rather than diagnosing the cause.

19
Writing a KQL Query

You need to find the three most frequent exception types logged by an application in the last 24 hours, using data already flowing into Log Analytics.

Which KQL query structure is correct?

  1. A.exceptions | where timestamp > ago(24h) | summarize count() by type | top 3 by count_
  2. B.exceptions | select type | filter timestamp = today()
  3. C.SELECT type, COUNT(*) FROM exceptions WHERE timestamp > NOW() - 1 GROUP BY type LIMIT 3
  4. D.exceptions | project type | distinct type | take 3
Reveal answer & explanation

Correct: A. KQL uses where for filtering, summarize count() by for grouping and counting, and top N by for ranking — exactly what's needed here. "select"/"filter" are not KQL keywords (that syntax mixes in other languages). Plain SQL syntax is not valid KQL. project | distinct | take returns three arbitrary distinct types, not the three most frequent ones.

20
Least-Privilege Key Vault Access

A Container Apps job's managed identity only needs to retrieve the current value of specific secrets at runtime. It must not be able to list all secrets in the vault or modify access policies.

Which access configuration is correct?

  1. A.Assign the identity an RBAC role scoped to secret Get permission only (or an access policy limited to Get), not broader management permissions
  2. B.Assign the identity the Key Vault Administrator role
  3. C.Assign the identity Owner on the Key Vault's resource group
  4. D.Grant the identity List and Get on all secret, key, and certificate types by default
Reveal answer & explanation

Correct: A. Least privilege for read-only runtime access is a role or access policy scoped specifically to Get on the needed secrets — nothing broader. Key Vault Administrator grants full management (including access-policy changes) and is over-privileged. Resource-group Owner is far broader than the vault itself. Granting List plus Get across every secret, key, and certificate exposes far more than the scenario requires.

Want 480 More AI-200 Questions?

Full coverage of all four domains, calibrated harder than the real exam. Start with 40 free — no card required.

Start Free AI-200 Practice →