Azure, Cloud Computing

5 Mins Read

Sample Questions for Microsoft Azure IoT Developer Specialty: AZ-220 Certification Exam

Hello Readers, have you enrolled for the Microsoft Azure IoT Developer Specialty AZ-220 Certification Exam yet? Are you willing to take up the Microsoft exam and get certified as a Microsoft Azure IoT Developer? It is time to check your skills and review some sample questions that may appear for the AZ-220 certification exam.

Here goes the Quiz:

  1. Service EndpointsWhich of the following connects a service bus queue to the IoT Hub? Select one:
    a. Built-in Endpoints
    b. Custom Endpoints
    c. Message Routing
    d. Service endpoints
  2. You have an Azure IoT Hub that uses a Device Provisioning Service instance. You have 1,000 legacy IoT devices that only support MAC address or serial number identities. The device DOES NOT have a security feature that can be used to securely identify the device or a hardware security module (HSM). You plan to deploy the devices to a secure environment. You need to configure the Device Provisioning Service instance to ensure that all the devices are identified securely before they receive updates. Which attestation mechanism would you choose? Select one:
    a. X.509 Certificate
    b. Symmetric Key Attestation
    c. TPM 1.2 Attestation
  3. You use Azure Security Center in an Azure IoT solution. You need to exclude some security events. The solution must minimize the development effort. What would you recommend? Select one:
    a. Create an azureiotsecurity module twin and add configuration details to the module twin object.
    b. Add configuration details to the device twin object
    c. Create an Azure Function to filter security messages
    d. Add a configuration to the code of the physical loT device
  4. You have 100 devices that connect to an Azure IoT Hub. You plan to use Azure functions to process all the telemetry messages from the devices before storing the messages. You need to configure the binding of the function for the IoT Hub. Which of the following configuration details would you use to configure the binding? (Select any two)Select one or more:
    a. The loT Hub’s connection string shared access key that has Service connect permissions
    b. The name of the resource group that contains the loT Hub
    c. The Azure Event-Hub compatible name
    d. The connection string of the Azure Event Hub-compatible endpoint from the loT Hub built-in endpoints
  5. You have 10 IoT devices that connect to an Azure IoT Hub named Hub1. From Azure Cloud Shell, you run az IoT hub monitor-events –hub-name Hub1 and receive the following error message: “az iot hub: ‘monitor-events’ is not in the ‘az iot hub’ command group. See ‘az iot hub –help’.” You need to ensure that you can run the command successfully.What would you run first? Select one:
    a. az extension add -name azure-cli-iot-ext
    b. az iot hub configuration list –hub-name Hub1
    c. az iot hub generate-sas-token –hub-name Hub1
    d. az iot hub monitor-feedback –hub-name Hub1
  6. You have an Azure IoT solution that includes a standard tier Azure IoT Hub and an IoT device. The device sends one 100-KB device-to-cloud message every hour. The total daily message consumption of the device needs to be calculated. What is the total daily message consumption of the device?Select one:
    a. 4800
    b. 2400
    c. 600
    d. 24
  7. You have an Azure IoT Edge device. You need to modify the credentials used to access the container registry. What should you modify? Select one:
    a. The $edgeAgent module twin
    b. The Azure IoT Hub device twin
    c. The @edgeHub module twin
    d. The IoT Edge module
  8. You enable Azure Security Center for IoT. You need to onboard a device to Azure Security Center. What would you recommend? Select one:a. Install an X.509 certificate on the hardware security module (HSM) of the device
    b. Modify the connection string of the device
    c. Add the azureiotsecurity module identity to the Azure loT Hub device identity
    d. Open incoming TCP port 8883 on the device
  9. You have an Azure IoT solution that includes an Azure IoT Hub, 100 Azure IoT Edge devices, and 500 leaf devices. You need to perform a key rotation across the devices. Which of the following entities would you update? Select one or more:a. The IoT Hub owner policy credentials
    b. The $edgeAgent module identity
    c. The Leaf module identities
    d. The IoT Edge device identities
    e. The $edgeHub module identity
    f. The Leaf device identities
  10. You have an Azure IoT Hub and plan to develop IoT device firmware. You need to manage the physical IoT devices by using the IoT Hub. In such a scenario, which of the following applies? Select one:a. IoT hub service SDKs
    b. Azure Event Hubs SDK
    c. IoT Hub device SDK
    d. Azure provisioning service SDK

Correct Answers:

  1. b
    Explanation: You need to create a custom endpoint for Service Bus Queue. Once created, you use routing to route messages to the queue. Built-in endpoints do not include Service Bus Queue Service endpoints are used in Virtual Network.
  2. b
    Explanation: A common problem with many legacy devices is that they often have an identity that is composed of a single piece of information. This identity information is usually a MAC address or a serial number. Legacy devices may not have a certificate, TPM, or any other security feature that can be used to securely identify the device. The Device Provisioning Service for IoT Hub includes symmetric key attestation. Symmetric key attestation can be used to identify a device based on information like the MAC address or a serial number.
  3. a
    Explanation: Properties related to every Azure Security Center for IoT security agents are located in the agent configuration object, within the desired properties section, of the azureiotsecurity module. To modify the configuration, create and modify this object inside the azureiotsecurity module twin identity. These configurations help you customize the agent for each scenario. For example, automatically excluding some events, or keeping power consumption to a minimal level is possible by configuring these properties.
  4. c & d
    Explanation: EventHubName: Functions 2.x and higher. The name of the event hub. When the event hub name is also present in the connection string, that value overrides this property at runtime.Connection: The name of an app setting that contains the connection string to the event hub’s namespace. Copy this connection string by clicking on the Connection Information button for the namespace, not the event hub itself. This connection string must have sent permissions to send the message to the event stream.
  5. a
    Explanation: Execute az extension add –name azure-cli-iot-ext once and try again.In order to read the telemetry from your hub by CLI, you have to enable IoT Extension with the following commands: Add: az extension add –name azure-cli-iot-ext
  6. c
    Explanation: 100 KB * 24 is around 2,400 bytes.The 100 KB message is divided into 4 KB blocks, and it is billed for 25 messages. 25 times 24 is 600.
  7. The module twin for the IoT Edge agent is called $edgeAgent and coordinates the communications between the IoT Edge agent running on a device and IoT Hub. The desired properties are set when applying a deployment manifest, on a specific device as part of a single-device or at-scale deployment.These properties include:-runtime.settings.registryCredentials.{registryId}.username-runtime.settings.registryCredentials.registryId}.password
  8. c
    Explanation: Use the following workflow to deploy and test your Azure Security Center for IoT security agents:

    1. Enable Azure Security Centre for IoT service to your IoT Hub
    2. If your IoT Hub has no registered devices, register a new device
    3. Create an azureiotsecurity security module for your devices

    Azure Security Centre for IoT makes use of the module twin mechanism and maintains a security module twin named azureiotsecurity for each of your devices. Reference:

  9. d, e, & f
    Explanation: To get authorization to connect to the IoT Hub, devices and services must send security tokens signed with either shared access or symmetric key. These keys are stored with a device identity in the identity registry. An IoT Hub identity registry can be accessed like a dictionary, by using the device or module as the key.
  10. c
    Explanation: You use IoT Device SDK for device firmware management. IoT Hub SDK allows you to perform operations and device management on the IoT Hub layer. Azure Provisioning service allows to you provision the devices except for firmware-related operations.

This brings us to the end of the correct answers section. For more such practice sessions and hands-on labs, check out TestPrep material.

Disclaimer: These questions are NOT appearing in the certification exam. I personally or CloudThat do not have any official tie-up with Microsoft regarding the certification or the kind of questions asked. These are my best guesses for the kind of questions to expect with Microsoft in general and with the examination.

Here is a Study Guide for passing Microsoft Azure IoT Developer Specialty: AZ-220 Certification Exam. 

Feel free to drop any questions in the comment box, I would love to address them. I hope you enjoyed the article. Best of luck!

WRITTEN BY Anusha Shanbhag

Anusha Shanbhag is an AWS Certified Cloud Practitioner Technical Content Writer specializing in technical content strategizing with over 10+ years of professional experience in technical content writing, process documentation, tech blog writing, and end-to-end case studies publishing, catering to consulting and marketing requirements for B2B and B2C audiences. She is a public speaker and ex-president of the corporate Toastmaster club.



  1. Kiran M

    Mar 4, 2021


    Helpful. Thanks for posting.

  2. Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!