Browse Microsoft Certification Guides

Azure AI-103 Sample Questions with Explanations

April 25, 2026

Azure AI-103 sample questions with explanations, traps, topic labels, and IT Mastery route links.

On this page

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for Microsoft Certified: Azure AI Apps and Agents Developer Associate (AI-103) topics such as Azure AI Apps and Agents, Microsoft Foundry, agent workflows, retrieval, tool use, responsible AI, monitoring, security and access controls, and deployment choices. Each item is explanation-heavy so you can see why one design is stronger than the alternatives.

Where these questions fit in the AI-103 guide

The sample set below is part of the Microsoft AI-103 guide path:

AI-103 decision-style sample questions

Work through each prompt before opening the explanation. The goal is not memorization; it is recognizing the service boundary, risk tradeoff, and implementation detail the exam is likely to test.

Question 1

Topic: Retrieval for a support agent

A company is building a customer-support agent in Microsoft Foundry. The agent must answer questions from product manuals, ticket history, and warranty rules. Answers must cite source passages, and support agents should not see documents outside their assigned product line. What is the best design?

  • A. Fine-tune a model on all manuals and tickets, then instruct it to include citations in the system message.
  • B. Use retrieval over an indexed knowledge source with metadata filters for product line access, and require the agent response to include grounded citations.
  • C. Store the documents in blob storage and let the model decide which files to read based only on the user prompt.
  • D. Create one prompt per product line and paste the newest warranty rules directly into each prompt.

Best answer: B

Explanation: The requirement is not just generative answer quality. It also needs grounded responses, source citations, and access-aware retrieval. An indexed retrieval design lets the application search approved content, apply metadata filters such as product line or tenant, and pass the selected passages to the model for a cited answer.

Why the other choices are weaker:

  • A hides the source boundary inside training data and does not provide reliable per-answer citations or access filtering.
  • C gives the model too much ungoverned file-selection responsibility and does not describe identity-aware filtering.
  • D creates brittle prompt maintenance and cannot scale across manuals, tickets, and policy changes.

What this tests: Choosing retrieval-augmented generation when the scenario requires grounding, citations, and authorization-aware document selection.

Related topics: Retrieval; Microsoft Foundry; Access controls; Grounded answers

Question 2

Topic: Safe tool use in an agent workflow

An internal agent can summarize incidents, query runbooks, and open remediation tickets. The team wants the agent to create tickets automatically only when confidence is high, while preventing accidental duplicate tickets and preserving an audit trail. Which implementation choice best supports that requirement?

  • A. Allow the model to call the ticket-creation API directly using a shared administrator key.
  • B. Ask users to copy the agent’s summary into the ticketing system manually for every incident.
  • C. Expose ticket creation as a tool with scoped permissions, input validation, idempotency checks, and structured logging around each tool call.
  • D. Disable tool use and rely only on a larger model so the agent can produce more detailed remediation text.

Best answer: C

Explanation: AI-103 scenarios often test how to make agent actions controlled rather than magical. The stronger design treats ticket creation as a governed tool call: permissions are least-privilege, inputs are validated, duplicate actions are prevented with idempotency, and logs preserve what the agent attempted and why.

Why the other choices are weaker:

  • A creates an unsafe privilege model and makes auditability weak because all actions share the same broad credential.
  • B avoids automation but does not satisfy the goal of high-confidence automatic ticket creation.
  • D improves text generation but removes the controlled action path the scenario requires.

What this tests: Designing agent workflows with secure tool use, least privilege, validation, and operational traceability.

Related topics: Agent workflows; Tool use; Security; Monitoring

Question 3

Topic: Evaluation after a model-flow change

A team updates an AI app by changing the system prompt, retrieval ranking settings, and model configuration. Before deployment, they need evidence that the new version improves answer quality without increasing unsafe responses or latency. What should they do first?

  • A. Deploy the change to all users and watch help-desk tickets for a week.
  • B. Increase the token limit so the model has more context for every response.
  • C. Switch to manual review only after users report incorrect answers.
  • D. Run repeatable evaluations against a representative test set that measures groundedness, safety, relevance, and latency before promotion.

Best answer: D

Explanation: The scenario asks for pre-deployment evidence across quality, safety, and performance. A repeatable evaluation set gives the team a controlled comparison between the old and new model flow. It also supports responsible AI review because it checks more than answer fluency.

Why the other choices are weaker:

  • A makes production users the test group and detects issues too late.
  • B may increase cost and latency, and it does not prove the change is safer or more accurate.
  • C is reactive and does not create a deployment gate.

What this tests: Using evaluation and monitoring practices to compare generative AI application versions before deployment.

Related topics: Responsible AI; Evaluation; Monitoring; Deployment choices

Question 4

Topic: Information extraction from mixed documents

A loan-processing application receives scanned identity documents, typed application PDFs, and uploaded proof-of-income files. The app must extract fields into a known schema, flag low-confidence values, and route uncertain cases for human review. Which approach is strongest?

  • A. Use document and vision extraction capabilities suited to the file types, map results into the target schema, validate required fields, and send low-confidence items to review.
  • B. Send every file to a chat model and ask it to return JSON without validation.
  • C. Require users to rename uploaded files with all important data before submission.
  • D. Use keyword search across OCR text and accept the first matching value for each field.

Best answer: A

Explanation: The prompt combines computer vision, text analysis, information extraction, schema mapping, confidence handling, and review workflow. A robust AI app should use extraction capabilities appropriate to the document type, validate the output against the business schema, and avoid silently accepting uncertain values.

Why the other choices are weaker:

  • B may produce plausible JSON, but without confidence handling and validation it is risky for a structured process.
  • C pushes extraction onto users and does not solve scanned or typed document understanding.
  • D is brittle because keyword proximity is not reliable enough for mixed document layouts.

What this tests: Selecting an extraction architecture that handles documents, vision/text processing, validation, and human review.

Related topics: Information extraction; Computer vision; Text analysis; Human review

Question 5

Topic: Secure deployment of an AI app

An AI application will run in a production Azure environment. It calls model endpoints, reads indexed enterprise data, and writes telemetry to a monitoring workspace. The security team requires no embedded secrets, least-privilege access, and network paths that reduce public exposure. Which deployment pattern best fits?

  • A. Store service keys in application settings and rotate them once a year.
  • B. Use a single shared credential for all developers, CI jobs, and production services so troubleshooting is simpler.
  • C. Use managed identities with role assignments scoped to required resources, private networking where supported, and centralized logging for model, retrieval, and tool-call activity.
  • D. Allow public access to all AI resources but restrict usage by hiding endpoint URLs from users.

Best answer: C

Explanation: The design uses platform identity instead of embedded secrets, applies least privilege through scoped role assignments, reduces exposure with private access patterns where available, and keeps monitoring in place for production behavior.

Why the other choices are weaker:

  • A still depends on stored secrets and weak rotation by itself does not meet the requirement.
  • B destroys separation of duties and makes incident investigation harder.
  • D treats obscurity as a control and leaves resources unnecessarily exposed.

What this tests: Applying secure deployment, identity, access control, network, and monitoring choices to an AI application.

Related topics: Security and access controls; Managed identity; Deployment choices; Telemetry

Independent study note

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by Microsoft or any certification body.

Revised on Sunday, May 10, 2026
Study Plan
FAQ