
Exam SC-100 topic 1 question 27 discussion

Actual exam question from Microsoft's SC-100
Question #: 27
Topic #: 1

You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain.

You are designing an Azure DevOps solution to deploy applications to an Azure subscription by using continuous integration and continuous deployment (CI/CD) pipelines.

You need to recommend which types of identities to use for the deployment credentials of the service connection. The solution must follow DevSecOps best practices from the Microsoft Cloud Adoption Framework for Azure.

What should you recommend?

  • A. a managed identity in Azure
  • B. an Azure AD user account that has role assignments in Azure AD Privileged Identity Management (PIM)
  • C. a group managed service account (gMSA)
  • D. an Azure AD user account that has a password stored in Azure Key Vault
Suggested Answer: A

Comments

WRITER00347
Highly Voted 1 year, 10 months ago
In the context of deploying applications using CI/CD pipelines in Azure and following DevSecOps best practices from the Microsoft Cloud Adoption Framework for Azure, using managed identities is often recommended. Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication, without needing to manage credentials like usernames and passwords. A managed identity in Azure is automatically managed by Azure and does not require you to provision or rotate secrets. This aligns with the principles of DevSecOps, where security is integrated into the development process, and the management of secrets and credentials is handled securely and automatically. So, the correct recommendation for this scenario would be: A. a managed identity in Azure.
upvoted 16 times
...
ayadmawla
Highly Voted 1 year, 3 months ago
Selected Answer: D
It's both, but it depends where the resources needed for CI/CD are stored and who authenticates/authorises access to them. According to the link below: Key Vault makes it possible for your client application to use a secret to access resources not secured by Microsoft Entra ID. Managed identities are automatically managed by Azure. https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
upvoted 5 times
ayadmawla
1 year, 3 months ago
Although my concern is for the wording of D: "an Azure AD user account that has a password stored in Azure Key Vault". If it is an Azure account, then it would not be used for external resources. So "A" could be a better answer.
upvoted 2 times
...
...
Ali96
Most Recent 3 months, 2 weeks ago
Selected Answer: A
A. A managed identity in Azure is the most appropriate solution because it is secure, doesn't require managing credentials, and integrates seamlessly with Azure services, making it the ideal choice for automated deployments in a CI/CD pipeline.
upvoted 1 times
...
Dirkonormalo
7 months ago
Selected Answer: A
as writer writes, added for wrote count
upvoted 1 times
...
jayek
11 months, 4 weeks ago
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/best-practices/secure-devops
upvoted 2 times
...
Jonada1773
1 year, 1 month ago
Selected Answer: A
https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
upvoted 1 times
...
alan9999
1 year, 3 months ago
D as per the link below and key words from the question: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/best-practices/secure-devops#azure-key-vault
upvoted 2 times
...
Jony_2
1 year, 3 months ago
Selected Answer: D
Pipelines and code repositories should not include hard-coded credentials and secrets. Credentials and secrets should be stored elsewhere and use CI vendor features for security. A is not correct if the CI vendor has internal users/credentials. Check https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/best-practices/secure-devops, where it indicates: "If your CI platform supports it, consider storing credentials in a dedicated secret store, for example Azure Key Vault. Credentials are fetched at runtime by the build agent and your attack surface is reduced."
upvoted 2 times
...
epomatti
1 year, 3 months ago
Selected Answer: A
Lo and behold, Azure DevOps now supports managed identities. https://devblogs.microsoft.com/devops/introducing-service-principal-and-managed-identity-support-on-azure-devops/ https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops#create-a-managed-identity
upvoted 5 times
...
tocane
1 year, 4 months ago
Selected Answer: D
Azure DevOps cannot connect to Azure using managed identities. (You need to recommend which types of identities to use for the deployment credentials of the service connection.)
upvoted 1 times
epomatti
1 year, 3 months ago
Try practicing and studying a bit before answering nonsense. https://devblogs.microsoft.com/devops/introducing-service-principal-and-managed-identity-support-on-azure-devops/ https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops#create-a-managed-identity
upvoted 2 times
...
...
rahulnair
1 year, 7 months ago
A - since D says user account
upvoted 3 times
...
sherifhamed
1 year, 8 months ago
Selected Answer: A
For an Azure DevOps solution that follows DevSecOps best practices from the Microsoft Cloud Adoption Framework for Azure, the recommended choice for deployment credentials in a service connection is a managed identity in Azure (Option A). Here's why this is the recommended choice: A. Managed identity in Azure: Managed identities provide a secure way to authenticate and authorize services or applications in Azure without the need for explicit credentials such as passwords or secrets. Using a managed identity ensures that your CI/CD pipelines can securely access Azure resources without exposing credentials. It also aligns with best practices for security and eliminates the need to manage and rotate passwords or secrets.
upvoted 4 times
...
ZZNZ
1 year, 9 months ago
A. a managed identity in Azure https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
upvoted 1 times
...
theplaceholder
1 year, 9 months ago
Selected Answer: A
Managed Identities, nobody knows the password, not accessible to anyone except the identity itself.
upvoted 4 times
...
celomomo
1 year, 9 months ago
Selected Answer: A
A. A managed identity in Azure. Using a managed identity aligns with DevSecOps best practices, as it provides a secure and automated way to manage credentials for your CI/CD pipelines. This approach reduces the risk of exposing sensitive information and follows the principle of least privilege.
upvoted 1 times
...
ServerBrain
1 year, 9 months ago
Selected Answer: A
A, 100%
upvoted 1 times
...
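
The thread turns on which kind of credential backs the service connection. As an added example (not part of any comment above, nor Microsoft's own code), this Python audit sorts service connection definitions into those with no stored secret and those that hold a long-lived credential. The JSON field names, the scheme strings (including workload identity federation, which the page does not mention) and the secret-field names are assumptions modelled on Azure DevOps service-endpoint exports; the sample data is constructed.

```python
import json

# Constructed sample shaped like the "value" array of an Azure DevOps
# service-endpoint listing. Field names and scheme strings are assumptions
# to verify against a real export; all names and values are made up.
SAMPLE = json.loads("""[
 {"name": "prod-deploy", "type": "azurerm", "authorization":
   {"scheme": "ServicePrincipal",
    "parameters": {"authenticationType": "spnKey", "serviceprincipalkey": null}}},
 {"name": "agent-msi", "type": "azurerm", "authorization":
   {"scheme": "ManagedServiceIdentity", "parameters": {"tenantid": "t-0000"}}},
 {"name": "federated", "type": "azurerm", "authorization":
   {"scheme": "WorkloadIdentityFederation", "parameters": {}}},
 {"name": "legacy-user", "type": "generic", "authorization":
   {"scheme": "UsernamePassword",
    "parameters": {"username": "deploy@example.invalid"}}},
 {"name": "half-configured", "type": "azurerm"}
]""")

# Schemes where Azure issues short-lived tokens and nothing is stored.
SECRETLESS = {"ManagedServiceIdentity", "WorkloadIdentityFederation"}
# Parameter names treated as secret-bearing (assumed list, extend as needed).
SECRET_KEYS = {"serviceprincipalkey", "password"}

def classify(endpoint):
    """Return (verdict, reason) for one service connection definition."""
    auth = endpoint.get("authorization") or {}
    scheme = auth.get("scheme")
    params = auth.get("parameters") or {}
    secret_fields = sorted(k for k in params if k.lower() in SECRET_KEYS)
    if scheme is None:
        return "unknown", "no authorization block; credential type not visible"
    if scheme in SECRETLESS and not secret_fields:
        return "ok", f"{scheme}: nothing stored that needs rotation"
    if scheme in SECRETLESS:
        return "review", f"{scheme} but secret fields present: {secret_fields}"
    kind = params.get("authenticationType", "password or token")
    return "review", f"{scheme} relies on a stored credential ({kind})"

def audit(endpoints):
    """Map connection name -> verdict so findings can be reported or gated on."""
    return {e.get("name", "<unnamed>"): classify(e)[0] for e in endpoints}

if __name__ == "__main__":
    for e in SAMPLE:
        verdict, reason = classify(e)
        print(f"{verdict:8} {e.get('name')}: {reason}")
```
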