
Exam AZ-104 topic 4 question 98 discussion

Actual exam question from Microsoft's AZ-104
Question #: 98
Topic #: 4

You have an Azure AD tenant named contoso.com.

You have an Azure subscription that contains an Azure App Service web app named App1 and an Azure key vault named KV1. KV1 contains a wildcard certificate for contoso.com.

You have a user named [email protected] that is assigned the Owner role for App1 and KV1.

You need to configure App1 to use the wildcard certificate of KV1.

What should you do first?

  • A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy.
  • B. Assign a managed user identity to App1.
  • C. Configure KV1 to use the role-based access control (RBAC) authorization system.
  • D. Create an access policy for KV1 and assign the policy to User1.
Suggested Answer: B

Comments

macinpune9
Highly Voted 1 year, 9 months ago
Please check this tutorial https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app First Step is to Assign a managed identity to the App. Answer: B
upvoted 49 times
Akriu
1 year, 9 months ago
I'm also in for answer B, since answer A needs a service principal. The only way to get one for a service is a managed identity (system or user generated). https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal https://learn.microsoft.com/en-us/azure/key-vault/general/authentication
upvoted 5 times
Batiste2023
1 year, 7 months ago
Thanks for your input! You say that "the only way to get one for a service is a managed identity (system or user generated)." - Can you elaborate on that? I have found these sources that say that as soon as you register a web app with Entra ID as authorization provider, the app also receives a service principal: - https://learn.microsoft.com/en-us/purview/create-service-principal-azure - https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service In that case, answer A would still be an option, as far as I can see.
upvoted 1 times
SDiwan
1 year, 4 months ago
Option B is managed user identity. It's not necessary to have a user-managed identity; a system identity can also work.
upvoted 3 times
[Removed]
Highly Voted 1 year, 9 months ago
In this scenario, you have an Azure App Service web app (App1) and an Azure Key Vault (KV1) containing a wildcard certificate for contoso.com. You want to configure App1 to use the wildcard certificate from KV1. To achieve this, you need to grant the necessary permissions to App1. Access to Key Vault secrets and certificates is managed using Azure AD-based authentication and authorization. The Microsoft Azure App Service principal represents the App Service web app in Azure AD. The correct approach is to create an access policy in KV1 that grants the necessary permissions to the Microsoft Azure App Service principal associated with App1. By doing so, you allow App1 to access the certificate stored in KV1. So, the first step you should take is: A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy. Once you've granted the necessary access to the App Service principal, the web app (App1) will be able to use the wildcard certificate from KV1 for its secure connections.
upvoted 20 times
marek_jazz
Most Recent 4 weeks ago
Selected Answer: A
When you import a Key Vault certificate into an App Service, the resource provider (Microsoft Azure App Service) – not the app’s own identity – must be able to read the secret/certificate in the vault. Microsoft Learn states that you must first grant that resource-provider principal Get permissions on secrets/certificates via an access policy or RBAC before the import will succeed. Assigning a managed identity to the web app (option B) is required for Key Vault configuration/secret references inside app settings, but it isn’t used for bringing a TLS/SSL certificate into the app. Switching KV1 to RBAC mode (option C) or adding user1 (option D) doesn’t give the App Service resource provider the needed rights. Therefore, the first action is to create that Key Vault access policy for the Microsoft Azure App Service principal.
upvoted 1 times
70ec7c1
1 month, 1 week ago
Selected Answer: B
Using the Microsoft Azure App Service Principal is too broad an identity. It is not associated with an objectID that directly associates it with App1. That means any App Service within the tenant will gain the same access rights. Using Managed Identity is the current (2025) recommended method. However, the confusion in this question stems from the use of the word "User" in the middle of Managed Identity. One has to assume that the question is referring to a user-created MI. Best practice is to use a system-assigned MI. However, given the current choices, I believe the best answer is still using a user-created MI. This limits the scope to just App1.
upvoted 1 times
minura
6 months, 1 week ago
Selected Answer: B
To configure App1 to use the wildcard certificate stored in KV1, the first step involves ensuring that App1 can authenticate and retrieve the certificate securely. This requires assigning a managed identity to App1 so it can access KV1 without relying on explicit credentials. Therefore, the correct answer is: B. Assign a managed user identity to App1.
upvoted 1 times
sca88
6 months, 4 weeks ago
Selected Answer: A
B is wrong: it says "Assign a managed USER identity", but App1 is not a user... so the only acceptable one is A
upvoted 1 times
[Removed]
9 months ago
Selected Answer: B
it's B
upvoted 2 times
Pcservices
9 months, 1 week ago
The correct first step in configuring App1 to use the wildcard certificate stored in KV1 is: B. Assign a managed user identity to App1. Explanation: To allow App1 to securely access the certificate from KV1 without using secrets (like keys or passwords), the most secure and preferred approach is to assign a Managed Identity to App1. Managed identities in Azure provide an automatic identity for the app, allowing it to authenticate against Azure services like Key Vault without embedding credentials in your code. Once the managed identity is assigned to App1, you can grant it the necessary access (read) to the Key Vault by configuring an Access Policy.
upvoted 3 times
adilkhan
11 months, 4 weeks ago
B. Assign a managed user identity to App1.
upvoted 2 times
Limobakry
1 year, 1 month ago
Currently, App Service certificates support only Key Vault access policies, not the RBAC model. https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal
upvoted 1 times
WeepingMaplte
1 year, 1 month ago
Selected Answer: B
Creating a Microsoft Entra application and service principal adds more operational overhead and eliminates many of the security risks associated with manually managing credentials. This feels like an AZ-305 question.
upvoted 2 times
op22233
1 year, 1 month ago
Selected Answer: B
https://devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/
upvoted 2 times
rajsingh
1 year, 2 months ago
Selected Answer: B
Answer B is correct
upvoted 3 times
Harry300
1 year, 3 months ago
Selected Answer: B
I tested it on the lab and B is right. When creating a key vault with a vault access policy, the app can't be selected unless the managed identity has been enabled.
upvoted 4 times
Amir1909
1 year, 3 months ago
A is correct
upvoted 2 times
metzger
1 year, 3 months ago
Confirmed in Azure Portal - an Azure App Service has the (system-assigned) Managed Identity set to OFF by default so first step is to enable the managed identity.
upvoted 1 times
BluAlien
1 year, 4 months ago
Selected Answer: B
Access can be done either using RBAC or Access Policy. In both cases the first Action is to configure a Managed User (or System) Identity to App1 because by default Identities are disabled.
upvoted 3 times
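The commenters disagree on which step comes first, but together they describe one sequence: enable the web app's managed identity (off by default), grant the "Microsoft Azure App Service" resource-provider principal Get rights on the vault's secrets and certificates, then import and bind the certificate. The Azure CLI script below is an added example written for this thread, not code from Microsoft Learn or from any commenter; the resource names are placeholders, and the DRY_RUN switch is an assumption of this script (it prints each az command instead of running it, so the steps can be reviewed before anything in the subscription changes).

```shell
#!/usr/bin/env bash
# Added example: wire an App Service web app to a Key Vault certificate.
# Assumes an existing `az login` session. Names passed in are placeholders.
set -eu

# Well-known appId of the "Microsoft Azure App Service" resource-provider
# principal: this is the identity that performs the certificate import.
APP_SERVICE_RP_APPID="abfa0a7c-a6b6-4736-8310-5855508787cd"

# run: execute az, or only print the command when DRY_RUN=1 (assumed switch).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "az $*"; else az "$@"; fi
}

# Step 1: turn on the system-assigned managed identity of the web app.
# It is disabled by default, so until this runs the app has no principal
# in Entra ID that could be named in a vault access policy or role assignment.
enable_app_identity() {
  rg=$1; app=$2
  run webapp identity assign --resource-group "$rg" --name "$app"
}

# Step 2: access policy for the App Service resource-provider principal.
# Only Get on secrets and certificates is needed; nothing broader.
grant_rp_cert_access() {
  kv=$1
  run keyvault set-policy --name "$kv" --spn "$APP_SERVICE_RP_APPID" \
    --secret-permissions get --certificate-permissions get
}

# Step 3: import the Key Vault certificate into the app. With --query the
# command returns only the thumbprint, which the SNI binding needs next.
import_cert() {
  rg=$1; app=$2; kv=$3; cert=$4
  run webapp config ssl import --resource-group "$rg" --name "$app" \
    --key-vault "$kv" --key-vault-certificate-name "$cert" \
    --query thumbprint --output tsv
}

# Step 4: bind the imported certificate to the app's custom hostnames (SNI).
bind_cert() {
  rg=$1; app=$2; thumbprint=$3
  run webapp config ssl bind --resource-group "$rg" --name "$app" \
    --certificate-thumbprint "$thumbprint" --ssl-type SNI
}

# Usage (placeholder names): enable_app_identity rg1 App1; grant_rp_cert_access KV1
# tp=$(import_cert rg1 App1 KV1 contoso-wildcard); bind_cert rg1 App1 "$tp"
```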
Community vote distribution: A (35%), C (25%), B (20%)