Exam AZ-104 topic 4 question 98 discussion

Please check this tutorial https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app First Step is to Assign a managed identity to the App. Answer: B

I'd go with B, based on this alone: "There are three ways to authenticate to Key Vault: Managed identities for Azure resources: [...] We recommend this approach as a best practice. Service principal and certificate: [...] We don't recommend this approach because the application owner or developer must rotate the certificate. Service principal and secret: [...] Although you can use a service principal and a secret to authenticate to Key Vault, we don't recommend it." https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts#authentication

You can opt for A however it has too much overheads - go for managed identity and let Azure do the heavy work, hence managed, managed by Azure.

When you import a Key Vault certificate into an App Service, the resource provider (Microsoft Azure App Service) – not the app’s own identity – must be able to read the secret/certificate in the vault. Microsoft Learn states that you must first grant that resource-provider principal Get permissions on secrets/certificates via an access policy or RBAC before the import will succeed Assigning a managed identity to the web app (option B) is required for Key Vault configuration/secret references inside app settings, but it isn’t used for bringing a TLS/SSL certificate into the app. Switching KV1 to RBAC mode (option C) or adding user1 (option D) doesn’t give the App Service resource provider the needed rights. Therefore, the first action is to create that Key Vault access policy for the Microsoft Azure App Service principal.

Using the Microsoft Azure App Service Principal is to broad of an identity. It is not associated with an objectID that directly associates it with App1. That means any App Service within the tenant will gain the same access rights. Using Managed Identity is the current (2025) recommended method. However, the confusion in this question steps from the use of the word "User" in the middle of Managed Identity. One has to assume that the question is referring to a user created MI. Best practice is to use system-assigned MI. However, given current choices, I believe the best answer still is using a user created MI. This limits the scope to just App1.

To configure App1 to use the wildcard certificate stored in KV1, the first step involves ensuring that App1 can authenticate and retrieve the certificate securely. This requires assigning a managed identity to App1 so it can access KV1 without relying on explicit credentials. Therefore, the correct answer is: B. Assign a managed user identity to App1.

B it's wrong: it says "Assign a managed USER identity", but App1 is not a user... so the only acceptable it's A

The correct first step in configuring App1 to use the wildcard certificate stored in KV1 is: B. Assign a managed user identity to App1. Explanation: To allow App1 to securely access the certificate from KV1 without using secrets (like keys or passwords), the most secure and preferred approach is to assign a Managed Identity to App1. Managed identities in Azure provide an automatic identity for the app, allowing it to authenticate against Azure services like Key Vault without embedding credentials in your code. Once the managed identity is assigned to App1, you can grant it the necessary access (read) to the Key Vault by configuring an Access Policy.

B. Assign a managed user identity to App1.

Currently, App Service certificates support only Key Vault access policies, not the RBAC model. https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal

Creating a Microsoft Entra application and service principal adds more operational overheads and eliminate many of the security risks associated with manually managing credentials. This feels like an AZ-305 question.

https://devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/

Answer B is correct

I tested it on the lab and B is right. When creating a key vault with a vault access policy, the app can't be selected unless the managed identity has been enabled.

A is correct

Confirmed in Azure Portal - an Azure App Service has the (system-assigned) Managed Identity set to OFF by default so first step is to enable the managed identity.

Access can be done either using RBAC or Access Policy. In both cases the first Action is to configure a Managed User (or System) Identity to App1 because by default Identities are disabled.