Exam AZ-400 topic 4 question 68 discussion

Actual exam question from Microsoft's AZ-400
Question #: 68
Topic #: 4

You have an Azure key vault named KV1 and three web servers.

You plan to deploy an app named App1 to the web servers.

You need to ensure that App1 can retrieve a secret from KV1. The solution must meet the following requirements:

• Minimize the number of permission grants required.
• Follow the principle of least privilege.

What should you include in the solution?

  • A. role-based access control (RBAC) permission
  • B. a system-assigned managed identity
  • C. a user-assigned managed identity
  • D. a service principal
Suggested Answer: C

Comments

kdawg96
Highly Voted 1 year, 8 months ago
Selected Answer: C
Correct answer is C, not B since you need to minimize the number of permission grants required (you would only need to assign permissions once).
upvoted 10 times
jerrychan
1 year, 8 months ago
You are right. Using user-assigned identities to reduce administration: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations
upvoted 3 times
Dkijc
Most Recent 7 months, 1 week ago
Since 3 web servers: user-assigned. If it was one server, I'd have chosen system-assigned.
upvoted 1 times
hajurbau
12 months ago
Selected Answer: C
I would go with C to minimise the number of permission grants.
upvoted 2 times
UrbanRellik
1 year ago
Selected Answer: C
C. User-assigned managed identity.
upvoted 1 times
ozbonny
1 year, 3 months ago
Selected Answer: C
I think I'll go by C for this reason: since the managed identity is specific to each server and cannot be shared between different servers, this would not meet the requirement of minimizing the number of permission grants required, since you would have to grant access permissions to each managed identity individually.
upvoted 2 times
djhyfdgjk
1 year, 5 months ago
The question asks about a web app deployed to simple web servers, not an Azure Web Application. How are you going to assign a user- or system-managed identity to this web app? It should be Service Principal + RBAC on KV.
upvoted 2 times
hotspot02103
5 months, 1 week ago
Indeed, I don't understand why everyone else talks about managed identities... If the app is custom-made, not part of Azure, how would you use MSI / UAMI?! Correct answer: D
upvoted 1 times
vsvaid
1 year, 5 months ago
Agree with answer. As there are 3 web servers, a user-assigned managed identity is simpler.
upvoted 1 times
wolfyzawolf
1 year, 8 months ago
Because it’s for “three” web servers, the answer is (user-assigned) “C”. If it was for one app/server, it would’ve been system-assigned.
upvoted 4 times
pal40sg
1 year, 8 months ago
Selected Answer: B
B. a system-assigned managed identity. Azure Managed Identities provide an identity for applications to use without the need to manage the credentials. When you use a system-assigned managed identity, Azure creates an identity for the application instance in Azure AD. By granting the managed identity access to the Key Vault, you can ensure that the application can retrieve the secret without needing to store any credentials. This approach minimizes the number of permission grants required and follows the principle of least privilege because you can precisely control the access level of the managed identity in Azure Key Vault.
upvoted 2 times