Exam SC-300 topic 3 question 44 discussion

Actual exam question from Microsoft's SC-300
Question #: 44
Topic #: 3

HOTSPOT
You have a Microsoft Entra tenant that contains multiple storage accounts.

You plan to deploy multiple Azure App Service apps that will require access to the storage accounts.

You need to recommend an identity solution to provide the apps with access to the storage accounts. The solution must minimize administrative effort.

Which type of identity should you recommend, and what should you recommend using to control access to the storage accounts? To answer, select the appropriate options in the answer area.

Suggested Answer:

Comments

penatuna
Highly Voted 1 year, 2 months ago
Here's my two cents. Correct me if I'm wrong:
To provide the apps with access to the storage accounts, I recommend the following identity solution:
• Identity type: System-assigned managed identity
• To control access, use: Role-based access control (RBAC)
This solution will minimize administrative effort because:
• System-assigned managed identities are automatically created and deleted by Azure when you create or delete the app service. You don't need to register or manage them separately.
• Role-based access control (RBAC) allows you to assign granular permissions to the managed identities based on the roles they need to access the storage accounts. You don't need to create or manage shared keys or tokens.
https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage
upvoted 9 times
klayytech
1 year ago
but it single means you need to generate for each app system assigned and assign them to each storage account separately more offer than user-assigned
upvoted 2 times
Ody
Highly Voted 1 year, 2 months ago
I don't like the question. A user-assigned managed identity is probably the least administrative effort, but the second the apps need to access different resources, it becomes problematic.
Exam answer: User assigned
Real world: System assigned
upvoted 7 times
Obi_Wan_Jacoby
Most Recent 3 weeks, 4 days ago
Answers: UAMI and RBAC. Here is why. I punched in a question with several follow-up questions, including inputting the articles that other users posted prior. In the end, the following is what resulted via Copilot: Considering the best practice recommendations and the specific scenario where multiple Azure App Service apps need access to the same storage accounts, User Assigned Managed Identity (UAMI) is likely the preferred choice for minimizing administrative effort. This approach reduces the number of distinct identities and role assignments to manage, which aligns with Microsoft's guidance on reducing administrative overhead.
upvoted 2 times
Frank9020
3 months, 2 weeks ago
1: System-assigned managed identities
- Are automatically created and tied to a specific resource (the App Service).
- Are automatically deleted when the resource is deleted, minimizing management overhead.
2: Role-Based Access Control (RBAC)
- The best way to grant secure, least-privilege access to Azure Storage Accounts
upvoted 3 times
Labelfree
6 months ago
Funny, Service Principal is marked for the first dropdown here, but Copilot gives User-Assigned, while ChatGPT suggests System-Assigned. As per Ody here, guessing Exam is based on Copilot/Microsoft and would go with User Assigned
upvoted 1 times
loukyexamtopic
9 months, 1 week ago
user assigned & RBAC
check https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal
upvoted 3 times
Alcpt
1 year ago
The answer is UAMI and RBAC as per the MS article: "If your infrastructure requires that multiple resources require access to the same resources, a single user-assigned identity can be assigned to them. Administration overhead will be reduced, as there are fewer distinct identities and role assignments to manage." https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations
upvoted 4 times
bobg
1 year ago
Sounds like User Assigned Managed Identity as it is less admin effort.
If your infrastructure requires that multiple resources require access to the same resources, a single user-assigned identity can be assigned to them. Administration overhead will be reduced, as there are fewer distinct identities and role assignments to manage.
If you require that each resource has its own identity, or have resources that require a unique set of permissions and want the identity to be deleted as the resource is deleted, then you should use a system-assigned identity.
Taken from: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations
upvoted 4 times
NICKTON81
1 year ago
* System-assigned managed identity
* Role-based access control (RBAC)
https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal
upvoted 1 times
wheeldj
1 year, 1 month ago
Tricky question. I vote for:
* User Assigned managed identity
* Azure RBAC
I think the key here is the question asks for minimum admin effort rather than least privilege. With a single user assigned managed identity I only need to permission it once against the storage accounts. With system assigned managed identities I would have to permission every resource against the storage accounts, more secure but also more work!
upvoted 5 times
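The trade-off discussed in this thread (one shared user-assigned identity versus one system-assigned identity per app), as an added example that is not part of the original discussion: the script prints, without running, the Azure CLI steps each design needs and counts the RBAC role assignments that result. The resource group, app, identity and storage account names are constructed placeholders, and the "Storage Blob Data Reader" role is an assumption, since the question does not name a role.

```shell
#!/usr/bin/env bash
# Added example: prints (does not execute) the az CLI steps for each identity design.
# All resource names are constructed placeholders; the role is an assumption.
RG="rg-demo"
ROLE="Storage Blob Data Reader"
APPS="app1 app2 app3"
STORAGE="stdemo1 stdemo2"

# Emit one role assignment per storage account for the principal held in variable $1.
grant_storage() {
  for sa in $STORAGE; do
    echo "az role assignment create --assignee-object-id \"\$$1\" --assignee-principal-type ServicePrincipal --role \"$ROLE\" --scope \"\$(az storage account show -g $RG -n $sa --query id -o tsv)\""
  done
}

# Design 1: one user-assigned identity shared by every app.
# Fewer objects to manage, but every app holds the same storage access.
plan_user_assigned() {
  echo "az identity create -g $RG -n id-apps"
  echo "UAMI_PRINCIPAL=\$(az identity show -g $RG -n id-apps --query principalId -o tsv)"
  echo "UAMI_ID=\$(az identity show -g $RG -n id-apps --query id -o tsv)"
  grant_storage UAMI_PRINCIPAL
  for app in $APPS; do
    echo "az webapp identity assign -g $RG -n $app --identities \"\$UAMI_ID\""
  done
}

# Design 2: each app gets its own system-assigned identity.
# Access can differ per app and the identity is deleted with the app.
plan_system_assigned() {
  for app in $APPS; do
    echo "APP_PRINCIPAL=\$(az webapp identity assign -g $RG -n $app --query principalId -o tsv)"
    grant_storage APP_PRINCIPAL
  done
}

# Number of role assignments a plan creates (the objects to review and clean up later).
count_role_assignments() { "$1" | grep -c "az role assignment create"; }

# Run with the argument "show" to print both plans.
if [ "${1:-}" = "show" ]; then plan_user_assigned; echo; plan_system_assigned; fi
```

With three apps and two storage accounts the shared identity needs two role assignments and the per-app design needs six; the gap grows with every app added.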
Nielll
1 year, 1 month ago
System-assigned managed identity: This option minimizes administrative effort because it automatically creates a unique identity in Azure Active Directory (Azure AD) for each app. You don't need to manage credentials or certificates for the apps.
Azure RBAC: This approach allows you to grant specific permissions to the managed identities of your apps. This ensures that the apps only have the access they need to the storage accounts, following the principle of least privilege.
upvoted 1 times
Wazery
1 year, 3 months ago
C. Assign the "Azure Cosmos DB data reader role" role for RG1.
upvoted 1 times
Sneekygeek
1 year, 3 months ago
system assigned managed identity + RBAC
upvoted 1 times
einkaufacs
1 year, 3 months ago
I would go for system assigned managed identity + RBAC https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal
upvoted 3 times
throwaway10188
1 year, 3 months ago
Answers seem to be actually correct for once.
upvoted 4 times