Exam AZ-204 topic 4 question 17 discussion

Actual exam question from Microsoft's AZ-204
Question #: 17
Topic #: 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You develop Azure solutions.
You must grant a virtual machine (VM) access to specific resource groups in Azure Resource Manager.
You need to obtain an Azure Resource Manager access token.
Solution: Use the Reader role-based access control (RBAC) role to authenticate the VM with Azure Resource Manager.
Does the solution meet the goal?

  • A. Yes
  • B. No
Suggested Answer: B

Comments

mlantonis
Highly Voted 4 years ago
Correct Answer: B - No
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. Here we need to authenticate. Here we need to make use of managed identities for the virtual machine. Role-based access control is used for authorization and not authentication. Instead run the Invoke-RestMethod or Invoke-WebRequest cmdlet to make a request to the local managed identity for Azure resources endpoint.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm
upvoted 39 times
overhill
7 months ago
Phenomenal
upvoted 1 times
...
...
KeerthiKP
Highly Voted 4 years, 8 months ago
It's not an Invoke-RestMethod, it is: Invoke-WebRequest cmdlet
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm
upvoted 21 times
vizay
1 month ago
Invoke-RestMethod
upvoted 1 times
...
oversio
4 years, 7 months ago
Yes! You are all right.
upvoted 2 times
...
Tom87
4 years, 1 month ago
Both Invoke-RestMethod and Invoke-WebRequest can be used. Their behaviour is very similar. https://blog.truesec.com/2020/07/29/invoke-webrequest-vs-invoke-restmethod/
upvoted 5 times
clarionprogrammer
4 years, 1 month ago
Agreed. The real reason it is wrong is RBAC can't be used for Identity Management.
upvoted 2 times
clarionprogrammer
4 years, 1 month ago
It's true that the Reader role is required so the VM can read/access the Azure Resource Manager. But, it's not used to authenticate the VM with the Azure Resource Manager. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm
upvoted 3 times
...
...
...
...
hubekpeter
Most Recent 2 years, 6 months ago
Grant access to specific resource groups in Azure Resource Manager - resource based access control is perfectly usable, but a key here is to limit the access to a specific group, which is not possible through reader role, you need to implement ABAC policy in this case. So the answer is NO.
upvoted 1 times
...
coffecold
2 years, 7 months ago
Selected Answer: A
Answer A - because this particular setup is appropriate to get the token (among others). User-assigned managed identity with RBAC is just one way to obtain an Azure Resource Manager access token. Having done that, you still have to get the access token by an Invoke-WebRequest.
step 1 : get the access token
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=<value of the user-assigned managed identity>&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}
step 2 : access Azure Resource Manager with the access token
See https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-ua-arm
upvoted 1 times
coffecold
2 years, 7 months ago
Although ... the Reader role-based access control (RBAC) role is not used here to get the token, it's the client ID in the invoke web-request. So to be safe: answer B
upvoted 1 times
...
...
Eltooth
2 years, 11 months ago
Selected Answer: B
B is correct answer.
upvoted 3 times
...
sawipef270
3 years, 5 months ago
Selected Answer: B
correct
upvoted 1 times
...
glam
4 years ago
B. No...
upvoted 2 times
...
ccinetto
4 years, 5 months ago
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm
Here it says that you first need to go to the Resource Group, and in the IAM tab grant access to the VM as a Reader Role. Then, when you are inside the VM, you can use the command Invoke-WebRequest cmdlet in order to get the Token. 4 is Correct because it is the first step you need to do in order to get the Token, and question 5 is correct too.
upvoted 4 times
azahran
4 years, 4 months ago
The question is you need an access token? Q 4 is a preparation step and did not retrieve an access token.
upvoted 3 times
...
bugimachi
4 years, 5 months ago
I'm not sure. What you do in IAM / RBAC is authorizing (!) the VM to access the resource group. You do NOT use IAM / RBAC for authENTICATION. I mean, you are right in saying that it is needed to grant access for the VM. But strictly speaking, the question asks for authentication only.
upvoted 4 times
Gathix444
4 years, 4 months ago
Yes you do. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-arm
upvoted 1 times
...
...
...
27close
4 years, 6 months ago
Using the Invoke-WebRequest cmdlet, make a request to the local managed identity for Azure resources endpoint to get an access token for Azure Resource Manager. Answer is NO
upvoted 2 times
...
blueturtle
4 years, 7 months ago
Yup the updated version is to use Invoke-WebRequest cmdlet.
upvoted 1 times
...
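The distinction the thread argues over, authentication through the managed identity endpoint versus authorization through RBAC, shown as an added example that is not part of any commenter's post or of the linked tutorials. It assumes it runs inside an Azure VM with a system-assigned managed identity enabled; `<SUBSCRIPTION-ID>` and `<RESOURCE-GROUP>` are placeholders, and the ARM `api-version=2021-04-01` is a choice made for this example.

```powershell
# Added example: runs only inside an Azure VM with a system-assigned managed identity.
# <SUBSCRIPTION-ID> and <RESOURCE-GROUP> are placeholders to fill in.
$ErrorActionPreference = 'Stop'

$imdsUri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=https://management.azure.com/'

# Step 1 (authentication): request a token from the local managed identity endpoint.
# The Metadata header is required. No role assignment is consulted at this point;
# the token is issued to the VM's identity whether or not it holds any role.
$token = Invoke-RestMethod -Uri $imdsUri -Method GET -Headers @{ Metadata = 'true' }

# Decode the JWT payload to inspect non-secret claims. Never log the token itself.
$payload = $token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)   # restore base64 padding
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
          ConvertFrom-Json
"Token audience: $($claims.aud), identity object id: $($claims.oid)"

# Step 2 (authorization): Azure Resource Manager evaluates RBAC when the token
# is presented. The Reader role on the resource group decides this outcome.
$armUri = 'https://management.azure.com/subscriptions/<SUBSCRIPTION-ID>' +
          '/resourceGroups/<RESOURCE-GROUP>?api-version=2021-04-01'
try {
    $rg = Invoke-RestMethod -Uri $armUri -Method GET `
          -Headers @{ Authorization = "Bearer $($token.access_token)" }
    "Authorized: read resource group '$($rg.name)' in $($rg.location)"
}
catch {
    # Works for both Windows PowerShell 5.1 and PowerShell 7 exception types.
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -eq 403) {
        # The token was valid (authentication succeeded) but no role grants access.
        'Authenticated but not authorized: the VM identity has no role (for example Reader) on this resource group.'
    }
    else {
        throw
    }
}
```

A 403 in step 2 with a successfully issued token in step 1 is the case the question turns on: the role assignment scopes what the identity may read, while the token itself comes from the managed identity endpoint.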