Exam AZ-204 topic 4 question 24 discussion

If a caller outside Azure doesn't look like we can use Managed Identity in such a situation. I think the client certificate is better.

Ans is correct: managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

The correct answer is C. Managed identity. Managed identities for Azure resources is a feature of Azure Active Directory. It provides Azure services with an automatically managed identity in Azure AD. You can use this identity to authenticate to any service that supports Azure AD authentication, without having any credentials in your code. Option A, Basic authentication, would require sending credentials (username and password) with each API call. Option B, Anonymous authentication, would not secure the API calls as it allows anyone to call the API without any form of authentication. Option D, Client certificate authentication, would require the callers to present a valid client certificate, which can be considered as a form of credential.

Got this on 16/03/23. Went with proposed solution. Make sure to prepare for case study. I got city and lights case study. No Kubernetes, Search, Logic Apps questions for me.

C because it doesn't send credentials + API that's gonna call it is on Azure so Managed Identity is viable.

Given answer is correct as per MS docs https://learn.microsoft.com/en-us/azure/api-management/authentication-managed-identity-policy

It can never be managed identity unless the client is an azure resource that supports managed identity. The question does not say that. So, it has to be client-certificate. But then this is Microsoft exam and cannot expect a lot of logic from the question creators.

C is correct. A lot of people choose D (Client Certificate), but that is also sent to the server using the header X-ARR-ClientCert so that is not correct. See here: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth#access-client-certificate

C appears best answer based on question text, however if question is missing key words (API Management) then D would be best answer. Remember the exam question will not be ambiguous nor prove to someone’s photo memory of rewriting it here.

my read was: my company develop an Azure API, and need to authenticate the API to other (Azure) services. If this is the case. using managed ID is correct.

key words - developing an Azure API (obviously customization and there is no Azure service named 'Azure API') & Secure API calls --> These leads to the answer 'Client Certificate'.. Also in the Q there is no requirement of managing/rotating credential so surprising why many people vote for 'Managed Identity'..

Managed identity

Agree with MasDen

Got it in exam 03/22

Since there is no requirement for users outside of Azure, I would choose C.

Couldn't find the requirement that it has to be available to users outside azure.

There is no service called "Azure API". Thus, I assume it refers to "App Service > API Apps". https://azure.microsoft.com/en-us/services/app-service/api In the page of "Secure app > Use managed identities", it's all about App itself accesses other resources, not about client calling API. https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity And the page "AuthN and AuthZ in Azure App Service ", it says "App Service uses federated identity", not managed identities. https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization So I suppose the only thing we can do is client certificate https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth