Exam AZ-304 topic 2 question 23 discussion

should be user assigned MI

Somestmes, discussions, lead to more confusion

1. To provision the Azure AD identity: Create a system-assigned Managed Service Identity: This is a type of identity that is tied to the lifecycle of a specific resource, such as an Azure virtual machine. Using system-assigned identities, the identity is automatically managed by Azure and does not require any manual effort once set up. 2. To authenticate, request a token by using: An Azure AD v2.0 endpoint: The Azure AD v2.0 endpoint supports the latest protocol and allows applications to use the Microsoft identity platform to authenticate users and access secured resources in Azure. By choosing these options, you'll ensure that each of the 10 virtual machines has its own identity that can be used by the applications running on them. Since the identity is tied to the machine, the application will only be able to authenticate when running on the virtual machine. The use of system-assigned Managed Service Identity reduces administrative overhead because it doesn't require manual management of the identity lifecycle.

User assigned managed identity = 5 apps on 10 VMs. Endpoint v2 = only one that remains supported and provide authentication. V1 depreciated. IMDS provided info about vm for all processes inside vm, anonymously.

Azure Instance Metadata Service doesn't provide authentication channel. This is wrong answer. Https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows Azure Instance Metadata Service (IMDS) provides information about currently running virtual machine instances. Instance Metadata Service is only accessible from within a running virtual machine instance on a non-routable IP address. VMs are limited to interacting with metadata/functionality that pertains to themselves. IMDS is not a channel for sensitive data. The API is unauthenticated and open to all processes on the VM. Information exposed through this service should be considered as shared information to all applications running inside the VM.

Good link explaining how an app running on a VM can get an access token using Azure Instance Metadata Service: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http

I found this regarding the 2nd part of the question which I agree is correct and thought i'd post it. 'Your code that's running on the server can request a token from the Azure Instance Metadata service endpoint, accessible only from within the server.' https://docs.microsoft.com/en-us/azure/azure-arc/servers/managed-identity-authentication

can anyone explain Azure AD V1, V2 endpoint and Azure Instance Metadata service endpoint?

Why system assigned 1. No admin as they are created automatically and deleted automatically with the resource which is the VM. One requirement is no or less admin effort. 2. The other point is the app is authenticated only when running on these VMs. So if the VM dies and new VM is created the app will not be authenticated. This fits perfectly as the life cycle requirement. The user managed identities are created by user and hence have more admin effort & they still exists when the VM is deleted. So if new VM is created the user managed identity will get assigned and the app will still be authenticated.

1. User Assigned Managed Identity 2. Metadata Service identity endpoint

User-assigned managed IDENTITY (type I believe) AZ instance metadata service OAuth2 endpoint 1) minimize admin effort https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations#using-user-assigned-identities-to-reduce-administration 2) you CANNOT create system-assigned MI, they are auto created. System assigned Managed Identities are automatically created along with the Azure resource and the life cycle of the managed identity depends on the Azure resource. 3) ensure app can auth only with 10 VMs the user-assigned MI will be associated only with the AZ resources (10 VMs). Yes, you can associate with more resources, but you can also create a new VM and associate its automatically created system-assigned MI with AAD. Case closed

Box1: User-assigned: User assigned is sharable whilst system assigned is not. Thus will defeat the requirement that all VMs must run with same identity Box2: Metadata service

1. User Assigned Managed Identity 2. Metadata Service identity endpoint (given answer)

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm#user-assigned-managed-identity Your code that's running on the VM can request a token from the Azure Instance Metadata Service identity endpoint, accessible only from within the VM: http://169.254.169.254/metadata/identity/oauth2/token https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview User-assigned You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service User-assigned managed identities and OAuth2 are the answers

Came in exam on 20-sep-21, i passed, answers are correct

Its should be user Assigned Managed Identity. Second question answer is correct.

Guys, the hint is this the word "Only" >>> "...authenticate only when running on the 10 virtual machines.". With system-assigned managed identity it is tied to the VM you assign only. But with user-assigned managed identity you can add it to anywhere else.