Exam AZ-304 topic 2 question 10 discussion

Correct

I'm a little confused. All the requirements point to a user-assigned managed identity, but that is not supported by Azure Key Vault. "Key Vault references currently only support system-assigned managed identities. User-assigned identities cannot be used." Everybody is so convinced that the answer is correct, but I think it should be system-assigned, although the question is almost shouting user-assigned. https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references#granting-your-app-access-to-key-vault https://www.examtopics.com/discussions/microsoft/view/45744-exam-az-204-topic-3-question-11-discussion/ https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references#granting-your-app-access-to-key-vault https://www.examtopics.com/discussions/microsoft/view/45744-exam-az-204-topic-3-question-11-discussion/

Correct, we need to use user assigned managed identity for Virtual machines to share the same identity for the future virtual machines and use this identity (AAD based authentication) to access all the other resources

In AZ-305 exam, 9 april 22

Seems D is the correct answer based on the following info: System-assigned managed identities allow you to: • Enable or disable managed identities at the resource level. • Use role-based access control (RBAC) to grant permissions. • View the create, read, update, and delete (CRUD) operations in Azure Activity logs. • View sign-in activity in Azure AD sign-in logs. User-assigned managed identities allow you to: • You can create, read, update, and delete the identities. • You can use RBAC role assignments to grant permissions. • User assigned managed identities can be used ON MORE THAN ONE RESOURCE. • CRUD operations are available for review in Azure Activity logs. • View sign-in activity in Azure AD sign-in logs.

I would choose D

User-assigned managed identity

refer https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp

User managed identity, will be for more than 1 VM.

Correct Answer Given [User-assigned managed identity] https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview User-assigned managed identity:- "For example, a workload where multiple virtual machines need to access the same resource." System-assigned managed identity:- "For example, an application that runs on a single virtual machine"

Given answer is correct. We can definitely assign user identity to key vault. Keys points to consider why Managed User Identity is the correct answer. 1. New VM will be added in future 2. Minimize administrative efforts. Managed User Identity is not tied to a resource life time. It can be assigned to multiple resources.

Both User assigne and System Assigned Identity will do the job but the System assigned identity is the one without the aministrative hassle. You just click on Systemassigned idenitiy on the VM side and than go to the KeyVault -> Access Policies and add the VM by searching for its name. For me B should be the right answer.

Correct Answer

Correct!

Just a note...To create a user assigned managed identity, you need MI Contributor role and create the MI in the portal, then you can assign RBAC permissions. The MI will need to be deleted separately when no longer in use. System assigned MI is enabled with the resource is created or after creation under VM - Identity. It is automatically deleted when the VM is deleted. User assigned MI is more secure but in this case, system assigned would save work. My vote is for system assigned.

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication User-assigned You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service D is the answer

Came in exam on 20-sep-21, i passed, answer are correct