Exam AZ-500 topic 4 question 21 discussion

I am not fully sure about this one, but I agree the answer choices. Since we are deploying the template across several VMs and need to authenticate with the extension repository ( for downloading extensions), we need to provide the VM an identity to authenticate with the repository. This is best done by assigning the VM with a "user assigned managed identity". We can set up this managed identity to have the required permissions on the extension repository via RBAC roles. The managed identity requests permissions via the Azure IMDS from the Azure AD and hence needs to know the right Tenant ID to get the token from. I believe the Azure AD ID is the same as the Tenant ID.

correct

Its definitely user0assigned managed identity instead of system-assigned. Its does not have anything to do with Log Analytic workspace, why would anyone pick B? I say its AC

https://learn.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions-template Workspace ID & Workspace Key (instead of key, use UAMI)

New-AzResourceGroupDeployment ` -ResourceGroupName <YourResourceGroup> ` -TemplateFile .\vulnerability-assessment-template.json ` -vmName <YourVMName> ` -workspaceId <YourWorkspaceID> ` -primarySharedKey <YourPrimarySharedKey>

why not primary shared key ? several ai chats pick this as a correct answer and mention 'primary shared key is required to authenticate the vulnerability scanner extension '

definitivamente user assigned

Workspace ID & Workspace Key

Answer should be A,B. I would like to response first why "C" is not required while multiple justification already shared for "A" & "B" if different responses. - When we are using a managed identity, it represents a specific identity within Azure Active Directory (Azure AD), so option “C” would not require. - Managed Identity are used to authenticate azure resource. Here we have to use a managed identity to authenticate multiple VM as well as Log analytics workspace, hence NOT for single azure resource, hence option “A” is correct. - Workspace ID and key for Azure Defender integration would require for ARM template, hence option “B” is correct.

Answer is correct; it makes more sense to use user-assigned manage identity + Tenant ID for deploying arm template

Not sure why people are voting for system assigned identity here. Only coz ChatGPT said so ? You would need 100 identities if you are going to do that. The given answers are correct imo.

When deploying the vulnerability scanner extension to the virtual machines using an Azure Resource Manager template, you should specify: B. the workspace ID: This is the ID of the Log Analytics workspace where the vulnerability data will be sent. E. the system-assigned managed identity: This is the identity that Azure creates and assigns to the virtual machine. It’s used to authenticate the VM when it communicates with the Azure services.

100 VM : best way is to create a user MI .. so user MI and worksapce ID

B&E Explanation: Since we are deploying the template across several VMs and need to authenticate with the extension repository ( for downloading extensions), we need to provide the VM an identity to authenticate with the repository. This is best done by assigning the VM with a "user assigned managed identity". We can set up this managed identity to have the required permissions on the extension repository via RBAC roles. The managed identity requests permissions via the Azure IMDS from the Azure AD and hence needs to know the right Tenant ID to get the token from. I believe the Azure AD ID is the same as the Tenant ID.

To automate the deployment of the vulnerability scanner extension to the virtual machines with Azure Defender enabled, you should specify the following values in the Azure Resource Manager template: B. the workspace ID: This is the ID of the Azure Defender workspace where the vulnerability scan data will be sent and analyzed. E. the system-assigned managed identity: Managed identities are used for authenticating and authorizing the extension to interact with Azure resources securely. In this case, you should use a system-assigned managed identity to ensure secure authentication between the extension and Azure services. So, the correct values to specify in the code are B and E.

A, C THE QUESTION IS NOT DELIBERATING WHERE ONE SYSTEM-ASSIGNED MANAGED IDENTITY (1 VM) WILL BE SENDING DATA TO (A WORKSPACE), BUT RATHER, WHAT IS REQUIRED TO INSTALL THE SAME EXTENSION ON 100 VMs (ALL WHICH CAN USE ONE USER-ASSIGNED MANAGED IDENTITY). THE AZURE AD ID IS TO SPECIFY WHAT TENANT YOU MANAGED IDENTITY SHOULD BE AUTHENTICATED TO.

I asked chatgpt here is his answer: To automate the deployment of the vulnerability scanner extension to the virtual machines using an Azure Resource Manager template, you should specify the following values: B. The workspace ID: This is required to identify the Azure Defender workspace where the vulnerability scan results will be sent. E. The system-assigned managed identity: This identity will be used to authenticate and authorize the deployment of the extension to the virtual machines. These values are necessary for the successful deployment of the vulnerability scanner extension to the virtual machines.