Exam AZ-204 topic 4 question 9 discussion

Actual exam question from Microsoft's AZ-204
Question #: 9
Topic #: 4
You have an application that includes an Azure Web app and several Azure Function apps. Application secrets including connection strings and certificates are stored in Azure Key Vault.
Secrets must not be stored in the application or application runtime environment. Changes to Azure Active Directory (Azure AD) must be minimized.
You need to design the approach to loading application secrets.
What should you do?

  • A. Create a single user-assigned Managed Identity with permission to access Key Vault and configure each App Service to use that Managed Identity.
  • B. Create a single Azure AD Service Principal with permission to access Key Vault and use a client secret from within the App Services to access Key Vault.
  • C. Create a system assigned Managed Identity in each App Service with permission to access Key Vault.
  • D. Create an Azure AD Service Principal with Permissions to access Key Vault for each App Service and use a certificate from within the App Services to access Key Vault.
Suggested Answer: A
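The single shared user-assigned identity of option A, written out as an added Bicep example (not from this page, the exam, or Microsoft's documentation). It assumes an existing Key Vault that uses the Azure RBAC permission model (an access policy would replace the role assignment otherwise) and an existing App Service plan; all resource names and the secret name are placeholders, and the Function App runtime and storage settings are omitted.

```bicep
// Added example, not from the page: one user-assigned identity shared by every site.
param location string = resourceGroup().location
param keyVaultName string        // existing vault, Azure RBAC permission model (assumed)
param planId string              // resource ID of an existing App Service plan (assumed)
param webAppName string
param functionAppNames array
// Built-in role "Key Vault Secrets User": read secret values only, no management rights
var secretsUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// Created once: a single service principal in Azure AD that every site shares
resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-shared-app-secrets'
  location: location
}

// One role assignment on the vault instead of one per app
resource kvSecretsRead 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, appIdentity.id, secretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: secretsUserRoleId
    principalId: appIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// Web App and Function Apps attach the same identity; Key Vault references are
// resolved with it, so no secret value is ever stored in the app settings
resource sites 'Microsoft.Web/sites@2023-01-01' = [for name in concat([webAppName], functionAppNames): {
  name: name
  location: location
  kind: name == webAppName ? 'app' : 'functionapp'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${appIdentity.id}': {} }
  }
  properties: {
    serverFarmId: planId
    keyVaultReferenceIdentity: appIdentity.id   // which identity resolves the references
    siteConfig: {
      appSettings: [
        { name: 'SqlConnectionString', value: '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=SqlConnectionString)' }
      ]
    }
  }
  dependsOn: [ kvSecretsRead ]
}]
```

Adding a new Function App later only requires attaching the existing identity to it; no new Azure AD object or role assignment is created.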

Comments

YellowSky002
Highly Voted 4 years, 1 month ago
I think the answer is A. Create a single user-assigned Managed Identity with permission to access Key Vault and configure each App Service to use that Managed Identity. Because we have more than one App (Web App and other Function Apps), so we agree it is going to be a managed identity, but should I create one for each app or one for all apps? If I create a system MI then there should be one for each App. If I create a user MI then I can re-use it for any App I want with minimum change to AD.
upvoted 118 times
Basu525
4 years, 1 month ago
Yes exactly. The question emphasizes having multiple resources that need to access Key Vault. So using a User Assigned MI is more pragmatic.
upvoted 4 times
SlavMar
3 years, 10 months ago
Well, from a security standpoint you could assign different secrets to different parts of the application (if they are using system managed identity), so if one component is compromised, not all secrets are available to hackers.
upvoted 5 times
midhy
4 years, 1 month ago
User assigned cannot be used. Look at the link provided.
upvoted 4 times
vb3d
4 years, 1 month ago
I think that note in the link is only for the usage of key vault references, which is a new thing in key vaults. I think a user assigned identity should still have access to the key vault.
upvoted 4 times
Zsolt72
4 years, 1 month ago
Yes, key vault reference is an App Configuration feature referencing a secret from key vault.
upvoted 1 times
Tom87
4 years ago
That's true. https://kasunkodagoda.com/2019/06/09/using-user-assigned-managed-identity-to-access-azure-key-vault-from-azure-app-service/
upvoted 1 times
vb3d
4 years, 1 month ago
I just tried this; I was able to give a user assigned managed identity access to a key vault.
upvoted 8 times
vtomy
3 years, 10 months ago
User assigned MI is not supported for Key Vault. System assigned MI is correct.
upvoted 6 times
PhilLI
3 years, 4 months ago
I don't read this on that page t.b.h.
upvoted 1 times
zzt
3 years, 9 months ago
This is not true: see: https://kasunkodagoda.com/2019/06/09/using-user-assigned-managed-identity-to-access-azure-key-vault-from-azure-app-service/
upvoted 6 times
ferut
3 years, 11 months ago
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview The lifecycle of a user-assigned managed identity is manually managed by the user and it can be used (not assigned) by several services. The lifecycle of a system-assigned managed identity is tightly coupled with the service it's assigned to. When the service is deleted, the identity will also be gone. To minimize changes to AD, user-assigned is more suitable.
upvoted 8 times
mlantonis
Highly Voted 3 years, 11 months ago
Correct Answer: C. Key Vault references currently only support system-assigned managed identities. User-assigned identities cannot be used. Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
upvoted 41 times
altafpatel1984
3 years, 5 months ago
Don't misguide people. In the same link you give, this statement exists "Some apps need to reference secrets at creation time, when a system-assigned identity would not yet be available. In these cases, a user-assigned identity can be created and given access to the vault in advance." Your given reference: https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
upvoted 10 times
zzt
3 years, 9 months ago
Not correct: see link https://kasunkodagoda.com/2019/06/09/using-user-assigned-managed-identity-to-access-azure-key-vault-from-azure-app-service/
upvoted 5 times
eX900
2 years, 6 months ago
Granting your app access to Key Vault: "2. Create a managed identity for your application." "Key Vault references will use the app's system assigned identity by default, but you can specify a user-assigned identity." Your second reference: https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references. So, the answer is: A
upvoted 4 times
TakumaK
3 years, 10 months ago
You are wrong. Your second link OBVIOUSLY says "Key Vault references will use the app's system assigned identity by default, but you can specify a user-assigned identity."
upvoted 19 times
Vichu_1607
Most Recent 6 months, 3 weeks ago
Selected Answer: A
Using a user-assigned Managed Identity is a good approach in this scenario. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. A user-assigned managed identity is created as a standalone Azure resource. After it's created, the identity can be assigned to one or more Azure service instances. The identity is managed by Azure AD and does not require a password. By using a single user-assigned Managed Identity across all your App Services, you can manage access to the Key Vault centrally, minimizing changes to Azure AD.
upvoted 1 times
prabhjot
8 months, 3 weeks ago
Ans is C - Secrets must not be stored in the application or application runtime environment.
upvoted 1 times
jobolesonihal
1 year, 1 month ago
Selected Answer: A
Key vault references use the app's system-assigned identity by default, but you can specify a user-assigned identity. Even for KeyVault References - "Key vault references use the app's system-assigned identity by default, but you can specify a user-assigned identity."
upvoted 1 times
Zhenyuan_Zhang
1 year, 2 months ago
Selected Answer: A
I think the answer is A. https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview#management-identity-types https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
upvoted 1 times
junkz
1 year, 6 months ago
There is a saying in my country: one fool throws a rock in the pond, and 10 good people do their best to pull it out. This is exactly how I feel looking at all of us trying to "guess" what "minimizing AD changes" really means in this context...
upvoted 4 times
drkpnsh
1 year, 8 months ago
I think in the past you could not use a user-assigned identity to access Azure Key Vault. But it is possible now: "Key vault references use the app's system-assigned identity by default, but you can specify a user-assigned identity." https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli So I think the answer should be A.
upvoted 2 times
Dianahu
1 year, 9 months ago
If I want to add a user-assigned managed identity I need to create it, so I wouldn't say that it is a minimum change to AD, and it is not a good pattern to have the same identity for all of them.
upvoted 1 times
AzSimuz
2 years ago
Managed identities are of the following two types. System-assigned -- this is activated directly on the Azure cloud service. For example, you can create a managed identity for your web app that will be automatically deleted once the web app instance is deleted. User-assigned -- this is a stand-alone Azure resource that is created independent of the actual service instance. You can assign this identifier to one or more Azure resources simultaneously. As an example, you can set this identity to both an Azure Web App and an Azure Function at the same time. https://www.loginradius.com/blog/engineering/guest-post/using-azure-key-vault-with-an-azure-web-app-in-c-sharp/
upvoted 2 times
maqsoodshah
2 years, 1 month ago
Correct Answer: A. System-assigned -- this is activated directly on the Azure cloud service. For example, you can create a managed identity for your web app that will be automatically deleted once the web app instance is deleted. User-assigned -- this is a stand-alone Azure resource that is created independent of the actual service instance. You can assign this identifier to one or more Azure resources simultaneously. As an example, you can set this identity to both an Azure Web App and an Azure Function at the same time.
upvoted 1 times
JamieS
2 years, 1 month ago
I would have thought it was system assigned identity, but it says we have multiple Azure Function apps, and one of the requirements is to minimise changes to AD. Only the user identity has a one to many mapping (https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types).
upvoted 3 times
manopeydakon
2 years, 2 months ago
Key Vault references will use the app's system assigned identity by default, but you can specify a user-assigned identity. A user-assigned managed identity can be shared! The same user-assigned managed identity can be associated with more than one Azure resource. So A and C both work, but it is less work with A in this case.
upvoted 1 times
Esward
2 years, 3 months ago
User assigned Identity https://thecodeblogger.com/2020/06/13/user-assigned-managed-identity-with-azure-key-vault/
upvoted 1 times
Esward
2 years, 3 months ago
Also refer https://yourazurecoach.com/2022/02/04/use-app-service-key-vault-references-with-user-assigned-identities/
upvoted 1 times
Esward
2 years, 3 months ago
https://stackoverflow.com/questions/55101525/how-can-i-give-access-to-key-vault-to-a-user-assigned-identity
upvoted 1 times
daothanhyen
2 years, 3 months ago
Selected Answer: C
C. Because user assigned will take more code and configuration for the key. System assigned for each app service is more secure and there is no need to have any configuration, and the same code.
upvoted 4 times
imanonion
2 years, 3 months ago
Selected Answer: C
By creating a system-assigned Managed Identity for each App Service, you can avoid storing secrets in the application or runtime environment, as the Managed Identity provides a way for the App Service to authenticate to Key Vault without the need for hard-coded credentials. Additionally, using a separate Managed Identity for each App Service allows for fine-grained access control to the secrets stored in Key Vault, as you can assign permissions to specific identities rather than granting broad permissions to a single identity.
upvoted 1 times
imanonion
2 years, 3 months ago
Option A, "Create a single user-assigned Managed Identity with permission to access Key Vault and configure each App Service to use that Managed Identity", can also be a good solution, but it can't provide fine-grained access control as all App Services use the same identity. Option B, "Create a single Azure AD Service Principal with permission to access Key Vault and use a client secret from within the App Services to access Key Vault", would not be the recommended approach, as it would involve storing the client secret in the App Services, which is a violation of the requirement to avoid storing secrets in the application or runtime environment. Option D, "Create an Azure AD Service Principal with Permissions to access Key Vault for each App Service and use a certificate from within the App Services to access Key Vault", is also a valid approach, but it is more difficult to manage the certificate in each App Service and it needs more code to handle the certificate.
upvoted 1 times
warchoon
2 years, 2 months ago
User-assigned Managed Identity is an additional resource. System-assigned is not
upvoted 2 times
oceane0316
2 years, 4 months ago
The correct answer is A. Source: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations#using-user-assigned-identities-to-reduce-administration Read the article, but in summary: "When a user-assigned identity is associated with the four virtual machines, only two role assignments are required, compared to eight with system-assigned identities. If the virtual machines' identity requires more role assignments, they'll be granted to all the resources associated with this identity." The key here is "Changes to Azure Active Directory (Azure AD) must be minimized" and the paragraph is called "Using user-assigned identities to reduce administration". So A is the correct answer because of the "change must be minimized". C would work, but it means you have many more changes.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other