You have an Azure subscription named Sub1 that contains the resources shown in the following table. You need to ensure that you can provide VM1 with secure access to a database on SQL1 by using a contained database user. What should you do?
Agree here.
A. Enable a managed identity on VM1.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
Thought so too, but that is wrong: "contained database user" is just a user in the database; it does NOT say that he authenticates with SQL authentication.
Given answer is correct
The question is "secure access to a database on SQL1 by using a contained database user"
By using a contained database user... it means no need to enable managed identity.
I disagree. Contained database user does not mean/or nothing to do with managed identity. A contained database user can be mapped to an Azure AD identity.
"However, using Azure Active Directory authentication with SQL Database and Azure Synapse requires using contained database users based on an Azure AD identity. A contained database user does not have a login in the master database, and maps to an identity in Azure AD that is associated with the database. The Azure AD identity can be either an individual user account or a group." https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-guide
Therefore, it should also be possible to map a managed identity to a contained user, similar to a user identity in Azure AD.
See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql
"Create a contained user in the database that represents the VM's system assigned identity"
Was misled by the term "contained database user", this does simply refer to a database user but it does NOT say anything about the authentication method. A "contained database user" can authenticate via SQL authentication OR Windows-integrated/EntraID.
Hello, we need to use a managed identity because to use a key or secret it has to be in the same region, in order to make sure the encryption secrets don't cross regional boundaries (the question answer below).
See https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-ver16#contained-database-user-model
"For SQL Database and Azure Synapse Analytics, since the database name is always required in the connection string, no changes are required to the connection string when switching from the traditional model to the contained database user model. For SQL Server connections, the name of the database must be added to the connection string, if it is not already present."
That means that we don't have to store anything in a KV, and seeing as it provides seamless authN with AAD, a managed identity is the answer.
So it's confusing in regards to contained. What happens when you set a managed identity in SQL? It will create the user in sys.principals and it will calculate the SID based on the origin. For example, if you have a user-assigned identity, it's the object ID, or when using sql data package > 3.0 it's the client ID. When using a system-assigned identity, it's using the name and calculates the SID. If you use SQL Management Studio, it will do the SID calculation for you.
Anyway, the Key Vault doesn't make sense due to the different RG. But if we store a connection string in Key Vault that is using a contained user, it could work. Not the most secure way, btw. So now the question: MI or service endpoint? Service endpoint is not enough; MI will work, although the question is kind of messed up.
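The point the thread keeps circling, that "contained database user" names where the user lives and not how it authenticates, can be seen directly in T-SQL. This is an added example, not code from any commenter or from the exam material; `VM1` is the VM name from the question, `app_user` and the password placeholder are hypothetical, and it assumes VM1 already has a system-assigned managed identity and that you are connected to the user database as the server's Azure AD admin.

```sql
-- Run in the user database on SQL1 (not in master).
-- CREATE USER ... FROM EXTERNAL PROVIDER requires a session that is itself
-- authenticated with Azure AD; a SQL-authenticated admin cannot run it.

-- Contained user mapped to VM1's managed identity.
-- No login in master and no password stored anywhere.
CREATE USER [VM1] FROM EXTERNAL PROVIDER;

-- Least privilege: grant only the role the workload needs.
ALTER ROLE db_datareader ADD MEMBER [VM1];

-- For comparison: a contained user that authenticates with a password.
-- It is just as "contained", but the secret now has to be stored and
-- rotated somewhere (for example in a connection string).
CREATE USER [app_user] WITH PASSWORD = '<REPLACE_WITH_STRONG_PASSWORD>';

-- Both rows are contained users; authentication_type_desc is the column
-- that tells an Azure AD-backed principal (EXTERNAL) apart from a
-- password-backed one (DATABASE).
SELECT name,
       type_desc,
       authentication_type_desc,
       sid
FROM sys.database_principals
WHERE name IN (N'VM1', N'app_user');

-- Remove the comparison user once the difference has been inspected.
DROP USER [app_user];
```

Auditing `sys.database_principals` for rows with `authentication_type_desc = 'DATABASE'` is a quick way to find contained users that still depend on stored passwords.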