Exam AZ-204 topic 1 question 10 discussion

Managed Service Identity (MSI) is a feature in Azure that allows you to securely authenticate an Azure service to other Azure services without having to manage credentials. By enabling MSI on the Azure App Service hosting the e-Commerce Web App, you can create a trust relationship between the App Service and Azure Key Vault. This allows the e-Commerce Web App to authenticate with Azure Active Directory (AAD) and securely retrieve secrets from the Key Vault.

Enabling Managed Service Identity (MSI) allows your e-Commerce Web App to securely access Azure Key Vault without needing to manage credentials. MSI provides an automatically managed identity in Azure AD, which can be used to authenticate to any service that supports Azure AD authentication, including Azure Key Vault.

since the statement sais "secured by using Azure App Service authentication and Azure Active Directory (AAD)." it stand to reason the nswer would be D. when configuring app service authentication with Microsoft identity provider, an app registration is required. which, under the hood, creates an app service principal (the ObjectID from the app registration, not to be confused with the applicationID of the app registration). so although the wording of the D option is missfortunate, it's still true.

C is correct

C - Enable Managed Service Identity

D. Create an Azure AD service principal. To secure sign-ins to the e-Commerce Web App by using Azure App Service authentication and Azure Active Directory (AAD), you should create an Azure AD service principal. A service principal is a security identity that you can use to authenticate and authorize your app to access Azure resources. Once you have created the service principal, you can use it to authenticate to Azure Key Vault and access the secrets that you store there. B. Enable Azure AD Connect is a method to Synchronize on-premises directories and enable single sign-on and it's not related to this question. A. Run the az keyvault secret command is a command line to manage secrets in keyvault, it's not related to the question. C. Enable Managed Service Identity (MSI) is a feature that enables an app to authenticate to Azure services using its managed identity, which is automatically managed by Azure. This feature can be used to authenticate to Azure Key Vault and access the secrets that you store there, but it's not necessary to use it in this scenario.

C. Enable Managed Service Identity (MSI).

I think the right answer is A: https://learn.microsoft.com/en-us/azure/data-factory/v1/data-factory-on-premises-mongodb-connector

C is better than D, because thanks to ManageIdentity, your code can forget to store keys, so is better solution than Service Principal

"Azure AD service principals" are created for Apps registered in Azure AD. Whereas WebApps, VMs, hubs etc all can get a Managed Identity.

I dont know. C&D seem to be the same thing. I would take the create principle option as I am not even sure if you can enable or disable MSI on a top level.

This is a bit tricky checkout https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object