
Exam AZ-204 topic 4 question 36 discussion

Actual exam question from Microsoft's AZ-204
Question #: 36
Topic #: 4

HOTSPOT -
You develop a containerized application. You plan to deploy the application to a new Azure Container instance by using a third-party continuous integration and continuous delivery (CI/CD) utility.
The deployment must be unattended and include all application assets. The third-party utility must only be able to push and pull images from the registry. The authentication must be managed by Azure Active Directory (Azure AD). The solution must use the principle of least privilege.
You need to ensure that the third-party utility can access the registry.
Which authentication options should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Service principal
Applications and container orchestrators can perform unattended, or "headless," authentication by using an Azure Active Directory (Azure AD) service principal.
Incorrect Answers:
✑ Individual AD identity does not support unattended push/pull
✑ Repository-scoped access token is not integrated with AD identity
✑ Managed identity for Azure resources is used to authenticate to an Azure container registry from another Azure resource.

Box 2: AcrPush
AcrPush provides push and pull permissions only and meets the principle of least privilege.
Incorrect Answers:
✑ AcrPull only allows pull permissions; it does not allow push permissions.
✑ Owner and Contributor allow push and pull permissions but do not meet the principle of least privilege.
Reference:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli
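As an added example (not part of the exam question or any comment in the thread), the following shell script provisions the suggested configuration with the Azure CLI: a service principal whose AcrPush role assignment is scoped to one registry only, a pipeline login that reads the secret from stdin, and an audit that lists any principal holding a broader role on that registry. The registry name, principal name and resource id are hypothetical placeholders, and DRY_RUN=1 prints the az and docker commands instead of executing them.

```shell
#!/bin/sh
# Added example: provision a least-privilege identity for a third-party CI/CD
# tool that must only push and pull images to one Azure Container Registry.
# REGISTRY, SP_NAME and the resource id below are hypothetical placeholders.
set -eu

# DRY_RUN=1 prints each az/docker command instead of executing it, so the
# script can be reviewed (or tested) without an Azure login.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Map the operations the tool needs onto the narrowest built-in ACR role.
# AcrPush already includes pull, so "push pull" and "push" both give acrpush.
acr_role_for() {
  case " $* " in
    *" push "*) echo acrpush ;;
    *" pull "*) echo acrpull ;;
    *) echo "unsupported operation set: $*" >&2; return 1 ;;
  esac
}

# Create the service principal with the role scoped to this single registry,
# never to the resource group or subscription.
create_ci_principal() {
  registry="$1"; sp_name="$2"; role="$3"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    registry_id="/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/$registry"
  else
    registry_id=$(az acr show --name "$registry" --query id --output tsv)
  fi
  # Output (appId + password) is the credential the CI tool stores as a secret.
  run az ad sp create-for-rbac --name "$sp_name" --role "$role" --scopes "$registry_id"
}

# Log in from the pipeline: the secret arrives on stdin from the CI secret
# store, never as a command-line argument that would land in shell history.
ci_docker_login() {
  run docker login "$1.azurecr.io" --username "$2" --password-stdin
}

# Defender check: anything on the registry holding a broader role than
# AcrPush/AcrPull (Owner, Contributor) violates the least-privilege requirement.
audit_registry_roles() {
  run az role assignment list --scope "$1" --include-inherited \
    --query "[?roleDefinitionName!='AcrPush' && roleDefinitionName!='AcrPull'].{principal:principalName,role:roleDefinitionName}" \
    --output table
}
# Usage (real run): create_ci_principal myregistry ci-pusher "$(acr_role_for push pull)"
```

In a real pipeline the secret is piped into ci_docker_login from the CI system's secret store, and audit_registry_roles is run against the registry id returned by az acr show.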

Comments

gmishra88
Highly Voted 2 years, 7 months ago
Correct. It is only service principal.
acr-token: cannot be because of the AD authentication requirement. The roles are RBAC but the identity is not AD managed.
Managed identity: Not an option because it is third party.
AcrPush includes AcrPull. I did not know that nuance and the choice made by Microsoft to do this.
upvoted 14 times
vizay
3 weeks, 1 day ago
If your identity (app, user, service) isn’t registered in Azure Active Directory (Azure AD), Azure AD can’t recognize or assign it the necessary permissions to access Azure Container Registry (ACR). As a result, you can’t use the ACR token for authentication. When I say "your identity isn't in Azure AD", I mean that the app, user, or service you're trying to use to access Azure Container Registry (ACR) isn't registered or recognized by Azure Active Directory (Azure AD).
upvoted 1 times
ProtossOR89144
10 months, 3 weeks ago
- "An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources." - correct : "AcrPush includes AcrPull"
upvoted 1 times
macobuzi
1 year, 9 months ago
I don't understand, Why not Managed Identity? Azure Container Apps also support Managed Identity.
upvoted 1 times
dtctx
Highly Voted 3 years ago
Got this 4/29. I passed test, but scored poorly in third party integration questions. I went with Managed Identity and Contributor, and I think both are WRONG. I had not heard of ACR Push/Pull, so went with Contributor, but upon learning that ACR Push satisfies least privilege, that is probably the best answer. Table of privileges: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli I suggest ACR Push is the correct permission level.
upvoted 13 times
vizay
Most Recent 3 weeks, 1 day ago
🔹 Service Principal: Used for apps outside Azure. Needs client ID and secret or certificate. You manage the credentials. Good for CI/CD tools like GitHub Actions.
🔹 Managed Identity: Used for apps inside Azure. No secrets needed — Azure manages authentication. More secure and easier to use. Good for Azure Functions, Web Apps, VMs, etc.
upvoted 1 times
vizay
3 weeks, 1 day ago
given answer is correct :)
upvoted 1 times
bgbgvfvf
1 year, 5 months ago
answer is correct
upvoted 1 times
130nk3r5
1 year, 5 months ago
To meet all the requirements, you should use the following authentication options: Service Principal: A service principal is an identity that is used by a service or application to log in and access Azure resources. You can assign specific permissions to the service principal to adhere to the principle of least privilege. This will allow the third-party CI/CD utility to authenticate with Azure AD. Role-Based Access Control (RBAC): After creating the service principal, you should assign it a role that only allows it to push and pull images from the Azure Container Registry. The "AcrPush" role could be a good fit as it allows the service principal to push and pull images, but doesn't grant any other permissions. Remember to store the service principal's credentials securely in the CI/CD utility.
upvoted 2 times
Stann07
1 year, 5 months ago
Service Principal: Service principals are non-interactive Azure accounts. Using them with CI/CD utilities allows for Unattended deployments. AcrPull: This role can only pull images from the registry. This is here certainly the role with the least privilege because acrpush can Push image to the registry (and also pull them)
upvoted 1 times
Stann07
1 year, 5 months ago
My error, I did not see the requirement in the question for the user to be able to pull AND PUSH images to the registry. So the right answer is ACRPUSH
upvoted 1 times
sarmaria
2 years, 2 months ago
Got this on 16/03/23. Chosen Service Principal and AcrPush. Make sure to prepare for case study. I got city and lights case study. No Kubernetes, Search, Logic Apps questions for me.
upvoted 7 times
mabdo
2 years, 3 months ago
on exam 02/23
upvoted 3 times
Esward
2 years, 4 months ago
Service Principal and AcrPush are correct answers!
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli
upvoted 3 times
OPT_001122
2 years, 5 months ago
service principal AcrPush
upvoted 2 times
hubekpeter
2 years, 6 months ago
Individual identity - no, you don't want to use somebody's username; when he leaves, the service will stop working (saw this tens of times). Managed identity - yes, that could work, but you're not sure if CI/CD is running on an Azure resource. Repository scoped access token - the next question would be regarding Scope Map, but they are apparently asking about RBAC role. So the correct answer is Service Principal with AcrPush role, which will meet the least privilege requirement.
upvoted 4 times
coffecold
2 years, 7 months ago
The question is about access to 'a' registry. Nowhere in the question is it stated that Azure Container Registry (ACR) is used. It talks about "the registry", which is confusing. Provided Azure Container Registry (ACR) is used, then the answer is correct. If another kind of registry is used to store the images, the answer can be anything (depending on the registry used).
upvoted 2 times
finnishr
2 years, 8 months ago
The answer is correct.
upvoted 2 times
vvlads
3 years ago
why not managed identity? Use only from select Azure services that support managed identities for Azure resources https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli resources: ...Azure Container Registry... https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-status#azure-services-that-support-managed-identities-for-azure-resources
upvoted 2 times
coffecold
2 years, 7 months ago
The CI/CD is third party.
upvoted 3 times
sghaha
3 years ago
https://docs.microsoft.com/ko-kr/azure/container-registry/container-registry-authentication?tabs=azure-cli
upvoted 2 times