Exam AZ-300 topic 1 question 6 discussion

Actual exam question from Microsoft's AZ-300
Question #: 6
Topic #: 1

You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.
VM1 runs services that will be used to deploy resources to RG1.
You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.
What should you do first?

  • A. From the Azure portal, modify the Access control (IAM) settings of RG1.
  • B. From the Azure portal, modify the Policies settings of RG1.
  • C. From the Azure portal, modify the Access control (IAM) settings of VM1.
  • D. From the Azure portal, modify the value of the Managed Service Identity option for VM1.
Suggested Answer: D
References:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Comments

Sedge
Highly Voted 5 years, 6 months ago
The question asks what should you do first. Sure, Access control (IAM) needs to be done, but not first. Before you can modify access, you need to create a service principal to manage that access for. The correct answer is indeed 'D' - you need to set this up with a Managed Service Identity first.
How a system-assigned managed identity works with an Azure VM:
1. Azure Resource Manager receives a request to enable the system-assigned managed identity on a VM.
2. Azure Resource Manager creates a service principal in Azure AD for the identity of the VM. The service principal is created in the Azure AD tenant that's trusted by the subscription.
3. Azure Resource Manager configures the identity on the VM by updating the Azure Instance Metadata Service identity endpoint with the service principal client ID and certificate.
4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use role-based access control (RBAC) in Azure AD to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
upvoted 44 times
Amrinder101
5 years, 6 months ago
The question says - You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1. So the identity has already been set up for the VM.
upvoted 7 times
PDR
5 years, 5 months ago
I agree with Sedge and think it is D because .... the question says: VM1 runs services that WILL be used to deploy resources to RG1. **** (This suggests to me that the identity has not been set up yet - it is saying it will run the services, not that it already can do.) You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1. *** (This is saying that you need to ensure that it can, that it needs to be done by using the identity; no mention of there already being anything done to enable the identity.) Ultimately though it comes down to semantics and it is frustrating when MS gives questions like this that could be interpreted in more than one way with arguably equal validity - would be much better if they were completely clear and we can just be tested on knowledge and not second guessing what the question writer was thinking.
upvoted 16 times
...
...
2cool2touch
5 years, 5 months ago
I tend to agree with you.
upvoted 2 times
...
Centrifuge
4 years, 10 months ago
Agreed -- but "create" is not the same thing as "modify"! Modify means it has already been created, and would imply that adding the permissions should be done in the Service Identity -- which is absolutely wrong! I have to agree with others that given the way the question is worded, A is the correct answer. But then, Microsoft does like to make really fuzzy questions like this.
upvoted 2 times
...
...
AS007
Highly Voted 5 years, 5 months ago
It's "D". Reason - "manage the resources in RG1 by using the identity of VM1". It never says that managed identity is enabled. Process is: 1. Enable Managed Identity on VM. 2. Modify IAM. 3. Enable Required Access.
upvoted 9 times
...
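
The order of operations described in the comments above (enable the VM's managed identity first, then grant it a role on RG1), written as an added Azure CLI example that is not part of the original thread. It assumes `az` is installed and logged in; the role name is an assumption (the question names none), so it is passed as a parameter.

```shell
#!/usr/bin/env bash
# Added example: let VM1's own identity manage RG1, in the right order.
# Assumptions: Azure CLI is installed and logged in; the role to grant is
# chosen by the caller (the page does not name one).

# Print the object ID of the VM's system-assigned identity, or nothing if
# the identity is not enabled.
vm_principal_id() {
  az vm show --resource-group "$1" --name "$2" \
    --query identity.principalId --output tsv
}

# Step 1 (answer D): turn the system-assigned identity on if it is off.
# Enabling it is what creates the service principal in the tenant.
ensure_vm_identity() {
  local rg="$1" vm="$2" pid
  pid="$(vm_principal_id "$rg" "$vm")"
  if [ -z "$pid" ]; then
    az vm identity assign --resource-group "$rg" --name "$vm" --output none
    pid="$(vm_principal_id "$rg" "$vm")"
  fi
  [ -n "$pid" ] || { echo "no managed identity on $vm" >&2; return 1; }
  printf '%s\n' "$pid"
}

# Step 2 (Access control (IAM) on RG1): assign the role to that principal,
# scoped to the resource group only rather than the whole subscription.
grant_vm_access() {
  local rg="$1" vm="$2" role="$3" pid scope
  pid="$(ensure_vm_identity "$rg" "$vm")" || return 1
  scope="$(az group show --name "$rg" --query id --output tsv)"
  az role assignment create \
    --assignee-object-id "$pid" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" --scope "$scope" --output none
  printf '%s %s\n' "$pid" "$scope"
}

# Usage (role name is the caller's choice): grant_vm_access RG1 VM1 Contributor
```

The role assignment cannot be made before step 1 because there is no principal to assign it to; scoping it to RG1 keeps the VM's identity from managing anything else in Subscription1.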
azurecert2021
Most Recent 4 years, 5 months ago
given answer is correct.
upvoted 1 times
...
MMohammad
4 years, 9 months ago
You can go to the Identity section of the virtual machine and enable the service identity for the virtual machine.
upvoted 1 times
...
MMohammad
4 years, 9 months ago
The Correct Answer Is: D
upvoted 2 times
...
Raj2020
4 years, 10 months ago
Answer is D: By default for any VM the managed identity option is set to OFF; you need to modify the status to ON, which will create the identity for the VM in Azure AD. Later you can refer to the identity while providing the access to the resource through RBAC (it's Authentication then Authorization). Azure portal -> VM -> Settings (Identity) -> System assigned -> Status (ON).
upvoted 3 times
...
JitheshT
4 years, 10 months ago
D is correct
upvoted 2 times
...
DeveshSolanki
4 years, 11 months ago
D. From the Azure portal, modify the value of the Managed Service Identity option for VM1.
upvoted 2 times
...
Chokies
5 years ago
answer is D -- keyword is "services inside the vm"
upvoted 1 times
...
JK2
5 years ago
AS077 is correct and therefore D is the correct answer.
upvoted 1 times
...
Pankaj7121
5 years, 1 month ago
I think answer is D
upvoted 1 times
...
joilec435
5 years, 2 months ago
that is D
upvoted 1 times
...
TYT
5 years, 2 months ago
The question doesn't say that the Managed Identity is enabled. This is a prerequisite.
upvoted 1 times
...
Protonenpaule
5 years, 3 months ago
D is correct, which is a prerequisite to successfully implement https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-arm
upvoted 1 times
...
starnb
5 years, 3 months ago
The correct answer is D since the Managed Identities provide Service Principals without need to store Passwords in Key Vault, Config Files or Databases.
upvoted 2 times
...
Samin
5 years, 4 months ago
Answer is D, 100%.
upvoted 1 times
...
superbutt
5 years, 5 months ago
A is correct
upvoted 2 times
...