Exam DP-300 topic 5 question 22 discussion

Copilot answer, To automatically assign permissions to Azure AD users using Azure Automation, the following approach should be taken: A. Create a service principal: A service principal is an identity that automated scripts or applications use to access Azure. By creating this, Azure Automation can be granted the necessary permissions to access the database. B. Create a user-assigned managed identity: Using a managed identity allows for secure connections to the SQL server without the need to manage additional credentials. This identity must be integrated with the SQL1 resource to achieve this functionality.

Note that you cannot create managed identity from the Azure Active Directory admin center (now known as Entra). So B doesn't seem like an option. For this reason, I vote for A: create a service principal (Entra -> App Registrations -> Create), then add service principal as a credential to Automation account, and then C: create a contained database users for the service principal, that have permission to assign permissions to other users (db_securityadmin)

‘ You can now configure Automation accounts to use a managed identity, which is the default option when you create an Automation account. With this feature, an Automation account can authenticate to Azure resources without the need to exchange any credentials. A managed identity removes the overhead of renewing the certificate or managing the service principal.’ https://learn.microsoft.com/en-us/azure/automation/migrate-run-as-accounts-managed-identity?tabs=sa-managed-identity

See guide here that talks about a user-assigned managed entity. There is no mention about service principal. So B and C should be correct. https://learn.microsoft.com/en-us/azure/automation/quickstarts/create-azure-automation-account-portal

Seems correct https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-service-principal-tutorial?view=azuresql