
Exam AZ-305 topic 1 question 54 discussion

Actual exam question from Microsoft's AZ-305
Question #: 54
Topic #: 1

HOTSPOT

You are designing an app that will be hosted on Azure virtual machines that run Ubuntu. The app will use a third-party email service to send email messages to users. The third-party email service requires that the app authenticate by using an API key.

You need to recommend an Azure Key Vault solution for storing and accessing the API key. The solution must minimize administrative effort.

What should you recommend using to store and access the key? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

NotMeAnyWay
Highly Voted 1 year, 4 months ago
1. Storage: c. Secret. API keys are typically stored as secrets in Azure Key Vault. The key vault can store and manage secrets like API keys, passwords, or database connection strings. 2. Access: b. A managed service identity (MSI). A managed service identity (MSI) is used to give your VM access to the key vault. The advantage of using MSI is that you do not have to manage credentials yourself. Azure takes care of rolling the credentials and ensuring their lifecycle. The application running on your VM can use its managed service identity to get a token to Azure AD, and then use that token to authenticate to Azure Key Vault.
upvoted 38 times
marcellov
1 year, 2 months ago
Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).
upvoted 12 times
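The two-step flow described in the comment above (token from the VM's identity endpoint, then a Key Vault read), as an added example that is not part of the original post. The vault name `example-vault`, the secret name `email-api-key` and the `fake_send` transport are constructed for illustration; on a real VM the identity also needs permission to read secrets in the vault.

```python
import json
import urllib.parse
import urllib.request

# Link-local Instance Metadata Service endpoint, reachable only from inside the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
VAULT_RESOURCE = "https://vault.azure.net"


def build_token_request():
    """Step 1: ask IMDS for a Key Vault token. No credential is sent."""
    query = urllib.parse.urlencode(
        {"api-version": "2018-02-01", "resource": VAULT_RESOURCE})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}",
                                  headers={"Metadata": "true"})


def build_secret_request(vault_name, secret_name, token):
    """Step 2: read the secret, presenting the token as a bearer credential."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/"
           f"{urllib.parse.quote(secret_name, safe='')}?api-version=7.4")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def http_send(request):
    """Real transport; works only on a VM with a managed identity."""
    with urllib.request.urlopen(request, timeout=5) as response:
        return json.loads(response.read())


def get_api_key(vault_name, secret_name, send=http_send):
    token = send(build_token_request())["access_token"]
    return send(build_secret_request(vault_name, secret_name, token))["value"]


def fake_send(request):
    """Constructed stand-in for IMDS and Key Vault so the flow runs offline."""
    if request.full_url.startswith(IMDS_TOKEN_URL):
        if request.get_header("Metadata") != "true":
            raise PermissionError("IMDS rejects requests without Metadata: true")
        return {"access_token": "constructed-token", "token_type": "Bearer"}
    if request.get_header("Authorization") != "Bearer constructed-token":
        raise PermissionError("Key Vault rejects a missing or wrong token")
    return {"value": "constructed-api-key"}


if __name__ == "__main__":
    print(get_api_key("example-vault", "email-api-key", send=fake_send))
```

Nothing in the app's code or configuration holds a credential for the vault; the only secret is the API key itself, which stays in Key Vault until it is read at run time.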
JimmyYop
Highly Voted 10 months, 2 weeks ago
appeared in Exam 01/2024
upvoted 14 times
SeMo0o0o0o
Most Recent 3 weeks, 2 days ago
CORRECT
upvoted 1 times
jhahn.gp
3 months, 3 weeks ago
A service principal is indeed the more appropriate choice for accessing a third-party email service using an API key. Here's a breakdown of why: Managed Service Identity (MSI) is primarily designed for accessing other Azure resources. While it can be used for external resources, it's often more complex to set up and manage. Service Principal is specifically designed for applications to authenticate to other services, including external ones. It provides a clear separation of concerns and simplifies the authentication process. To summarize: Store the API key as a secret in Azure Key Vault. Use a service principal to authenticate to the third-party email service using the API key. By following these steps, you'll ensure secure storage of the API key and efficient authentication to the external service.
upvoted 1 times
willybsmith
4 months ago
But isn't it the App that's making the call to Key Vault rather than the VM? If so, I think the answer for the second question would be an API token.
upvoted 2 times
23169fd
5 months, 2 weeks ago
The given answer is correct. Storage: Secret: API keys are best stored as secrets in Azure Key Vault. Access: Managed Service Identity (MSI): Allows the app to authenticate to Azure Key Vault without needing to manage credentials, simplifying access management.
upvoted 1 times
Lazylinux
7 months, 1 week ago
Given answer is correct. The difference: A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A key is a cryptographic key represented as a JSON Web Key [JWK] object. Key Vault supports RSA and Elliptic Curve keys only. A managed service identity (MSI) is used to give your VM access to the key vault: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
upvoted 1 times
BShelat
12 months ago
It seems that both answers are correct, but I have some confusion. The app is hosted on multiple VMs. I get that there will be a single API key as a secret, but how can multiple VMs have a single managed service identity?
upvoted 1 times
Onobhas01
11 months, 3 weeks ago
The managed identity is for the app (app registration); it has nothing to do with the VMs that host the app.
upvoted 1 times
Onobhas01
11 months, 3 weeks ago
Come to think of it, for apps it's service principals, these are automatically generated during the app registration process.
upvoted 1 times
dimipap3
7 months, 3 weeks ago
I was thinking the same, but it's not a registered app (doing the API call flow); it's just an app running on the VM.
upvoted 1 times
xRiot007
9 months, 1 week ago
It doesn't really say how many, but if they are part of a scale set, you can set up a system assigned managed identity for the scale set. Here is how for Windows, but Linux probably has a similar process: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vmss
upvoted 1 times
MeisAdriano
1 year, 1 month ago
Both correct: 1) To connect to the third-party e-mail service you have just an API key (e.g. a long token/password), so you can store the -secret- word in Azure Key Vault. (The third party didn't give you a certificate or a key file.) 2) Managed Identity provides an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication.
upvoted 1 times