Exam AZ-104 topic 4 question 98 discussion

Please check this tutorial https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app First Step is to Assign a managed identity to the App. Answer: B

In this scenario, you have an Azure App Service web app (App1) and an Azure Key Vault (KV1) containing a wildcard certificate for contoso.com. You want to configure App1 to use the wildcard certificate from KV1. To achieve this, you need to grant the necessary permissions to App1. Access to Key Vault secrets and certificates is managed using Azure AD-based authentication and authorization. The Microsoft Azure App Service principal represents the App Service web app in Azure AD. The correct approach is to create an access policy in KV1 that grants the necessary permissions to the Microsoft Azure App Service principal associated with App1. By doing so, you allow App1 to access the certificate stored in KV1. So, the first step you should take is: A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy. Once you've granted the necessary access to the App Service principal, the web app (App1) will be able to use the wildcard certificate from KV1 for its secure connections.

To configure App1 to use the wildcard certificate stored in KV1, the first step involves ensuring that App1 can authenticate and retrieve the certificate securely. This requires assigning a managed identity to App1 so it can access KV1 without relying on explicit credentials. Therefore, the correct answer is: B. Assign a managed user identity to App1.

B it's wrong: it says "Assign a managed USER identity", but App1 is not a user... so the only acceptable it's A

it´s B

The correct first step in configuring App1 to use the wildcard certificate stored in KV1 is: B. Assign a managed user identity to App1. Explanation: To allow App1 to securely access the certificate from KV1 without using secrets (like keys or passwords), the most secure and preferred approach is to assign a Managed Identity to App1. Managed identities in Azure provide an automatic identity for the app, allowing it to authenticate against Azure services like Key Vault without embedding credentials in your code. Once the managed identity is assigned to App1, you can grant it the necessary access (read) to the Key Vault by configuring an Access Policy.

B. Assign a managed user identity to App1.

Currently, App Service certificates support only Key Vault access policies, not the RBAC model. https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal

Creating a Microsoft Entra application and service principal adds more operational overheads and eliminate many of the security risks associated with manually managing credentials. This feels like an AZ-305 question.

https://devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/

Answer B is correct

I tested it on the lab and B is right. When creating a key vault with a vault access policy, the app can't be selected unless the managed identity has been enabled.

A is correct

Confirmed in Azure Portal - an Azure App Service has the (system-assigned) Managed Identity set to OFF by default so first step is to enable the managed identity.

Access can be done either using RBAC or Access Policy. In both cases the first Action is to configure a Managed User (or System) Identity to App1 because by default Identities are disabled.

When a app is registered in Azure, a service principle is created for app. Create an access policy in KV1 that grants the necessary permissions to service principle.

"Select Next and select Vault access policy. Currently, App Service certificates support only Key Vault access policies, not the RBAC model." https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal#buy-and-configure-an-app-service-certificate