Exam AZ-400 topic 13 question 2 discussion

Basic authentication uses username and password, and an ideal place to store those is in KeyVault

Since only Basic Authentication is available: it has to be username and password As everyone knows the best place to store is : KeyVault

Basic authentication requires a username and password for accessing the service. Other options like Certificate, PAT, or Shared Access Authorization Token would not align with the technical requirement for basic authentication. Storage Location: The correct storage location remains: Azure Key Vault

1 Secrets 2 KeyVault Explanation: The authentication method used to connect to the Azure Key Vault (where the secrets are stored) and the authentication method used by your mobile application to connect to the share pricing service of the legacy system are two separate things. The Azure Key Vault uses Azure Active Directory for authentication, which is more secure than basic authentication. Your mobile application would use this method (not basic auth) to retrieve the secrets (like username and password) from the Key Vault Remember, the basic authentication here is between your mobile application and the legacy system, not between your mobile application and Azure Key Vault.

Configure your mobile applications to can call the share pricing service and configure a cloud service to store the secrets required 1. Username and password, because is Basic authentication over HTTPS. 2. Azure Key Vault, is the recommended storage location for secure storing secrets (Username and password) Shared Access Authorization Token, may not be the most suitable option, if the app only supports basic authentication typically requires providing the username and password, however Shared Access Authorization Token is a token-based authentication (e.g. OAuth or JWT)

To store the secrets required by the mobile applications to call the share pricing service, you should select the following options: Required secrets: c. Shared access authorization token Storage location: b. Personal key vault These options ensure secure storage of the required secrets and minimize the risk of unauthorized access. Shared access authorization token can be used for authentication with the service, and a personal key vault can be used to securely store and manage the tokens. Azure Storage with HTTP/HTTPS access and Azure Data Lake are not appropriate for storing secrets as they are not designed for secure secret management.

Basic Authentication sends a Base64 encoded string (could be the shared token) that contains a user name and password for the client via HTTP headers.

It was on my exam on December 7, 2022.

i think that answer is right. You cannot call KeyVault from app because it need to impersonate a user. The only way, for me is to apply a keyvallet pattern in app to obtain the sas token. After this you can call a storage for having the authetication information for basic auth to the service.

required secrets ---> username and password (https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policies) storage ---> key vault (pretty much the standard service to go for when it comes to storage of credentials in Azure)

1) certificate 2) azure key vault

Basic authentication means username and password https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme The best cloud service to save them is Azure Key Vault

There is no storage there it is for mobile applications to call 1. Username and password 2. key vault

Correct answer is 1. Username and Password 2. Azure Key vault

The only problem I see with using the Key Vault is how the Mobile Application using IOS will register with AAD to get a Service Principal able to retrieve the secret. https://docs.microsoft.com/en-us/azure/key-vault/general/authentication for that reason I think the proposed solution with Storage account holding the username and password in a json file can be retrieved by the app to authenticate.

Here you can find a solution for the exact example: https://github.com/MicrosoftLearning/AZ-203-DevelopingSolutionsforMicrosoftAzure/blob/master/Instructions/Labs/AZ-203_04_lab_ak.md As you can see TLS enabled storage and HTPPS also using connection string to access with password via a Key Vault. But this is a mobile app going through a PSN Service. I think the given answer is correct.

For sure 2nd: Azure Key Vault because 'Requests to the Azure Key Vault are directed to a valid Azure Key Vault URL using HTTPS with some URL parameters and JSON encoded request and response bodies'