Exam AZ-500 topic 4 question 21 discussion

Actual exam question from Microsoft's AZ-500
Question #: 21
Topic #: 4

You have an Azure subscription that contains 100 virtual machines and has Azure Defender enabled.
You plan to perform a vulnerability scan of each virtual machine.
You need to deploy the vulnerability scanner extension to the virtual machines by using an Azure Resource Manager template.
Which two values should you specify in the code to automate the deployment of the extension to the virtual machines? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. the user-assigned managed identity
  • B. the workspace ID
  • C. the Azure Active Directory (Azure AD) ID
  • D. the Key Vault managed storage account key
  • E. the system-assigned managed identity
  • F. the primary shared key
Suggested Answer: BE

Comments

rsharma007
Highly Voted 3 years, 8 months ago
I am not fully sure about this one, but I agree with the answer choices. Since we are deploying the template across several VMs and need to authenticate with the extension repository (for downloading extensions), we need to provide the VM an identity to authenticate with the repository. This is best done by assigning the VM with a "user assigned managed identity". We can set up this managed identity to have the required permissions on the extension repository via RBAC roles. The managed identity requests permissions via the Azure IMDS from the Azure AD and hence needs to know the right Tenant ID to get the token from. I believe the Azure AD ID is the same as the Tenant ID.
upvoted 19 times
basak
1 year, 7 months ago
This is correct. If you have so many VMs that need to perform the same task, then it is better to use a user-assigned managed identity to provide RBAC roles.
upvoted 5 times
...
...
tuta
Highly Voted 4 years, 4 months ago
correct
upvoted 8 times
...
randy0077
Most Recent 1 month ago
Selected Answer: BF
New-AzResourceGroupDeployment `
  -ResourceGroupName <YourResourceGroup> `
  -TemplateFile .\vulnerability-assessment-template.json `
  -vmName <YourVMName> `
  -workspaceId <YourWorkspaceID> `
  -primarySharedKey <YourPrimarySharedKey>
upvoted 1 times
...
859b41f
2 months ago
Selected Answer: BF
Why not primary shared key? Several AI chats pick this as a correct answer and mention 'primary shared key is required to authenticate the vulnerability scanner extension'.
upvoted 1 times
...
cassucena
4 months, 4 weeks ago
Selected Answer: AB
definitely user assigned
upvoted 1 times
...
Srirupam
5 months ago
Workspace ID & Workspace Key
upvoted 2 times
...
153a793
6 months ago
Answer should be A, B. I would like to respond first on why "C" is not required, while multiple justifications were already shared for "A" & "B" in different responses.
- When we are using a managed identity, it represents a specific identity within Azure Active Directory (Azure AD), so option "C" would not be required.
- Managed identities are used to authenticate Azure resources. Here we have to use a managed identity to authenticate multiple VMs as well as the Log Analytics workspace, hence NOT for a single Azure resource, hence option "A" is correct.
- Workspace ID and key for Azure Defender integration would be required for the ARM template, hence option "B" is correct.
upvoted 2 times
...
[Removed]
8 months, 4 weeks ago
Selected Answer: AC
Answer is correct; it makes more sense to use user-assigned managed identity + Tenant ID for deploying ARM template
upvoted 1 times
...
Nava702
1 year ago
Selected Answer: AC
Not sure why people are voting for system assigned identity here. Only coz ChatGPT said so? You would need 100 identities if you are going to do that. The given answers are correct imo.
upvoted 4 times
...
mrt007
1 year ago
When deploying the vulnerability scanner extension to the virtual machines using an Azure Resource Manager template, you should specify: B. the workspace ID: This is the ID of the Log Analytics workspace where the vulnerability data will be sent. E. the system-assigned managed identity: This is the identity that Azure creates and assigns to the virtual machine. It’s used to authenticate the VM when it communicates with the Azure services.
upvoted 1 times
xRiot007
7 months, 2 weeks ago
This will work for 1 VM, not multiple. If you're willing to repeat the process 100 times, be my guest.
upvoted 1 times
...
...
AZ5002023
1 year, 4 months ago
100 VMs: best way is to create a user MI, so user MI and workspace ID
upvoted 2 times
...
wardy1983
1 year, 5 months ago
B&E Explanation: Since we are deploying the template across several VMs and need to authenticate with the extension repository (for downloading extensions), we need to provide the VM an identity to authenticate with the repository. This is best done by assigning the VM with a "user assigned managed identity". We can set up this managed identity to have the required permissions on the extension repository via RBAC roles. The managed identity requests permissions via the Azure IMDS from the Azure AD and hence needs to know the right Tenant ID to get the token from. I believe the Azure AD ID is the same as the Tenant ID.
upvoted 2 times
...
ErikPJordan
1 year, 7 months ago
Selected Answer: BE
To automate the deployment of the vulnerability scanner extension to the virtual machines with Azure Defender enabled, you should specify the following values in the Azure Resource Manager template: B. the workspace ID: This is the ID of the Azure Defender workspace where the vulnerability scan data will be sent and analyzed. E. the system-assigned managed identity: Managed identities are used for authenticating and authorizing the extension to interact with Azure resources securely. In this case, you should use a system-assigned managed identity to ensure secure authentication between the extension and Azure services. So, the correct values to specify in the code are B and E.
upvoted 3 times
ErikPJordan
1 year, 7 months ago
ChatGPT said so
upvoted 1 times
_punky_
1 year, 6 months ago
ChatGPT is totally useless if u are using v3.5 and anyway I do not pay for v4 so IDK the answer anyway (even Copilot is weak). Back to the answer: User-assigned means 1 to N where System-assigned means 1 to 1 relationship.
upvoted 2 times
...
...
...
heatfan900
1 year, 7 months ago
A, C. THE QUESTION IS NOT DELIBERATING WHERE ONE SYSTEM-ASSIGNED MANAGED IDENTITY (1 VM) WILL BE SENDING DATA TO (A WORKSPACE), BUT RATHER, WHAT IS REQUIRED TO INSTALL THE SAME EXTENSION ON 100 VMs (ALL WHICH CAN USE ONE USER-ASSIGNED MANAGED IDENTITY). THE AZURE AD ID IS TO SPECIFY WHAT TENANT YOUR MANAGED IDENTITY SHOULD BE AUTHENTICATED TO.
upvoted 2 times
...
03038b8
1 year, 9 months ago
I asked ChatGPT, here is its answer: To automate the deployment of the vulnerability scanner extension to the virtual machines using an Azure Resource Manager template, you should specify the following values: B. The workspace ID: This is required to identify the Azure Defender workspace where the vulnerability scan results will be sent. E. The system-assigned managed identity: This identity will be used to authenticate and authorize the deployment of the extension to the virtual machines. These values are necessary for the successful deployment of the vulnerability scanner extension to the virtual machines.
upvoted 2 times
...
mdiloreto
1 year, 11 months ago
Selected Answer: BE
Also asked ChatGPT 4 with browsing enabled: To deploy a vulnerability scanner extension to virtual machines using an Azure Resource Manager (ARM) template, you will typically need the following values: B. The Workspace ID: Azure Security Center uses Log Analytics Workspaces to store the data collected by the vulnerability scanner. Thus, you need to specify the workspace ID in the ARM template to tell the scanner where to send the data. E. The System-assigned Managed Identity: Managed identities are used for Azure resources to authenticate and authorize to services that support Azure AD authentication without needing to include credentials in your code. In the context of deploying extensions, a system-assigned managed identity is created for a specific resource and is tied to the lifecycle of that resource. So, the correct answers are B (the workspace ID) and E (the system-assigned managed identity).
upvoted 4 times
pentium75
8 months, 3 weeks ago
ChatGPT is wrong.
upvoted 1 times
...
...
suksesexam
1 year, 11 months ago
I asked ChatGPT; the answer is BE
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted