Exam AZ-104 topic 2 question 38 discussion

Correct Answer: A Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code. You can enable and disable the system-assigned managed identity for VM using the Azure portal. RBAC manages who has access to Azure resources, what areas they have access to and what they can do with those resources. Examples of Role Based Access Control (RBAC) include: Allowing an app to access all resources in a resource group Policies on the other hand focus on resource properties during deployment and for already existing resources. As an example, a policy can be issued to ensure users can only deploy DS series VMs within a specified resource

Answer is correct "A" Modify Managed Identities.

A is corerct

'A' is the correct answer. The first thing you should do is enable the system-assigned managed identity for VM1. This managed identity will then be used to authenticate and manage resources in RG1. After enabling the identity, you need to assign the appropriate role to it at the resource group level to grant it the necessary permissions.

To ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1, you should first enable a managed identity for VM1. This can be done by modifying the Managed Identity settings of VM1 from the Azure portal. Once the managed identity is enabled, you can assign the necessary role to this identity in the Access control (IAM) settings of RG1 to grant it the required permissions.

A. From the Azure portal, modify the Managed Identity settings of VM1 This is the correct first step. You should enable a managed identity for VM1. Managed identities are Azure AD objects that provide Azure services with an identity within Azure AD. By enabling a managed identity, VM1 can authenticate to Azure services that support Azure AD authentication, like Azure Resource Manager, for managing resources.

A. From the Azure portal, modify the Managed Identity settings of VM1

To enable a service running on VM1 to manage resources in RG1 using VM1’s identity, you should first configure the Managed Identity settings for VM1. Managed identities for Azure resources provide automatically managed identities for Azure services, allowing them to authenticate to services that support Microsoft Azure authentication without requiring credentials in your code12. Therefore, the correct answer is A. From the Azure portal, modify the Managed Identity settings of VM1.

The question is clrearly saying that the VM has already a MI. You just need to assign the RBAC to the MI. So the answer is B.

By default, resources system managed identity status is Off. FIRST we need to turn it ON

Pay attention to the question. It asks what should you do FIRST. You'd do A first, and then B. Once you have enabled Managed Identity for this VM, you can then give it access using IAM.

A. From the Azure portal, modify the Managed Identity settings of VM1. Explanation: Managed identities for Azure resources is a feature of Azure Active Directory (Azure AD). Each of the Azure resources has an identity in Azure AD that you can use to authenticate to any service that supports Azure AD authentication, without any credentials stored in your code. Managed identities eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.

A. From the Azure portal, modify the Managed Identity settings of VM1 To ensure that a service running on VM1 can manage the resources in RG1 using the identity of VM1, you should first modify the Managed Identity settings of VM1. Managed Identity allows Azure resources, such as virtual machines, to obtain an identity that can be used to authenticate and authorize against other Azure resources. By enabling Managed Identity for VM1, you can grant the necessary permissions to the service running on VM1 to manage resources in RG1 without exposing any sensitive credentials.

OpenAI "A. From the Azure portal, modify the Managed Identity settings of VM1 To allow a service running on a virtual machine to manage resources in an Azure resource group, you can use a managed identity for the virtual machine. A managed identity is an Azure Active Directory (Azure AD) object that can be used to authenticate to services that support Azure AD authentication, including Azure Resource Manager. By using a managed identity, you can avoid the need to store credentials for a service account on the virtual machine. To enable a managed identity for a virtual machine, you can modify the Managed Identity settings of the virtual machine from the Azure portal or using Azure PowerShell or Azure CLI. Once the managed identity is enabled, you can grant the identity access to the resource group by assigning it a role or permissions in the Access control (IAM) settings of the resource group. Therefore, the correct option is A. From the Azure portal, modify the Managed Identity settings of VM1."

A & B are needed to achieve the goal. But the question asks which one needs to be done FIRST. Hence its A, aka ensuring you have a management identity assigned to the VM. And only then configure what access that managed identity has from within the IAM of the RG

Once the Managed Identity for VM1 is enabled, you can grant the necessary permissions to the service running on VM1 to manage the resources in RG1 by using the identity of VM1. This can be done by modifying the Access control (IAM) settings of RG1 or the specific resources within RG1 as needed, and adding the Managed Identity of VM1 with the appropriate role-based access control (RBAC) role.

By modifying the Managed Identity settings of VM1, you can enable a system-assigned managed identity for the virtual machine. This identity can then be used to authenticate to Azure resources without the need for credentials. By doing this, the services running on VM1 will be able to manage the resources in RG1 using the identity of VM1.