Exam AZ-500 topic 2 question 54 discussion

minimize admin effort=> system assign MI minimum required priviledge => Custom role. All other role have too much priviledges

In Exam - 28/7/2023

Answer: 1. System-assigned MI 2. Custom RBAC Reason: 1. A system-assigned managed identity offers automatic Azure management with lifecycle tied to the Azure Function, requiring minimal administrative effort. 2. Custom RBAC role assignment allows defining the exact minimum permissions needed for storage account creation, following the principle of least privilege more strictly than built-in roles or classic administrator roles which might provide excess permissions. Reference: 1. https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity 2. https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

1. System-assigned managed identity 2. Custom RBAC role assignment https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes.

correct both system or user managed identity would work, but question states less admin so system managed identity wins

System Assigned Managed Identity Custom role (RBAC)

minimize admin effort=> system assign MI minimum required priviledge => Custom role. All other role have too much priviledges

Minimized admin effort 1 - SAMI 2- RBAC (Custom role)

- User assigned MI, because accounts will be reused for multiples instances - Customized roles to reduce the scope of privilege

I’d go for SAMI and custom role to minimise privileges over admin effort.

Exam - 4/11/21

#exam question # 29 Sep

## Exam Question - 17 Sept 2021 ##

Got this in the AZ-500 exam (Sept 2021)!

Two steps you'd need to do: - Enable System-assigned Managed Identity (SAMI) in your Azure function app (https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#add-a-system-assigned-identity) - Assign it a custom role (Microsoft.Storage/storageAccounts...) with least privilege.

Correct answers

Seems like you could use a normal RBAC role for this and assign the managed identity to it instead of creating an entirely new role just for storage account creation.