Exam AZ-400 topic 4 question 25 discussion

Answer should be B,C, E There is no way to directly create a service principal using the Azure portal. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant. https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal

The answer is correct: First create a service principal. Ensure to give the service principal access to the secrets in the kay vault via the access policy Then Add the Azure Resource Manager service connection which will be used to access the key vault resource.

From ChatGPT: To use a secret stored in an Azure Key Vault in an Azure DevOps deployment pipeline, you would typically perform the following actions in sequence: Create a service principal in Azure Active Directory (Azure AD): This service principal will represent the identity that the deployment pipeline will use to access Azure resources, including the Azure Key Vault. Add an app registration in Azure Active Directory (Azure AD): Create an app registration in Azure AD associated with the service principal, which will provide the necessary details for authentication. Configure an access policy in the key vault: Grant the app registration the necessary permissions (like Get or List) on the secrets stored in the Azure Key Vault. So, the correct sequence is: Create a service principal in Azure Active Directory (Azure AD) Add an app registration in Azure Active Directory (Azure AD) Configure an access policy in the key vault

Final answer after reading all the comments - Provided answer by examtopics is right (Service Principal need to use instead of app registration as app registration only used in web app and here it is not mentioned anywhere )

You can not directly create a service principle in AzureAD. To create a service principle for your app, you should register the app in Azure AD.

Couldn't you just let the service principal be created automatically when setting up the Azure Resource Manager service connection?

Provided answer is correct and provided link supports it

Why not ? 1. Add an Azure Resource Manager service connection to the pipeline 2. Add an app registration in Azure Active Directory (Azure AD) 3. Configure an access policy in the key vault. Anyway in the pipeline we need to connect to the Key Vault through Variable group!

Service Principal --> Access Policy --> ARM service connection

You can only register app if it is app service. Question doesn't state where the app has been deployed, so SP makes more sense than app registration

Create a service principal Give access to KV via access policy (Use the SP created) Add Arm service to pipeline

Answer should be B,C, E There is no way to directly create a service principal using the Azure portal. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant.

There is no way to directly create a service principal using the Azure portal. When you register an application through the Azure portal, an application object and service principal are automatically created in your home directory or tenant. https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#app-registration-app-objects-and-service-principals create App registration

the answer is correct as demonstrated by the attached documentation

Got this January 2022.

The App registration is the template used to create the SP. The SP is a security principal (like a User) which can be authenticated and authorised So the most common way of doing this is creating app registration, this is also where you will get a service principal, you use that app/sp for a policy in a key vault, and then as a last step you use this SP in a pipeline

when you create a new service connection you create a service principal as well. If you already have service connection you already have a service principal so I don't see the point of creating a service principal here..