You plan to migrate App1 to Azure. The solution must meet the authentication and authorization requirements. Which type of endpoint should App1 use to obtain an access token?
I'd go with A: IMDS
"A managed identity, assigned by the system, can be enabled on the VM. You can also assign one or more user-assigned managed identities to the VM. You can then request tokens for managed identities from IMDS."
LINK: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows#managed-identity
Check this link as well. The links I shared earlier clearly say the token can be retrieved from IMDS from the VM it is running on, not outside. So I go with MS identity framework.
The security boundary of managed identities for Azure resources is the resource it's being used on. All code/scripts running on a virtual machine can request and retrieve tokens for any managed identities available on it.
Totally agree with you. IMDS provides an endpoint to request an access token from the VM. App1 is hosted on the VM so answer is A: IMDS
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows#endpoint-categories
A. IMDS. Tested.
The requirement is "app1 must use the managed identity of the VM that will host the app"
see here https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows#managed-identity
And then it will show the URL given by pentium75:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token
App1 first contacts IMDS (169.254.169.254) to obtain the token.
IMDS then requests the token from Azure AD, but App1 itself never directly communicates with Azure AD for authentication.
Therefore, the correct endpoint that App1 uses to obtain an access token is IMDS.
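As an added example (not code from the thread or from Microsoft's docs), this is what the answer-A flow looks like from App1's side on the VM: build the IMDS token request and parse the reply. The endpoint address, api-version, `resource`/`client_id` parameters and the mandatory `Metadata: true` header are IMDS's documented contract; the Key Vault resource URI and the JSON reply used for testing are assumed/constructed.

```python
# Added example: requesting a managed-identity token from IMDS on an Azure VM.
import json
import time
import urllib.parse
import urllib.request

# Link-local IMDS address; only reachable from inside the VM itself.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Return (url, headers) for an IMDS managed-identity token request.
    'resource' is the audience App1 needs a token for (e.g. Key Vault);
    'client_id' selects a user-assigned identity, omit it for system-assigned."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without this header; it is the service's guard
    # against token requests relayed through an SSRF redirect.
    headers = {"Metadata": "true"}
    return url, headers


def parse_token_response(body, now):
    """Extract the bearer token from an IMDS JSON reply and report how many
    seconds remain before it expires ('expires_on' is a Unix timestamp)."""
    data = json.loads(body)
    expires_on = int(data["expires_on"])
    return {"token": data["access_token"],
            "resource": data["resource"],
            "token_type": data["token_type"],
            "seconds_left": expires_on - now}


def fetch_token(resource, client_id=None, timeout=5):
    """Live call; only succeeds on an Azure VM that has a managed identity."""
    url, headers = build_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode(), int(time.time()))


if __name__ == "__main__":
    # Assumed resource URI for Azure Key Vault; App1 never talks to Azure AD here.
    print(fetch_token("https://vault.azure.net"))
```

Anything else running on the same VM can issue the exact same request, which is the "security boundary is the VM" point made above.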
I think: D
Because:
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#:~:text=Azure%20AD%20authentication.-,Applications%20can%20use%20managed%20identities%20to%20obtain%20Azure%20AD%20tokens%20without%20having%20to%20manage%20any%20credentials.,-The%20following%20video
"Applications can use managed identities to obtain Azure AD tokens without having to manage any credentials."
How to use managed identities for Azure resources on an Azure VM to acquire an access token.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token
This question is a bit confusing. It asks about the type of endpoint to use. IMDS is a REST API, not an endpoint. It contains multiple endpoint categories including Managed Identity endpoint which should be the answer. As there's no "Managed Identity" as an answer choice, D would be the closest
It's not D) as Microsoft identity platform relates to API access (MS Graph and others)
Microsoft identity platform documentation https://docs.microsoft.com/en-us/azure/active-directory/develop/
It's A) as per others, you call the IMDS with the URI of the Azure resource to be accessed and IMDS gives you an access token to the resource.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token
I believe IMDS is used to retrieve the token using metadata for authentication only.
On the URL:
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows#managed-identity
"A managed identity, assigned by the system, can be enabled on the VM. You can also assign one or more user-assigned managed identities to the VM. You can then request tokens for managed identities from IMDS. Use these tokens to authenticate with other Azure services, such as Azure Key Vault."
A is correct. The question is asking for what type of endpoint:
the Azure Instance Metadata Service (IMDS) endpoint.
Azure AD is a service.
Azure Service Management is an API.
Microsoft Identity platform is a development platform.
I also go for A: IMDS. Based on "To access the resources in Azure, App1 must use the managed identity of the virtual machines that will host the app", I would say that the app running on this VM can only use IMDS to impersonate the managed identity assigned to the VM.
Of course, that is somehow a part of "Microsoft Identity Platform," but you'd clearly use Azure Instance Metadata service (A) to "obtain the token."
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token