Exam AZ-305 topic 1 question 25 discussion

D. a user-assigned managed identity A user-assigned managed identity is the best choice for this scenario. User-assigned managed identities are standalone Azure Active Directory (Azure AD) identities that can be assigned to one or more Azure resources, such as virtual machines. They can be used to authenticate to other Azure services like Azure Key Vault, Azure Logic Apps instances, and Azure SQL Database without the need for storing secrets and certificates on the virtual machines. By using a user-assigned managed identity, you can easily assign the same identity to multiple virtual machines, which avoids assigning new roles and permissions when you deploy additional VMs. This also minimizes administrative effort in managing identities, as the managed identity is automatically managed by Azure AD.

Correct, answer is D User-assigned MI

You don't have to assign MI to new VM`s, system assigned will resolve by it self.

As per AI , the A answer is the right one: Requirements Analysis: Authenticate to Azure services (Key Vault, Logic Apps, Azure SQL): Managed identities provide built-in authentication to Azure services without needing credentials. Avoid assigning new roles/permissions for additional virtual machines: System-assigned managed identities are tied to the lifecycle of each virtual machine, so when a new VM is created, Azure automatically assigns the necessary identity to that VM. No additional configuration is needed. Avoid storing secrets and certificates: Managed identities eliminate the need to store credentials, secrets, or certificates on the VMs. Authentication to Azure services is seamless. Minimize administrative effort: System-assigned managed identities are simple to manage since Azure handles their creation and lifecycle automatically.

D is correct

We can have system assigned at the scale set resource. I assume it means one user for all VMs in that scale set?

Why Not Other Options: A. System-Assigned Managed Identity: Created per VM and destroyed with the VM. Adding new VMs would require reassigning roles and permissions, increasing administrative effort. B. Service Principal with Certificate: Involves managing certificates, which adds complexity and administrative overhead. C. Service Principal with Client Secret: Requires storing and managing client secrets, which poses security risks and increases administrative effort.

Correct, you have to give auth to VM, but "system-assigned" is just for one resource and you need to gain access to multiple resources

user assigned is right

D is Correct,

D is the answer. https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types User-assigned. You may also create a managed identity as a standalone Azure resource. - You can create a user-assigned managed identity and assign it to one or more Azure Resources. When you enable a user-assigned managed identity: - A service principal of a special type is created in Azure AD for the identity. The service principal is managed separately from the resources that use it. - User-assigned identities can be used by multiple resources. - You authorize the managed identity to have access to one or more services.

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations Choosing system or user-assigned managed identities Using user-assigned identities to reduce administration

D. a user-assigned managed identity - correct ans

user assigned managed identity

Seems to be the most logical answer.

a workload where multiple virtual machines need to access the same resource should use User Assigned MI.

D is correct because you need to avoid assigning new identities to RBAC, with system assigned to need to have a RBAC for each resource