Exam AZ-305 topic 6 question 4 discussion

Drop Down 1: A system-assigned managed identity. Drop Down 2: Role Assignment. But I'm happy to be corrected. Thanks.

1. user assigned managed identity - share 1 identity among all 6 app services 2. access policy

WRONG 1. A system-assigned managed identity 2. A role assignment

Access policy is currently marked as legacy: https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal New method is RBAC(Role based access control), which means you need to do Role assignment to get proper reference to a secret in KV.

Answer 1: System-assigned MI 2: Access Policy Why not the other? User-assigned managed identity: While user-assigned identities can be used across multiple resources, this option is not selected as it would contradict the requirement that credentials should not be shared between services. Role assignment: While this is used for access control in Azure resources, role-based access control (RBAC) in Key Vault is more commonly used for higher-level management tasks, whereas access policies are typically used to control access to secrets.

system-assigned managed identity role assignment

If you need separate managed identities for each instance, you would have to use user-assigned managed identities instead of system-assigned. User-assigned identities are created as separate Azure resources that can then be assigned individually to each App Service instance as needed. A MI would the same across instances. The "not sharing" between services is about separating Key Vaults or not using the same UI between the two apps.

When i create a key vault i get to choose either RBAC or Access Policy. i think both are correct but which of them satisfy the security requirements? "Security Requirement - - All secrets used by Azure services must be stored in Azure Key Vault. - Services that require credentials must have the credentials tied to the service instance. The credentials must NOT be shared between services." Box1: "Services that require credentials must have the credentials tied to the service instance. The credentials must NOT be shared between services." > system-assigned-managed identity Box2: we can use either of RBAC or Access Policy. couldn't find a clue which one to choose of them.

With given answers how following condition can be met? App1 will be a Python web app hosted in Azure App Service that requires a Linux runtime. Users from Contoso and Fabrikam will access App1.

To ensure that App1 can access the third-party credentials and access strings securely, you should: **Authenticate App1 by using**: A system-assigned managed identity (Option B). A system-assigned managed identity is tied to your App Service and is automatically cleaned up when the service is deleted. **Authorize App1 to retrieve Key Vault secrets by using**: An access policy (Option A). You can configure Azure Key Vault to allow your App Service to retrieve secrets using its system-assigned managed identity. This is done by adding an access policy in Key Vault that grants the necessary permissions (like Get and List) to the managed identity.

I recommend the following solution: System-assigned managed identity - This will allow app1 to use the Azure ad identity of the app service instance to access other Azure resources such as Key Vault. Then to authorize App1 to retrieve key vault secrets, use access policy. This will grant App1 the necessary permissions to read the secrets from the Key Vault. See this: https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal

If you use ChatGPT 4 now the answer became the following. A system-assigned managed identity: This is an identity created by Azure for the App Service instance, which is tied to the lifecycle of this service and does not require the management of credentials. A role assignment: Utilizing Azure role-based access control (RBAC), you can assign a specific role to the managed identity, like “Key Vault Secrets User”, to retrieve secrets from the Key Vault. Chat GPT 4 has now been updated to 2023 and its answer changed compared to a few months ago.

Option 2 is role assignment is more granular. Here is how: https://learn-attachment.microsoft.com/api/attachments/193976-image.png?platform=QnA

Drop down 1: system-assigned MI. Literally states services cannot share the same identity. Drop down 2: Role assignment. More granular than access policy.

I think DD1 should be "A user-assigned managed identity". Here's why: Requirements state: "App1 will have six instances: three in the East US Azure region and three in the West Europe Azure region." This means we have two App Services (one per region), each with its own system identity. Using user-managed identity, we can have a single MI to control the access. DD2 should be: Role Assignment (as pointed out in other posts, it provides more granular access)

Answer: 1. Authenticate App1 by using: - B. A system-assigned managed identity 2. Authorize App1 to retrieve Key Vault secrets by using: - A. An access policy Explanation: System-assigned managed identities are automatically managed by Azure, providing an identity for the Azure resource in Azure AD. This makes it an ideal choice for authenticating App1. The Key Vault Access Policy determines what permissions the identities have, like get, list, set, and delete rights for secrets, which is necessary for App1 to retrieve the secrets stored in the Key Vault, hence the selection of an Access Policy for authorization.

It's said here (https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy) that access policies is the "legacy" mode to access key vault. It's not said that one is more granular than other one. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy So for me that will be : Drop Down 1: System-Assigned Managed Identity. Drop Down 2: Role Assignment.