Exam AZ-305 topic 4 question 74 discussion

response is B reason: MID can be used only between Azure resources, here we have on-prem application communicating to Azure resources, then you need a service principal

A managed identity can provide authentication for Azure resources, but it cannot provide authentication for on-premises resources. In the case of an on-premises network, you would typically use a service principal or a personal access token for authentication.

B is correct

This question appeared in the exam, August 2024. I gave this same answer listed here. I scored 870

I would go for B here is why, the key word in the questions is the following You need to configure the authentication method that will be used by the app to access the workspace. Service App is used by the App and for the App but managed identity in this case is created for the workspace (AZ resource) and used by the App hence not what is required. *a service principal is “…An application whose tokens can be used to authenticate and grant access to specific Azure resources from a user-app, service or automation tool, when an organization is using Azure Active Directory…”

Service Principal must be used for accessing on-prem apps to Azure resources. (MI is for within Azure resources).

If the POS system is on-premises and not on Azure, then you cannot use Azure Managed Identity because Managed Identity is only applicable for resources that reside within Azure. B. a service principal A service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at what level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity. You can create a service principal for the application and grant it just enough permissions to perform the operations it needs. This way, you can manage application credentials and permissions in a centralized way, which helps reduce administrative effort associated with staff turnover and credential management.

Service principle, since we're connecting a third party app with AAD. See https://devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/

A managed identity Is a service principal that is automatically managed by Azure and provides an easier and more secure way to authenticate applications and services to access Azure resources. It reduces the administrative effort associated with credential management and provides seamless access to the Azure resources. With managed identity, you do not have to store any secrets or credentials in the application code or configuration.

From GPT Managed identities are a feature of Azure Active Directory (Azure AD) and are primarily designed for use with Azure services. However, you can leverage managed identities for on-premises applications by using Azure AD Application Proxy or Hybrid Connections. This way, the on-premises application can authenticate with Azure services using the managed identity. Here's a high-level overview of how you can achieve this: Configure Azure AD Application Proxy or Hybrid Connections to securely expose the on-premises application to the internet. Register the on-premises application in Azure AD and enable a managed identity for the app. Assign the appropriate roles and permissions to the managed identity for accessing the required Azure resources, such as the Azure Databricks workspace. Update the on-premises application to use the managed identity to authenticate with Azure services.

Service Principal as Managed Idenitity can't be used for On-Premises workloads.

its onsite app authentication hence it should be Service Principal

B is the answer. https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/service-principals#what-is-a-service-principal A service principal is an identity that you create in Azure Databricks for use with automated tools, jobs, and applications. Service principals give automated tools and scripts API-only access to Azure Databricks resources, providing greater security than using users or groups. It also prevents jobs and automations from failing if a user leaves your organization or a group is modified.

B - A Service Principal

on-premises = Service Principle

B. a service principal

A. a managed identity per ChatGPT