Exam SC-100 topic 1 question 21 discussion

It depends on what is "Service account" in the question. Microsoft benchmark recommends https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline to use OAuth 2.0 "Configure your Azure API Management instance to protect your APIs by using the OAuth 2.0 protocol with Azure AD." --> App registration AND managed identity for the "to allow your API Management instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault instead of using service principals." --> Managed Identity Its poorly worded question but I would choose A since key consideration for an API gateway in general is authentication of developers which warrants app registration.

managed identities in Azure recommended solution for service accounts

I agree on B because in https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline at IM-3: Manage application identities securely and automatically we can read "use a Managed Service Identity generated by Azure Active Directory (Azure AD) to allow your API Management instance to easily and securely access etc..."

Considering the following statement, I chose B because it mentions best practices for implementing service accounts. But it's tricky :S Statement: "You need to recommend a best practice for implementing service accounts for Azure API management."

The keyword in the questions is “Implementing Service Accounts” and for the Managed Identity is the answer

B. Managed identities in Azure: Managed identities provide a way to automatically manage the credentials used by applications and services. Using managed identities is a best practice for securing access to Azure resources without the need for storing and managing credentials. It aligns with the principle of least privilege and reduces the risk associated with credential exposure.

Option B seems like the most secure option. https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline#im-3-manage-application-identities-securely-and-automatically

Azure service principals with certificate credentials

B is the answer. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-managed-service-identity A managed identity generated by Azure Active Directory (Azure AD) allows your API Management instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault. Azure manages this identity, so you don't have to provision or rotate any secrets.

B right

it is Managed Identity, https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline IM-3

I think the answer should be between Service Principal options and managed identity option... And in these options, managed identity option is preferred here considering better security and convenience. Therefore, the correct answer appears to be option "B".

Refer to https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline IM-3 Manage application identities securely and automatically, selected answer should be B. There is nothing listed in API management security baseline regards to app registration. I do think by using managed identity would meant require earlier app registration as pre-requisite. Hence, answer B is more comprehensive.

Configuration Guidance: Use a Managed Service Identity generated by Azure Active Directory (Azure AD) to allow your API Management instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault instead of using service principals. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files. https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline

ChatGPT:The Microsoft Cloud Security Benchmark recommends using managed identities in Azure as a best practice for implementing service accounts for Azure API management. Managed identities are a secure and automated way to provide applications running on Azure services with an automatically managed identity in Azure Active Directory (Azure AD). By using managed identities, you can avoid storing credentials in your code or configuration files, which reduces the risk of exposing sensitive information. Therefore, the correct answer is B. Managed identities in Azure.

B - managed identities because: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/service-accounts-introduction-azure

https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/api-management-security-baseline