Exam AZ-500 topic 2 question 89 discussion

Box1: VM1 and VM2 access to st1 - User-assigned managed identity Requirement: Configure a shared identity for VM1 and VM2 to access st1 We have to create a User-assigned managed identity to be shared with VM1 and VM2 Box2: App1 access to Vault1 - System-assigned managed identity

Hi all, Passed today (13JAN2023) my exam with 918. 50 questions (45 + 5 of a case study). Around 95% of the questions are here. I've compiled the questions and my answers in a ppt, feel free to check it out and hope it helps. https://www.dropbox.com/s/ay00xp2fnloq1ex/AZ%20500%20-%20Exam%20Topics.pptx?dl=0 The password for the file is az500prep and you need to download the file first since dropbox doesn't allow opening protected files. Thanks to all the people that comment on questions, I wouldn't have passed without them :)

System-assigned managed identity: This identity is created and tied to the lifecycle of a specific Azure resource, such as a VM. It is automatically deleted when the resource is deleted. It simplifies the management since it's created and maintained automatically by Azure. User-assigned managed identity: This identity is created independently of the resources that use it. It can be assigned to multiple Azure resources, making it a good choice for applications or services that need to share the same identity. VM1 and VM2 to access st1: System-assigned managed identity App1 access to Vault1: User-assigned managed identity

Choosing system or user-assigned managed identities: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations

Box1: VM1 and VM2 access to st1 - User-assigned managed identity Requirement: Configure a shared identity for VM1 and VM2 to access st1 We have to create a User-assigned managed identity to be shared with VM1 and VM2 Box2: App1 access to Vault1 - System-assigned managed identity

for VM1 and 2 the USER-ASSIGNED MI is needed so that it can be shared between the two as per the requirement. for the App the SYSTEM-ASSIGNED MI will suffice as only that one app requires access to the Key Vault, therefore, the S-A MI works ok for this example.

we can use both managed identity ofc , but if you just consider the question carefully state :The solution must minimize administrative effort ! no doubt system-assigned has less effort

For a VM that needs access to a storage account, you can use a system-assigned managed identity or a user-assigned managed identity. A system-assigned managed identity is a managed identity that is automatically created by Azure for an Azure resource during resource creation. When you enable a system-assigned managed identity on a VM, Azure creates an identity for the VM in the Azure AD tenant that's trusted by the subscription of the VM. You can then use this identity to authenticate to Azure services like storage accounts. A user-assigned managed identity is a standalone Azure resource that you create and assign to a VM. You can then use this identity to authenticate to Azure services like storage accounts. The main advantage of a user-assigned managed identity is that it can be reused across multiple VMs or other Azure resources.

1. System-assigned managed identity 2. User-assigned managed identity https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types There are two types of managed identities: - System-assigned. Some Azure resources, such as virtual machines allow you to enable a managed identity directly on the resource. - User-assigned. You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more Azure Resources.

The correct answers should be: Box 1: User-assigned managed Identity Box 2: System-assigned Managed identity

Box 1: User-assigned MI (as it will be reused for two VMs and thus minimize admin effort) Box 2: User account (note that nothing says App1 is an Azure service (Web App, Function, Logic App, VM, container etc), it could be any app on-prem or other hosting, and therefor it would need an App Registration and a user account with Delegated or Application access) There are a few other questions that refer to "a deployed app" where the equivalent reasoning is applied leading to App Registration etc)

VM1 and VM2 access to st1 - User-assigned managed identity App1 access to Vault1 - System-assigned managed identity

Configure a shared identity for VM1 and VM2 to access st1: should be a User-assigned managed identity