
Exam AZ-305 topic 1 question 40 discussion

Actual exam question from Microsoft's AZ-305
Question #: 40
Topic #: 1

HOTSPOT

You have an Azure subscription that contains an Azure key vault named KV1 and a virtual machine named VM1. VM1 runs Windows Server 2022: Azure Edition.

You plan to deploy an ASP.NET Core-based application named App1 to VM1.

You need to configure App1 to use a system-assigned managed identity to retrieve secrets from KV1. The solution must minimize development effort.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

sieira
Highly Voted 1 year, 4 months ago
The second answer is not correct. The correct answers are these: 1. Client credentials grant flows; 2. Azure Instance Metadata (IMDS) endpoint. The key difference in this scenario is that we are using a Managed Identity, which is a feature of Azure AD, and in that case access tokens are obtained through the Azure Instance Metadata Service (IMDS) API. The managed identity is responsible for managing the lifecycle of these credentials. Therefore, for the case of an application in an Azure VM that uses a managed identity to authenticate with Key Vault, the IMDS would be used, not an OAuth 2.0 endpoint directly. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
upvoted 39 times
WeepingMaplte
10 months, 1 week ago
Reference to the answers https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-managed-identities-work-vm?source=recommendations#:~:text=Your%20code%20that%27s%20running%20on%20the%20VM%20can%20request%20a%20token%20from%20the%20Azure%20Instance%20Metadata%20Service%20identity%20endpoint%2C%20accessible%20only%20from%20within%20the%20VM%3A%20http%3A//169.254.169.254/metadata/identity/oauth2/token
upvoted 3 times
GarryK
Highly Voted 1 year, 10 months ago
(a.k.a. Gowind) Answers are correct. We need server-based authentication, so client credentials is to be used. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow Also prefer AAD, because Microsoft Identity Platform is user based https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-overview
upvoted 14 times
BShelat
1 year ago
I think your explanation suits the communication between a web client app and an Azure-based web server. Here the ask is about retrieving secrets from the Azure Key Vault resource from App1 on the Azure VM resource. Based on the following link, I think the IMDS endpoint option for the 2nd area of the answer section seems to be the correct answer, as under the "Access Data" section of the link the PowerShell request `$Response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -Method GET -Headers @{Metadata="true"}` clearly shows the path to metadata. https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
upvoted 2 times
mmarkiew
1 year ago
Microsoft Identity Platform supports daemons and the client credentials grant flow. It isn't limited to users only. https://learn.microsoft.com/en-us/entra/identity-platform/scenario-daemon-overview
upvoted 1 times
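The token request that BShelat quotes above in PowerShell, written out as a small Python module so the full sequence is visible: build the IMDS request (documented endpoint, `api-version=2018-02-01`, `resource=https://vault.azure.net`, and the mandatory `Metadata: true` header, which IMDS requires as its guard against server-side request forgery through proxies that cannot set headers), validate the token that comes back (audience and expiry), and form the Key Vault secret request with it. This is an added example, not code from the exam page, Microsoft, or any commenter. Assumptions: the Key Vault data-plane `api-version=7.4` used for the secret URL, the `fake_imds_transport` stand-in and the sample token values, which are constructed so the logic runs off a VM, and the secret name `ExampleSecret`; `KV1` is the vault from the question. As dave22339 notes further down, IMDS itself is unauthenticated to every process on the VM, so the token is only as well protected as local process isolation on VM1.

```python
"""Added example (not from the exam page or any commenter): acquire an access
token for Key Vault from the Azure Instance Metadata Service (IMDS) using a
VM's system-assigned managed identity, then build the Key Vault REST request.

Endpoint, api-version, header and resource URI are the documented ones and
match the PowerShell request quoted in the thread; the fake transport and the
sample token below are constructed so the logic runs offline."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"
KEY_VAULT_API_VERSION = "7.4"  # assumption: a current Key Vault data-plane version


def build_token_request(resource=KEY_VAULT_RESOURCE):
    """Return (url, headers) for the IMDS token call.

    The 'Metadata: true' header is mandatory. IMDS rejects requests without it,
    which is its guard against server-side request forgery through proxies
    that forward a URL but cannot set arbitrary headers."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}


def live_transport(url, headers):
    """Real HTTP GET; only reachable from inside an Azure VM (link-local address)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def get_managed_identity_token(resource=KEY_VAULT_RESOURCE, transport=live_transport, now=time.time):
    """Fetch and validate a managed-identity token. Returns (access_token, expires_on)."""
    url, headers = build_token_request(resource)
    status, body = transport(url, headers)
    if status != 200:
        raise RuntimeError(f"IMDS returned HTTP {status}: {body[:200]}")
    payload = json.loads(body)
    # Check the audience: a token minted for another resource must never be sent to Key Vault.
    if payload.get("resource", "").rstrip("/") != resource.rstrip("/"):
        raise RuntimeError(f"token audience mismatch: {payload.get('resource')!r}")
    if payload.get("token_type") != "Bearer":
        raise RuntimeError(f"unexpected token_type {payload.get('token_type')!r}")
    expires_on = int(payload["expires_on"])  # IMDS returns epoch seconds as a string
    if expires_on <= int(now()):
        raise RuntimeError("IMDS returned an already-expired token")
    return payload["access_token"], expires_on


def build_key_vault_secret_request(vault_name, secret_name, access_token):
    """Return (url, headers) to read the latest version of a secret from Key Vault."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
           f"?api-version={KEY_VAULT_API_VERSION}")
    return url, {"Authorization": f"Bearer {access_token}"}


# --- Constructed stand-in for IMDS so the functions above can be exercised offline ---
SAMPLE_EXPIRES_ON = 1700003599
SAMPLE_ACCESS_TOKEN = "eyJ0eXAi.CONSTRUCTED-SAMPLE-TOKEN.not-a-real-jwt"


def fake_imds_transport(url, headers):
    """Mimics IMDS behaviour: a missing Metadata header or wrong path is rejected."""
    parsed = urllib.parse.urlparse(url)
    query = urllib.parse.parse_qs(parsed.query)
    if headers.get("Metadata") != "true":
        return 400, json.dumps({"error": "bad_request_102",
                                "error_description": "Required metadata header not specified"})
    if parsed.netloc != "169.254.169.254" or parsed.path != "/metadata/identity/oauth2/token":
        return 404, "not found"
    if query.get("api-version") != [IMDS_API_VERSION] or "resource" not in query:
        return 400, "bad request"
    return 200, json.dumps({
        "access_token": SAMPLE_ACCESS_TOKEN,
        "expires_in": "3599",
        "expires_on": str(SAMPLE_EXPIRES_ON),
        "not_before": str(SAMPLE_EXPIRES_ON - 3899),
        "resource": query["resource"][0],
        "token_type": "Bearer",
    })


if __name__ == "__main__":
    # Offline demonstration against the constructed IMDS stand-in.
    token, exp = get_managed_identity_token(transport=fake_imds_transport,
                                            now=lambda: SAMPLE_EXPIRES_ON - 3000)
    url, hdrs = build_key_vault_secret_request("KV1", "ExampleSecret", token)
    print(url, hdrs["Authorization"][:20] + "...", "expires_on", exp)
```

On VM1 itself, calling `get_managed_identity_token()` with the default `live_transport` performs the real IMDS request; the application never holds a client secret or certificate, which is what makes this the minimum-development-effort option the question asks for. The audience and expiry checks are cheap and catch the two mistakes that most often surface as confusing 401s from Key Vault: asking for the wrong `resource`, and caching a token past `expires_on`.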
SeMo0o0o0o
Most Recent 3 weeks, 5 days ago
WRONG 1. Client credentials grant flows 2. Azure Instance Metadata (IMDS) endpoint
upvoted 2 times
Thanveer
1 month, 1 week ago
Configure App1 to use OAuth 2.0: select "Client credentials grant flows".
Configure App1 to use a REST API call to retrieve an authentication token from: select "Azure Instance Metadata Service (MDS) endpoint".
upvoted 1 times
Teerawee
2 months, 3 weeks ago
Client credentials grant flows Azure Instance Metadata Service (MDS) endpoint
upvoted 1 times
23169fd
5 months, 2 weeks ago
Configure App1 to use OAuth 2.0: Client credentials grant flow. Reason: the client credentials flow is suitable for service-to-service communication, allowing App1 to authenticate and obtain a token to access the Key Vault.
Configure App1 to use a REST API call to retrieve an authentication token from the: Azure Instance Metadata Service (IMDS) endpoint. Reason: using the IMDS endpoint is the standard way for Azure resources to obtain tokens for their managed identities, simplifying authentication without managing credentials.
upvoted 3 times
23169fd
5 months, 2 weeks ago
Why not the other options?
OAuth 2.0 grant flows: Authorization code grant flows are typically used for user-based authentication, requiring user interaction, which is not suitable for service-to-service scenarios. Implicit grant flows are primarily for client-side applications like single-page apps, less secure and not suitable for backend services.
Authentication token endpoints: the OAuth 2.0 access token endpoint of Azure AD requires managing client secrets or certificates, adding complexity. The OAuth 2.0 access token endpoint of Microsoft Identity Platform, similar to the Azure AD endpoint, requires managing client credentials, which increases administrative effort.
upvoted 2 times
Lazylinux
7 months, 1 week ago
I would go for 1. Client credentials grant flows 2. Azure Instance Metadata (IMDS) endpoint.
Managed identity: This type of service principal represents a managed identity, which eliminates the need to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. When a managed identity is enabled, the service principal that represents that managed identity is created in your tenant.
Common terms for managed identities and service principals: Client ID: the unique ID that's linked to the app and service principal created when you provisioned the identity. Object ID: the service principal object of the managed identity. Azure Instance Metadata Service: the REST API that's enabled when Azure Resource Manager creates a VM. The endpoint is accessible only from within the VM.
upvoted 3 times
varinder82
8 months, 1 week ago
Final Answer: 1. Client credentials grant flows 2. Azure Instance Metadata (IMDS) endpoint
upvoted 2 times
LuisB88
10 months, 3 weeks ago
Am I missing something? I don't see this type of information in the MS Learn AZ-305 modules.
upvoted 11 times
peterp007
11 months, 1 week ago
1. Client credentials grant flows 2. Azure Instance Metadata (IMDS) endpoint https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-managed-identities-work-vm?source=recommendations
upvoted 2 times
Cristian_
11 months, 3 weeks ago
1. Client Credentials Grant Flows 2. Azure Instance Metadata (IMDS) Endpoint. IMDS is an endpoint that allows the VM to retrieve its own token using the system-assigned managed identity. Ref: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
upvoted 2 times
husam421
1 year, 2 months ago
Azure Instance Metadata (IMDS) endpoint. From the docs, "Get a token using HTTP": "The fundamental interface for acquiring an access token is based on REST, making it accessible to any client application running on the VM that can make HTTP REST calls. This approach is similar to the Microsoft Entra programming model, except the client uses an endpoint on the virtual machine (vs a Microsoft Entra endpoint). Sample request using the Azure Instance Metadata Service (IMDS) endpoint (recommended)."
upvoted 1 times
Elecktrus
1 year, 2 months ago
Question 2 must be Azure Instance Metadata (IMDS) endpoint https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad Basically, you need to obtain the info of the system-managed identity (including the token). So you must call IMDS to get info about your local machine. That info includes the token that you will use to access the key vault. Calling IMDS is a local call (that is, a localhost), so there isn't a security problem even though it is HTTP (not HTTPS).
upvoted 1 times
Gato_Pirao
1 year, 2 months ago
2. REST API call to retrieve token from IMDS I'm not an expert but this is the reference I found: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
upvoted 2 times
Red0101
1 year, 2 months ago
Client credential grant flows Azure Instance Metadata Service (MDS) endpoint https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm
upvoted 2 times
dave22339
1 year, 4 months ago
I don't understand this yet, BUT "IMDS is not a channel for sensitive data. The API is unauthenticated and open to all processes on the VM." https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=windows#security-and-authentication Some folks have suggested IMDS as a correct answer, and surely that can't be right.
upvoted 4 times
NK19
1 year, 4 months ago
According to this tutorial: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad The second box should be "Azure Instance Metadata Service (IMDS) endpoint" as that will give you the access token to get the secret from the key vault, using the managed identity of the VM.
upvoted 2 times