Exam AZ-305 topic 1 question 40 discussion

the second answer is no correct. The correct answers are these 1. Client credentials grant flows 2. Azure Instance Metadata (IMDS) endpoint The key difference in this scenario is that we are using a Managed Identity, which is a feature of Azure AD, and in that case, access tokens are obtained through the Azure Instance Metadata Service (IMDS) API. The managed identity is responsible for managing the lifecycle of these credentials. Therefore, for the case of an application in an Azure VM that uses a managed identity to authenticate with Key Vault, the IMDS would be used, not an OAuth 2.0 endpoint directly. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http

(a.ka.Gowind) Answers are corrects. We need server based authentication so client credentials is to be used. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow Also prefer AAD , because Microsoft Identity Platform is user based https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-overview

Configure App1 to Use OAuth 2.0: Select: Client credentials grant flows Configure App1 to Use a REST API Call to Retrieve an Authentication Token From: Select: Azure Instance Metadata Service (MDS) endpoint

Client credentials grant flows Azure Instance Metadata Service (MDS) endpoint

Configure App1 to use OAuth 2.0: Client credentials grant flow Reason: The client credentials flow is suitable for service-to-service communication, allowing App1 to authenticate and obtain a token to access the Key Vault. Configure App1 to use a REST API call to retrieve an authentication token from the: Azure Instance Metadata Service (IMDS) endpoint Reason: Using the IMDS endpoint is the standard way for Azure resources to obtain tokens for their managed identities, simplifying authentication without managing credentials.

I would go for 1. Client credentials grant flows 2. Azure Instance Metadata (IMDS) endpoint Managed identity: This type of service principal represents a managed identity, which eliminates the need to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication. When a managed identity is enabled, the service principal that represents that managed identity is created in your tenant. Common terms for managed identities and service principals: Client ID: The unique ID that's linked to the app and service principal created when you provisioned the identity. Object ID: The service principal object of the managed identity. Azure Instance Metadata Service: The REST API that's enabled when Azure Resource Manager creates a VM. The endpoint is accessible only from within the VM.

Final Answer: 1. Client credentials grant flows 2. Azure Instance Metadata (IMDS) endpoint

Am I missing something ? I don't see this type of informations on the modules of MS learn AZ305.

1. Client credentials grant flows 2. Azure Instance Metadata (IMDS) endpoint https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-managed-identities-work-vm?source=recommendations

1. Client Credentials Grant Flows 2. Azure Instance Metadata (IMDS) Endpoint IMDS is an endpoint that allows the VM retrieve its own Token using System Managed Identity Ref: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad

Azure Instance Metadata (IMDS) endpoint Get a token using HTTP The fundamental interface for acquiring an access token is based on REST, making it accessible to any client application running on the VM that can make HTTP REST calls. This approach is similar to the Microsoft Entra programming model, except the client uses an endpoint on the virtual machine (vs a Microsoft Entra endpoint). Sample request using the Azure Instance Metadata Service (IMDS) endpoint (recommended)

Question2 must be Azure Instance Metadata (IMDS) endpoint https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad Basically, you need obtain the info of the system-manged identity (including the token). So you must call IMDS to get info about your local machine.That info include the token that you will use to access the key vault. Calling IMDS is a local call (that is, a localhost) so there isnt security problem though it is http (not https)

2. REST API call to retrieve token from IMDS I'm not an expert but this is the reference I found: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http

Client credential grant flows Azure Instance Metadata Service (MDS) endpoint https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm

I don't understand this yet BUT "IMDS is not a channel for sensitive data. The API is unauthenticated and open to all processes on the VM." https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=windows#security-and-authentication . Some folk have suggested IMDS as a correct answer and surely that can't be right.

According to this tutorial: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad The second box should be "Azure Instance Metadata Service (IMDS) endpoint" as that will give you the access token to get the secret from the key vault, using the managed identity of the VM.

how many questions(what percentage) from ET come in real exam