Exam AZ-500
Question 114

HOTSPOT -

You have an Azure subscription that contains an Azure SQL database named SQL1.

You plan to deploy a web app named App1.

You need to provide App1 with read and write access to SQL1. The solution must meet the following requirements:

✑ Provide App1 with access to SQL1 without storing a password.

✑ Use the principle of least privilege.

✑ Minimize administrative effort.

Which type of account should App1 use to access SQL1, and which database roles should you assign to App1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-sql-database?tabs=windowsclient%2Cdotnet
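The setup the referenced tutorial describes, as an added T-SQL example (not part of the exam question or its reference): it assumes you are connected to SQL1 as the server's Azure AD admin and that App1's system-assigned managed identity has the display name App1.

```sql
-- Added example; assumes a connection to SQL1 as the Azure AD admin and that
-- the managed identity of the web app is named App1 (adjust if yours differs).

-- Create a contained database user backed by the managed identity.
-- No password is stored anywhere: the app authenticates with an Azure AD token.
CREATE USER [App1] FROM EXTERNAL PROVIDER;

-- Least privilege for read/write on user tables: the two fixed roles from the
-- answer rather than db_owner, which would also grant schema and security changes.
ALTER ROLE db_datareader ADD MEMBER [App1];
ALTER ROLE db_datawriter ADD MEMBER [App1];

-- Verify the result: App1 should appear with exactly db_datareader and db_datawriter.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON drm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m ON drm.member_principal_id = m.principal_id
WHERE m.name = N'App1';
```

If the verification query returns any other role for App1 (for example db_owner), the least-privilege requirement is not met and the extra membership should be removed.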

Discussion
zellck

1. Managed identity
2. db_datareader and db_datawriter

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials. While developers can securely store the secrets in Azure Key Vault, services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Azure Active Directory (Azure AD) for applications to use when connecting to resources that support Azure AD authentication. Applications can use managed identities to obtain Azure AD tokens without having to manage any credentials.

zellck

https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver16#fixed-database-roles

- db_datawriter: Members of the db_datawriter fixed database role can add, delete, or change data in all user tables. In most use cases this role will be combined with db_datareader membership to allow reading the data that is to be modified.
- db_datareader: Members of the db_datareader fixed database role can read all data from all user tables and views. User objects can exist in any schema except sys and INFORMATION_SCHEMA.

Troublemaker

In Exam - 28/7/2023

flafernan

You can use a Service Principal to grant an application access to Azure resources, including SQL databases. However, when granting read and write access to a SQL database, it is generally safer to use Managed Identities when the application is running on a virtual machine or an Azure service. Managed Identities are an easier and more secure way to grant access to Azure resources because they don't require you to manually manage secrets or credentials. Service Principals are typically used when you need to grant access to external applications or services that are not hosted in Azure. When it comes to internal Azure applications and services, Managed Identities are a more direct and secure option. Therefore, using a Managed Identity would be the most appropriate option to meet the criteria of not storing passwords, using the principle of least privilege, and minimizing administrative effort in the context of internal Azure resources.

brooklyn510

On exam 1/2/24

sofieejo

In exam 29/01/2023 + many questions about Microsoft Sentinel

Johnvic

Exam: 6 case studies, 3 true/false questions, 47 multiple-choice questions and no simulations. A lot of new questions that are not up here.

majstor86

Account Type = Managed Identity; Roles = db_datareader and db_datawriter

F117A_Stealth

Correct! Account Type = Managed Identity; Roles = db_datareader and db_datawriter

Siblark

In Exam Oct 05, 2022

Amit3

In EXAM - 01-Oct-2022

Mic8888

correct answers

subrat10

The answer of question 1 should be "Service principal" as the question explicitly says Minimize administrative effort.

xRiot007

FYI, managed identity is a type of service principal used when we don't want to pass credentials around, so question 1 is MI.

icebw22

Correct, Managed identity, because the DB needs to see who the request is coming from. Managed identity = identity for the app.

AzureJobsTillRetire

Members of the db_datawriter fixed database role can add, delete, or change data in all user tables. In most use cases this role will be combined with db_datareader membership to allow reading the data that is to be modified. https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver16

Kelly8023

Correct answers