
SC-300 Exam - Question 255


HOTSPOT


You have a Microsoft Entra tenant that contains multiple storage accounts.

You plan to deploy multiple Azure App Service apps that will require access to the storage accounts.

You need to recommend an identity solution to provide the apps with access to the storage accounts. The solution must minimize administrative effort.

Which type of identity should you recommend, and what should you recommend using to control access to the storage accounts? To answer, select the appropriate options in the answer area.

Exam SC-300 Question 255
Correct Answer:
Exam SC-300 Question 255
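As an added illustration of the two options the question contrasts (this is example code written for this page, not from the exam or from Microsoft's documentation), the Bicep below deploys several App Service apps that share one user-assigned managed identity and grants that identity access to an existing storage account with a single Azure RBAC role assignment. App names, the identity name and the storage account name are placeholders; with system-assigned identities the role assignment would instead have to be repeated once per app.

```bicep
// Added example for SC-300 Q255: one shared user-assigned identity + one RBAC assignment.
// All resource names below are assumed placeholders, not values from the exam page.
param location string = resourceGroup().location
param storageAccountName string            // existing storage account in this resource group
param appNames array = ['app-one', 'app-two', 'app-three']

// Built-in role "Storage Blob Data Contributor" (well-known Azure role definition id)
var blobDataContributorRoleId = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// A single identity that every app reuses; it outlives any individual app.
resource sharedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-storage-apps'
  location: location
}

// One role assignment scoped to the storage account, regardless of how many apps exist.
// (With system-assigned identities this block would become a loop over appNames.)
resource blobRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, sharedIdentity.id, blobDataContributorRoleId)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', blobDataContributorRoleId)
    principalId: sharedIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-storage-apps'
  location: location
  sku: { name: 'B1' }
}

// Each app attaches the same user-assigned identity; no keys or secrets are stored in app settings.
resource apps 'Microsoft.Web/sites@2022-09-01' = [for name in appNames: {
  name: name
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${sharedIdentity.id}': {} }
  }
  properties: { serverFarmId: plan.id, httpsOnly: true }
}]
```

Inside each app, an Azure SDK credential that is told the identity's client id (for example DefaultAzureCredential with the managed identity client id) obtains tokens for Storage without any stored credential.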

Discussion

15 comments
penatuna
Mar 7, 2024

Here's my two cents. Correct me if I'm wrong: To provide the apps with access to the storage accounts, I recommend the following identity solution:
• Identity type: System-assigned managed identity
• To control access, use: Role-based access control (RBAC)
This solution will minimize administrative effort because:
• System-assigned managed identities are automatically created and deleted by Azure when you create or delete the app service. You don't need to register or manage them separately.
• Role-based access control (RBAC) allows you to assign granular permissions to the managed identities based on the roles they need to access the storage accounts. You don't need to create or manage shared keys or tokens.
https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage

klayytech
Apr 27, 2024

But with system-assigned, it means you need to generate one for each app and assign each of them to each storage account separately, which is more effort than user-assigned.

Ody
Feb 20, 2024

I don't like the question. A user-assigned managed identity is probably the least administrative effort, but the second the apps need to access different resources, it becomes problematic.
Exam answer: User assigned
Real world: System assigned

wheeldj
Apr 3, 2024

Tricky question. I vote for:
* User-assigned managed identity
* Azure RBAC
I think the key here is that the question asks for minimum admin effort rather than least privilege. With a single user-assigned managed identity I only need to permission it once against the storage accounts. With system-assigned managed identities I would have to permission every resource against the storage accounts; more secure but also more work!

throwaway10188
Jan 24, 2024

Answers seem to be actually correct for once.

bobg
May 2, 2024

Sounds like User-Assigned Managed Identity as it is less admin effort. "If your infrastructure requires that multiple resources require access to the same resources, a single user-assigned identity can be assigned to them. Administration overhead will be reduced, as there are fewer distinct identities and role assignments to manage. If you require that each resource has its own identity, or have resources that require a unique set of permissions and want the identity to be deleted as the resource is deleted, then you should use a system-assigned identity." Taken from: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations

Alcpt
May 10, 2024

The answer is UAMI and RBAC as per the MS article: "If your infrastructure requires that multiple resources require access to the same resources, a single user-assigned identity can be assigned to them. Administration overhead will be reduced, as there are fewer distinct identities and role assignments to manage." https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations

einkaufacs
Jan 26, 2024

I would go for system-assigned managed identity + RBAC https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal

loukyexamtopic
Aug 11, 2024

User assigned & RBAC. Check https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal

Frank9020
Jan 30, 2025

1: System-assigned managed identities
- Are automatically created and tied to a specific resource (the App Service).
- Are automatically deleted when the resource is deleted, minimizing management overhead.
2: Role-Based Access Control (RBAC)
- The best way to grant secure, least-privilege access to Azure Storage Accounts.

Obi_Wan_Jacoby
Apr 20, 2025

Answers: UAMI and RBAC. Here is why. I punched in a question with several follow-up questions, including inputting the articles other users posted prior. In the end, the following is what resulted via Copilot: "Considering the best practice recommendations and the specific scenario where multiple Azure App Service apps need access to the same storage accounts, User Assigned Managed Identity (UAMI) is likely the preferred choice for minimizing administrative effort. This approach reduces the number of distinct identities and role assignments to manage, which aligns with Microsoft's guidance on reducing administrative overhead."

Sneekygeek
Jan 30, 2024

System-assigned managed identity + RBAC

Wazery
Feb 8, 2024

C. Assign the "Azure Cosmos DB Data Reader" role to RG1.

Nielll
Mar 17, 2024

System-assigned managed identity: This option minimizes administrative effort because it automatically creates a unique identity in Azure Active Directory (Azure AD) for each app. You don't need to manage credentials or certificates for the apps.
Azure RBAC: This approach allows you to grant specific permissions to the managed identities of your apps. This ensures that the apps only have the access they need to the storage accounts, following the principle of least privilege.

NICKTON81
Apr 27, 2024

* System-assigned managed identity
* Role-based access control (RBAC)
https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-storage?tabs=azure-portal

Labelfree
Nov 11, 2024

Funny, Service Principal is marked for the first dropdown here, but Copilot gives User-Assigned, while ChatGPT suggests System-Assigned. As per Ody here, I'm guessing the exam is based on Copilot/Microsoft and would go with User-Assigned.