Exam AZ-500
Question 96

HOTSPOT -

You plan to implement an Azure function named Function1 that will create new storage accounts for containerized application instances.

You need to grant Function1 the minimum required privileges to create the storage accounts. The solution must minimize administrative effort.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/howto-assign-access-portal

Discussion
Fred64

Minimize admin effort => system-assigned MI; minimum required privilege => custom role. All other roles have too many privileges.

micofucho

As usual, there is a contradiction in the specifications. Minimum permissions vs. minimum administrative effort, and one different option for each one. If you follow minimum permissions you should create a new role; if you follow minimum effort the built-in role is enough... Which should we attend to?? As we say in my country, NPI, which means "Ni Puta Idea", that is to say NFI... No Fucking Idea.

ConanBarb

Well, since this is a _security_ focused exam, security ("least privilege") trumps convenience ("least effort") every day of the week, right?

xRiot007

I would be inclined to say the same as Conan, but MS works in mysterious ways, so this is one of the questions where you don't know, unless there is somebody around here who scored a perfect 1000 points on an exam that had this question in it and can confirm.

Troublemaker

In Exam - 28/7/2023

hellboycze

Well, today is 25.7. :D and I am reading questions.

asfgsertweg

- User-assigned MI, because accounts will be reused for multiple instances
- Customized roles to reduce the scope of privilege

teehex

Two steps you'd need to do:
- Enable System-assigned Managed Identity (SAMI) in your Azure function app (https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#add-a-system-assigned-identity)
- Assign it a custom role (Microsoft.Storage/storageAccounts...) with least privilege.
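
The two steps above as Azure CLI, added here as an example and not taken from the exam page or from Microsoft's documentation; the subscription ID, resource group, function app name and role name are placeholders, and the three actions in the role definition are my assumption of the smallest set that lets the identity create a storage account (verify against the role reference for your tenant).

```shell
# Added example: system-assigned managed identity plus a least-privilege custom role.
# Names and IDs below are placeholders; actions list is an assumption, verify it.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}" # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-containers}"                          # placeholder
FUNCTION_APP="${FUNCTION_APP:-Function1}"
ROLE_NAME="Storage Account Creator (custom)"                               # placeholder
# Scope the grant to the one resource group Function1 writes into, not the subscription.
scope_for_rg() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}
# Custom role with only the control-plane actions needed to create a storage
# account: no wildcard, no delete, no listKeys, no other resource types.
build_role_definition() {
  cat <<EOF
{
  "Name": "$1",
  "Description": "Create storage accounts in one resource group",
  "Actions": [
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": [ "$2" ]
}
EOF
}
# Guard: a '*' anywhere in the definition would silently widen the grant.
role_has_no_wildcard() {
  ! printf '%s' "$1" | grep -q '\*'
}
main() {
  scope=$(scope_for_rg "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")
  role_json=$(build_role_definition "$ROLE_NAME" "$scope")
  role_has_no_wildcard "$role_json"
  # Without a logged-in Azure CLI, only print the definition for review.
  { command -v az >/dev/null && az account show >/dev/null 2>&1; } || { printf '%s\n' "$role_json"; return 0; }
  printf '%s\n' "$role_json" > role.json
  # 1. Enable the system-assigned managed identity and capture its object ID.
  principal_id=$(az functionapp identity assign -g "$RESOURCE_GROUP" \
    -n "$FUNCTION_APP" --query principalId -o tsv)
  # 2. Create the custom role and assign it to that identity at resource-group scope only.
  az role definition create --role-definition @role.json
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal --role "$ROLE_NAME" --scope "$scope"
}
main
```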

Cyberbug2021

Correct answers

macco455

Seems like you could use a normal RBAC role for this and assign the managed identity to it instead of creating an entirely new role just for storage account creation.

A365

agree, there is a built in role to create storage accounts: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-account-contributor

Fred64

The scenario is: minimum required privilege. Where do you take this requirement into account?

rooban

IMHO that's too many permissions. It can create AND MANAGE storage accounts, manage deployments etc. So it seems we have to choose either to do a bit of extra administrative work setting up the correct permissions or grant excessive permissions. I believe MS always wants us to strive for minimum required permissions so custom seems more appropriate.

macco455

Also, creating a custom role will be more administrative effort than is needed for this.

zellck

1. System-assigned managed identity
2. Custom RBAC role assignment

https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

"If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes."

majstor86

System-assigned managed identity; custom role (RBAC)

zioggs

Exam - 4/11/21

francis6170

Got this in the AZ-500 exam (Sept 2021)!

F117A_Stealth

Minimize admin effort => system-assigned MI; minimum required privilege => custom role. All other roles have too many privileges.

salmantarik

Minimized admin effort: 1 - SAMI; 2 - RBAC (custom role)

Jco

Exam question, 29 Sep

TonytheTiger

Exam Question - 17 Sept 2021

icebw22

Correct; both a system- or user-assigned managed identity would work, but the question states less admin effort, so the system-assigned managed identity wins.

Eltooth

I’d go for SAMI and custom role to minimise privileges over admin effort.