
AZ-204 Exam - Question 218


HOTSPOT -

You develop a containerized application. You plan to deploy the application to a new Azure Container instance by using a third-party continuous integration and continuous delivery (CI/CD) utility.

The deployment must be unattended and include all application assets. The third-party utility must only be able to push and pull images from the registry. The authentication must be managed by Azure Active Directory (Azure AD). The solution must use the principle of least privilege.

You need to ensure that the third-party utility can access the registry.

Which authentication options should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: Service principal -

Applications and container orchestrators can perform unattended, or "headless," authentication by using an Azure Active Directory (Azure AD) service principal.

Incorrect Answers:

✑ Individual Azure AD identity requires an interactive sign-in (for example `az acr login`), so it does not support unattended push/pull.

✑ Repository-scoped access tokens are registry-local credentials, not Azure AD identities, so they do not meet the Azure AD authentication requirement.

✑ Managed identity for Azure resources is used to authenticate to an Azure container registry from another Azure resource. A third-party CI/CD utility is not an Azure resource, so it cannot carry a managed identity.

Box 2: AcrPush -

AcrPush grants pull and push permissions only (its actions are the registry `pull/read` and `push/write` operations, so it includes everything AcrPull grants). It is the smallest built-in role that covers both operations the deployment requires, which meets the principle of least privilege.

Incorrect Answers:

✑ AcrPull allows pull only; it does not allow push, which the deployment requires.

✑ Owner and Contributor allow pull/push, but they also grant broad management rights over the registry and other resources, so they do not meet the principle of least privilege.

Reference:

https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli
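The two boxes above can be checked mechanically: evaluate which built-in roles cover the `pull/read` and `push/write` registry operations, pick the narrowest one, and only then create the service principal with that role scoped to the single registry. The script below is an added example, not part of the exam page or of Microsoft's documentation. The `ROLES` table is a constructed subset of the real built-in role definitions (AcrPull and AcrPush are complete; Contributor and Owner list only the entries that matter here), the evaluation reproduces Azure RBAC semantics locally (Actions minus NotActions, `*` wildcards, case-insensitive names) rather than calling Azure, and `ci-acr-pusher` and `<registry-resource-id>` are placeholders. The `az ad sp create-for-rbac` argument list has the same shape as the service principal command in the linked authentication doc.

```python
"""Least-privilege role selection for a headless ACR service principal.

Added example (not part of the exam page or Microsoft's documentation). The role
definitions below are a constructed subset of the real Azure built-in roles, and
the evaluation mimics Azure RBAC semantics (Actions minus NotActions, '*'
wildcards, case-insensitive) locally; nothing here calls Azure.
"""
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed subset of built-in role definitions. AcrPull and AcrPush are
# complete; Contributor and Owner list only the entries that matter here.
ROLES: Dict[str, Dict[str, List[str]]] = {
    "AcrPull": {
        "Actions": ["Microsoft.ContainerRegistry/registries/pull/read"],
        "NotActions": [],
    },
    "AcrPush": {
        "Actions": [
            "Microsoft.ContainerRegistry/registries/pull/read",
            "Microsoft.ContainerRegistry/registries/push/write",
        ],
        "NotActions": [],
    },
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Owner": {"Actions": ["*"], "NotActions": []},
}

PULL = "Microsoft.ContainerRegistry/registries/pull/read"
PUSH = "Microsoft.ContainerRegistry/registries/push/write"


def _matches(pattern: str, action: str) -> bool:
    # Azure RBAC operation names are case-insensitive and '*' spans '/'.
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: str, action: str) -> bool:
    """True if the role's Actions cover `action` and its NotActions do not."""
    definition = ROLES[role]
    allowed = any(_matches(p, action) for p in definition["Actions"])
    denied = any(_matches(p, action) for p in definition["NotActions"])
    return allowed and not denied


def grant_breadth(role: str) -> float:
    """Heuristic size of a role's grant; any wildcard counts as unbounded."""
    actions = ROLES[role]["Actions"]
    return float("inf") if any("*" in a for a in actions) else float(len(actions))


def roles_permitting(required: List[str]) -> List[str]:
    """Every role that covers all required operations, narrowest first."""
    fitting = [r for r in ROLES if all(role_permits(r, a) for a in required)]
    return sorted(fitting, key=grant_breadth)


def least_privilege_role(required: List[str]) -> str:
    """Narrowest built-in role that still covers every required operation."""
    fitting = roles_permitting(required)
    if not fitting:
        raise ValueError(f"no built-in role covers {required}")
    return fitting[0]


def create_sp_argv(sp_name: str, registry_id: str, role: str) -> List[str]:
    """az CLI command creating the SP with `role` scoped to one registry.

    --scopes pins the assignment to the registry resource ID, not a resource
    group or subscription. sp_name and registry_id are placeholders.
    """
    return [
        "az", "ad", "sp", "create-for-rbac",
        "--name", sp_name,
        "--scopes", registry_id,
        "--role", role,
        "--query", "password", "--output", "tsv",
    ]


def docker_login_argv(login_server: str, app_id: str) -> List[str]:
    """docker login with the SP secret fed on stdin, so it never hits argv."""
    return ["docker", "login", login_server, "--username", app_id, "--password-stdin"]


if __name__ == "__main__":
    role = least_privilege_role([PULL, PUSH])
    print("roles that cover pull+push:", roles_permitting([PULL, PUSH]))
    print("least privilege:", role)  # AcrPush
    print(" ".join(create_sp_argv("ci-acr-pusher", "<registry-resource-id>", role)))
    print(" ".join(docker_login_argv("myregistry.azurecr.io", "<appId>")))
```

Two practitioner notes. First, the Contributor check shows why the role is rejected even though it permits push and pull: its `*` action covers every registry operation (and every other resource in scope), which is the opposite of least privilege. Second, the login command deliberately uses `--password-stdin` so the service principal secret is piped from the CI/CD tool's secret store and never lands in process arguments or shell history.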

Discussion

15 comments
gmishra88
Oct 6, 2022

Correct. It is only service principal. acr-token: cannot be, because of the AD authentication requirement. The roles are RBAC, but the identity is not AD managed. Managed identity: not an option because it is third party. AcrPush includes AcrPull. I did not know that nuance and the choice made by Microsoft to do this.

macobuzi
Aug 23, 2023

I don't understand, Why not Managed Identity? Azure Container Apps also support Managed Identity.

ProtossOR89144
Jul 6, 2024

- "An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources." - correct : "AcrPush includes AcrPull"

vizay
May 5, 2025

If your identity (app, user, service) isn’t registered in Azure Active Directory (Azure AD), Azure AD can’t recognize or assign it the necessary permissions to access Azure Container Registry (ACR). As a result, you can’t use the ACR token for authentication. When I say "your identity isn't in Azure AD", I mean that the app, user, or service you're trying to use to access Azure Container Registry (ACR) isn't registered or recognized by Azure Active Directory (Azure AD).

dtctx
Apr 29, 2022

Got this 4/29. I passed test, but scored poorly in third party integration questions. I went with Managed Identity and Contributor, and I think both are WRONG. I had not heard of ACR Push/Pull, so went with Contributor, but upon learning that ACR Push satisfies least privilege, that is probably the best answer. Table of privileges: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli I suggest ACR Push is the correct permission level.

sarmaria
Mar 20, 2023

Got this on 16/03/23. Chosen Service Principal and AcrPush. Make sure to prepare for case study. I got city and lights case study. No Kubernetes, Search, Logic Apps questions for me.

hubekpeter
Nov 22, 2022

Individual identity - no, you don't want to use somebody's username; when he leaves, the service will stop working (saw this tens of times). Managed identity - yes, that could work, but you're not sure if CI/CD is running on an Azure resource. Repository-scoped access token - the next question would be regarding Scope Map, but they are apparently asking about an RBAC role. So the correct answer is Service Principal with the AcrPush role, which will meet the least privilege requirement.

Esward
Jan 25, 2023

Service Principal and AcrPush are correct answers! https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli

mabdo
Feb 2, 2023

on exam 02/23

sghaha
Apr 29, 2022

https://docs.microsoft.com/ko-kr/azure/container-registry/container-registry-authentication?tabs=azure-cli

vvlads
May 5, 2022

why not managed identity? Use only from select Azure services that support managed identities for Azure resources https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli resources: ...Azure Container Registry... https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-status#azure-services-that-support-managed-identities-for-azure-resources

coffecold
Oct 13, 2022

The CI/CD is third party.

finnishr
Sep 3, 2022

The answer is correct.

coffecold
Oct 13, 2022

The question is about access to 'a' registry. Nowhere in the question is it stated that Azure Container Registry (ACR) is used. It talks about "the registry", which is confusing. Provided Azure Container Registry (ACR) is used, then the answer is correct. If another kind of registry is used to store the images, the answer can be anything (depending on the registry used).

OPT_001122
Dec 10, 2022

service principal AcrPush

130nk3r5
Dec 18, 2023

To meet all the requirements, you should use the following authentication options: Service Principal: A service principal is an identity that is used by a service or application to log in and access Azure resources. You can assign specific permissions to the service principal to adhere to the principle of least privilege. This will allow the third-party CI/CD utility to authenticate with Azure AD. Role-Based Access Control (RBAC): After creating the service principal, you should assign it a role that only allows it to push and pull images from the Azure Container Registry. The "AcrPush" role could be a good fit as it allows the service principal to push and pull images, but doesn't grant any other permissions. Remember to store the service principal's credentials securely in the CI/CD utility.

Stann07
Nov 30, 2023

Service Principal: Service principals are non-interactive Azure accounts. Using them with CI/CD utilities allows for unattended deployments. AcrPull: This role can only pull images from the registry. This is certainly the role with the least privilege here, because AcrPush can push images to the registry (and also pull them).

Stann07
Nov 30, 2023

My error, I did not see the requirement in the question for the user to be able to pull AND PUSH images to the registry. So the right answer is ACRPUSH

bgbgvfvf
Dec 24, 2023

answer is correct

vizay
May 5, 2025

🔹 Service Principal
Used for apps outside Azure
Needs client ID and secret or certificate
You manage the credentials
Good for CI/CD tools like GitHub Actions

🔹 Managed Identity
Used for apps inside Azure
No secrets needed — Azure manages authentication
More secure and easier to use
Good for Azure Functions, Web Apps, VMs, etc.

vizay
May 5, 2025

given answer is correct :)