Your company is developing an Azure API hosted in Azure.
You need to implement authentication for the Azure API to access other Azure resources.
You have the following requirements: -> All API calls must be authenticated.
-> Callers to the API must not send credentials to the API.
Which authentication mechanism should you use?
Click on the arrows to vote for the correct answer
A. B. C. D.C.
Azure Active Directory Managed Service Identity (MSI) gives your code an automatically managed identity for authenticating to Azure services, so that you can keep credentials out of your code.
Note: Use the authentication-managed-identity policy to authenticate with a backend service using the managed identity.
This policy essentially uses the managed identity to obtain an access token from Azure Active Directory for accessing the specified resource.
After successfully obtaining the token, the policy will set the value of the token in the Authorization header using the Bearer scheme.
Incorrect Answers: A: Use the authentication-basic policy to authenticate with a backend service using Basic authentication.
This policy effectively sets the HTTP Authorization header to the value corresponding to the credentials provided in the policy.
B: Anonymous is no authentication at all.
D: Your code needs credentials to authenticate to cloud services, but you want to limit the visibility of those credentials as much as possible.
Ideally, they never appear on a developer's workstation or get checked-in to source control.
Azure Key Vault can store credentials securely so they aren't in your code, but to retrieve them you need to authenticate to Azure Key Vault.
To authenticate to Key Vault, you need a credential! A classic bootstrap problem.
https://azure.microsoft.com/en-us/blog/keep-credentials-out-of-code-introducing-azure-ad-managed-service-identity/ https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policiesThe correct answer for this scenario is C. Managed identity.
Explanation: Authentication mechanisms are used to identify and verify the identity of the user or the calling application. In this case, the requirement is to implement authentication for the Azure API to access other Azure resources. The two main authentication mechanisms for Azure are Active Directory and Managed Identity.
Option A: Basic authentication sends credentials with each request, which is not recommended in this case because the requirement is that the API callers should not send credentials to the API.
Option B: Anonymous authentication doesn't require any authentication, which doesn't meet the requirement of having all API calls authenticated.
Option D: Client certificate authentication requires the client to send a certificate to the server, which can be used to authenticate the client. However, this requires the API callers to have a valid client certificate, which doesn't meet the requirement of having callers not send credentials to the API.
Option C: Managed Identity is a way to provide credentials to an Azure service without having to store them in code or configuration. It provides a secure way to authenticate to other Azure services by using Azure Active Directory, without requiring the API callers to send any credentials. This meets the requirement of having all API calls authenticated and callers not sending credentials to the API.
Therefore, the best option for this scenario is to use Managed Identity to implement authentication for the Azure API to access other Azure resources.