Azure Identity for Virtual Machine Authentication
Question
You plan to deploy an application named App1 that will run on five Azure virtual machines. Additional virtual machines will be deployed later to run App1.
You need to recommend a solution to meet the following requirements for the virtual machines that will run App1:
-> Ensure that the virtual machines can authenticate to Azure Active Directory (Azure AD) to gain access to an Azure key vault, Azure Logic Apps instances, and an Azure SQL database.
-> Avoid assigning new roles and permissions for Azure services when you deploy additional virtual machines.
-> Avoid storing secrets and certificates on the virtual machines.
-> Minimize administrative effort for managing identities.
Which type of identity should you include in the recommendation?
Answers
Explanations
Answer: D
Managed identities for Azure resources is a feature of Azure Active Directory.
User-assigned managed identity can be shared. The same user-assigned managed identity can be associated with more than one Azure resource.
Incorrect Answers:
B: System-assigned managed identity cannot be shared. It can only be associated with a single Azure resource.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
The recommendation should be to use a system-assigned managed identity for the virtual machines that will run App1.
Explanation:
Azure managed identities provide a way to authenticate to various Azure services without having to store credentials in code or configuration files. Managed identities are available in two types: system-assigned managed identities and user-assigned managed identities.
In this scenario, the virtual machines need to access Azure Key Vault, Azure Logic Apps instances, and an Azure SQL database. To access these resources, the virtual machines require some form of authentication. Using managed identities for authentication helps meet the following requirements:
Ensure that the virtual machines can authenticate to Azure AD: Managed identities are created in Azure AD, which allows the virtual machines to authenticate to Azure AD.
Avoid assigning new roles and permissions for Azure services when you deploy additional virtual machines: When using managed identities, there is no need to assign new roles and permissions when deploying additional virtual machines. The managed identity can be used across multiple virtual machines.
Avoid storing secrets and certificates on the virtual machines: When using managed identities, there is no need to store secrets and certificates on the virtual machines. The managed identity provides the authentication credentials required to access Azure services.
Minimize administrative effort for managing identities: Managed identities are created and managed by Azure. This reduces the administrative effort required to manage identities.
A service principal that is configured to use a certificate or a client secret is not recommended because it requires the storage of secrets and certificates on the virtual machines, which goes against one of the requirements. User-assigned managed identities are also not recommended because they require additional administrative effort to manage.
Therefore, the best option to meet the given requirements is to use a system-assigned managed identity for the virtual machines that will run App1.
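Both explanations above rest on the same mechanism: code on the VM asks the Azure Instance Metadata Service (IMDS) for an Azure AD token, so no secret or certificate is ever written to the VM, and a user-assigned identity is selected by passing its client ID while a system-assigned identity needs no extra parameter. The following is an added example, not code from the question or either answer; the IMDS endpoint, API version, `Metadata: true` header and `client_id` parameter are the documented Azure interface, while the `fetch` callable, the `stub_fetch` helper and the sample JSON response are assumptions constructed so the example runs offline.

```python
"""
Added example: obtaining an Azure AD access token from a VM's managed identity
through IMDS, for either a system-assigned or a user-assigned identity.
The HTTP transport is injected so the logic can be exercised without a VM.
"""
import json
import time
import urllib.parse
import urllib.request

# Documented IMDS token endpoint (link-local address, reachable only from inside the VM).
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Return (url, headers) for a managed-identity token request.

    resource:  audience of the token, e.g. https://vault.azure.net for Key Vault
               or https://database.windows.net/ for Azure SQL.
    client_id: None to use the VM's system-assigned identity; the client ID of a
               user-assigned identity when one (or several) is attached to the VM.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)
    # IMDS refuses requests without this header; the check exists so that a
    # forwarded request that cannot set custom headers is rejected.
    headers = {"Metadata": "true"}
    return url, headers


def parse_token_response(body, now=None):
    """Extract the bearer token and its remaining lifetime from an IMDS JSON reply."""
    data = json.loads(body)
    now = time.time() if now is None else now
    expires_on = int(data["expires_on"])  # IMDS returns this as a string epoch
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "resource": data["resource"],
        "seconds_remaining": max(0, expires_on - int(now)),
    }


def default_fetch(url, headers):
    """Real HTTP GET against IMDS; only succeeds from inside an Azure VM."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def get_managed_identity_token(resource, client_id=None, fetch=default_fetch, now=None):
    """Request a token for `resource` and return the parsed result."""
    url, headers = build_token_request(resource, client_id)
    return parse_token_response(fetch(url, headers), now)


# Constructed sample IMDS reply for offline demonstration; the token value is not real.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1Qi.constructed-sample",
    "expires_on": "1700003600",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
    "client_id": "00000000-0000-0000-0000-000000000000",
})


def stub_fetch(url, headers):
    """Assumed offline stand-in for IMDS: checks the mandatory header, returns the sample."""
    if headers.get("Metadata") != "true":
        raise ValueError("IMDS would reject a request without Metadata: true")
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    # System-assigned identity: no client_id needed.
    tok = get_managed_identity_token("https://vault.azure.net",
                                     fetch=stub_fetch, now=1700000000)
    print(tok["token_type"], tok["resource"], tok["seconds_remaining"])
    # User-assigned identity shared by all App1 VMs: same call plus its client ID.
    url, _ = build_token_request("https://database.windows.net/",
                                 client_id="11111111-1111-1111-1111-111111111111")
    print(url)
```

On a real VM, replace `stub_fetch` with the default transport; the calling code is identical for every VM that runs App1, which is why adding VMs does not require touching the application's credentials. Whether new VMs also avoid new role assignments depends on which identity type is attached, which is the point the two explanations above disagree on.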