Azure VM Identity for Resource Management | Microsoft AZ-303 Exam

Configure Identity for Azure Virtual Machine | AZ-303 Exam Guide

Question

You have an Azure subscription named Subscription1 that contains an Azure virtual machine named VM1. VM1 is in a resource group named RG1.

VM1 runs services that will be used to deploy resources to RG1.

You need to ensure that a service running on VM1 can manage the resources in RG1 by using the identity of VM1.

What should you do first?

Answers

Explanations


D

When you enable the identity, Azure creates an identity in the Azure AD tenant that is trusted by the subscription in use. After the identity is created, it can be assigned to one or more Azure service instances.

https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

The correct answer is D. From the Azure portal, modify the value of the Managed Service Identity option for VM1.

Managed Service Identity (MSI), now called managed identities for Azure resources, is a feature in Azure that provides an automatically generated identity for Azure services to use. When you enable MSI for a virtual machine, Azure creates a service principal in Azure Active Directory (Azure AD) that represents the virtual machine. Code running on the VM can then use this service principal to authenticate to Azure services, such as Azure Resource Manager, without storing any credentials on the VM.

In this scenario, the requirement is to enable a service running on VM1 to manage resources in RG1. By enabling MSI for VM1 and using the automatically generated service principal, the service can be granted access to the appropriate Azure resources. To enable MSI for VM1, follow these steps:

  1. Open the Azure portal and navigate to the virtual machine VM1 in resource group RG1.
  2. In the left-hand menu, click on "Identity" under the "Settings" section.
  3. In the "System assigned" tab, toggle the "Status" switch to "On".
  4. Click "Save" to save the changes.

Once MSI is enabled for VM1, you can use the automatically generated service principal to grant access to the necessary Azure resources. This can be done through role-based access control (RBAC) in Azure, which uses Azure AD to assign roles to users, groups, or service principals. To grant access to the necessary resources, follow these steps:

  1. Open the Azure portal and navigate to the resource group RG1.
  2. In the left-hand menu, click on "Access control (IAM)".
  3. Click on the "Add" button and select the appropriate role assignment for the service running on VM1.
  4. In the "Assign access to" section, select "Azure AD user, group, or service principal".
  5. In the "Select" field, start typing the name of the service principal created for VM1 and select it from the dropdown.
  6. Click "Save" to save the role assignment.

With MSI enabled for VM1 and the appropriate role assignments made, the service running on VM1 can now manage the resources in RG1 using the identity of VM1.
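Once the identity is enabled and the role is assigned, the service on VM1 never handles a secret: it asks the Azure Instance Metadata Service (IMDS) on the VM for a token for the VM's identity and presents that token to Azure Resource Manager. The following is an added example, not code from the page or from Microsoft, showing that request, the mandatory `Metadata: true` header, and a check of the returned token before use. The subscription ID and the sample IMDS response are constructed placeholders.

```python
import json
import time
import urllib.parse
import urllib.request

# IMDS token endpoint reachable only from inside the VM (link-local address).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
ARM_RESOURCE = "https://management.azure.com/"


def build_token_request(resource=ARM_RESOURCE, api_version="2018-02-01"):
    """Return the URL and headers for an IMDS token request.

    The 'Metadata: true' header is required; IMDS refuses requests without it,
    so a forwarded or server-side request that cannot set headers cannot mint
    tokens for the VM's identity.
    """
    query = urllib.parse.urlencode({"api-version": api_version, "resource": resource})
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}


def parse_token_response(body, expected_resource=ARM_RESOURCE, now=None):
    """Validate an IMDS JSON response and return the token and its expiry.

    Rejects a token issued for a different resource or one that has already
    expired, so a stale or mis-scoped token is never sent to ARM.
    """
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or data.get("resource") != expected_resource:
        raise ValueError("token is not a Bearer token for the expected resource")
    expires_on = int(data["expires_on"])
    if expires_on <= (time.time() if now is None else now):
        raise ValueError("token already expired")
    return {"token": data["access_token"], "expires_on": expires_on}


def rg_scope(subscription_id, resource_group):
    """ARM scope string for one resource group; the role assignment should be
    limited to this scope rather than the whole subscription."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def get_arm_token():
    """Live call: works only on an Azure VM with a system-assigned identity."""
    url, headers = build_token_request()
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_token_response(resp.read().decode())


# Constructed sample of what IMDS returns (token value is a placeholder).
SAMPLE_RESPONSE = json.dumps({"access_token": "EXAMPLE.TOKEN.VALUE", "expires_on": "1700000000",
                              "resource": ARM_RESOURCE, "token_type": "Bearer"})
```

The returned token is sent as `Authorization: Bearer <token>` to ARM requests scoped under `rg_scope(...)`; anything outside RG1 is refused because the role assignment from the steps above stops at the resource group.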