Domain 1.4: Application Identities — AZ-305 Practice Question 15

How to approach this question

Identify how an App Service authenticates without code (Managed Identity) and the specific RBAC role for reading secrets.

Full Answer

Enable a system-assigned managed identity on the App Service, Assign the 'Key Vault Secrets User' role to the managed identity

To securely access Key Vault without storing credentials, you first enable a Managed Identity (system-assigned) on the App Service. To grant access using the modern Azure RBAC model (instead of Access Policies) and adhere to least privilege, you assign the 'Key Vault Secrets User' role to that managed identity at the Key Vault scope. This role allows the app to read secret contents but does not grant access to keys, certificates, or management operations.

Common mistakes

Selecting Key Vault Contributor (too much privilege) or Access Policies (violates the requirement to use RBAC).

How to approach this question

Full Answer

Common mistakes

Practice the full Azure Solutions Architect Expert AZ-305 Practice Exam 5

More questions from this exam