Designing and Implementing Microsoft DevOps Solutions — Question 53
You have an Azure key vault named KV1 and three web servers.
You plan to deploy an app named App1 to the web servers.
You need to ensure that App1 can retrieve a secret from KV1. The solution must meet the following requirements:
• Minimize the number of permission grants required.
• Follow the principle of least privilege.
What should you include in the solution?
Answer options
- A. role-based access control (RBAC) permission
- B. a system-assigned managed identity
- C. a user-assigned managed identity
- D. a service principal
Correct answer: C
Explanation
The correct answer is C, a user-assigned managed identity. It is a standalone resource that can be assigned to all three web servers, so App1 can be granted the specific permission it needs on KV1 once, without over-provisioning access. Option A, an RBAC permission, may grant broader access than necessary. Option B, a system-assigned managed identity, is tied to a single resource and may not be suitable for multiple web servers, because each server would have its own identity and need its own grant. Option D, a service principal, can also provide access but does not follow the principle of least privilege as effectively as a user-assigned managed identity.