Microsoft Azure Security Technologies — Question 119
You have an Azure subscription that contains a storage account named storage1 and two web apps named app1 and app2.
Both apps will write data to storage1.
You need to ensure that each app can read only the data that it has written.
What should you do?
Answer options
- A. Provide each app with a system-assigned identity and configure storage1 to use Azure AD User account authentication.
- B. Provide each app with a separate Storage account key and configure the app to send the key with each request.
- C. Provide each app with a user-managed identity and configure storage1 to use Azure AD User account authentication.
- D. Provide each app with a unique Base64-encoded AES-256 encryption key and configure the app to send the key with each request.
Correct answer: A
Explanation
The correct answer is A because giving each app a system-assigned managed identity lets it authenticate to Azure AD as its own principal, so access to storage1 can be granted per app and each app can read only the data it has written, which gives the required data isolation. Options B and D rely on keys sent with each request; sharing keys in this way does not provide the required per-app access control. Option C uses user-managed identities, which are not necessary in this scenario because system-assigned identities are sufficient.