Difficulty: Medium · 1 mark · Multiple Choice
Tags: Domain 1, Identity, Key Vault, App Service

AZ-305 · Question 15 · Domain 1.4: Application Identities

You are designing the security architecture for an Azure App Service web application. The application needs to retrieve database connection strings stored securely in an Azure Key Vault.

You must adhere to the principle of least privilege. The web app must only be able to read secrets, not certificates or keys. You want to use the modern Azure RBAC permission model for Key Vault rather than legacy Access Policies.

Which TWO steps must you perform? (Select TWO)

Answer options:

A. Enable a system-assigned managed identity on the App Service.

B. Assign the 'Key Vault Contributor' role to the managed identity.

C. Assign the 'Key Vault Secrets User' role to the managed identity.

D. Configure a Key Vault Access Policy granting 'Get' permissions for Secrets.

E. Store a Service Principal client secret in the App Service application settings.

How to approach this question

Identify how an App Service can authenticate to Key Vault without any credential in code or configuration (a managed identity), then pick the one built-in data-plane RBAC role that allows reading secret values and nothing more.

Full Answer

Correct answers: A and C. To reach Key Vault without storing any credential, first enable a system-assigned managed identity on the App Service; Azure creates the identity in the Microsoft Entra tenant, manages and rotates its credential, and removes the identity when the app is deleted. Then, with the vault set to the Azure RBAC permission model (access policies are ignored once that model is on), assign the built-in 'Key Vault Secrets User' role to that identity at the scope of the vault itself rather than the resource group or subscription. The role allows reading secret contents (including the secret portion of a certificate that carries a private key) and nothing else: no key operations, no certificate management, no secret writes, and no management-plane operations on the vault. The application then reads the connection string through a Key Vault reference in its app settings or with the Azure SDK's DefaultAzureCredential, so the connection string never appears in configuration or source.
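The two steps above, together with the vault-side prerequisite (RBAC permission model) and the app setting that consumes the secret, as an Azure CLI script. This is an added example and not part of the exam page: the resource names (rg-demo, webapp-demo, kv-demo, DbConnectionString) are placeholders, and the default DRY_RUN mode traces the az commands instead of calling az, so the sequence can be reviewed without a subscription.

```shell
#!/bin/sh
# Added example (not from the exam page): give an App Service read access to
# Key Vault secrets via a system-assigned managed identity plus the
# "Key Vault Secrets User" role under the Azure RBAC permission model.
# Resource names are placeholders; the az command syntax is real Azure CLI.
set -eu

RG="${RG:-rg-demo}"                               # placeholder resource group
APP="${APP:-webapp-demo}"                         # placeholder App Service name
VAULT="${VAULT:-kv-demo}"                         # placeholder Key Vault name
SECRET_NAME="${SECRET_NAME:-DbConnectionString}"  # placeholder secret name
DRY_RUN="${DRY_RUN:-1}"                           # 1 = trace only; DRY_RUN=0 applies

# Built-in data-plane role that permits reading secret values and nothing else:
# no key operations, no certificate management, no vault management-plane calls.
SECRETS_USER_ROLE="Key Vault Secrets User"

# Run an az command, or with DRY_RUN=1 trace it to stderr and emit
# DRY_RUN_OUTPUT on stdout in place of the command's real result.
az_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*" >&2
    printf '%s\n' "${DRY_RUN_OUTPUT:-}"
  else
    "$@"
  fi
}

# App Service setting syntax that resolves a secret at runtime through the
# managed identity, so the connection string value never sits in app settings.
kv_reference() {
  printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s)' "$1" "$2"
}

grant_secret_read_access() {
  # Step 1: enable the system-assigned managed identity. Azure issues and
  # rotates its credential; the app obtains tokens from the local identity
  # endpoint, so no client secret is stored anywhere.
  principal_id=$(DRY_RUN_OUTPUT="<principalId>" az_cmd az webapp identity assign \
      --resource-group "$RG" --name "$APP" --query principalId -o tsv)

  # Step 2: switch the vault to the RBAC permission model. On an existing vault
  # this disables access policies, so other consumers must already hold roles.
  az_cmd az keyvault update --resource-group "$RG" --name "$VAULT" \
      --enable-rbac-authorization true >/dev/null

  # Step 3: assign Key Vault Secrets User scoped to this one vault's resource
  # ID. Granting at resource-group or subscription scope would over-grant.
  vault_id=$(DRY_RUN_OUTPUT="/subscriptions/<sub>/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$VAULT" \
      az_cmd az keyvault show --resource-group "$RG" --name "$VAULT" --query id -o tsv)
  az_cmd az role assignment create \
      --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal \
      --role "$SECRETS_USER_ROLE" \
      --scope "$vault_id" >/dev/null

  # Step 4: expose the secret to the app by reference, not by value.
  az_cmd az webapp config appsettings set --resource-group "$RG" --name "$APP" \
      --settings "DB_CONNECTION=$(kv_reference "$VAULT" "$SECRET_NAME")" >/dev/null

  printf '%s\n' "$principal_id"
}

# Verification: roles the identity holds on the vault; only the secrets-reader
# role should appear. Usage: list_vault_roles <principalId> <vault resource id>
list_vault_roles() {
  az_cmd az role assignment list --assignee "$1" --scope "$2" \
      --query "[].roleDefinitionName" -o tsv
}

# Runs as a traced preview by default; DRY_RUN=0 RG=... APP=... VAULT=... applies it.
grant_secret_read_access
```

The assignment is scoped to the vault's resource ID, so the identity cannot read secrets in any other vault in the subscription; widening the scope to the resource group is the easiest way to over-grant without noticing. After applying, list_vault_roles with the printed principal ID and the vault ID should print only Key Vault Secrets User.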

Common mistakes

Selecting 'Key Vault Contributor' (B): it is a management-plane role over the vault resource. Under the RBAC permission model it grants no data-plane access to secrets at all, and under the access-policy model it lets the holder edit access policies, which is a privilege-escalation path; either way it is the wrong role for reading secrets. Selecting an Access Policy (D): it would work functionally, but it violates the requirement to use the RBAC model, and once RBAC authorization is enabled on the vault, access policies are ignored anyway. Selecting a stored client secret (E): a long-lived credential in app settings is exactly what managed identity exists to remove, and it would then have to be rotated and protected like any other secret.
