
AZ-305 Question #120: Real Exam Question with Answer & Explanation


Submitted by yaw92 · Mar 6, 2026 · Design identity, governance, and monitoring solutions

Question

Hotspot Question

Your organization has developed and deployed several Azure App Service Web and API applications. The applications use Azure Key Vault to store several authentication, storage account, and data encryption keys.

Several departments have the following requests to support the applications:

You need to recommend the appropriate Azure service for each department request. What should you recommend? To answer, configure the appropriate options in the dialog box in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Explanation

Azure Exam Hotspot — Explanation

Note: The dropdown options themselves weren't captured in the source data (Correct: None likely means the answer choices were missing from extraction, not that the answer is literally "None"). Based on the scenario descriptions, here are the correct answers and why:


Dropdown 1 — Role membership reviews, justification for continued access, alerts on admin changes, activation history

Correct Answer: Azure AD Privileged Identity Management (PIM)

Why it's correct: PIM is specifically designed for this use case. It provides:

  • Access reviews — periodically review who holds privileged roles and require justification for continued membership
  • Alerts — built-in alerts fire when suspicious or unexpected admin assignments occur
  • Audit history — full log of when privileged roles were activated, by whom, and what actions were taken

Why alternatives are wrong:

  • Azure Monitor / Log Analytics — captures resource-level activity logs but does not manage or review role membership or enforce justification workflows
  • Microsoft Defender for Cloud — focuses on security posture and threat protection, not identity governance
  • Azure Policy — enforces resource configuration compliance, not role lifecycle management

Key concept: PIM is an Azure AD identity governance tool for managing, controlling, and monitoring access to important resources — specifically privileged roles.


Dropdown 2 — Enable applications to access Azure Key Vault and retrieve keys in code

Correct Answer: Managed Identity

Why it's correct: Managed Identities (system-assigned or user-assigned) give Azure services like App Service an automatically managed identity in Azure AD. You grant that identity access to Key Vault via RBAC or Key Vault access policies. The application authenticates to Key Vault without storing any credentials or secrets in code or config files — the Azure platform handles token acquisition transparently.

Why alternatives are wrong:

  • Service Principal with client secret/certificate — works functionally, but requires you to manage and rotate the secret yourself, introducing credential management risk; Managed Identity eliminates this entirely
  • Azure API Management — an API gateway, not an authentication mechanism for Key Vault access
  • Azure AD Application Registration alone — registration creates the identity but still requires secret/certificate management; Managed Identity is the preferred, secretless alternative

Key concept: Managed Identity is the recommended zero-secret pattern for Azure resource-to-service authentication, eliminating credential sprawl.
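An added example (not part of the original question or its explanation) showing the App Service flow in Python: the app reads the platform-injected IDENTITY_ENDPOINT and IDENTITY_HEADER variables, exchanges them for a Key Vault token at the managed-identity endpoint, and then reads a secret with no credential of its own in code or config. The vault name, secret name, environment values and HTTP responses are constructed stand-ins so the flow runs offline.

```python
import os, json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

KEY_VAULT_RESOURCE = "https://vault.azure.net"  # token audience for Key Vault
MSI_API_VERSION = "2019-08-01"                  # App Service managed-identity REST version
KV_API_VERSION = "7.4"                          # Key Vault data-plane REST version

def build_token_request(env):
    """App Service injects IDENTITY_ENDPOINT and IDENTITY_HEADER into the process
    environment; the header proves the call comes from inside the app, so the
    developer never stores or rotates a secret."""
    query = urlencode({"resource": KEY_VAULT_RESOURCE, "api-version": MSI_API_VERSION})
    return f"{env['IDENTITY_ENDPOINT']}?{query}", {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}

def build_secret_request(vault_name, secret_name, access_token):
    """Key Vault data-plane call using the bearer token obtained from the platform."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version={KV_API_VERSION}"
    return url, {"Authorization": f"Bearer {access_token}"}

def _http_get(url, headers):
    with urlopen(Request(url, headers=headers)) as resp:
        return json.load(resp)

def fetch_secret(vault_name, secret_name, env=None, http_get=_http_get):
    """Two steps: token from the platform endpoint, then the secret from Key Vault.
    env and http_get are injectable so the flow can be exercised off-Azure."""
    env = os.environ if env is None else env
    token_url, token_headers = build_token_request(env)
    token = http_get(token_url, token_headers)["access_token"]
    secret_url, secret_headers = build_secret_request(vault_name, secret_name, token)
    return http_get(secret_url, secret_headers)["value"]

# Constructed environment and fake transport so the flow runs without Azure.
CONSTRUCTED_ENV = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41563/msi/token",
                   "IDENTITY_HEADER": "constructed-platform-header"}

def _fake_http_get(url, headers):
    if url.startswith(CONSTRUCTED_ENV["IDENTITY_ENDPOINT"]):
        assert headers["X-IDENTITY-HEADER"] == CONSTRUCTED_ENV["IDENTITY_HEADER"]
        assert "resource=https%3A%2F%2Fvault.azure.net" in url
        return {"access_token": "constructed-token", "token_type": "Bearer"}
    assert headers["Authorization"] == "Bearer constructed-token"
    return {"value": "constructed-db-password"}

def demo():
    """Run the flow end to end against the constructed stand-ins."""
    return fetch_secret("contoso-kv", "DbPassword", CONSTRUCTED_ENV, _fake_http_get)
```

On a real App Service instance, calling fetch_secret with the defaults uses the process environment and live HTTP; the identity still needs a Key Vault role assignment or access policy granting secret read.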


Dropdown 3 — Temporary administrator access to create and configure applications in the test environment

Correct Answer: Azure AD Privileged Identity Management (PIM) — Just-In-Time (JIT) access

Why it's correct: PIM's JIT access feature allows users to request elevation to a privileged role for a limited, bounded time window (e.g., 1–8 hours). The access expires automatically. Approvers can be required, and the activation is logged. This is precisely "temporary administrator access."

Why alternatives are wrong:

  • Azure RBAC direct role assignment — grants permanent access; does not satisfy the "temporary" requirement
  • Azure AD Conditional Access — controls how users authenticate (MFA, compliant device, location), not the duration of role elevation
  • Azure Blueprints / Policy — governs resource configuration standards, not user privilege duration

Key concept: PIM JIT access enforces the principle of least privilege by ensuring elevated permissions exist only when needed and expire automatically, reducing the standing privilege attack surface.


Summary Table

Scenario | Correct Service | Core Reason
Role review, justification, alerts, history | Azure AD PIM | Identity governance & access reviews
App authenticates to Key Vault in code | Managed Identity | Secretless Azure-native authentication
Temporary admin access | Azure AD PIM (JIT) | Time-bounded privilege elevation

Topics

Azure PIM, Managed Identities, Key Vault Security, Role-Based Access Control
