AZ-500 Question #591: Real Exam Question with Answer & Explanation

The correct answer is A: user account.

Submitted by obi.ng · Mar 6, 2026 · Secure identity and access

Question

You have an on-premises datacenter that contains multiple servers. You have an Azure subscription. You plan to onboard the on-premises servers to Microsoft Defender for Cloud by using a script. You need to create an identity to enable the script to run without prompting for Microsoft Entra credentials. Which type of identity should you create?

Options

  • A. user account
  • B. user-assigned managed identity
  • C. system-assigned managed identity
  • D. group account
  • E. service principal

Explanation

A user account can be configured to run scripts non-interactively by using stored credentials (such as a username and password or token), making it suitable for automating the onboarding of on-premises servers to Defender for Cloud without prompting for Microsoft Entra credentials during script execution. This is the appropriate choice when the authentication must occur outside of Azure (i.e., from an on-premises environment), where managed identities are not available.

Why the distractors are wrong:

  • B & C (Managed Identities): Both user-assigned and system-assigned managed identities are tied to Azure resources and cannot be used by on-premises servers, as they rely on the Azure Instance Metadata Service (IMDS) - unavailable outside Azure.
  • D (Group account): Group accounts are used to manage collections of users/permissions, not to authenticate scripts or run automated tasks.
  • E (Service principal): While a service principal is commonly used for non-interactive automation, it is not the best answer here because the scenario specifically involves onboarding via a script provided by Microsoft, which typically uses a user account with stored credentials for this Defender for Cloud Arc-onboarding workflow.

💡 Memory Tip: Think "on-premises = no managed identity" - managed identities only work inside Azure. For scripted, non-interactive access from outside Azure, a user account with pre-configured credentials is the go-to option in this specific Defender for Cloud onboarding scenario.

Topics

#Microsoft Entra identity #Script authentication #Automation identity
