SC-100 Question #171: Real Exam Question with Answer & Explanation
The correct answer is A: a managed identity in Azure.
Question
You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain. You are designing an Azure DevOps solution to deploy applications to an Azure subscription by using continuous integration and continuous deployment (CI/CD) pipelines. You need to recommend which types of identities to use for the deployment credentials of the service connection. The solution must follow DevSecOps best practices from the Microsoft Cloud Adoption Framework for Azure. What should you recommend?
Options
- A. a managed identity in Azure
- B. an Azure AD user account that has role assignments in Azure AD Privileged Identity Management
- C. a group managed service account (gMSA)
- D. an Azure AD user account that has a password stored in Azure Key Vault
Explanation
Correct answer: A.

Managed identities are the DevSecOps best practice for CI/CD service connection credentials because they eliminate the need to store, rotate, or manage any secrets or passwords; Azure handles the credential lifecycle automatically. A managed identity assigned to the Azure DevOps pipeline agent (or the Azure resource hosting the agent) can be granted the precise RBAC roles needed in the target Azure subscription with no credential exposure risk.

Option B (Azure AD user account with PIM) uses a human identity for automation, which is an anti-pattern: user accounts are not designed for non-interactive service use and require manual lifecycle management.

Option C (gMSA) is an on-premises Active Directory concept for Windows services and is not natively supported as an Azure DevOps service connection credential.

Option D (user account with password in Key Vault) still involves a password that must be created, granted permissions, and rotated, introducing unnecessary risk.