
SC-300 Question #281: Real Exam Question with Answer & Explanation

This question tests knowledge of Azure managed identities and role-based access control (RBAC) for securing App Service access to storage accounts with minimal administrative overhead.

Submitted by chiamaka_o · Mar 6, 2026

Question

Hotspot Question

You have a Microsoft Entra tenant that contains multiple storage accounts. You plan to deploy multiple Azure App Service apps that will require access to the storage accounts.

You need to recommend an identity solution to provide the apps with access to the storage accounts. The solution must minimize administrative effort.

Which type of identity should you recommend, and what should you recommend using to control access to the storage accounts? To answer, select the appropriate options in the answer area.

Answer:


Explanation


Approach. The correct identity type is a User-assigned managed identity, because it can be created once and assigned to multiple App Service apps, minimizing administrative effort compared to system-assigned identities (which are per-resource and harder to manage at scale). For controlling access to storage accounts, you should use Azure RBAC (Role-Based Access Control) - specifically assigning built-in roles like 'Storage Blob Data Contributor' to the managed identity on the storage accounts. This eliminates the need to manage connection strings or secrets, and RBAC provides centralized, auditable, fine-grained access control. User-assigned managed identities are ideal here because one identity can be shared across multiple apps, reducing the number of role assignments and simplifying lifecycle management compared to creating individual system-assigned identities for each app.
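The arrangement described above, as an added Bicep example that is not part of the original page: one user-assigned managed identity, attached to several App Service apps and granted 'Storage Blob Data Contributor' on each storage account through Azure RBAC. The resource names, parameter names and API versions are assumptions for illustration.

```bicep
// Added example. All names, parameters and API versions are assumptions.
param location string = resourceGroup().location
param planId string                  // resource ID of an existing App Service plan
param storageAccountNames array      // existing storage accounts in this resource group
param appNames array = [
  'app-orders-example'
  'app-billing-example'
]

// Built-in role definition ID for "Storage Blob Data Contributor"
var blobContributorId = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'

// One identity, created once and shared by every app
resource sharedId 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-apps-storage-example'
  location: location
}

resource storages 'Microsoft.Storage/storageAccounts@2023-01-01' existing = [for n in storageAccountNames: {
  name: n
}]

// Azure RBAC: one role assignment per storage account, none per app
resource blobAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (n, i) in storageAccountNames: {
  name: guid(storages[i].id, sharedId.id, blobContributorId)
  scope: storages[i]
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', blobContributorId)
    principalId: sharedId.properties.principalId
    principalType: 'ServicePrincipal'
  }
}]

// Each app references the same identity; no keys or connection strings are stored
resource apps 'Microsoft.Web/sites@2022-09-01' = [for appName in appNames: {
  name: appName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${sharedId.id}': {}
    }
  }
  properties: {
    serverFarmId: planId
    httpsOnly: true
  }
}]
```

Because the identity is shared, every app listed in appNames receives the same permissions on every listed storage account.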

Concept tested. The question tests understanding of: (1) the difference between system-assigned and user-assigned managed identities - user-assigned identities are reusable across multiple resources, reducing administrative effort; (2) using Azure RBAC over storage account access keys or SAS tokens, as RBAC with managed identities eliminates secret management and integrates with Microsoft Entra for centralized governance.

Reference. https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
