Developing Solutions for Microsoft Azure (AZ-204) Practice Exam

Which method of authenticating to Azure Key Vault is generally recommended?

• A. Service principal and certificate
• B. Service principal and secret
• C. Managed identities
• D. Azure AD password

The correct answer is: Managed identities

Using managed identities is the generally recommended method for authenticating to Azure Key Vault because it provides a secure and straightforward way for applications to communicate with Azure services without needing to manage credentials explicitly. Managed identities are automatically created and managed by Azure, which eliminates the burden of handling secrets or other sensitive credentials manually. With managed identities, Azure automatically creates an identity for your application within Azure Active Directory when you activate the managed identity feature. This identity is then used to obtain access tokens that can be used to authenticate to Azure Key Vault or any other Azure service. Since the process of token acquisition is handled by Azure, there is no risk of secret leakage, which often occurs when credentials are stored in code or configuration files. In contrast, other methods such as using service principals with certificates or secrets require the management of those credentials, which can lead to potential security vulnerabilities if not handled correctly. Similarly, using Azure AD passwords for authentication is not recommended for service-to-service authentication scenarios, as it introduces risks related to password expiration and the possibility of interception. By using managed identities, applications can authenticate to Key Vault securely and seamlessly, aligning with best practices for security and operational efficiency in Azure environments.