What should you do?

You develop and deploy an Azure Logic app that calls an Azure Function app. The Azure Function app includes an OpenAPl (Swagger) definition and uses an Azure Blob storage account. All resources are secured by using Azure Active Directory (Azure AD).

The Azure Logic app must securely access the Azure Blob storage account. Azure AD resources must remain if the Azure Logic app is deleted.

You need to secure the Azure Logic app.

What should you do?
A . Create an Azure AD custom role and assign role-based access controls.
B. Create an Azure AD custom role and assign the role to the Azure Blob storage account.
C. Create an Azure Key Vault and issue a client certificate.
D. Create a user-assigned managed identity and assign role-based access controls.
E. Create a system-assigned managed identity and issue a client certificate.

View Answer

Answer: D

Explanation:

To give a managed identity access to an Azure resource, you need to add a role to the target resource for that identity.

Note: To easily authenticate access to other resources that are protected by Azure Active Directory (Azure AD) without having to sign in and provide credentials or secrets, your logic app can use a managed identity (formerly known as Managed Service Identity or MSI). Azure manages this identity for you and helps secure your credentials because you don’t have to provide or rotate secrets.

If you set up your logic app to use the system-assigned identity or a manually created, user-assigned identity, the function in your logic app can also use that same identity for authentication.

Reference:

https://docs.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients