You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
description: Learn how to create, manage, and grant permissions to service principals, which enable your deployment pipelines to securely authenticate to Azure.
description: Learn how to create, manage, and grant permissions to service principals, which enable your deployment pipelines to securely authenticate to Azure.
- content: You're building a custom deployment agent that runs on an Azure virtual machine that you control. Which of these authentication techniques should the agent use to authenticate and work with Azure resources?
17
-
choices:
18
-
- content: User account
19
-
isCorrect: false
20
-
explanation: Deployment agents run in an unattended mode, so you should never use a user account.
21
-
- content: Service principal
22
-
isCorrect: false
23
-
explanation: A service principal can be used for this purpose, but using a service principal requires that you manage credentials. Because you're running a custom deployment agent on a virtual machine, you should use a managed identity so that you don't have to maintain credentials.
24
-
- content: Managed identity
25
-
isCorrect: true
26
-
explanation: Managed identities are designed for unattended access, and they don't require you work with credentials. Because you're running a custom deployment agent on a virtual machine, you should use a managed identity so that you don't have to maintain credentials.
27
-
- content: You need to create a service principal for a pipeline that deploys your infrastructure to three environments - development, test, and production. Each environment is in a dedicated resource group in three different subscriptions. What should you do?
28
-
choices:
29
-
- content: Create a single service principal and grant it access to the tenant root management group.
30
-
isCorrect: false
31
-
explanation: Although this will work, it's not a good practice to use a single service principal for all of your environments. Additionally, granting access to your tenant root management group will allow the service principal to modify resources anywhere in your Azure environment, which is unnecessarily permissive.
32
-
- content: Create a single service principal and grant it access to each of the resource groups in the three subscriptions.
33
-
isCorrect: false
34
-
explanation: Although this will work, it's not good practice to use a single service principal for all of your environments. At the very least, you should separate production and non-production environments by using two service principals, but a dedicated service principal for each environment is preferred.
35
-
- content: Create three service principals, one per environment, and grant each access to a single resource group in the relevant subscription.
36
-
isCorrect: true
37
-
explanation: When you work with multiple environments, it's best to use dedicated service principals for each environment so that your pipeline can't accidentally change anything in another environment.
38
-
- content: You create a service principal with a key, and you set the key to expire 30 days in the future. What happens after that time?
39
-
choices:
40
-
- content: Nothing - the key will automatically renew.
41
-
isCorrect: false
42
-
explanation: Service principal keys don't automatically renew.
43
-
- content: Your client can no longer authenticate.
44
-
isCorrect: true
45
-
explanation: After a service principal's key has expired, the key can't be used to authenticate. You'll need to issue a new key.
46
-
- content: Your client can authenticate, but it receives a warning that the key has expired.
47
-
isCorrect: false
48
-
explanation: After a service principal's key has expired, the key can't be used to authenticate. You'll need to issue a new key.
49
-
- content: You're creating a service principal to run a pipeline. The pipeline deploys a Bicep template that creates a single storage account. Which of the following options has the least privileged access that you need for your pipeline?
50
-
choices:
51
-
- content: |
52
-
**Role definition:** Contributor<br />
53
-
**Scope:** Subscription
54
-
isCorrect: false
55
-
explanation: The Contributor role is a good one to use. However, you should avoid granting it over the subscription scope unless you need to. In this case, you don't.
56
-
- content: |
57
-
**Role definition:** Contributor<br />
58
-
**Scope:** Resource group
59
-
isCorrect: true
60
-
explanation: The Contributor role is a good one to use. Additionally, it's a good practice to grant it over the resource group, which is all that this pipeline needs.
61
-
- content: |
62
-
**Role definition:** Owner<br />
63
-
**Scope:** Resource group
64
-
isCorrect: false
65
-
explanation: This role assignment is too permissive. You should avoid granting the Owner role unless it's required. In this example, it's not.
- content: You're building a custom deployment agent that runs on an Azure virtual machine that you control. Which of these authentication techniques should the agent use to authenticate and work with Azure resources?
17
+
choices:
18
+
- content: User account
19
+
isCorrect: false
20
+
explanation: Deployment agents run in an unattended mode, so you should never use a user account.
21
+
- content: Service principal
22
+
isCorrect: false
23
+
explanation: A service principal can be used for this purpose, but using a service principal requires that you manage credentials. Because you're running a custom deployment agent on a virtual machine, you should use a managed identity so that you don't have to maintain credentials.
24
+
- content: Managed identity
25
+
isCorrect: true
26
+
explanation: Managed identities are designed for unattended access, and they don't require you work with credentials. Because you're running a custom deployment agent on a virtual machine, you should use a managed identity so that you don't have to maintain credentials.
27
+
- content: You need to create a service principal for a pipeline that deploys your infrastructure to three environments - development, test, and production. Each environment is in a dedicated resource group in three different subscriptions. What should you do?
28
+
choices:
29
+
- content: Create a single service principal and grant it access to the tenant root management group.
30
+
isCorrect: false
31
+
explanation: Although this will work, it's not a good practice to use a single service principal for all of your environments. Additionally, granting access to your tenant root management group will allow the service principal to modify resources anywhere in your Azure environment, which is unnecessarily permissive.
32
+
- content: Create a single service principal and grant it access to each of the resource groups in the three subscriptions.
33
+
isCorrect: false
34
+
explanation: Although this will work, it's not good practice to use a single service principal for all of your environments. At the very least, you should separate production and non-production environments by using two service principals, but a dedicated service principal for each environment is preferred.
35
+
- content: Create three service principals, one per environment, and grant each access to a single resource group in the relevant subscription.
36
+
isCorrect: true
37
+
explanation: When you work with multiple environments, it's best to use dedicated service principals for each environment so that your pipeline can't accidentally change anything in another environment.
38
+
- content: You create a service principal with a key, and you set the key to expire 30 days in the future. What happens after that time?
39
+
choices:
40
+
- content: Nothing - the key will automatically renew.
41
+
isCorrect: false
42
+
explanation: Service principal keys don't automatically renew.
43
+
- content: Your client can no longer authenticate.
44
+
isCorrect: true
45
+
explanation: After a service principal's key has expired, the key can't be used to authenticate. You'll need to issue a new key.
46
+
- content: Your client can authenticate, but it receives a warning that the key has expired.
47
+
isCorrect: false
48
+
explanation: After a service principal's key has expired, the key can't be used to authenticate. You'll need to issue a new key.
49
+
- content: You're creating a service principal to run a pipeline. The pipeline deploys a Bicep template that creates a single storage account. Which of the following options has the least privileged access that you need for your pipeline?
50
+
choices:
51
+
- content: |
52
+
**Role definition:** Contributor<br />
53
+
**Scope:** Subscription
54
+
isCorrect: false
55
+
explanation: The Contributor role is a good one to use. However, you should avoid granting it over the subscription scope unless you need to. In this case, you don't.
56
+
- content: |
57
+
**Role definition:** Contributor<br />
58
+
**Scope:** Resource group
59
+
isCorrect: true
60
+
explanation: The Contributor role is a good one to use. Additionally, it's a good practice to grant it over the resource group, which is all that this pipeline needs.
61
+
- content: |
62
+
**Role definition:** Owner<br />
63
+
**Scope:** Resource group
64
+
isCorrect: false
65
+
explanation: This role assignment is too permissive. You should avoid granting the Owner role unless it's required. In this example, it's not.
0 commit comments