While preparing for the AZ-305, many candidates struggle with choosing the right identity strategy for Azure compute resources. In the enterprise world, this decision often hinges on balancing security governance, operational efficiency, and scalability. Let’s drill into a simulated enterprise hybrid-cloud scenario.
The Scenario #
Northwind Solutions is a global manufacturing company modernizing its legacy applications by migrating to Azure virtual machines (VMs). Their flagship application, named FactoryOps, currently runs on 5 Azure VMs with plans to scale out over time. These VMs must securely access Azure Key Vault to retrieve secrets, Azure Logic Apps for workflows, and an Azure SQL database. For security and compliance, FactoryOps VMs cannot store any secrets or certificates locally.
Northwind also requires that as they add more VMs, they avoid manual reconfiguration of role assignments or credentials on each VM to minimize administrative overhead and operational risk. Moreover, the VMs must authenticate natively with Azure AD, consolidating identity management within the enterprise鈥檚 hybrid identity strategy.
Key Requirements #
- Provide secure, scalable Azure AD identity for the FactoryOps VMs to access Azure resources.
- Prevent storing credentials, secrets, or certificates on any VM.
- Avoid reassigning or reconfiguring role permissions with each VM added.
- Minimize ongoing management overhead for identity lifecycle and governance.
The Options #
- A) Use system-assigned managed identities on each VM.
- B) Create and configure service principals using certificates for authentication.
- C) Configure service principals using client secrets for authentication.
- D) Use user-assigned managed identities shared across the VMs.
Correct Answer #
D) Use user-assigned managed identities shared across the VMs.
Step-by-Step Winning Logic #
User-assigned managed identities (UAMI) are Azure AD identities that exist independently of the lifecycle of any single VM. This means you create one managed identity resource and assign it to multiple VMs in your FactoryOps service. This gives you:
- Scalability: Easily assign additional VMs to the same managed identity without needing to recreate or manage new credentials.
- Security: No secrets or certificates are stored on the VM; Azure AD automatically issues tokens securely.
- Governance: You maintain granular Role-Based Access Control (RBAC) on the managed identity, which applies to all VMs using it, reducing sprawl and administration.
- Operational Excellence: Drastically reduces overhead when scaling out VMs as roles and permissions are managed in one place.
This aligns with Microsoft鈥檚 Well-Architected Framework pillars:
- Security: Minimizes credential exposure risks.
- Reliability: Consistent and repeatable identity management.
- Operational Excellence: Simplified lifecycle management.
- Cost Optimization: Avoids expensive manual overhead.
馃拵 The Architect’s Deep Dive: Why Options Fail #
The Trap (Distractor Analysis) #
- Why not A, system-assigned managed identity? Each VM gets a unique managed identity, so you must assign roles repeatedly when adding VMs, increasing management complexity.
- Why not B, service principal with certificates? Requires manual certificate management on each VM, leads to secret sprawl and higher administrative effort.
- Why not C, service principal with client secrets? Storing client secrets on VMs violates security best practices; also adds complexity for rotation and provisioning.
The Architect Blueprint #
- Mermaid Diagram illustrating how multiple VMs share a single user-assigned managed identity to access Azure services securely:*
graph TD
subgraph Azure
UAMI[User-Assigned Managed Identity]
KV[Azure Key Vault]
LA[Azure Logic Apps]
SQL[Azure SQL Database]
end
VM1[VM 1] -->|uses| UAMI
VM2[VM 2] -->|uses| UAMI
VM3[VM 3] -->|uses| UAMI
UAMI --> KV
UAMI --> LA
UAMI --> SQL
style UAMI fill:#0078D4,stroke:#333,color:#fff
style KV fill:#5C2D91,stroke:#333,color:#fff
style LA fill:#5A5A5A,stroke:#333,color:#fff
style SQL fill:#0078D4,stroke:#333,color:#fff
Diagram Note:
Multiple VMs securely authenticate to Azure resources using a centrally managed user-assigned managed identity, simplifying permissions and operational governance.
The Decision Matrix #
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) System-assigned managed identity | Low | No additional cost | Easy to enable per VM, no credentials stored | Repetitive role assignment; does not scale well for many VMs |
| B) Service principal with certificate | High | Cost of cert management & rotation | Detailed control over identity lifecycle | Complex cert management; secrets on VM; operational overhead |
| C) Service principal with client secret | Medium | Low | Familiar approach, supported widely | Secrets stored on VM; security risk; rotation overhead |
| D) User-assigned managed identity | Medium | Small marginal cost for identity resource | Centralized management; scalable; no secrets on VM; aligns with governance | Slight initial setup; requires RBAC planning |
Real-World Practitioner Insight #
Exam Rule #
“For the exam, always pick user-assigned managed identities when the scenario requires scalable identity management across multiple VMs without storing credentials locally.”
Real World #
“In production, enterprises routinely use user-assigned managed identities to simplify hybrid identity governance and maintain consistent RBAC policies spanning thousands of VMs鈥攅specially in hybrid cloud environments leveraging Azure Arc.”