While preparing for the AZ-305 Designing Microsoft Azure Infrastructure Solutions exam, many candidates struggle with questions about secure, governable access to Azure Key Vault. In the enterprise world the decision usually comes down to balancing strict auditing and governance requirements against flexible access for developers and testers. Let's drill into a simulated hybrid enterprise identity scenario.
The Scenario #
Tailwind Traders is a multinational retail company migrating several legacy web applications to Azure App Service. Each App Service instance accesses sensitive encryption keys stored in Azure Key Vault to protect customer data. There are multiple internal teams with differing security and operational needs:
- The Security Team must audit and review all key access permissions regularly and generate historical access change reports to pass compliance audits.
- The Development Team requires a seamless way to access Key Vault secrets without managing credentials or keys manually during development and deployment.
- The Quality Assurance (QA) Team needs temporary privileged access to configure and test the staging App Service environments, but only for limited periods.
Key Requirements #
Design an identity and access management solution that best addresses Tailwind Traders’ needs by recommending the appropriate Azure services or features for each team’s requirement.
The Options #
- A) Azure AD Privileged Identity Management (PIM)
- B) Azure Managed Identities
- C) Azure AD Identity Protection
- D) Conditional Access Policies
- E) Access Reviews
- F) Shared Access Signature (SAS)
Correct Answer #
Security Team: E) Access Reviews
Development Team: B) Azure Managed Identities
QA Team: A) Azure AD Privileged Identity Management (PIM)
The Architect’s Analysis #
Step-by-Step Winning Logic #
- Security Team - Access Reviews (E): Azure AD Access Reviews let resource owners or designated reviewers periodically confirm or revoke the group memberships and role assignments that grant access to the vault, and every review's decisions and outcomes are recorded. That gives the Security Team the recurring attestation and permission-change history that compliance audits ask for, aligned to Cloud Adoption Framework (CAF) governance controls. One caveat a practitioner should remember: Access Reviews govern who holds a permission, not who used it. To prove which principal read which secret, also enable Key Vault diagnostic settings (the AuditEvent category) and retain those logs.
- Development Team - Managed Identities (B): A managed identity gives the App Service an Azure AD identity whose credentials the platform issues and rotates. The app requests a token from its local identity endpoint (the Azure SDK's DefaultAzureCredential does this automatically) and presents it to Key Vault, so no connection string, client secret or certificate sits in app settings, pipeline variables or source control. The identity still needs an authorization: with the vault's Azure RBAC permission model, assign it the built-in Key Vault Secrets User role scoped to that one vault rather than a broad role, so least privilege is preserved while CI/CD and developer workflows stay seamless.
- QA Team - Azure AD PIM (A): QA needs elevated rights only while configuring the staging environment. With PIM, the QA group is made eligible for a role on the staging vault (for example Key Vault Administrator) rather than holding it permanently. Activation is just-in-time and time-bound, with a maximum duration per activation, and can require MFA, a justification and approval; every activation is logged. When the window lapses the privilege is removed automatically, so nobody has to remember to revoke it, which is the principle of least privilege applied to test phases.
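The three controls above can be checked against what the vault actually records. The following Python is added here as an illustration; it is not part of the original page, nor Microsoft or Tailwind Traders tooling. It reads Key Vault AuditEvent records (constructed by hand below, using the field layout of Key Vault diagnostic logs) and flags two things the design forbids: a human reading secrets outside an active PIM window, and any principal that is not in the inventory of App Service managed identities. The object IDs, vault name, PIM activation window and principal inventory are all hypothetical.

```python
"""Check Key Vault AuditEvent records against the intended access design.

Added example for this page, not Microsoft or Tailwind Traders code. Every
record, object ID, vault name and PIM window below is constructed by hand; the
record layout follows the shape of Key Vault diagnostic logs (category
AuditEvent) as exported to a storage account or Log Analytics.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Design inventory (hypothetical object IDs): App Service managed identities that
# may reach the vault non-interactively, and humans who may only reach it through
# a PIM activation.
APP_SERVICE_IDENTITIES = {
    "11111111-1111-1111-1111-111111111111": "app-orders-prod (system-assigned MI)",
    "22222222-2222-2222-2222-222222222222": "app-catalog-prod (system-assigned MI)",
}
PIM_ELIGIBLE_HUMANS = {
    "33333333-3333-3333-3333-333333333333": "qa.engineer@tailwindtraders.example",
}


@dataclass(frozen=True)
class Activation:
    """One PIM activation window for a human principal (constructed)."""
    oid: str
    start: datetime
    end: datetime


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed: QA activated a staging role from 09:00 to 11:00 UTC on 6 May 2024.
PIM_ACTIVATIONS = [
    Activation("33333333-3333-3333-3333-333333333333", utc(2024, 5, 6, 9, 0), utc(2024, 5, 6, 11, 0)),
]

# Operations that touch secret or key material; vault metadata reads are ignored.
SENSITIVE_OPS = {"SecretGet", "SecretList", "SecretSet", "KeyGet", "KeyDecrypt", "KeySign", "KeyUnwrap"}


def parse_time(value):
    """Key Vault stamps records in ISO 8601 UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(record):
    """Return None when the access fits the design, otherwise a finding string."""
    # Denied calls deserve their own alert; here we only ask whether granted
    # access matches the design.
    if record.get("category") != "AuditEvent" or record.get("resultType") != "Success":
        return None
    op = record["operationName"]
    if op not in SENSITIVE_OPS:
        return None
    claims = record["identity"]["claim"]
    oid = claims.get("oid")
    when = parse_time(record["time"])
    target = record["properties"]["id"]
    if oid in APP_SERVICE_IDENTITIES:
        return None  # expected: a workload using its managed identity
    if oid in PIM_ELIGIBLE_HUMANS:
        if any(a.oid == oid and a.start <= when <= a.end for a in PIM_ACTIVATIONS):
            return None  # expected: QA acting inside an approved, time-bound activation
        return f"{record['time']} {PIM_ELIGIBLE_HUMANS[oid]} ran {op} on {target} outside any PIM activation"
    return (f"{record['time']} unknown principal oid={oid} appid={claims.get('appid')} "
            f"ran {op} on {target} from {record.get('callerIpAddress')}")


def triage(records):
    """Return the list of findings for a batch of AuditEvent records."""
    return [finding for finding in map(classify, records) if finding]


def _record(time, op, oid, appid, target, ip, result="Success"):
    # Build one constructed record in the AuditEvent layout.
    return {
        "time": time,
        "category": "AuditEvent",
        "operationName": op,
        "resultType": result,
        "callerIpAddress": ip,
        "identity": {"claim": {"oid": oid, "appid": appid}},
        "properties": {"id": target},
    }


VAULT = "https://kv-tailwind-prod.vault.azure.net"  # hypothetical vault
SAMPLE_RECORDS = [  # constructed sample data, not real telemetry
    _record("2024-05-06T10:15:00Z", "SecretGet", "11111111-1111-1111-1111-111111111111",
            "aaaaaaaa-0000-0000-0000-000000000001", f"{VAULT}/secrets/OrdersDbConnection", "10.1.0.4"),
    _record("2024-05-06T10:30:00Z", "SecretGet", "33333333-3333-3333-3333-333333333333",
            None, f"{VAULT}/secrets/StagingApiKey", "203.0.113.10"),
    _record("2024-05-06T14:02:00Z", "SecretGet", "33333333-3333-3333-3333-333333333333",
            None, f"{VAULT}/secrets/OrdersDbConnection", "203.0.113.10"),
    _record("2024-05-06T14:05:00Z", "VaultGet", "33333333-3333-3333-3333-333333333333",
            None, VAULT, "203.0.113.10"),
    _record("2024-05-07T02:41:00Z", "KeyDecrypt", "99999999-9999-9999-9999-999999999999",
            "bbbbbbbb-0000-0000-0000-000000000002", f"{VAULT}/keys/CustomerDataKek", "198.51.100.7"),
    _record("2024-05-07T02:42:00Z", "SecretGet", "99999999-9999-9999-9999-999999999999",
            "bbbbbbbb-0000-0000-0000-000000000002", f"{VAULT}/secrets/OrdersDbConnection", "198.51.100.7", "Forbidden"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Run against the sample batch, the check is silent for the managed identity's read and for QA's read inside the activation window, and raises exactly two findings: QA's afternoon read after the PIM window closed, and a successful KeyDecrypt by a principal that is neither a known managed identity nor a PIM-eligible human. In practice the inventory would be exported from the role assignments that Access Reviews attest, and the activation list from PIM's schedule instances, so the same logic closes the loop between what was approved and what was used.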
The Traps (Distractor Analysis) #
- Why not Azure AD Identity Protection (C)? It detects user and sign-in risk (leaked credentials, anomalous sign-ins) and feeds that signal into risk-based Conditional Access and MFA policies. It does not grant, time-bound or review permissions on Key Vault.
- Why not Conditional Access Policies (D)? Conditional Access enforces sign-in controls such as MFA, compliant device or allowed locations based on conditions. It complements a design like this one, but it provides neither just-in-time privilege elevation nor periodic access reviews.
- Why not Shared Access Signature (SAS) (F)? SAS tokens are an Azure Storage mechanism (blobs, files, queues, tables) signed with a storage account key. Key Vault authenticates callers with Azure AD only, so SAS neither grants Key Vault access nor ties that access to an identity you could review.
The Architect Blueprint #
Diagram (Mermaid, not reproduced here): how the three teams interact with the Key Vault and the identity services. The Security Team uses Access Reviews to govern and audit Key Vault access, the Development Team uses Managed Identities for passwordless access, and the QA Team requests temporary access through Azure AD PIM.
The Decision Matrix (Expert Level) #
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) Azure AD PIM | Medium | Low to Moderate (requires Azure AD P2) | Just-in-time, time-bound privileged access with approval and activation audit | Requires P2 licensing; setup overhead for eligibility and approval workflows |
| B) Azure Managed Identities | Low | Free | Removes stored credentials; the platform issues and rotates them | Only for workloads running on Azure resources that support it (App Service, Functions, VMs, etc.) |
| C) Azure AD Identity Protection | Medium | Moderate (requires Azure AD P2) | Detects user and sign-in risk and can drive risk-based policies | Not a Key Vault access governance tool |
| D) Conditional Access | Low to Medium | Requires Azure AD P1 | Enforces sign-in controls based on conditions | Does not govern privilege or run access reviews |
| E) Access Reviews | Medium | Included with Azure AD P2 | Periodic attestation of access with recorded decisions for compliance | Requires P2; reviews who holds permissions, not individual secret reads |
| F) Shared Access Signature | Low | Free | Time-bound, granular delegated access to Azure Storage | Not applicable to Key Vault |
Real-World Practitioner Insight #
Exam Rule #
For the exam, reach for Azure AD PIM and Access Reviews whenever the requirements call for controlled, time-bound, auditable privileged access. Managed Identities are the default answer for any Azure-hosted workload that needs non-interactive authentication without storing secrets.
Real World #
In practice, organizations with strict compliance demands stand up governance controls using Access Reviews combined with just-in-time elevation through PIM, and back both with Key Vault diagnostic logging so that approved access can be compared with actual access. Development teams improve their security posture most by eliminating shared secrets through Managed Identities, which aligns with the CAF operational excellence guidance.