SC-100 Certification Practice Question #255

Question

You have an Azure subscription that contains a web app named App1. App1 uses a Microsoft Entra user account named SRV1 as a service account to authenticate to an Azure SQL database named DB1.

You discover that a developer accessed DB1 directly by using SRV1.

You need to recommend a secure authentication method that will prevent credential misuse outside of App1. The solution must minimize administrative effort.

What should you recommend?

Accepted Answer

The problem is that a shared Entra service-account (SRV1) can be used by a developer to log in to DB1 directly, i.e. the credential is reusable outside App1. A managed identity removes the standalone, reusable credential entirely: App1 authenticates to DB1 with an Azure-managed identity that has no password a developer can take and use elsewhere, and Azure rotates it automatically — satisfying both "prevent credential misuse outside of App1" and "minimize administrative effort." MS Learn explicitly positions managed identity as the turnkey, secret-less way for an Azure web app to authenticate to Azure SQL. The alternatives fail: gMSA and dMSA are Windows Server / on-premises AD service-account types that don't apply to an Azure web app authenticating to Azure SQL via Entra, and a federated identity credential targets external workload-identity federation scenarios (extra setup, not minimal effort). Suggested Answer, Most Voted, the top comment, and MS Learn all converge on A.

More SC-100 practice questions