AZ-104 Managed Identity Practice Questions (With Explanations)
Azure Managed Identity is one of the most frequently tested topics on the AZ-104 exam — and one where candidates most often lose marks. This guide provides practice questions with detailed explanations covering system-assigned vs user-assigned managed identities.
What is Azure Managed Identity?
Managed Identity is a Microsoft Entra ID (formerly Azure Active Directory) feature that gives an Azure resource such as a VM, App Service, Function App or Logic App an identity of its own (a service principal), so it can authenticate to any Azure service that accepts Entra authentication without a credential stored in code or configuration. The resource obtains short-lived access tokens from a local endpoint that only it can reach; the platform owns and rotates the underlying credential.
The problem it solves: traditionally an application that connected to Azure Key Vault needed a client ID plus a client secret (or certificate) stored somewhere on the box. Anything stored can leak (into source control, a configuration backup, a log line, a compromised host), and once leaked it works from anywhere until someone rotates it. Managed Identity removes the stored secret entirely: the resource requests a token for its own Entra ID identity at runtime. The caveat to keep in mind is that the identity is available to any code running on that resource, so whatever role assignments you grant it are the blast radius of a compromise of that resource; keep them at the narrowest scope that works.
Two types:
- System-assigned: created together with a specific Azure resource and deleted with it. A resource can have at most one, and it cannot be moved to another resource.
- User-assigned: created as a standalone Azure resource and then assigned to one or more resources. It survives deletion of the resources that use it and must be deleted explicitly. A resource can carry several user-assigned identities at once, alongside a system-assigned one if it has one.
Practice Questions
Question 1
A company runs a web application on an Azure VM named VM1. The application needs to read secrets from Azure Key Vault. You need to ensure the application can authenticate to Key Vault without storing credentials in the application code.
What should you do?
A) Create a service principal and store the client ID and secret in the application's environment variables
B) Enable a system-assigned managed identity on VM1 and grant it Get permission on the Key Vault secrets
C) Create a user-assigned managed identity, assign it to VM1, and store the identity's client ID in the application code
D) Create an Azure AD application registration and use certificate-based authentication from VM1
Correct Answer: B
Explanation:
Option B is correct. Enabling a system-assigned managed identity on VM1 creates a service principal in Entra ID for which only VM1 can obtain tokens. Grant that identity read access to the vault's secrets: the Get permission on secrets in a Key Vault access policy, or, on a vault that uses Azure RBAC, the Key Vault Secrets User role at the vault scope. The application then requests a token for https://vault.azure.net from the VM's local instance metadata endpoint (the Azure SDK does this for you) and calls Key Vault with that token; no credential is stored anywhere.
Option A is incorrect — storing credentials in environment variables is the problem that Managed Identity solves.
Option C would work but is not the best answer. A user-assigned identity is the right tool when several resources must share one identity; for a single VM it is extra administration. Note that a managed identity's client ID is a public identifier, not a credential, so holding it is not what disqualifies the option: when the VM has only one managed identity the token request needs no client ID at all, and when one is needed it belongs in configuration (for example an AZURE_CLIENT_ID setting), not in code.
Option D is incorrect: certificate-based authentication still leaves a credential (the private key) on VM1 that must be provisioned, protected and rotated, which is exactly what the question asks you to avoid.
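The Question 1 procedure end to end, as an added Az PowerShell example that is not part of the original page: the first half runs from an administrator's workstation, the second half runs inside the VM and shows the token exchange that the intro describes. The resource group, VM, vault and secret names are assumed, and the vault is assumed to use Azure RBAC rather than access policies.

```powershell
# Added example (not from the original page). Assumed names: resource group 'rg-app',
# VM 'VM1', Key Vault 'kv-app' (RBAC permission model), secret 'DbPassword'.

# --- Part 1: operator side (Az.Compute, Az.KeyVault, Az.Resources) ---
$rg     = 'rg-app'
$vmName = 'VM1'
$kvName = 'kv-app'

# Turn on the system-assigned identity. Azure creates a service principal in Entra ID
# whose lifecycle is bound to this VM.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null

# Re-read the VM to pick up the identity's object (principal) ID.
$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId

# Grant the narrowest data-plane role that lets the app read secrets.
# Key Vault Secrets User = get/list secret values; it cannot set, delete or purge.
# On a vault that still uses access policies, use instead:
#   Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $principalId -PermissionsToSecrets get
$kv = Get-AzKeyVault -VaultName $kvName
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope $kv.ResourceId | Out-Null
# RBAC changes can take a few minutes to propagate; a 403 right after this is normal.

# --- Part 2: inside VM1. Any process on the VM can do this; no secret is involved. ---
# IMDS is link-local and reachable only from the VM itself. The Metadata header is
# mandatory, which blocks naive SSRF relays that cannot set request headers.
# If the VM uses a web proxy, 169.254.169.254 must bypass it.
$resource = [uri]::EscapeDataString('https://vault.azure.net')
$imds = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$resource"
$tok  = Invoke-RestMethod -Method GET -Uri $imds -Headers @{ Metadata = 'true' }

# The response carries a short-lived bearer token; expires_on is a Unix timestamp.
$expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$tok.expires_on)
Write-Host "Token for $($tok.resource) valid until $expires (client_id $($tok.client_id))"

# Call the Key Vault data plane directly; the SDK's SecretClient does exactly this.
$secretUri = "https://$kvName.vault.azure.net/secrets/DbPassword?api-version=7.4"
$secret = Invoke-RestMethod -Method GET -Uri $secretUri `
    -Headers @{ Authorization = "Bearer $($tok.access_token)" }
$secret.value   # the secret string; use it, never log it
```

Part 2 is also the quickest way to confirm a role assignment took effect: if the IMDS call succeeds but the Key Vault call returns 403, the identity exists but the assignment has not propagated or is at the wrong scope.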
Question 2
Your organisation has 15 Azure VMs that all need to access the same Azure Storage account and Azure Key Vault. You need to minimise administrative overhead when managing permissions.
Which managed identity approach should you use?
A) Enable a system-assigned managed identity on each of the 15 VMs
B) Create a single user-assigned managed identity and assign it to all 15 VMs
C) Enable a system-assigned managed identity on one VM and share its credentials with the others
D) Create 15 separate user-assigned managed identities, one per VM
Correct Answer: B
Explanation:
Option B is correct. A user-assigned managed identity is created once and assigned to all 15 VMs. Role assignments on the storage account and the Key Vault are made once, on that single identity, and every VM that carries the identity can obtain tokens for it. A permission change is one edit, and the identity and its assignments survive any individual VM being rebuilt.
Option A would require granting permissions to 15 separate identities — every time permissions need to change, you update 15 identities.
Option C is not a supported configuration. Azure never exposes a system-assigned identity's credential; the only thing a VM ever receives is short-lived access tokens from its own local endpoint, and copying those tokens to other machines is credential theft, not identity sharing. The identity itself is bound to one resource and cannot be attached to another.
Option D multiplies the administrative overhead of Option A without providing additional security benefit.
Rule to remember: User-assigned managed identity = multiple resources sharing one identity. System-assigned = one identity per resource, lifecycle tied to that resource.
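The Question 2 setup as an added Az PowerShell example (not code from the original page). The resource group, identity, VM, storage account and vault names are assumed; the VMs are assumed to have no managed identity yet.

```powershell
# Added example (not from the original page). Assumed names: resource group 'rg-fleet',
# identity 'id-fleet-workers', VMs 'VM01'..'VM15', storage account 'stfleetdata', Key Vault 'kv-fleet'.
$rg = 'rg-fleet'

# 1. One identity, created once. It is a standalone ARM resource with its own lifecycle
#    (Az.ManagedServiceIdentity module).
$uami = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'id-fleet-workers' -Location 'westeurope'

# 2. Grant permissions ONCE, to the identity's principal ID, scoped to the specific resources
#    rather than the subscription. Least privilege is what keeps a shared identity acceptable:
#    a compromise of any one of the 15 VMs yields exactly these rights and no more.
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stfleetdata'
$kv      = Get-AzKeyVault -VaultName 'kv-fleet'
New-AzRoleAssignment -ObjectId $uami.PrincipalId -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $storage.Id | Out-Null
New-AzRoleAssignment -ObjectId $uami.PrincipalId -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope $kv.ResourceId | Out-Null

# 3. Attach the same identity to every VM. Nothing is copied between VMs: each VM's local
#    token endpoint simply becomes able to mint tokens for this identity.
#    (If a VM already has a system-assigned identity and you want to keep it,
#     use -IdentityType SystemAssignedUserAssigned instead.)
$vmNames = 1..15 | ForEach-Object { 'VM{0:d2}' -f $_ }
foreach ($name in $vmNames) {
    $vm = Get-AzVM -ResourceGroupName $rg -Name $name
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType UserAssigned -IdentityId $uami.Id | Out-Null
}

# 4. Verify: every VM lists this one identity. Note that no role assignment lives on the VMs.
Get-AzVM -ResourceGroupName $rg | Where-Object { $_.Name -in $vmNames } |
    ForEach-Object { '{0}: {1}' -f $_.Name, ($_.Identity.UserAssignedIdentities.Keys -join ',') }

# Inside any of the VMs, the only difference from the system-assigned case is that the request
# names the identity when the VM carries more than one (client_id here; object_id or mi_res_id also work):
#   $imds = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01' +
#           "&resource=https%3A%2F%2Fstorage.azure.com%2F&client_id=$($uami.ClientId)"
#   Invoke-RestMethod -Uri $imds -Headers @{ Metadata = 'true' }
```

Changing what the fleet may do is now a single New-AzRoleAssignment or Remove-AzRoleAssignment against $uami.PrincipalId; the VMs are not touched.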
Question 3
An Azure Function App processes data and needs to write results to an Azure SQL Database. The database administrator wants to avoid creating SQL authentication accounts.
What should the developer configure?
A) Create a service principal with a client secret and configure the Function App connection to use it
B) Use the Function App's system-assigned managed identity and add it as a database user in Azure SQL
C) Create an Azure AD group, add the Function App's managed identity, and grant the group the SQL DB Contributor role
D) Enable Azure AD authentication on the SQL Database and create a local SQL login for the Function App
Correct Answer: B
Explanation:
Option B is correct. The process:
- Enable the system-assigned managed identity on the Function App.
- Connected to the database as the server's Entra ID admin (this statement cannot be run over a SQL-authenticated login), create a contained database user for the identity and add it to the role it needs:

```sql
CREATE USER [FunctionAppName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datawriter ADD MEMBER [FunctionAppName];
```

For a system-assigned identity the user name is the Function App's name; for a user-assigned identity it is the name of the identity resource.
The Function App's connection string then selects managed identity authentication (with Microsoft.Data.SqlClient, Authentication=Active Directory Managed Identity) and contains no password or secret at all.
Option A uses a credential (the client secret), the opposite of what we want.
Option C is incorrect: SQL DB Contributor is an Azure RBAC role for managing the database resource through Azure Resource Manager; it creates no database user and grants no access to the data.
Option D's "local SQL login" is SQL authentication, which uses a password; the DBA specifically wants to avoid this.
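The Question 3 procedure as an added example using Az PowerShell and the SqlServer module (Invoke-Sqlcmd with -AccessToken needs SqlServer 21.1.18102 or later); it is not code from the original page. The resource group, Function App, logical server and database names are assumed, and the operator running it is assumed to be the server's Entra ID administrator.

```powershell
# Added example (not from the original page). Assumed names: resource group 'rg-data',
# Function App 'func-etl', logical server sql-etl.database.windows.net, database 'etl'.
$rg      = 'rg-data'
$appName = 'func-etl'
$server  = 'sql-etl.database.windows.net'
$db      = 'etl'

# 1. Give the Function App a system-assigned identity (Az.Functions module).
Update-AzFunctionApp -ResourceGroupName $rg -Name $appName -IdentityType SystemAssigned -Force | Out-Null

# 2. Create the contained database user. This must be run by the server's Entra admin while
#    connected with Entra authentication; a SQL-authenticated login cannot create external users.
#    The user name is the Function App's name for a system-assigned identity (for a user-assigned
#    identity it would be the identity resource's name).
$adminToken = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net/').Token
$tsql = @"
CREATE USER [$appName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datawriter ADD MEMBER [$appName];
ALTER ROLE db_datareader ADD MEMBER [$appName];  -- only if the app also needs to read
"@
Invoke-Sqlcmd -ServerInstance $server -Database $db -AccessToken $adminToken -Query $tsql

# 3. Connection string for the app: no password anywhere. Keep it in app settings, not in code.
#    (Microsoft.Data.SqlClient syntax; for a user-assigned identity add "User Id=<client-id>;".)
$conn = "Server=tcp:$server,1433;Database=$db;Authentication=Active Directory Managed Identity;Encrypt=True;"
Update-AzFunctionAppSetting -ResourceGroupName $rg -Name $appName `
    -AppSetting @{ 'SqlConnection' = $conn } -Force | Out-Null

# 4. Check, from the database's point of view, which principal actually connects. Run this inside
#    the Function App (for example a PowerShell function), where the platform sets IDENTITY_ENDPOINT
#    and IDENTITY_HEADER instead of exposing IMDS:
#   $uri = "$($env:IDENTITY_ENDPOINT)?resource=https%3A%2F%2Fdatabase.windows.net%2F&api-version=2019-08-01"
#   $t   = Invoke-RestMethod -Uri $uri -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
#   Invoke-Sqlcmd -ServerInstance $server -Database $db -AccessToken $t.access_token `
#       -Query 'SELECT SUSER_SNAME() AS who, USER_NAME() AS db_user;'
#   The result should name the Function App, not a SQL login or a human admin.
```

Step 4 is the check worth keeping in a runbook: it proves the app connects as its own identity with only db_datawriter, and that nobody quietly fell back to an admin account in the connection string.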
Question 4
You delete an Azure VM that had a system-assigned managed identity. Three weeks later, you redeploy an identically named VM and enable a system-assigned managed identity on it.
What is the relationship between the new VM's managed identity and the deleted VM's managed identity?
A) The new VM inherits the same managed identity as the deleted VM, including all its role assignments
B) The new VM receives a completely new managed identity with a new object ID and no role assignments
C) The old managed identity is recovered from a 30-day soft-delete bin and reattached to the new VM
D) Azure prevents the new VM from using the same name because the identity is still active
Correct Answer: B
Explanation:
Option B is correct. When a system-assigned managed identity is deleted along with its resource it is gone for good; there is no soft delete or recovery for it. When you create a new VM with the same name and enable a managed identity, Azure creates a brand-new service principal with a new object ID in Entra ID; the resource name plays no part in identity. The old role assignments are not removed either: they linger as entries that point at a principal that no longer exists (shown with ObjectType Unknown) until you delete them, and they grant nothing to the new VM.
This is a critical operational consideration: if you delete and recreate VMs (common in infrastructure-as-code environments), you must re-grant all necessary permissions to the new identity.
This is one reason why user-assigned managed identities are preferred for resources that may be recreated — the user-assigned identity persists through resource deletion and recreation.
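What Question 4 looks like operationally, as an added Az PowerShell example that is not from the original page: capture the identity's roles before the VM goes, prove the redeployed VM has a different principal, clean up the orphaned assignments and re-grant. The resource group, VM and vault names are assumed; the script only tracks assignments at the vault scope, so assignments the old identity held elsewhere would need the same treatment at each of their scopes.

```powershell
# Added example (not from the original page). Assumed names: resource group 'rg-app',
# VM 'VM1', Key Vault 'kv-app'. Only the vault scope is tracked here.
$rg = 'rg-app'; $vmName = 'VM1'
$scope = (Get-AzKeyVault -VaultName 'kv-app').ResourceId

# Before deleting VM1, record the identity's object ID and the roles it held at this scope.
$oldId    = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId
$oldRoles = Get-AzRoleAssignment -ObjectId $oldId -Scope $scope |
    Select-Object -ExpandProperty RoleDefinitionName

# ... VM1 is deleted; three weeks later it is redeployed under the same name
#     with a system-assigned identity enabled ...

# The new identity is a different principal. The VM name is irrelevant to Entra ID.
$newId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId
"Old principal: $oldId`nNew principal: $newId`nSame? $($oldId -eq $newId)"   # Same? False

# The old assignments did not disappear. They remain as ObjectType 'Unknown' (deleted principal):
# they grant nothing, but they clutter access reviews and count toward the subscription's
# role-assignment limit, so remove them.
Get-AzRoleAssignment -Scope $scope | Where-Object { $_.ObjectType -eq 'Unknown' } |
    ForEach-Object {
        Write-Host "Removing orphaned $($_.RoleDefinitionName) for deleted principal $($_.ObjectId)"
        Remove-AzRoleAssignment -ObjectId $_.ObjectId -RoleDefinitionName $_.RoleDefinitionName -Scope $_.Scope
    }

# Re-grant the recorded roles to the new principal. In an IaC pipeline this step must be part of
# the deployment, because nothing else will do it.
foreach ($role in $oldRoles) {
    New-AzRoleAssignment -ObjectId $newId -RoleDefinitionName $role -Scope $scope | Out-Null
}
```

If VM1 had used a user-assigned identity instead, the middle of this script would be empty: the principal ID before and after is the same and nothing needs re-granting, which is the point made in the paragraph above.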
Question 5
An Azure Function App processes data and needs to write results to both Azure Blob Storage and Azure Cosmos DB. The Function App is part of a disaster recovery setup where an identical Function App runs in a secondary region.
Which managed identity configuration minimises administrative overhead while maintaining secure access?
A) Enable system-assigned managed identities on both Function Apps and grant each identity individual permissions
B) Create a user-assigned managed identity, assign it to both Function Apps, and grant permissions to the single identity
C) Create two user-assigned managed identities (one per region) and assign each to the respective Function App
D) Use connection strings stored in Azure Key Vault for both Function Apps
Correct Answer: B
Explanation:
Option B is correct and demonstrates the key use case for user-assigned managed identities: multiple resources sharing one identity. Both Function Apps get the same identity, so the Blob Storage and Cosmos DB permissions are configured once, and after a failover the secondary app authenticates as exactly the same principal as the primary did. One practical detail: for Blob Storage the permission is an Azure RBAC data role on the storage account, whereas for the Cosmos DB NoSQL API data-plane access is granted through Cosmos DB's own role assignments, not Azure RBAC.
Option A creates two separate identities requiring two sets of role assignments.
Option C is a valid DR pattern for isolation but the question asks for minimum overhead — Option B wins on that criterion.
Option D uses connection strings: better than hardcoding, but the string is still a secret that must be rotated, and each Function App needs an identity to read it from Key Vault in the first place. Managed identity against the data services themselves is the preferred zero-credential approach.
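The Question 5 setup as an added Az PowerShell example (not code from the original page), concentrating on what differs from the VM fleet case: attaching a user-assigned identity to Function Apps in two regions, pinning the SDK to that identity, and the two different kinds of data-plane grant (Azure RBAC for Blob Storage, Cosmos DB native role assignment for Cosmos DB). The resource group, identity, app, storage and Cosmos account names are assumed.

```powershell
# Added example (not from the original page). Assumed names: resource group 'rg-dr',
# identity 'id-etl-shared', Function Apps 'func-etl-weu' (primary) and 'func-etl-neu' (DR),
# storage account 'stetlresults', Cosmos DB (NoSQL API) account 'cosmos-etl'.
$rg   = 'rg-dr'
$uami = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'id-etl-shared' -Location 'westeurope'

# The identity is a regional resource, but resources in any region can carry it.
foreach ($app in 'func-etl-weu', 'func-etl-neu') {
    Update-AzFunctionApp -ResourceGroupName $rg -Name $app -IdentityType UserAssigned `
        -IdentityID $uami.Id -Force | Out-Null
    # Pin the Azure SDK (DefaultAzureCredential / ManagedIdentityCredential) to this identity.
    # Without it, a token request names no identity; once a second identity is attached
    # (a system-assigned one, for instance) that request no longer means what you intended.
    Update-AzFunctionAppSetting -ResourceGroupName $rg -Name $app `
        -AppSetting @{ AZURE_CLIENT_ID = $uami.ClientId } -Force | Out-Null
}

# Blob Storage: Azure RBAC data-plane role on the account, assigned once.
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stetlresults'
New-AzRoleAssignment -ObjectId $uami.PrincipalId -RoleDefinitionName 'Storage Blob Data Contributor' `
    -Scope $storage.Id | Out-Null

# Cosmos DB NoSQL API: data-plane access is NOT an Azure RBAC role. The built-in
# 'Cosmos DB Built-in Data Contributor' definition has the fixed ID ending in 0002 and is
# granted with Cosmos DB's own role assignment (Az.CosmosDB), scoped here to the whole account.
New-AzCosmosDBSqlRoleAssignment -ResourceGroupName $rg -AccountName 'cosmos-etl' `
    -RoleDefinitionId '00000000-0000-0000-0000-000000000002' -Scope '/' `
    -PrincipalId $uami.PrincipalId | Out-Null

# Failover check: both apps must resolve to the same principal. Inside either app, App Service
# exposes IDENTITY_ENDPOINT/IDENTITY_HEADER instead of IMDS, and client_id selects the identity:
#   $uri = "$($env:IDENTITY_ENDPOINT)?resource=https%3A%2F%2Fstorage.azure.com%2F" +
#          "&api-version=2019-08-01&client_id=$($env:AZURE_CLIENT_ID)"
#   (Invoke-RestMethod -Uri $uri -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }).client_id
#   Both regions return $uami.ClientId.
```

Because the grants sit on $uami.PrincipalId and not on either app, a DR test that rebuilds the secondary Function App from scratch changes nothing about its permissions: re-attach the identity and it is back in business.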
Key AZ-104 Facts to Memorise
| Feature | System-assigned | User-assigned |
|---|---|---|
| Created with | The Azure resource | Independently, as its own resource |
| Lifecycle | Deleted with the resource | Persists after resource deletion; must be deleted explicitly |
| Sharing | One resource only | Can be assigned to multiple resources |
| Identities per resource | At most one | Any number (alongside a system-assigned one) |
| Object ID | New on every create | Stable |
| Token request | No client ID needed | client_id (or object_id / mi_res_id) when more than one identity is attached |
| Best for | Single resource, simple cases | Multi-resource, DR and frequently rebuilt resources |