A large enterprise uses Azure Active Directory as its identity provider. They want to authenticate users to Vault using Azure AD tokens. However, they require that Vault validate the token's signature and claims without contacting Azure AD every time. Which authentication method should they use?
OIDC can be configured to use cached JWKS keys, allowing offline validation.
Why this answer
Option B (OIDC authentication) is correct because OpenID Connect (OIDC) allows Vault to validate an Azure AD token's signature and claims locally using the provider's JWKS (JSON Web Key Set) endpoint, without requiring a round-trip to Azure AD for every authentication request. This satisfies the requirement for offline token validation while still leveraging Azure AD as the identity provider.
Exam trap
HashiCorp often tests the distinction between OIDC (which supports offline token validation via JWKS) and the Azure auth method (which relies on Azure-specific MSI tokens and requires online calls), leading candidates to mistakenly choose 'Azure authentication' when the question explicitly requires no contact with Azure AD.
How to eliminate wrong answers
Option A is wrong because LDAP authentication is designed for direct binding to an LDAP directory (such as on-premises Active Directory) and cannot validate Azure AD tokens or perform OIDC-based token signature verification. Option C is wrong because token authentication in Vault uses Vault's own internal token system, not external Azure AD tokens, and requires Vault to manage the token lifecycle rather than validate third-party tokens. Option D is wrong because 'Azure authentication' is not a standard Vault auth method; Vault's Azure auth method uses Azure Managed Service Identity (MSI) tokens for VMs, not user Azure AD tokens, and it validates those tokens by calling the Azure Instance Metadata Service (IMDS) or Azure Resource Manager, not by local signature verification.