A web app running in Azure App Service must upload files to a blob container. The team wants to avoid storing any secrets in application settings and wants the app to authenticate without a password or access key. What should the administrator configure?

Store the storage account key in the app configuration and use it from the application

Account keys work, but they create secret management overhead and are not credential-free.

Create an anonymous public container so the app can upload without authentication

Anonymous access is insecure and does not provide the required controlled upload authentication.

Use a shared access signature generated from the storage account root key

A SAS is temporary, but generating it from an account key still depends on a stored secret.

What does this AZ-104 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Enable a system-assigned managed identity for the app and grant it a storage data role — A system-assigned managed identity is the most appropriate choice because it gives the App Service instance its own identity in Microsoft Entra ID without requiring stored credentials. You then grant the identity a storage data role such as Storage Blob Data Contributor at the appropriate scope. This approach is operationally safer than embedding account keys or long-lived secrets in application settings, and it is easier to rotate because there is no secret to manage in the application itself. Why others are wrong: Using an account key or a SAS generated from an account key still introduces shared secret management. Anonymous public access is not acceptable for a controlled upload scenario. The key requirement is credential-free authentication from the workload itself, which managed identity provides.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.