A web app running on an Azure VM must read files from Azure Blob Storage without storing any passwords, secrets, or access keys on the VM. The identity should be tied to that VM and removed automatically if the VM is deleted. What should you enable?

A shared storage account key in the application settings

A storage account key is a secret that must be stored and managed, which violates the no-secrets requirement.

A user account with a local password on the VM

A local account helps with sign-in to the operating system, but it does not provide secure Azure Storage authorization.

A service endpoint on the VM subnet

A service endpoint changes network access behavior, but it does not replace authentication or remove the need for credentials.

What does this AZ-104 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: A system-assigned managed identity — A system-assigned managed identity is ideal when one Azure resource needs secret-free access to other Azure services. Azure handles the identity for you, and applications can request tokens without embedding credentials. Because the identity belongs to the VM itself, it is automatically removed when the VM is deleted. That makes it both secure and easy to manage for a single VM application that must access Blob Storage. Why others are wrong: A storage account key is still a secret and must be protected. A local user account solves operating-system sign-in, not Azure service authentication. A service endpoint can help network access to storage, but it does not provide identity-based authorization and does not eliminate secrets from the application.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.