A Windows Azure VM must download configuration data from Azure Key Vault during first boot. Security policy forbids storing passwords, certificates, or client secrets on the VM. What should the administrator configure?

Create a service principal and place its secret in the VM's startup script.

This requires a long-lived secret on the VM, which violates the security requirement and increases exposure.

Attach a custom script extension that embeds the Key Vault password in plain text.

Embedding a password in a script creates exactly the credential storage problem the question says to avoid.

Use an Entra ID user account and sign in interactively after deployment.

Interactive sign-in is not suitable for unattended startup tasks and does not provide automation-friendly access.

What does this AZ-104 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Enable a system-assigned managed identity on the VM and grant it Key Vault access. — A system-assigned managed identity is the best fit because it lets the VM authenticate to Azure services without any embedded secrets. After enabling the identity, you can authorize it to read from Key Vault by using the appropriate access policy or RBAC role. This approach is designed for secure automation and avoids the operational burden of rotating passwords or certificates on the guest OS. Why others are wrong: The other choices all introduce credentials or manual interaction, which conflicts with the requirement. A service principal secret or plain-text script is insecure, and an Entra ID user account is not practical for unattended boot-time access. The key distinction is that managed identities provide credential-free authentication for Azure resources.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.