An App Service application needs to read secrets from Azure Key Vault. The security team does not want any password, certificate, or client secret stored in application settings, and they want the identity removed automatically if the app is deleted. What should the administrator enable?
A system-assigned managed identity avoids stored credentials and is tied to the app lifecycle.
Why this answer
A system-assigned managed identity (Option B) is the correct choice because Azure creates and manages the identity for the App Service, ties it to the resource's lifecycle (it is deleted when the app is deleted), and never hands out a credential that would have to be stored in application settings. The app requests Microsoft Entra ID (formerly Azure AD) tokens from the App Service identity endpoint and presents them to Key Vault, so no secret is ever written to configuration, which satisfies the security team's requirements. Two practical points the question leaves implicit: enabling the identity only creates it, and access still has to be granted on the vault, either an Azure RBAC role such as Key Vault Secrets User (least privilege for reading secret values) or, on vaults still using the access-policy model, a policy granting the secret get permission. And when the app is deleted the identity disappears but its role assignment does not; it lingers as an orphaned assignment to an unknown principal until someone removes it.
Exam trap
The trap is the lifecycle distinction. A user-assigned managed identity is a standalone Azure resource with its own lifecycle that can be attached to several apps, whereas a system-assigned identity exists only as long as the resource it belongs to. Candidates who remember only "managed identity = no stored credentials" may pick Option C and miss the automatic-removal requirement.
How to eliminate wrong answers
Option A is wrong because storing a client secret in App Service configuration violates the requirement of no passwords, certificates, or client secrets in application settings; it is also a long-lived credential that has to be rotated and would remain valid in Entra ID after the app is deleted. Option C is wrong because a user-assigned managed identity is not deleted when the app is deleted; it has its own lifecycle and must be removed separately, failing the "identity removed automatically" requirement. Option D is wrong because a shared access signature (SAS) is a signed URI token for Azure Storage (similar schemes exist for Service Bus and Event Hubs); Key Vault does not accept SAS tokens at all, and the SAS string would itself be a secret that has to be stored in configuration, which is prohibited.
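The wiring that the correct answer relies on, as an added example in Azure CLI (bash) that is not part of the original page: it enables the system-assigned identity, grants it least-privilege read access on the vault under either permission model, and exposes the secret to the app through a Key Vault reference instead of a stored value. The resource group, app, vault and secret names are assumptions and can be overridden through the environment.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page. Wires an App Service's
# system-assigned managed identity to Key Vault with Azure CLI.
# Resource names below are assumptions; override them via the environment.
set -eu

RG="${RG:-rg-demo}"
APP="${APP:-app-demo}"
VAULT="${VAULT:-kv-demo}"
SECRET="${SECRET:-DbPassword}"

# Plan-only by default: each az command is printed to stderr and nothing runs.
# APPLY=1 executes the commands for real (after `az login`).
az_() {
  if [ "${APPLY:-0}" = "1" ]; then
    az "$@"
  else
    printf 'az %s\n' "$*" >&2
  fi
}

# Step 1: turn on the system-assigned identity. Azure returns the principalId,
# the Entra ID object that Key Vault permissions are granted to.
enable_identity() {
  az_ webapp identity assign --resource-group "$RG" --name "$APP" \
    --query principalId -o tsv
}

# Step 2a (RBAC permission model): "Key Vault Secrets User" allows reading
# secret values and nothing else. --assignee-principal-type avoids a
# directory lookup race on a freshly created identity.
grant_secret_reader_rbac() {
  local principal_id="$1" vault_id="$2"
  az_ role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" \
    --scope "$vault_id"
}

# Step 2b (legacy access-policy model): only get and list on secrets.
grant_secret_reader_policy() {
  local principal_id="$1"
  az_ keyvault set-policy --name "$VAULT" --object-id "$principal_id" \
    --secret-permissions get list
}

# Step 3: a Key Vault reference as the app-setting value. App Service resolves
# it at runtime with the managed identity, so the setting holds a pointer to
# the secret, never the secret itself.
kv_reference() {
  printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s)' "$1" "$2"
}

set_app_setting() {
  az_ webapp config appsettings set --resource-group "$RG" --name "$APP" \
    --settings "$1=$2"
}

main() {
  local pid kv_id
  pid="$(enable_identity)"
  pid="${pid:-<principalId>}"                   # placeholder in plan mode
  kv_id="$(az_ keyvault show --name "$VAULT" --query id -o tsv)"
  kv_id="${kv_id:-<keyVaultResourceId>}"        # placeholder in plan mode
  grant_secret_reader_rbac "$pid" "$kv_id"
  set_app_setting DB_PASSWORD "$(kv_reference "$VAULT" "$SECRET")"
}

main
```

Run it as-is to see the plan; run it with `APPLY=1` to execute. Use `grant_secret_reader_policy` in place of the RBAC call on a vault that has not been switched to Azure RBAC. The lifecycle behaviour the question tests can be checked afterwards: deleting the web app removes the identity, but `az role assignment list --scope <vault id>` still shows the assignment with an unknown principal until it is deleted with `az role assignment delete`.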