Your company uses Azure Logic Apps to automate a business process. The process needs to call an external REST API that requires an API key passed in the Authorization header. You need to store the API key securely and reference it in the Logic App. Which approach should you use?
Key Vault provides secure secret storage, and a managed identity allows the Logic App to authenticate without credentials.
Why this answer
Option B is correct because Azure Key Vault securely stores secrets like API keys, and using a managed identity allows the Logic App to authenticate to Key Vault without embedding credentials in code or configuration. This follows the principle of least privilege and eliminates the need to manage secrets in connection strings or parameter files.
Exam trap
Candidates often choose Option A or C because they think storing the key in the Logic App definition or a parameter file is 'secure enough' for development. The exam emphasizes that any plaintext storage in code or configuration is a security violation, and that the only correct approach is to use a dedicated secrets store like Key Vault with managed identity.
How to eliminate wrong answers
Option A is wrong because storing the API key as a constant in the Logic App's definition exposes the key in plaintext within the workflow JSON, which can be viewed by anyone with read access to the Logic App and violates security best practices.
Option C is wrong because hardcoding the API key in a parameter file still stores the key in plaintext within the deployment or configuration files, which can be leaked through source control or logs.
Option D is wrong because using an Azure Storage account table to store the key does not provide encryption at rest by default (unless client-side encryption is implemented) and requires managing access keys for the storage account, introducing additional security risks.