Microsoft AZ-204 Exam - Topic 1 Question 123 Discussion

Actual exam question for Microsoft's AZ-204 exam

Question #: 123
Topic #: 1

You develop and deploy an Azure Logic app that calls an Azure Function app. The Azure Function app includes an OpenAPl (Swagger) definition and uses an Azure Blob storage account. All resources are secured by using Azure Active Directory (Azure AD).

The Azure Logic app must securely access the Azure Blob storage account. Azure AD resources must remain if the Azure Logic app is deleted.

You need to secure the Azure Logic app.

What should you do?

ACreate an Azure AD custom role and assign role-based access controls.

BCreate an Azure AD custom role and assign the role to the Azure Blob storage account.

CCreate an Azure Key Vault and issue a client certificate.

DCreate a user-assigned managed identity and assign role-based access controls.

ECreate a system-assigned managed identity and issue a client certificate.

Show Suggested Answer

Suggested Answer: D

To give a managed identity access to an Azure resource, you need to add a role to the target resource for that identity.

Note: To easily authenticate access to other resources that are protected by Azure Active Directory (Azure AD) without having to sign in and provide credentials or secrets, your logic app can use a managed identity (formerly known as Managed Service Identity or MSI). Azure manages this identity for you and helps secure your credentials because you don't have to provide or rotate secrets.

If you set up your logic app to use the system-assigned identity or a manually created, user-assigned identity, the function in your logic app can also use that same identity for authentication.

https://docs.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients

by Shakira at Nov 23, 2025, 04:20 AM

Limited Time Offer

25%

Off

Get Premium AZ-204 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Shayne

24 days ago

True, but we need to ensure security. D covers that well.

upvoted 0 times

...

Howard

29 days ago

C is interesting, but Key Vault might be overkill here.

upvoted 0 times

...

Tarra

1 month ago

I like B, but it ties the role to the storage account.

upvoted 0 times

...

Nichelle

1 month ago

Option A could work too, but it feels more complex.

upvoted 0 times

...

Shonda

1 month ago

I agree, D seems solid. It simplifies access management.

upvoted 0 times

...

Vallie

2 months ago

C sounds interesting, but I'm not sure if a Key Vault is necessary here.

upvoted 0 times

...

Clarence

2 months ago

B might work, but it feels a bit overkill for just a Logic app.

upvoted 0 times

...

Yuriko

2 months ago

Isn't it surprising that Azure AD roles can be so flexible?

upvoted 0 times

...

Marsha

3 months ago

Option E is hilarious. Issuing a client certificate with a system-assigned identity? That's just asking for trouble!

upvoted 0 times

...

Brandon

3 months ago

D is the way to go. Managed identities are the future, and role-based access is the way to secure things.

upvoted 0 times

...

Antonio

3 months ago

Hmm, I'm leaning towards B. Assigning the custom role directly to the Blob storage account seems simpler.

upvoted 0 times

...

Marguerita

3 months ago

I'd go with C. Using Key Vault and client certificates is a solid approach.

upvoted 0 times

...

Fallon

3 months ago

Option D looks good to me. Managed identities are the way to go for secure access.

upvoted 0 times

...

Shanice

3 months ago

I think option D makes the most sense since it mentions role-based access controls, which we learned are crucial for securing Azure resources.

upvoted 0 times

...

Pearlene

4 months ago

I have a vague recollection of Key Vaults being important for security, but I can't recall if it's necessary for this Logic app.

upvoted 0 times

...

Diego

4 months ago

This question feels similar to one we practiced about securing Azure resources. I think role-based access controls are definitely involved here.

upvoted 0 times

...

Herman

4 months ago

I'm a little unsure about the Key Vault option - it seems like that might be overkill for just securing the Logic app's access to Blob storage. I think I'll focus on the managed identity options and see which one fits best.

upvoted 0 times

...

Melinda

4 months ago

I'm pretty confident that option D is the way to go here. Using a managed identity to access the Blob storage securely, while keeping the Azure AD resources independent of the Logic app, seems like the cleanest solution.

upvoted 0 times

...

Hubert

4 months ago

Okay, so we know we need to secure the Logic app, and the Azure AD resources need to stick around. I'm leaning towards option D - creating a user-assigned managed identity and assigning role-based access controls. That seems like it would meet the requirements.

upvoted 0 times

...

Shayne

5 months ago

I think option D is the best choice. Managed identities are secure.

upvoted 0 times

...

Thea

5 months ago

I remember we discussed managed identities in class, but I'm not sure if I should go with user-assigned or system-assigned for this scenario.

upvoted 0 times

...

Leonora

5 months ago

I think D is the best option for securing the Logic app.

upvoted 0 times

...

Christa

5 months ago

I disagree, A seems more straightforward for access control.

upvoted 0 times

...

Latanya

6 months ago

Hmm, I'm a bit confused on the difference between user-assigned and system-assigned managed identities. I'll need to review those options carefully to see which one best fits the requirements.

upvoted 0 times

...

Shad

6 months ago

I think I'd start by looking at the requirements - the Azure Logic app needs to securely access the Azure Blob storage account, and the Azure AD resources need to remain even if the Logic app is deleted. That sounds like we need to use some kind of managed identity.

upvoted 0 times