Microsoft Azure Developer Associate AZ-204 Practice Question
You deploy an Azure App Service web app that currently stores its Azure SQL Database connection string in the ConnectionStrings:SqlDb application setting. For compliance reasons, the connection string must be moved to Azure Key Vault, and the web app must be able to retrieve the value at runtime without changing application code. After creating a secret that contains the connection string in Key Vault, which action should you perform next to meet the requirement?
Generate a shared access signature (SAS) for the Key Vault secret and store the SAS URL in the ConnectionStrings:SqlDb setting.
Store the secret in Azure App Configuration and reference it by label in the ConnectionStrings:SqlDb setting.
Enable a system-assigned managed identity for the web app, grant that identity Get access to the secret, and change the ConnectionStrings:SqlDb setting value to @Microsoft.KeyVault(SecretUri=<secret URI>).
Add the connection string directly to the web.config file and set the application setting to an empty value.
Key Vault references allow an App Service app to resolve a secret value at runtime by reading it from Azure Key Vault. A reference is placed directly in an application setting using the syntax @Microsoft.KeyVault(SecretUri=<secretUriWithVersion>). For the platform to read the secret, the web app needs permission to the vault. The simplest secure way is to enable a system-assigned managed identity on the web app and grant that identity the Get permission for secrets in the vault. No code changes are required because the configuration key name remains the same, and the platform resolves the reference before injecting it into the app process.
Adding the raw value to web.config does not satisfy the requirement to move the secret out of the app. Using a SAS token is impossible because Key Vault does not support SAS; it uses Azure AD-based access control. Storing the secret in Azure App Configuration would still require application code (or a configuration provider) to fetch the value, contradicting the "no code changes" constraint.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a system-assigned managed identity in Azure?
Open an interactive chat with Bash
What permissions does the web app's managed identity need for Azure Key Vault?
Open an interactive chat with Bash
What is a Key Vault reference in Azure App Service?
Open an interactive chat with Bash
Microsoft Azure Developer Associate AZ-204
Implement Azure security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .