BenchMark Quizzes by MDFT Pro

Configure Logic App Managed Identity for Blob Access

You work as an Integration Solutions Architect for MDFT Pro, a well-known training agency that delivers certification courses to students worldwide. Claire, the Serverless Workflow Lead, has deployed an Azure Logic App that orchestrates the student onboarding workflow by calling an Azure Function App. The Function App processes student documents stored in an Azure Blob Storage account, including enrollment forms, transcripts, and certification requirements. All resources are secured using Microsoft Entra ID (formerly Azure Active Directory) for authentication and authorization. The Logic App must securely access the Blob Storage account to read and write student documents without using access keys or connection strings. Additionally, if the Logic App is deleted and recreated during updates or troubleshooting, the Azure AD identity and its permissions must persist to avoid reconfiguring access permissions each time.

What should you configure to enable the Logic App to securely access Azure Blob Storage while ensuring the identity persists after Logic App deletion?

Choose the correct answer from the options below.

Explanations for each answer:

Create an Azure AD custom role and assign role-based access controls is incorrect. While creating custom Azure AD roles is a valid approach for fine-grained permissions, this option alone doesn't provide an identity for the Logic App to authenticate with. You need a managed identity (either system-assigned or user-assigned) that the Logic App can use to authenticate to Blob Storage. Custom roles define permissions but don't create an identity or handle authentication.
Create an Azure AD custom role and assign the role to the Azure Blob storage account is incorrect. Azure AD roles are assigned to security principals (users, groups, service principals, or managed identities), not to resources like storage accounts. You cannot assign a role to a storage account—you assign roles to identities that need access to the storage account. Additionally, this doesn't create an identity for the Logic App to use for authentication.
Create an Azure Key Vault and issue a client certificate is incorrect. Client certificates provide certificate-based authentication but require manual certificate management, rotation, and storage. While Key Vault can securely store certificates, this approach adds complexity compared to managed identities. Managed identities automatically handle credential lifecycle without requiring manual certificate management. For Logic Apps accessing Azure resources like Blob Storage, managed identities are the recommended approach.
Create a user-assigned managed identity and assign role-based access controls is correct. A user-assigned managed identity is the correct solution because it provides an Azure AD identity that persists independently of the Logic App's lifecycle. When you delete the Logic App, the user-assigned identity remains along with its role assignments, satisfying the requirement that Azure AD resources remain after deletion. After creating the identity, you assign it the appropriate RBAC role (like Storage Blob Data Contributor) on the Blob Storage account and configure the Logic App to use this identity for authentication.
Create a system-assigned managed identity and issue a client certificate is incorrect. System-assigned managed identities are tied to the Logic App's lifecycle—when you delete the Logic App, the system-assigned identity and all its role assignments are automatically deleted. This violates the requirement that Azure AD resources must remain after Logic App deletion. Additionally, managed identities don't use client certificates—they authenticate using Azure AD tokens managed automatically by the platform.

Learn more about Managed Identities:

Logic Apps Managed Identity Authentication

Practice Exam

Configure Logic App Managed Identity for Blob Access

Discuss this question on social media: