Topic: AZ-140 topic 5 question 3

You have an Azure Virtual Desktop host pool named Pool1 and an Azure Automation account named Account1. Pool1 is integrated with an Azure Active Directory Domain Services (Azure AD DS) managed domain named contoso.com.
You plan to configure scaling for Pool1 by using Azure Automation runbooks.
You need to authorize the runbooks to manage the scaling of Pool1. The solution must minimize administrative effort.
What should you configure?

A. a managed identity in Azure Active Directory (Azure AD)
B. a group Managed Service Account (gMSA) in Azure AD DS
C. a Connections shared resource in Azure Automation
D. a Run As account in Azure Automation

Re: AZ-140 topic 5 question 3

Correct

Re: AZ-140 topic 5 question 3

This is the statement from Microsoft regarding this question. The answer is A because D will be deprecated on September 30, 2023.

Important

Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use managed identities. For more information, see migrating from an existing Run As accounts to managed identity to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

Re: AZ-140 topic 5 question 3

A. a managed identity

Re: AZ-140 topic 5 question 3

"A managed identity from Microsoft Entra ID allows your runbook to easily access other Microsoft Entra protected resources. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. For more information about managed identities in Microsoft Entra ID, see Managed identities for Azure resources.

Managed identities are the recommended way to authenticate in your runbooks, and is the default authentication method for your Automation account."

https://learn.microsoft.com/en-us/azure/automation/automation-security-overview

Re: AZ-140 topic 5 question 3

A. a managed identity in Azure Active Directory (Azure AD)

Re: AZ-140 topic 5 question 3

A should be the correct answer.

As of April 1, 2023, Run As accounts no longer work. Recommended to use managed identities instead.

Re: AZ-140 topic 5 question 3

A
Azure Automation Run as accounts, including Classic Run as accounts have retired on 30 September 2023 and replaced with Managed Identities. You would no longer be able to create or renew Run as accounts through the Azure portal.
https://learn.microsoft.com/en-us/azure/automation/migrate-run-as-accounts-managed-identity?tabs=sa-managed-identity

Re: AZ-140 topic 5 question 3

I take answer A because the Microsoft exam should adapt to the changes.
Now that you have an Azure Automation account, you'll also need to set up a managed identity if you haven't already. Managed identities will help your runbook access other Azure AD-related resources as well as authenticate important automation processes.
https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-scaling-script#create-a-managed-identity

Re: AZ-140 topic 5 question 3

The answer is A

Re: AZ-140 topic 5 question 3

A should be correct now but D was before

As of April 1, 2023, Run As accounts no longer work. We recommend you use managed identities instead.

Another great MS question. I wonder if they accept both on the exam.

https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-scaling-script#create-a-managed-identity

Re: AZ-140 topic 5 question 3

A is correct (preferred), D is technically possible
https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-scaling-script
This scaling tool uses a Run As account with Azure Automation. Azure Automation Run As accounts will retire on September 30, 2023. Microsoft won't provide support beyond that date. From now through September 30, 2023, you can continue to use Azure Automation Run As accounts. This scaling tool won't be updated to create the resources using managed identities, however, you can transition to use managed identities and will need to before then. For more information, see Migrate from an existing Run As account to a managed identity.

Re: AZ-140 topic 5 question 3

managed identity
A managed identity from Azure Active Directory (Azure AD) allows your runbook to easily access other Azure AD-protected resources. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.

Re: AZ-140 topic 5 question 3

A is correct since Run as account will be removed

"Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities."

https://learn.microsoft.com/en-us/azure/automation/automation-security-overview

Re: AZ-140 topic 5 question 3

You can use both, but a managed identity minimizes administrative effort. Strongly recommended to use by MS. I am using it a lot.

Re: AZ-140 topic 5 question 3

The solution must minimize administrative effort.

Re: AZ-140 topic 5 question 3

The answer is A.
Even back in 2021 MS was recommending Managed Identities for this task:

"Managed identities would be the recommended method for runbook authentication going forward. Read the guidance to migrate existing Run As accounts to Managed identities"

https://azure.microsoft.com/en-us/updates/azure-automation-managed-identities-ga/

Re: AZ-140 topic 5 question 3

I'd go with "A" - Managed Identity as it respects minimizing administrative effort.

"The identity is managed by the Azure platform and users could eliminate the management overhead associated with managing Run As Account in the runbook code."

https://azure.microsoft.com/en-us/updates/azure-automation-managed-identities-ga/
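Added example, not part of any post in this thread and not Microsoft's scaling script: what answer A looks like in practice for Account1 and Pool1, with the retired Run As sign-in kept as a commented "before" next to the managed identity sign-in. The resource group name `rg-avd` is a placeholder, and the choice of the Contributor role scoped to that resource group is an assumption; substitute a narrower role if your scaling runbook allows it.

```powershell
# --- One-time setup, run by an administrator (not inside the runbook) ---
$rg      = 'rg-avd'     # placeholder: resource group holding Account1, Pool1 and its session hosts
$account = 'Account1'

# Enable the system-assigned managed identity on the Automation account.
# No certificate or secret is created, so there is nothing to renew or rotate.
Set-AzAutomationAccount -ResourceGroupName $rg -Name $account -AssignSystemIdentity | Out-Null
$principalId = (Get-AzAutomationAccount -ResourceGroupName $rg -Name $account).Identity.PrincipalId

# Authorize the identity on the resource group only, not the whole subscription.
# Role name is an assumption for this example.
$scope = (Get-AzResourceGroup -Name $rg).ResourceId
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Contributor' -Scope $scope | Out-Null

# --- Runbook body (runs inside Account1) ---
$ErrorActionPreference = 'Stop'
$rg   = 'rg-avd'        # placeholder, same resource group as above
$pool = 'Pool1'

# Before (Run As account, retired): a service principal plus a certificate
# stored in the Automation account that had to be renewed before expiry.
# $conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
# Connect-AzAccount -ServicePrincipal -Tenant $conn.TenantId `
#     -ApplicationId $conn.ApplicationId `
#     -CertificateThumbprint $conn.CertificateThumbprint

# After (managed identity): the platform issues the token; no credential in the runbook.
Disable-AzContextAutosave -Scope Process | Out-Null   # do not inherit a cached context
$ctx = (Connect-AzAccount -Identity).Context
Set-AzContext -SubscriptionName $ctx.Subscription -DefaultProfile $ctx | Out-Null

# Confirm the identity can read the session hosts the scaling logic will act on.
# A failure here usually means the role assignment is missing or scoped elsewhere.
Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool |
    Select-Object Name, Status, Session, AllowNewSession
```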