Free The SecOps Group CCPenX-Az Practice Test & Real Exam Questions
A virtual machine has a system-assigned managed identity. From the VM shell, which Azure CLI command authenticates using that identity?
Correct Answer: D
Vote an answer
Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).
From inside the App Service environment, request an Azure Resource Manager token using the managed identity endpoint. Which resource value should be requested for Azure Resource Manager access?
Correct Answer: B
Vote an answer
Explanation: Only visible for Pass4Leader members. You can sign-up / login (it's free).
Carefully enumerate the accessible Azure Blob Container to locate a file containing credentials for an App Registration within the tenant. What is the Application/Client ID of the discovered App Registration?
Correct Answer:
See the Answer in Explanation below.
Explanation:
The answer is the clientId, appId, or applicationId value inside the credential file downloaded from the sensitive-files container.
Detailed Solution:
List blobs inside the accessible container:
az storage blob list \
--account-name excaliburstore \
--container-name sensitive-files \
--sas-token " $SAS " \
--query " [].name " \
--output table
Download all files locally:
mkdir blobloot
az storage blob download-batch \
--account-name excaliburstore \
--source sensitive-files \
--destination blobloot \
--sas-token " $SAS "
Search the downloaded files for application credentials:
grep -RniE " clientId|appId|applicationId|clientSecret|tenantId|secret|password " blobloot On Windows PowerShell:
Select-String -Path .\blobloot\* -Pattern " clientId|appId|applicationId|clientSecret|tenantId|secret|password " - CaseSensitive:$false A typical file may look like this:
{
" tenantId " : " f015f36d-c07f-41fb-9bde-fffc3a22ee8b " ,
" clientId " : " < application-client-id > " ,
" clientSecret " : " < application-client-secret > "
}
The clientId / appId value is the answer.
Final answer:
Use the clientId / appId value found in the blob credential file.
Explanation:
The answer is the clientId, appId, or applicationId value inside the credential file downloaded from the sensitive-files container.
Detailed Solution:
List blobs inside the accessible container:
az storage blob list \
--account-name excaliburstore \
--container-name sensitive-files \
--sas-token " $SAS " \
--query " [].name " \
--output table
Download all files locally:
mkdir blobloot
az storage blob download-batch \
--account-name excaliburstore \
--source sensitive-files \
--destination blobloot \
--sas-token " $SAS "
Search the downloaded files for application credentials:
grep -RniE " clientId|appId|applicationId|clientSecret|tenantId|secret|password " blobloot On Windows PowerShell:
Select-String -Path .\blobloot\* -Pattern " clientId|appId|applicationId|clientSecret|tenantId|secret|password " - CaseSensitive:$false A typical file may look like this:
{
" tenantId " : " f015f36d-c07f-41fb-9bde-fffc3a22ee8b " ,
" clientId " : " < application-client-id > " ,
" clientSecret " : " < application-client-secret > "
}
The clientId / appId value is the answer.
Final answer:
Use the clientId / appId value found in the blob credential file.
The App Service has a system-assigned managed identity enabled. Identify the managed identity principal ID.
Correct Answer:
See the Answer in Explanation below.
Explanation:
b72a4c19-92f6-47f3-b3dd-9db5a31831d1
Detailed Solution:
Run:
az webapp identity show \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--output json
Expected output:
{
" principalId " : " b72a4c19-92f6-47f3-b3dd-9db5a31831d1 " ,
" tenantId " : " 8f34c1de-1198-4c2a-b1a8-1eaa72f6e99a " ,
" type " : " SystemAssigned "
}
The principalId is the service principal object ID of the managed identity.
Microsoft documents that managed identities provide Azure-managed identities for applications and eliminate the need to manage application secrets directly.
Explanation:
b72a4c19-92f6-47f3-b3dd-9db5a31831d1
Detailed Solution:
Run:
az webapp identity show \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--output json
Expected output:
{
" principalId " : " b72a4c19-92f6-47f3-b3dd-9db5a31831d1 " ,
" tenantId " : " 8f34c1de-1198-4c2a-b1a8-1eaa72f6e99a " ,
" type " : " SystemAssigned "
}
The principalId is the service principal object ID of the managed identity.
Microsoft documents that managed identities provide Azure-managed identities for applications and eliminate the need to manage application secrets directly.
