1.3 Security and Access Management
Key Takeaways
- Managed identities (system-assigned tied to a resource, user-assigned shareable) remove all credentials from code and are the production-preferred auth method.
- Azure Key Vault centralizes secrets; apps read them at runtime using a managed identity, never hardcoded keys.
- RBAC data-plane vs management-plane is heavily tested: Cognitive Services User calls APIs; Cognitive Services Contributor manages resources.
- Azure OpenAI has its own roles — Cognitive Services OpenAI User (inference) and OpenAI Contributor (deploy/fine-tune).
- Private endpoint plus disabled public network access is the most secure network posture for an AI resource.
Quick Answer: Authenticate with managed identities (no secrets in code), store any unavoidable secrets in Azure Key Vault, grant least privilege with RBAC (data-plane vs management-plane), and isolate the network with a private endpoint + disabled public access. Microsoft Entra ID beats API keys for production.
Authentication ladder, least to most secure
| Method | Header / mechanism | When acceptable |
|---|---|---|
| API keys | Ocp-Apim-Subscription-Key: <key> | Dev/test only — keys leak in code, logs, configs |
| Entra ID tokens | OAuth 2.0 bearer token | Production; integrates with RBAC |
| Service principal | App registration + secret/cert | CI/CD and non-Azure callers |
| Managed identity | Azure-issued token, auto-rotated | Best practice for Azure-hosted apps |
System-assigned managed identity is created with the resource and dies with it (1:1). User-assigned is a standalone resource you can attach to many compute hosts (1:N) — pick it when several apps share one identity. Either way, DefaultAzureCredential resolves the identity transparently.
# No keys anywhere in the code path
from azure.identity import DefaultAzureCredential
from azure.ai.textanalytics import TextAnalyticsClient
client = TextAnalyticsClient(
endpoint="https://my-language.cognitiveservices.azure.com/",
credential=DefaultAzureCredential())
On the Exam: A production scenario that says "authenticate without storing secrets" almost always answers managed identity with DefaultAzureCredential. API keys are correct only when the scenario is explicitly dev/test or a quick prototype.
Azure Key Vault integration
When a secret is genuinely unavoidable (a third-party token, a connection string), store it in Key Vault and read it at runtime — the app authenticates to Key Vault with its managed identity.
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
sc = SecretClient("https://my-kv.vault.azure.net/", DefaultAzureCredential())
ai_key = sc.get_secret("AiServiceKey").value
Key Vault adds soft delete (recover deleted secrets within the retention window) and purge protection (block permanent deletion during retention) — both appear in compliance-flavored questions.
RBAC: data plane vs management plane
This distinction is the highest-yield security topic in Domain 1.
| Role | Plane | Can do | Cannot do |
|---|---|---|---|
| Cognitive Services User | Data | Call APIs, read keys | Create/delete the resource |
| Cognitive Services Contributor | Management | Create/update/delete resources, manage keys | (overly broad for an app) |
| Cognitive Services OpenAI User | Data | Run completions, embeddings, chat | Deploy models, fine-tune |
| Cognitive Services OpenAI Contributor | Management | Deploy models, manage fine-tuning | — |
| Reader | Management | View config | Any write or API call |
az role assignment create \
--assignee <managed-identity-object-id> \
--role "Cognitive Services User" \
--scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<name>
A frequent trap: granting Contributor to an app that only needs to call APIs. The least-privilege answer is Cognitive Services User (or OpenAI User for GPT). Contributor is for the DevOps team that provisions the resource, not the runtime workload.
Network isolation
- Virtual network service rules restrict the resource to named subnets and deny the public internet.
- Private endpoint projects a private IP for the resource inside your VNet; traffic stays on the Microsoft backbone, and private DNS resolves the endpoint to that IP.
- Firewall rules allow specific IP ranges or trusted Azure services.
az cognitiveservices account network-rule add -g rg-ai-prod -n my-ai-services \
--vnet-name my-vnet --subnet my-subnet
az cognitiveservices account update -g rg-ai-prod -n my-ai-services \
--public-network-access Disabled
On the Exam: "The AI service must not be reachable from the internet" => private endpoint + public network access Disabled. Just adding a VNet rule without disabling public access still leaves a public attack surface, so the most-secure answer always pairs the two.
Diagnostic logging and monitoring
Enable diagnostic settings to stream logs and metrics to a Log Analytics workspace, Storage account, or Event Hub, then alert on anomalies.
| Metric | Watch for | Suggested alert |
|---|---|---|
| Total Calls | Traffic spikes | Baseline + 50% |
| Total Errors | Failing requests | > 5% error rate |
| Latency | Slow responses | > 2 s (service-dependent) |
| Blocked Calls (429) | Rate limiting | Any occurrence |
| Token Usage | Approaching OpenAI quota | Near deployment cap |
Log Analytics (KQL queries) is the right sink when a question asks about querying or correlating logs; Storage suits long-term archival; Event Hub suits streaming to a SIEM.
Layering the controls together
A production-grade AI deployment stacks these controls rather than picking one. The reference posture the exam rewards looks like this: the app runs with a managed identity that holds the Cognitive Services User role scoped to exactly the one resource it calls; any third-party secret it needs sits in Key Vault, read at runtime through the same identity; the AI resource has public network access Disabled with a private endpoint in the app's VNet; and diagnostic settings stream metrics and logs to Log Analytics with alerts on error rate and 429 throttling.
No API key appears in code, config, or environment variables anywhere in that chain. When a question describes a near-complete version of this and asks for the one missing control, identify which layer is absent — usually it is the network isolation (private endpoint) or the least-privilege scope (Contributor used where User suffices).
Scope and inheritance pitfalls
RBAC role assignments inherit down the hierarchy: an assignment at the subscription or resource group level flows to every AI resource inside it, while an assignment at the resource level is the tightest scope. The least-privilege answer almost always scopes the role to the single resource, not the resource group. Watch for distractors that grant the right role at too broad a scope.
Also remember that Owner and Contributor at the management plane do not by themselves grant data-plane API access for some services — calling the data plane needs the specific data-plane role (Cognitive Services User, or OpenAI User for GPT), which is why an admin can manage a resource yet get a 401 calling its API until the data-plane role is added.
On the Exam: If a person can deploy and delete a resource but gets an authorization error calling its inference API, the missing piece is a data-plane role such as Cognitive Services User or Cognitive Services OpenAI User — management-plane roles do not imply data-plane access.
Which authentication method is recommended for a production app running on Azure that must avoid storing any secrets?
An application only needs to call an Azure AI Language API. Following least privilege, which role should its managed identity receive?
A bank requires that an Azure AI resource be unreachable from the public internet. Which configuration is correct?
When should you choose a user-assigned managed identity over a system-assigned one?