Study Azure AZ-204 Key Vault and Identity: key concepts, common traps, and exam decision cues.
This lesson is about securing configuration and workload access in Azure-native ways. Microsoft expects AZ-204 candidates to prefer managed identities, Key Vault, and App Configuration over plain-text config and hand-managed secrets.
Managed identity: Azure-managed workload identity that lets an app authenticate to supported Azure services without storing credentials in code or config.
App Configuration: Centralized configuration service for application settings and feature flags.
AZ-204 wants you to keep these boundaries straight:
| Need | Strongest first lane | Why it fits |
|---|---|---|
| App calls Azure services without stored credentials | Managed identity | Workload authentication without secrets in code |
| Store secrets, keys, or certificates outside the app package | Key Vault | Secret and certificate boundary |
| Centralize feature flags or ordinary settings | App Configuration | Configuration management, not secret custody |
| Combine runtime config with secret retrieval | App Configuration plus Key Vault reference pattern | Settings and secrets are different objects |

| If the question says | Think first about |
|---|---|
| secret, key, certificate, rotation, secure storage | Key Vault |
| feature flag, setting management, environment-specific config | App Configuration |
| app should authenticate to Azure without storing credentials | Managed identity |
| configuration contains a secret reference rather than the secret itself | App Configuration plus Key Vault |

```mermaid
flowchart LR
A["Application starts"] --> B["Reads ordinary settings from App Configuration"]
B --> C["Uses managed identity"]
C --> D["Retrieves secret from Key Vault when needed"]
D --> E["Calls Azure resource without embedded credentials"]
```

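The flow above is what the App Configuration plus Key Vault reference pattern looks like in code. The following is an added example, not code from the lesson or from Microsoft's SDKs: it takes a constructed set of App Configuration settings (a plain value, a feature flag, and a Key Vault reference), passes ordinary settings through, turns the feature flag into a boolean, and resolves the reference through a secret client registered for that vault. The `FakeSecretClient`, the `contoso-kv` vault name, and the secret value are constructed so the example runs offline; in a real workload the client would be `azure.keyvault.secrets.SecretClient(vault_url, DefaultAzureCredential())`, which is where the managed identity does the authenticating. The content types and the `.appconfig.featureflag/` key prefix are the ones App Configuration uses; the `resolve_settings` and `parse_secret_uri` helper names are this example's own.

```python
import json
from dataclasses import dataclass
from types import SimpleNamespace
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlparse

# Content types App Configuration attaches to Key Vault references and feature flags.
KEYVAULT_REF_CONTENT_TYPE = "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8"
FEATURE_FLAG_CONTENT_TYPE = "application/vnd.microsoft.appconfig.ff+json;charset=utf-8"
FEATURE_FLAG_KEY_PREFIX = ".appconfig.featureflag/"


@dataclass(frozen=True)
class Setting:
    """One key-value as returned by App Configuration (label omitted for brevity)."""
    key: str
    value: str
    content_type: str = ""


def _media_type(content_type: str) -> str:
    # Ignore parameters such as charset when comparing content types.
    return content_type.split(";", 1)[0].strip().lower()


def is_keyvault_reference(setting: Setting) -> bool:
    return _media_type(setting.content_type) == _media_type(KEYVAULT_REF_CONTENT_TYPE)


def is_feature_flag(setting: Setting) -> bool:
    return (setting.key.startswith(FEATURE_FLAG_KEY_PREFIX)
            and _media_type(setting.content_type) == _media_type(FEATURE_FLAG_CONTENT_TYPE))


def parse_secret_uri(uri: str) -> Tuple[str, str, Optional[str]]:
    """Split https://<vault>.vault.azure.net/secrets/<name>[/<version>] into (host, name, version)."""
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"Key Vault reference must be an https URI: {uri!r}")
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2 or parts[0] != "secrets":
        raise ValueError(f"not a Key Vault secret URI: {uri!r}")
    return parsed.hostname, parts[1], (parts[2] if len(parts) > 2 else None)


class FakeSecretClient:
    """Constructed offline stand-in for azure.keyvault.secrets.SecretClient.

    A real client is built as SecretClient(vault_url, DefaultAzureCredential()),
    so the workload authenticates with its managed identity rather than a stored key.
    """
    def __init__(self, secrets: Dict[str, str]):
        self._secrets = secrets

    def get_secret(self, name: str, version: Optional[str] = None):
        if name not in self._secrets:
            raise KeyError(f"secret {name!r} not found")
        return SimpleNamespace(name=name, value=self._secrets[name])


def resolve_settings(settings: Iterable[Setting], secret_clients: Dict[str, object]) -> Dict[str, object]:
    """Turn raw App Configuration settings into a flat config dict.

    Ordinary settings pass through as strings, feature flags become booleans under
    "feature:<id>", and Key Vault references are fetched through the client registered
    for their vault host, so the secret value itself never lives in App Configuration.
    """
    resolved: Dict[str, object] = {}
    for s in settings:
        if is_feature_flag(s):
            flag = json.loads(s.value)
            resolved["feature:" + flag["id"]] = bool(flag.get("enabled", False))
        elif is_keyvault_reference(s):
            host, name, version = parse_secret_uri(json.loads(s.value)["uri"])
            client = secret_clients.get(host)
            if client is None:
                # No identity-backed client for this vault: fail closed rather than guess.
                raise PermissionError(f"no identity-backed client registered for vault {host}")
            resolved[s.key] = client.get_secret(name, version).value
        else:
            resolved[s.key] = s.value
    return resolved


# Constructed sample data: a plain setting, a feature flag, and a Key Vault reference.
SAMPLE_SETTINGS = [
    Setting("Orders:BatchSize", "50"),
    Setting(FEATURE_FLAG_KEY_PREFIX + "StagedCheckout",
            json.dumps({"id": "StagedCheckout", "enabled": True, "conditions": {"client_filters": []}}),
            FEATURE_FLAG_CONTENT_TYPE),
    Setting("Orders:ApiKey",
            json.dumps({"uri": "https://contoso-kv.vault.azure.net/secrets/orders-api-key"}),
            KEYVAULT_REF_CONTENT_TYPE),
]
SAMPLE_CLIENTS = {"contoso-kv.vault.azure.net": FakeSecretClient({"orders-api-key": "constructed-secret-value"})}


def demo() -> Dict[str, object]:
    return resolve_settings(SAMPLE_SETTINGS, SAMPLE_CLIENTS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key} = {value!r}")
```

Note that the resolver keys secret clients by vault host and refuses to resolve a reference for a vault it has no client for; that mirrors the exam point that Key Vault access still requires the app to authenticate, and that App Configuration only ever holds the pointer, never the secret.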
| Trap | Better reading |
|---|---|
| “App Configuration replaces Key Vault.” | App Configuration manages settings; Key Vault protects secrets and certificates. |
| “Managed identity is where secrets live.” | Managed identity is an authentication method, not a secret store. |
| “If the app uses Key Vault, you do not need workload identity.” | The app still needs a secure way to authenticate to Key Vault or other Azure services. |
| “All config should go into Key Vault.” | Ordinary settings and feature flags often belong in App Configuration, not in secret storage. |
An Azure App Service application needs feature flags for staged rollouts, a certificate and secret for downstream integration, and secure access to Azure Storage without keeping credentials in source control or settings files.
The strongest design reading is:
Correct answer: 1. The problem separates into configuration management, secret custody, and workload authentication.