You have an Azure Active Directory (Azure AD) tenant.
You plan to deploy Azure Cosmos DB databases that will use the SQL API.
You need to recommend a solution to provide specific Azure AD user accounts with read access to the Cosmos DB databases.
What should you include in the recommendation?

A. shared access signatures (SAS) and Conditional Access policies

B. certificates and Azure Key Vault

C. master keys and Azure Information Protection policies

D. a resource token and an Access control (IAM) role assignment








 

Suggested Answer: D

The Access control (IAM) pane in the Azure portal is used to configure role-based access control on Azure Cosmos resources. The roles are applied to users, groups, service principals, and managed identities in Active Directory. You can use built-in roles or custom roles for individuals and groups. The following screenshot shows Active Directory integration (RBAC) using access control (IAM) in the Azure portal:
 
Note: To use the Azure Cosmos DB RBAC in your application, you have to update the way you initialize the Azure Cosmos DB SDK. Instead of passing your account's primary key, you have to pass an instance of a TokenCredential class. This instance provides the Azure Cosmos DB SDK with the context required to fetch an Azure AD (AAD) token on behalf of the identity you wish to use.
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
 https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac

This question is in AZ-305 Exam
For getting Azure Solutions Architect Expert Certificate