Challenge Lab (Intermediate)

Secure Web App with Managed Identity and Key Vault Challenge

Configure a web app to securely access secrets from Azure Key Vault using Managed Identity. Create secrets, configure access policies, and verify integration.

Estimated time: 45 min
Guided steps: 1
Verification: Auto
Sandbox: Isolated

Lab overview

Hard-coded secrets are one of the most common and most damaging mistakes in cloud applications: a connection string committed to source control or an API key pasted into a configuration file is one leak away from a breach. Azure Key Vault addresses this by storing secrets, keys, and certificates in a centralized, access-controlled vault, so applications fetch them at runtime instead of embedding them.

That still leaves one question: how does the application authenticate to Key Vault without a secret of its own, which would simply move the problem? A system-assigned managed identity is the answer. Azure gives the App Service its own identity in Microsoft Entra ID, Key Vault grants that identity read access through an access policy, and the app refers to its secrets with Key Vault references in its application settings. The platform resolves those references at runtime, so there are no credentials in code or configuration anywhere.

This challenge tests your ability to wire up that secure path end to end. A web application and a Key Vault are already provisioned; you will configure the access policies, store the secrets, enable the App Service's managed identity, and add the Key Vault references so the app reads its secrets with nothing hard-coded.
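As an added illustration (not part of the lab or its validation engine), the following Python sketch audits a set of App Service application settings for the Key Vault references described above: it parses both documented reference forms and flags secret-looking settings that still hold a plaintext value. The vault name, setting names and values are constructed placeholders, and the name-based "sensitive" heuristic and public-cloud DNS suffix check are assumptions.

```python
import re
from urllib.parse import urlparse
# Key Vault reference forms accepted in App Service application settings:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")
# Assumption: setting names containing these words are expected to hold secrets.
SENSITIVE = re.compile(r"password|secret|key|token|connectionstring", re.I)

def parse_reference(value):
    """Return (vault, secret, version) for a well-formed reference, else None."""
    m = REF.match(value.strip())
    if not m:
        return None
    parts = dict(p.split("=", 1) for p in m["body"].split(";") if "=" in p)
    if "SecretUri" in parts:
        u = urlparse(parts["SecretUri"])
        host, seg = u.hostname or "", [s for s in u.path.split("/") if s]
        # Assumption: Azure public cloud only; sovereign clouds use other suffixes.
        if (u.scheme != "https" or not host.endswith(".vault.azure.net")
                or len(seg) not in (2, 3) or seg[0] != "secrets"):
            return None
        return host.split(".")[0], seg[1], seg[2] if len(seg) == 3 else None
    if parts.get("VaultName") and parts.get("SecretName"):
        return parts["VaultName"], parts["SecretName"], parts.get("SecretVersion")

def audit(settings):
    """Map each setting to reference / malformed-reference / plaintext-secret / ok."""
    report = {}
    for name, value in settings.items():
        if value.lstrip().startswith("@Microsoft.KeyVault("):
            report[name] = "reference" if parse_reference(value) else "malformed-reference"
        elif SENSITIVE.search(name):
            report[name] = "plaintext-secret"
        else:
            report[name] = "ok"
    return report

# Constructed sample settings; vault name, secret names and values are placeholders.
SAMPLE = {
    "DbPassword": "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/DbPassword/)",
    "ApiKey": "@Microsoft.KeyVault(VaultName=example-kv;SecretName=ApiKey)",
    "StorageKey": "@Microsoft.KeyVault(SecretUri=http://example-kv.vault.azure.net/secrets/StorageKey)",
    "SmtpPassword": "constructed-plaintext-value",
    "WEBSITE_NODE_DEFAULT_VERSION": "~18",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A syntactically valid reference can still fail to resolve at runtime if the managed identity is not enabled or the access policy does not grant it read access to secrets, so this check complements the portal's reference status rather than replacing it.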

Objectives

By completing this intermediate-level challenge, you will be able to:

  • Grant a user account and a managed identity scoped access to Azure Key Vault using access policies
  • Create and manage secrets in Azure Key Vault
  • Enable a system-assigned managed identity on an Azure App Service
  • Connect App Service application settings to Key Vault secrets using Key Vault references

Prerequisites

You'll get the most out of this challenge if you're already comfortable with:

  • Navigating the Azure Portal
  • Azure App Service application settings
  • The basics of secrets management and why hard-coded credentials are a risk

Verified against your live environment

An automated validation engine inspects your actual resources and configurations as you work. Completion means the task was actually performed: this is real-world proficiency, not multiple choice.

Environment

Live Cloud Environment

Every lab includes

  • Real environment, pre-credentialed
  • Automated checks on every step
  • Isolated sandbox, auto cleanup
  • AI-recommended next steps

Lab curriculum

  1. Secure App Service with Key Vault and Managed Identity (5 automated checks)

Skills validated

  • Azure Key Vault
  • Azure App Service
  • Azure Managed Identities
