Choose the best response for each question.
Why should the Azure Container Registry admin account be disabled in production environments?
The admin account provides shared credentials with full registry access that aren't tied to a specific identity, making individual actions unauditable and credential rotation difficult.
The admin account can only pull images and can't push new images to the registry.
The admin account is deprecated and no longer available in newly created registries.
The admin account requires a Premium SKU and incurs other licensing costs.
What is the primary purpose of ACR scope map tokens?
To grant per-repository, per-permissions access using the principle of least privilege—allowing a CI/CD pipeline to push to one specific repository without having access to the rest of the registry.
To provide an alternative to managed identity authentication for Azure services that don't support managed identities.
To enable content trust signing on individual image repositories within a registry.
To restrict which IP addresses can access specific repositories in the registry.
How should a Container Instances workload access a database connection string securely?
Store the connection string in Azure Key Vault and use a managed identity with the Key Vault Secrets User role to retrieve it at runtime via a secure environment variable reference.
Pass the connection string as a plain-text value environment variable in the ARM template.
Embed the connection string in the container image at build time using a Dockerfile ARG instruction.
Store the connection string in an Azure Storage table and mount it as a volume in the container group.
What does setting ingress to 'internal' on a Container App do?
Restricts the app to be accessible only from within the Container Apps environment and virtual network—no public IP address is assigned and the app isn't reachable from the internet.
Enables the built-in authentication middleware to require Microsoft Entra ID sign-in before requests reach the container.
Configures IP security restrictions to block specific source IP addresses from reaching the app.
Routes all ingress traffic through Azure Application Gateway for web application firewall inspection.
What security benefit does Dapr provide automatically between Azure Container Apps services?
Mutual TLS (mTLS) encryption between all Dapr sidecar containers—service-to-service communication is encrypted in transit without any certificate management or application code changes required.
Role-based access control between Dapr-enabled apps, preventing unauthorized apps from calling each other's endpoints.
Automatic IP-based firewall rules that block traffic between container services in different environments.
Automatic rotation of managed identity credentials used by each service to authenticate to Azure resources.