Question 26
Domain 1: Plan and Manage an Azure AI Solution
Your organization needs to use Azure AI services across 20 development projects. Each project team should be able to use the services independently, but central security must audit all API calls and enforce that no team stores credentials in code. What architecture satisfies all requirements?
Correct answer: B
Explanation
Separate Azure AI resources per project isolates access so each team can use services independently. User-assigned Managed Identity lets apps authenticate without storing secrets in code, and Azure Monitor logs provide centralized auditing of API calls across all resources.
Why each option is right or wrong
A. One Azure AI Services resource with a shared API key distributed to all teams
B. Separate Azure AI resources per project; each using user-assigned Managed Identity; audit via Azure Monitor logs
Azure AI services support Microsoft Entra ID authentication, and a user-assigned managed identity lets each project’s app obtain tokens without embedding keys or connection strings in source code; the identity is assigned to the workload and granted access through Azure RBAC rather than through stored credentials. Creating separate Azure AI resources per project gives each team independent operational control and isolation, while Azure Monitor diagnostic settings can export service logs to a central Log Analytics workspace so security can audit API activity across all 20 resources.
C. One service principal per team, with passwords stored in Azure Key Vault
D. Azure API Management layer in front of all AI services with a subscription key