Question 11
Domain 1: Plan and Manage an Azure AI Solution
Your company's CI/CD pipeline deploys Azure AI resources using Bicep templates. During deployment to production, you need the pipeline to authenticate to Azure without using stored credentials. What should you configure?
Correct answer: B
Explanation
Use a workload identity federated credential because it lets the pipeline authenticate to Azure without stored secrets. Federated identity uses an external identity provider to issue short-lived tokens, so the CI/CD system can access Azure securely during Bicep deployments.
Why each option is right or wrong
A. Store the service principal client secret in the pipeline's environment variables
B. Use a workload identity federated credential for the CI/CD pipeline (GitHub Actions / Azure DevOps)
Azure deployments from a CI/CD system should use Microsoft Entra ID workload identity federation rather than a client secret or certificate, because the pipeline can exchange its external OIDC token for an Azure access token at run time. In practice, this is configured as a federated credential on the app registration/service principal, which is the secretless authentication pattern supported by GitHub Actions and Azure DevOps for Bicep deployments.
C. Hardcode the subscription owner credentials in the Bicep template parameters file
D. Create an API key and store it in the pipeline's secret manager