Answer: a managed identity

## Explanation ### Recommended Authentication Mechanism: Managed Identity **Managed Identity** is the optimal authentication mechanism for this scenario because: - **Virtual Network Integration**: When an Azure Storage account is configured to be accessible only from a virtual network, managed identities provide seamless authentication without requiring explicit credentials to be stored or managed. - **Security Benefits**: Managed identities eliminate the need to handle storage account keys or connection strings, reducing security risks associated with credential management. The identity is automatically managed by Azure and can be granted specific RBAC permissions on the storage account. - **Azure Synapse Integration**: Azure Synapse Analytics supports managed identities natively. You can assign a system-assigned or user-assigned managed identity to the Synapse workspace, then grant this identity the necessary permissions (such as Storage Blob Data Reader or Contributor) on the storage account. - **Network Security Alignment**: Managed identities work seamlessly with virtual network restrictions since the authentication occurs through Azure's internal security infrastructure, which respects the network boundaries. ### Why Other Options Are Less Suitable **B. Anonymous Public Read Access**: This is completely unsuitable because: - It would bypass the virtual network restriction entirely - Exposes data publicly, creating significant security vulnerabilities - Contradicts the requirement that the storage account is only accessible from the virtual network **C. Shared Key**: While technically possible, this approach is suboptimal because: - Requires storing and managing storage account keys, which poses security risks - Keys need to be rotated regularly for security compliance - Doesn't integrate as seamlessly with virtual network restrictions - More complex to manage compared to managed identities ### Implementation Approach To implement this solution: 1. Enable managed identity for the Azure Synapse workspace 2. Grant the managed identity appropriate RBAC roles on the storage account (e.g., Storage Blob Data Reader) 3. Configure Synapse to use the managed identity when accessing the storage account This approach provides secure, credential-free authentication that respects the virtual network boundaries while maintaining ease of management and strong security posture.

Author: LeetQuiz Editorial Team