Select the answer that correctly completes the sentence.

Microsoft’s identity guidance for Azure resources states there are two kinds of managed identities: system-assigned and user-assigned. The documentation describes that a system-assigned identity is scoped to a single resource and follows its lifecycle: “A system-assigned managed identity is created in Microsoft Entra ID and is tied to the lifecycle of that Azure service instance. When the resource is deleted, Azure automatically deletes the identity.” By contrast, a user-assigned identity is reusable across resources: “A user-assigned managed identity is a standalone Azure resource… It can be assigned to one or more Azure service instances and is managed independently of the resources that use it.”

Because the scenario requires multiple Azure web apps to use the same identity, the only managed identity type that supports this sharing model is the user-assigned managed identity. This allows you to grant RBAC permissions once to the identity and then attach that same identity to several App Service instances, simplifying secretless access to Azure resources (Key Vault, Storage, SQL, etc.) and providing centralized lifecycle and rotation management. Certificates or generic service principals would reintroduce credential management, while a system-assigned identity cannot be shared across multiple apps. Therefore, a user-assigned managed identity is the correct choice.