AI-102: How to Securely Authenticate Azure AI Speech Service with Microsoft Entra ID for Your App?

Learn how to securely authenticate your Azure AI Speech service using Microsoft Entra ID, ensuring private traffic within your virtual network and avoiding internet exposure.

Question

Your organization, Verigon Corporation, has a Microsoft Entra environment. They are developing an app that will use the Azure AI Speech service. As part of the implementation, you need to ensure that the application can securely authenticate to Azure AI Speech using Microsoft Entra.

You are configuring a Speech resource and creating a Speech SDK configuration object. Both the resource and the object will use Microsoft Entra ID for authentication. You create a resource with a custom subdomain named https://verigon.cognitiveservices.azure.com.

You want to ensure that traffic between Verigon’s network and the Speech resource doesn’t travel over the internet. You want to have a dedicated IP address for the Speech resource within your virtual network.

What should you do next to implement authentication for the Azure AI Speech service using a Microsoft Entra token?

A. Open a virtual network service endpoint.
B. Create a private endpoint.
C. Request a TLS/SSL certificate.
D. Request a Code Signing certificate.

Answer

B. Create a private endpoint.

Explanation

With the Speech SDK configuration object, you can configure authentication with a Microsoft Entra token or a Speech resource key. Speech Studio retrieves either a key or a token automatically from the Speech resource. To authenticate using a Microsoft Entra token, the Speech resource must use a private endpoint for the custom domain. The custom domain has already been created for the Speech service. Therefore, a private endpoint must be created.

You need to have a custom subdomain and a private endpoint for the Speech resource to use certain features in Speech Studio, such as using a custom speech model to transcribe audio files. The following table shows the different authentication options.

| Authentication credential | Feature availability |
| --- | --- |
| Speech resource key | Full access. Role configuration is not used. |
| Microsoft Entra token with custom subdomain and private endpoint | Full access. Assigned role permissions can limit access. |
| Microsoft Entra token without custom subdomain and private endpoint (not recommended) | Features are restricted. For example, the Speech resource can train a custom speech model but cannot use that custom speech model. |

You would use a private endpoint instead of a virtual network service endpoint. Both a private endpoint and a virtual network service endpoint ensure that traffic does not travel across the public Internet. A private endpoint uses a private IP address for your Speech resource. A virtual network service endpoint allows access to Azure services but does not provide a dedicated IP address for the Speech resource.
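A check that can be run from a machine inside the virtual network to confirm the private endpoint is actually in effect, as an added example that is not part of the original page. The subnet 10.20.0.0/24 and the sample addresses are constructed assumptions; the hostname is the custom subdomain from the question.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed (constructed) subnet that hosts the private endpoint's network interface.
PE_SUBNET = ipaddress.ip_network("10.20.0.0/24")
# Suffix of the custom subdomain shown in the question.
CUSTOM_SUFFIX = ".cognitiveservices.azure.com"


def resolve(host):
    """Return the set of IP addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_speech_endpoint(endpoint, addresses, subnet=PE_SUBNET):
    """Return a list of findings; an empty list means the endpoint looks private.

    endpoint  -- resource URL configured in the application
    addresses -- IPs the hostname resolved to (use resolve(host) on a live network)
    """
    host = urlparse(endpoint).hostname or ""
    findings = []
    if not host.endswith(CUSTOM_SUFFIX):
        findings.append("endpoint is not a custom subdomain")
    if not addresses:
        findings.append("name did not resolve")
    for addr in sorted(addresses):
        # A private endpoint gives the resource an address inside the subnet.
        # A service endpoint or public access still resolves to a public address.
        if ipaddress.ip_address(addr) not in subnet:
            findings.append(f"{addr} is outside {subnet}: not the private endpoint address")
    return findings


if __name__ == "__main__":
    url = "https://verigon.cognitiveservices.azure.com"
    # Constructed resolver results: with and without a working private endpoint.
    for sample in ({"10.20.0.5"}, {"203.0.113.10"}):
        print(sorted(sample), "->", check_speech_endpoint(url, sample) or "OK")
```

On a live network, pass `resolve("verigon.cognitiveservices.azure.com")` as `addresses` and set `PE_SUBNET` to the real subnet.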

The next step is not to request an X.509 certificate, whether a TLS/SSL certificate or a Code Signing certificate. A TLS/SSL certificate is used by the HTTPS protocol to secure web-based traffic. Code Signing certificates ensure integrity and authenticity when signing software. The certificate was already present when the resource was created with a custom subdomain named https://verigon.cognitiveservices.azure.com.
