The correct answer is Configure all App Service instances to use the same user assigned managed identity.

A user assigned managed identity is created independently of any single App Service instance and can be assigned to multiple apps so all four web apps can authenticate with a single identity when accessing the Key Vault. Granting that one identity the necessary Key Vault permissions simplifies permission management and avoids distributing secrets or credentials to each application.

Create an Azure AD service principal and distribute its credentials to the apps is incorrect because distributing credentials reintroduces secret management and increases security risk. One of the main benefits of managed identities is that you do not have to handle or rotate credentials manually.

Create a single Azure Active Directory user account for all applications to use is incorrect because user accounts are intended for human users and sharing a user account and its credentials is insecure and against best practices. Applications should use identities designed for services instead.

Configure all apps to share the same system assigned managed identity is incorrect because system assigned managed identities are tied to a single resource and cannot be shared across multiple App Service instances. Each app receives its own system assigned identity so this approach is not feasible.

Full AWS Practitioner Certification Question