Azure IoT provides a number of patterns and options to design and implement security in your IoT solutions. One of the key components of the security architecture is the security of the cloud part, i.e. how the different components of a solution can access the IoT Hub endpoints, minimizing the exposure to unauthorized access. While building your solution, you design the access policies for three components: Event processor
Device app
Device manager component
Which policy should you use for which component?

Answer options:

A.device; service; registryReadWrite
B.registryRead; device; registryReadWrite
C.service; iothubowner; iothubowner
D.service; device; registryReadWrite

Correct Answer: D
Option A is incorrect because device and service policies are swapped here, hence the answer is wrong.
Option B is incorrect because back-end services, like event processors, need the ServiceConnect permission to be able to retrieve messages from the IoT Hub. registryRead is wrong in this context.
Option C is incorrect because grating iothubowner permission to components violates the principle of least necessary privileges and raises additional risk.
Option D is CORRECT because the event processor must be able to connect to service endpoints (to receive messages, file uploads etc.); the devices need DeviceConnect permissions to be able to send telemetry; the device manager service needs R/W access to the identity registry. All components are granted the least privileges they need to their operation.
References: 

https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security
https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-deployment?context=/azure/iot-hub/rc/rc#iot-hub-security-tokens