Exam AZ-500 topic 2 question 102 discussion

Given answers is correct. https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant

By default, the account that creates a vault is the only one with access (vault creators have by default permissions to create and delete keys). The Verified ID service needs access to the key vault. You must authenticate your key vault, allowing the account used during configuration to create and delete keys. The account used during configuration also requires permissions to sign so that it can create the domain binding for Verified ID. So, if the Admin1 account is not the one that created Vault1, it will need to get the following key permissions: create, delete and sign. https://learn.microsoft.com/en-us/entra/verified-id/verifiable-credentials-configure-tenant

Create, Delete, Sign. "Follow these steps to create a key vault using the Azure portal. Note: By default, the account that creates a vault is the only one with access. The Verified ID service needs access to the key vault. You must configure your key vault with access policies allowing the account used during configuration to CREATE and DELETE keys. The account used during configuration also requires permissions to SIGN so that it can create the domain binding for Verified ID. If you use the same account while testing, modify the default policy to grant the account sign permission, in addition to the default permissions granted to vault creators.

https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant - Go to Set access policies for the Verified ID Admin user, you can see screenshot where Get, Create, Delete, Sign is selected

In all, you need these 4 permissions enabled: Get, Create, Delete, and Sign. However, by default, Create and Delete are enabled. Therefore, Sign and Get should be the only key permissions you need to update. https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant

Considering the principle of least privilege, the definite answers for the three key permissions to support the implementation of Azure Verified ID are: Sign: This permission allows the user (Admin1) to use the keys in Vault1 for signing operations, which is necessary for verifying the authenticity of the Verified ID. Verify: This permission enables the user (Admin1) to use the keys in Vault1 for verification operations, which is essential for validating the Verified ID. Get: This permission allows the user (Admin1) to retrieve the keys from Vault1. It may be required for certain operations during the implementation of Azure Verified ID, such as retrieving the public key for verification purposes. By selecting these three key permissions (Sign, Verify, and Get) for Admin1 in the access policy of Vault1, you ensure that Admin1 has the necessary permissions to support the implementation of Azure Verified ID, while following the principle of least privilege. I apologize for any confusion caused earlier, and I appreciate your patience.

One quirk I also encountered when configuring this in the lab is that when I went to register the decentrialized ID the key vault operation failed with an error that you need to add "List" also. Then it would proceed.

Which three key permissions get create delete

should pick also GET https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant

create,delete,sign