Correct answer is A. Correct me if I'm wrong though. To achieve the requirements of allowing Automation1 to read the contents of Secret1 while preventing it from accessing other secrets in Vault1 and following the principle of least privilege, this is how you can achieve this as well: Navigate to the Azure portal. Go to the Azure Key Vault (Vault1). Select "Access control (IAM)". Add a role assignment for the Automation1's managed identity with the necessary permissions (e.g., "Get" for secrets). By configuring the access control (IAM) settings at the vault level, you can specifically grant the required permissions to the managed identity of Automation1 for the Secret1, while avoiding unnecessary access to other secrets. So, the correct answer is: A. From Vault1, configure the Access control (IAM) settings.

Co Pilot and ChatGPT are sure it's A.

D is the corrects, in depend on Permission model if you have. " Vault access policy" we cannot find the IAM role in secret1 you need to change to "Azure role-based access control (recommended)" https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

Answer is D

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

The best course of action to achieve secure access to Secret1 while adhering to the principle of least privilege is: A. From Vault1, configure the Access control (IAM) settings. Here's why the other options are not ideal: B. From Automation1, configure the Identity settings: While enabling managed identity is a good first step, it doesn't grant specific permissions to access Vault1 resources. C. From Automation1, configure the Run as accounts settings (deprecated): Microsoft is phasing out Run As accounts, and they are considered less secure than managed identities. D. From Secret1, configure the Access control (IAM) settings: Secrets themselves cannot configure access control.

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli Note: >Assigning roles on individual keys, secrets and certificates should be avoided. Exceptions to general guidance: >Scenarios where individual secrets must be shared between multiple applications, for example, one application needs to access data from the other application I guess the exam wants us to answer D in this case though. I would select D.

Answer is D: Secret scope role assignment: > Open a previously created secret. >Click the Access control(IAM) tab > Select Add > Add role assignment to open the Add role assignment page... https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli.

D is the correct answer, individual secrets have their own IAM. If you assigned secret administrator at the vault level then you would be granting access to all secrets in the vault.