ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-500 All Questions

View all questions & answers for the AZ-500 exam
Go to Exam

Exam AZ-500 topic 4 question 120 discussion

Actual exam question from Microsoft's AZ-500
Question #: 120
Topic #: 4
[All AZ-500 Questions]

HOTSPOT
-

You have an Azure key vault.

You need to delegate administrative access to the key vault to meet the following requirements:

• Provide a user named User1 with the ability to set access policies for the key vault.
• Provide a user named User2 with the ability to add and delete certificates in the key vault.
• Use the principle of least privilege.

What should you use to assign access to each user? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by Apptech at April 30, 2024, 12:37 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Jimmy500
Highly Voted 1 year, 1 month ago
Given solution is correct: Here we need to understand question carefully which what asks about for User1 and User2. As we see in the first question it says provide a user named User1 with the ability to set access policies for the key vault. Which basically tells you need to provide access for the management plane not data plane. As we know well, RBAC roles can be assigned for both management and data plane level.However, key vault access policies only works for data plane level. From here can say for the first example this will be RBAC only. In the second example question asks, provide a user named User2 with the ability to add and delete certificates in the key vault, which basically says we need to add permission for the data plane of Azure Key vault which can be done by the help of RBAC and Key vault access policy which can be applied to data level of Azure key Vault.
upvoted 7 times
hellboysecret
4 months, 4 weeks ago
Nice explanation. User 2 - can have access policy or Key Vault Certificates Officer (RBAC) role
upvoted 1 times
...
Jimmy500
1 year, 1 month ago
Sorry I think I missed one thing here, Azure Access Policy and RBAC can not work together this is why I think we can only use RBAC in the both cases , because if we use Key Vault Access Policy and RBAC together and assign role with rbac for data plane for the deleting certficate we will need to use Key Vault certificate Officer and when we assign it it writes in front of role this role only works with rbac model, if will use key vault access policy we will not able to grant access to user1 as it needs rbac since we will use rbac for user1 we will need to use rbac for user2 as well as key vault does not support both methods together. I change my answer and sorry for my initial thought. RBAC,RBAC
upvoted 2 times
Jimmy500
1 year, 1 month ago
I also changed my key vault settings to Access policy and assigned my self Key Vault certificate owner role, I successfully assigned but when I went to create certificate , I got an error and could not create certificate as this role does not support access policy model
upvoted 1 times
...
...
...
MrJR
Most Recent 1 month, 3 weeks ago
I would go with: User1 RBAC only I think that's clear for everyone. User2 Key vault access policy only. As otherwise you would have to grant Key Vault Certificates Office role which grants too much permissions. The question says to use the principle of least privilege and this role: "Perform any action on the certificates of a key vault, except managing permissions. Only works for key vaults that use the 'Azure role-based access control' permission model." User2 would be able to Backup, Recover, Restore, Manage contacts, Manage Certificate authorities etc.. And questions says just add and remove certificates. https://docs.azure.cn/en-us/key-vault/general/assign-access-policy?tabs=azure-portal
upvoted 1 times
...
tomchan2417
1 month, 3 weeks ago
The question is asking what should you use and we need to apply least privilege. Why would user2 use both? Should it not be only key vault access policy?
upvoted 1 times
...
randy0077
4 months, 3 weeks ago
given ans is correct: https://learn.microsoft.com/en-us/azure/key-vault/general/security-features#privileged-access:~:text=Conditional%20Access%20overview-,Privileged%20access,-Authorization%20determines%20which
upvoted 1 times
...
JaridB
1 year, 3 months ago
The provide answers are correct
upvoted 1 times
Pamban
1 year, 3 months ago
Nope.. Key Vault can't have both RBAC and access policy permission models
upvoted 3 times
...
...
Apptech
1 year, 3 months ago
User1: Key Vault access policy User2: RBAC only --> Key Vault Certificates Officer: Perform any action on the certificates of a key vault, except manage permissions
upvoted 2 times
Apptech
1 year, 3 months ago
correcting myself: The given answer is correct. As from Microsoft: "Both planes use Microsoft Entra ID for authentication. For authorization, the management plane uses Azure role-based access control (Azure RBAC) and the data plane uses a Key Vault access policy and Azure RBAC for Key Vault data plane operations." --> See here https://learn.microsoft.com/en-us/azure/key-vault/general/security-features#privileged-access
upvoted 2 times
...
Apptech
1 year, 3 months ago
Same as in Topic3, question 34
upvoted 1 times
timHAG
1 year, 2 months ago
which answers for rbac for user1 and Key Vault access policy, seems its after Entra updates, that the data plane is for both for managing key apptech for the second one. for th e first user1 it should be RBAC only
upvoted 1 times
timHAG
1 year, 2 months ago
so provided answers are correct
upvoted 1 times
...
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel