My opinion is that the answer is D.
The policy should belong to a key. In the case study the code retrieves the key, so the GET access policy is mandatory. The wrap/unwrap is used for symmetric encryption, and in this case study the task is to encrypt the blobs.
Yes! It's D
PermissionsToKeys wrapkey, unwrapkey, get
https://docs.microsoft.com/en-us/powershell/module/az.storage/set-azstorageaccount?view=azps-5.8.0#example-5--set-encryption-keysource-to-keyvault
code example at line 7
Some questions here appeared in the actual exam. But the problem is that the answers here are not accurate. The same goes for some highly voted answers. I failed on my first attempt (646/1000) even though I have contributor access.
100% D - All certificates and secrets used to secure data must be stored in Azure Key Vault.
You need to retrieve the keys, so the get permission is required. The wrapkey and unwrapkey permissions will be used for symmetric encryption to encrypt the blobs.
The link below contains an example of the same scenario.
https://docs.microsoft.com/en-us/powershell/module/az.storage/set-azstorageaccount?view=azps-8.0.0#example-5-set-encryption-keysource-to-keyvault
https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys-details#key-access-control
This page shows the example: https://learn.microsoft.com/en-us/powershell/module/azurerm.storage/set-azurermstorageaccount?view=azurermps-6.13.0#example-5-set-encryption-keysource-to-keyvault
The Set-AzureRmKeyVaultAccessPolicy parameter -PermissionsToKeys specifies an array of key operation permissions to grant to a user or service principal.
According to the reference, the answer is D
https://docs.microsoft.com/es-es/powershell/module/azurerm.storage/set-azurermstorageaccount?view=azurermps-6.13.0
Answer is D.
Wrap, Unwrap, encrypt, decrypt are available only for -PermissionsToKeys
https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultaccesspolicy?view=azps-6.4.0#parameters
This site also clearly states that PermissionsToCertificates only has these options:
all, get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge, backup, restore
So B and C are not even valid
Refer
https://docs.microsoft.com/en-us/powershell/module/az.storage/set-azstorageaccount?view=azps-5.8.0#example-5--set-encryption-keysource-to-keyvault
Example 5: Set Encryption KeySource to Keyvault
Answer should be D: wrapkey,unwrapkey,get
PS C:\>Set-AzKeyVaultAccessPolicy -VaultName "MyKeyVault" -ObjectId $account.Identity.PrincipalId -PermissionsToKeys wrapkey,unwrapkey,get
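An added example, not part of any comment above or of the linked Microsoft documentation: a check that the access policy granted to the storage account's identity carries the key permissions from answer D (get, wrapkey, unwrapkey) and nothing beyond them. `Test-StorageCmkPolicy` is a hypothetical helper, the sample policies and object IDs are constructed, and the property names are assumed to match the `AccessPolicies` objects returned by `Get-AzKeyVault`.

```powershell
# Added example. Test-StorageCmkPolicy is a hypothetical helper, not an Az cmdlet.
$RequiredKeyPerms = 'get', 'wrapkey', 'unwrapkey'

function Test-StorageCmkPolicy {
    param(
        [Parameter(Mandatory)] [object[]] $AccessPolicies,  # (Get-AzKeyVault -VaultName "MyKeyVault").AccessPolicies
        [Parameter(Mandatory)] [string]   $ObjectId         # $account.Identity.PrincipalId
    )
    $policy = $AccessPolicies | Where-Object { $_.ObjectId -eq $ObjectId } | Select-Object -First 1
    if (-not $policy) {
        return [pscustomobject]@{ Found = $false; Missing = $RequiredKeyPerms; Excess = @(); LeastPrivilege = $false }
    }
    # Permission names are case-insensitive (wrapKey vs. wrapkey): normalise before comparing.
    $granted = @(@($policy.PermissionsToKeys) | Where-Object { $_ } |
                 ForEach-Object { "$_".ToLowerInvariant() } | Sort-Object -Unique)
    # 'all' satisfies every requirement but is far more than blob encryption needs.
    $missing = @()
    if ($granted -notcontains 'all') {
        $missing = @($RequiredKeyPerms | Where-Object { $_ -notin $granted })
    }
    $excess = @($granted | Where-Object { $_ -notin $RequiredKeyPerms })
    # The storage identity needs no secret or certificate permissions for this scenario.
    $other = @(@($policy.PermissionsToSecrets) + @($policy.PermissionsToCertificates) | Where-Object { $_ })
    [pscustomobject]@{
        Found = $true; Missing = $missing; Excess = $excess; NonKeyPermissions = $other
        LeastPrivilege = ($missing.Count -eq 0 -and $excess.Count -eq 0 -and $other.Count -eq 0)
    }
}

# Constructed sample policies (object IDs are placeholders, not real principals).
$sample = @(
    [pscustomobject]@{ ObjectId = '00000000-0000-0000-0000-000000000001'
                       PermissionsToKeys = 'wrapKey', 'unwrapKey', 'get'
                       PermissionsToSecrets = @(); PermissionsToCertificates = @() }
    [pscustomobject]@{ ObjectId = '00000000-0000-0000-0000-000000000002'
                       PermissionsToKeys = 'get', 'list', 'delete'
                       PermissionsToSecrets = 'get'; PermissionsToCertificates = @() }
)
foreach ($id in $sample.ObjectId) {
    Test-StorageCmkPolicy -AccessPolicies $sample -ObjectId $id | Format-List
}
```

The first sample policy passes; the second is reported as missing wrapkey and unwrapkey and as carrying excess list, delete and a secret permission.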