Exam AZ-400 topic 4 question 10 discussion

Answer should be: 1) A Key Vault access policy 2) A Key Vault access policy

answer should be A key vault access policy RABC

Correct answer 1) A Key Vault Advanced Access Policy 2) RBAC

Old question, the correct answer now would be: Key Vault Access configuration. Here you can enable "Azure Resource Manager for template deployment". RBAC

I think that question is old, and the response has changed. Now I think it should be: Slot1: RBAC Slot2: RBAC Explanation: Micorosft recommends to migrate from access-policies (legacy) to RBAC. See provived link, that says: Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on Azure's control and data planes, and the access policy model, which operates on the data plane alone. Azure RBAC is the recommended authorization system for the Azure Key Vault data plane https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy#data-plane-access-control-recommendation

Correct Answer: 3, 1 The access policies aren't needed if the user is deploying a template that retrieves a secret. Add a user to the access policies only if the user needs to work directly with the secrets. The user who deploys the template must have the Microsoft.KeyVault/vaults/deploy/action permission for the scope of the resource group and key vault. Recommendations for controlling access to your vault are as follows: Lock down access to your subscription, resource group, and key vaults using role-based access control (RBAC). Restrict network access with Private Link, firewall and virtual networks https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices

1. Access configurations under Settings on the Key vault blade itself 2. Access to the data in the KV itself => Data plane and here we can chose btw. Access Policy and Key Vault

This questions is a bit outdated. The newer version split it to 2 separate questions asking for restricting access to: - delete the key vault => RBAC - the secrets stored in the key vault? => key access policy

1. Access Policies Fine-grained approach for controlling access to the secrets in Azure Key Vault. 2. RBAC Commonly used for managing access to Azure resources(e.g. Key Vault).

1) Enable key vaults for template deployment: RBAC https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli The access policies aren't needed if the user is deploying a template that retrieves a secret. Add a user to the access policies only if the user needs to work directly with the secrets. The deployment permissions are defined in the next section. 2) Access policy

As a rule of thumb, access to the key vault could be provided by RBAC, access to the keys/secretes in key vault could be provided by access policy, and access for a period of time can be provided by SAS. I have used this rule of thumb across a few Azure exams (AZ-104, AZ-305, AZ-700, AZ-500) and it never fails me. I hope it works in AZ-400 as well. It must be some very specific reasons that the rule does not apply.

Seems like the answer should be - 1) A Key Vault access policy 2)RBAC https://learn.microsoft.com/en-us/answers/questions/370371/restrict-access-to-the-secrets-in-the-key-vault-ar.html Access to vaults takes place through two interfaces or planes. Management plane is controlled via RBAC to manage Key Vault itself. Operations that can be controlled are: > Create, read, update, and delete key vaults > Set Key Vault access policies > Set Key Vault tags Data plane is controlled via Access Policies to allows you to work with the data stored in a key vault. Operations that can be controlled are: > Keys: encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, recover, backup, restore, purge > Certificates: managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, get, list, create, import, update, delete, recover, backup, restore, purge > Secrets: get, list, set, delete,recover, backup, restore, purge

The first option has to be enabled in KV/ Access Configuration /Resource access The Resource access Choose among the following options to grant access to specific resource types Azure Virtual Machines for deployment > Azure Resource Manager for template deployment Azure Disk Encryption for volume encryption

Today's answer is: 1. Access Policy 2. Access Configuration -- Here you can setup permissions for VMs

Both should be - a key vault access policy https://learn.microsoft.com/en-us/answers/questions/370371/restrict-access-to-the-secrets-in-the-key-vault-ar.html https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault

A Key Vault access policy - an access policy is only way to setup this option RBAC - Only way to restrict access would be a permission model, role based is only option, so rather obvious.

Correct answer is: 1) A key vault access policy (which is called "advanced" setting in warning messages) 2) RBAC The answer options are out-of-date. Explanation: Currently in the portal "Access configuration" you can select "Azure role-based access control" or "Vault access policy". Independent of this selection, there is a possibility to select "Azure Resource Manager for template deployment". There is no word "Advanced" anywhere. However, in warning messages, the last option is described as an advanced access policy.