ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-400 All Questions

View all questions & answers for the AZ-400 exam
Go to Exam

Exam AZ-400 topic 4 question 10 discussion

Actual exam question from Microsoft's AZ-400
Question #: 10
Topic #: 4
[All AZ-400 Questions]

DRAG DROP -
Your company has a project in Azure DevOps.
You plan to create a release pipeline that will deploy resources by using Azure Resource Manager templates. The templates will reference secrets stored in Azure
Key Vault.
You need to recommend a solution for accessing the secrets stored in the key vault during deployments. The solution must use the principle of least privilege.
What should you include in the recommendation? To answer, drag the appropriate configurations to the correct targets. Each configuration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Show Suggested Answer Hide Answer
Suggested Answer:
Box 1: A key Vault advanced access policy


Box 2: RBAC -
Management plane access control uses RBAC.
The management plane consists of operations that affect the key vault itself, such as:
✑ Creating or deleting a key vault.
✑ Getting a list of vaults in a subscription.
✑ Retrieving Key Vault properties (such as SKU and tags).
✑ Setting Key Vault access policies that control user and application access to keys and secrets.
Reference:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-use-key-vault
by Ronny95 at July 1, 2021, 5:55 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Kazillius
Highly Voted 4 years, 1 month ago
Answer should be: 1) A Key Vault access policy 2) A Key Vault access policy
upvoted 49 times
rfox321
3 years, 10 months ago
Why is this the correct answer? Link?
upvoted 4 times
rdemontis
3 years, 4 months ago
"To enable the template to retrieve the secret, you must enable an access policy called Enable access to Azure Resource Manager for template deployment for the key vault. This policy is enabled in the template" Please look at the link below (Important section) https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#prepare-a-key-vault The answer provided by exam topic is really outdated. The section Advanced access policy has been removed from years and now, as you can easily test in the portal, the only thing to do for either the question is to create an access policy. Specifically, to enable key vaults for template deployment you need only to flag the proper checkbox
upvoted 4 times
catfood
2 years ago
access policies aren't needed if the user is deploying a template that retrieves a secret https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli Outdated question IMHO, going to ignore it.
upvoted 2 times
...
rdemontis
3 years, 4 months ago
However, if "Advanced access policy" were to be present as an option on the exam I would consider using it for the first box. Because an obsolete answer also suggests that the question is obsolete.
upvoted 4 times
...
...
awron_durat
3 years, 6 months ago
I think this question is just very out of date. I checked KV and they don't even have an advanced access policy section anymore.
upvoted 15 times
ParkXD
2 years, 4 months ago
agree, now it is "resource access" in the Access configuration
upvoted 2 times
...
...
...
prashantjoge
3 years, 3 months ago
Advanced policy is needed for template deployment key vault policy since rbac is needed for managing the keyvault itself
upvoted 1 times
mshin
2 years, 4 months ago
1) Advanced Access Policy Note, this option is now replaced by 'Access Configurations'. Portal --> Key vault --> Access Configuration --> Enable Az Resource Manager for template deployment option 2) Key Vault Access policies Role-Based Access Control (RBAC) are used for managing Azure Active Directory (AAD) users, groups, and applications at a management plane level (assigning roles, creating custom roles with specific perms), Whereas Access Policies are used for managing Key Vault data plane operations, such as read, write, and delete secrets. So Access Policies are specific to Azure Key Vault and are used to manage access to the secrets and keys stored within it. As mentioned in the comments below a good rule of thumb is to remember: - access to the key vault could be provided by RBAC - access to the keys/secrets in key vault could be provided by access policy - access for a period of time can be provided by SAS.
upvoted 9 times
...
...
fkaracan
2 years, 5 months ago
who are you and why should we trust you without giving explanation :D
upvoted 5 times
...
...
sv_26
Highly Voted 4 years ago
answer should be A key vault access policy RABC
upvoted 30 times
rfox321
3 years, 10 months ago
Links for proof please?
upvoted 3 times
CompetentNinja
3 years, 4 months ago
Try to enable it in portal and you will se your self. In new version there is no "advanced"
upvoted 2 times
...
...
...
AugustineUba
Most Recent 2 weeks, 4 days ago
recently RBAC can be used for both. Although Access Policy is still allowed for first question. Microsoft docs refers to access policy as legacy but not deprecated. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy
upvoted 1 times
...
BorisUK2000
1 month, 3 weeks ago
This is an old question. Key Vault access policy is legacy. Now Microsoft recommends RBAC. https://learn.microsoft.com/en-gb/azure/key-vault/general/assign-access-policy https://learn.microsoft.com/en-gb/azure/role-based-access-control/overview
upvoted 3 times
...
Gooldmember
9 months ago
Correct answer 1) A Key Vault Advanced Access Policy 2) RBAC
upvoted 3 times
Gooldmember
8 months, 3 weeks ago
I need to correct my self for the last time, i think this a really old question. Correct answer 1) A Key Vault Access Configuration -> Here you can enable "Azure Resource Manager for template deployment". 2) Key Vault Access Policies -> set secrets permissions
upvoted 1 times
...
Gooldmember
9 months ago
Sorry my mistake. I agree with Skankhunt duo to it is an older question. 1) Key Vault Access configuration. Here you can enable "Azure Resource Manager for template deployment". 2) RBAC
upvoted 2 times
...
...
Skankhunt
1 year ago
Old question, the correct answer now would be: Key Vault Access configuration. Here you can enable "Azure Resource Manager for template deployment". RBAC
upvoted 1 times
...
arr73
1 year, 3 months ago
I think that question is old, and the response has changed. Now I think it should be: Slot1: RBAC Slot2: RBAC Explanation: Micorosft recommends to migrate from access-policies (legacy) to RBAC. See provived link, that says: Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on Azure's control and data planes, and the access policy model, which operates on the data plane alone. Azure RBAC is the recommended authorization system for the Azure Key Vault data plane https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy#data-plane-access-control-recommendation
upvoted 1 times
arr73
1 year, 1 month ago
I was wrong: it's access policy, as rdemontis explained. Sorry for the mistake.
upvoted 1 times
...
...
chloaus
1 year, 3 months ago
Correct Answer: 3, 1 The access policies aren't needed if the user is deploying a template that retrieves a secret. Add a user to the access policies only if the user needs to work directly with the secrets. The user who deploys the template must have the Microsoft.KeyVault/vaults/deploy/action permission for the scope of the resource group and key vault. Recommendations for controlling access to your vault are as follows: Lock down access to your subscription, resource group, and key vaults using role-based access control (RBAC). Restrict network access with Private Link, firewall and virtual networks https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices
upvoted 1 times
...
yana_b
1 year, 9 months ago
1. Access configurations under Settings on the Key vault blade itself 2. Access to the data in the KV itself => Data plane and here we can chose btw. Access Policy and Key Vault
upvoted 2 times
...
yana_b
1 year, 11 months ago
This questions is a bit outdated. The newer version split it to 2 separate questions asking for restricting access to: - delete the key vault => RBAC - the secrets stored in the key vault? => key access policy
upvoted 15 times
WH16
1 year, 11 months ago
Yes, it was on exam 2023-09-06, went with answers above and scored 933.
upvoted 4 times
...
...
renzoku
2 years ago
1. Access Policies Fine-grained approach for controlling access to the secrets in Azure Key Vault. 2. RBAC Commonly used for managing access to Azure resources(e.g. Key Vault).
upvoted 4 times
...
Pipek
2 years, 4 months ago
1) Enable key vaults for template deployment: RBAC https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli The access policies aren't needed if the user is deploying a template that retrieves a secret. Add a user to the access policies only if the user needs to work directly with the secrets. The deployment permissions are defined in the next section. 2) Access policy
upvoted 1 times
...
AzureJobsTillRetire
2 years, 6 months ago
As a rule of thumb, access to the key vault could be provided by RBAC, access to the keys/secretes in key vault could be provided by access policy, and access for a period of time can be provided by SAS. I have used this rule of thumb across a few Azure exams (AZ-104, AZ-305, AZ-700, AZ-500) and it never fails me. I hope it works in AZ-400 as well. It must be some very specific reasons that the rule does not apply.
upvoted 14 times
...
rikininetysix
2 years, 7 months ago
Seems like the answer should be - 1) A Key Vault access policy 2)RBAC https://learn.microsoft.com/en-us/answers/questions/370371/restrict-access-to-the-secrets-in-the-key-vault-ar.html Access to vaults takes place through two interfaces or planes. Management plane is controlled via RBAC to manage Key Vault itself. Operations that can be controlled are: > Create, read, update, and delete key vaults > Set Key Vault access policies > Set Key Vault tags Data plane is controlled via Access Policies to allows you to work with the data stored in a key vault. Operations that can be controlled are: > Keys: encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, recover, backup, restore, purge > Certificates: managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, get, list, create, import, update, delete, recover, backup, restore, purge > Secrets: get, list, set, delete,recover, backup, restore, purge
upvoted 3 times
rikininetysix
2 years, 7 months ago
Sorry for the mistake, the answer given is entirely correct, first answer would be the A Key Vault advanced access policy and second one would be RBAC.
upvoted 1 times
...
...
Rachid
2 years, 8 months ago
The first option has to be enabled in KV/ Access Configuration /Resource access The Resource access Choose among the following options to grant access to specific resource types Azure Virtual Machines for deployment > Azure Resource Manager for template deployment Azure Disk Encryption for volume encryption
upvoted 3 times
...
hebertpena88
2 years, 9 months ago
Today's answer is: 1. Access Policy 2. Access Configuration -- Here you can setup permissions for VMs
upvoted 2 times
...
Aksssssh
2 years, 9 months ago
Both should be - a key vault access policy https://learn.microsoft.com/en-us/answers/questions/370371/restrict-access-to-the-secrets-in-the-key-vault-ar.html https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel