Exam AZ-400 topic 4 question 55 discussion

Actual exam question from Microsoft's AZ-400
Question #: 55
Topic #: 4

DRAG DROP -
You have an Azure Key Vault that contains an encryption key named key1.
You plan to create a Log Analytics workspace that will store logging data.
You need to encrypt the workspace by using key1.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Suggested Answer:
Customer-Managed key provisioning steps (assuming there already is an Azure Key Vault):
Step 1: Enable soft delete for the key vault.
The Azure Key Vault must be configured as recoverable to protect your key and the access to your data in Azure Monitor. You can verify this configuration under Properties in your Key Vault; both Soft delete and Purge protection should be enabled.
Step 2: Create a Log Analytics cluster.
Clusters use a managed identity for data encryption with your Key Vault. Set the identity type property to SystemAssigned when creating your cluster to allow access to your Key Vault for "wrap" and "unwrap" operations.
Step 3: Grant permissions to the key vault.
Grant Key Vault permissions.
Create an access policy in Key Vault that grants permissions to your cluster. These permissions are used by the underlay cluster storage. Open your Key Vault in the Azure portal and click Access Policies, then + Add Access Policy, to create a policy with these settings:
Key permissions: select Get, Wrap Key and Unwrap Key.
Etc.

1. Creating cluster
2. Granting permissions to your Key Vault
3. Updating cluster with key identifier details
4. Linking workspaces

Step 4: Link workspace -
Link workspace to cluster.
This step should be performed only after the cluster provisioning. If you link workspaces and ingest data prior to the provisioning, ingested data will be dropped and won't be recoverable.
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys
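
An added example, not part of the suggested answer or of Microsoft's documentation: a preflight check that walks the four steps above and reports which prerequisites are still unmet before a workspace is linked. It assumes the two inputs are dictionaries shaped like the JSON returned by `az keyvault show` and `az monitor log-analytics cluster show`; the function name, the sample data and the principal ID are constructed for illustration.

```python
# Key permissions the suggested answer lists for the cluster's access policy.
REQUIRED_KEY_PERMS = ("get", "wrapKey", "unwrapKey")

def cmk_preflight(vault, cluster):
    """Return unmet prerequisites, ordered like the provisioning steps."""
    problems = []
    vprops = vault.get("properties") or {}
    # Step 1: the vault must be recoverable (soft delete and purge protection).
    if not vprops.get("enableSoftDelete"):
        problems.append("vault: soft delete is not enabled")
    if not vprops.get("enablePurgeProtection"):
        problems.append("vault: purge protection is not enabled")
    # Step 2: the cluster reaches the vault through a system-assigned identity.
    identity = cluster.get("identity") or {}
    if identity.get("type") != "SystemAssigned":
        problems.append("cluster: identity type is not SystemAssigned")
    # Step 3: an access policy must give that identity Get, Wrap Key, Unwrap Key.
    principal = identity.get("principalId")
    granted = set()
    for policy in vprops.get("accessPolicies") or []:
        if principal and policy.get("objectId") == principal:
            keys = (policy.get("permissions") or {}).get("keys") or []
            granted.update(k.lower() for k in keys)
    missing = [p for p in REQUIRED_KEY_PERMS if p.lower() not in granted]
    if missing:
        problems.append("vault: cluster identity lacks key permissions: " + ", ".join(missing))
    # Step 4 gate: data ingested before provisioning completes is dropped.
    state = (cluster.get("properties") or {}).get("provisioningState")
    if state != "Succeeded":
        problems.append("cluster: provisioningState is %r; do not link workspaces yet" % state)
    return problems

# Constructed sample data (not real resources); the principal ID is a placeholder.
PRINCIPAL = "00000000-0000-0000-0000-000000000001"
SAMPLE_VAULT = {"properties": {
    "enableSoftDelete": True,
    "enablePurgeProtection": None,
    "accessPolicies": [{"objectId": PRINCIPAL,
                        "permissions": {"keys": ["get", "wrapKey"]}}]}}
SAMPLE_CLUSTER = {"identity": {"type": "SystemAssigned", "principalId": PRINCIPAL},
                  "properties": {"provisioningState": "Updating"}}

if __name__ == "__main__":
    for problem in cmk_preflight(SAMPLE_VAULT, SAMPLE_CLUSTER):
        print("UNMET:", problem)
```

An empty list means the vault is recoverable, the cluster identity holds the three key permissions, and provisioning has finished, so linking the workspace is safe.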

Comments

509325_5153
Highly Voted 2 years, 8 months ago
Why do we need soft delete? I was thinking... 1. Register the Azure subscription to allow cluster creation. 2. Create a Log Analytics cluster. 3. Grant permissions to the key vault. 4. Link the workspace.
upvoted 53 times
RealRaymond
2 years ago
Not able to find any reference to "Register the Azure subscription to allow cluster creation."
upvoted 2 times
Pamban
2 years ago
Here is the reference: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-dedicated-clusters?tabs=cli Cluster creation triggers resource allocation and provisioning. This operation can take a few hours to complete. Dedicated cluster is billed once provisioned regardless data ingestion and it's recommended to prepare the deployment to expedite the provisioning and workspaces link to cluster. Verify the following: A list of initial workspace to be linked to cluster is identified You have permissions to subscription intended for the cluster and any workspace to be linked
upvoted 2 times
armvch
2 years, 7 months ago
We already have Keyvault, why do we need to create an Azure Subs then? Enabling soft delete sounds more logical, I guess
upvoted 4 times
binhdortmund
2 years, 5 months ago
Yes, we already have Keyvault and while creating Keyvault, the Soft Delete is enabled, we can't change here. So this step "Enabling soft delete" is impossible
upvoted 1 times
armvch
2 years, 3 months ago
This Keyvault could have been created before the deprecating of soft deletion optional enabling. There is a guide how to enable soft deletion for existing Keyvaults. https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-change Anyway, we already have some subscription because we already have Keyvault.
upvoted 2 times
binhdortmund
2 years, 5 months ago
From azure portal: "The ability to turn off soft delete via the Azure Portal has been deprecated. You can create a new key vault with soft delete off for a limited time using CLI / PowerShell / REST API. The ability to create a key vault with soft delete disabled will be fully deprecated by the end of the year."
upvoted 5 times
Pamban
2 years ago
Yes correct. according to below link https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-dedicated-clusters?tabs=cli explanation is follows Cluster creation triggers resource allocation and provisioning. This operation can take a few hours to complete. Dedicated cluster is billed once provisioned regardless data ingestion and it's recommended to prepare the deployment to expedite the provisioning and workspaces link to cluster. Verify the following: A list of initial workspace to be linked to cluster is identified You have permissions to subscription intended for the cluster and any workspace to be linked nothing to do with soft delete here
upvoted 3 times
6c01613
1 year, 3 months ago
Correct https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal
upvoted 1 times
Pamban
Highly Voted 1 year, 11 months ago
This question appeared on today's (20/06/23) exam. Selected below order. Scored 955. Should be correct! Cheers 1. Register the Azure subscription to allow cluster creation. 2. Create a Log Analytics cluster. 3. Grant permissions to the key vault. 4. Link the workspace.
upvoted 30 times
Inderpreet773
1 year, 11 months ago
@Pamban - Could you share other questions also and any lab related quiz? And how many from examtopics?
upvoted 2 times
tweezerman
Most Recent 3 months ago
My two pence: 1. Enable soft delete for the key vault - Required for customer-managed keys (CMK) in Azure 2. Create a Log Analytics cluster - You must create the cluster before assigning permissions 3. Grant permissions to the key vault - Now that the cluster exists, you can assign it permissions 4. Link the workspace - The final step is to connect the workspace to the encrypted cluster Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-dedicated-clusters?tabs=cli
upvoted 1 times
husam421
11 months ago
Given answer is correct https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview
upvoted 1 times
hajurbau
11 months ago
Soft Delete must be enabled as per microsoft link https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-dedicated-clusters?tabs=azure-portal The Azure Key Vault must be configured as recoverable, to protect your key and the access to your data in Azure Monitor. You can verify this configuration under properties in your Key Vault, both Soft delete and Purge protection should be enabled.
upvoted 1 times
hajurbau
12 months ago
Based on the Microsoft link https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal (Check the Storage encryption key section) The Azure Key Vault must be configured as recoverable, to protect your key and the access to your data in Azure Monitor. You can verify this configuration under properties in your Key Vault, both Soft delete and Purge protection should be enabled.
upvoted 1 times
zellck
2 years ago
1. Enable soft delete for key vault 2. Create log analytics cluster 3. Grant permissions to key vault 4. Link the workspace https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal#customer-managed-key-provisioning-steps - Creating Azure Key Vault and storing key - Creating cluster - Granting permissions to your Key Vault - Updating cluster with key identifier details - Linking workspaces https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal#storing-encryption-key-kek The Azure Key Vault must be configured as recoverable, to protect your key and the access to your data in Azure Monitor. You can verify this configuration under properties in your Key Vault, both Soft delete and Purge protection should be enabled.
upvoted 8 times
Asten
2 years ago
Answer is correct. Because Soft Delete is not default. You have to enable it at first.
upvoted 1 times
Fal991l
2 years, 2 months ago
GTP: Here are the four steps in sequence: Grant permissions to the key vault - c Register the Azure subscription to allow cluster creation - b Create a Log Analytics cluster - d Link the workspace to the key vault - a Explanation: To encrypt the Log Analytics workspace using the key1 encryption key in Azure Key Vault, you need to perform the following four steps: Grant permissions to the key vault: You need to grant the Log Analytics workspace access to the key1 encryption key in Azure Key Vault to be able to use it for encryption. Register the Azure subscription to allow cluster creation: You need to register your Azure subscription to allow the creation of a Log Analytics cluster. Create a Log Analytics cluster: You need to create a Log Analytics cluster in your Azure subscription. Link the workspace to the key vault: Once the Log Analytics cluster is created, you need to link it to the key1 encryption key in Azure Key Vault to enable encryption of data in the workspace.
upvoted 3 times
Fal991l
2 years, 2 months ago
GTP: You can switch the order of steps b and c, so the revised sequence of actions would be: Register the Azure subscription to allow cluster creation - b Grant permissions to the key vault - c Create a Log Analytics cluster - d Link the workspace to the key vault - a Explanation: You can first register your Azure subscription to allow the creation of a Log Analytics cluster and then grant permissions to the key vault. This order will not impact the outcome of the steps as both are independent of each other. So, you can switch the order of steps b and c based on your preference. After registering the Azure subscription and granting permissions to the key vault, you can create a Log Analytics cluster, and then link the workspace to the key vault to enable encryption of data in the workspace.
upvoted 1 times
Fal991l
2 years, 2 months ago
Bing: To encrypt a Log Analytics workspace by using an encryption key named key1 stored in an Azure Key Vault, you should perform the following actions in sequence: Register the Azure subscription to allow cluster creation (b) Create a Log Analytics cluster (d) Grant permissions to the key vault (c) Link the workspace (a) Note that these actions should be performed in the correct order to achieve the desired result.
upvoted 1 times
nakedsun
1 year, 10 months ago
Pasting in LLM answers from ChatGPT etc is really dumb if you are just copy and pasting the exam question as a prompt, because they will have ingested the contents of this website and there is a good chance it is just feeding back comments on here from 6 months ago. Better results would be from using a prompt that isn't a copy and paste of the exam question, so there is a better chance it pulls from MS documentation rather than internet comments.
upvoted 2 times
AlexeyG
2 years, 3 months ago
got this in 02 March 2023 exams. scored 870 marks.
upvoted 3 times
nikipediaa
2 years, 3 months ago
Got this Feb 2023
upvoted 3 times
Ev3rtao
2 years, 6 months ago
What's the relevance of soft delete here? It doesn't mention the type of key we are using.
upvoted 4 times
syu31svc
2 years, 9 months ago
Answer is correct and explanation provided supports it
upvoted 3 times
pdk88
2 years, 8 months ago
Agreed upon that, answer is correct Creating Azure Key Vault and storing key(*) Creating cluster Granting permissions to your Key Vault (Updating cluster with key identifier details --> not given in answer) Linking workspaces (*)"You can verify this configuration under properties in your Key Vault, both Soft delete and Purge protection should be enabled." https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal#customer-managed-key-provisioning-steps. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal#storing-encryption-key-kek
upvoted 3 times