Exam AZ-203 topic 8 question 4 discussion

Actual exam question from Microsoft's AZ-203
Question #: 4
Topic #: 8

You need to ensure the security policies are met.
What code do you add at line CS07?

  • A. -PermissionsToCertificates create, encrypt, decrypt
  • B. -PermissionsToKeys wrapkey, unwrapkey, get
  • C. -PermissionsToCertificates wrapkey, unwrapkey, get
  • D. -PermissionsToKeys create, encrypt, decrypt
Suggested Answer: A
Scenario: All certificates and secrets used to secure data must be stored in Azure Key Vault.
You must adhere to the principle of least privilege and provide privileges which are essential to perform the intended function.
The Set-AzureRmKeyVaultAccessPolicy parameter -PermissionsToKeys specifies an array of key operation permissions to grant to a user or service principal.
The acceptable values for this parameter are: decrypt, encrypt, unwrapKey, wrapKey, verify, sign, get, list, update, create, import, delete, backup, restore, recover, purge.
Incorrect Answers:
A, C: The Set-AzureRmKeyVaultAccessPolicy parameter -PermissionsToCertificates specifies an array of certificate permissions to grant to a user or service principal. The acceptable values for this parameter are: get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge, backup, restore.
References:
https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurermkeyvaultaccesspolicy

Comments

JaQua
Highly Voted 5 years, 3 months ago
B is correct. See https://docs.microsoft.com/en-us/powershell/module/azurerm.storage/set-azurermstorageaccount?view=azurermps-6.13.0#examples example 5
upvoted 40 times
...
Regimiento
Highly Voted 5 years, 6 months ago
Indeed, A and C are not correct. Both B and D are valid, but B has less rights, therefore I would say that B is the correct answer.
upvoted 22 times
...
Jay1987
Most Recent 4 years, 5 months ago
B
PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName "MyKeyVault" -ObjectId $account.Identity.PrincipalId -PermissionsToKeys wrapkey,unwrapkey,get

Set-AzureRmStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount" -AssignIdentity
$account = Get-AzureRmStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount"
$keyVault = New-AzureRmKeyVault -VaultName "MyKeyVault" -ResourceGroupName "MyResourceGroup" -Location "EastUS2"
$key = Add-AzureKeyVaultKey -VaultName "MyKeyVault" -Name "MyKey" -Destination 'Software'
Set-AzureRmKeyVaultAccessPolicy -VaultName "MyKeyVault" -ObjectId $account.Identity.PrincipalId -PermissionsToKeys wrapkey,unwrapkey,get
Set-AzureRmStorageAccount -ResourceGroupName "MyResourceGroup" -AccountName "mystorageaccount" -KeyvaultEncryption -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $keyVault.VaultUri
upvoted 3 times
...
Doshibu
4 years, 9 months ago
https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurermkeyvaultaccesspolicy?view=azurermps-6.13.0#description
-PermissionsToCertificates "DO NOT" allow those options. There is no debate. Yet, -PermissionsToKeys "DO" allow wrapkey, unwrapkey, get.
Strange... Suggested Answer = A // Incorrect Answers include A... Next question...
upvoted 2 times
...
031920
4 years, 10 months ago
JaQua is correct.
PS C:\>Set-AzureRmKeyVaultAccessPolicy -VaultName "MyKeyVault" -ObjectId $account.Identity.PrincipalId -PermissionsToKeys wrapkey,unwrapkey,get
upvoted 2 times
...
hertino
4 years, 10 months ago
Today I got 900, I had this question, my answer: PermissionsToCertificates create, encrypt, decrypt
upvoted 9 times
maver9ck
4 years, 7 months ago
Possibly one of your missed answers :D
upvoted 10 times
...
...
nikos2001
4 years, 12 months ago
B
Set-AzKeyVaultAccessPolicy `
    -VaultName $keyVault.VaultName `
    -ObjectId $storageAccount.Identity.PrincipalId `
    -PermissionsToKeys wrapkey,unwrapkey,get
https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-powershell
upvoted 3 times
Juanlu
4 years, 3 months ago
I Agree !
upvoted 1 times
...
...
AK89
5 years, 1 month ago
Correct Answer is B
upvoted 4 times
...
Khang
5 years, 4 months ago
B is correct answer.
upvoted 21 times
...
PraPat
5 years, 6 months ago
encrypt, decrypt options available with -PermissionsToKeys only hence Correct Ans: D
upvoted 4 times
...
shanky_007
5 years, 6 months ago
Correct Ans: D. -PermissionsToKeys create, encrypt, decrypt
upvoted 8 times
...
IrfanSheikh
5 years, 7 months ago
According to the link the answer can be only for setting permission for Keys as it contains Create, Encrypt, Decrypt, Wrapkey and unwrapKey. The values given for certificate policy are incorrect.
upvoted 3 times
...