User1 - has ownership at subscription level therefore has access to the control plane of the key vault but not to the data plane. therefore User1 can manage RBAC permissions but cannot create/access keys or secrets (unless bthey can grant themself 'Key Administrator' access and do this, which again does not show up in this RBACs listed so we cannot assume that) - Therefore User1 has not access to the keys or secrets in this vault User2 - Is a Key VAult Crypto officer for the KeyVault1. so according to this:https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations , they can manage keys (but not access secrets or manage permissions) User3 - Is a Secrets officer for the KeyVault1 scope. they can access secrets data in this key vault User4 - Here's a tricky one. while they are indeed given 'Key Vault Administrator', notice the scope is set to "../KeyVault1/Keys/Key1". So they should only be able to work with that key. Therefore, I believe the answer is: 1st box - Only User2 2nd box - Only User3

1. Only User2 2. Only User3 https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner DataActions: none https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-crypto-officer Perform any action on the keys of a key vault, except manage permissions. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-secrets-officer Perform any action on the secrets of a key vault, except manage permissions. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-administrator Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments.

1. Can create keys in a key vault - user1, user2, and user4 2. Can create secrets in a key vault - user1, user3, and user4

User1 - has ownership at subscription level therefore has access to the control plane of the key vault but not to the data plane. therefore User1 can manage RBAC permissions but cannot create/access keys or secrets (unless bthey can grant themself 'Key Administrator' access and do this, which again does not show up in this RBACs listed so we cannot assume that) - Therefore User1 has not access to the keys or secrets in this vault User2 - Is a Key VAult Crypto officer for the KeyVault1. so according to this:https://learn.microsoft.com/en- us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane- operations , they can manage keys (but not access secrets or manage permissions) User3 - Is a Secrets officer for the KeyVault1 scope. they can access secrets data in this key vault User4 - Here's a tricky one. while they are indeed given 'Key Vault Administrator', notice the scope is set to "../KeyVault1/Keys/Key1". So they should only be able to work with that key. 1st box - Only User2 2nd box - Only User3

How can I generate keys without access policies?

Key Vault Crypto Officer : Perform any action on the keys of a key vault, except manage permissions. Key Vault Secrets Officer : Perform any action on the secrets of a key vault, except manage permissions

>OWNER CAN PERFORM ANY OPERTIONS FROM MICROSOFT: >Key Vault Administrator Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. >Key Vault Secrets Officer Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. >Key Vault Crypto Officer Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.

Ist Box - Only User 2 "nd Box - Only User 3 https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

I agree with Koreshio 1st box - Only User2 2nd box - Only User3

in exam 26/05

1st box - Only User2 2st box - Only User 3 and 4 permissions that are granted to users with the Key Vault Administrator role: Create, delete, and manage keys, secrets, and certificates. Manage key vault policies. Manage key vault access control. Manage key vault audit logs. permissions that are granted to users with the Key Vault Crypto Officer role: Create, import, export, rotate, and delete keys. Manage key permissions. Audit key activity. permissions that are granted to users with the Key Vault Secrets Officer role: Create, update, delete, and list secrets. Recover deleted secrets. Manage secret permissions. Audit secret activity.

Can create keys - Only User2 Can create secrets - Only User3

Rights differ when using RBAC vs Policy based. Oddly enough when using policy based, an owner can create key, secrets, ... This is NOT the case when using RBAC since owner doesn't have any DataActions at all listed under his role definition. Seen that we see role assigments we have to assumed we're in RBAC mode, hence the Owner can't do sh... and cannot create keys or secrets. This gives us: can create keys in the key vault: User2 (Keyvault Crypto officer for keys ); Key Vault Administrator (User4) perm is set on a specific key, not at the vault1 level so he can't do anything at the vault since the delegation was done on a specific key. can create secrets in the key vault: User3 (Key Vault Secrets Officer); scoping for KV Admin is set on a single existing key so doesn't apply to the vault, hence it's useless Hope this clarifies all your doubts.

Box 1: Only User2 Box 2: Only User3 User1: To create key/secret, you as owner still need to assign yourself the Key Vault Admin role even though you're an Owner of the Azure Key Vault. For the Key Vault Administrator role, you'll see that you have some Management Plan operations but you'll also have Data Plane operations. Reference Should a Key Vault Owner be able to create/read/update Secrets after changing to RBAC? https://learn.microsoft.com/en-us/answers/questions/432805/should-a-key-vault-owner-be-able-to-create-read-up

Box1: User1 and User 2 Box2: User1 and User3 Explanations: User1: Owner of the subscription. User1 "can" create keys and secrets in the key vault. User1: Owner of the subscription. User1 "can" create keys in the key vault. User2: Key Vault Crypto Officer for KeyVault1. User2 can manage keys but not secrets User3: Key Vault Secrets Officer for KeyVault1. User3 can manage secrets but not keys User4: Key Vault Administrator for Key1 in ./KeyVault1/keys/. User4 only has control over one existing key. User4 cannot create either a key or a secret.

Both answers are correct. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

Role assignment for user4 is scoped to a particular key in the key vault. Not sure whether we have to take it into consideration or not.