Exam AZ-500 topic 3 question 62 discussion

Actual exam question from Microsoft's AZ-500
Question #: 62
Topic #: 3

HOTSPOT -
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant. The tenant contains the users shown in the following table.

You have an Azure key vault named Vault1 that has Purge protection set to Disable. Vault1 contains the access policies shown in the following table.

You create role assignments for Vault1 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: No -
Enabling purge protection changes a property of the vault resource itself, so it needs the management-plane action Microsoft.KeyVault/vaults/write on Vault1. User1 holds only the Security Admin role and has no assignment on Vault1 that grants that action. Security Admin is a Microsoft Defender for Cloud (formerly Security Center) role: it has the same permissions as Security Reader and can additionally update the security policy and dismiss alerts and recommendations. It grants nothing under Microsoft.KeyVault. A Key Vault access policy would not help either: access policies grant data-plane rights to keys, secrets and certificates, not the right to change vault settings.
Note that purge protection can be turned on for an existing vault that currently has it disabled; what cannot be done is turning it off again once it has been enabled.

Box 2: No -
Changing the Vault1 firewall (the vault's network ACLs) is also a write to the vault resource, Microsoft.KeyVault/vaults/write. User2 holds Network Contributor and Key Vault Reader, plus an access policy with all key, secret and certificate permissions. Network Contributor lets you manage Microsoft.Network resources (virtual networks, subnets, network security groups) but does not cover the network settings of a key vault, which live under Microsoft.KeyVault; Key Vault Reader grants read actions only; and the access policy is data-plane only. None of the three grants vaults/write, so User2 cannot change the firewall.

Box 3: Yes -
User3 is a Key Vault Contributor and a User Access Administrator on Vault1. Adding an access policy is a management-plane write to the vault resource (Microsoft.KeyVault/vaults/accessPolicies/write), which Key Vault Contributor grants through Microsoft.KeyVault/*. The role's documented limitations do not apply here: it cannot assign Azure RBAC roles and it cannot read secrets, keys or certificates, but adding an access policy is neither of those. User Access Administrator would additionally let User3 assign Azure roles on the vault, which this statement does not require.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor
https://charbelnemnom.com/enable-purge-protection-key-vault-azure-policy/
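All three verdicts come down to one question: does any role assigned to the user have an Actions pattern that covers the control-plane operation, not subtracted by that same role's NotActions? The script below is added here as an illustration; it is not part of the exam page and not Microsoft tooling. It models Azure RBAC evaluation (wildcard Actions minus the same role's NotActions) over abridged copies of the published built-in role definitions and the assignments the page describes. The assignments, the resource-group placeholder in the comments, and the abridgement of the role definitions are assumptions for the example. Data-plane access policies are deliberately left out because they grant no rights over vault settings.

```python
"""Azure RBAC management-plane check for the three Vault1 statements.

Added illustration, not part of the exam page or of any Microsoft tooling.
Role definitions are abridged from Microsoft's published built-in role
definitions (only the Actions/NotActions that matter here are kept; DataActions
are omitted). The assignments mirror the page's description of User1..User3 and
are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple            # Actions: patterns the role allows
    not_actions: tuple = ()   # NotActions: subtracted from this role's Actions only


BUILT_IN_ROLES = {
    "Security Admin": RoleDefinition(
        "Security Admin",
        ("Microsoft.Security/*",
         "Microsoft.Authorization/policyAssignments/*",
         "Microsoft.Resources/subscriptions/resourceGroups/read",
         "Microsoft.Support/*"),
    ),
    "Network Contributor": RoleDefinition(
        "Network Contributor",
        ("Microsoft.Network/*",
         "Microsoft.Authorization/*/read",
         "Microsoft.Resources/deployments/*",
         "Microsoft.Resources/subscriptions/resourceGroups/read"),
    ),
    "Key Vault Reader": RoleDefinition(
        "Key Vault Reader",
        ("Microsoft.KeyVault/vaults/*/read",
         "Microsoft.KeyVault/locations/*/read",
         "Microsoft.KeyVault/deletedVaults/read",
         "Microsoft.KeyVault/checkNameAvailability/read",
         "Microsoft.Authorization/*/read",
         "Microsoft.Resources/subscriptions/resourceGroups/read"),
    ),
    "Key Vault Contributor": RoleDefinition(
        "Key Vault Contributor",
        ("Microsoft.KeyVault/*",
         "*/read",
         "Microsoft.Authorization/*/read",
         "Microsoft.Resources/deployments/*"),
        ("Microsoft.KeyVault/locations/deletedVaults/purge/action",
         "Microsoft.KeyVault/hsmPools/*",
         "Microsoft.KeyVault/managedHsms/*"),
    ),
    "User Access Administrator": RoleDefinition(
        "User Access Administrator",
        ("*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"),
    ),
}

# Control-plane action each statement needs. The CLI call that performs it is
# noted for reference; "<rg>" is a placeholder for the vault's resource group.
OPERATIONS = {
    # az keyvault update --name Vault1 --resource-group <rg> --enable-purge-protection true
    "Box 1: enable purge protection": "Microsoft.KeyVault/vaults/write",
    # az keyvault network-rule add --name Vault1 --ip-address 203.0.113.0/24
    "Box 2: change the vault firewall": "Microsoft.KeyVault/vaults/write",
    # az keyvault set-policy --name Vault1 --upn <user> --secret-permissions get list
    "Box 3: add an access policy": "Microsoft.KeyVault/vaults/accessPolicies/write",
}

# Constructed to match the page's description of the three users.
ASSIGNMENTS = {
    "User1": ("Security Admin",),
    "User2": ("Network Contributor", "Key Vault Reader"),
    "User3": ("Key Vault Contributor", "User Access Administrator"),
}


def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' stands for any run of characters,
    including '/', and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_grants(role: RoleDefinition, operation: str) -> bool:
    """A role grants an operation when it matches an Actions pattern and no
    NotActions pattern of the same role. NotActions is not a deny: it only
    narrows this role, so another assigned role can still grant the operation."""
    if any(matches(p, operation) for p in role.not_actions):
        return False
    return any(matches(p, operation) for p in role.actions)


def granting_role(role_names, operation: str):
    """Return the first assigned role that grants the operation, else None."""
    for name in role_names:
        if role_grants(BUILT_IN_ROLES[name], operation):
            return name
    return None


def evaluate_statements():
    """Map each statement to (user, granting role or None, 'Yes'/'No')."""
    result = {}
    for (label, action), user in zip(OPERATIONS.items(), ("User1", "User2", "User3")):
        role = granting_role(ASSIGNMENTS[user], action)
        result[label] = (user, role, "Yes" if role else "No")
    return result


if __name__ == "__main__":
    for label, (user, role, verdict) in evaluate_statements().items():
        why = f"granted by {role}" if role else "no assigned role grants the action"
        print(f"{label}: {user} -> {verdict} ({why})")
```

Running it prints No, No, Yes with the role that decided each case. The NotActions handling matters for the purge case the comments raise: Key Vault Contributor's Microsoft.KeyVault/* does not extend to purging a soft-deleted vault, because that action is listed in its NotActions, while the same pattern does cover accessPolicies/write.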

Comments

juandmi
Highly Voted 2 years, 3 months ago
Tested with the following results:
A: No. Security Admin cannot manage key vault properties https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#security-admin
B: No. Network Contributor or Key Vault Reader cannot change the key vault firewall https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor
C: YES. Key Vault Contributor can do that https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor
Note: "does not allow you to assign roles" - but here the question is to add access policies, which works.
upvoted 32 times
sigvast
1 year, 10 months ago
Agree, but for A the user role doesn't matter anyway because purge protection cannot be changed after the vault creation.
upvoted 4 times
KvE90093
Most Recent 10 months, 2 weeks ago
A: NO, even if the user is in Group1, the inherited permission cannot enable purge protection. The purge permission allows purging/deleting soft-deleted items, but not changing configuration settings such as purge protection.
upvoted 1 times
JaridB
1 year ago
B: NO - These roles allow the configuration of Key Vault firewall rules, including setting up network rules that restrict access to the vault based on IP addresses or virtual network settings. The Key Vault Contributor role enables a user to manage various Key Vault properties, including its networking and firewall configurations, which are essential for defining who can access the vault. The Azure Network Contributor role does not have the permissions necessary to configure firewall and virtual network settings for an Azure Key Vault. This role primarily allows for managing networking resources such as subnets, virtual networks, and routing tables, but does not extend to managing the security and network configuration of Key Vaults.
upvoted 1 times
wardy1983
1 year, 6 months ago
Box 1: No - Resource Policy Contributor or Security Administrator is required. User1 is Security Administrator only, with no specific permission granted to Vault1. The Security Admin can view and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.
Box 2: No - Network Contributor or Key Vault Reader cannot change the key vault firewall https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-role
Box 3: Yes - User3 is a Key Vault Contributor and a User Access Administrator for Vault.
upvoted 3 times
JunetGoyal
1 year, 6 months ago
Note: When it comes to some resources in Azure, overall RBAC does not apply to them. You need to give explicit permission to these resources. For example, Key Vault in this question. User 1 (Security Admin) will work for the rest of the other resources but not for KV. The same applies to user 2. So my answer is N, N, Y.
upvoted 2 times
Strifelife
1 year, 9 months ago
no,no,yes had to check from ChatGPT just to make sure.
upvoted 3 times
majstor86
2 years, 2 months ago
NO NO YES
upvoted 4 times
Diallo18
2 years, 6 months ago
In Exam 10/18/2022. One case study(6 ques), no lab.
upvoted 3 times
Kelly8023
2 years, 6 months ago
Answers are correct.
upvoted 2 times
joanjcanals
2 years, 7 months ago
2nd statement is wrong: because the user does not have authorization to perform action 'Microsoft.KeyVault/vaults/write'.
upvoted 4 times
Amit3
2 years, 7 months ago
It's only talking about firewall and network, not writing anything to the key vault.
upvoted 2 times