Exam AZ-500 topic 5 question 19 discussion

Actual exam question from Microsoft's AZ-500
Question #: 19
Topic #: 5

You have an Azure subscription that contains an Azure key vault named Vault1.
In Vault1, you create a secret named Secret1.
An application developer registers an application in Azure Active Directory (Azure AD).
You need to ensure that the application can use Secret1.
What should you do?

  • A. In Azure AD, create a role.
  • B. In Azure Key Vault, create a key.
  • C. In Azure Key Vault, create an access policy.
  • D. In Azure AD, enable Azure AD Application Proxy.
Suggested Answer: C

Comments

Oz
Highly Voted 5 years, 7 months ago
Ref: https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app
The correct answer is "set access policy" to the managed identity that the app will use. Example:

    az keyvault set-policy --name '<YourKeyVaultName>' --object-id <PrincipalId> --secret-permissions get list

This command gives the identity (MSI) of the app service permission to do get and list operations on your key vault.
upvoted 100 times
...
gfhbox0083
Highly Voted 5 years ago
C, for sure. Access Policy for Azure KeyVault
upvoted 36 times
...
xRiot007
Most Recent 11 months, 2 weeks ago
Your app has to use an identity. On the identity you need an access policy that you will have to create. The answer is C
upvoted 1 times
...
Ginairo214
1 year, 6 months ago
The answer should be A. Though both A and C answers will work, see the link below. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration
upvoted 3 times
nExoR
11 months, 1 week ago
Would be, but it says 'create a role' while you could use an existing one. The question is not about RBAC vs policy... it's probably outdated, but still C would be the better answer.
upvoted 1 times
...
bxlin
1 year, 1 month ago
Correct. RBAC would be preferred. C also works.
upvoted 1 times
...
...
wardy1983
1 year, 8 months ago
Azure role is needed for the Management plane through RBAC (Key Vault). Access to the Data plane (secrets reside in Data plane) is through access policy.
upvoted 1 times
...
ESAJRR
1 year, 10 months ago
Selected Answer: C
C. In Azure Key Vault, create an access policy.
upvoted 1 times
...
WinXPert
2 years, 4 months ago
The answer is A, because you don't create an access policy in Azure Key Vault.
upvoted 1 times
LonDonMagic
2 years, 2 months ago
To create an access policy in Azure Key Vault, follow these steps:
  1. Open the Azure Key Vault in the Azure portal.
  2. Click on the "Access policies" link in the left-hand menu.
  3. Click on the "+ Add Access Policy" button.
  4. In the "Configure from template" section, select the appropriate template based on the type of access you want to grant to the application.
  5. In the "Select principal" section, search for and select the Azure AD application that you want to grant access to.
  6. In the "Secret permissions" section, select the permissions that you want to grant to the application, such as "Get" or "List".
  7. Click the "Add" button to save the access policy.
After you create the access policy, the application will be able to authenticate with Azure AD and retrieve the Secret1 from the Azure Key Vault.
upvoted 5 times
...
...
majstor86
2 years, 4 months ago
Selected Answer: C
C. In Azure Key Vault, create an access policy.
upvoted 2 times
...
OrangeSG
2 years, 5 months ago
Selected Answer: C
"To grant an application access to use keys in a key vault, you grant data plane access by using Azure RBAC or a Key Vault access policy." Both RBAC and access policy are valid options. But access policy can be more fine-grained; refer to the Access policy screenshot. So I would go for C.
upvoted 2 times
Nian
2 years, 4 months ago
Actually, RBAC for Key Vault can control data plane access scoped to individual keys now, so it offers the same fine-grained control. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration
upvoted 1 times
...
...
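The two data-plane options debated in the comments above, as an added example that is not part of the original thread: the script checks which permission model the vault uses and grants the application read access to Secret1 in that model. The function names and the application ID argument are hypothetical; it assumes a logged-in Azure CLI recent enough that `az ad sp show` returns the object ID as `id`.

```shell
# Added example (not from the thread). Vault1/Secret1 are the names used in
# the question; the application (client) ID is a placeholder you supply.

# Prints "rbac" if the vault uses Azure RBAC for the data plane, else "policy".
# When RBAC is enabled, vault access policies are not evaluated.
vault_permission_model() {
  rbac=$(az keyvault show --name "$1" \
           --query properties.enableRbacAuthorization -o json) || return 1
  if [ "$rbac" = "true" ]; then echo rbac; else echo policy; fi
}

# grant_secret_read <vault> <secret> <application-client-id>
grant_secret_read() {
  vault="$1"; secret="$2"; app_id="$3"
  model=$(vault_permission_model "$vault") || return 1
  if [ "$model" = "policy" ]; then
    # Access policies apply to every secret in the vault, so grant only
    # 'get' and leave out list/set/delete.
    az keyvault set-policy --name "$vault" --spn "$app_id" \
      --secret-permissions get
  else
    # RBAC model: assign the built-in reader role to the app's service
    # principal, scoped to the single secret rather than the whole vault.
    sp_oid=$(az ad sp show --id "$app_id" --query id -o tsv) || return 1
    vault_id=$(az keyvault show --name "$vault" --query id -o tsv) || return 1
    az role assignment create --role "Key Vault Secrets User" \
      --assignee-object-id "$sp_oid" \
      --assignee-principal-type ServicePrincipal \
      --scope "$vault_id/secrets/$secret"
  fi
}

# Usage (placeholder application ID):
#   grant_secret_read Vault1 Secret1 "<application-client-id>"
```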
ltjones12
2 years, 6 months ago
Selected Answer: C
C 100%
upvoted 1 times
...
fonte
2 years, 6 months ago
Selected Answer: C
If you have already registered the app (as it mentions in the question) then you automatically have a managed identity. So you don't need to create an Azure AD role... at most you could use that managed identity to grant RBAC access to the secret (if it's an RBAC kv). So C is the correct answer.
upvoted 2 times
...
F117A_Stealth
2 years, 8 months ago
Selected Answer: C
Access policy
upvoted 1 times
...
Muaamar_Alsayyad
2 years, 8 months ago
Selected Answer: C
Access policy
upvoted 1 times
...
Amit3
2 years, 9 months ago
# In Exam 01-Oct-2022, I selected C Access Policy.
upvoted 4 times
...
JakeCallham
2 years, 9 months ago
Selected Answer: A
A for sure, as soon as you enable system assigned identity or user assigned identity, you can add these in the access policy of a keyvault.
upvoted 1 times
achechen
1 year ago
But you would create a role assignment, not a role.
upvoted 1 times
...
...
MoFami
3 years ago
On exam 01 July 2022
upvoted 3 times
...