Exam AZ-500 topic 4 question 91 discussion

I think it should be B: Key Vault Crypto User "Microsoft.KeyVault/vaults/keys/read", "Microsoft.KeyVault/vaults/keys/update/action", "Microsoft.KeyVault/vaults/keys/backup/action", "Microsoft.KeyVault/vaults/keys/encrypt/action", "Microsoft.KeyVault/vaults/keys/decrypt/action", "Microsoft.KeyVault/vaults/keys/wrap/action", "Microsoft.KeyVault/vaults/keys/unwrap/action", "Microsoft.KeyVault/vaults/keys/sign/action", "Microsoft.KeyVault/vaults/keys/verify/action"

Why not Key Vault Crypto Service Encryption User "dataActions": [ "Microsoft.KeyVault/vaults/keys/read", List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. "Microsoft.KeyVault/vaults/keys/wrap/action", Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access.javascript:void(0) "Microsoft.KeyVault/vaults/keys/unwrap/action" Unwraps a symmetric key with a Key Vault key.

A. Key Vault Crypto Service Encryption User https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations

To support the answer: Key Vault Crypto Service Encryption User role provides get, list, wrap, and unwrap access to keys in Azure Key Vault6. Specifically, this role allows: Reading metadata of keys Listing keys in the specified vault Performing wrap operations Performing unwrap operations Answer: A

Answer is D. 1-Key vault Crypto Service Encryption user only has permission for wrap and unwrap, read keys (list) but can not get keys . 2-Key Vault crypto user- can have permission, sign, verify, read (list),encrpt,decrypt,backup,update but can not get keys. 3-Key vault reader, can read key(list) 4- Is the answer and most excessive permission I know question asks least privilidge but other roles does not have enough permission for list,get,wrap,unwrap operations

Both A and B can meet the required permissions, but B's permission is more than that. As the principle of least privilege is needed, A is the best answer here. Detail RBAC here: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

The Key Vault Crypto Service Encryption User role allows the user to read metadata of keys and perform wrap/unwrap operations. This role is typically used when your application needs to use ASP.NET Core Data Protection with Key Vault keys. On the other hand, the Key Vault Crypto User role allows more access to operations for keys, such as data signing. This role is typically used when more access to operations is needed for keys. In terms of the specific permissions of Get/List/Wrap/Unwrap, both roles should be able to perform these operations. However, the Key Vault Crypto User role might have additional permissions that go beyond these specific ones.

Vault Crypto Service Encryption User: "Microsoft.KeyVault/vaults/keys/read", "Microsoft.KeyVault/vaults/keys/wrap/action", "Microsoft.KeyVault/vaults/keys/unwrap/action"

A. Key Vault Crypto Service Encryption User

While following principle of least privilege, Key Vault Crypto Service Encryption User (A) is the best fit. Key Vault Crypto Service Encryption User (Option A): Capabilities: Get: Can retrieve encryption-related information. List: Can list encryption-related information. Wrap: Can encrypt keys. Unwrap: Can decrypt keys. Whereas, Key Vault Crypto User and Key Vault Crypto Officer have the extra capabilities excluding the ones mentioned above: Key Vault Crypto User (Option B): Additional Capabilities: Purge: Can permanently delete keys. This action is irreversible. Recover: Can recover deleted keys within the retention period. Key Vault Crypto Officer (Option D): Additional Capabilities: Create: Can create new keys. Purge: Can permanently delete keys. This action is irreversible. Recover: Can recover deleted keys within the retention period.

Answer should A https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#:~:text=Key%20Vault%20Crypto%20Service%20Encryption%20User

I don't know how the voting messed up, but it is really C. On an exam on 7/8/23

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-crypto-service-encryption-user Description: "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model."

A. Key Vault Crypto Service Encryption User

A is the answer. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-crypto-service-encryption-user - Read metadata of keys and perform wrap/unwrap operations.

Answer: "A" Name: "Key Vault Crypto Service Encryption User", Id: "e147488a-f6f5-4113-8e2d-b22465e65bf6", IsCustom: false, Description: "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model."

The correct answer i A Look the detail: https://www.azadvertizer.net/azrolesadvertizer/e147488a-f6f5-4113-8e2d-b22465e65bf6.html The Crypto users have too many permissions