Exam AZ-500 topic 5 question 58 discussion

I thought that it would be Yes No No Box1: Yes Admin1 is Key Vault Contributor on KeyVault1, in which has 10 days to retain deleted vaults, and Key1 from KeyVault1 was deleted on Jun 1st. Hence on Jun 5th, Admin1 can recover Key1 Box2: No On Jun 1st, secret1 has already been deleted. Hence it cannot be purged again on Jun 12th Box3: No KeyVault1 has 10 days to retain deleted vaults, and Key1 from KeyVault1 was deleted on Jun 1st. Hence on Jun 17th it cannot be recovered

Y - within 10 days N - purge protection enabled so no, also Secrets officer has not enough permission N - more than 15 days have passed, so already deleted and not possible to recover anymore

YYN: Box 2: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#:~:text=Key%20Vault%20Secrets%20Officer,access%20control%27%20permission%20model.

No - Key vault Contributor could recover deleted key vaults (management plane) but not deleted secrets within a key vault (data plane) No - purging keys requires an explicit permission which is not part of any predefined role No - protection period is over

For Azure Key vault by Default Soft delete is enabled, for the first statement Admin1 has Key Vault contributor role which is for management plane that is why this role is not enough for recover key from vault, answer is No for the first option. Admin2 is officer he/she can do whatever wants and here purge protection is disabled that is why Admin2 will be abele to purge but if it would be enabled then this would be No as well, however now this is Yes for option 2. For the option 3rd we have Admin3 who is Key Vault Admin and can work with data plane operations, admin3 recover keys until 11th of June as retention is 10 days and we have deleted on June 1 so this will be the NO as well. All in all, answer is No, Yes, No.

Y N N Helpdesk Administrator Can reset passwords for non-administrators and Helpdesk Administrators. Password Administrator Can reset passwords for non-administrators and Password Administrators.

By default Soft delete is enabled 1. No : The key1 is still in the recyvcle bin but Admin1 is Key vault Contributor (Perform only management operations and can't manage permissions) he can't recover the key 2. Yes, the Secret1 is still in the recycle bin, Admin2 is Key Vault Secret Officers (can manage all data operation about secrets) and Purge protection is disabled so yes he can delete the secret, if purge protection was enabled on key Vault2, he will not be able to purge the secrets 3. Key1 is no more in the recycle bin because the period of retention was only 10 days after the deletion and we are at the 17 of June, so nobody can recover this key at this date

NO NO NO The Key Vault Contributor role is for management plane operations only to manage key vaults. It does not allow access to keys, secrets and certificates.

You're all wrong. Box 1: No Key Vault Contributor does NOT have data plane permissions. Box 2: Yes Purge protection is disabled. Box 3: No Retention period has passed. Retention period applies to BOTH the vault and the objects.

NO YES NO 1- Key Vault Contributor has only permissions on management plane not data plane 2- secret officer has total control on secrets. Do not confuse with "to purge we need an elevation of permissions", it is true but it is for access policy model. We are in RBAC model 3- It is already deleted, nothing to recover

Explanation: Box1: Yes Admin1 is Key Vault Contributor on KeyVault1, in which has 10 days to retain deleted vaults, and Key1 from KeyVault1 was deleted on Jun 1st. Hence on Jun 5th, Admin1 can recover Key1 Box2: No On Jun 1st, secret1 has already been deleted. Hence it cannot be purged again on Jun 12th Box3: No KeyVault1 has 10 days to retain deleted vaults, and Key1 from KeyVault1 was deleted on Jun 1st. Hence on Jun 17th it cannot be recovered

Key Vault Contributor Lets you manage key vaults, but not access to them. 1st option NO Key Vault Secrets Officer Perform any action on the secrets of a key vault, except manage permissions. it's within the timeframe so Yes (tested in lab Key Vault Secrets Officer can recover secrets only) Key Key Vault Administrator Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets Purge protection keeps the key in recovery state for 90 days (tested in lab) so Yes

Tested it And Result is: NO YES NO. While testing make sure only mentioned role you assign not less not more.

YNN, 2nd box is No cuz no enough permissions to do purge

1. When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). 2. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. Therefore the third option is Yes. The key can be recovered for 90 days. The question says that key1 was deleted. Not that it was purged after the purge protection period. https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview

y, y, n is correct Admin 1 can recover KEY 1 on June 5 because they are a KEY VAULT CONTRIBUTOR, who is allowed to recover keys, and the date falls within the 10 day retention period for that KEY VAULT1. Admin 2 can PURGE Secret1 on June 12 from KEY VAULT2 because the secret will still be in SOFT-DELETE state until June 15. The retention period for it is 15 days. To PURGE is not to DELETE. Delete is deleting the secret from the key vault and putting it in SOFT-DELETE state. Purging is equivalent to emptying a recycle bin in Windows. A KEY VAULT SECRETS OFFICER can delete and purge secrets. Admin 3, although a KEY VAULT ADMIN, cannot recover KEY1 on June 17th because it is past the 10 day Retention period for for Key Vault1.

Y - within 10 days N - purge protection enabled so no, also Secrets officer has not enough permission N - more than 15 days have passed, so already deleted and not possible to recover anymore