D is correct and needed, so the correct answer should be D

Correct answer is C. This is the task to retreive Keyvault secrets to use in following tasks

Option D, adding Azure Key Vault references to Azure Resource Manager templates, is a valid approach for securely accessing credentials and other sensitive information in your infrastructure deployment. However, it is more focused on managing secrets within your infrastructure code rather than in your CI/CD pipeline. For the specific scenario of minimizing the likelihood of infrastructure credentials being leaked in an Azure DevOps pipeline, using an Azure Key Vault task directly in the pipeline (Option C) is a more direct and secure approach. This allows you to retrieve secrets from Azure Key Vault at runtime without exposing them in your pipeline configuration. So the ANS is C

By using an Azure Key Vault task in your pipeline, you can retrieve secrets during runtime without exposing them in your code or configuration files.

The question is referring to infrastructure credentials. Instead of putting a secure value (like a password) directly in your template or parameter file, you can retrieve the value from an Azure Key Vault during a deployment. You retrieve the value by referencing the key vault and secret in your parameter file. The value is never exposed because you only reference its key vault ID. https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli

C. Add an Azure Key Vault task to the pipeline.

C. Add an Azure Key Vault task to the pipeline. By using Azure Key Vault tasks, you can securely store and retrieve secrets in Azure Key Vault during your build or release process, reducing the exposure of sensitive information like credentials in your pipelines. Option D (Add Azure Key Vault references to Azure Resource Manager templates) is also a good practice, but it may not directly address the concern of credentials leaking during the pipeline execution. It's more about securely referencing secrets during infrastructure deployment. Therefore, the correct answer is C

I think C as this task is only for reteiving passwords securly. Can be done with D as well but for C is better choice

D as it is more secure than KV task:"The task can be used to fetch the latest values of all or a subset of secrets from the vault and set them as variables that can be used in subsequent tasks of a pipeline. " With ARM template/parameter file a particular KV secret is referred and that KV secret value is only "visible" for that particular ARM or AzureCLI task

Correct answer is C

KV task

Correct answer is C.

B, C, D - Regarding which option is the right one, it is important to remember that there is no one-size-fits-all answer, as each project may have specific needs. The recommended option will depend on the project context, security requirements, and team preferences. Microsoft's official solution, "Add a PowerShell task to the pipeline and run Set-AzureKeyVaultSecret", is a good choice because it offers a high level of control and flexibility. However, the other options may also be equally valid, depending on the details of the project.

You want credentials not to be leaked. This means they CANNOT be anywhere in your infrastructure scripts of pipeline. To do this, you will add Azure Key Vault key references. At runtime, the pipeline will ask the Vault for values and pass them immediately to the infrastructure scripts.

C I think, credentials in KV task are fetched from KV and not visible at all.

C. Add Key Vault task.. Secrets can be used to full parameter values, if using ARM templates the parameter type is securestring and will not be shown in the RG deployment Secrets using Key Vault task are masked in all and any ouputs and logs generated by the Agents