Exam AZ-400
Question 106

HOTSPOT -

You have an Azure subscription that contains the resources shown in the following table.

You plan to create a linked service in DF1. The linked service will connect to SQL1 by using Microsoft SQL Server authentication. The password for the SQL Server login will be stored in KV1.

You need to configure DF1 to retrieve the password when the data factory connects to SQL1. The solution must use the principle of least privilege.

How should you configure DF1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Secret -

    Store the credential in Azure Key Vault and have the linked service reference the secret stored in the key vault.

    To reference a credential stored in Azure Key Vault, you need to:

    1. Retrieve the data factory's managed identity.

    2. Grant the managed identity access to your Azure Key Vault. In your key vault, go to Access policies -> Add Access Policy, search for this managed identity, and grant it the Get permission in the Secret permissions dropdown. This allows the designated factory to access secrets in the key vault.

    3. Create a linked service pointing to your Azure Key Vault.

    4. Create the data store linked service and, inside it, reference the corresponding secret stored in the key vault.

    Box 2: Access policy -

    Reference:

    https://docs.microsoft.com/en-us/azure/data-factory/store-credentials-in-key-vault
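
An added check for step 2, not part of the original answer or of Microsoft's documentation: given a vault description shaped like the output of `az keyvault show`, it confirms that the data factory's managed identity holds the secret Get permission and nothing more. The sample vault, the object IDs and the function name `audit_policy` are constructed for illustration.

```python
import json

# Constructed sample shaped like the output of `az keyvault show`; the object
# IDs are placeholders, not values from the question.
SAMPLE_VAULT = json.loads("""
{
  "name": "KV1",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-0000000000df",
       "permissions": {"keys": [], "secrets": ["Get"], "certificates": []}},
      {"objectId": "00000000-0000-0000-0000-0000000000aa",
       "permissions": {"keys": ["get"], "secrets": ["get", "list", "set"],
                       "certificates": null}}
    ]
  }
}
""")

ALLOWED = {"secrets": {"get"}}  # the only permission step 2 grants


def audit_policy(vault, object_id):
    """Check one principal's access policy against ALLOWED.

    Returns (can_get_secret, extra) where extra maps a permission category
    to the sorted permissions granted beyond ALLOWED. Returns None if the
    principal has no access policy. Raises ValueError if the vault is in
    RBAC mode, where access policies are not evaluated.
    """
    props = vault["properties"]
    if props.get("enableRbacAuthorization"):
        raise ValueError("vault uses Azure RBAC; audit role assignments instead")
    policies = [p for p in props.get("accessPolicies") or []
                if p["objectId"].lower() == object_id.lower()]
    if not policies:
        return None
    can_get, extra = False, {}
    for policy in policies:
        for category, granted in (policy.get("permissions") or {}).items():
            granted = {g.lower() for g in granted or []}
            if category == "secrets" and granted & {"get", "all"}:
                can_get = True
            over = granted - ALLOWED.get(category, set())
            if over:
                extra[category] = sorted(over | set(extra.get(category, [])))
    return can_get, extra
```

An empty `extra` for the factory's object ID means the policy matches step 2 exactly; any entry in it is a permission to remove.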

Discussion
surensaluka

This came today (2023-02-14) for my exam. Selected Secret and Access Policy

pc1707

Hey! Did you get simulation questions?

meoukg

saw it yesterday in my exam

pc1707

Hey! Did you get simulation questions?

Rod_DA

New recommended access configuration to vault is now RBAC instead of access policy, and there is a role to give access only to secrets, so the answer should be secret and RBAC

zellck

1. Secret 2. Access policy https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal A Key Vault access policy determines whether a given security principal, namely a user, application or user group, can perform different operations on Key Vault secrets, keys, and certificates. You can assign access policies using the Azure portal, the Azure CLI, or Azure PowerShell.

Tyler2023

Access Policy is a legacy authorization system built into Key Vault to provide access to keys, secrets, and certificates, but there is a new recommended authorization system, which is RBAC. You can set up the managed identity of Azure Data Factory and allow the identity to access Key Vault, BUT since the question asks which permission type you need, which is Secret, you have to use Access Policy instead of RBAC. Answer is Secret and Access Policy. Refs: https://learn.microsoft.com/en-us/azure/data-factory/data-factory-service-identity https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy

Aqlanoz

Since Key Vault has RBAC now, should the answer be RBAC instead of access policy?

Govcomm

Secret Access Policy (Data Plan)

Leandrocei

Correct. Came today 22 july 9

ppo12

I think correct, since a password is usually stored in a Secret. No need to give RBAC, access policy will do

syu31svc

"Password", so secret for permission. Access to Key Vault, so Access Policy. Answer is correct

UnknowMan

Secret (Password is stored) And Access Policy

Skankhunt

It's an old question. I believe the correct answer now would be: Secret RBAC

ozbonny

secret access policy

vsvaid

Agree with suggested answer

yana_b

Provided answer is correct

xRiot007

Answer is secret and access policy. See ref: https://tech-tutes.com/2020/05/16/get-database-password-from-key-vault-in-data-factory/

dibbadobbagibbu

RBAC is the only one that can limit access per Secret. So you could argue that RBAC is correct

Rubends

RBAC is used for Key Vault access; to use a secret you must configure an access policy

catfood

No, RBAC can be used for individual secrets; configure it in the secret's IAM blade.

Pav143

Well, now that means RBAC for individual secret access satisfies least privilege more than an access policy that offers high privilege by giving access to ALL secrets. So yeah, Microsoft is not dumb; if you select access policy when there is RBAC in the options, you're going to lose a point there for sure.