Question 115

DRAG DROP -

Your company has a project in Azure DevOps.

You plan to create a release pipeline that will deploy resources by using Azure Resource Manager templates. The templates will reference secrets stored in Azure Key Vault.

You need to recommend a solution for accessing the secrets stored in the key vault during deployments. The solution must use the principle of least privilege.

What should you include in the recommendation? To answer, drag the appropriate configurations to the correct targets. Each configuration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

    Correct Answer:

    Box 1: A Key Vault advanced access policy

    Box 2: RBAC

    Management plane access control uses RBAC.

    The management plane consists of operations that affect the key vault itself, such as:

    ✑ Creating or deleting a key vault.

    ✑ Getting a list of vaults in a subscription.

    ✑ Retrieving Key Vault properties (such as SKU and tags).

    ✑ Setting Key Vault access policies that control user and application access to keys and secrets.

    Reference:

    https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-use-key-vault

Discussion
Kazillius

Answer should be: 1) A Key Vault access policy 2) A Key Vault access policy

rfox321

Why is this the correct answer? Link?

awron_durat

I think this question is just very out of date. I checked KV and they don't even have an advanced access policy section anymore.

ParkXD

Agree, now it is "Resource access" in the Access configuration.

rdemontis

"To enable the template to retrieve the secret, you must enable an access policy called Enable access to Azure Resource Manager for template deployment for the key vault. This policy is enabled in the template." Please look at the link below (Important section): https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#prepare-a-key-vault The answer provided by ExamTopics is really outdated. The Advanced access policy section has been removed for years and now, as you can easily test in the portal, the only thing to do for either part of the question is to create an access policy. Specifically, to enable key vaults for template deployment you only need to tick the proper checkbox.
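
The "Enable access to Azure Resource Manager for template deployment" setting quoted above is the enabledForTemplateDeployment property of the vault resource, so a pipeline can turn it on in the template itself instead of clicking it in the portal. The following ARM template is an added example written for this thread, not code from the question or from Microsoft's tutorial; the vaultName parameter is a placeholder, and the API version and property names are the ones documented for Microsoft.KeyVault/vaults. It also sets enableRbacAuthorization so that data-plane access to the secrets is governed by RBAC role assignments rather than by vault access policies, which is the least-privilege model the discussion converges on:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "description": "Added example for this thread; vaultName is a placeholder parameter, not a real vault."
  },
  "parameters": {
    "vaultName": {
      "type": "string",
      "metadata": { "description": "Globally unique Key Vault name (placeholder)." }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2022-07-01",
      "name": "[parameters('vaultName')]",
      "location": "[parameters('location')]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "family": "A", "name": "standard" },
        "enableRbacAuthorization": true,
        "enabledForTemplateDeployment": true,
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enableSoftDelete": true,
        "enablePurgeProtection": true,
        "accessPolicies": []
      }
    }
  ]
}
```

Only the template-deployment flag is enabled; the sibling flags for VM deployment and disk encryption stay off because the scenario does not need them. With enableRbacAuthorization set, the empty accessPolicies array is deliberate: nobody gets data-plane rights through the legacy policy model, and every read of a secret has to come from a role assignment that can be audited.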

rdemontis

However, if "Advanced access policy" were to be present as an option on the exam I would consider using it for the first box. Because an obsolete answer also suggests that the question is obsolete.

catfood

Access policies aren't needed if the user is deploying a template that retrieves a secret: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli Outdated question IMHO, going to ignore it.

prashantjoge

Advanced policy is needed for the template deployment key vault policy, since RBAC is needed for managing the key vault itself.

mshin

1) Advanced Access Policy. Note, this option is now replaced by 'Access Configurations': Portal --> Key vault --> Access Configuration --> Enable Az Resource Manager for template deployment option.
2) Key Vault Access policies.
Role-Based Access Control (RBAC) is used for managing Azure Active Directory (AAD) users, groups, and applications at a management plane level (assigning roles, creating custom roles with specific perms), whereas Access Policies are used for managing Key Vault data plane operations, such as read, write, and delete secrets. So Access Policies are specific to Azure Key Vault and are used to manage access to the secrets and keys stored within it. As mentioned in the comments below, a good rule of thumb is to remember:
- access to the key vault could be provided by RBAC
- access to the keys/secrets in key vault could be provided by access policy
- access for a period of time can be provided by SAS.

fkaracan

Who are you and why should we trust you without giving an explanation :D

sv_26

Answer should be: A Key Vault access policy; RBAC

rfox321

Links for proof please?

CompetentNinja

Try to enable it in the portal and you will see for yourself. In the new version there is no "advanced".

yana_b

This question is a bit outdated. The newer version splits it into 2 separate questions asking for restricting access to:
- delete the key vault => RBAC
- the secrets stored in the key vault => key access policy

WH16

Yes, it was on exam 2023-09-06, went with answers above and scored 933.

AzureJobsTillRetire

As a rule of thumb, access to the key vault could be provided by RBAC, access to the keys/secrets in key vault could be provided by access policy, and access for a period of time can be provided by SAS. I have used this rule of thumb across a few Azure exams (AZ-104, AZ-305, AZ-700, AZ-500) and it never fails me. I hope it works in AZ-400 as well. There must be some very specific reason if the rule does not apply.

renzoku

1. Access Policies: fine-grained approach for controlling access to the secrets in Azure Key Vault.
2. RBAC: commonly used for managing access to Azure resources (e.g. Key Vault).

Rachid

The first option has to be enabled in KV / Access configuration / Resource access. The Resource access section reads "Choose among the following options to grant access to specific resource types":
Azure Virtual Machines for deployment
> Azure Resource Manager for template deployment
Azure Disk Encryption for volume encryption

Atos

A Key Vault access policy - an access policy is the only way to set up this option.
RBAC - the only way to restrict access would be a permission model; role based is the only option, so rather obvious.

Def21

Correct answer is:
1) A key vault access policy (which is called an "advanced" setting in warning messages)
2) RBAC
The answer options are out-of-date. Explanation: Currently in the portal "Access configuration" you can select "Azure role-based access control" or "Vault access policy". Independent of this selection, there is a possibility to select "Azure Resource Manager for template deployment". There is no word "Advanced" anywhere. However, in warning messages, the last option is described as an advanced access policy.

yana_b

1. Access configurations under Settings on the Key vault blade itself
2. Access to the data in the KV itself => Data plane, and here we can choose between Access Policy and Key Vault

rikininetysix

Seems like the answer should be: 1) A Key Vault access policy 2) RBAC
https://learn.microsoft.com/en-us/answers/questions/370371/restrict-access-to-the-secrets-in-the-key-vault-ar.html
Access to vaults takes place through two interfaces or planes. The management plane is controlled via RBAC to manage Key Vault itself. Operations that can be controlled are:
> Create, read, update, and delete key vaults
> Set Key Vault access policies
> Set Key Vault tags
The data plane is controlled via Access Policies and allows you to work with the data stored in a key vault. Operations that can be controlled are:
> Keys: encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, recover, backup, restore, purge
> Certificates: managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, get, list, create, import, update, delete, recover, backup, restore, purge
> Secrets: get, list, set, delete, recover, backup, restore, purge

rikininetysix

Sorry for the mistake, the answer given is entirely correct: the first answer would be A Key Vault advanced access policy and the second one would be RBAC.

hebertpena88

Today's answer is: 1. Access Policy 2. Access Configuration - here you can set up permissions for VMs.

Aksssssh

Both should be - a key vault access policy https://learn.microsoft.com/en-us/answers/questions/370371/restrict-access-to-the-secrets-in-the-key-vault-ar.html https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault

Narender_892

1. The answer isn't given in the options. It should be the Access configuration blade in the Key vault
2. A Key Vault access policy

Skankhunt

Old question, the correct answer now would be:
1) Key Vault Access configuration. Here you can enable "Azure Resource Manager for template deployment".
2) RBAC

arr73

I think that question is old, and the response has changed. Now I think it should be: Slot 1: RBAC, Slot 2: RBAC. Explanation: Microsoft recommends migrating from access policies (legacy) to RBAC. See the provided link, which says: "Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on Azure's control and data planes, and the access policy model, which operates on the data plane alone. Azure RBAC is the recommended authorization system for the Azure Key Vault data plane." https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy#data-plane-access-control-recommendation

arr73

I was wrong: it's access policy, as rdemontis explained. Sorry for the mistake.

chloaus

Correct Answer: 3, 1
The access policies aren't needed if the user is deploying a template that retrieves a secret. Add a user to the access policies only if the user needs to work directly with the secrets. The user who deploys the template must have the Microsoft.KeyVault/vaults/deploy/action permission for the scope of the resource group and key vault.
Recommendations for controlling access to your vault are as follows:
- Lock down access to your subscription, resource group, and key vaults using role-based access control (RBAC).
- Restrict network access with Private Link, firewall and virtual networks.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli
https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices
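
The Microsoft.KeyVault/vaults/deploy/action permission cited above is the narrowest thing the deploying identity needs: it lets Resource Manager fetch a referenced secret during deployment without granting the identity the right to read secret values itself. The role definition below is an added example for this thread, not something from the question page or from Microsoft's documentation; the role name and the subscription and resource group segments in AssignableScopes are placeholders. It is in the file format accepted by az role definition create --role-definition, and it grants exactly that one action:

```json
{
  "Name": "Key Vault Template Deployer (example placeholder name)",
  "IsCustom": true,
  "Description": "Added example role: allows a pipeline principal to deploy templates whose parameters reference Key Vault secrets, without any read access to the secrets themselves.",
  "Actions": [
    "Microsoft.KeyVault/vaults/deploy/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"
  ]
}
```

Assign the role to the pipeline's service connection identity at the scope of the individual vault rather than the whole resource group, so a compromised pipeline cannot pull secrets from other vaults in the group. The deploying identity still needs its usual deployment rights on the target resources; this role only covers the vault side. Because DataActions is empty, a principal holding only this role cannot list or get secrets through the data plane, which is the distinction between "the template may consume the secret" and "the operator may read the secret" that the least-privilege requirement in the question is really about.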

Pipek

1) Enable key vaults for template deployment: RBAC
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli
The access policies aren't needed if the user is deploying a template that retrieves a secret. Add a user to the access policies only if the user needs to work directly with the secrets. The deployment permissions are defined in the next section.
2) Access policy
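
Several posts above link to the key-vault-parameter page without showing what the "template that retrieves a secret" actually looks like. The parameter file below is an added example for this thread, not code from the question or from that page; the subscription, resource group, vault and secret names are placeholders. The secret value never appears in the file or in the pipeline's source control: the reference block names the vault and the secret, and Resource Manager resolves it at deployment time, which only works if the vault has enabledForTemplateDeployment set and the deploying identity holds Microsoft.KeyVault/vaults/deploy/action on that vault:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "value": "example-admin"
    },
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "<secret-name-placeholder>"
      }
    }
  }
}
```

In the template itself, declare adminPassword with type securestring so the resolved value is excluded from deployment history and logs; a plain string parameter would write the secret into the deployment record. If the pipeline fails with a permissions error on the keyVault id, check the deploy/action assignment on the vault before reaching for an access policy: the data-plane policy grants the pipeline far more than it needs, which is exactly what the question's least-privilege constraint is steering away from.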