AZ-400 Exam Questions

AZ-400 Exam - Question 115


DRAG DROP -

Your company has a project in Azure DevOps.

You plan to create a release pipeline that will deploy resources by using Azure Resource Manager templates. The templates will reference secrets stored in Azure Key Vault.

You need to recommend a solution for accessing the secrets stored in the key vault during deployments. The solution must use the principle of least privilege.

What should you include in the recommendation? To answer, drag the appropriate configurations to the correct targets. Each configuration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Correct Answer:

Box 1: A Key Vault advanced access policy

Box 2: RBAC

Management plane access control uses RBAC.

The management plane consists of operations that affect the key vault itself, such as:

- Creating or deleting a key vault.
- Getting a list of vaults in a subscription.
- Retrieving Key Vault properties (such as SKU and tags).
- Setting Key Vault access policies that control user and application access to keys and secrets.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-tutorial-use-key-vault
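As an added illustration (not part of the original question, answer, or Microsoft's documentation), the two concrete artifacts behind this scenario: the parameter-file entry that makes Resource Manager read the secret from the vault at deployment time, and a small audit of a vault description (the shape returned by `az keyvault show`) that checks the template-deployment flag and flags access policies granting more than the `get`/`list` a deployment needs. Vault name, IDs and the sample vault are constructed placeholders.

```python
"""Added example: Key Vault secret reference for ARM parameter files plus a
least-privilege audit of a vault's access policies. All names are placeholders."""
import json

TEMPLATE_FLAG = "enabledForTemplateDeployment"   # real vault property
DEPLOYMENT_SECRET_PERMS = {"get", "list"}          # all a template deployment reads


def vault_resource_id(subscription_id, resource_group, vault_name):
    """Resource ID in the form the parameter-file reference expects."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.KeyVault/vaults/{vault_name}")


def secret_parameter(vault_id, secret_name, secret_version=None):
    """Parameter-file entry: the value is resolved by Resource Manager during
    deployment, so the secret never lands in the parameter file or the repo."""
    ref = {"keyVault": {"id": vault_id}, "secretName": secret_name}
    if secret_version:
        ref["secretVersion"] = secret_version
    return {"reference": ref}


def audit_vault(vault):
    """Return findings; an empty list means the vault is ready for template
    deployment and no access policy exceeds get/list on secrets."""
    findings = []
    props = vault.get("properties", {})
    if not props.get(TEMPLATE_FLAG):
        findings.append(f"{TEMPLATE_FLAG} is not enabled")
    for policy in props.get("accessPolicies", []):
        perms = {p.lower() for p in policy.get("permissions", {}).get("secrets", [])}
        extra = perms - DEPLOYMENT_SECRET_PERMS
        if extra:
            findings.append(f"{policy.get('objectId')} exceeds get/list on secrets: {sorted(extra)}")
    return findings


# Constructed sample vault: one narrow policy and one over-broad one.
SAMPLE_VAULT = {
    "name": "contoso-kv",
    "properties": {
        TEMPLATE_FLAG: True,
        "accessPolicies": [
            {"objectId": "00000000-0000-0000-0000-000000000001", "permissions": {"secrets": ["get", "list"]}},
            {"objectId": "00000000-0000-0000-0000-000000000002", "permissions": {"secrets": ["all"]}},
        ],
    },
}

if __name__ == "__main__":
    vid = vault_resource_id("<subscription-id>", "<resource-group>", "contoso-kv")
    print(json.dumps({"adminPassword": secret_parameter(vid, "vmAdminPassword")}, indent=2))
    print(audit_vault(SAMPLE_VAULT))
```

Management-plane rights (creating or deleting the vault, editing its policies) are not covered by the audit; those come from RBAC role assignments, as the answer above states.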

Discussion

17 comments
Kazillius
Jul 1, 2021

Answer should be: 1) A Key Vault access policy 2) A Key Vault access policy

rfox321
Sep 24, 2021

Why is this the correct answer? Link?

awron_durat
Jan 27, 2022

I think this question is just very out of date. I checked KV and they don't even have an advanced access policy section anymore.

ParkXD
Mar 14, 2023

agree, now it is "resource access" in the Access configuration

rdemontis
Mar 18, 2022

"To enable the template to retrieve the secret, you must enable an access policy called Enable access to Azure Resource Manager for template deployment for the key vault. This policy is enabled in the template" Please look at the link below (Important section) https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault#prepare-a-key-vault The answer provided by exam topic is really outdated. The section Advanced access policy has been removed from years and now, as you can easily test in the portal, the only thing to do for either the question is to create an access policy. Specifically, to enable key vaults for template deployment you need only to flag the proper checkbox

rdemontis
Apr 1, 2022

However, if "Advanced access policy" were to be present as an option on the exam I would consider using it for the first box. Because an obsolete answer also suggests that the question is obsolete.

catfood
Jul 25, 2023

access policies aren't needed if the user is deploying a template that retrieves a secret https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli Outdated question IMHO, going to ignore it.

prashantjoge
Apr 5, 2022

Advanced policy is needed for template deployment key vault policy since rbac is needed for managing the keyvault itself

mshin
Mar 9, 2023

1) Advanced Access Policy. Note, this option is now replaced by 'Access Configurations'. Portal --> Key vault --> Access Configuration --> Enable Az Resource Manager for template deployment option
2) Key Vault Access policies. Role-Based Access Control (RBAC) is used for managing Azure Active Directory (AAD) users, groups, and applications at a management plane level (assigning roles, creating custom roles with specific perms), whereas Access Policies are used for managing Key Vault data plane operations, such as read, write, and delete secrets. So Access Policies are specific to Azure Key Vault and are used to manage access to the secrets and keys stored within it. As mentioned in the comments below, a good rule of thumb is to remember:
- access to the key vault could be provided by RBAC
- access to the keys/secrets in key vault could be provided by access policy
- access for a period of time can be provided by SAS.

fkaracan
Feb 13, 2023

who are you and why should we trust you without giving explanation :D

sv_26
Jul 6, 2021

answer should be A key vault access policy RABC

rfox321
Sep 24, 2021

Links for proof please?

CompetentNinja
Mar 31, 2022

Try to enable it in the portal and you will see for yourself. In the new version there is no "advanced".

yana_b
Aug 11, 2023

This question is a bit outdated. The newer version split it into 2 separate questions asking for restricting access to:
- delete the key vault => RBAC
- the secrets stored in the key vault => key access policy

WH16
Sep 6, 2023

Yes, it was on exam 2023-09-06, went with answers above and scored 933.

AzureJobsTillRetire
Jan 18, 2023

As a rule of thumb, access to the key vault could be provided by RBAC, access to the keys/secrets in key vault could be provided by access policy, and access for a period of time can be provided by SAS. I have used this rule of thumb across a few Azure exams (AZ-104, AZ-305, AZ-700, AZ-500) and it never fails me. I hope it works in AZ-400 as well. There must be some very specific reasons if the rule does not apply.

Def21
Sep 9, 2022

Correct answer is: 1) A key vault access policy (which is called "advanced" setting in warning messages) 2) RBAC. The answer options are out-of-date. Explanation: Currently in the portal "Access configuration" you can select "Azure role-based access control" or "Vault access policy". Independent of this selection, there is a possibility to select "Azure Resource Manager for template deployment". There is no word "Advanced" anywhere. However, in warning messages, the last option is described as an advanced access policy.

Atos
Sep 13, 2022

A Key Vault access policy - an access policy is the only way to set up this option. RBAC - the only way to restrict access would be a permission model, role based is the only option, so rather obvious.

Rachid
Nov 27, 2022

The first option has to be enabled in KV / Access Configuration / Resource access. The Resource access section says: "Choose among the following options to grant access to specific resource types":
- Azure Virtual Machines for deployment
- Azure Resource Manager for template deployment
- Azure Disk Encryption for volume encryption

renzoku
Jul 14, 2023

1. Access Policies: fine-grained approach for controlling access to the secrets in Azure Key Vault. 2. RBAC: commonly used for managing access to Azure resources (e.g. Key Vault).

Narender_892
Sep 7, 2022

1. The answer isn't given in the options. It should be the Access configuration blade in the Key vault. 2. A Key Vault access policy.

Aksssssh
Oct 19, 2022

Both should be - a key vault access policy https://learn.microsoft.com/en-us/answers/questions/370371/restrict-access-to-the-secrets-in-the-key-vault-ar.html https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-tutorial-use-key-vault

hebertpena88
Oct 20, 2022

Today's answer is: 1. Access Policy 2. Access Configuration -- Here you can setup permissions for VMs

rikininetysix
Dec 27, 2022

Seems like the answer should be - 1) A Key Vault access policy 2) RBAC https://learn.microsoft.com/en-us/answers/questions/370371/restrict-access-to-the-secrets-in-the-key-vault-ar.html
Access to vaults takes place through two interfaces or planes. Management plane is controlled via RBAC to manage Key Vault itself. Operations that can be controlled are:
> Create, read, update, and delete key vaults
> Set Key Vault access policies
> Set Key Vault tags
Data plane is controlled via Access Policies to allow you to work with the data stored in a key vault. Operations that can be controlled are:
> Keys: encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, recover, backup, restore, purge
> Certificates: managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, get, list, create, import, update, delete, recover, backup, restore, purge
> Secrets: get, list, set, delete, recover, backup, restore, purge

rikininetysix
Dec 28, 2022

Sorry for the mistake, the answer given is entirely correct: the first answer would be A Key Vault advanced access policy and the second one would be RBAC.

yana_b
Oct 26, 2023

1. Access configurations under Settings on the Key vault blade itself. 2. Access to the data in the KV itself => Data plane, and here we can choose between Access Policy and Key Vault RBAC.

Pipek
Mar 23, 2023

1) Enable key vaults for template deployment: RBAC https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli "The access policies aren't needed if the user is deploying a template that retrieves a secret. Add a user to the access policies only if the user needs to work directly with the secrets. The deployment permissions are defined in the next section." 2) Access policy

chloaus
Apr 10, 2024

Correct Answer: 3, 1. "The access policies aren't needed if the user is deploying a template that retrieves a secret. Add a user to the access policies only if the user needs to work directly with the secrets. The user who deploys the template must have the Microsoft.KeyVault/vaults/deploy/action permission for the scope of the resource group and key vault." Recommendations for controlling access to your vault are as follows: lock down access to your subscription, resource group, and key vaults using role-based access control (RBAC). Restrict network access with Private Link, firewall and virtual networks. https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices

arr73
Apr 28, 2024

I think that question is old, and the response has changed. Now I think it should be: Slot 1: RBAC, Slot 2: RBAC. Explanation: Microsoft recommends migrating from access policies (legacy) to RBAC. See the provided link, which says: "Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on Azure's control and data planes, and the access policy model, which operates on the data plane alone. Azure RBAC is the recommended authorization system for the Azure Key Vault data plane." https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy#data-plane-access-control-recommendation

arr73
Jun 29, 2024

I was wrong: it's access policy, as rdemontis explained. Sorry for the mistake.

Skankhunt
Jul 21, 2024

Old question, the correct answer now would be: 1) Key Vault Access configuration. Here you can enable "Azure Resource Manager for template deployment". 2) RBAC