Exam AZ-500
Question 372

HOTSPOT -

You have an Azure subscription that contains an Azure key vault named ContosoKey1.

You create users and assign them roles as shown in the following table.

You need to identify which users can perform the following actions:

✑ Delegate permissions for ContosoKey1.

✑ Configure network access to ContosoKey1.

Which users should you identify? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-guide

Discussion
cvarl

Delegate permissions for ContosoKey1: User 1 and User 3
Configure network access to ContosoKey1: User 1 and User 4
Key Vault Contributor role definition includes Microsoft.KeyVault/*, which means it has full rights and can therefore modify network access. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor

Pinto

Not sure about box1, Box1: User1 and User3/User4. Box2: User1 and User4. https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault#management-plane-and-azure-rbac https://docs.microsoft.com/en-us/azure/key-vault/general/security-overview https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

guser99

Tested in lab Box1: User1,User3 and User4. Box2: User1 and User4.

macco455

@guser99 Contributors on ANY blade have full rights EXCEPT modifying permissions, which includes delegation. Therefore this is incorrect. Correct answers are:
Box 1: User 1 and User 3
Box 2: User 1 and User 4

russ0

Box 2 should be User 1 only since Key Vault Contributor role is for management plane operations to manage key vaults. It does not allow access to keys, secrets and certificates.

TJ001

Key Vault Contributor won't be enough to completely configure the network settings. Suppose it needs to access the VNET/subnet for a service endpoint or create a private endpoint; it is contentious, as we can argue those resources are in a separate RG and for those RGs user 4 has the required permissions.

micofucho

Question says: "Configure network access to ContosoKey1". Key Vault Contributor can modify network access of Key Vault.

CliveW

Even an Owner (at Key Vault level) wouldn't be able to access the VNET/subnet....

Ajdlfasudfo0

that doesn't matter, he could also just whitelist IP ranges

massnonn

wrong: Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor

Cyberbug2021

A contributor does not have rights to grant permissions. Check microsoft.keyvault/* does not include network access - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Box 1 - User 1 and User 3
Box 2 - User 1

zsedo

One only needs Microsoft.KeyVault/vaults/accessPolicies/write, which is part of the Key Vault Contributor role. You can add a single IP range; you don't need to read the network configs (vnet/subnet).

Riyasriy

Box1: User1 and User3
Box2: User1 and User4
I have tested this in my lab. User4 also can modify network access. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor

majstor86

Delegate permissions for ContosoKey1: User 1 and User 3 only
Configure network access to ContosoKey1: User 1 only

wardy1983

Delegate permissions for ContosoKey1: User 1 and User 3
Configure network access to ContosoKey1: User 1 and User 4
Key Vault Contributor role definition includes Microsoft.KeyVault/*, which means it has full rights and can therefore modify network access. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor

zellck

1. User1 and User3 only.
2. User1 only.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator
Lets you manage user access to Azure resources.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor
Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates.

fonte

Delegate Permissions: User 1 and User 3
Configure Network Access (Networking > Firewalls and virtual networks): User 1 and User 4
Tested in lab.

Alexbz

I also tested this in the lab. For configuring the network access, user4 was able to do some network configurations, like changing the "Allow access from:" option from All to Disable, but not to a specific VNet, as the user doesn't have any rights on those VNETs or even the right to create a new VNET. The user could also add an IP to the firewall and change the exception settings. So considering all these, I think Box 2 should be User1 and User4.

Muaamar_Alsayyad

Box1: User1 and User3
Box2: User1 and User4

AzureAdventure

Box 1: User 1 and User 3 (The Key Vault Contributor role is for management plane operations to manage key vaults. It does not allow access to keys, secrets and certificates.)
Box 2: User 1 and User 4

prasdey

Given Answer is correct

tnagy

For Q2: The answer should be User 1 and User 4. Why user 4? Key Vault Contributor has the following permission: Microsoft.Resources/deployments/* (Create and manage a deployment), which means he can configure network access to keys. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor

Exams_Prep_2021

In Exam - 20/6/2022 - 1 Case Study ( 6 ) - Lab ( 10 Tasks )

WhalerTom

In exam Dec'21. 40 questions, 1 case study, no labs.

Jimmy500

In the first box we need to know that Key Vault Contributor can manage the key vault but cannot grant access to the key vault. There might be a question: could Key Vault Administrator do this if it were here instead of Key Vault Contributor? The answer would be no as well, as Key Vault Administrator can perform all data plane operations but cannot grant access to the Key Vault. Owner and User Access Administrator can grant access to the Azure Key Vault. That is why in box1 we should choose User1 and User3. However, maybe in the exam you will see whether Owner can see the data plane directly; the answer is no, Owner should assign him/herself a role first. I think this is enough for box1. I will add the next section as a reply to this, as ExamTopics does not allow adding the full comment as it is a bit long.

Jimmy500

Let's go with box2. The Security Admin role is obvious to us; we need to use it for the Defender for Cloud side, and this is not an option for us to choose in our answer. User Access Contributor cannot change any network settings, as we see it is intended for access. We are left with Owner and Key Vault Contributor. Owner will be able to manage any management plane operation; that is why one of the answers will be User1, who has the Owner role here. For the second role, which is Key Vault Contributor, I revoked all my permissions in the subscription and tried to add network rules to the Azure Key Vault.

Jimmy500

I could only add the "Allow access from" section's 2 options, which are Allow public access from all networks and Disable public access. When it comes to Allow public access from specific virtual networks and IP addresses, we cannot add a virtual network with just the Key Vault Contributor role (you can test this as I did). In the firewall setting, where you can only add a public IP, I could add it. For the Private endpoint connections settings, we cannot add anything with just the Key Vault Contributor role. As a result of long tests, I would choose User1 only for the second box, as we saw Key Vault Contributor could not add all settings for the network of the Azure Key Vault.

Jimmy500

Box 1: User1, User3
Box 2: User1

hfk2020

Tested in the lab. Configure network access to ContosoKey1: User 1 and User 4. I gave User 4 Key Vault Contributor and was able to add my public IP to the network allow list when I was logged in as User4.

Jimmy500

You cannot add any vnet with just Key Vault Contributor access; you can only do 2 things: 1. Allow public access from all networks in the firewall and virtual network settings, and 2. Disable public access. There is nothing else besides these you can do with just the Key Vault Contributor role.

TheProfessor

Answers are correct. Key Vault Contributor: Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates.

Actions:
- Microsoft.Authorization/*/read: Read roles and role assignments
- Microsoft.Insights/alertRules/*: Create and manage a classic metric alert
- Microsoft.KeyVault/*
- Microsoft.Resources/deployments/*: Create and manage a deployment
- Microsoft.Resources/subscriptions/resourceGroups/read: Gets or lists resource groups
- Microsoft.Support/*: Create and update a support ticket

NotActions:
- Microsoft.KeyVault/locations/deletedVaults/purge/action: Purge a soft deleted key vault
- Microsoft.KeyVault/hsmPools/*
- Microsoft.KeyVault/managedHsms/*

CliveW

Tested - Key Vault Contributor role most definitely allows network access configuration. Only issue seems to be if no service endpoint configured on a subnet, in which case the lack of write access to networks comes into play.
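The thread's disagreement comes down to which control-plane operation each task actually needs and whether a role's Actions wildcard covers it once NotActions are subtracted. The following is an added example (not from the question, ExamTopics, or Microsoft) that evaluates Azure RBAC wildcard matching against the role definitions discussed above. The Key Vault Contributor definition is the one quoted in the thread; the Owner and User Access Administrator definitions, the mapping of the tasks to operations, and the subnet permission `Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action` needed for a virtual-network rule are my assumptions about the built-in roles and the Key Vault resource provider, and should be checked against `az role definition list` in your own tenant. Security Admin is left out because its action list is not on the page.

```python
import re

# Role definitions. Key Vault Contributor is as quoted in the thread; Owner and
# User Access Administrator are the built-in definitions as assumed here
# (verify against `az role definition list --name "<role>"` in your tenant).
ROLES = {
    "Owner": {"actions": ["*"], "notActions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [],
    },
    "Key Vault Contributor": {
        "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Insights/alertRules/*",
            "Microsoft.KeyVault/*",
            "Microsoft.Resources/deployments/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Support/*",
        ],
        "notActions": [
            "Microsoft.KeyVault/locations/deletedVaults/purge/action",
            "Microsoft.KeyVault/hsmPools/*",
            "Microsoft.KeyVault/managedHsms/*",
        ],
    },
}

# Control-plane operations behind each task (assumed mapping). Network ACLs are
# a property of the vault resource, so an IP rule only needs vaults/write; a
# virtual-network rule additionally needs a permission on the subnet, which
# lives under Microsoft.Network and is not covered by Microsoft.KeyVault/*.
OPERATIONS = {
    "delegate permissions": ["Microsoft.Authorization/roleAssignments/write"],
    "add IP firewall rule": ["Microsoft.KeyVault/vaults/write"],
    "add virtual network rule": [
        "Microsoft.KeyVault/vaults/write",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
    ],
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard: '*' matches any run of characters, '/' included."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def allows(role: str, operation: str) -> bool:
    """True if some Action covers the operation and no NotAction excludes it."""
    defn = ROLES[role]
    allowed = any(_matches(p, operation) for p in defn["actions"])
    denied = any(_matches(p, operation) for p in defn["notActions"])
    return allowed and not denied


def can_perform(role: str, task: str) -> bool:
    """A task is possible only if every operation it needs is allowed."""
    return all(allows(role, op) for op in OPERATIONS[task])


def roles_for(task: str) -> list:
    """Roles from ROLES that can complete the task, in definition order."""
    return [role for role in ROLES if can_perform(role, task)]


if __name__ == "__main__":
    for task in OPERATIONS:
        print(f"{task}: {', '.join(roles_for(task))}")
```

Run as written, the script reports that delegation needs a role with `Microsoft.Authorization/roleAssignments/write` (Owner, User Access Administrator), that an IP firewall rule needs only `Microsoft.KeyVault/vaults/write` (Owner, Key Vault Contributor), and that a virtual-network rule drops Key Vault Contributor because the subnet permission is outside `Microsoft.KeyVault/*`. That is the distinction behind the "User 1 and User 4" lab results versus the "User 1 only" results above: the testers who could add an IP range and the testers who could not add a VNet were both right about what they observed.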