Exam AZ-500
Question 345

HOTSPOT

You have an Azure key vault.

You need to delegate administrative access to the key vault to meet the following requirements:

• Provide a user named User1 with the ability to set access policies for the key vault.

• Provide a user named User2 with the ability to add and delete certificates in the key vault.

• Use the principle of least privilege.

What should you use to assign access to each user? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion
Apptech

User1: Key Vault access policy. User2: RBAC only --> Key Vault Certificates Officer: perform any action on the certificates of a key vault, except manage permissions.

Apptech

Same as in Topic3, question 34

timHAG

Which answers? RBAC for User1 and Key Vault access policy; it seems that after the Entra updates the data plane is for both, for managing keys, Apptech, for the second one. For the first one, User1, it should be RBAC only.

timHAG

So the provided answers are correct.

Apptech

Correcting myself: the given answer is correct. From Microsoft: "Both planes use Microsoft Entra ID for authentication. For authorization, the management plane uses Azure role-based access control (Azure RBAC) and the data plane uses a Key Vault access policy and Azure RBAC for Key Vault data plane operations." --> See here: https://learn.microsoft.com/en-us/azure/key-vault/general/security-features#privileged-access

Jimmy500

The given solution is correct. Here we need to read the question carefully and see what it asks for User1 and for User2. The first part says: provide a user named User1 with the ability to set access policies for the key vault. That basically tells you that you need to provide access to the management plane, not the data plane. As we know, RBAC roles can be assigned at both the management-plane and the data-plane level. However, Key Vault access policies only work at the data-plane level. From this we can say that for the first case it will be RBAC only. The second part asks: provide a user named User2 with the ability to add and delete certificates in the key vault, which basically says we need to add permissions on the data plane of the Azure key vault, and that can be done either with RBAC or with a Key Vault access policy, both of which can be applied at the data-plane level of an Azure key vault.

Jimmy500

Sorry, I think I missed one thing here. Azure access policies and RBAC cannot work together, which is why I think we can only use RBAC in both cases. If we used a Key Vault access policy and RBAC together and assigned a role with RBAC on the data plane for deleting certificates, we would need to use Key Vault Certificates Officer, and when you assign it, it says in front of the role that it only works with the RBAC model. If we used a Key Vault access policy, we would not be able to grant access to User1, as that needs RBAC; since we will use RBAC for User1, we will need to use RBAC for User2 as well, because a key vault does not support both methods together. I change my answer, and sorry for my initial thought. RBAC, RBAC.

Jimmy500

I also changed my key vault settings to the access policy model and assigned myself the Key Vault Certificate Owner role. The assignment succeeded, but when I went to create a certificate I got an error and could not create it, because this role does not support the access policy model.

JaridB

The provided answers are correct.

Pamban

Nope. A key vault can't have both the RBAC and the access policy permission model.
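Added example, not from the exam page or from any of the commenters above: the delegation the question describes, written as an Az PowerShell script. It ties together the two points made in the thread: setting access policies is a management-plane operation and is always granted with Azure RBAC on the vault resource, while certificate add/delete is a data-plane operation that is granted either with RBAC or with an access policy depending on which single permission model the vault is in. The vault name, resource group and user principal names are placeholders, and the choice of the built-in Key Vault Contributor role for User1 is an assumption (the page only says "RBAC"); it is the least-privilege built-in role that can write the vault's access policies without granting any data-plane rights.

```powershell
# Added example (not the exam page's own content). Requires the Az PowerShell module
# and an existing Connect-AzAccount session. All values below are placeholders.
$VaultName     = 'kv-example'           # placeholder vault name
$ResourceGroup = 'rg-example'           # placeholder resource group
$User1         = 'user1@contoso.com'    # placeholder UPN
$User2         = 'user2@contoso.com'    # placeholder UPN

$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup

# User1: setting access policies is a write on the vault resource itself (management
# plane), so it is granted with Azure RBAC at the vault scope regardless of the
# vault's data-plane permission model. Key Vault Contributor (assumed choice) manages
# the vault resource but grants no access to keys, secrets or certificates.
New-AzRoleAssignment -SignInName $User1 `
    -RoleDefinitionName 'Key Vault Contributor' `
    -Scope $vault.ResourceId

# User2: adding and deleting certificates is a data-plane operation. A vault is in
# exactly one permission model, so branch on EnableRbacAuthorization instead of
# trying to apply both mechanisms.
if ($vault.EnableRbacAuthorization) {
    # RBAC model: built-in data-plane role, scoped no wider than the vault.
    New-AzRoleAssignment -SignInName $User2 `
        -RoleDefinitionName 'Key Vault Certificates Officer' `
        -Scope $vault.ResourceId
}
else {
    # Access-policy model: grant only the two certificate permissions required.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
        -UserPrincipalName $User2 `
        -PermissionsToCertificates create, delete
}

# Verify what was actually granted at the vault scope.
Get-AzRoleAssignment -Scope $vault.ResourceId |
    Select-Object SignInName, RoleDefinitionName
(Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup).AccessPolicies |
    Select-Object DisplayName, PermissionsToCertificates
```

If the vault is in the RBAC model, the `else` branch never runs and an access-policy entry for User2 would be ignored anyway, which is the behaviour Jimmy500 and Pamban describe; if it is in the access-policy model, a Key Vault Certificates Officer assignment would succeed but have no effect on data-plane calls, so the script grants the policy instead.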