Exam AZ-500
Question 367

You have an Azure subscription that contains an Azure key vault named Vault1.

In Vault1, you create a secret named Secret1.

An application developer registers an application in Azure Active Directory (Azure AD).

You need to ensure that the application can use Secret1.

What should you do?

Correct Answer: C

To ensure that the application can use Secret1 from Azure Key Vault, you need to create an access policy within Azure Key Vault. Access policies allow you to specify which applications or users can perform specific actions on the secrets, keys, and certificates stored in the vault. In this scenario, assigning the appropriate access policy to the registered application will ensure it has the necessary permissions to retrieve Secret1.

Discussion
Oz Option: C

Ref: https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app

The correct answer is "set access policy" to the managed identity that the app will use. Example:

az keyvault set-policy --name '<YourKeyVaultName>' --object-id <PrincipalId> --secret-permissions get list

This command gives the identity (MSI) of the app service permission to do get and list operations on your key vault.

gfhbox0083 Option: C

C, for sure. Access Policy for Azure KeyVault

Amit3 Option: C

In Exam 01-Oct-2022, I selected C Access Policy.

Janusguru Option: C

Correct answer is C. Azure role is needed for the Management plane through RBAC (Key Vault). Access to the Data plane (secrets reside in Data plane) is through access policy.

Ginairo214 Option: A

The answer should be A. Though both A and C answers will work, see the link below. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration

bxlin

Correct. RBAC would be preferred. C also works.

MoFami

On exam 01 July 2022

majstor86 Option: C

C. In Azure Key Vault, create an access policy.

OrangeSG Option: C

"To grant an application access to use keys in a key vault, you grant data plane access by using Azure RBAC or a Key Vault access policy." Both RBAC and access policy are valid options. But access policy can be more fine-grained; refer to the Access policy screenshot. So I would go for C.

Nian

Actually, RBAC for key vault can control data plane access scoped to individual keys now, so it offers the same fine-grained control. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration

fonte Option: C

If you have already registered the app (as it mentions in the question) then you automatically have a managed identity. So you don't need to create an Azure AD role... at most you could use that managed identity to grant RBAC access to the secret (if it's an RBAC kv). So C is the correct answer.

wardy1983 Option: C

Azure role is needed for the Management plane through RBAC (Key Vault). Access to the Data plane (secrets reside in Data plane) is through access policy.

ESAJRR Option: C

C. In Azure Key Vault, create an access policy.

WinXPert Option: A

The answer is A, because you don't create an access policy in Azure Key Vault.

LonDonMagic

To create an access policy in Azure Key Vault, follow these steps:

1. Open the Azure Key Vault in the Azure portal.
2. Click on the "Access policies" link in the left-hand menu.
3. Click on the "+ Add Access Policy" button.
4. In the "Configure from template" section, select the appropriate template based on the type of access you want to grant to the application.
5. In the "Select principal" section, search for and select the Azure AD application that you want to grant access to.
6. In the "Secret permissions" section, select the permissions that you want to grant to the application, such as "Get" or "List".
7. Click the "Add" button to save the access policy.

After you create the access policy, the application will be able to authenticate with Azure AD and retrieve Secret1 from the Azure Key Vault.

ltjones12 Option: C

C 100%

F117A_Stealth Option: C

Access policy

Muaamar_Alsayyad Option: C

Access policy

JakeCallham Option: A

A for sure, as soon as you enable system assigned identity or user assigned identity, you can add these in the access policy of a keyvault.

achechen

But you would create a role assignment, not a role.
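
The access policy versus RBAC disagreement in the discussion above comes down to which permission model the vault uses. The following is an added example, not part of the original thread: a Python check over JSON in the shape returned by `az keyvault show`, reporting the active model and whether a given object ID holds only read access to secrets. The sample JSON, the object IDs and the helper name `audit_secret_access` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `az keyvault show --name Vault1` output.
# Object IDs are placeholders, not values from the discussion.
SAMPLE_VAULT = json.loads("""
{"name": "Vault1",
 "properties": {
   "enableRbacAuthorization": false,
   "accessPolicies": [
     {"objectId": "11111111-1111-1111-1111-111111111111",
      "permissions": {"secrets": ["Get", "List"], "keys": [], "certificates": []}},
     {"objectId": "22222222-2222-2222-2222-222222222222",
      "permissions": {"secrets": ["all"], "keys": ["all"], "certificates": ["all"]}}
   ]}}
""")

READ_ONLY = {"get", "list"}  # what an app that only reads Secret1 needs at most


def audit_secret_access(vault, object_id):
    """Hypothetical helper: how can object_id reach secrets in this vault?"""
    props = vault.get("properties") or {}
    if props.get("enableRbacAuthorization"):
        # In this mode the vault's access policies are ignored for data actions;
        # only Azure role assignments (vault or secret scope) grant access.
        return {"model": "rbac", "can_get": None, "excess": [],
                "finding": "review role assignments instead of access policies"}
    granted = set()
    for policy in props.get("accessPolicies") or []:
        if (policy.get("objectId") or "").lower() != object_id.lower():
            continue
        secrets = (policy.get("permissions") or {}).get("secrets") or []
        granted |= {p.lower() for p in secrets}  # normalise casing before comparing
    can_get = bool(granted & {"get", "all"})
    excess = sorted(granted - READ_ONLY)
    if not can_get:
        finding = "no access policy grants get on secrets"
    elif excess:
        finding = "policy is broader than read-only"
    else:
        finding = "ok"
    return {"model": "access_policy", "can_get": can_get,
            "excess": excess, "finding": finding}


if __name__ == "__main__":
    for oid in ("11111111-1111-1111-1111-111111111111",
                "22222222-2222-2222-2222-222222222222"):
        print(oid, audit_secret_access(SAMPLE_VAULT, oid))
```

To run it against a real vault, save the output of `az keyvault show --name <YourKeyVaultName>` to a file and load that file with `json.load` in place of `SAMPLE_VAULT`.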