Topic: Microsoft AZ-500 topic 3 question 62

HOTSPOT -
You have an Azure subscription that is linked to an Azure Active Directory (Azure AD). The tenant contains the users shown in the following table.

You have an Azure key vault named Vault1 that has Purge protection set to Disable. Vault1 contains the access policies shown in the following table.

You create role assignments for Vault1 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Re: Microsoft AZ-500 topic 3 question 62

Tested with the following results:
A: No
Security Admin cannot manage key vault properties
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#security-admin
B: No
Network Contributor or Key Vault Reader cannot change the key vault firewall
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor
C: YES
Key vault contributor can do that
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor
Note: "does not allow you to assign roles" - but here the question is to add access policies which works.

Re: Microsoft AZ-500 topic 3 question 62

Agree, but for A the user role doesn't matter anyway because purge protection cannot be changed after the vault creation.

Re: Microsoft AZ-500 topic 3 question 62

B: NO - These roles allow the configuration of Key Vault firewall rules, including setting up network rules that restrict access to the vault based on IP addresses or virtual network settings. The Key Vault Contributor role enables a user to manage various Key Vault properties, including its networking and firewall configurations, which are essential for defining who can access the vault.
The Azure Network Contributor role does not have the permissions necessary to configure firewall and virtual network settings for an Azure Key Vault. This role primarily allows for managing networking resources such as subnets, virtual networks, and routing tables, but does not extend to managing the security and network configuration of Key Vaults.

Re: Microsoft AZ-500 topic 3 question 62

Box 1: No -
Resource Policy Contributor or Security Administrator is required.
User1 is Security Administrator only, with no specific permission granted to Vault1.
The Security Admin can view and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.
However:
Box 2: No -
Network Contributor or Key Vault Reader cannot change the key vault firewall
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-role
Box 3: Yes -
User3 is a Key Vault Contributor and a User Access Administrator for Vault.

Re: Microsoft AZ-500 topic 3 question 62

Note: When it comes to some resources in Azure, overall RBAC does not apply to them. You need to give explicit permission to these resources.
For example Key vault in this Q.
User 1 (Security Admin) will work for the rest of the other resources but not for KV. The same applies to User 2.
So my answer: N, N, Y

Re: Microsoft AZ-500 topic 3 question 62

No, No, Yes. Had to check with ChatGPT just to make sure.

Re: Microsoft AZ-500 topic 3 question 62

NO
NO
YES

Re: Microsoft AZ-500 topic 3 question 62

In Exam 10/18/2022. One case study(6 ques), no lab.

Re: Microsoft AZ-500 topic 3 question 62

Answers are correct.

Re: Microsoft AZ-500 topic 3 question 62

2nd statement is wrong, because they do not have authorization to perform action 'Microsoft.KeyVault/vaults/write'.

Re: Microsoft AZ-500 topic 3 question 62

It's only talking about firewall and network, not writing anything to the key vault.
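As an added example (not from the thread and not Microsoft's code), the following Python models how a control-plane action such as 'Microsoft.KeyVault/vaults/write' is evaluated against a role's Actions and NotActions and why assignments are additive; the role definitions are assumed, abbreviated subsets of the built-in roles linked above, and the user-to-role mapping follows the replies rather than the question's (missing) tables.

```python
from fnmatch import fnmatchcase

# Abbreviated Actions/NotActions for the built-in roles named in the thread. These are
# assumed subsets written for this example; check the built-in-roles page linked above.
ROLES = {
    "Security Admin": {
        "Actions": ["Microsoft.Security/*", "Microsoft.Authorization/policyAssignments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": []},
    "Network Contributor": {
        "Actions": ["Microsoft.Network/*", "Microsoft.Authorization/*/read"],
        "NotActions": []},
    "Key Vault Reader": {
        "Actions": ["Microsoft.KeyVault/vaults/read", "Microsoft.KeyVault/locations/*/read",
                    "Microsoft.Authorization/*/read"],
        "NotActions": []},
    "Key Vault Contributor": {
        "Actions": ["Microsoft.KeyVault/*", "Microsoft.Authorization/*/read"],
        "NotActions": ["Microsoft.KeyVault/locations/deletedVaults/purge/action",
                       "Microsoft.KeyVault/managedHsms/*"]},
}

# Control-plane operation behind each statement (constructed mapping for this example).
STATEMENT_ACTIONS = {
    "A": "Microsoft.KeyVault/vaults/write",                 # change purge protection
    "B": "Microsoft.KeyVault/vaults/write",                 # firewall / virtual network rules
    "C": "Microsoft.KeyVault/vaults/accessPolicies/write",  # add an access policy
}

# Role assignments as the replies describe them (assumed; the question's table is not shown).
THREAD_USERS = {
    "User1": ["Security Admin"],
    "User2": ["Network Contributor", "Key Vault Reader"],
    "User3": ["Key Vault Contributor"],
}

def _matches(pattern, action):
    # Operation names are case-insensitive; '*' is the only wildcard and spans '/'.
    return fnmatchcase(action.lower(), pattern.lower())

def role_permits(role, action):
    """A role grants an action if it matches an Actions entry and no NotActions entry."""
    d = ROLES[role]
    return (any(_matches(p, action) for p in d["Actions"])
            and not any(_matches(p, action) for p in d["NotActions"]))

def principal_permits(roles, action):
    """Assignments are additive: NotActions in one role never cancel another role's grant."""
    return any(role_permits(r, action) for r in roles)

def evaluate(users=THREAD_USERS):
    """Authorization only: says nothing about whether the vault's state allows the change."""
    return {u: {s: principal_permits(rs, a) for s, a in STATEMENT_ACTIONS.items()}
            for u, rs in users.items()}
```

Key Vault access policies are a separate data-plane model; this check covers only the ARM operation that creates or edits them.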

Re: Microsoft AZ-500 topic 3 question 62

juandmi wrote:

Tested with the following results:
A: No
Security Admin cannot manage key vault properties
https://learn.microsoft.com/en-us/azure … rity-admin
B: No
Network Contributor or Key Vault Reader cannot change the key vault firewall
https://learn.microsoft.com/en-us/azure … ontributor
C: YES
Key vault contributor can do that
https://learn.microsoft.com/en-us/azure … ontributor
Note: "does not allow you to assign roles" - but here the question is to add access policies which works.