Exam AZ-400 topic 4 question 18 discussion

Actual exam question from Microsoft's AZ-400
Question #: 18
Topic #: 4

You are deploying a server application that will run on a Server Core installation of Windows Server 2019.
You create an Azure key vault and a secret.
You need to use the key vault to secure API secrets for third-party integrations.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Configure RBAC for the key vault.
  • B. Modify the application to access the key vault.
  • C. Configure a Key Vault access policy.
  • D. Deploy an Azure Desired State Configuration (DSC) extension.
  • E. Deploy a virtual machine that uses a system-assigned managed identity.
Suggested Answer: ABE

Comments

Marang73
Highly Voted 4 years, 5 months ago
B, C, E is possible; see https://docs.microsoft.com/en-us/azure/key-vault/general/tutorial-net-virtual-machine. RBAC is also possible but it is still in preview: https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide
upvoted 30 times
Tyler2023
1 year, 7 months ago
RBAC is the recommended authorization now. I understand Marang73's comment was almost 3 years ago, but for others going to see this, use RBAC if possible.
upvoted 12 times
...
catfood
1 year, 9 months ago
Not in preview any more, so could be either access policy or RBAC. When creating a key vault, "Azure role-based access control (recommended)" is shown in the portal.
upvoted 8 times
...
...
kumardeb
Highly Voted 4 years, 5 months ago
B. Modify the application to access the key vault.
C. Configure a Key Vault access policy.
E. Deploy a virtual machine that uses a system-assigned managed identity.
upvoted 7 times
...
nikolayivanov
Most Recent 3 months, 1 week ago
Selected Answer: ABE
Recommended Answer Based on the Latest Best Practices (2025)
A. Configure RBAC for the Key Vault. Use RBAC to assign roles like "Key Vault Reader" or "Key Vault Secrets User" to the VM's managed identity. RBAC provides more flexibility and is Microsoft's current recommendation.
B. Modify the application to access the key vault. The application must be updated to use Azure SDKs or APIs to fetch secrets securely.
E. Deploy a virtual machine that uses a system-assigned managed identity. The managed identity enables the VM to securely authenticate to Azure services, including the Key Vault, without hardcoding credentials.
upvoted 2 times
...
Morca
4 months, 2 weeks ago
Selected Answer: ACE
Azure Key Vault permissions can be managed using both RBAC and access policies simultaneously. For a system-assigned managed identity to access secrets in the Key Vault, you typically need:
RBAC (Role-Based Access Control) to grant the identity access to the Key Vault itself.
Access Policies to define specific operations like Get, List, or Set secrets within the Key Vault.
Therefore, both RBAC and access policies are required in many cases to fully enable access for a managed identity.
Correct Steps:
✅ A. Configure RBAC for the key vault. This grants the managed identity or service principal access to the Key Vault at a high level.
✅ C. Configure a Key Vault access policy. This defines the specific permissions (e.g., read or write secrets) for the managed identity.
✅ E. Deploy a virtual machine that uses a system-assigned managed identity. This ensures the VM can securely authenticate to Azure services like Key Vault without storing credentials.
upvoted 2 times
...
Mattt
6 months, 3 weeks ago
Selected Answer: ABE
A, B , E for the current version
upvoted 2 times
...
only_juans
7 months, 2 weeks ago
Selected Answer: ABE
As of today, ABE is the best choice.
upvoted 1 times
...
hajurbau
10 months, 2 weeks ago
Selected Answer: ABE
ABE and BCW are both acceptable solutions. However, I am now going with ABE as RBAC is the new recommended authorisation.
upvoted 2 times
...
ay_m
10 months, 2 weeks ago
Selected Answer: ABE
RBAC is now the recommended method for key vault, and access policies are considered legacy by Microsoft. This link further clarifies this change. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy
upvoted 2 times
...
UrbanRellik
11 months, 2 weeks ago
Selected Answer: ABE
1) E, deploy a VM that uses a system-assigned managed identity.
2) A, configure RBAC for the Key Vault and assign the system managed identity access.
3) B, modify the application to access the key vault as desired.
upvoted 2 times
...
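The E, A, B sequence from the comment above, as an added example that is not part of the original thread. It assumes the Az PowerShell module and an admin session with rights on the VM and vault; the resource names are placeholders, and the last section is what the application would run on the VM itself.

```powershell
# Placeholder names for illustration; none of them come from the page.
$rg         = 'rg-demo'
$vmName     = 'vm-app01'
$vaultName  = 'kv-demo'
$secretName = 'ThirdPartyApiKey'

# --- E: give the VM a system-assigned managed identity (admin session) ---
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId

# --- A (or C): authorize that identity to read secrets, nothing more ---
$vault = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName
if ($vault.EnableRbacAuthorization) {
    # RBAC permission model: data-plane role scoped to this one vault
    New-AzRoleAssignment -ObjectId $principalId `
        -RoleDefinitionName 'Key Vault Secrets User' `
        -Scope $vault.ResourceId | Out-Null
} else {
    # Access policy model: grant only 'get' on secrets
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId `
        -PermissionsToSecrets get
}

# --- B: what the application does on the VM (no stored credential) ---
# 1. Ask the instance metadata service for a token scoped to Key Vault.
$imds = 'http://169.254.169.254/metadata/identity/oauth2/token' +
        '?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
$token = (Invoke-RestMethod -Uri $imds -Headers @{ Metadata = 'true' }).access_token

# 2. Read the secret over the Key Vault REST API with that token.
$uri = "https://${vaultName}.vault.azure.net/secrets/${secretName}?api-version=7.4"
$apiKey = (Invoke-RestMethod -Uri $uri `
    -Headers @{ Authorization = "Bearer $token" }).value

# Keep $apiKey in memory only; do not write it to disk, logs or the console.
```

A new role assignment can take a few minutes to propagate, so a read immediately after step A may return 403.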
ozbonny
1 year, 2 months ago
Selected Answer: BDE
I think BCE
upvoted 2 times
...
cluqueg
1 year, 5 months ago
Selected Answer: ABE
Now it's recommended to use RBAC instead.
upvoted 5 times
...
Tyler2023
1 year, 7 months ago
RBAC is now the recommended authz. If I'm going to do this in sequence, I will do E, A, B.
upvoted 4 times
...
ieboaix
1 year, 8 months ago
B, C and E are the correct answer. B and C are obvious, while A is possible when the app is registered with AAD. But here it hints the app is deployed in a VM with a managed identity; hence, E is chosen.
upvoted 2 times
...
flafernan
1 year, 9 months ago
A,B,C - Option E is not required to ensure secure access to Key Vault secrets by the application running on the server. Using a system-assigned managed identity (system-assigned managed identity) is useful when you want the virtual machine itself to have an identity to access resources such as Key Vault directly. However, in this specific scenario, the objective is to modify the application to access the Key Vault, and this is done by configuring the accepted permissions (RBAC) and a Key Vault access policy, which does not require the use of an identity managed by the Key Vault. virtual machine. Therefore, option E is not needed in this situation and can be excluded from the choices. Options A, B and C are the most suitable to meet the specific requirements of the presented scenario.
upvoted 4 times
...
xRiot007
1 year, 9 months ago
E, C, B
E - you need to assign a managed identity to your VM
C - you create a policy for that managed identity to give it permissions
B - you have to modify your app to retrieve values from the KV before usage. It will use DefaultAzureCredential
upvoted 2 times
xRiot007
1 year, 9 months ago
https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-virtual-machine?tabs=azure-cli
upvoted 1 times
...
...
Pamban
1 year, 10 months ago
Selected Answer: BCE
Definitely B, C and E. I have engaged in these sorts of activities many times in greenfield deployments.
upvoted 1 times
...
diego84
2 years, 4 months ago
Selected Answer: ABE
E - it is for VM
A - Set up MI over KV using RBAC
B - Change your app to use the MI
upvoted 6 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other