nerdexam
Microsoft

AZ-400 · Question #127

Drag and Drop Question Your company has a project in Azure DevOps. You plan to create a release pipeline that will deploy resources by using Azure Resource Manager templates. The templates will refere

The correct answer is RBAC; an Azure Key Vault access policy. The correct solution uses RBAC to grant the Azure DevOps service principal (service connection) access to the Azure subscription/resource group, and an Azure Key Vault access policy to grant that same service principal 'Get' and 'List' secret permissions on the Key Vault - this f

Submitted by tunde_lagos· Mar 6, 2026Design and Implement a Secure Deployment Pipeline / Recommend a secrets management and access control strategy using Azure Key Vault and RBAC

Question

Drag and Drop Question Your company has a project in Azure DevOps. You plan to create a release pipeline that will deploy resources by using Azure Resource Manager templates. The templates will reference secrets stored in Azure Key Vault. You need to recommend a solution for accessing the secrets stored in the key vault during deployments. The solution must use the principle of least privilege. What should you include in the recommendation? To answer, drag the appropriate configurations to the correct targets. Each configuration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point. Answer:

Exhibits

AZ-400 question #127 exhibit 1
AZ-400 question #127 exhibit 2

Answer Area

Drag items

an Azure Key Vault access policya personal access token (PAT)RBAC

Correct arrangement

  • RBAC
  • an Azure Key Vault access policy

Explanation

The correct solution uses RBAC to grant the Azure DevOps service principal (service connection) access to the Azure subscription/resource group, and an Azure Key Vault access policy to grant that same service principal 'Get' and 'List' secret permissions on the Key Vault - this follows least privilege by granting only the minimum permissions needed for deployment. RBAC controls access to Azure resources at the management plane level, while Key Vault access policies specifically control data-plane access to secrets, keys, and certificates within the vault. Together, these two mechanisms ensure the service connection can deploy ARM templates and retrieve the referenced secrets without over-provisioning permissions.

Topics

#Azure Key Vault#Azure DevOps Release Pipelines#Principle of Least Privilege#ARM Templates

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice