AZ-400 · Question #127
Drag and Drop Question Your company has a project in Azure DevOps. You plan to create a release pipeline that will deploy resources by using Azure Resource Manager templates. The templates will refere
The correct answer is RBAC; an Azure Key Vault access policy. The correct solution uses RBAC to grant the Azure DevOps service principal (service connection) access to the Azure subscription/resource group, and an Azure Key Vault access policy to grant that same service principal 'Get' and 'List' secret permissions on the Key Vault - this f
Question
Exhibits
Answer Area
Drag items
Correct arrangement
- RBAC
- an Azure Key Vault access policy
Explanation
The correct solution uses RBAC to grant the Azure DevOps service principal (service connection) access to the Azure subscription/resource group, and an Azure Key Vault access policy to grant that same service principal 'Get' and 'List' secret permissions on the Key Vault - this follows least privilege by granting only the minimum permissions needed for deployment. RBAC controls access to Azure resources at the management plane level, while Key Vault access policies specifically control data-plane access to secrets, keys, and certificates within the vault. Together, these two mechanisms ensure the service connection can deploy ARM templates and retrieve the referenced secrets without over-provisioning permissions.
Topics
Community Discussion
No community discussion yet for this question.

