nerdexam
Microsoft

AZ-400 · Question #204

Hotspot Question You manage build and release pipelines by using Azure DevOps. Your entire managed environment resides in Azure. You need to configure a service endpoint for accessing Azure Key Vault

This question tests knowledge of configuring an Azure DevOps service endpoint to securely access Azure Key Vault secrets without storing credentials, using Azure's managed identity and service principal capabilities.

Submitted by sofia.br· Mar 6, 2026Develop a security and compliance plan

Question

Hotspot Question You manage build and release pipelines by using Azure DevOps. Your entire managed environment resides in Azure. You need to configure a service endpoint for accessing Azure Key Vault secrets. The solution must meet the following requirements: - Ensure that the secrets are retrieved by Azure DevOps. - Avoid persisting credentials and tokens in Azure DevOps. How should you configure the service endpoint? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Answer:

Exhibit

AZ-400 question #204 exhibit

Answer Area

  • Service connection type:
    Azure Resource ManagerGeneric serviceTeam Foundation Server / Azure Pipelines service connection
  • Authentication/authorization method for the connection:
    Azure Active Directory OAuth 2.0Grant authorizationManaged Service Identity Authentication

Explanation

This question tests knowledge of configuring an Azure DevOps service endpoint to securely access Azure Key Vault secrets without storing credentials, using Azure's managed identity and service principal capabilities.

Approach. The correct configuration uses an Azure Resource Manager (ARM) service connection with 'Automatic' (Service Principal) authentication, which leverages Azure Active Directory to authenticate without persisting credentials in Azure DevOps. For the Identity type, you should select 'Service Principal (automatic)' which allows Azure DevOps to automatically create and manage a Service Principal in AAD. To avoid persisting credentials/tokens, the connection should use 'Grant access permission to all pipelines' and rely on the Azure AD-issued short-lived tokens rather than storing long-lived secrets. This satisfies both requirements: the secrets are retrieved via the Key Vault task using the ARM endpoint, and no credentials are persisted in Azure DevOps since authentication is handled dynamically by Azure AD.

Concept tested. Configuring Azure DevOps service endpoints (specifically Azure Resource Manager service connections) to securely access Azure Key Vault using Service Principal authentication without persisting credentials, leveraging Azure Active Directory for token-based authentication.

Reference. https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#azure-resource-manager-service-connection

Topics

#Azure DevOps#service connections#Azure Key Vault#secrets management

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice