AZ-400 · Question #204
Hotspot Question You manage build and release pipelines by using Azure DevOps. Your entire managed environment resides in Azure. You need to configure a service endpoint for accessing Azure Key Vault
This question tests knowledge of configuring an Azure DevOps service endpoint to securely access Azure Key Vault secrets without storing credentials, using Azure's managed identity and service principal capabilities.
Question
Exhibit
Answer Area
- Service connection type:Azure Resource ManagerGeneric serviceTeam Foundation Server / Azure Pipelines service connection
- Authentication/authorization method for the connection:Azure Active Directory OAuth 2.0Grant authorizationManaged Service Identity Authentication
Explanation
This question tests knowledge of configuring an Azure DevOps service endpoint to securely access Azure Key Vault secrets without storing credentials, using Azure's managed identity and service principal capabilities.
Approach. The correct configuration uses an Azure Resource Manager (ARM) service connection with 'Automatic' (Service Principal) authentication, which leverages Azure Active Directory to authenticate without persisting credentials in Azure DevOps. For the Identity type, you should select 'Service Principal (automatic)' which allows Azure DevOps to automatically create and manage a Service Principal in AAD. To avoid persisting credentials/tokens, the connection should use 'Grant access permission to all pipelines' and rely on the Azure AD-issued short-lived tokens rather than storing long-lived secrets. This satisfies both requirements: the secrets are retrieved via the Key Vault task using the ARM endpoint, and no credentials are persisted in Azure DevOps since authentication is handled dynamically by Azure AD.
Concept tested. Configuring Azure DevOps service endpoints (specifically Azure Resource Manager service connections) to securely access Azure Key Vault using Service Principal authentication without persisting credentials, leveraging Azure Active Directory for token-based authentication.
Topics
Community Discussion
No community discussion yet for this question.
