nerdexam
Microsoft

AZ-400 · Question #283

Drag and Drop Question You are configuring an Azure DevOps deployment pipeline. The deployed application will authenticate to a web service by using a secret stored in an Azure key vault. You need to

The correct answer is Create a service principal in Azure Active Directory (Azure AD).; Configure an access policy in the key vault.; Add an Azure Resource Manager service connection to the pipeline.. The correct sequence is: (1) Create a service principal in Azure AD to establish an identity for the pipeline to authenticate with, (2) Configure an access policy in the key vault to grant that service principal permission to read secrets, and (3) Add an Azure Resource Manager se

Submitted by haru.x· Mar 6, 2026Implement a secure continuous deployment pipeline - specifically configuring secrets management and identity-based access between Azure DevOps and Azure services (AZ-400 / DevOps Engineer Expert: Develop a Security and Compliance Plan)

Question

Drag and Drop Question You are configuring an Azure DevOps deployment pipeline. The deployed application will authenticate to a web service by using a secret stored in an Azure key vault. You need to use the secret in the deployment pipeline. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Answer:

Exhibit

AZ-400 question #283 exhibit

Answer Area

Drag items

Create a service principal in Azure Active Directory (Azure AD).Add an app registration in Azure Active Directory (Azure AD).Configure an access policy in the key vault.Generate a self-signed certificate.Add an Azure Resource Manager service connection to the pipeline.Export a certificate from the key vault.

Correct arrangement

  • Create a service principal in Azure Active Directory (Azure AD).
  • Configure an access policy in the key vault.
  • Add an Azure Resource Manager service connection to the pipeline.

Explanation

The correct sequence is: (1) Create a service principal in Azure AD to establish an identity for the pipeline to authenticate with, (2) Configure an access policy in the key vault to grant that service principal permission to read secrets, and (3) Add an Azure Resource Manager service connection to the pipeline so Azure DevOps can use the service principal's credentials to connect to Azure and retrieve the secret. This follows the least-privilege principle by tying a specific identity to specific vault permissions and wiring it into the pipeline securely.

Topics

#Azure Key Vault#Azure DevOps Pipelines#Service Principal#Azure Resource Manager Service Connection

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice