nerdexam
Microsoft

AZ-400 · Question #359

Hotspot Question You have an Azure subscription that contains the resources shown in the following table. You plan to create a linked service in DF1. The linked service will connect to SQL1 by using M

The correct answer is The permission type should be Secret. = Yes; The access method should be Access policy. = Yes. Azure Data Factory needs 'Secret' permission (not Key or Certificate) because the SQL Server password is stored as a Key Vault secret, and granting only Secret-level access follows the principle of least privilege by not exposing keys or certificates unnecessarily. The access met

Submitted by certguy· Mar 6, 2026Design and Implement Data Storage Security / Secure Access to Data Assets using Azure Key Vault Integration with ADF

Question

Hotspot Question You have an Azure subscription that contains the resources shown in the following table. You plan to create a linked service in DF1. The linked service will connect to SQL1 by using Microsoft SQL Server authentication. The password for the SQL Server login will be stored in KV1. You need to configure DF1 to retrieve the password when the data factory connects to SQL1. The solution must use the principle of least privilege. How should you configure DF1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Answer:

Exhibits

AZ-400 question #359 exhibit 1
AZ-400 question #359 exhibit 2

Answer Area

  • The permission type should be Secret.Yes
  • The access method should be Access policy.Yes

Explanation

Azure Data Factory needs 'Secret' permission (not Key or Certificate) because the SQL Server password is stored as a Key Vault secret, and granting only Secret-level access follows the principle of least privilege by not exposing keys or certificates unnecessarily. The access method should be 'Access policy' rather than RBAC because Key Vault Access Policies allow granular, per-operation permissions (Get secret only), whereas Azure RBAC roles like 'Key Vault Secrets User' are broader and less granular at the individual secret operation level - additionally, Access Policy with only 'Get' on Secrets is the minimal permission needed for ADF to retrieve the password. The managed identity of DF1 is granted only the 'Get' secret permission via the Access Policy, satisfying least privilege.

Topics

#Azure Data Factory#Azure Key Vault#Least Privilege#Managed Identity

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice