AZ-400 · Question #359
Hotspot Question You have an Azure subscription that contains the resources shown in the following table. You plan to create a linked service in DF1. The linked service will connect to SQL1 by using M
The correct answer is The permission type should be Secret. = Yes; The access method should be Access policy. = Yes. Azure Data Factory needs 'Secret' permission (not Key or Certificate) because the SQL Server password is stored as a Key Vault secret, and granting only Secret-level access follows the principle of least privilege by not exposing keys or certificates unnecessarily. The access met
Question
Exhibits
Answer Area
- The permission type should be Secret.Yes
- The access method should be Access policy.Yes
Explanation
Azure Data Factory needs 'Secret' permission (not Key or Certificate) because the SQL Server password is stored as a Key Vault secret, and granting only Secret-level access follows the principle of least privilege by not exposing keys or certificates unnecessarily. The access method should be 'Access policy' rather than RBAC because Key Vault Access Policies allow granular, per-operation permissions (Get secret only), whereas Azure RBAC roles like 'Key Vault Secrets User' are broader and less granular at the individual secret operation level - additionally, Access Policy with only 'Get' on Secrets is the minimal permission needed for ADF to retrieve the password. The managed identity of DF1 is granted only the 'Get' secret permission via the Access Policy, satisfying least privilege.
Topics
Community Discussion
No community discussion yet for this question.

