AZ-400 · Question #371
AZ-400 Question #371: Real Exam Question with Answer & Explanation
Question
Drag and Drop Question

You have an Azure subscription that uses Azure Monitor and contains a Log Analytics workspace. You have an encryption key. You need to configure Azure Monitor to use the key to encrypt log data.

Which five actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

Answer:
Explanation
To encrypt Azure Monitor log data with a customer-managed key (CMK), you must follow a specific dependency chain: first create the key vault and store the key, then create a dedicated cluster with a system-assigned managed identity (which generates the identity needed for permissions), then grant that identity Key Vault Key permissions (not Certificate permissions), then associate the key vault with the cluster, and finally link the Log Analytics workspace to the cluster. This sequence ensures each prerequisite resource and permission exists before the next step depends on it. Certificate permissions are not required for CMK encryption in Azure Monitor; only Key permissions (Get, Wrap Key, Unwrap Key) are needed.
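The same dependency chain written as Azure CLI calls, as an added example that is not part of the original question or explanation. Resource names, the PEM path and the capacity value are constructed placeholders, access-policy mode on the vault is an assumption, and by default the script only prints the commands (DRY_RUN=1).

```shell
# Added example. All names are constructed placeholders, not values from the page.
RG="${RG:-rg-logs}"; LOCATION="${LOCATION:-eastus}"
VAULT="${VAULT:-kv-logs-cmk}"; KEY="${KEY:-logs-cmk}"; KEY_PEM="${KEY_PEM:-./logs-cmk.pem}"
CLUSTER="${CLUSTER:-la-cmk-cluster}"; WORKSPACE="${WORKSPACE:-la-workspace}"
CAPACITY="${CAPACITY:-100}"   # assumed commitment tier (GB/day); billed, so choose deliberately

# DRY_RUN=1 (the default) prints each command; DRY_RUN=0 executes it.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "az $*"; else az "$@"; fi
}
# Read a value from Azure, or return a labelled placeholder in dry-run mode.
lookup() {
  label=$1; shift
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "<$label>"; else az "$@" -o tsv; fi
}

configure_cmk() {
  # 1. Key vault, then the existing key. Azure Monitor requires purge protection on the
  #    vault; access-policy mode is assumed because the page speaks of key permissions.
  run keyvault create -g "$RG" -n "$VAULT" -l "$LOCATION" \
    --enable-purge-protection true --enable-rbac-authorization false
  run keyvault key import --vault-name "$VAULT" -n "$KEY" --pem-file "$KEY_PEM"

  # 2. Dedicated cluster; the system-assigned identity is created with it.
  run monitor log-analytics cluster create -g "$RG" -n "$CLUSTER" -l "$LOCATION" \
    --identity-type SystemAssigned --sku-capacity "$CAPACITY"

  # 3. Grant that identity key permissions only: no certificate or secret permissions.
  principal=$(lookup cluster-principal-id monitor log-analytics cluster show \
    -g "$RG" -n "$CLUSTER" --query identity.principalId)
  run keyvault set-policy -n "$VAULT" --object-id "$principal" \
    --key-permissions get wrapKey unwrapKey

  # 4. Point the cluster at the key (vault URI, key name, key version).
  vault_uri=$(lookup vault-uri keyvault show -n "$VAULT" --query properties.vaultUri)
  kid=$(lookup key-id keyvault key show --vault-name "$VAULT" -n "$KEY" --query key.kid)
  run monitor log-analytics cluster update -g "$RG" -n "$CLUSTER" \
    --key-vault-uri "$vault_uri" --key-name "$KEY" --key-version "${kid##*/}"

  # 5. Link the workspace to the cluster.
  cluster_id=$(lookup cluster-id monitor log-analytics cluster show \
    -g "$RG" -n "$CLUSTER" --query id)
  run monitor log-analytics workspace linked-service create -g "$RG" \
    --workspace-name "$WORKSPACE" -n cluster --write-access-resource-id "$cluster_id"
}

# Print (or, with DRY_RUN=0, execute) the sequence when called as: sh cmk.sh plan
if [ "${1:-}" = plan ]; then configure_cmk; fi
```

Review the printed plan first; step 3 depends on the identity from step 2, which is why the cluster must exist before the access policy can be set.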