nerdexam
Microsoft

AZ-400 · Question #536

Drag and Drop Question You have a GitHub repository named repo1 and an Azure key vault named kv1. In repo1, you plan to create a workflow named Workflow1 that will deploy a database server by using cr

The correct answer is Create a service principal in Microsoft Entra ID.; Grant secret permissions to kv1.; Reference the credentials in Workflow1.. To allow a GitHub Actions workflow to retrieve secrets from Azure Key Vault, you must first create a service principal in Microsoft Entra ID (formerly Azure AD), which acts as the identity that GitHub Actions will use to authenticate with Azure. Next, you grant that service princ

Submitted by obi.ng· Mar 6, 2026Implement secure access to Azure resources using managed identities and service principals within CI/CD pipelines (DevOps / Azure Security)

Question

Drag and Drop Question You have a GitHub repository named repo1 and an Azure key vault named kv1. In repo1, you plan to create a workflow named Workflow1 that will deploy a database server by using credentials stored in kv1. You need to ensure that Workflow1 can retrieve the credentials from kv1. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select. Answer:

Exhibit

AZ-400 question #536 exhibit

Answer Area

Drag items

Grant secret permissions to kv1.Reference the credentials in Workflow1.Create a personal access token (PAT) in GitHub.Grant key permissions to kv1.Create a service principal in Microsoft Entra ID.

Correct arrangement

  • Create a service principal in Microsoft Entra ID.
  • Grant secret permissions to kv1.
  • Reference the credentials in Workflow1.

Explanation

To allow a GitHub Actions workflow to retrieve secrets from Azure Key Vault, you must first create a service principal in Microsoft Entra ID (formerly Azure AD), which acts as the identity that GitHub Actions will use to authenticate with Azure. Next, you grant that service principal the appropriate secret permissions on kv1 (e.g., 'Get' permission on secrets) so it can read the credentials. Finally, you reference those credentials in Workflow1 using the Azure Key Vault action or environment variables, completing the integration.

Topics

#Azure Key Vault#GitHub Actions#Service Principal#Microsoft Entra ID

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice