nerdexam
Microsoft

AZ-400 · Question #575

Hotspot Question You have an Azure subscription that contains a user named User1. You have an Azure Resource Manager (ARM) template named Template1. You plan to perform the following actions: - Deploy

This question tests knowledge of the minimum permissions required for a user to deploy ARM templates that reference Key Vault secrets, and the Key Vault property that must be enabled to allow this functionality.

Submitted by kwame.gh· Mar 6, 2026Develop a security and compliance plan

Question

Hotspot Question You have an Azure subscription that contains a user named User1. You have an Azure Resource Manager (ARM) template named Template1. You plan to perform the following actions: - Deploy an Azure key vault named KV1. - Deploy Azure resources by using Template1 to retrieve secrets from KV1. You need to ensure that User1 can deploy Template1. The solution must follow the principle of least privilege. Which permission should you grant to User1, and which parameter should be specified when you create KV1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Answer:

Exhibit

AZ-400 question #575 exhibit

Answer Area

  • Permission:
    Microsoft.KeyVault/vaults/deploy/actionMicrosoft.KeyVault/vaults/keys/readMicrosoft.Resources/subscriptions/resourceGroups/read
  • Parameter:
    --bypass--enable-rbac-authorization--enabled-for-deployment--enabled-for-template-deployment

Explanation

This question tests knowledge of the minimum permissions required for a user to deploy ARM templates that reference Key Vault secrets, and the Key Vault property that must be enabled to allow this functionality.

Approach. For User1 to deploy Template1, they need the 'Contributor' role on the Resource Group (or subscription scope) - this is the least privileged role that allows deploying resources via ARM templates without needing direct access to the Key Vault secrets themselves. For KV1, the parameter 'enabledForTemplateDeployment' must be set to 'true'. This Key Vault property specifically allows Azure Resource Manager to retrieve secrets from the vault during template deployments, even when the deploying user does not have direct Get Secret permissions on the vault. The ARM service principal retrieves the secret on behalf of the deployment, so the user deploying the template only needs deployment rights, not secret-read rights, keeping with least privilege.

Concept tested. The question tests two key concepts: (1) least-privilege RBAC role assignment for ARM template deployments (Contributor on the resource group is sufficient; Owner would be excessive), and (2) the Key Vault property 'enabledForTemplateDeployment' which must be enabled so that ARM can access Key Vault secrets during deployments without requiring the deploying user to have explicit Key Vault secret permissions.

Reference. https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#grant-access-to-the-secrets

Topics

#Azure Key Vault#ARM template deployment#enabled-for-template-deployment#least privilege RBAC

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice