AZ-500 Question #396: Real Exam Question with Answer & Explanation
Question
Hotspot Question

You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant. The tenant contains the users shown in the following table.

You have an Azure key vault named Vault1 that has Purge protection set to Disable. Vault1 contains the access policies shown in the following table.

You create role assignments for Vault1 as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:
Explanation
User2 can configure firewalls and virtual networks because this is a control plane operation managed through Azure RBAC, and the Key Vault Contributor role grants permissions to manage Key Vault resources including networking settings.

User3 can add access policies because the Key Vault Administrator role (or Owner role) through RBAC grants full control over the Key Vault, including managing access policies.

User1 cannot enable Purge Protection because enabling Purge Protection is an irreversible control plane operation that requires the Owner or Contributor role at the Key Vault level. Access policies alone (which govern data plane operations like get/set secrets) do not grant control plane permissions, and User1 only has an access policy with no RBAC role assignment that would allow modifying Key Vault properties.