AZ-500 Question #58: Real Exam Question with Answer & Explanation
To ensure deleted objects are retained for 90 days and prevent premature purging, both Soft Delete and Purge Protection must be enabled on the Azure Key Vault.
Question
Hotspot Question
You need to create an Azure key vault. The solution must ensure that any object deleted from the key vault be retained for 90 days. How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation
Approach. The question requires ensuring that any object deleted from the key vault is retained for 90 days. This requirement directly maps to Azure Key Vault's deletion protection features:
- -EnableSoftDelete: This parameter enables the 'Soft Delete' feature for the Key Vault. When Soft Delete is enabled, deleted objects are not immediately purged but enter a soft-deleted state, remaining recoverable for a specified retention period (defaulting to 90 days if not otherwise configured). This directly addresses the 'retained for 90 days' part of the requirement.
- -EnablePurgeProtection: This parameter enables 'Purge Protection'. Purge Protection is an additional layer of protection that works in conjunction with Soft Delete. When Purge Protection is enabled, soft-deleted objects cannot be permanently deleted (purged) until their retention period has expired. This provides a stronger guarantee that the objects will be retained for the full 90 days, even from users with purge permissions, thus ensuring retention as per the requirement by preventing premature permanent deletion. Purge Protection requires Soft Delete to be enabled.
Therefore, selecting both -EnableSoftDelete and -EnablePurgeProtection ensures that deleted objects are not only retained for 90 days (by Soft Delete) but also cannot be accidentally or maliciously purged before that period ends (by Purge Protection), meeting the spirit of the requirement for reliable retention.
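An added example, not part of the original explanation: a PowerShell check that flags vaults which do not meet the 90-day requirement, including a vault whose soft-delete retention was configured shorter than the default. The helper name Test-KeyVaultRetention and the sample vaults are constructed for illustration; the property names are assumed to match what Get-AzKeyVault -VaultName returns in the Az.KeyVault module.

```powershell
# Added example: audits vault settings against the 90-day retention requirement.
# Test-KeyVaultRetention is a hypothetical helper name. The property names
# (EnableSoftDelete, EnablePurgeProtection, SoftDeleteRetentionInDays) are assumed
# to match the objects returned by Get-AzKeyVault -VaultName <name>.
function Test-KeyVaultRetention {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Vault,
        [int]$RequiredDays = 90
    )
    process {
        $findings = @()
        # A null value is treated the same as "not enabled".
        if ($Vault.EnableSoftDelete -ne $true) {
            $findings += 'Soft Delete is not enabled'
        }
        if ($Vault.EnablePurgeProtection -ne $true) {
            $findings += 'Purge Protection is not enabled (early purge is possible)'
        }
        # Retention defaults to 90 days when it was not configured explicitly.
        $days = if ($null -ne $Vault.SoftDeleteRetentionInDays) {
            $Vault.SoftDeleteRetentionInDays
        } else { 90 }
        if ($Vault.EnableSoftDelete -eq $true -and $days -lt $RequiredDays) {
            $findings += "Retention is $days days, below the required $RequiredDays"
        }
        [pscustomobject]@{
            VaultName = $Vault.VaultName
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample vaults (not real resources).
$sample = @(
    [pscustomobject]@{ VaultName = 'kv-ok';        EnableSoftDelete = $true;  EnablePurgeProtection = $true;  SoftDeleteRetentionInDays = 90 }
    [pscustomobject]@{ VaultName = 'kv-no-purge';  EnableSoftDelete = $true;  EnablePurgeProtection = $null;  SoftDeleteRetentionInDays = $null }
    [pscustomobject]@{ VaultName = 'kv-short';     EnableSoftDelete = $true;  EnablePurgeProtection = $true;  SoftDeleteRetentionInDays = 7 }
    [pscustomobject]@{ VaultName = 'kv-legacy';    EnableSoftDelete = $false; EnablePurgeProtection = $false; SoftDeleteRetentionInDays = $null }
)
$sample | Test-KeyVaultRetention | Format-Table -AutoSize -Wrap

# Against a live subscription (requires Az.KeyVault and Connect-AzAccount):
# Get-AzKeyVault | ForEach-Object { Get-AzKeyVault -VaultName $_.VaultName } | Test-KeyVaultRetention
```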
Common mistakes.
Other parameters are incorrect because they do not address the requirement of retaining deleted objects for 90 days:
- -EnabledForDeployment: Allows Azure Virtual Machines to retrieve certificates and secrets from the vault. Not related to deletion retention.
- -Tag: Adds metadata tags to the resource for organization and billing. Not related to deletion retention.
- -Confirm: Prompts for confirmation before executing the cmdlet. Not related to deletion retention.
- -DefaultProfile: Specifies the user account credentials for the session. Not related to deletion retention.
- -SKU: Defines the pricing tier of the Key Vault (Standard or Premium). While important for functionality and cost, it doesn't directly configure the deletion retention period.
Selecting only -EnableSoftDelete would technically meet the 'retained for 90 days' requirement, as the default is 90 days, but it lacks the additional protection against immediate purging that -EnablePurgeProtection offers, which is critical for robust retention policies and often implied in 'ensure retention' scenarios.
Concept tested. Azure Key Vault deletion protection features: Soft Delete and Purge Protection. Understanding their purpose, how they work together, and the PowerShell parameters used to configure them (-EnableSoftDelete and -EnablePurgeProtection) during Key Vault creation.
Reference. https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview