AZ-500 Question #69: Real Exam Question with Answer & Explanation
The correct answer is A: Access policies.
Question
You have an Azure subscription that contains a virtual machine named VM1. You create an Azure key vault that has the following configurations:
- Name: Vault5
- Region: West US
- Resource group: RG1

You need to use Vault5 to enable Azure Disk Encryption on VM1. The solution must support backing up VM1 by using Azure Backup. Which key vault settings should you configure?
Options
- A. Access policies
- B. Secrets
- C. Keys
- D. Locks
Explanation
Access policies must be configured in Vault5 because Azure Disk Encryption requires the key vault to grant specific permissions to Azure services. In particular, the key vault must have the "Azure Disk Encryption for volume encryption" access policy enabled. For Azure Backup compatibility, the key vault must also grant the Backup service principal appropriate Get/List permissions on secrets and keys. Without these access policies, neither the encryption service nor the Backup service can interact with the vault's contents.
Secrets (B) and Keys (C) are incorrect because, while Disk Encryption does store keys and secrets in the vault, simply navigating to those sections doesn't enable the encryption functionality; the underlying permission model is what needs to be established first. Locks (D) is incorrect because locks are used to prevent accidental deletion or modification of resources and have no role in enabling disk encryption or backup integration.
🧠 Memory Tip: Think of Access Policies as the "gatekeeper" - before anyone (including Azure services) can use what's inside the vault, you must first configure who and what is allowed in through the access policy door.
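The two access-policy requirements from the explanation can be checked against a vault's exported configuration. The script below is an added example, not part of the original question: it audits JSON shaped like `az keyvault show` output, and the sample vault and the Backup service principal object ID are constructed placeholders. The RBAC-mode check goes beyond the explanation and covers the case where the vault does not evaluate access policies at all.

```python
import json

# Constructed sample shaped like `az keyvault show` output; the object ID is a placeholder.
SAMPLE_VAULT = json.loads("""
{"name": "Vault5", "location": "westus", "properties": {
  "enabledForDiskEncryption": false,
  "enableRbacAuthorization": false,
  "accessPolicies": [{
    "objectId": "00000000-0000-0000-0000-00000000b4c0",
    "permissions": {"keys": ["Get"], "secrets": ["Get", "List"]}}]}}
""")

BACKUP_OBJECT_ID = "00000000-0000-0000-0000-00000000b4c0"  # placeholder, tenant-specific
REQUIRED = {"get", "list"}  # the permissions named in the explanation


def audit_vault(vault, backup_object_id):
    """Return a list of findings; an empty list means the vault passes."""
    props = vault.get("properties", {})
    findings = []
    if not props.get("enabledForDiskEncryption"):
        findings.append("disk encryption access not enabled")
    if props.get("enableRbacAuthorization"):
        # In RBAC mode the vault does not evaluate access policies.
        findings.append("vault uses RBAC; access policies are not evaluated")
        return findings
    policy = next((p for p in props.get("accessPolicies") or []
                   if p.get("objectId", "").lower() == backup_object_id.lower()), None)
    if policy is None:
        findings.append("no access policy for the Backup service principal")
        return findings
    for kind in ("keys", "secrets"):
        # Permission names appear in mixed case, so compare case-insensitively.
        granted = {p.lower() for p in policy.get("permissions", {}).get(kind) or []}
        missing = sorted(REQUIRED - granted)
        if missing:
            findings.append(f"Backup policy missing {kind} permissions: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in audit_vault(SAMPLE_VAULT, BACKUP_OBJECT_ID):
        print("FINDING:", finding)
```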