nerdexam
ExamsAZ-500Questions#80
MicrosoftMicrosoft

AZ-500 · Question #80

AZ-500 Question #80: Real Exam Question with Answer & Explanation

The correct answer is C: a parameters file. Explanation A parameters file (option C) is correct because it supports dynamic reference expressions that can construct resource IDs at deployment time - specifically, you can use a reference object within a parameters file to dynamically point to a Key Vault and its secret usin

Submitted by khalil_dz· Mar 6, 2026Secure identity and access

Question

You plan to use Azure Resource Manager templates to perform multiple deployments of identically configured Azure virtual machines. The password for the administrator account of each deployment is stored as a secret in different Azure key vaults. You need to identify a method to dynamically construct a resource ID that will designate the key vault containing the appropriate secret during each deployment. The name of the key vault and the name of the secret will be provided as inline parameters. What should you use to construct the resource ID?

Options

  • Aa key vault access policy
  • Ba linked template
  • Ca parameters file
  • Dan automation account

Explanation

Explanation

A parameters file (option C) is correct because it supports dynamic reference expressions that can construct resource IDs at deployment time - specifically, you can use a reference object within a parameters file to dynamically point to a Key Vault and its secret using values passed as inline parameters, allowing the resource ID to be built differently for each deployment without hardcoding it into the template.

Option A (key vault access policy) is wrong because an access policy controls who can access a Key Vault - it grants permissions, but it cannot construct or resolve a resource ID dynamically during deployment.

Option B (linked template) is wrong because while linked templates allow modular deployments, they are not the mechanism used to dynamically reference a Key Vault secret via a constructed resource ID; they serve a different architectural purpose.

Option D (automation account) is wrong because automation accounts are used for runbook-based process automation, not for dynamically constructing resource IDs within ARM template deployments.

🧠 Memory Tip: Think of the parameters file as the "connector" between your template and external secrets - it's the only place in ARM deployments where you can use a reference block to dynamically resolve a Key Vault resource ID at deployment time using runtime parameter values.

Topics

#ARM Templates#Azure Key Vault#Secrets Management#Dynamic Deployments

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full AZ-500 PracticeBrowse All AZ-500 Questions