PL-500 Question #172: Real Exam Question with Answer & Explanation
The question tests the ability to correctly identify Azure and Power Platform features for secure credential management, system account authentication, and environment-agnostic connection configuration in an automated approval process.
Question
Drag and Drop Question
You are building an approval process for business travel. The approval process must meet the following requirements:
- The solution must be deployed to the production environment. The human resources (HR) system uses a different login and password for test and production.
- The process must assign an approval task by using the system account.
- After the approval process is approved, it must create an entry in the on-premises HR system and create an entry in the requestor manager's calendar.
- The approval process must be triggered whenever an employee places a new travel request on a Microsoft SharePoint list.
You need to recommend the approach to configure authentication and credentials. Which features should you recommend?
To answer, move the appropriate features to the correct requirements. You may use each feature once, more than once, or not at all. You may need to move the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Answer:
- HR system credentials: Azure Key Vault
- Approvals: Service principal
- Calendar entries: Connection reference
- Travel requests: Connection reference
Explanation
Approach. The answer pairs each feature in the left pane with the requirement it satisfies in the right pane:
- HR system credentials <-> Azure Key Vault: The requirement states that the HR system uses different logins/passwords for test and production environments. Azure Key Vault is the recommended service for securely storing and managing application secrets, such as usernames and passwords, especially when they need to differ across environments or be rotated. It provides a centralized, secure store that can be accessed by applications like Power Automate flows.
- Approvals <-> Service principal: The requirement specifies that approval tasks must be assigned 'by using the system account'. A Service principal is an identity used by applications, services, and automation tools to access specific Azure resources or perform actions programmatically without a user's interactive login. In the context of Power Platform, using a service principal (often tied to an Azure AD application registration) allows unattended flows to authenticate and perform actions using a 'system account' rather than a specific user's credentials, fulfilling the 'system account' requirement.
- Calendar entries <-> Connection reference: The scenario mentions that the solution must be deployed to the production environment. When building Power Platform solutions (like Power Automate flows) that will be moved between environments (e.g., development, test, production), 'Connection references' are used to abstract the actual connections to services like Microsoft Outlook Calendar. This means the flow design references a 'connection reference' rather than a specific connection. When the solution is deployed to a new environment, a new, environment-specific connection can be associated with the connection reference without altering the flow logic. This ensures portability and allows different credentials or instances of a service (e.g., different SharePoint sites or Outlook tenants) to be used in different environments.
- Travel requests <-> Connection reference: Similar to calendar entries, the trigger for 'Travel requests' comes from a Microsoft SharePoint list. For the same reasons of deployability across environments, using a 'Connection reference' for the SharePoint connection is essential. It allows the SharePoint site URL or credentials to be configured differently in test and production environments without modifying the flow's underlying design.
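As an added illustration, not part of the original question or explanation, this is what a Power Platform deployment settings file (the file generated with `pac solution create-settings` and passed to `pac solution import --settings-file`) could look like for the production import: the SharePoint and Outlook connection references are bound to production-specific connections, and the HR system password is supplied as an environment variable whose value is the resource path of an Azure Key Vault secret rather than the password itself, so the flow design stays identical between test and production. Every schema name, connection ID, subscription ID and resource name below is a constructed placeholder (JSON allows no comments, so this sentence is the label), and the use of a secret-type environment variable for the HR password is an assumption, not something the question states.

```json
{
  "EnvironmentVariables": [
    {
      "SchemaName": "contoso_HRSystemUser",
      "Value": "svc-travel-approvals"
    },
    {
      "SchemaName": "contoso_HRSystemPassword",
      "Value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-travel-prod/providers/Microsoft.KeyVault/vaults/kv-travel-prod/secrets/hr-system-password"
    }
  ],
  "ConnectionReferences": [
    {
      "LogicalName": "contoso_TravelRequestsSharePoint",
      "ConnectionId": "11111111-2222-3333-4444-555555555555",
      "ConnectorId": "/providers/Microsoft.PowerApps/apis/shared_sharepointonline"
    },
    {
      "LogicalName": "contoso_ManagerCalendarOutlook",
      "ConnectionId": "66666666-7777-8888-9999-aaaaaaaaaaaa",
      "ConnectorId": "/providers/Microsoft.PowerApps/apis/shared_office365"
    }
  ]
}
```

The test environment gets its own copy of this file with different connection IDs and a different vault path; the secret value itself never appears in the solution or the settings file.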
Common mistakes.
- A common mistake would be to use Azure Key Vault for all credential-related requirements or to confuse the purpose of a Connection reference with direct connection string management.
- Using Azure Key Vault for Approvals or Calendar/Travel requests: Azure Key Vault is for storing secrets (credentials), not for defining identities for system accounts (Service principal) or for abstracting connections across environments (Connection reference). While the HR system credentials directly benefit from secure storage in Key Vault, the 'Approvals' requirement specifically asks for a 'system account' to perform tasks, which points to a Service principal, and 'Calendar entries' and 'Travel requests' refer to connecting to services in an environment-agnostic way, which is the role of a Connection reference.
- Using Service principal for HR system credentials: A Service principal is an identity for an application or service, not a secure store for general credentials like a username/password for an external HR system. While a service principal might use credentials (like a client secret or certificate) for its own authentication, it doesn't store the HR system's credentials.
- Using Connection reference for HR system credentials: While a connection reference points to a connection which uses credentials, it is not the secure storage mechanism for those credentials themselves, especially when discussing sensitive secrets like HR system passwords that need specialized management (e.g., rotation, access policies, audit logs). Azure Key Vault is designed for this specific purpose.
Concept tested. This question tests knowledge of secure credential management, application identity (system accounts), and environment configuration best practices in Azure and Power Platform solutions, specifically focusing on Azure Key Vault, Service principals, and Connection references for deploying solutions across different environments.