
SC-300 Question #254: Real Exam Question with Answer & Explanation

This question tests knowledge of Azure Key Vault built-in RBAC roles and the principle of least privilege when assigning permissions to users for different Key Vault operations.

Submitted by omar99 · Mar 6, 2026

Question

Hotspot question. You have an Azure subscription that contains the resources shown in the following table. You need to configure access to Vault1. The solution must meet the following requirements:

  • Ensure that User1 can manage and create keys in Vault1.
  • Ensure that User2 can access a certificate stored in Vault1.
  • Use the principle of least privilege.

Which role should you assign to each user? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Explanation

Approach. User1 must create and manage keys in Vault1, so the correct role is Key Vault Crypto Officer. It permits every data-plane action on keys (create, import, update, rotate, back up, restore and delete) but grants nothing on secrets or certificates and cannot manage role assignments, which is the smallest built-in role that covers a key administrator. User2 only needs to access a certificate, so the correct role is Key Vault Certificate User: it allows reading the certificate contents (including the secret and key portions) and nothing else. Key Vault Certificates Officer is the management role (create, import, update and delete certificates, everything except managing permissions) and would grant more than the requirement calls for, so it is not the least-privilege choice here. Both roles are Azure RBAC data-plane roles for Key Vault: they only take effect when the vault uses the Azure role-based access control permission model rather than the older access policy model, and they can be assigned at the vault scope or, for an individual key, secret or certificate, at the scope of that one object, which is how least privilege is pushed below the vault level.

Concept tested. Azure Key Vault RBAC roles - specifically the granular built-in roles such as Key Vault Crypto Officer (for key management) and Key Vault Certificate User (for certificate access), and applying the principle of least privilege by selecting the most restrictive role that satisfies each user's requirements.
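The following Azure PowerShell script is an added example of applying the two assignments above; it is not part of the original question or answer. It assumes Vault1 lives in a resource group named RG1, that the certificate User2 needs is named Cert1, that User1 and User2 sign in as user1@contoso.com and user2@contoso.com, and that the Az.KeyVault and Az.Resources modules are installed and Connect-AzAccount has already been run. All of those names are placeholders.

```powershell
# Added example, not code from the original page. Assumed placeholder names:
#   RG1 / Vault1 / Cert1 and the two user UPNs below.
$rg       = 'RG1'
$vault    = 'Vault1'
$certName = 'Cert1'
$user1    = 'user1@contoso.com'
$user2    = 'user2@contoso.com'

# 1. The built-in Key Vault data-plane roles only take effect when the vault
#    uses the Azure RBAC permission model, so switch Vault1 to it if needed.
$kv = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vault
if (-not $kv.EnableRbacAuthorization) {
    $kv = Update-AzKeyVault -ResourceGroupName $rg -VaultName $vault `
        -EnableRbacAuthorization $true
}

# 2. User1: create and manage keys. Creating a key is an action on the vault,
#    not on an existing key, so Key Vault Crypto Officer goes at the vault
#    scope. The role carries no secret or certificate permissions.
New-AzRoleAssignment -SignInName $user1 `
    -RoleDefinitionName 'Key Vault Crypto Officer' `
    -Scope $kv.ResourceId

# 3. User2: read one certificate. Key Vault Certificate User is read-only, and
#    scoping it to the certificate object (<vault id>/certificates/<name>)
#    keeps User2 from reading any other certificate in Vault1.
$certScope = "$($kv.ResourceId)/certificates/$certName"
New-AzRoleAssignment -SignInName $user2 `
    -RoleDefinitionName 'Key Vault Certificate User' `
    -Scope $certScope

# 4. Verify what each user now holds at the scope that was assigned, so that
#    nothing broader than intended (e.g. a leftover Owner or Contributor
#    assignment with data-plane rights) goes unnoticed.
Get-AzRoleAssignment -SignInName $user1 -Scope $kv.ResourceId |
    Select-Object RoleDefinitionName, Scope
Get-AzRoleAssignment -SignInName $user2 -Scope $certScope |
    Select-Object RoleDefinitionName, Scope
```

Two practical caveats: new role assignments can take several minutes to propagate before the data-plane calls succeed, and Key Vault Certificate User returns the private-key portion of the certificate as well as the public part, so the certificate scope (rather than the whole vault) is the main lever for keeping User2's reach small.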

Reference. https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide
