
SC-300 Question #344: Real Exam Question with Answer & Explanation

The correct answer is D: Assign an Azure role to VM1.

Submitted by cyberguy42 · Mar 6, 2026

Skill area: Plan and implement workload identities

Question

You have an Azure subscription that contains a virtual machine named VM1 and an Azure key vault named Vault1. VM1 has a system-assigned managed identity. You need to ensure that VM1 can retrieve the values of secrets stored in Vault1. The solution must minimize administrative effort. What should you do first?

Options

  • A. Configure the Resource access settings for Vault1.
  • B. Configure the permissions model for Vault1.
  • C. Add a user-assigned managed identity to VM1.
  • D. Assign an Azure role to VM1.

Explanation

Assigning an Azure role (specifically the Key Vault Secrets User role) to VM1's system-assigned managed identity is the correct first step. Azure Key Vault uses Azure Role-Based Access Control (RBAC) to authorize access, so the managed identity must be granted explicit permission to read secrets before it can retrieve them.

Option A (Resource access settings) is a distractor: configuring network or resource access alone does not grant the identity permission to read secret values, because authorization is a separate concern from network reachability.

Option B (configuring the permissions model) is incorrect as the first step because the permissions model (RBAC vs. Vault Access Policy) is typically already configured; changing it would be a prerequisite only if the vault were misconfigured, and the question asks what to do first to enable access with minimum effort.

Option C (adding a user-assigned managed identity) is unnecessary because VM1 already has a system-assigned managed identity; adding another one increases administrative overhead rather than minimizing it.

Memory Tip 🔑

Think "Identity → Role → Access": once an identity exists (system-assigned is already there), your next move is always to assign a role to grant permissions; you never need a second identity when one already exists.

Topics

Managed Identity, Azure Key Vault, Azure RBAC, Workload Identity Access
