[{"_1":2,"_143":-5,"_144":-5},"loaderData",{"_3":4},"routes/topics.$name",[5,20,26,32,47,63,69,78,89,98,108,122,133],{"_6":7,"_8":9,"_10":11,"_12":13,"_14":15,"_16":17,"_18":19},"id","e9ac192b35fbc9c99a1811f150e486cb3d535ee4094ebb53597f5e83589d4db9","question","How to create an access policy for your key vault that grants certificate permissions to your user account?\n\n```ps\naz keyvault\n```","answer","\n\n```ps\naz keyvault set-policy --name --upn user@domain.com --certificate-permissions delete get list create purge\n```","options",[],"answerIndexes",[],"hasCode",true,"topic","Key Vault",{"_6":21,"_8":22,"_10":23,"_12":24,"_14":25,"_16":17,"_18":19},"42202fc5a83fbfa98859271c4248ed20a7b081658f4ae48e05ed5594839148b9","Your company is preparing to deploy an application on an Azure Linux virtual machine (VM) named myLinuxVM, and there is a requirement to configure Azure Disk Encryption. You have created a resource group named myResourceGroup in the East US region.\n\nTo achieve the desired configuration, you need to use a key encryption key (KEK) to protect the encryption secret and enable the Key Vault for both disk encryption and template deployments.\n\n```ps\n# Code here\n```","\n\n```ps\naz keyvault create --name \"\" --resource-group \"myResourceGroup\" --location \"eastus\"\naz keyvault update --name \"\" --resource-group \"MyResourceGroup\" --enabled-for-disk-encryption \"true\"\naz keyvault update --name \"\" --resource-group \"MyResourceGroup\" --enabled-for-template-deployment \"true\"\naz keyvault key create --name \"myKEK\" --vault-name \"\" --kty RSA --size 4096\naz vm encryption enable -g \"MyResourceGroup\" --name \"myLinuxVM\" --disk-encryption-keyvault \"\" --key-encryption-key \"myKEK\"\n```",[],[],{"_6":27,"_8":28,"_10":29,"_12":30,"_14":31,"_16":17,"_18":19},"00ac06758ed848e0d6cd0fab08b1707e14f69d21524a74ed1789e15f062359e8","Write the Azure CLI commands to perform the following tasks:\n\n1. Create a Key Vault in Azure.\n1. Add a certificate to the newly created Key Vault using the default policy.\n\n```ps\nkvName=\"\"\nrgName=\"myResourceGroup\"\nlocationName=\"EastUS\"\ncertName=\"ExampleCertificate\"\n\n# Code here\n```","\n\n```bash\nkvName=\"\"\nrgName=\"myResourceGroup\"\nlocationName=\"EastUS\"\ncertName=\"ExampleCertificate\"\n\n# Create a key vault\naz keyvault create --name $kvName --resource-group $rgName --location $locationName\n\n# Add a certificate to Key Vault\naz keyvault certificate create --vault-name $kvName -n $certName -p \"$(az keyvault certificate get-default-policy)\"\n```",[],[],{"_6":33,"_8":34,"_10":35,"_12":36,"_14":43,"_16":46,"_18":19},"333651f46aca7a1bc3aaedb412e2af3bbd073a67f10663e7773c50cab82edf38","Your organization is migrating sensitive data to Azure and has decided to use Azure Key Vault for secure storage. To enhance data protection, the IT team wants to ensure that if any key vault or its associated objects are unintentionally deleted, they can be recovered. Moreover, they want to ensure that once an item is marked as deleted, it cannot be permanently removed until a specified retention period elapses. Which Azure CLI commands should the IT team execute to implement these protective measures?","You need to enablesoft delete (`--enable-soft-delete true`) and purge protection (`--enable-purge-protection true`) \n`az keyvault create --name --retention-days 90` is not a valid command \n`az keyvault set-policy --name --object-id --key-permissions purge` grants a user the permission to purge objects from the Key Vault. However, it doesn't prevent purging during the retention period. \n`az keyvault delete --name --force-immediate` is not a valid command",[37,38,39,40,41,42],"`az keyvault update --name --enable-soft-delete true`","`az keyvault update --name --enable-purge-protection true`","`az keyvault create --name --retention-days 90`","`az keyvault set-policy --name --object-id --key-permissions purge`","`az keyvault backup --name --file `","`az keyvault delete --name --force-immediate`",[44,45],0,1,false,{"_6":48,"_8":49,"_10":50,"_12":51,"_14":61,"_16":46,"_18":19},"4974c06614662ffa46a65c07e4834473ab726c9b25b4d351a363f411871aedd8","You are an Azure administrator responsible for managing a Key Vault named 'SecureVault'. A new application needs to securely store, retrieve, and manage cryptographic keys within 'SecureVault'. The application must be able to encrypt keys before storing them, decrypt keys when retrieving them, and also have the ability to retrieve key information. You need to configure the appropriate permissions for the application's managed identity using the az keyvault set-policy command. Which permissions should you grant to the application's managed identity in the Key Vault's access policy?","`az keyvault set-policy --name 'SecureVault' --object-id 'applicationObjectId' --key-permissions wrapKey unwrapKey get`",[52,53,54,55,56,57,58,59,60],"WRAP","UNWRAP","GET","LIST","UPDATE","RECOVER","RESTORE","SIGN","VERIFY",[44,45,62],2,{"_6":64,"_8":65,"_10":66,"_12":67,"_14":68,"_16":17,"_18":19},"b1c5772f4a5cd7ce21dab75fe0638529284dfb513c96500b1228734e6babce53","Your organization is developing a secure application that involves handling confidential data. You have been tasked with the following requirements:\n\n1. Establish a connection to a remote vault service to manage sensitive keys and secrets.\n1. Retrieve a designated secret from the vault.\n1. Obtain a specific cryptographic key from the vault.\n1. Use the obtained key to perform the following cryptographic operations:\n - Add the secret value to a given plaintext message, then encrypt it using an asymmetric encryption algorithm.\n - Decrypt the resulting ciphertext using the same algorithm.\n\nProvide the code to fulfill these requirements, adhering to industry standards for secure communication and cryptographic practices.\n\n```cs\nvar vaultUrl = \"https://.vault.azure.net/\";\nvar credential = new DefaultAzureCredential();\nvar secretKeyName = \"\";\nvar plaintext = \"\";\nvar encryptionAlgorithm = EncryptionAlgorithm.RsaOaep;\n\n// Code here\n```","\n\n```cs\nvar vaultUrl = \"https://.vault.azure.net/\";\nvar credential = new DefaultAzureCredential();\nvar secretKeyName = \"\";\nvar plaintext = \"\";\nvar encryptionAlgorithm = EncryptionAlgorithm.RsaOaep;\n\nvar client = new KeyClient(vaultUri: new Uri(vaultUrl), credential: credential);\nKeyVaultSecret secret = await client.GetSecretAsync(secretKeyName);\nstring secretValue = secret.Value;\n\nvar keyResponse = await client.GetKeyAsync(secretKeyName);\nKeyVaultKey key = keyResponse.Value;\nCryptographyClient cryptoClient = client.GetCryptographyClient(key.Name, key.Properties.Version);\nEncryptResult encryptResult = cryptoClient.Encrypt(encryptionAlgorithm, Encoding.UTF8.GetBytes(plaintext + secretValue));\nDecryptResult decryptResult = cryptoClient.Decrypt(encryptionAlgorithm, encryptResult.Ciphertext);\n```",[],[],{"_6":70,"_8":71,"_10":72,"_12":73,"_14":77,"_16":46,"_18":19},"8e17e7a59ce2c214ff780c9cf9fb1a7479b3c1bce7037b70eedc05b5fc0f3d43","Azure Key Vault protects data when it's traveling between Azure Key Vault and clients. What protocol does it use for encryption?","Azure Key Vault enforces Transport Layer Security protocol to protect data when it’s traveling between Azure Key Vault and clients. \nThe Secure Sockets Layer protocol has been replaced with the Transport Layer Security protocol. \nPresentation Layer is part of the Open Systems Interconnection model and is not a security protocol.",[74,75,76],"Secure Sockets Layer","Transport Layer Security","Presentation Layer",[45],{"_6":79,"_8":80,"_10":81,"_12":82,"_14":87,"_16":46,"_18":19},"5cb5dac5b508f1b901b677f9c323208570dda229850888f7e53ced8627d11ec6","You are tasked with deploying a cloud-based application that leverages Azure Key Vault for storing sensitive information like certificates and API keys. The application will be rolled out in the following phases:\n\n- Development\n- Testing\n- Staging\n- Production\n\nWhat is the optimal Azure Key Vault configuration to ensure secure and efficient management of secrets across these phases?","By allocating a separate Azure Key Vault for each phase you ensure isolation of sensitive data, enabling you to manage access policies, secret lifecycles, and audit logs independently for each phase. This approach enhances security and operational efficiency.",[83,84,85,86],"Use a single Azure Key Vault for all phases","Set up two Azure Key Vaults: one for Development and Testing, and another for Staging and Production","Establish a unique Azure Key Vault for Production and merge the others into one","Create a dedicated Azure Key Vault for each phase",[88],3,{"_6":90,"_8":91,"_10":92,"_12":93,"_14":97,"_16":46,"_18":19},"8e7bb2fab51be8c3cd789debf968ed3e1e8c6598b9909fcef8760cc0e9ebe3bb","Which of the below methods of authenticating to Azure Key Vault is recommended for most scenarios?","The benefit of this approach is that Azure automatically rotates the identity. \nService principal and secret is not recommended because the application owner or developer must rotate the certificate. \nService principal and certificate is not recommended because it is difficult to automatically rotate the bootstrap secret that's used to authenticate to Key Vault.",[94,95,96],"Service principal and certificate","Service principal and secret","Managed identities",[62],{"_6":99,"_8":100,"_10":101,"_12":102,"_14":107,"_16":46,"_18":19},"71f678b65bab68c92e7d8d088e40bfc7089ec386799bdfd20618be1621f0cf11","What format the response of this command is: `az keyvault secret show --name \"ExamplePassword\" --vault-name $myKeyVault`?","JSON.",[103,104,105,106],"JSON","XML","YAML","Plain text",[44],{"_6":109,"_8":110,"_10":111,"_12":112,"_14":121,"_16":46,"_18":19},"46df430ec01e27bf42b9ec415a11b53e53ee93fa7478f4c36044f19f4be66539","You're designing a cloud-based microservice architecture using Azure Functions. One of the functions requires access to sensitive configuration data stored in Azure Key Vault. To maintain a high level of security, you want to ensure that only the Azure Function has the ability to retrieve secrets from the Key Vault. How should you configure access to the sensitive information in the Key Vault?","Enable a System-assigned Managed Identity for 'mySensitiveFunction' and assign it 'get' and 'list' permissions for the Key Vault.\n\nSystem-assigned Managed Identities are automatically managed by Azure and provide an identity for your Azure resource. This ensures that only the Azure resource can access the secrets in the Key Vault, without any risk of credential exposure. The other options involve storing sensitive information in environment variables, which can potentially be accessed by unauthorized users, thus they are not secure.",[113,114,115,116,117,118,119,120],"Create an Microsoft Entra ID application, assign it 'get' and 'list' permissions for the Key Vault, and embed the application's client ID and client secret in function's environment variables.","Generate a User-assigned Managed Identity, assign it 'get' and 'list' permissions for the Key Vault, and embed the identity's client ID and client secret in function's environment variables.","Enable a System-assigned Managed Identity for the function and assign it 'get' and 'list' permissions for the Key Vault.","Generate an access token to the Key Vault, and store the Key Vault's URI and the access token in the function's environment variables.","Store the Key Vault's URI in the function's environment variables and use a shared access signature (SAS) token to authenticate.","Create a service principal, assign it 'get' and 'list' permissions for the Key Vault, and store the service principal's credentials in the function's environment variables.","Enable Entra ID authentication for the function and assign the function's user identity 'get' and 'list' permissions for the Key Vault.","Use Entra ID B2C to create a user identity, assign it 'get' and 'list' permissions for the Key Vault, and store the user identity's credentials in the function's environment variables.",[62],{"_6":123,"_8":124,"_10":125,"_12":126,"_14":132,"_16":46,"_18":19},"41635b62515e02c7420ea247550775d714f5b70c9e96babc92e42d5e51ce852f","You have downloaded an Azure Functions codebase that is set to be triggered by an HTTP request. This function needs to access a database, and for that, it requires a connection string. You need to ensure the connection string is not stored in plain text within the code or configuration files. You are preparing to create the necessary components to achieve your goal. Which of the following should you create to achieve your goal? Answer by selecting the correct options from the list below.","**Azure Key Vault**: Provides secure storage for secrets like connection strings. **Access Policy**: Determines access to secrets in Azure Key Vault. \nMicrosoft Entra ID Identity Protections: Focuses on risk-based conditional access, not secret storage. \nAzure Storage Account: Used for data storage, not secret storage. \nAzure Policy: Evaluates resource properties against business rules, not for secret storage.",[127,128,129,130,131],"Azure Key Vault","Access Policy","Microsoft Entra ID Identity Protections","Azure Storage Account","Azure Policy",[44,45],{"_6":134,"_8":135,"_10":136,"_12":137,"_14":142,"_16":46,"_18":19},"c35bc269e947275991b8eb48690b1a00373e37ba5dc904c6f73b504b9588970a","You have configured an Azure Key Vault and stored a secret in it. The secret has multiple versions. You need to retrieve a particular version of the secret using a REST API call. What should you include in the REST API call to specify the version you want to retrieve?","To retrieve a specific version of the secret, you would include it as a query string argument in the REST API call: `GET {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=7.4`. This allows you to specify which version of the secret you wish to retrieve from the Azure Key Vault.",[138,139,140,141],"A session variable","A query string parameter","A JSON payload","A POST parameter",[45],"actionData","errors"]

AZ-204 Quiz

← Back to Topics