Microsoft Azure Security Engineer Associate AZ-500 Practice Question
You have an Azure subscription that contains several resource groups used by different development teams. A new security policy requires that developers can perform these tasks in their own resource group only:
View any resource configuration, including private keys stored in Azure Key Vault.
Create or modify resources that do NOT expose data actions (for example, create a virtual network).
You decide to create a single custom Azure role and assign it at the developers' resource-group scope. Which set of JSON properties correctly meets the requirements?
Actions, DataActions, and AssignableScopes.
Actions and AssignableScopes only.
Actions, NotActions, and AssignableScopes.
Actions, DataActions, NotDataActions, and AssignableScopes.
The policy requires developers to do the following in their own resource group:
Read all control-plane metadata, including Key Vault objects. That requires the Microsoft.KeyVault/*/read data action, so the role must include DataActions.
Create or modify resources except those with data actions; that is covered by Actions such as Microsoft.Resources/subscriptions/resourceGroups/*.
The role must not allow data write on Key Vault objects, so NotDataActions must explicitly deny Microsoft.KeyVault/*/write.
Therefore, the custom role must contain:
Actions to allow standard management operations.
DataActions to let users read data plane items such as Key Vault secrets.
NotDataActions to block data plane write operations.
The AssignableScopes property is mandatory for any custom role, but it does not control the kinds of permissions; it simply states where the role can be assigned. Including only Actions and AssignableScopes would prevent access to Key Vault data. Including Actions plus NotActions still would not expose Key Vault secrets. Adding DataActions without also using NotDataActions would permit writes as well as reads on data plane objects.
Thus the correct option is the set that combines Actions, DataActions, and NotDataActions, with AssignableScopes.
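How the four properties combine can be checked with a small model of how a single role is evaluated. This is an added example, not part of the original practice question and not Microsoft's code; the role name, subscription ID, resource group, the Actions entries, the broad-DataActions variant and the operation names are constructed for illustration. Real authorization also merges every role assignment and deny assignment that applies at the scope, which this model leaves out.

```python
import re

def matches(pattern, operation):
    # Permission strings are case-insensitive; "*" matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def granted(allow, deny, operation):
    # Effective permission = allow list minus whatever the Not* list matches.
    return (any(matches(p, operation) for p in allow)
            and not any(matches(p, operation) for p in deny))

def is_allowed(role, operation, data_plane):
    """Evaluate one operation against one role on the chosen plane."""
    if data_plane:
        return granted(role.get("DataActions", []),
                       role.get("NotDataActions", []), operation)
    return granted(role.get("Actions", []), role.get("NotActions", []), operation)

def can_assign_at(role, scope):
    """AssignableScopes limits where the role can be assigned, nothing else."""
    scope = scope.lower().rstrip("/")
    bases = [a.lower().rstrip("/") for a in role["AssignableScopes"]]
    return any(scope == b or scope.startswith(b + "/") for b in bases)

# Constructed values: placeholder subscription ID and resource group name.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/dev-team-rg"
ROLE = {
    "Name": "Dev resource group role (example)",
    "Actions": ["*/read", "Microsoft.Network/virtualNetworks/*"],  # assumed
    "DataActions": ["Microsoft.KeyVault/*/read"],
    "NotDataActions": ["Microsoft.KeyVault/*/write"],
    "AssignableScopes": [RG],
}
ACTIONS_ONLY = {"Actions": ROLE["Actions"], "AssignableScopes": [RG]}
# Assumed variant with a broad data grant, so the NotDataActions subtraction is visible.
BROAD = dict(ROLE, DataActions=["Microsoft.KeyVault/*"])

# Constructed operation names shaped to fit the wildcard patterns above.
VNET_WRITE = "Microsoft.Network/virtualNetworks/write"
KV_READ = "Microsoft.KeyVault/vaults/keys/read"
KV_WRITE = "Microsoft.KeyVault/vaults/keys/write"

if __name__ == "__main__":
    for label, role in (("four properties", ROLE), ("Actions only", ACTIONS_ONLY),
                        ("broad DataActions", BROAD)):
        print(label, is_allowed(role, VNET_WRITE, False),
              is_allowed(role, KV_READ, True), is_allowed(role, KV_WRITE, True))
```

Each printed row gives, in order, the result for the virtual network write, the Key Vault data read and the Key Vault data write.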
Microsoft Azure Security Engineer Associate AZ-500
Secure identity and access