Crucial Exams

Microsoft Azure Security Engineer Associate AZ-500 Practice Question

You manage an Azure Key Vault that uses the Azure role-based access control (RBAC) permission model. An Azure Function's system-assigned managed identity needs to read the value of a single secret at runtime, but it must not be able to list or modify any secrets in the vault. Which approach satisfies this requirement with the least privilege?

  • Create a custom Azure RBAC role that includes only the Microsoft.KeyVault/vaults/secrets/get data action and assign it to the managed identity at the scope of the required secret.

  • Assign the built-in Key Vault Secrets User role to the managed identity at the vault scope.

  • Assign the built-in Key Vault Secrets Officer role to the managed identity at the secret scope.

  • Switch the vault to the Vault access policy model and grant the managed identity a secrets Get permission in an access policy.

Microsoft Azure Security Engineer Associate AZ-500
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot