Microsoft Azure Security Engineer Associate AZ-500 Practice Question
You need to give a development team the ability to create, read, and delete secrets in a single Azure Key Vault, but they must be blocked from modifying keys or certificates in that vault. Which Azure built-in role should you assign to the team's Microsoft Entra security group at the Key Vault scope to meet the requirement?
The Key Vault Secrets Officer role grants full data-plane permissions for secrets only (Microsoft.KeyVault/vaults/secrets/*). Assigning this role at the Key Vault resource scope lets the development team create, list, read, and delete secrets while providing no ability to manage keys or certificates.
Key Vault Administrator grants full data-plane access to keys, secrets, and certificates, violating least-privilege. Key Vault Contributor lets users manage the Key Vault resource but does not grant any data-plane permissions, so the team could not work with secret values. User Access Administrator allows management-plane role assignments only and likewise provides no data-plane access to secrets.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the difference between the data-plane and management-plane in Azure Key Vault?
Open an interactive chat with Bash
What permissions does the Key Vault Secrets Officer role provide?
Open an interactive chat with Bash
Why is the least-privilege principle important for security in Azure Key Vault?
Open an interactive chat with Bash
Microsoft Azure Security Engineer Associate AZ-500
Secure identity and access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .