Question 992 of 997
Implement Azure security · medium · Multiple Choice · Objective-mapped

Quick Answer

The correct answer is to assign the application to the Key Vault Secrets User RBAC role at the secret scope. This is the only method that applies the principle of least privilege because Azure RBAC supports secret-scoped permissions, allowing you to grant read access exclusively to a specific Microsoft Entra ID application for a single secret without opening access to the entire vault. On the AZ-204 exam, this scenario tests your understanding of the difference between vault-level access policies and granular RBAC assignments; a common trap is choosing the vault access policy, which cannot target individual secrets. Remember that while access policies are vault-wide, RBAC roles can be scoped down to the secret, key, or certificate level. For a quick memory tip: think “RBAC is granular, policies are global”—if you need to lock down one secret, RBAC at the secret scope is your only path.

AZ-204 Implement Azure security Practice Question

This AZ-204 practice question tests your understanding of Implement Azure security. This is a configuration task: choose the option that satisfies every stated requirement. Small differences in wording (the scope at which a role is assigned, for example) change whether the answer is correct. A key principle to apply: Azure RBAC allows fine-grained access control to individual Key Vault secrets. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Your company uses Azure Key Vault to store secrets. You need to ensure that only a specific Microsoft Entra ID application can read a particular secret, while other applications are denied access. You want to apply the principle of least privilege. Which access control method should you configure?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "least"

    Why it matters: You want the option with minimum overhead, fewest steps, or lowest impact — not the most feature-rich or comprehensive answer.


Correct answer & explanation

Assign the application to the Key Vault Secrets User RBAC role at the secret scope

Option B is correct because Azure RBAC allows you to assign the Key Vault Secrets User role at the secret scope, which grants read access exclusively to the specified Microsoft Entra ID application for that particular secret. This aligns with the principle of least privilege by restricting access to only the necessary secret, without granting broader permissions at the vault level.

Key principle: Azure RBAC allows fine-grained access control to individual Key Vault secrets.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Assign the application to the Key Vault Contributor RBAC role

    Why it's wrong here

    The Key Vault Contributor role grants management operations (e.g., creating and deleting vaults, managing access policies), which is too broad and includes write permissions, violating least privilege.

  • Assign the application to the Key Vault Secrets User RBAC role at the secret scope

    Why this is correct

    This role allows read access to secrets. By assigning it at the individual secret scope (instead of vault scope), you restrict access to only that secret.

    Clue confirmation

    The clue word "least" in the question points toward this answer.

    Related concept

    Azure RBAC allows fine-grained access control to individual Key Vault secrets.

  • Use Key Vault access policies

    Why it's wrong here

    Access policies are applied at the vault level and cannot restrict access to individual secrets. They grant the same permissions to all secrets in the vault.

  • Use managed identity and assign the Key Vault Secrets User role at the vault scope

    Why it's wrong here

    Assigning the role at the vault scope grants read access to all secrets in the vault, which is not limited to a single secret.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse vault-scoped access policies or RBAC roles with secret-scoped RBAC, mistakenly thinking they can achieve per-secret isolation with access policies, when in fact only RBAC at the secret scope provides that granularity.

Detailed technical explanation

How to think about this question

Azure RBAC for Key Vault supports data-plane scoping at the individual secret, key, or certificate level via the 'Microsoft.KeyVault/vaults/secrets' resource path, enabling fine-grained access control. When the Key Vault Secrets User role is assigned at this scope, Azure RBAC evaluates the role assignment against the secret's resource ID, ensuring only the designated application's token can perform 'Microsoft.KeyVault/vaults/secrets/read' operations. This is distinct from access policies, which are legacy and always apply at the vault level, and from vault-scoped RBAC, which would allow the application to list and read all secrets.
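As an added example (not part of the question page), the assignment the correct answer describes, done with the Azure CLI: build the secret-scoped resource ID, switch the vault to the RBAC permission model, assign the role at that scope to one service principal, and list what was granted. Subscription, resource group, vault, secret and principal values are constructed placeholders; set APPLY=1 to run the az commands instead of printing them.

```shell
#!/bin/sh
# Added example, not from the question page. All identifiers are constructed placeholders.
SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"   # placeholder
RESOURCE_GROUP="rg-secrets-demo"                         # placeholder
VAULT_NAME="kv-demo-vault"                               # placeholder
SECRET_NAME="payments-api-key"                           # placeholder
APP_OBJECT_ID="11111111-1111-1111-1111-111111111111"     # service principal object ID of the Entra app, placeholder

# Scope path for ONE secret: .../providers/Microsoft.KeyVault/vaults/<vault>/secrets/<secret>
kv_secret_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/secrets/%s' \
    "$1" "$2" "$3" "$4"
}

# Vault-wide scope, shown only to contrast: a role assigned here covers every secret in the vault.
kv_vault_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# Print the az command unless APPLY=1, so the script can be read and tested offline.
run_az() {
  if [ "${APPLY:-0}" = "1" ]; then az "$@"; else echo "az $*"; fi
}

SECRET_SCOPE=$(kv_secret_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VAULT_NAME" "$SECRET_NAME")

# 1. Secret-level RBAC only takes effect when the vault uses the RBAC permission model,
#    not the legacy vault-wide access policies.
run_az keyvault update --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
  --enable-rbac-authorization true

# 2. Grant read access to exactly one secret, to exactly one principal (least privilege).
run_az role assignment create --role "Key Vault Secrets User" \
  --assignee-object-id "$APP_OBJECT_ID" --assignee-principal-type ServicePrincipal \
  --scope "$SECRET_SCOPE"

# 3. Verify: the assignment should appear at the secret scope; nothing at the vault scope was added.
run_az role assignment list --assignee "$APP_OBJECT_ID" --scope "$SECRET_SCOPE" --output table
```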

Key Concepts to Remember

  • Azure RBAC allows fine-grained access control to individual Key Vault secrets.
  • The 'Key Vault Secrets User' role grants read access to secrets.
  • RBAC role assignments can be scoped to a subscription, resource group, resource, or individual secret/key/certificate.
  • Assigning roles at the secret scope enforces the principle of least privilege for specific secrets.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Azure RBAC allows fine-grained access control to individual Key Vault secrets.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Review the principle that Azure RBAC allows fine-grained access control to individual Key Vault secrets, then practise related AZ-204 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this AZ-204 question test?

Implement Azure security. This question tests the principle that Azure RBAC allows fine-grained access control to individual Key Vault secrets.

What is the correct answer to this question?

The correct answer is: Assign the application to the Key Vault Secrets User RBAC role at the secret scope — Option B is correct because Azure RBAC allows you to assign the Key Vault Secrets User role at the secret scope, which grants read access exclusively to the specified Microsoft Entra ID application for that particular secret. This aligns with the principle of least privilege by restricting access to only the necessary secret, without granting broader permissions at the vault level.

What should I do if I get this AZ-204 question wrong?

Review the principle that Azure RBAC allows fine-grained access control to individual Key Vault secrets, then practise related AZ-204 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "least". You want the option with minimum overhead, fewest steps, or lowest impact — not the most feature-rich or comprehensive answer.

What is the key concept behind this question?

Azure RBAC allows fine-grained access control to individual Key Vault secrets.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026


This AZ-204 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-204 exam.