Microsoft Azure Security Technologies (AZ-500)



What should you use to allow a specific user to add and delete certificates in the Azure key vault while adhering to least privilege access?

  1. A key vault access policy

  2. Azure policy

  3. Azure AD Privileged Identity Management (PIM)

  4. Azure DevOps

The correct answer is: A key vault access policy

Using a key vault access policy is the appropriate choice to allow a specific user to manage certificates in Azure Key Vault while adhering to the principle of least privilege access. Key vault access policies are designed to provide granular control over who can perform specific actions on the resources in the key vault, including creating, deleting, and using certificates. A key vault access policy can be configured to grant the necessary permissions to a specific user or group without giving them broader privileges that may be unnecessary for their role. This capability ensures that users only have access to the actions they need to perform their tasks, aligning with security best practices and minimizing potential risks.

Azure Policy, while useful for enforcing compliance and governance across resources, operates at a broader level and is not intended for fine-grained control over user permissions within a specific resource like a key vault.

Azure AD Privileged Identity Management (PIM) is primarily focused on managing privileged accounts and roles, but it is not explicitly designed for managing access permissions to specific activities within resources like a key vault.

Azure DevOps is a set of development tools and does not apply directly to the management of Azure resource permissions.

Overall, utilizing a key vault access policy facilitates the necessary level of access control while adhering to the least privilege principle by