What should you do?

HOTSPOT

You need to resolve the Azure virtual machine (VM) deployment issues.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

View Answer

Answer:

Explanation:

Box 1: Enable access to Azure Resource Manager for template deployment. In the given scenario, you are trying to resolve Azure VM deployment issues. To configure an Azure Key Vault access policy setting for VM deployment, you need to enable access to Azure Resource Manager for template deployment. This will allow the VM deployment process to access the secrets and certificates stored in the Key Vault during the deployment of the VM using an ARM (Azure Resource Manager) template.

Reference: – https://docs.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app

Box 2: Grant the Microsoft.KeyVault/vaults/deploy/action permission

This is the permission that you should configure on an RBAC Key Vault role to resolve the Azure virtual machine (VM) deployment issues. This permission allows Azure Resource Manager to retrieve secrets from the key vault when deploying resources using an ARM template1. Therefore, option C is correct.

A detailed explanation with references is as follows:

As mentioned in the scenario, the Azure virtual machine (VM) deployment issues are caused by the inability of Azure Resource Manager to retrieve secrets from the key vault when deploying resources using an ARM template. To resolve this issue, you need to configure an RBAC Key Vault role that grants Azure Resource Manager the permission to access the key vault.

RBAC Key Vault roles are roles that can be assigned to users, groups, or applications to manage access to key vault secrets, keys, and certificates2. RBAC Key Vault roles are based on Azure role-based access control (Azure RBAC), which is an authorization system that provides fine-grained access management of Azure resources3.

With Azure RBAC, you can control access to resources by creating role assignments, which consist of three elements3:

✑ The security principal: The user, group, or application that you want to grant or deny access to the resource.

✑ The role definition: The predefined or custom set of permissions that you want to grant or deny on the resource. For example, read, write, delete, backup, restore, etc.

✑ The scope: The level at which you want to apply the role assignment. For example, at the management group, subscription, resource group, or individual resource level.

To configure a role assignment that allows Azure Resource Manager to retrieve secrets from the key vault when deploying resources using an ARM template, you need to grant the Microsoft.KeyVault/vaults/deploy/action permission1. This is a special permission that grants Azure Resource Manager a limited permission to get secrets from the key vault during resource deployment1. This permission does not grant any other permissions to Azure Resource Manager on the key vault or its contents1.

To grant the Microsoft.KeyVault/vaults/deploy/action permission using the Azure portal, follow these steps1:

✑ In the Azure portal, navigate to the Key Vault resource.

✑ Select Access control (IAM), then select Add > Add role assignment.

✑ Under Role, select a built-in or custom role that includes the Microsoft.KeyVault/vaults/deploy/action permission. For example, you can select Key Vault Administrator or Key Vault Secrets User.

✑ Under Assign access to, select Azure AD user, group, or service principal.

✑ Under Select, enter Azure Resource Manager in the search field and select it.

✑ Select Save to create the role assignment.

To grant the Microsoft.KeyVault/vaults/deploy/action permission using the Azure CLI or PowerShell, see Grant permissions for template deployment.