Which two actions should you recommend?

You are designing an Azure resource deployment that will use Azure Resource Manager templates. The deployment will use Azure Key Vault to store secrets.

You need to recommend a solution to meet the following requirements:

Prevent the IT staff that will perform the deployment from retrieving the secrets directly from Key Vault.

Use the principle of least privilege.

Which two actions should you recommend? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A . Create a Key Vault access policy that allows all get key permissions, get secret permissions, and get certificate permissions.
B . From Access policies in Key Vault, enable access to the Azure Resource Manager for template deployment.
C . Create a Key Vault access policy that allows all list key permissions, list secret permissions, and list certificate permissions.
D . Assign the IT staff a custom role that includes the Microsoft.KeyVault/Vaults/Deploy/Action permission.
E . Assign the Key Vault Contributor role to the IT staff.

View Answer

Answer: B,D

Explanation:

B: To access a key vault during template deployment, set enabledForTemplateDeployment on the key vault to true.

D: The user who deploys the template must have the Microsoft.KeyVault/vaults/deploy/action permission for the scope of the resource group and

key vault.

Reference:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter

https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security