Microsoft AZ-500 (Azure Security)

Governance & Key Management

38 free practice questions with explanations

PassNova has 38 free Microsoft AZ-500 (Azure Security) practice questions on Governance & Key Management, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Governance & Key Management: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 38 free in the browser.

  1. Which Azure governance feature lets you audit or deny the creation of resources that do not meet organizational standards, such as requiring a specific tag or blocking public IP addresses?

    • A A resource lock
    • B Azure Policy
    • C A network security group
    • D Microsoft Entra PIM

    Answer: Azure Policy evaluates resources against rules and can audit non-compliant resources or use a deny effect to block creation that violates standards, such as missing tags or disallowed resource types. Resource locks only prevent deletion or modification of existing resources.

  2. You want to deploy a consistent set of policy assignments, role assignments, and resource templates as a single repeatable package across new subscriptions. Which Azure governance capability is designed for this?

    • A A management lock
    • B Azure Advisor
    • C Azure Blueprints
    • D A single resource group

    Answer: Azure Blueprints package artifacts such as policy assignments, role assignments, and ARM templates so a compliant environment can be deployed repeatably and tracked across subscriptions. Resource groups and locks do not orchestrate governance artifacts.

  3. You want to use your own key from Azure Key Vault to encrypt Azure Storage data at rest instead of a Microsoft-managed key. Which feature provides this?

    • A Client-side encryption only
    • B A user delegation SAS
    • C Azure Disk Encryption
    • D Customer-managed keys for storage encryption

    Answer: Customer-managed keys let you control the encryption key for storage service encryption by storing it in Azure Key Vault, including rotation and revocation. Azure Disk Encryption applies to VM disks, not storage account blob and file data.

  4. You need to store cryptographic keys in hardware security modules validated to FIPS 140-2 Level 3 for a compliance requirement. Which Azure Key Vault option should you choose?

    • A A storage account with infrastructure encryption
    • B A Microsoft Entra application certificate
    • C The standard tier with software-protected keys
    • D The premium tier with HSM-protected keys

    Answer: The Key Vault premium tier stores keys in hardware security modules validated to FIPS 140-2 Level 3, meeting stricter compliance needs. The standard tier protects keys in software, which does not satisfy the HSM requirement.

  5. To prevent secrets in Azure Key Vault from being permanently lost if deleted, which two related protections should be enabled?

    • A RBAC and access policies
    • B Logging and metrics
    • C Soft delete and purge protection
    • D Firewall and private endpoint

    Answer: Soft delete retains deleted vaults and objects for a recovery period, and purge protection blocks permanent deletion until that period elapses, together guarding against accidental or malicious loss. Firewalls and RBAC control access, not recoverability.

  6. Which assignment grants the least privilege for a user who only needs to read secret values from an Azure Key Vault that uses the Azure RBAC permission model?

    • A Contributor on the resource group
    • B Key Vault Secrets User
    • C Owner on the key vault
    • D Key Vault Administrator

    Answer: The Key Vault Secrets User role grants read access to secret contents only, following least privilege. Owner, Contributor, and Key Vault Administrator grant far broader permissions than required.
