Azure Key Vault - PowerShell Parameters for Object Retention | Exam AZ-204

Azure Key Vault Object Retention Parameters

Question

You are creating an Azure key vault using PowerShell.

Objects deleted from the key vault must be kept for a set period of 90 days.

Which two of the following parameters must be used in conjunction to meet the requirement? (Choose two.)

Answer

EnableSoftDelete and EnablePurgeProtection, used together. The explanation follows the second question below.

https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/new-azurermkeyvault
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete

You want to implement multi-factor authentication by making use of a conditional access policy.

The conditional access policy must be applied to all users when they access the Azure portal.

Which three settings should you configure? To answer, select the appropriate settings in the answer area.

NOTE: Each correct selection is worth one point.

Answer Area (screenshot of the "New conditional access policy" blade; the image itself is not reproduced here, only its labels)

Name: MFA required for Azure portal access

Assignments
  Users and groups: 0 users selected
  Cloud apps: 0 apps selected
  Conditions: 0 conditions selected

Access controls
  Grant: 0 controls selected
  Session

Box 1: Under Assignments, the conditional access policy must be assigned to Users and groups (all users).

Box 2: Under Cloud apps, the policy must target the Azure portal. The portal is represented by the cloud app named Microsoft Azure Management, so that app is the one to include.

Box 3: Under Access controls, Grant must be set to require multi-factor authentication. Conditions and Session do not need to be configured for this requirement.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa
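The same three settings expressed as a policy object, as an added example that is not part of the original page: it creates the policy with the Microsoft Graph PowerShell SDK instead of the portal, starts it in report-only mode, and reads it back so the three assignments can be checked before enforcement. The break-glass account object ID is a placeholder and the module/scopes in the comments are assumptions about your environment; the app ID for Microsoft Azure Management is the Windows Azure Service Management API first-party application.

```powershell
# Added example (not from the original page): create the "MFA required for Azure
# portal access" policy with the Microsoft Graph PowerShell SDK.
# Requires (assumed): Install-Module Microsoft.Graph.Identity.SignIns and
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder, assumed

$policy = @{
    displayName = 'MFA required for Azure portal access'
    # Start in report-only so a mistake cannot lock admins out; flip to 'enabled'
    # after reviewing the sign-in logs.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Box 1: assigned to all users, minus an emergency-access account so a
        # broken MFA registration cannot lock every administrator out.
        users        = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassObjectId)
        }
        # Box 2: the cloud app "Microsoft Azure Management", i.e. the
        # Windows Azure Service Management API first-party application.
        applications = @{
            includeApplications = @('797f4846-ba00-4fd7-ba43-dac1f8f63013')
        }
    }
    # Box 3: grant access only when MFA has been satisfied.
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the saved policy back and confirm the three settings before enabling it.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Name  = $check.DisplayName
    State = $check.State
    Users = ($check.Conditions.Users.IncludeUsers -join ',')
    Apps  = ($check.Conditions.Applications.IncludeApplications -join ',')
    Grant = ($check.GrantControls.BuiltInControls -join ',')
}
```

Report-only mode and the excluded emergency-access account are the two safeguards a practitioner adds that the exam answer omits; without them, a tenant-wide MFA policy on the management plane can lock out the very administrators who would fix it.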

Explanation for the Key Vault question above

To keep deleted objects for a set period of 90 days, you must use the EnableSoftDelete and EnablePurgeProtection parameters together.

  • EnableSoftDelete: enables soft delete on the vault. A deleted key, secret or certificate moves into a deleted, recoverable state instead of being destroyed immediately, and stays recoverable for the vault's retention period (90 days by default). When the azurerm module referenced by this question was current, soft delete was off by default and had to be switched on with this parameter; the Azure service now enables soft delete on every new vault and it cannot be disabled, and the successor cmdlet New-AzKeyVault exposes the period as -SoftDeleteRetentionInDays (7 to 90 days).

  • EnablePurgeProtection: enables purge protection, which prevents a deleted object (or the vault itself) from being purged before the retention period has expired, even by a principal that holds the purge permission. Purge protection requires soft delete, is disabled by default, and once enabled cannot be turned off again, so treat it as a one-way change.

Using both together guarantees that deleted objects remain recoverable for the full 90-day retention period and only then become eligible for permanent removal. Soft delete alone would still let a privileged user purge a deleted object early, which would violate the requirement.

The other two parameters, EnabledForDeployment and EnabledForTemplateDeployment, are unrelated to retention; they are access flags for Azure platform services:

  • EnabledForDeployment: allows the Microsoft.Compute resource provider to retrieve certificates stored as secrets from the vault when a virtual machine is created or updated.
  • EnabledForTemplateDeployment: allows Azure Resource Manager to retrieve secrets from the vault when they are referenced from a template deployment.
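The requirement carried through end to end, as an added example that is not part of the original page: it creates the vault with the current Az module (the azurerm form the question is written against is shown in a comment), verifies the retention settings on the created vault, then deletes a secret and demonstrates that an early purge is rejected while recovery still works. The resource group, vault name and region are placeholders and are assumptions; the cmdlets and parameters are the documented Az.KeyVault ones.

```powershell
# Added example (not from the original page): a vault that keeps deleted objects
# for 90 days and cannot have them purged early, with the behaviour checked.
# Requires (assumed): Install-Module Az.KeyVault; Connect-AzAccount; an existing
# resource group; Key Vault permissions to create, delete, purge and recover secrets.

$rg       = 'rg-keyvault-demo'        # assumed resource group name
$vault    = 'kv-retention-demo-001'   # assumed; vault names must be globally unique
$location = 'westeurope'              # assumed

# Legacy form used by the exam question (AzureRM module):
#   New-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg -Location $location `
#       -EnableSoftDelete -EnablePurgeProtection
# Current Az form: soft delete is always on, so only the period and purge
# protection need stating. Purge protection cannot be removed once set.
New-AzKeyVault -VaultName $vault -ResourceGroupName $rg -Location $location `
    -SoftDeleteRetentionInDays 90 -EnablePurgeProtection | Out-Null

# Verify the retention settings actually landed on the vault.
$kv = Get-AzKeyVault -VaultName $vault
if (-not $kv.EnableSoftDelete -or $kv.SoftDeleteRetentionInDays -ne 90 -or -not $kv.EnablePurgeProtection) {
    throw "Vault $vault does not meet the 90-day retention requirement"
}

# Create a secret, delete it, and confirm it is recoverable rather than gone.
$value = ConvertTo-SecureString 'example-value' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name 'demo-secret' -SecretValue $value | Out-Null
Remove-AzKeyVaultSecret -VaultName $vault -Name 'demo-secret' -Force

$deleted = Get-AzKeyVaultSecret -VaultName $vault -Name 'demo-secret' -InRemovedState
'Deleted on {0}, scheduled purge on {1}' -f $deleted.DeletedDate, $deleted.ScheduledPurgeDate

# With purge protection on, the service rejects an early purge of the deleted secret.
try {
    Remove-AzKeyVaultSecret -VaultName $vault -Name 'demo-secret' -InRemovedState -Force -ErrorAction Stop
    Write-Warning 'Purge succeeded: purge protection is NOT in effect on this vault'
} catch {
    "Purge blocked as expected: $($_.Exception.Message)"
}

# Recover the secret within the retention window.
Undo-AzKeyVaultSecretRemoval -VaultName $vault -Name 'demo-secret' | Out-Null
Get-AzKeyVaultSecret -VaultName $vault -Name 'demo-secret' | Select-Object Name, Enabled, Updated
```

The -ErrorAction Stop on the purge attempt matters: Key Vault cmdlets raise non-terminating errors by default, so without it the try/catch would not see the rejection and the warning branch would run regardless of what the service did.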