test14 Flashcards

1
Q

DRAG DROP -
You have an Azure subscription that contains two on-premises locations named site1 and site2.
You need to connect site1 and site2 by using an Azure Virtual WAN.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Actions
Create a virtual hub.
Create VPN sites.
Connect the virtual networks to the hub.
Create a Virtual WAN resource.
Connect the VPN sites to the hub.
Answer Area

A
2
Q

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy an Azure Kubernetes Service (AKS) cluster named AKS1.
You need to deploy a YAML file to AKS1.
Solution: From Azure Cloud Shell, you run az aks.
Does this meet the goal?

A. Yes
B. No

A
2
Q

HOTSPOT -
You have the following custom role-based access control (RBAC) role.
```json
{
  "id": "b988327b-7dae-4d00-8925-1cc14fd68be4",
  "properties": {
    "roleName": "Role1",
    "description": "",
    "assignableScopes": [
      "/subscriptions/c691ad84-99f2-42fd-949b-58afd7ef6ab3"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscription/resourceGroups/resources/read",
          "Microsoft.Resources/subscription/resourceGroups/read",
          "Microsoft.Resourcehealth/*",
          "Microsoft.Authorization/*/read",
          "Microsoft.Compute/*/read",
          "Microsoft.Support/*",
          "Microsoft.Authorization/*/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscription/resourceGroups/read",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/powerOff/action",
          "Microsoft.Compute/virtualMachines/deallocate/action",
          "Microsoft.Compute/virtualMachines/restart/action",
          "Microsoft.Compute/virtualMachines/*",
          "Microsoft.Compute/disks/*",
          "Microsoft.Compute/availabilitySets/*",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
          "Microsoft.Network/networkInterfaces/*",
          "Microsoft.Compute/snapshots/*"
        ],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action"
        ]
      }
    ]
  }
}
```
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Statements
Users that are assigned Role1 can assign Role1 to users.
Users that are assigned Role1 can deploy new virtual machines.
Users that are assigned Role1 can set a static IP address on a virtual machine.
Answer Area

A
2
Q

HOTSPOT -
You configure the custom role shown in the following exhibit.
```json
{
  "properties": {
    "roleName": "role1",
    "description": "",
    "roletype": "true",
    "assignableScopes": [
      "/subscriptions/3d6209d5-c714-4440-9556e-d6342086c2d7/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Compute/availabilitySets/*",
          "Microsoft.Compute/locations/*",
          "Microsoft.Compute/virtualMachines/*",
          "Microsoft.Compute/virtualMachineScaleSets/*",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Network/locations/*",
          "Microsoft.Network/networkInterfaces/*",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Support/*"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
To ensure that users can sign in to virtual machines that are assigned role1, modify the [answer choice] section:

Dropdown options:
actions
roletype
notActions
dataActions
notDataActions
assignableScopes
To ensure that role1 can be assigned only to a resource group named RG1, modify the [answer choice] section:

Dropdown options:
actions
roletype
notActions
dataActions
notDataActions
assignableScopes

A
2
Q

HOTSPOT:
You have an Azure subscription that contains the resources shown in the following table:

| Name | Type | Description |
|---|---|---|
| VNET1 | Virtual network | Contains subnet1 and subnet2 |
| subnet1 | Subnet | IP address space 10.3.0.0/24 |
| subnet2 | Subnet | IP address space 10.4.0.0/24 |
| NSG1 | Network security group (NSG) | None |
| vm1 | Virtual machine | IP address 10.3.0.15 |
| vm2 | Virtual machine | IP address 10.4.0.16 |
| storage1 | Storage account | None |

NSG1 is configured as shown in the following exhibit:

Inbound security rules:

| Priority | Name | Port | Protocol | Source | Destination | Action |
|---|---|---|---|---|---|---|
| 110 | HTTPS_VM1_Deny | 443 | TCP | Internet | 10.3.0.15 | Deny |
| 65000 | AllowVnetInBound | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
| 65001 | AllowAzureLoadBalancerInBound | Any | Any | AzureLoadBalancer | Any | Allow |
| 65500 | DenyAllInBound | Any | Any | Any | Any | Deny |

Outbound security rules:

| Priority | Name | Port | Protocol | Source | Destination | Action |
|---|---|---|---|---|---|---|
| 145 | Storage_Access | 443 | TCP | VirtualNetwork | Storage | Allow |
| 150 | Block_Internet | Any | Any | VirtualNetwork | Internet | Deny |
| 65000 | AllowVnetOutBound | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
| 65001 | AllowInternetOutBound | Any | Any | Any | Internet | Allow |
| 65500 | DenyAllOutBound | Any | Any | Any | Any | Deny |

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer Area
Statements Yes No
VM1 can access storage1. ( ) ( )
VM2 can access VM1 by using the HTTPS protocol. ( ) ( )
The security rules for NSG1 apply to any virtual machine on VNET1. ( ) ( )

A
3
Q

You have an Azure subscription named Sub1 that contains the resources shown in the following table.

| Name | Type |
|---|---|
| MG1 | Management group |
| RG1 | Resource group |
| VM1 | Virtual machine |

You create a user named Admin1.

To what can you add Admin1 as a co-administrator?
A. RG1
B. MG1
C. Sub1
D. VM1

A
4
Q

You have a Microsoft 365 tenant and an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to grant three users named User1, User2, and User3 access to a temporary Microsoft SharePoint document library named Library1.
You need to create groups for the users. The solution must ensure that the groups are deleted automatically after 180 days.
Which two groups should you create? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. a Microsoft 365 group that uses the Assigned membership type
B. a Security group that uses the Assigned membership type
C. a Microsoft 365 group that uses the Dynamic User membership type
D. a Security group that uses the Dynamic User membership type
E. a Security group that uses the Dynamic Device membership type

A
5
Q

HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table:

| Name | Member of | Role assigned |
|---|---|---|
| User1 | Group1 | None |
| User2 | Group2 | None |
| User3 | Group1, Group2 | User administrator |

You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit.
(Click the Password Reset tab.)

Self-service password reset enabled
None
Selected
All (Selected)
Select group
Group2
(Options displayed for groups)

Number of methods required to reset
1
2 (Selected)
Methods available to users
Mobile app notification
Mobile app code
Email
Mobile phone
Office phone
Security questions
Number of questions required to register
3
4
5 (Selected)
Number of questions required to reset
3 (Selected)
4
5
Select security questions
10 security questions selected.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Answer Area
Statements Yes No
After User2 answers three security questions correctly, he can reset his password immediately. ( ) ( )
If User1 forgets her password, she can reset the password by using the mobile phone app. ( ) ( )
User3 can add security questions to the password reset process. ( ) ( )

A
6
Q

You have an Azure subscription that has the Azure container registries shown in the following table.

| Name | Service tier |
|---|---|
| ContReg1 | Premium |
| ContReg2 | Standard |
| ContReg3 | Basic |

You plan to use ACR Tasks and configure private endpoint connections.
Which container registries support ACR Tasks and private endpoints? To answer, select the appropriate options in the answer area
NOTE: Each correct selection is worth one point.
Answer Area
ACR Tasks:
ContReg1 only
ContReg1 and ContReg2 only
ContReg1, ContReg2, and ContReg3
Private endpoints:
ContReg1 only
ContReg1 and ContReg2 only
ContReg1, ContReg2, and ContReg3

A
7
Q

You have an Azure subscription named Subscription1 that has the following providers registered:
- Authorization
- Automation
- Resources
- Compute
- KeyVault
- Network
- Storage
- Billing
- Web

Subscription1 contains an Azure virtual machine named VM1 that has the following configurations:
- Private IP address: 10.0.0.4 (dynamic)
- Network security group (NSG): NSG1
- Public IP address: None
- Availability set: AVSet
- Subnet: 10.0.0.0/24
- Managed disks: No
- Location: East US

You need to record all the successful and failed connection attempts to VM1.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Enable Azure Network Watcher in the East US Azure region.
B. Add an Azure Network Watcher connection monitor.
C. Register the MicrosoftLogAnalytics provider.
D. Create an Azure Storage account.
E. Register the Microsoft.Insights resource provider.
F. Enable Azure Network Watcher flow logs.

A
8
Q

Your company has two on-premises servers named SRV01 and SRV02. Developers have created an application that runs on SRV01. The application calls a service on SRV02 by IP address.
You plan to migrate the application to Azure virtual machines (VMs). You have configured two VMs on a single subnet in an Azure virtual network.
You need to configure the two VMs with static internal IP addresses.
What should you do?

A. Run the New-AzureRMVMConfig PowerShell cmdlet.
B. Run the Set-AzureSubnet PowerShell cmdlet.
C. Modify the VM properties in the Azure Management Portal.
D. Modify the IP properties in Windows Network and Sharing Center.
E. Run the Set-AzureStaticVNetIP PowerShell cmdlet.

A
9
Q

You have an Azure subscription that contains a storage account named storage1. The storage1 account contains a container named container1.

You need to configure access to container1. The solution must meet the following requirements:
* Only allow read access.
* Allow both HTTP and HTTPS protocols.
* Apply access permissions to all the content in the container.

What should you use?

A. an access policy
B. a shared access signature (SAS)
C. Azure Content Delivery Network (CDN)
D. access keys

A
10
Q

DRAG DROP -
You have a Microsoft Entra tenant.
You need to ensure that when a new Microsoft 365 group is created, the group name is automatically formatted as follows:
<Department><Group name>
Which three actions should you perform in sequence in the Microsoft Entra admin center? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Actions Answer Area
Set Add suffix to Attribute.
Create a group naming policy.
Set Add prefix to Attribute.
Set Add suffix to String.
Set Add prefix to String.
Set Select type to Department.
Customize the company branding.

A
11
Q

DRAG DROP-
You have downloaded an Azure Resource Manager (ARM) template to deploy numerous virtual machines (VMs). The ARM template is based on a current VM, but must be adapted to reference an administrative password.
You need to make sure that the password cannot be stored in plain text.
You are preparing to create the necessary components to achieve your goal.
Which of the following should you create to achieve your goal? Answer by dragging the correct option from the list to the answer area.
Select and Place:
Options

An Azure Key Vault
An Azure Storage account
Azure Active Directory (AD)
Identity Protection
An access policy
An Azure policy
A backup policy

Answer

A
12
Q

Your company has a main office in London that contains 100 client computers.
Three years ago, you migrated to Azure Active Directory (Azure AD).
The company’s security policy states that all personal devices and corporate-owned devices must be registered or joined to Azure AD.
A remote user named User1 is unable to join a personal device to Azure AD from a home network.
You verify that User1 was able to join devices to Azure AD in the past.
You need to ensure that User1 can join the device to Azure AD.
What should you do?

A. Assign the User administrator role to User1.
B. From the Device settings blade, modify the Maximum number of devices per user setting.
C. Create a point-to-site VPN from the home network of User1 to Azure.
D. From the Device settings blade, modify the Users may join devices to Azure AD setting.

A
13
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: You create a resource lock, and then you assign the lock to the subscription.
Does this meet the goal?

A. Yes
B. No

A
14
Q

HOTSPOT -
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table.

| Name | Role |
|---|---|
| SecAdmin1 | Security administrator |
| BillAdmin1 | Billing administrator |
| User1 | Reports reader |

You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
- Number of methods required to reset: 2
- Methods available to users: Mobile phone, Security questions
- Number of questions required to register: 3
- Number of questions required to reset: 3

You select the following security questions:
- What is your favorite food?
- In what city was your first job?
- What was the name of your first pet?

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area

| Statements | Yes | No |
|---|---|---|
| SecAdmin1 must answer the following question during the self-service password reset: In what city was your first job? | ○ | ○ |
| BillAdmin1 must answer the following question during the self-service password reset: What is your favorite food? | ○ | ○ |
| User1 must answer the following question during the self-service password reset: What was the name of your first pet? | ○ | ○ |

A
15
Q

HOTSPOT -
You have an Azure subscription named Subscription1. Subscription1 contains two Azure virtual machines VM1 and VM2. VM1 and VM2 run Windows Server 2016.
VM1 is backed up daily by Azure Backup without using the Azure Backup agent.
VM1 is affected by ransomware that encrypts data.
You need to restore the latest backup of VM1.
To which location can you restore the backup? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
You can perform a file recovery of
VM1 to:
VM1 only
VM1 or a new Azure virtual machine only
VM1 and VM2 only
A new Azure virtual machine only
Any Windows computer that has Internet connectivity
You can restore VM1 to:
VM1 only
VM1 or a new Azure virtual machine only
VM1 and VM2 only
Any Windows computer that has Internet connectivity

A
16
Q

You have an Azure virtual machine named VM1 and an Azure key vault named Vault1.

On VM1, you plan to configure Azure Disk Encryption to use a key encryption key (KEK).

You need to prepare Vault1 for Azure Disk Encryption.

Which two actions should you perform on Vault1? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Select Azure Virtual machines for deployment.
B. Create a new key.
C. Create a new secret.
D. Configure a key rotation policy.
E. Select Azure Disk Encryption for volume encryption.

A
17
Q

Your company has an Azure Active Directory (Azure AD) tenant that is configured for hybrid coexistence with the on-premises Active Directory domain.
The on-premises virtual environment consists of virtual machines (VMs) running on Windows Server 2012 R2 Hyper-V host servers.
You have created some PowerShell scripts to automate the configuration of newly created VMs. You plan to create several new VMs.
You need a solution that ensures the scripts are run on the new VMs.
Which of the following is the best solution?

A. Configure a SetupComplete.cmd batch file in the %windir%\setup\scripts directory.
B. Configure a Group Policy Object (GPO) to run the scripts as logon scripts.
C. Configure a Group Policy Object (GPO) to run the scripts as startup scripts.
D. Place the scripts in a new virtual hard disk (VHD).

A
18
Q

You have an Azure subscription that contains a virtual machine named VM1.

You need to back up VM1. The solution must ensure that backups are stored across three availability zones in the primary region.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Actions
Configure a replication policy.
Set Replication to Zone-redundant storage (ZRS).
For VM1, create a backup policy and configure the backup.
Set Replication to Locally-redundant storage (LRS).
Create a Recovery Services vault.
Answer Area

A
19
Q

HOTSPOT -
You need to ensure that User1 can create initiative definitions, and User4 can assign initiatives to RG2. The solution must meet the technical requirements.
Which role should you assign to each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
User1:
Contributor for RG1
Contributor for Sub1
Security Admin for RG1
Resource Policy Contributor for Sub1
User4:
Contributor for RG2
Contributor for Sub1
Security Admin for Sub1
Resource Policy Contributor for RG2

A
20
Q

You have an Azure subscription named Subscription1. Subscription1 contains the resource groups in the following table.

| Name | Azure region | Policy |
|---|---|---|
| RG1 | West Europe | Policy1 |
| RG2 | North Europe | Policy2 |
| RG3 | France Central | Policy3 |

RG1 has a web app named WebApp1. WebApp1 is located in West Europe.
You move WebApp1 to RG2.
What is the effect of the move?
A. The App Service plan for WebApp1 remains in West Europe. Policy2 applies to WebApp1.
B. The App Service plan for WebApp1 moves to North Europe. Policy2 applies to WebApp1.
C. The App Service plan for WebApp1 remains in West Europe. Policy1 applies to WebApp1.
D. The App Service plan for WebApp1 moves to North Europe. Policy1 applies to WebApp1.

A
21
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that has a point-to-site VPN connection to an Azure virtual network named VNet1. The point-to-site connection uses a self-signed certificate.
From Azure, you download and install the VPN client configuration package on a computer named Computer2.
You need to ensure that you can establish a point-to-site VPN connection to VNet1 from Computer2.
Solution: On Computer2, you set the Startup type for the IPSec Policy Agent service to Automatic.
Does this meet the goal?

A. Yes
B. No

A
22
Q

You download an Azure Resource Manager template based on an existing virtual machine. The template will be used to deploy 100 virtual machines.
You need to modify the template to reference an administrative password. You must prevent the password from being stored in plain text.
What should you create to store the password?

A. an Azure Key Vault and an access policy
B. an Azure Storage account and an access policy
C. a Recovery Services vault and a backup policy
D. Azure Active Directory (AD) Identity Protection and an Azure policy

A
23
Q

You have an Azure subscription that contains a storage account named storage. The storage account contains a blob that stores images.

Client access to storage1 is granted by using a shared access signature (SAS).

You need to ensure that users receive a warning message when they generate a SAS that exceeds a seven-day time period.

What should you do for storage?

A. Enable a read-only lock.
B. Configure an alert rule.
C. Add a lifecycle management rule.
D. Set Allow recommended upper limit for shared access signature (SAS) expiry interval to Enabled.

A
24
Q

You have an Azure subscription that contains two storage accounts named contoso101 and contoso102.
The subscription contains the virtual machines shown in the following table.

| Name | Connected to | Public IP address SKU |
|---|---|---|
| VM1 | VNet1/Subnet1 | Basic |
| VM2 | VNet1/Subnet2 | Standard |

VNet1 has service endpoints configured as shown in the Service endpoints exhibit. (Click the Service endpoints tab.)

VNet1 | Service endpoints

| Service | Subnet | Status | Locations |
|---|---|---|---|
| Microsoft.AzureActiveDirectory | Subnet2 | Succeeded | * |
| Microsoft.Storage | Subnet1 | Succeeded | * |

The Microsoft.Storage service endpoint has the service endpoint policy shown in the Microsoft.Storage exhibit. (Click the Microsoft.Storage tab.)

Create a service endpoint policy

Validation passed

Basics

| | |
|---|---|
| Subscription | Azure Pass - Sponsorship |
| Resource group | RG1 |
| Region | East US |
| Name | Policy1 |

Resources

| | |
|---|---|
| Microsoft.Storage | contoso101 (Storage account) |

Tags

None

For this policy to take effect, you will need to associate it to one or more subnets that have virtual network service endpoints. Please visit a virtual network in East US region and then select the subnets to which you would like to associate this policy.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.
Answer Area
Statements Yes No
VM1 can access contoso102.
VM2 can access contoso101.
VM2 uses a private IP address to access Azure AD.

A
25
Q

You have an Azure policy as shown in the following exhibit:
SCOPE
* Scope (Learn more about setting the scope)
Subscription 1
Exclusions
Subscription 1/ContosoRG1
BASICS
* Policy definition
Not allowed resource types
Assignment name
Not allowed resource types
Assignment ID
/subscriptions/5eb8d0b6-ce3b-4ce0-a631-9f5321bedabb/providers/Microsoft.Authorization/policyAssignments/0e6fb866bf854f54accae2a9
Description
Assigned by
admin1@contoso.com
PARAMETERS
* Not allowed resource types
Microsoft.Sql/servers
What is the effect of the policy?
A. You are prevented from creating Azure SQL servers anywhere in Subscription 1.
B. You can create Azure SQL servers in ContosoRG1 only.
C. You are prevented from creating Azure SQL Servers in ContosoRG1 only.
D. You can create Azure SQL servers in any resource group within Subscription 1.

A
26
Q

You have an Azure subscription linked to an Azure Active Directory tenant. The tenant includes a user account named User1.
You need to ensure that User1 can assign a policy to the tenant root management group.
What should you do?

A. Assign the Owner role for the Azure Subscription to User1, and then modify the default conditional access policies.
B. Assign the Owner role for the Azure subscription to User1, and then instruct User1 to configure access management for Azure resources.
C. Assign the Global administrator role to User1, and then instruct User1 to configure access management for Azure resources.
D. Create a new management group and delegate User1 as the owner of the new management group.

A
27
Q

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that contains 10 virtual networks. The virtual networks are hosted in separate resource groups.
Another administrator plans to create several network security groups (NSGs) in the subscription.
You need to ensure that when an NSG is created, it automatically blocks TCP port 8080 between the virtual networks.
Solution: From the Resource providers blade, you unregister the Microsoft.ClassicNetwork provider.
Does this meet the goal?

A. Yes
B. No

A
28
Q

You have an Azure AD tenant named contoso.com.

You have an Azure subscription that contains an Azure App Service web app named App1 and an Azure key vault named KV1. KV1 contains a wildcard certificate for contoso.com.

You have a user named user1@contoso.com that is assigned the Owner role for App1 and KV1.

You need to configure App1 to use the wildcard certificate of KV1.

What should you do first?

A. Create an access policy for KV1 and assign the Microsoft Azure App Service principal to the policy.
B. Assign a managed user identity to App1.
C. Configure KV1 to use the role-based access control (RBAC) authorization system.
D. Create an access policy for KV1 and assign the policy to User1.

A