🔐 Azure Key Vault - AZ-204 Practice Questions

Implement secure cloud solutions using Azure Key Vault for secrets, keys, and certificates management.

26 Questions Available
1 Exam Domain


AZ-204 Key Vault Question Bank (26 Questions)

Browse all 26 practice questions covering Azure Key Vault for the AZ-204 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 - Develop Azure compute solutions

    How should a developer configure Azure Functions to use a User-Assigned Managed Identity for accessing Azure Key Vault?

    A. Store the Key Vault secret in App Settings
    B. Assign the User-Assigned Managed Identity to the Function App, grant it Key Vault Secrets Officer role, then use DefaultAzureCredential() in code which selects the managed identity automatically
    C. Use a client certificate stored in App Service
    D. Configure IP restrictions on Key Vault to allow only Function App IPs

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

  2. Question 2 - Develop Azure compute solutions

    What Azure App Service feature allows injecting secrets from Azure Key Vault directly as environment variables without code changes?

    A. App Service Key Vault integration add-on
    B. Key Vault references in Application Settings — use @Microsoft.KeyVault(SecretUri=https://...) as the value for any App Setting
    C. Azure Functions Key Vault binding
    D. App Service Managed Certificate feature

  3. Question 3 - Implement Azure security

    What is Azure Key Vault 'certificate' management and how do developers use it?

    A. Storing SSL certificates for manual download and installation
    B. Managing the full lifecycle of X.509 certificates (creation, renewal, import); apps retrieve current certificate versions via Key Vault SDK or bind certificates directly to App Service/AKS
    C. Providing public CA services
    D. Issuing Azure AD app registration certificates

  4. Question 4 - Implement Azure security

    A developer needs their App Service to access Azure Key Vault secrets without storing credentials anywhere. What is the correct approach?

    A. Store a client secret in application settings and reference it in code
    B. Enable a system-assigned Managed Identity and grant it Key Vault Secrets User role
    C. Use the Key Vault access policy with the app's IP address
    D. Hard-code the Key Vault URI in the connection string

  5. Question 5 - Implement Azure security

    A developer needs to ensure that a Key Vault secret is automatically rotated every 90 days. Which Key Vault feature should they configure?

    A. Soft delete policy
    B. Rotation policy on the secret
    C. Backup and restore
    D. Purge protection

  6. Question 6 - Implement Azure security

    A developer stores a certificate in Azure Key Vault. Which SDK class allows downloading the certificate with its private key?

    A. SecretClient (retrieving the certificate as a secret)
    B. CertificateClient.GetCertificateAsync()
    C. KeyClient.GetKeyAsync()
    D. BlobClient

  7. Question 7 - Implement Azure security

    A developer wants to prevent Key Vault secrets from being permanently deleted, even by an administrator, for a minimum retention period. Which feature should be enabled?

    A. Soft delete with 90-day retention
    B. Purge protection
    C. Private endpoint for Key Vault
    D. Firewall rules

  8. Question 8 - Develop for Azure storage

    A developer needs to import a PFX certificate into Azure Key Vault and retrieve it for use in an application. Which SDK client and method should be used to import it?

    A. SecretClient.SetSecretAsync() with base64-encoded PFX
    B. CertificateClient.ImportCertificateAsync() with ImportCertificateOptions containing the PFX bytes
    C. KeyClient.ImportKeyAsync()
    D. BlobClient.UploadAsync() to blob storage

  9. Question 9 - Implement Azure security

    A developer needs to obtain an access token for Azure Key Vault from inside an Azure VM with a system-assigned Managed Identity. Which endpoint should they call?

    A. https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    B. http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net
    C. https://vault.azure.net/.well-known/openid-configuration
    D. http://localhost:50342/oauth2/token

  10. Question 10 - Implement Azure security

    A developer needs to prevent a Key Vault secret from being accessed outside of business hours. Which Azure feature enables time-based access control?

    A. Key Vault network firewall rules
    B. Azure AD Conditional Access policy restricting Key Vault access by time of day
    C. Key Vault secret version expiry
    D. Key Vault access policy with time conditions

  11. Question 11 - Implement Azure security

    What is 'Azure AD Managed Identity' vs 'Service Principal with secret' for application authentication?

    A. Managed Identity has more permissions
    B. Managed Identity credentials are managed and rotated by Azure automatically with no stored secrets; Service Principal with secret requires manual secret rotation and secure storage of the secret value
    C. Service Principal is more secure than Managed Identity
    D. Managed Identity can only be used by Azure Functions

  12. Question 12 - Implement Azure security

    Your application needs to connect to Azure Key Vault without storing any credentials in code or configuration. What should you use?

    A. A connection string stored in App Settings
    B. A Managed Identity assigned to the app
    C. A service principal with a client secret in appsettings.json
    D. An SAS token stored in environment variables

  13. Question 13 - Implement Azure security

    Which Azure Key Vault object type should be used to store a database connection string?

    A. Key
    B. Certificate
    C. Secret
    D. Policy

  14. Question 14 - Implement Azure security

    Which Azure Key Vault operation allows a developer to decrypt data that was encrypted with a Key Vault key without the key material ever leaving the vault?

    A. Decrypt — wrapping the ciphertext in the KV REST API; KV performs the decryption inside the HSM and returns plaintext
    B. Get Key — retrieves the key for local decryption
    C. Download Key — exports the key for SDK decryption
    D. Import Key — reimports decrypted key material

  15. Question 15 - Implement Azure security

    A developer stores a connection string in Azure Key Vault and wants to rotate it without application restart. How can Azure App Service Key Vault references handle this?

    A. Application restart is always required for secret rotation
    B. App Service Key Vault references can be configured to reload automatically (Secret Version='' to always use the latest version); App Service periodically refreshes the secret value
    C. The application must call Key Vault SDK to get the new value
    D. Secret rotation requires a new App Service deployment

  16. Question 16 - Develop Azure compute solutions

    Which identity type should a developer use when writing a background service that runs in an Azure VM and needs to access Key Vault?

    A. Application client_id + secret stored in VM environment variables
    B. System-assigned Managed Identity on the VM; grant Key Vault access to the MI; use DefaultAzureCredential in code to automatically use the VM's managed identity
    C. A developer's personal Azure AD account
    D. A service principal with certificate stored on the VM disk

  17. Question 17 - Implement Azure security

    What does 'az keyvault secret set' do for a developer?

    A. Creates a new Key Vault
    B. Creates or updates a secret in an Azure Key Vault with the specified name and value
    C. Lists all secrets in a Key Vault
    D. Rotates a Key Vault secret automatically

  18. Question 18 - Implement Azure security

    How does a developer implement Azure Key Vault access using C# SDK without storing credentials?

    A. Store client_id and secret in appsettings.json
    B. Use new SecretClient(new Uri(kvUri), new DefaultAzureCredential()) — DefaultAzureCredential automatically selects the appropriate credential (Managed Identity, VS IDE, CLI, env vars) based on environment
    C. Store a certificate thumbprint in code
    D. Use a hardcoded connection string

  19. Question 19 - Implement Azure security

    What is Azure Key Vault 'soft delete' and 'purge protection'?

    A. Soft delete backs up keys to Azure Storage; purge protection encrypts deleted keys
    B. Soft delete retains deleted Key Vault items (secrets, keys, certs) for a configurable retention period (7-90 days) allowing recovery; purge protection prevents permanently deleting soft-deleted items until retention expires
    C. Soft delete sends deleted items to a recycle bin; purge protection requires approval for deletion
    D. Both are billing protection features

  20. Question 20 - Develop for Azure storage

    A developer needs to set a stored access policy on a Blob Storage container to allow revoking all SAS tokens without regenerating the account key. How is this done?

    A. Create a stored access policy and reference it in SAS tokens; delete the policy to revoke
    B. Rotate the storage account key
    C. Set a blob expiry date in the lifecycle policy
    D. Disable public access on the container

  21. Question 21 - Implement Azure security

    Which Azure Key Vault object type should be used to store a database connection string securely?

    A. Key
    B. Secret
    C. Certificate
    D. Managed HSM key

  22. Question 22 - Implement Azure security

    A developer implements a user-assigned Managed Identity instead of a system-assigned one. What is the key advantage?

    A. It is created automatically when the resource is created
    B. It can be shared across multiple Azure resources and has a lifecycle independent of any single resource
    C. It provides stronger encryption than system-assigned identities
    D. It does not require RBAC role assignments

  23. Question 23 - Implement Azure security

    A developer stores a cryptographic key in Azure Key Vault and needs to use it to sign data without the key leaving Key Vault. Which SDK operation should be used?

    A. KeyClient.GetKeyAsync() then sign locally
    B. CryptographyClient.SignAsync() with the key identifier
    C. SecretClient.GetSecretAsync() and parse the key
    D. CertificateClient.GetCertificateAsync()

  24. Question 24 - Implement Azure security

    A developer deploys a Key Vault in a production subscription. They want to ensure the Key Vault cannot be deleted even if a developer accidentally runs az keyvault delete. Which two features must be enabled?

    A. Soft delete only
    B. Purge protection only
    C. Both soft delete AND purge protection
    D. Firewall rules and private endpoints

  25. Question 25 - Implement Azure security

    A developer needs to restrict access to an Azure Key Vault to only allow calls from a specific virtual network subnet. Which feature should be configured?

    A. Key Vault access policy with subnet filter
    B. Key Vault network ACLs with virtual network service endpoint or private endpoint
    C. Azure AD Conditional Access policy
    D. Key Vault firewall with IP rules only

  26. Question 26 - Develop for Azure storage

    A developer needs to ensure that a blob uploaded to Azure Storage is encrypted with a customer-managed key stored in Azure Key Vault. Which feature must be configured on the storage account?

    A. Storage Service Encryption with Microsoft-managed keys
    B. Customer-managed keys (CMK) using Azure Key Vault in the encryption settings
    C. Storage account SAS token with encryption flag
    D. Azure Disk Encryption


Key Key Vault Concepts for AZ-204

key vault, secret, key, certificate, managed identity, access policy, RBAC, rotation

AZ-204 Key Vault Exam Tips

Azure Key Vault questions in AZ-204 are typically scenario-based. Focus on Azure application development, integration services, authentication, and runtime reliability. Priority concepts: key vault, secret, key, certificate, managed identity, access policy.

What AZ-204 Expects

  • Anchor your answer in this principle: choose managed developer services that simplify secure integration and deployment.
  • Key Vault scenarios for AZ-204 are frequently mapped to Domain 3 (20-25%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Key Vault interacts with identity, networking, governance, or monitoring patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value Key Vault Concepts

  • Know the core Key Vault building blocks cold: key vault, secret, key, certificate.
  • Review the edge-case features and limits for managed identity and access policy; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Key Vault pairs with Identity and Blob Storage in real deployment patterns.
  • For AZ-204, explain why the chosen Key Vault design meets reliability, security, and cost expectations better than the alternatives.

Common AZ-204 Traps

  • Watch out for infrastructure-heavy answers to app-level requirements.
  • Questions in Implement Azure Security often include distractors that look correct for Key Vault but violate least-privilege, compliance, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Key Vault implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Implement Azure Security (20-25%) outcomes for AZ-204?
  • Can you explain security and access boundaries for Key Vault without relying on default-open assumptions?
  • Can you describe how Key Vault integrates with Identity and Blob Storage during failure, scaling, and monitoring events?
