Exam AZ-104 topic 2 question 78 discussion

It should be A, I just created a storage account, then created a file share, went to IAM, and it says : To give individual accounts access to the file share (Kerberos), enable identity-based authentication for the storage account.

After arguing with ChatGPT here is the answer: The correct steps to assign User1 the Storage File Data SMB Share Contributor role for share1 are: 1. Enable identity-based data access for the file shares in storage1. 2. Configure Access control (IAM) for share1 and add User1 as a role assignment with the Storage File Data SMB Share Contributor role. So the correct answer is A.

To assign User1 the Storage File Data SMB Share Contributor role for share1 (a file share in storage1), you first need to enable identity-based data access for file shares in storage1. This is required so that you can use Azure AD-based authentication for accessing the file shares. Once identity-based access is enabled, Azure Active Directory (Azure AD) users like User1 can be assigned roles such as Storage File Data SMB Share Contributor to control access to Azure file shares. You will eventually need to assign the role to User1 using IAM, but first, you must enable identity-based access to the file shares.

chatgpt To assign User1 the Storage File Data SMB Share Contributor role for share1, the first step is to ensure that Azure Active Directory (AD)-based authentication is enabled for the file shares. This allows Azure AD users to be authenticated when accessing the file shares using SMB. In this scenario, the correct action to perform first is: A. Enable identity-based data access for the file shares in storage1. Explanation: Azure Files supports Azure AD-based access control for file shares using SMB. However, before you can assign roles like Storage File Data SMB Share Contributor, you need to enable identity-based access for the file shares within the storage account (storage1 in this case). Once identity-based access is enabled, you can then assign roles such as Storage File Data SMB Share Contributor to Azure AD users like User1, granting them the necessary permissions on share1.

I think I'm going to go with A based on the following information I found when I search the differences between identity-based access and access control IAM: Identity and Access Management (IAM) IAM is a cybersecurity discipline that manages how users access digital resources and what they can do with them. IAM systems verify users' identities and ensure that they have the correct permissions to do their jobs. IAM can also integrate with AI-based cybersecurity tools to analyze data for potential cyber attacks. Access control Access control is a data security process that manages who has access to corporate data and resources. Access control uses policies to verify users' identities and grant them the appropriate level of access. Access control is important for applications that have different levels of authorization for different users.

it´s A as the first step D comes next

It should be D. In the lab, I created following : 1. A user 2. A new storage account 3. A new file share. Then, I went to file share > IAM > Add role assignment > Members > (newly created user) > Role > (search for given role) > select > review+assign > done. No error, nothing.

A. Enable identity-based data access for the file shares in storage1

Tested - Was able to assign the role in Access Control (IAM) without enabling identity-based authentication.

A is correct key words are what should you do first, A is done first before D.

Answer is D. Stop saying A. It is very clea in Microsfot Documentation ( https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal ) Step 2: Open the Add role assignment page (Answer D) Step 3: Select the appropriate role (Answer A)

To assign the SMB Share Contributor role to user1 for Share1, you can follow these steps1: 1. Go to the Azure portal: Log in to your Azure portal. 2. Navigate to the storage account: Browse to the storage account (storage1) that contains the file share (Share1) you created previously1. 3. Select Access Control (IAM): This is where you can manage access to your resources1. 4. Add a role assignment: Select ‘+ Add’, then select ‘Add role assignment’ from the drop-down menu1. 5. Select the role and assign it to the user: In the ‘Add role assignment’ blade, select the ‘Storage File Data SMB Share Contributor’ role from the Role list1. Then, in the ‘Select members’ field, search for and select user11. 6. Review and assign: Review the role assignment details and then click 'Assign’1.

To add RBAC role you just need to assign the role to any Entra user through IAM Kerberos access is a different topic don't confuse this with RBAC

A is correct because this setting allows Azure AD-based authentication for the file shares, which is a prerequisite for assigning roles based on Azure AD identities.

D. Configure Access control (IAM) for share1. Here’s why: Configure Access control (IAM): In Azure, roles such as the Storage File Data SMB Share Contributor are assigned through the Access control (IAM) settings. This process involves selecting the appropriate role and assigning it to a user or group for a specific resource, which in this case is the file share named share1.

Option C: Select Default to Azure Active Directory authorization in the Azure portal for storage1 - This option is the most straightforward and necessary initial step for setting up Azure AD-based authorization. It directly configures the storage account to use Azure AD for access control, which is a prerequisite for assigning Azure AD roles to manage access to file shares.

A is right