It should be A,
I just created a storage account,
then created a file share,
went to IAM,
and it says: To give individual accounts access to the file share (Kerberos), enable identity-based authentication for the storage account.
Still in 2024, is A correct
3. In the File share settings section, select Identity-based access: Not configured.
4. Under Microsoft Entra Domain Services select Set up, then enable the feature by ticking the checkbox.
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-domain-services-enable?tabs=azure-portal#enable-microsoft-entra-domain-services-authentication-for-your-account
A is correct. I am getting the same message when I go to IAM on the file share.
'To give individual accounts access to the file share (Kerberos), enable identity-based authentication for the storage account'
But it's not asking how to give access, it's asking what to do first. So don't you need to configure the access control before enabling identity-based data access for the file shares in storage1?
I also thought it was A. Then I freaked and started doubting when I saw the Vote Distribution being 50-50 between A & D. Thanks for testing and confirming for us. Correct answer should be A then!
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
How it works
Azure file shares use the Kerberos protocol to authenticate with an AD source.
You can enable identity-based authentication on your new and existing storage accounts using one of three AD sources: AD DS, Azure AD DS, or Azure AD Kerberos (hybrid identities only). Only one AD source can be used for file access authentication on the storage account, which applies to all file shares in the account. Before you can enable identity-based authentication on your storage account, you must first set up your domain environment.
After arguing with ChatGPT here is the answer:
The correct steps to assign User1 the Storage File Data SMB Share Contributor role for share1 are:
1. Enable identity-based data access for the file shares in storage1.
2. Configure Access control (IAM) for share1 and add User1 as a role assignment with the Storage File Data SMB Share Contributor role.
So the correct answer is A.
Today, Feb 2025, I could add the Storage File Data SMB Share Contributor role for a user without enabling identity-based data access for the file shares in storage1.
D is correct
C. Select Default to Azure Active Directory authorization in the Azure portal for storage1: While this step is necessary, it comes after enabling identity-based data access. Without enabling identity-based access first, this setting alone won't work.
By the way, if I need to wait for moderator approval of my comment, why are comments with wrong answers visible? I see a lot of new comments (1-6 months ago): "YEA I HAD A CHAT WITH CHAT GPT THE ANSWER IS 100% A" - Hollllyyy and the price is higher and higher....
Correct answer is D
I tried the same way as macrawat; however, in my case it works: inside the created file share "share1" I was able to grant access to a user from IAM. The state of identity-based access is "Not configured", as in the screenshot from the Microsoft doc
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-domain-services-enable?tabs=azure-portal
Just reproduced in a lab with a new storage account.
Identity-based access can be enabled in two steps for a particular share in this storage account. This allows individual users to use their Active Directory or Microsoft Entra account to gain access to a specific file share.
Step 1: Enable an identity source
To assign User1 the Storage File Data SMB Share Contributor role for share1 (a file share in storage1), you first need to enable identity-based data access for file shares in storage1. This is required so that you can use Azure AD-based authentication for accessing the file shares.
Once identity-based access is enabled, Azure Active Directory (Azure AD) users like User1 can be assigned roles such as Storage File Data SMB Share Contributor to control access to Azure file shares.
You will eventually need to assign the role to User1 using IAM, but first, you must enable identity-based access to the file shares.
chatgpt
To assign User1 the Storage File Data SMB Share Contributor role for share1, the first step is to ensure that Azure Active Directory (AD)-based authentication is enabled for the file shares. This allows Azure AD users to be authenticated when accessing the file shares using SMB.
In this scenario, the correct action to perform first is:
A. Enable identity-based data access for the file shares in storage1.
Explanation:
Azure Files supports Azure AD-based access control for file shares using SMB. However, before you can assign roles like Storage File Data SMB Share Contributor, you need to enable identity-based access for the file shares within the storage account (storage1 in this case).
Once identity-based access is enabled, you can then assign roles such as Storage File Data SMB Share Contributor to Azure AD users like User1, granting them the necessary permissions on share1.
I think I'm going to go with A based on the following information I found when I searched for the differences between identity-based access and access control (IAM):
Identity and Access Management (IAM)
IAM is a cybersecurity discipline that manages how users access digital resources and what they can do with them. IAM systems verify users' identities and ensure that they have the correct permissions to do their jobs. IAM can also integrate with AI-based cybersecurity tools to analyze data for potential cyber attacks.
Access control
Access control is a data security process that manages who has access to corporate data and resources. Access control uses policies to verify users' identities and grant them the appropriate level of access. Access control is important for applications that have different levels of authorization for different users.
It should be D.
In the lab, I created the following:
1. A user
2. A new storage account
3. A new file share.
Then, I went to file share > IAM > Add role assignment > Members > (newly created user) > Role > (search for given role) > select > review+assign > done.
No error, nothing.
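
An added audit sketch, not from the thread or from Microsoft's documentation, for the disagreement above: several commenters could create the role assignment in IAM while identity-based access was "Not configured", whereas the portal message quoted in the thread ties Kerberos access for individual accounts to identity-based authentication on the storage account. It lists SMB share role assignments that sit on accounts with no identity source; the JSON field names are assumed to match Azure CLI output, and all sample data is constructed.

```python
# Share-level RBAC roles that Azure Files uses for identity-based SMB access.
SMB_SHARE_ROLES = {
    "Storage File Data SMB Share Reader",
    "Storage File Data SMB Share Contributor",
    "Storage File Data SMB Share Elevated Contributor",
}

def account_from_scope(scope):
    """Return the storage account name embedded in an ARM scope, or None."""
    parts = scope.strip("/").split("/")
    lowered = [p.lower() for p in parts]
    if "storageaccounts" in lowered:
        idx = lowered.index("storageaccounts")
        if idx + 1 < len(parts):
            return parts[idx + 1]
    return None

def identity_source(account):
    """Return the configured AD source, or None when it is not configured."""
    # Assumed field names, as in `az storage account show` JSON output.
    auth = account.get("azureFilesIdentityBasedAuthentication") or {}
    option = auth.get("directoryServiceOptions") or "None"
    return None if option == "None" else option

def audit(accounts, assignments):
    """List (principal, role, account) for SMB roles on accounts with no source."""
    sources = {a["name"].lower(): identity_source(a) for a in accounts}
    findings = []
    for ra in assignments:
        if ra.get("roleDefinitionName") not in SMB_SHARE_ROLES:
            continue
        name = account_from_scope(ra.get("scope", ""))
        if name and name.lower() in sources and sources[name.lower()] is None:
            findings.append((ra["principalName"], ra["roleDefinitionName"], name))
    return findings

# Constructed sample data (placeholder subscription id, example principals).
_BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
         "/providers/Microsoft.Storage/storageAccounts/")
ACCOUNTS = [
    {"name": "storage1", "azureFilesIdentityBasedAuthentication": None},
    {"name": "storage2",
     "azureFilesIdentityBasedAuthentication": {"directoryServiceOptions": "AADKERB"}},
]
ASSIGNMENTS = [
    {"principalName": "user1@contoso.example", "roleDefinitionName": "Storage File Data SMB Share Contributor",
     "scope": _BASE + "storage1/fileServices/default/fileshares/share1"},
    {"principalName": "user2@contoso.example", "roleDefinitionName": "Storage File Data SMB Share Reader",
     "scope": _BASE + "storage2/fileServices/default/fileshares/share2"},
    {"principalName": "user3@contoso.example", "roleDefinitionName": "Reader", "scope": _BASE + "storage1"},
]
```
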
macrawat (Highly Voted): 1 year, 11 months ago
c75e123: 2 months, 2 weeks ago
yettie79: 1 year, 11 months ago
riquesg: 1 year, 10 months ago
garmatey: 1 year, 9 months ago
Indy429: 1 year, 2 months ago
Slimus: 1 year, 11 months ago
mfalkjunk (Highly Voted): 1 year, 11 months ago
AndreLima: 1 year, 9 months ago
maxsteele: 1 year, 5 months ago
vrm1358 (Most Recent): 4 weeks ago
Bravo_Dravel: 1 month, 1 week ago
youngjanpawel: 2 months ago
youngjanpawel: 2 months ago
MaDota: 1 month, 3 weeks ago
danlo: 2 months, 2 weeks ago
Mark74: 3 months ago
JPA210: 4 months ago
Yoooom: 4 months, 2 weeks ago
jamesf: 4 months, 2 weeks ago
jamesf: 4 months, 2 weeks ago
minura: 5 months ago
117b84e: 5 months, 1 week ago
b35c3ef: 5 months, 4 weeks ago
[Removed]: 6 months ago
Thisisacat: 7 months, 1 week ago