It should be A,
I just created a storage account,
then created a file share,
went to IAM,
and it says : To give individual accounts access to the file share (Kerberos), enable identity-based authentication for the storage account.
A is correct I am getting the same message when I go to IAM on File Share.
'To give individual accounts access to the file share (Kerberos), enable identity-based authentication for the storage account'
but its not asking how to give access, its asking what to do first. So dont you need to configure the access control before enabling identity-based data access for the file shares in storage1?
I also thought it was A. Then I freaked and started doubting when I saw the Vote Distribution being 50-50 between A & D. Thanks for testing and confirming for us. Correct answer should be A then!
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
How it works
Azure file shares use the Kerberos protocol to authenticate with an AD source.
You can enable identity-based authentication on your new and existing storage accounts using one of three AD sources: AD DS, Azure AD DS, or Azure AD Kerberos (hybrid identities only). Only one AD source can be used for file access authentication on the storage account, which applies to all file shares in the account. Before you can enable identity-based authentication on your storage account, you must first set up your domain environment.
After arguing with ChatGPT here is the answer:
The correct steps to assign User1 the Storage File Data SMB Share Contributor role for share1 are:
1. Enable identity-based data access for the file shares in storage1.
2. Configure Access control (IAM) for share1 and add User1 as a role assignment with the Storage File Data SMB Share Contributor role.
So the correct answer is A.
To assign User1 the Storage File Data SMB Share Contributor role for share1 (a file share in storage1), you first need to enable identity-based data access for file shares in storage1. This is required so that you can use Azure AD-based authentication for accessing the file shares.
Once identity-based access is enabled, Azure Active Directory (Azure AD) users like User1 can be assigned roles such as Storage File Data SMB Share Contributor to control access to Azure file shares.
You will eventually need to assign the role to User1 using IAM, but first, you must enable identity-based access to the file shares.
chatgpt
To assign User1 the Storage File Data SMB Share Contributor role for share1, the first step is to ensure that Azure Active Directory (AD)-based authentication is enabled for the file shares. This allows Azure AD users to be authenticated when accessing the file shares using SMB.
In this scenario, the correct action to perform first is:
A. Enable identity-based data access for the file shares in storage1.
Explanation:
Azure Files supports Azure AD-based access control for file shares using SMB. However, before you can assign roles like Storage File Data SMB Share Contributor, you need to enable identity-based access for the file shares within the storage account (storage1 in this case).
Once identity-based access is enabled, you can then assign roles such as Storage File Data SMB Share Contributor to Azure AD users like User1, granting them the necessary permissions on share1.
I think I'm going to go with A based on the following information I found when I search the differences between identity-based access and access control IAM:
Identity and Access Management (IAM)
IAM is a cybersecurity discipline that manages how users access digital resources and what they can do with them. IAM systems verify users' identities and ensure that they have the correct permissions to do their jobs. IAM can also integrate with AI-based cybersecurity tools to analyze data for potential cyber attacks.
Access control
Access control is a data security process that manages who has access to corporate data and resources. Access control uses policies to verify users' identities and grant them the appropriate level of access. Access control is important for applications that have different levels of authorization for different users.
It should be D.
In the lab, I created following :
1. A user
2. A new storage account
3. A new file share.
Then, I went to file share > IAM > Add role assignment > Members > (newly created user) > Role > (search for given role) > select > review+assign > done.
No error, nothing.
Answer is D.
Stop saying A.
It is very clea in Microsfot Documentation ( https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal )
Step 2: Open the Add role assignment page (Answer D)
Step 3: Select the appropriate role (Answer A)
To assign the SMB Share Contributor role to user1 for Share1, you can follow these steps1:
1. Go to the Azure portal: Log in to your Azure portal.
2. Navigate to the storage account: Browse to the storage account (storage1) that contains the file share (Share1) you created previously1.
3. Select Access Control (IAM): This is where you can manage access to your resources1.
4. Add a role assignment: Select ‘+ Add’, then select ‘Add role assignment’ from the drop-down menu1.
5. Select the role and assign it to the user: In the ‘Add role assignment’ blade, select the ‘Storage File Data SMB Share Contributor’ role from the Role list1. Then, in the ‘Select members’ field, search for and select user11.
6. Review and assign: Review the role assignment details and then click 'Assign’1.
A is correct because this setting allows Azure AD-based authentication for the file shares, which is a prerequisite for assigning roles based on Azure AD identities.
D. Configure Access control (IAM) for share1.
Here’s why:
Configure Access control (IAM): In Azure, roles such as the Storage File Data SMB Share Contributor are assigned through the Access control (IAM) settings. This process involves selecting the appropriate role and assigning it to a user or group for a specific resource, which in this case is the file share named share1.
Option C: Select Default to Azure Active Directory authorization in the Azure portal for storage1 - This option is the most straightforward and necessary initial step for setting up Azure AD-based authorization. It directly configures the storage account to use Azure AD for access control, which is a prerequisite for assigning Azure AD roles to manage access to file shares.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
macrawat
Highly Voted 1 year, 6 months agoyettie79
1 year, 6 months agoriquesg
1 year, 5 months agogarmatey
1 year, 4 months agoIndy429
9 months, 3 weeks agoSlimus
1 year, 6 months agoqrlkaidhn
1 year, 3 months agomfalkjunk
Highly Voted 1 year, 6 months agoAndreLima
1 year, 4 months agomaxsteele
1 year agominura
Most Recent 4 days, 23 hours ago117b84e
1 week, 4 days agob35c3ef
4 weeks, 1 day agoSeMo0o0o0o
1 month agoThisisacat
2 months, 1 week agoajay01avhad
2 months, 1 week agoY2
2 months, 2 weeks agoMakoporosh
3 months agoDicer
3 months, 2 weeks agoLearnerFL
4 months agohakeem89
4 months ago23169fd
4 months, 1 week agoDJHASH786
1 month ago3c5adce
4 months, 3 weeks ago3c5adce
4 months, 3 weeks agoAmir1909
6 months, 2 weeks ago