Answer is A:
An Azure role assignment condition is an optional check that you can add to your role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object.
https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-role-assignments-portal
The answer is D.
A. role assignment condition: This would control access at the container level, not individual blobs. You need more granular control for specific blobs based on tags.
B. stored access policy: This can be used to define access levels for a container or blob, but it wouldn't allow you to filter based on tags dynamically.
C. just-in-time (JIT) VM access: This is used for managing access to virtual machines, not blob storage.
D. shared access signature (SAS): This provides temporary access to blobs with granular control over permissions. You can generate SAS tokens with conditions based on blob index tags, allowing users to access only the relevant blobs.
Answer: D. a shared access signature (SAS)
Because SAS tokens support blob index tag filtering, you can generate tokens scoped to specific blobs based on tags, controlling user access precisely as required.
Answer is: A
"The benefits of using role assignment conditions are:
Enable finer-grained access to resources - For example, if you want to grant a user read access to blobs in your storage accounts only if the blobs are tagged as Project=Sierra, you can use conditions on the read action using tags as an attribute."
Ref: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-auth-abac
D. a shared access signature (SAS)
If your blobs are tagged and you need users to access only certain tags, you create a SAS that includes conditions related to those tags. When the user attempts to access, they match the SAS signature constraints, effectively only viewing blobs with the permitted tags.
On the other hand, role assignment conditions might offer control at a broader scope and not as precisely at the blob level based on index tags.
D. a shared access signature (SAS)
While role assignment conditions are powerful for broad access management, SAS tokens provide the flexibility and granularity needed to limit access based on blob index tags efficiently.
ChatGPT said:
To ensure that users can view only specific blobs based on blob index tags in an Azure Storage account, you should include Option D: a shared access signature (SAS) in the solution.
A role assignment condition can `Restrict access to blobs based on a blob index tag`
Ref: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-auth-abac-portal
Answer: A - Role assignment condition.
Stored access policy is a setup for SAS tokens. But since we don't mention here how users will access blobs, this means it should work both for SAS and AAD, which automatically removes options B and D.
Option B is also invalid because:
A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
Answer: D
Finding data using blob index tags can be performed by the Storage Blob Data Owner and by anyone with a Shared Access Signature that has permission to find blobs by tags (the f SAS permission).
In addition, RBAC users with the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action permission can perform this operation.
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-find-blobs?tabs=azure-portal#finding-data-using-blob-index-tags
Remember the principle of least privilege roles/access.
Here is the whole procedure to do it via role assignment condition. Answer is A. This is a fairly new feature called ABAC (Attribute-based access control).
https://learningbydoing.cloud/blog/control-access-to-azure-storage-blobs-with-abac/
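The "Project=Sierra" excerpt from the ABAC documentation quoted earlier and the "whole procedure via role assignment condition" comment above both describe the same thing: a condition on the blob read action that keys off a blob index tag. The script below is an added example, not code from the thread or from any linked post. It builds the condition expression in the syntax Microsoft documents for storage ABAC conditions (condition version 2.0) and shows the corresponding `az role assignment create` call. The object ID, scope and tag key/value are constructed placeholders; with `DRY_RUN=1` (the default) the `az` command is only printed, so nothing is changed in a tenant.

```shell
#!/bin/sh
# Added example: build and (optionally) apply an Azure role assignment
# condition that limits the Storage Blob Data Reader role to blobs whose
# index tag matches a key/value pair. Placeholder IDs and scope below are
# constructed for this example and must be replaced with real values.

# Reject tag keys/values that are empty or contain a single quote, which
# would break the quoting inside the condition expression.
validate_tag_part() {
  [ -n "$1" ] || return 1
  case "$1" in *"'"*) return 1 ;; esac
  return 0
}

# Emit the condition expression. Any action other than blob read is left
# untouched by the first clause; blob read is then allowed only when the
# blob carries the index tag <key>=<value>. The $key_case_sensitive$
# marker is the documented way to select a tag key in this syntax.
build_read_condition() {
  key="$1"; value="$2"
  validate_tag_part "$key" && validate_tag_part "$value" || return 1
  printf '%s' "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:${key}<\$key_case_sensitive\$>] StringEquals '${value}'))"
}

# Apply the assignment with Azure CLI. With DRY_RUN=1 (the default) the
# command is printed instead of executed, so this runs without a login.
assign_conditioned_reader() {
  assignee="$1"; scope="$2"; key="$3"; value="$4"
  condition="$(build_read_condition "$key" "$value")" || {
    echo "invalid tag key or value" >&2
    return 1
  }
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'az role assignment create --role "Storage Blob Data Reader" --assignee "%s" --scope "%s" --condition-version 2.0 --condition "%s"\n' \
      "$assignee" "$scope" "$condition"
  else
    az role assignment create \
      --role "Storage Blob Data Reader" \
      --assignee "$assignee" \
      --scope "$scope" \
      --condition-version "2.0" \
      --condition "$condition"
  fi
}

# Constructed placeholder values: a principal object ID and a storage
# account scope. Grants read only on blobs tagged Project=Sierra.
assign_conditioned_reader "00000000-0000-0000-0000-000000000000" \
  "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>" \
  "Project" "Sierra"
```

The leading `!(ActionMatches{...read})` clause matters: it makes the condition apply only to the read action, so other actions covered by the role (for example listing or reading container metadata) are not silently denied. The single-quote check is there because the tag value is embedded in a quoted string literal inside the condition; a stray quote would produce an unparseable condition rather than a narrower one.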
Answer - D
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-manage-find-blobs?tabs=azure-portal
Important
Setting blob index tags can be performed by the Storage Blob Data Owner and by anyone with a Shared Access Signature that has permission to access the blob's tags (the t SAS permission).
Permissions and authorization
You can authorize access to blob index tags using one of the following approaches:
Using Azure role-based access control (Azure RBAC) to grant permissions to a Microsoft Entra security principal. Use Microsoft Entra ID for superior security and ease of use. For more information about using Microsoft Entra ID with blob operations, see Authorize access to data in Azure Storage.
Using a shared access signature (SAS) to delegate access to blob index. For more information about shared access signatures, see Grant limited access to Azure Storage resources using shared access signatures (SAS).
Using the account access keys to authorize operations with Shared Key. For more information, see Authorize with Shared Key.
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters and posting times, as listed on the page:
Siraf (Highly Voted, 2 years ago)
sreemog (Highly Voted, 1 year, 6 months ago)
khamrumunnu (Most Recent, 1 month, 2 weeks ago)
vrm1358 (3 months, 3 weeks ago)
Josh219 (5 months, 1 week ago)
Josh219 (5 months, 1 week ago)
117b84e (9 months, 4 weeks ago)
SofiaLorean (1 year ago)
varinder82 (1 year, 1 month ago)
tashakori (1 year, 4 months ago)
Watcharin_start (1 year, 4 months ago)
devops_devops (1 year, 5 months ago)
Nickybambi (1 year ago)
Xerinzxx (1 year, 6 months ago)
SgtDumitru (1 year, 7 months ago)
rumino (1 year, 6 months ago)
amsioso (1 year, 7 months ago)
Ahkhan (1 year, 7 months ago)
PrabodhM (1 year, 7 months ago)
PrabodhM (1 year, 7 months ago)
PrabodhM (1 year, 7 months ago)
josola (1 year, 7 months ago)