
Exam AZ-104 topic 2 question 93 discussion

Actual exam question from Microsoft's AZ-104
Question #: 93
Topic #: 2

HOTSPOT

You have an Azure subscription named Sub1 that contains the blob containers shown in the following table.



Sub1 contains two users named User1 and User2. Both users are assigned the Reader role at the Sub1 scope.

You have a condition named Condition1 as shown in the following exhibit.



You have a condition named Condition2 as shown in the following exhibit.



You assign roles to User1 and User2 as shown in the following table.



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

sugarbubbles
Highly Voted 1 year, 7 months ago
Answer is NNY. The conditions are difficult to read, but they mean (according to reference 1):
a. If the user performs a reading operation, then he may only read from "cont1".
b. If the user performs a writing operation, then he may only write to blobs like "*2*".
Given that, then:
1- User 1 can read Blob2 - No, because he is reading, so condition a. applies, and he is not reading cont1.
2- User 1 can read Blob3 - No, because he is reading, so condition a. applies, and he is not reading cont1.
3- User 2 can read blob 1 - Yes. He is not writing, so condition b. does not apply. He has the permissions granted by the role on the scope he is reading - Storage Blob Data Owner on storage1, which contains blob1.
References:
1. https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-format
2. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 151 times
Stunomatic
6 months, 1 week ago
1- No, because condition 1 applies on cont2. 2- User 1 can read blob3 because it exists in cont3, not cont1, therefore no condition applies, only the default condition, which is read. 3- Y
upvoted 1 times
[Removed]
1 year, 7 months ago
ANSWER IS NNY. Condition1 - the read action cannot be performed since it is enclosed in parentheses with an exclamation point, which indicates NOT. It also includes OR, so if the resource name string is equal to "cont1" then it cannot read it, again because it is all enclosed in a !(condition). So, USER1 CAN READ BLOB2? No, because it falls under a condition that it cannot read. USER1 CAN READ BLOB2? No. Again because it falls under a condition that it cannot read. USER2 CAN READ BLOB1? Yes. Condition2 says that it cannot write, or if it contains a string like "2" (wildcard search with the * asterisk). It all surpasses all the conditions into false. Note: user1 has a reader role, but it also has condition1, which prevents it from reading. user2 is the owner, so it has read and write permissions, but it also has condition2, which prevents it from writing. But it can read.
upvoted 22 times
Batiste2023
1 year, 6 months ago
Please consult the syntax reference on this topic: exclamation marks just introduce the ACTION section of a condition - they do not imply a negation (although that's what I, too, first thought...). To summarize the syntax, each condition includes:
- an ACTION part that determines which action is to be limited by the condition, and
- an EXPRESSION part that says under which circumstances the action is allowed (expression evaluates to TRUE) or not (evaluates to FALSE).
Source: https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-format#simple-condition
In the light of this, the correct answers are:
N: the expression evaluates to FALSE
N: the expression evaluates to FALSE
Y: the action mentioned in the condition does not apply to what the question asks about.
upvoted 13 times
Aniruddha_dravyakar
1 year, 7 months ago
I agree, Joshua. Thanks.
upvoted 2 times
QL112233
1 year, 3 months ago
In human language: the reader role cannot read unless it's blob one; the writer role cannot write unless it's blob 2.
upvoted 8 times
HoT77777
Highly Voted 1 year, 8 months ago
Based on the documentation, it is NNY.
upvoted 28 times
Ycheqri
1 year, 7 months ago
Totally agree with this answer. Explanation: in a nutshell, the two conditions can be read as such:
- condition 1: user 1 can read only blobs from container cont1
- condition 2: user 2 can write only to blobs with a path matching the pattern *2*
user 1 has Azure Blob Data Reader but is restricted to reading only blobs in container. user 2 has Azure Blob Data Owner and doesn't have any read restrictions (the condition is targeting the write action). That means he can read all blobs from all containers in the storage account. Documentation: https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-format
upvoted 9 times
Ycheqri
1 year, 7 months ago
Forgot to mention the authorized read container for user 1: user 1 has Azure Blob Data Reader but is restricted to reading only blobs in container Cont1.
upvoted 1 times
Aniruddha_dravyakar
1 year, 7 months ago
There is an OR condition.
upvoted 6 times
Lapiduse
1 year, 7 months ago
This is not an answer.
upvoted 2 times
70ec7c1
Most Recent 1 month, 1 week ago
Answer is YYY:
upvoted 1 times
70ec7c1
1 month, 1 week ago
User1 has the Reader role and Condition1 applied at the subscription level. RBAC roles are additive. In other words, it is the union of all the roles. This means that even if we have restricted to only cont1 in the Storage Blob Data Reader role, User1 still has the original Reader role provided. The read access to cont2 and cont3 is not restricted at the Reader role and, per the additive rule, this role is not negated. Thus, User1 can read all containers and their blobs per the Reader role at Sub1. So User1 can read both blob2 in cont2 and blob3 in cont3.

User2 has the Reader role at the Sub1 scope and the Storage Blob Data Owner role with a condition at the storage1 scope. Once again, both roles are additive. So, User2 can read all containers and now, additionally, can write to storage1 containers so long as the blob path is like "*2*".
upvoted 1 times
iamsks
1 month, 2 weeks ago
N N Y
upvoted 1 times
krish_76
2 months, 2 weeks ago
Answer is NNY. Tested in an Azure environment. Condition 1 beats both options of reading any blob and cont1 - N. Condition 1 applies again - so user 1 cannot read blob 3 - N. Condition 2 applies for User - he can read blob1 as he is the owner of storage1, which has the blob inside - Y.
upvoted 1 times
Priyanshu_Ji
4 months, 1 week ago
As per the conclusive evidence I am able to see here, I concluded the answer should be NNY. Request @examtopics to either update the correct answer or justify your answer, please.
upvoted 2 times
GreenTick
5 months ago
Whoever created this question must be put in prison. This question is very simple to answer, but was made difficult by all the wordings, half-baked table and scrambled facts.
upvoted 2 times
sca88
5 months, 2 weeks ago
Should be NNY.
upvoted 1 times
behradcld
7 months, 3 weeks ago
ChatGPT says NNN, which I believe based on the explanation it provided.
upvoted 1 times
[Removed]
7 months, 3 weeks ago
WRONG. No No Yes.
upvoted 2 times
azmlan
9 months ago
Answer is NNY. The first part, !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}), is checking if the action being performed is NOT the "read blob" action (Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read). The OR means that if the first part evaluates to false (i.e. the action IS "read blob"), then it will evaluate the second part of the condition. The second part, @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'cont1', is checking if the name of the storage container is equal to "cont1". So in plain language, this condition allows any action EXCEPT reading blobs, OR it allows reading blobs ONLY from a container named "cont1".
upvoted 2 times
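The evaluation rule that sugarbubbles and azmlan describe (a condition is true whenever its ActionMatches does not match the requested action, and only otherwise tests its expression) as an added Python model; this is not code from the thread or from Microsoft. The blob/container layout, the assignments and Condition2's "*2*" wildcard are reconstructed from the discussion because the exam's tables are images, and all three containers are assumed to fall within the assignments' scope.

```python
from fnmatch import fnmatchcase

# Data actions named in the exam's conditions.
READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"

# Blob data actions of the built-in roles. The control-plane Reader role that
# both users hold at Sub1 grants no DataActions, so it contributes nothing here.
ROLE_DATA_ACTIONS = {
    "Storage Blob Data Reader": {READ},
    "Storage Blob Data Owner": {READ, WRITE},
}

def condition1(action, container, blob):
    """!(ActionMatches{read}) OR container name StringEquals 'cont1'"""
    return action != READ or container == "cont1"

def condition2(action, container, blob):
    """!(ActionMatches{write}) OR blob path StringLike '*2*'"""
    return action != WRITE or fnmatchcase(blob, "*2*")

# Role assignments reconstructed from the thread (assumption: the exam's
# tables are images, so this layout is what the discussion implies).
ASSIGNMENTS = {
    "User1": [("Storage Blob Data Reader", condition1)],
    "User2": [("Storage Blob Data Owner", condition2)],
}

def is_allowed(user, action, container, blob):
    """Azure RBAC is additive: access is granted if at least one assignment
    includes the action and its condition evaluates to true. A condition whose
    ActionMatches does not match is true by construction, so it never blocks
    other actions."""
    return any(
        action in ROLE_DATA_ACTIONS[role] and cond(action, container, blob)
        for role, cond in ASSIGNMENTS[user]
    )

def hotspot_answers():
    """The three exam statements, returned as Yes/No in order."""
    checks = [
        ("User1", READ, "cont2", "blob2"),   # User1 can read blob2?
        ("User1", READ, "cont3", "blob3"),   # User1 can read blob3?
        ("User2", READ, "cont1", "blob1"),   # User2 can read blob1?
    ]
    return ["Yes" if is_allowed(*c) else "No" for c in checks]
```

Calling hotspot_answers() reproduces the NNY reading, and is_allowed("User2", WRITE, "cont1", "blob1") shows Condition2 blocking a write that Condition1 never touches.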
ximim58473
9 months, 3 weeks ago
The answer is NNY.
upvoted 1 times
OscarFRItz
10 months ago
Tested: NNY
upvoted 1 times
testtaker09
10 months, 2 weeks ago
Was in the exam today, 17/06/2024.
upvoted 1 times
robsoneuclides
11 months ago
NNY. The image is wrong.
upvoted 2 times
Miccc
11 months, 1 week ago
Answer is NNN. The condition has an OR check, not AND.
upvoted 5 times
3c5adce
11 months, 3 weeks ago
Based on the documentation, it is NNY.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other