Exam AZ-104 topic 2 question 93 discussion

Answer is NNY The conditions are difficult to read, but they mean (according to reference 1): a. If the user performs a reading operation, then he may only read from “cont1” b. If the user performs a writing operation, then he may only write to blobs like “*2*” Given that, then: 1- User 1 can read Blob2 - No, because he is reading, then the condition a. applies, and he is not reading cont1 2- User 1 can read Blob3 - No, because he is reading, then the condition a. applies, and he is not reading cont1 3- User 2 can read blob 1 - Yes. He is not writing, so the condition b. does not apply. He has permissions granted by the role on the scope he is reading - Storage Blob Data Owner on storage1, which contains blob1 References: 1. https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-format 2. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Based on the documentation is NNY

Answer is NNY Tested in Azure environment Condition 1 beats both option of reading any blob and cont1 - N Condition 1 applies again - so user 1 cannot read blob 3 - N Condition 2 applies for User - He can read blob1 as he is the owner of storage1 which has the blob inside - Y

As per the conclusive evidences i am able to see here, i concluded, the answer should be NNY. Request @examtopics to either update the correct answer. or justify your answer please.

whoever create this question must be put in prison. this question is very simple to answer, but was made difficult by all the wordings, half baked table and scrambled facts.

Should be NNY

ChatGPT says NNN which I beleive based on explanation it provided

WRONG No No Yes

Answer is NNY The first part !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) is checking if the action being performed is NOT the "read blob" action (Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read). The OR means that if the first part evaluates to false (i.e. the action IS "read blob"), then it will evaluate the second part of the condition. The second part @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'cont1' is checking if the name of the storage container is equal to "cont1". So in plain language, this condition allows any action EXCEPT reading blobs, OR it allows reading blobs ONLY from a container named "cont1".

The answer is NNY

Tested: NNY

was in the exam today 17/06/2024

NNY the image is wrong

Answer is NNN The condition has OR check, not AND

Based on the documentation is NNY

I thought the answer is YYN. Because isn't the "!" infront of the action standing for "NOT"? So isn't it saying: if the action is everything but NOT reading (in condition a) and NOT writing (in condition b)? Not trying to confuse people, just aking..

I say Yes-Yes-No. Here is why I think it's Yes-Yes-No. It says, "Sub1 contains two users named User1 and User2. Both users are assigned the Reader role at the Sub1 scope." User1 and User2 got reader role. So, they both can read. However, conditions: Condition1 and Condition2. If you look at ActionMaches in blue, Condtion1 has blobs/read' and Condition2 has blob/write' Normally Owner can read. But it does not say blob/read' on Condition2 which is linked to User2 (Owner) in this case. So, the User2 (Owner) can not read blob1 this time. Let me know if my logic is wrong.