Exam AZ-305 topic 1 question 66 discussion

1. For the blobs - a user delegation SAS only To maximize security it's better to use a user delegation SAS: From docs: As a security best practice, we recommend that you use Azure AD credentials when possible, rather than the account key, which can be more easily compromised. When your application design requires shared access signatures, use Azure AD credentials to create a user delegation SAS to help ensure better security. This also prevents using shared keys & supports time-limited access. Note: user delegation SAS do not support stored access policies. 2. For the file shares - Azure AD credentials It fulfills the requirement to maximize security (the most secure way recommended by Microsoft), but doesn't support time-limited access, which is optional and has lower priority than security. Source: https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas.

User Delegation SAS (for blobs): Security: User delegation SAS uses Azure AD credentials to generate the SAS token, providing a higher level of security. Time-limited access: SAS tokens can be configured with specific start and expiry times, supporting time-limited access. Azure AD Credentials (for file shares): Security: Azure AD provides secure authentication and authorization, eliminating the need for shared keys. Access Management: Azure AD allows fine-grained access control and integration with SMB protocol for file shares.

WRONG For the blobs: A user delegation shared access signature (SAS) only For the file shares: Azure AD credentials (Keyword: maximize security)

For the Blobs: c)A user delegation shared access signature (SAS) For the File Shares: a) Azure AD credentials

a user delegation SAS only Azure AD credentials https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas

Stored access policies allow you to define a set of permissions on a container or blob that you can associate with a service-level SAS (signed with the storage account key), whereas a user delegation SAS is signed with EntraID credentials. So it should be SAS only for the 1st option

I think the correct answer should be: - For the blobs: 'a user delegation SAS only' (more secure and granular access control) - For the file shares: 'Azure AD credentials' But who knows..

This question appeared in my exam on 13th May 2024. The given answer is correct.

i agree with 1. A user delegation SAS only 2. Azure AD credentials

Final Answer : 1. A user delegation SAS only 2. Azure AD credentials

Answer: - user delegation SAS only - AzureAD authentication

I'm not 100% sure on the correct answers but found the following info: "Stored access policies are not supported for the user delegation SAS or the account SAS." https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy So "user SAS + stored access policies" are wrong at least for both questions. File Share doesn't allow Azure AD (only AD DS like btboudreaux said) login so I guess it is regular user SAS for question2? It feels wrong though.

I'm confused about the File Shares part of the question. The question states that the File Shares will be accessed over SMB. According to this documentation, and testing, you cannot access File Shares via SMB by Azure AD alone. You need On Prem Synced accounts or Azure ADDS. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview