Exam AZ-104 topic 3 question 90 discussion

N-N-N User 1 does not have Storage Blob Data Reader or Storage Blob Data Contributor role to read File1. https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal

Correct Answer: 1-Yes: Public Access is enabled for blob 2- No: Azure Storage Account Contributor role can't access the file share 3- No: Access Key is disabled on the storage account

The key point of the question is that Access Key access was disabled. In Azure Portal, a Contributor would normally be able to read data even though it is a Control/Mgmt Plane roles, because they would use the access key behind the scenes. However, access keys have been disabled.

NYN Y - https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-account-contributor

Can User1 read File1? ❌ No User1 has the Reader role, which allows viewing metadata and configuration but not reading the contents of blobs or files. Can User2 read File2? ✅ Yes User2 has the Storage Account Contributor role, which includes read and write permissions for both Blob containers and Azure Files shares. Can User3 read File1 and File2? ✅ Yes User3 has an access key for the storage account (contoso2024), which grants full access to both Blob and File storage.

Hello Everyone, I have my exam scheduled on 14th November 2024 and I have purchased the ExamTopics dump this time. Earlier I had followed the dump of IT Exams but I wasn't able to clear the exam. However, I scored above 90% in Storage Account section in my last attempt on 17th Sept 2024 and this question was there in the exam. This is what I feel should be the correct answer. User1 can read File1 as user1 has Read Access Reader Role. User2 can read file2: No as User2 has storage account contributor Role. The contributor role gives you access to manage but not to access it. User3 can Read File1 and File2: In the shared access signature there is nothing mentioned about the Read permission. Hence User3 doesn’t have any read permission. I referred the below Microsoft Document: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Key Points: Public Access at Storage Account Level: When Allow Blob Public Access is enabled at the storage account level, it means that public access can be granted at the container or blob level. However, this setting alone does not open up the storage account for public access. Public Access at the Container/Blob Level: For actual public access, you must explicitly configure each container or blob to allow public access. The container can be set to one of the following: No public access: Only authorized users can access the container and blobs. Blob-level public access: Public users can access individual blobs, but not list the contents of the container. Container-level public access: Public users can access the blobs and list the contents of the container. This is what i was trying to understand sometimes while using AWS S3 I face this problem.

Storage Acct Public access does not mean that Blobs/Containers can be read. It is just that Storage Acct is accessible from public network. Roles are required to read files/blobs. Hence N, N,Y

1) Yes - Reader role allows reading of data 2) No - User2 role does not allow reading of data 3) Yes - access keys give access to all the data Note: Anonymous (or public) access for storage account does not allow reading of data; you will have to give a container level anonymous access to allow reading of data

WRONG No (Reader can´t read contents of Blob Container) No (Storage account contributor can´t read contents of File Share) No (key access is disabled)

Public Access is enabled for blob, why not all of 3 users can read?

The Reader role in Azure RBAC allows users to view Azure resources but not make any changes. Specifically, this role includes permissions to view the configuration of the storage account but does not grant permissions to read the data within the storage account, such as the contents of blob containers. To read data within a blob container, you need a role that includes the necessary data access permissions. The appropriate role for this purpose is: So, N N N

Final Answer: N N N

Tested it. 1. Y - Public access enabled (even my grandpa will have access, dont argue). Portal doesn't matter. If you have the URI you can read it whilst sipping coconut drink with umbrella on yacht. 2. N - File Share can use Entra Id or if user has access to Account Key use that see:(https://learn.microsoft.com/en-us/azure/storage/files/authorize-data-operations-portal) But Account Key is DISABLED, so he can't fallback to that authentication method. So its N. 3. N.

Answer should be No-No-No 1. No, Reader does not allow to read contents . It only allows to read the metadata and other settings. 2. No, Storage account contributor also does not allow to read data. Only access to read/change settings. 3. No, since access keys are disabled

NNN - tested in lab - not even my global admin can read data with these settings. Allow public access setting means that is possible to open the containers data for public. but they are still by default private. if you make it public then all of them would have to be Y. but in portal its still no access. Storage account contributor: Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. so even though it has no Data actions it would normally have access to the data trough the access key which is default auth method in portal. However since that is disabled it has no access. same issue with my global admin. and also why 3 i a N. a role like Storage Blob Data Reader will have access without the keys.

No one can access since there's no key allowed and role access is disabled.