Exam AZ-104 topic 3 question 90 discussion

N-N-N User 1 does not have Storage Blob Data Reader or Storage Blob Data Contributor role to read File1. https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal

Correct Answer: 1-Yes: Public Access is enabled for blob 2- No: Azure Storage Account Contributor role can't access the file share 3- No: Access Key is disabled on the storage account

1) Yes - Reader role allows reading of data 2) No - User2 role does not allow reading of data 3) Yes - access keys give access to all the data Note: Anonymous (or public) access for storage account does not allow reading of data; you will have to give a container level anonymous access to allow reading of data

WRONG No (Reader can´t read contents of Blob Container) No (Storage account contributor can´t read contents of File Share) No (key access is disabled)

Public Access is enabled for blob, why not all of 3 users can read?

The Reader role in Azure RBAC allows users to view Azure resources but not make any changes. Specifically, this role includes permissions to view the configuration of the storage account but does not grant permissions to read the data within the storage account, such as the contents of blob containers. To read data within a blob container, you need a role that includes the necessary data access permissions. The appropriate role for this purpose is: So, N N N

Final Answer: N N N

Tested it. 1. Y - Public access enabled (even my grandpa will have access, dont argue). Portal doesn't matter. If you have the URI you can read it whilst sipping coconut drink with umbrella on yacht. 2. N - File Share can use Entra Id or if user has access to Account Key use that see:(https://learn.microsoft.com/en-us/azure/storage/files/authorize-data-operations-portal) But Account Key is DISABLED, so he can't fallback to that authentication method. So its N. 3. N.

Answer should be No-No-No 1. No, Reader does not allow to read contents . It only allows to read the metadata and other settings. 2. No, Storage account contributor also does not allow to read data. Only access to read/change settings. 3. No, since access keys are disabled

NNN - tested in lab - not even my global admin can read data with these settings. Allow public access setting means that is possible to open the containers data for public. but they are still by default private. if you make it public then all of them would have to be Y. but in portal its still no access. Storage account contributor: Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. so even though it has no Data actions it would normally have access to the data trough the access key which is default auth method in portal. However since that is disabled it has no access. same issue with my global admin. and also why 3 i a N. a role like Storage Blob Data Reader will have access without the keys.

No one can access since there's no key allowed and role access is disabled.

1 - No Public blob access doesn't mean that any data is publicly accessible. It just means that it's in general allowed to make containers publicly accessible. See: By default, a storage account allows public access to be configured for containers in the account, but does not enable public access to your data. Public access to blob data is never permitted unless you take the additional step to explicitly configure the public access setting for a container. https://azure.microsoft.com/de-de/updates/choose-to-allow-or-disallow-blob-public-access-on-azure-storage-accounts/

ANSWERS = N-N-N Storage Account Contributor: DataActions => none Reader: DataActions => none Storage account access keys: disabled "These keys can be used to authorize access to data in your storage account via Shared Key authorization, or via SAS tokens that are signed with the shared key." Reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal

YNN, correct