
Exam AZ-500 topic 2 question 77 discussion

Actual exam question from Microsoft's AZ-500
Question #: 77
Topic #: 2

HOTSPOT -
You have an Azure subscription that contains a resource group named RG1. RG1 contains a storage account named storage1.
You have two custom Azure roles named Role1 and Role2 that are scoped to RG1.
The permissions for Role1 are shown in the following JSON code.

The permissions for Role2 are shown in the following JSON code.

You assign the roles to the users shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Comments

damtrx
Highly Voted 2 years, 7 months ago
User 1 can't read the storage because Microsoft.Storage/storageAccounts/read will allow him just to LIST the storage accounts. User 2 HAS the option to do whatever he wants on the storage account, so he can read the data. User 3 can't access Azure Backup because the provider is not enabled in the access policy.
upvoted 33 times
Hot_156
1 month, 3 weeks ago
LAB!!! N - User1 cannot read data. Y - User2 can see the Containers and File shares tabs and open the files. N/Y - I was not able to test this, but based on the perms and Gemini, this is possible.
upvoted 1 times
jorgesoma
10 months, 1 week ago
Correct. NYN
upvoted 1 times
juandmi
2 years, 3 months ago
No - No - No because User 2 has no dataActions defined, so he cannot read any data
upvoted 11 times
juandmi
2 years, 3 months ago
I need to correct myself. No - No - Yes. User 3 is able to perform restores with Microsoft.Storage/storageAccounts/*.
upvoted 6 times
juandmi
2 years, 3 months ago
I'm correcting myself again. Data access with key and SAS will work for User1 and User2. And I think Microsoft.RecoveryServices/ is not needed for User3: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-account-backup-contributor So: YES - YES - YES
upvoted 5 times
chikorita
2 years, 2 months ago
Bro, take a break, have a coffee, then comment. Please don't confuse others :(
upvoted 60 times
saturation97
2 years ago
Definitely take a break, but please... NO coffee.
upvoted 20 times
damtrx
2 years, 7 months ago
Correction. User 3 has the option to do a restore: Microsoft.Storage/storageAccounts/restoreBlobRanges/action - Restore blob ranges to the state of the specified time.
upvoted 8 times
Ga__ium
Highly Voted 2 years, 7 months ago
I assume that "dataActions" is not set, so data cannot be read.
upvoted 25 times
Jimmy500
10 months, 1 week ago
Correct, all should have been no, no, no.
upvoted 1 times
orcnylmz
2 years, 6 months ago
Agreed. I think No - No - No: https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-reader
upvoted 5 times
koreshio
2 years, 6 months ago
Yup, without "dataActions" allowed, they should not be able to read blob data. The roles specify "actions" only, which are control-plane actions and not data-plane actions.
upvoted 6 times
randy0077
Most Recent 4 weeks, 1 day ago
NNN, no data action to read storage data.
upvoted 1 times
Hot_156
2 months, 2 weeks ago
actions vs. dataActions - Revisited (and Corrected):
actions: Control plane. Managing the resource itself (create, delete, modify settings, list keys). Microsoft.Storage/storageAccounts/read lets you see that a storage account exists and view its properties, but NOT its contents.
dataActions: Data plane. Accessing the data within the resource (blobs, queues, tables, files). You need dataActions to read the actual data (blobs, files, etc.) within a storage account.
Role1: Has no dataActions. User1 can see the storage account exists and list its keys, but cannot read any blob, file, queue, or table data.
Role2: Has Microsoft.Storage/storageAccounts/* under actions. This is a broad control plane permission. It allows User2 to manage the storage account (change settings, etc.), and see it exist. Crucially, Role2 lacks any dataActions permissions. So it CANNOT read data.
User3: Inherits the permissions of both roles. Still has no permissions in the dataActions.
upvoted 2 times
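The actions/dataActions split that koreshio and Hot_156 describe above can be checked mechanically. The following is an added example, not code from the exam, Microsoft, or any commenter: a small model of how Azure RBAC matches a requested operation against a role definition. Control-plane operations are checked only against actions/notActions, data-plane operations only against dataActions/notDataActions, `*` matches any run of characters, matching is case-insensitive, and a user with several roles gets the union of the grants. The two role definitions are constructed from the commenters' reading of the question (the exam's JSON is not reproduced on this page) and are assumptions; deny assignments, scope inheritance and shared-key authentication are deliberately outside the model.

```python
"""Model of Azure RBAC actions vs. dataActions evaluation (added example).

Rules modelled:
  * control-plane operations are checked against actions/notActions,
    data-plane operations against dataActions/notDataActions;
  * '*' in a permission string matches any characters, including '/';
  * matching is case-insensitive;
  * a user's effective permission is the union over assigned roles of
    (allow minus deny).
Deny assignments, scope inheritance and shared-key auth are out of scope.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class RoleDefinition:
    name: str
    actions: List[str] = field(default_factory=list)
    not_actions: List[str] = field(default_factory=list)
    data_actions: List[str] = field(default_factory=list)
    not_data_actions: List[str] = field(default_factory=list)


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard: '*' matches any run of characters, incl. '/'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def role_permits(role: RoleDefinition, operation: str, plane: str) -> bool:
    """True if one role grants `operation` on `plane` ('control' or 'data').

    A wildcard under actions never satisfies a data-plane request; the two
    planes are evaluated against separate lists.
    """
    if plane == "control":
        allow, deny = role.actions, role.not_actions
    elif plane == "data":
        allow, deny = role.data_actions, role.not_data_actions
    else:
        raise ValueError(f"unknown plane: {plane}")
    allowed = any(_matches(p, operation) for p in allow)
    denied = any(_matches(p, operation) for p in deny)
    return allowed and not denied


def user_permits(roles: Iterable[RoleDefinition], operation: str, plane: str) -> bool:
    """A user with several role assignments gets the union of their grants."""
    return any(role_permits(r, operation, plane) for r in roles)


# Constructed role definitions (assumptions, not the exam's JSON). Role1
# mirrors the commenters' reading (read + listKeys + ListAccountSas, no
# dataActions); Role2 is the storageAccounts wildcard under actions.
ROLE1 = RoleDefinition(
    name="Role1",
    actions=[
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read",
    ],
)
ROLE2 = RoleDefinition(name="Role2", actions=["Microsoft.Storage/storageAccounts/*"])

BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
RESTORE_RANGES = "Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"


def evaluate() -> dict:
    """Evaluate the three exam statements under the RBAC-only model above."""
    return {
        # User1 (Role1): blob content is a data-plane op; Role1 has no dataActions.
        "user1_reads_blob_via_rbac": user_permits([ROLE1], BLOB_READ, "data"),
        # User2 (Role2): the wildcard matches the operation *string*, but it
        # lives under actions, so it grants nothing on the data plane.
        "user2_reads_blob_via_rbac": user_permits([ROLE2], BLOB_READ, "data"),
        "role2_wildcard_matches_blob_string": _matches(ROLE2.actions[0], BLOB_READ),
        # User3 (Role1 + Role2): restoreBlobRanges is a control-plane action
        # covered by Role2's wildcard.
        "user3_restore_blob_ranges": user_permits([ROLE1, ROLE2], RESTORE_RANGES, "control"),
        # Role1 can list keys (control plane). Shared-key auth with that key is
        # outside RBAC, which is why several commenters answer Yes for User1.
        "user1_list_keys": user_permits([ROLE1], LIST_KEYS, "control"),
    }


if __name__ == "__main__":
    for statement, verdict in evaluate().items():
        print(f"{statement}: {verdict}")
```

The `role2_wildcard_matches_blob_string` entry is the trap in this question: the string `Microsoft.Storage/storageAccounts/*` does match the blob read operation, yet `user2_reads_blob_via_rbac` is still false because the match is never consulted for a data-plane request. The `user1_list_keys` entry shows why the thread does not converge: RBAC alone says No for User1, while possession of the account key gives data access through a path this model does not evaluate.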
schpeter_091
5 months ago
Microsoft.Storage/storageAccounts/*: Create and manage storage accounts.
Microsoft.Storage/storageAccounts/read: Returns the list of storage accounts or gets the properties for the specified storage account.
To read blobs' data the user should have 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read' --> Return a blob or a list of blobs.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage
upvoted 1 times
codeunit
6 months, 2 weeks ago
User1 can read data in storage1. Yes: User1 is assigned Role1, which allows Microsoft.Storage/storageAccounts/read, granting read access to storage account metadata but not to blobs/files themselves directly.
User2 can read data in storage1. Yes: User2 is assigned Role2, which has Microsoft.Storage/storageAccounts/* permissions, providing access to read data within the storage account, including blobs and files.
User3 can restore storage1 from a backup in Azure Backup. No: Neither Role1 nor Role2 provide permissions to restore storage accounts from Azure Backup, as there are no permissions related to Azure Backup specifically.
upvoted 2 times
xRiot007
9 months, 2 weeks ago
I really hate these questions. User1 can read data. What exactly is DATA? If we are talking about storage account properties, sure, he can read that. If we are talking about blobs and files, he can't.
upvoted 2 times
RaphaelG
11 months, 1 week ago
I'm going through the storage account documentation and there is an interesting piece of information "If a role includes Microsoft.Storage/storageAccounts/listKeys/action, then a user to whom that role is assigned can access data in the storage account [...]". Therefore, to me, it actually is: 1. Yes (explicit) 2. Yes (via Microsoft.Storage/storageAccounts/*) 3. No (no backup permissions)
upvoted 1 times
xRiot007
9 months, 2 weeks ago
I saw that phrasing too and it's confusing the F out of me. Microsoft should define their roles better because this thing literally looks like a hack.
upvoted 1 times
az2022
11 months, 1 week ago
No, Yes, No
upvoted 1 times
kevgen33091
11 months, 1 week ago
Y-Y-N. The answer is correct. The description of Role 2 is 'Storage Account Contributor', which cannot perform the backup restore action. Storage Account Contributor: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-account-contributor Storage Account Backup Contributor: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-account-backup-contributor
upvoted 1 times
chema77
6 months, 4 weeks ago
Y-Y-Y imho. Restoring both managed and unmanaged disks will work with Storage Account Contributor permissions: https://learn.microsoft.com/en-us/azure/backup/backup-rbac-rs-vault
upvoted 1 times
bob_sez
1 year, 5 months ago
Role1 has more than just read; it also has ListAccountSas/Action and ListKeys/Action, which allow read/write access to data within the storage account: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader-and-data-access Don't get hung up on just the read permission in that role.
upvoted 2 times
xxavimr
1 year, 5 months ago
The response is correct, surprisingly. Role 1 is a built-in role called "Reader and Data Access": https://www.azadvertizer.net/azrolesadvertizer/c12c1c16-33a1-487b-954d-41c89c60f349.html With the Microsoft.Storage/storageAccounts/ListAccountSas/action permission, you may get a SAS and do read/write operations. If you see this link, https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles and look for the "Reader and Data Access" role, you see its definition: "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys." The second box is also yes, as it has an asterisk for storageAccounts. YES, YES, NO
upvoted 2 times
wardy1983
1 year, 5 months ago
Explanation:
USER 1 = Microsoft.Storage/storageAccounts/read = Returns the list of storage accounts or gets the properties for the specified storage account
USER 2 = wildcards (*), so YES
USER 3 = not defined: Microsoft.Storage/storageAccounts/restoreBlobRanges/action
upvoted 3 times
flafernan
1 year, 5 months ago
The "Microsoft.Storage/storageAccounts/*/" attribute in a role assignment applies to Azure Storage and provides access to all containers and blobs within all storage accounts in the specified scope. However, it does not provide access to, for example, Azure Backup and does not automatically grant the ability to restore backups from Azure Backup. To grant permissions to restore backups from Azure Backup, you must meet the correct role in the specific scope. Be careful not to get confused.
upvoted 1 times
TheProfessor
1 year, 5 months ago
Why can User 3 not restore a backup even having the permission Microsoft.Storage/storageAccounts/*? This is the permission of the built-in "storage-account-backup-contributor" role. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-account-backup-contributor
upvoted 2 times
DarkSide321
1 year, 6 months ago
**Role1 Permissions**: - Can list keys, generate SAS, and read storage account properties. By using keys or SAS, **User1** can read data in storage1. Data Actions are not required.
**Role2 Permissions**: - Wildcard permissions for storage accounts. So, **User2** can read data in storage1.
**User3**: - Has both Role1 and Role2 permissions, but can't restore storage1 from Azure Backup.
Thus: 1. User1: **Yes** 2. User2: **Yes** 3. User3: **No**.
upvoted 3 times
xRiot007
9 months, 2 weeks ago
Reading storage account property or listing keys is one thing and having access to the data itself is another thing.
upvoted 1 times