Exam AZ-104 topic 3 question 43 discussion

B) "Storage Blob Data Contributor" & C) "Reader" The following line says it all: "The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources. The Reader role is necessary so that users can navigate to blob containers in the Azure portal. For example, if you assign the Storage Blob Data Contributor role to user Mary at the level of a container named sample-container, then Mary is granted read, write, and delete access to all of the blobs in that container. However, if Mary wants to view a blob in the Azure portal, then the Storage Blob Data Contributor role by itself will not provide sufficient permissions to navigate through the portal to the blob in order to view it. The additional permissions are required to navigate through the portal and view the other resources that are visible there." - https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal

TESTED IN LAB: Assigning the Storage Account Contributor and Storage Blob Data Reader rolls to the group and having the user (which is a part of that group) sign in to the portal, the storage account isn't even listed under storage accounts. After removing the Storage Blob Data Reader and assigning the Reader roll to the group, the storage account is listed and the users of the group can creat blobs/fileshares etc. ANSWER: BC

Upload & read the data in the storage account not in the blob.

To ensure that the members of Group1 can upload files to the Azure Storage account named storage1 using the Azure portal, while adhering to the principle of least privilege, you need to assign them roles that provide the minimum required permissions. The most appropriate roles are: Storage Blob Data Contributor (Option B): This role allows users to read, write, and delete blobs in the storage account. It's specific to blob data operations, which is what you need for uploading files. Storage Blob Data Reader (Option E): This role allows users to read blob data. It's complementary to the Data Contributor role, ensuring users can also read the data they upload. So the correct answer remains: B. Storage Blob Data Contributor E. Storage Blob Data Reader

Answer is A and B. "You need to ensure that the members of a group named Group1 can upload files by using the Azure portal." You cannot upload files using the reader role

B & C are correct

You don't know if You need to charge blobs or files

B and C is correct

B) "Storage Blob Data Contributor" & C) "Reader"

BC is right answer!! Get Up-to-date: https://www.pinterest.com/pin/937522847419095399

This was on my exam. Most likely the correct answer is provided by NaoVaz.

B, C is correct!

ebanie

Answer is BC

To ensure that members of Group1 can upload files using the Azure portal while adhering to the principle of least privilege, you need to assign roles that give them just enough permissions to perform the task without any extraneous permissions. B. `Storage Blob Data Contributor`: This role allows for reading, writing, and deleting Azure Storage blobs (object data). This role is necessary for members to be able to upload files. C. `Reader`: This role gives the user read access to see the storage account and its properties but doesn't allow for any modifications. This role would be needed to navigate to the storage account in the Azure portal. Assigning these roles should give Group1 members the ability to upload files to the storage account via the Azure portal without giving them more permissions than they need.

You need to ensure that the members of a group named Group1 can upload files by using the Azure portal. Files is clearly mentioned in the question, by selecting 'Storage Blob Data Contributor' your scope is limited to only containers & blobs. So, in my opinion A & C are the correct options.

Question is still relevant, came on exam today