Exam AZ-104 topic 9 question 2 discussion

I think is A, because storage1 and storage2 have enabled Azure Active Directory Domain services. I think that you have to enable in storage 2 identity-based access for the file shares too. https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#enable-identity-based-authentication

A. On storage2, enable identity-based access for the file shares. To grant Group4 Azure RBAC read-only permissions to all the Azure file shares, you should enable identity-based access for the file shares on storage2. Identity-based access enables you to manage access to file shares based on Azure AD identities, including users, groups, and service principals. By enabling identity-based access, you can grant access to specific users or groups and manage access control centrally from Azure AD. Recreating storage2 with Hierarchical namespace enabled (Option B) is not relevant to granting RBAC permissions to Azure file shares. Changing the account kind type to StorageV2 (general purpose v2) (Option C) is not relevant to granting RBAC permissions to Azure file shares. Creating a shared access signature (SAS) (Option D) provides temporary access to resources in storage accounts, but it does not allow you to grant RBAC permissions to Azure file shares. Therefore, the correct answer is A. On storage2, enable identity-based access for the file shares.

A is right

I think it should be A. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

RBAC = Role Based Access Control and you will give Reader Role so you would need Azure AD for this, no? So A seems like a right answer

the closest is A. the question is wrong. Azure RBAC is for Azure resource, not for File Share. Identity-based access is Azure AD which needs Azure AD role.

storage 1 and 4 already had azure AD enabled so the only storage that does not have is storage 2 and you enable it. Storage 3 IS BOB NOT FILE share so yeah :) it also makes sense as it wants group4 plus RBAC. SAS does not go by Azure AD groupss

You have to look in the table. storag2 has the auth disabled.

Once either Azure AD DS or on-premises AD DS authentication is enabled, you can use Azure built-in roles or configure custom roles for Azure AD identities and assign access rights to any file shares in your storage accounts. The assigned permission allows the granted identity to get access to the share only, nothing else, not even the root directory. You still need to separately configure directory or file-level permissions for Azure file shares.

Why not D ? Since the File shares exist on Storage1, Storage2 and Storage4 !!

A is the correct answer

The question only asks about File Shares not Blob Storage

The answer should be D? Because with A we can give only to storage1 file shares only.