Exam AZ-104 topic 2 question 67 discussion

Best answer

If there was indeed an option for User Access Administrator, that would be correct. But in this case, owner will do the trick.

Did you use free access? Are these questions from free access enough to clear exam.

Exactly, only owner if I'm correct?

Did you use free access? Are these questions from free access enough to clear exam

Storage Account Contributor does not follow the principle of least privilege. Storage Account Contributor would allow a user that is requested to ONLY have the ability to READ/VIEW the data in the storage account, to do many other things such as Write/List/Delete/Move the data in the storage accounts. They only need to be able to view/read. Therefore, Reader, and Data Access follow this principle. RBAC roles for Storage Accounts: Role: Read and Data Access - Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. Please see reference documentation from MS Learn on Read and Data Access role: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#reader-and-data-access

Storage Account Contributor does not follow the principle of least privilege. Storage Account Contributor would allow a user that is requested to ONLY have the ability to READ/VIEW the data in the storage account, to do many other things such as Write/List/Delete/Move the data in the storage accounts. They only need to be able to view/read. Therefore, Reader, and Data Access follow this principle. RBAC roles for Storage Accounts: Role: Read and Data Access - Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. Please see reference documentation from MS Learn on Read and Data Access role: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#reader-and-data-access

Its not okay to be wrong in this instance where you're vomiting it all over the internet. Storage Account Contributor does not follow the principle of least privilege. Storage Account Contributor would allow a user that is requested to ONLY have the ability to READ/VIEW the data in the storage account, to do many other things such as Write/List/Delete/Move the data in the storage accounts. They only need to be able to view/read. Therefore, Reader, and Data Access follow this principle. RBAC roles for Storage Accounts: Role: Read and Data Access - Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. Please see reference documentation from MS Learn on Read and Data Access role: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#reader-and-data-access

It's true that Reader&Data Access allows writing, but you need to grant the role with the least permissions that will allow viewing, and according to https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal, Storage Acct Contributor gives you even more permissions. So it ought to be R&DA.

I think so as its least privilege

Storage account contributor cannot assign roles

The appropriate role should be "User Acess Administrator" but it is not an option. Therefore, the next "least privilege" role would be "Owner". Storage Account Contributor - Permits management of storage accounts. Provides access to the account key, which can be used to *access data* via Shared Key authorization. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles