Exam AZ-104 topic 2 question 67 discussion

Actual exam question from Microsoft's AZ-104
Question #: 67
Topic #: 2

DRAG DROP

You have an Azure subscription named Sub1 that contains two users named User1 and User2.

You need to assign role-based access control (RBAC) roles to User1 and User2. The users must be able to perform the following tasks in Sub1:

• User1 must view the data in any storage account.
• User2 must assign users the Contributor role for storage accounts.

The solution must use the principle of least privilege.

Which RBAC role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

Muffay
Highly Voted 2 years, 1 month ago
Answer is correct. "Reader and Data Access": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys." "Owner" is needed to manage permissions, as "User Access Administrator" is not offered as an option.
upvoted 96 times
...
mohsanarfandanish
Highly Voted 1 year, 11 months ago
Cleared Exam 930 was appeared in exam 18/3/2023 ANS most upvoted
upvoted 19 times
...
[Removed]
Most Recent 6 months ago
CORRECT since User Access Administrator is not provided in the options to follow the less privilege principle, the owner is correct for sure.
upvoted 2 times
...
18c2076
11 months, 3 weeks ago
Storage Account Contributor does not follow the principle of least privilege. Storage Account Contributor would allow a user that is requested to ONLY have the ability to READ/VIEW the data in the storage account, to do many other things such as Write/List/Delete/Move the data in the storage accounts. They only need to be able to view/read. Therefore, Reader, and Data Access follow this principle. RBAC roles for Storage Accounts: Role: Read and Data Access - Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. Please see reference documentation from MS Learn on Read and Data Access role: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#reader-and-data-access
upvoted 1 times
...
Amir1909
1 year ago
Correct
upvoted 1 times
...
jeru81
1 year ago
Answer is wrong. there is a 5th option User Access Administrator, which is cut out here. You see the 5 dots? -Reader and Data Access -User Access Administrator ;)
upvoted 9 times
MSBITSM
1 year ago
If there was indeed an option for User Access Administrator, that would be correct. But in this case, owner will do the trick.
upvoted 2 times
...
...
devops_devops
1 year, 1 month ago
This question was in exam 15/01/24
upvoted 3 times
...
Ahkhan
1 year, 3 months ago
I got this question today in my exam—11/14 2023.
upvoted 3 times
Azc_T
1 year, 2 months ago
Did you use free access? Are these questions from free access enough to clear exam?
upvoted 1 times
...
...
Rednevi
1 year, 5 months ago
Remember: Contributor can NOT assign roles
upvoted 2 times
Alandt
1 year, 2 months ago
Exactly, only owner if I'm correct?
upvoted 1 times
fe0b3b4
1 year, 2 months ago
Also User Access Administrator: User Access Administrator: can assign roles but can’t do anything with the actual resources, so manages access but not the resources. Contributor: can do everything with the actual resources but can’t assign roles, so manages the resources but not the access to them. Owner: can do everything, most powerful role in Azure.
upvoted 3 times
Alandt
1 year, 1 month ago
Good point!
upvoted 1 times
...
...
...
...
Rams786
1 year, 5 months ago
This question was on my exam on 22 Sep 2023. Scored 900. I answered most Voted
upvoted 3 times
Azc_T
1 year, 2 months ago
Did you use free access? Are these questions from free access enough to clear exam?
upvoted 1 times
Indy429
1 year, 2 months ago
No you should get Contributor access to be able to go through everything, especially the case studies
upvoted 1 times
3c5adce
10 months ago
How do you access the case studies?
upvoted 1 times
rodrod
4 months, 1 week ago
he just explained...
upvoted 1 times
...
...
...
...
...
skavichal
1 year, 8 months ago
user 1 Reader and data access user2 should be owner, Storage Account Contributor can't be possible as it can read roles and roles assignment but can't assign any role to user.
upvoted 2 times
...
Athul07
1 year, 9 months ago
User1: Reader User2: Storage Account Contributor
upvoted 1 times
18c2076
11 months, 3 weeks ago
Storage Account Contributor does not follow the principle of least privilege. Storage Account Contributor would allow a user that is requested to ONLY have the ability to READ/VIEW the data in the storage account, to do many other things such as Write/List/Delete/Move the data in the storage accounts. They only need to be able to view/read. Therefore, Reader, and Data Access follow this principle. RBAC roles for Storage Accounts: Role: Read and Data Access - Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. Please see reference documentation from MS Learn on Read and Data Access role: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#reader-and-data-access
upvoted 1 times
...
...
SIAMIANJI
1 year, 9 months ago
User1: Storage Account Contributor User2: Owner
upvoted 1 times
18c2076
11 months, 3 weeks ago
Storage Account Contributor does not follow the principle of least privilege. Storage Account Contributor would allow a user that is requested to ONLY have the ability to READ/VIEW the data in the storage account, to do many other things such as Write/List/Delete/Move the data in the storage accounts. They only need to be able to view/read. Therefore, Reader, and Data Access follow this principle. RBAC roles for Storage Accounts: Role: Read and Data Access - Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. Please see reference documentation from MS Learn on Read and Data Access role: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#reader-and-data-access
upvoted 1 times
...
...
zellck
2 years, 1 month ago
User1: Read and Data Access User 2: Owner https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader-and-data-access Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
upvoted 10 times
...
Whatsamattr81
2 years, 1 month ago
View Data in ANY storage account (assume storage account only) Reader and Data Access gives a lot more than just storage account permissions - but Storage account contributor gives you access to do a lot more than just Read / View data. Tricky one. Neither choices are perfect. But SAC role lets you do more than just 'view' data...
upvoted 3 times
18c2076
11 months, 3 weeks ago
It's not okay to be wrong in this instance where you're vomiting it all over the internet. Storage Account Contributor does not follow the principle of least privilege. Storage Account Contributor would allow a user that is requested to ONLY have the ability to READ/VIEW the data in the storage account, to do many other things such as Write/List/Delete/Move the data in the storage accounts. They only need to be able to view/read. Therefore, Reader, and Data Access follow this principle. RBAC roles for Storage Accounts: Role: Read and Data Access - Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. Please see reference documentation from MS Learn on Read and Data Access role: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#reader-and-data-access
upvoted 1 times
...
lkjsatlwjwwge
2 years, 1 month ago
It's true that Reader&Data Access allows writing, but you need to grant the role with the least permissions that will allow viewing, and according to https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal, Storage Acct Contributor gives you even more permissions. So it ought to be R&DA.
upvoted 1 times
...
...
Henryjb3
2 years, 1 month ago
Would the second answer be Storage Account Contributor, since it is the least privilege?
upvoted 3 times
Nickouh
2 years, 1 month ago
I think so as it's least privilege
upvoted 1 times
...
VWSAM025
2 years, 1 month ago
Storage account contributor cannot assign roles
upvoted 3 times
...
KennethLZK
2 years, 1 month ago
The appropriate role should be "User Access Administrator" but it is not an option. Therefore, the next "least privilege" role would be "Owner". Storage Account Contributor - Permits management of storage accounts. Provides access to the account key, which can be used to *access data* via Shared Key authorization. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
upvoted 3 times
...
...
Ashfaque_9x
2 years, 1 month ago
User 1: "Reader and Data Access" User 2: "Owner"
upvoted 4 times
...
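
The role comparison argued in the comments above can be checked mechanically. The following is an added example, not part of the original thread or of any Microsoft tooling: it evaluates abridged built-in role definitions the way Azure RBAC does for control-plane operations (allowed if matched by Actions and not matched by NotActions). The permission lists are trimmed to the entries relevant here and are an assumption; compare them with `az role definition list` before relying on them.

```python
from fnmatch import fnmatchcase

# Abridged control-plane permissions (assumption: trimmed for illustration;
# the live definitions contain more entries).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*"],
        "not_actions": [],
    },
    "Storage Account Contributor": {
        "actions": ["Microsoft.Authorization/*/read",
                    "Microsoft.Storage/storageAccounts/*"],
        "not_actions": [],
    },
    "Reader and Data Access": {
        "actions": ["Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/listKeys/action",
                    "Microsoft.Storage/storageAccounts/ListAccountSas/action"],
        "not_actions": [],
    },
}

ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
CREATE_ACCOUNT = "Microsoft.Storage/storageAccounts/write"


def _match(patterns, operation):
    # Operation names are compared case-insensitively; '*' spans '/' too.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def allows(role, operation):
    # Effective permission = Actions minus NotActions.
    d = ROLES[role]
    return _match(d["actions"], operation) and not _match(d["not_actions"], operation)


def roles_allowing(operation):
    return sorted(r for r in ROLES if allows(r, operation))


if __name__ == "__main__":
    for op in (ASSIGN_ROLE, LIST_KEYS, CREATE_ACCOUNT):
        print(op, "->", roles_allowing(op))
```

Any role that can call `listKeys` can read and write data through the account key, which is why key access is the detail to audit when a role is described as read-only.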