Exam AZ-500 topic 5 question 62 discussion

Actual exam question from Microsoft's AZ-500
Question #: 62
Topic #: 5

HOTSPOT

You have an Azure subscription that contains two users named User1 and User2 and the blob containers shown in the following table.



Policy1 is configured as shown in the following exhibit.



You assign the roles for storage1 as shown in the following table.



The storage1 account has the following shared access signature (SAS) named SAS1:

• Allowed services: Blob
• Allowed resource types: Container
• Allowed permissions: Read, Write, List, Add, Create
• Blob versioning permissions: enables deletion of versions
• Allowed blob index permissions: Read/Write
• Start and expiry date/time:
  o Start: 12/1/2021
  o End: 12/31/2021

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

tutonata
Highly Voted 2 years, 1 month ago
Y: container 2 doesn't have a policy applied, so SAS is in full effect.
N: policy is applied to container 1 and limits permissions to READ.
N: SAS has expired on Dec 31/2021 so it's invalid.
RBAC roles are irrelevant here since statements say WHEN USING SAS1. Using a SAS in a URL has nothing to do with user RBAC assignments.
upvoted 33 times
adminpack
1 year, 6 months ago
CGPT: So, when there's a conflict, the more restrictive setting usually wins. If a SAS associated with a container's Access Policy tries to perform an action the Access Policy doesn't allow, the action will be denied. Conversely, if the SAS itself has more restrictive permissions than the Access Policy it's associated with, then the SAS's restrictions apply.
upvoted 2 times
[Removed]
1 year, 6 months ago
Tested in lab: SAS token permissions superseded the read-only access policy. If the SAS token has allowed write permissions, then you can write to the container.
upvoted 2 times
...
...
...
heatfan900
Highly Voted 1 year, 7 months ago
Y, Y, N. User 1 can write to container 2 because the SAS TOKEN allows it at the STORAGE ACCT level between 12/1-12/31; therefore, you the user will have the access outlined in the token against any container hosted in the SA. User 2 can write to container 1 for the same reasons as User 1 can for container 2. User 1 cannot read from container two based on the SAS TOKEN on 1/10/22 because it expired on 12/31. A SAS TOKEN is a collection of permissions issued against, in this case, an SA which bypasses any policy or RBAC assignments within Azure. It operates based on its own configuration. This is why anyone, whether part of the Azure Tenant or not, can use the SAS TOKEN to access files. Think of it as a link sent to a friend to share a file hosted in Dropbox.
upvoted 12 times
pentium75
8 months, 4 weeks ago
I think you've overlooked that the SAS allows only access to containers but not objects. So he can create and delete containers in the storage account, but he can NOT write objects INTO a container.
upvoted 1 times
...
Pamban
11 months, 2 weeks ago
Agreed with the answer. SAS token permission is in effect over the read-only access policy, so the answer is YYN.
upvoted 1 times
...
...
pentium75
Most Recent 8 months, 4 weeks ago
User permissions and roles are totally irrelevant because the user is using SAS, not his account. Access policy is also irrelevant because it was not used when generating the SAS.
NO - SAS applies only to containers (not objects). He can create and delete containers, but he cannot write objects INTO a container.
NO - same
NO - SAS expired
upvoted 4 times
sauliusm
3 months, 1 week ago
All NO because SAS1 is not valid, because the allowed resource list includes only 'container'. Since this is a storage account SAS, it has to include at least 'service' as the allowed resource type to be valid.
upvoted 2 times
...
...
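How the fields of an account SAS such as SAS1 gate a request, as an added example that is not part of the original thread. The token string, its placeholder signature and the four-row operation table are constructed for illustration; the operation-to-resource-type mapping is an assumption following Microsoft's account SAS documentation, and the check covers only the token's own fields, not signature validation, RBAC or stored access policies.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed account SAS mirroring SAS1 (signature is a placeholder;
# the versioning and blob index permission flags are left out for brevity).
SAS1 = ("sv=2020-08-04&ss=b&srt=c&sp=rwlac"
        "&st=2021-12-01T00:00:00Z&se=2021-12-31T23:59:59Z&sig=PLACEHOLDER")

# Assumed subset of the operation table:
# operation -> (service, resource type, permissions that authorize it)
OPERATIONS = {
    "Create Container": ("b", "c", "cw"),
    "List Blobs":       ("b", "c", "l"),
    "Get Blob":         ("b", "o", "r"),
    "Put Blob":         ("b", "o", "cw"),
}

def _ts(value):
    # SAS timestamps are ISO 8601 in UTC.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check(sas, operation, when):
    """Return (allowed, reason) for one operation at `when` (aware UTC datetime)."""
    q = {k: v[0] for k, v in parse_qs(sas).items()}
    service, rtype, perms = OPERATIONS[operation]
    if "st" in q and when < _ts(q["st"]):
        return False, "not yet valid"
    if when > _ts(q["se"]):
        return False, "expired"
    if service not in q["ss"]:          # ss: signed services (b, f, q, t)
        return False, "service not allowed"
    if rtype not in q["srt"]:           # srt: signed resource types (s, c, o)
        return False, "resource type not allowed"
    if not set(perms) & set(q["sp"]):   # sp: signed permissions
        return False, "permission not granted"
    return True, "within the token's own limits"

if __name__ == "__main__":
    cases = [("List Blobs", (2021, 12, 15)), ("Put Blob", (2021, 12, 15)),
             ("List Blobs", (2022, 1, 10))]
    for op, day in cases:
        print(op, day, check(SAS1, op, datetime(*day, tzinfo=timezone.utc)))
```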
bxlin
11 months, 1 week ago
1-Y SAS applies
2-N Stored access policy wins
3-N SAS expired
upvoted 1 times
...
epomatti
1 year, 3 months ago
Nowhere in the question does it state that the SAS was generated with the Stored Policy.
upvoted 2 times
...
xxavimr
1 year, 5 months ago
The second is NO. According to documentation, a stored access policy provides an additional level of control over service-level shared access signatures (SASs) on the server side: https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy. They are compatible as it is a service SAS.
upvoted 3 times
...
TheProfessor
1 year, 6 months ago
Answer is correct. SAS1 is applied at the STORAGE LEVEL.
upvoted 2 times
...
[Removed]
1 year, 8 months ago
NNN
N: User1 does not have write role permission.
N: policy is applied to container 1 and limits permissions to READ.
N: SAS has expired on Dec 31/2021 so it's invalid.
upvoted 3 times
Mnguyen0503
1 year, 3 months ago
Wrong. SAS1 gives User1 Write permission. RBAC is not applied here when SAS is in use.
upvoted 2 times
...
...
ServerBrain
1 year, 8 months ago
BOX 1, User1 has Storage Blob Data Reader role assigned, so cannot write to container1.
upvoted 1 times
...
sigvast
1 year, 9 months ago
Given answers are correct. A stored access policy by itself does nothing if not linked to a SAS. So in this question, RBAC and policies are irrelevant and you only have to look at the SAS settings.
upvoted 2 times
...
zellck
1 year, 12 months ago
YNN is the answer. https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy A stored access policy provides an additional level of control over service-level shared access signatures (SASs) on the server side. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature. You can also use a stored access policy to revoke a signature after it has been issued.
upvoted 4 times
...
PapaLion
2 years ago
BOX 1: YES because SAS wins, no policy is applied.
BOX 2: NO because Policy wins over SAS token.
BOX 3: YES because Policy is expired and SAS wins.
This is my honest opinion.
upvoted 1 times
zellck
1 year, 12 months ago
For 3, SAS1 has also expired.
upvoted 3 times
...
...
PapaLion
2 years ago
Service SAS with stored access policy. A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints—the start time, expiry time, and permissions—defined for the stored access policy.
upvoted 1 times
...
sapthami
2 years ago
1. No - Because User1 has Storage Blob Data Reader role assigned.
upvoted 2 times
pentium75
8 months, 4 weeks ago
He uses SAS key, it's totally irrelevant which permissions his account has or even who he is.
upvoted 1 times
...
sapthami
2 years ago
2. Yes
3. No - Because User1 can read from Container2
upvoted 2 times
ETV
2 years ago
correct
upvoted 1 times
...
...
...
danco104
2 years, 1 month ago
User1 has Storage Blob Data Reader role on Storage1. Does it not mean limitation? Not sure but in that case question 1 should be NO. Am I right or not?
upvoted 3 times
pentium75
8 months, 4 weeks ago
He uses SAS key, it's totally irrelevant which permissions his account has or even who he is.
upvoted 1 times
...
...
majstor86
2 years, 1 month ago
YES YES NO
upvoted 3 times
...
Nick66
2 years, 2 months ago
For me the second answer should be NO because a stored access policy restricts the permissions configured at the SAS: Shared access signatures (SAS) enable restricted access to entities within a storage account. A stored access policy provides additional control over service-level SAS on the server side. Establishing a stored access policy serves to group shared access signatures and to provide additional restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has been issued.
upvoted 2 times
pentium75
8 months, 4 weeks ago
No because the SAS key does not use the access policy.
upvoted 1 times
...
...