Exam AZ-500 topic 2 question 83 discussion

Actual exam question from Microsoft's AZ-500
Question #: 83
Topic #: 2

HOTSPOT
-

You have an Azure Active Directory tenant that syncs with an Active Directory Domain Services (AD DS) domain.

You plan to create an Azure file share that will contain folders and files.

Which identity store can you use to assign permissions to the Azure file share and folders within the share? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Comments

Nick66
Highly Voted 2 years, 3 months ago
Box1 and Box2: AD DS Only

Azure Files supports identity-based authentication for Windows file shares over Server Message Block (SMB) using the Kerberos authentication protocol through the following three methods:
• On-premises Active Directory Domain Services (AD DS)
• Azure Active Directory Domain Services (Azure AD DS)
• Azure Active Directory (Azure AD) Kerberos for hybrid user identities

Note: Azure Files supports authentication for Azure AD DS with full or partial (scoped) synchronization with Azure AD. For environments with scoped synchronization present, administrators should be aware that Azure Files only honors Azure RBAC role assignments granted to principals that are synchronized. Role assignments granted to identities not synchronized from Azure AD to Azure AD DS will be ignored by the Azure Files service.
upvoted 26 times
stepman
2 years ago
I chose this. On exam 4/27. the new exam experience. No Sim or lab.
upvoted 13 times
...
Tweety1972
2 years ago
Share-level permissions on Azure file shares are configured for Azure Active Directory (Azure AD) users, groups, or service principals, while directory and file-level permissions are enforced using Windows access control lists (ACLs).
upvoted 4 times
...
...
undecided
Highly Voted 2 years, 3 months ago
As per https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#how-it-works, I believe: Box 1: Azure AD only (same as how for on-prem AD it's Azure AD) Box 2: AD DS only (same as how for on-prem AD it's AD DS)
upvoted 16 times
...
golitech
Most Recent 2 months, 4 weeks ago
For Azure File Share: Answer: AD DS only
This is because Azure Files (when using SMB protocol) supports Active Directory Domain Services (AD DS) authentication for assigning permissions to the Azure file share itself. Azure AD is not directly used for managing file share-level permissions in this context.

For Folder in the File Share: Answer: Both
Permissions for folders within the Azure file share can be managed using either Azure AD or AD DS, depending on your configuration:
• Azure AD can be used if the file share is configured for Azure AD authentication.
• AD DS can be used if the file share is configured for AD DS authentication.

Thus, both Azure AD and AD DS can be used for folder-level permissions, depending on the authentication method chosen.
upvoted 2 times
...
cerifyme85
6 months, 4 weeks ago
1. Azure AD and Azure ADDS 2. Azure AD only
upvoted 1 times
...
pentium75
9 months ago
To me it's unclear what "identity store" is supposed to mean. However, there's this sentence in the documentation: "None of the authentication methods support assigning share-level permissions to computer accounts (machine accounts) using Azure RBAC, because computer accounts can't be synced to an identity in Microsoft Entra ID. If you want to allow a computer account to access Azure file shares using identity-based authentication, use a default share-level permission or consider using a service logon account instead." This indicates that share-level permissions are somehow using Entra ID while folder-level permissions are using AD/ADDS. So I'd say first answer is "Azure AD only".
upvoted 2 times
...
Alex1405
10 months, 3 weeks ago
To correctly assign permissions to an Azure file share and the folders within the share, considering an environment that syncs with an Active Directory Domain Services (AD DS) domain, you need to choose the appropriate identity store. The correct answers are:

Azure file share: AD DS only: Azure Files supports identity-based authentication over SMB (Server Message Block) by integrating with AD DS. This allows you to use on-premises AD DS to authenticate and authorize users for accessing Azure file shares.

Folders in the file share: AD DS only: Since the Azure file share is integrated with AD DS for authentication and authorization, the permissions for folders within the file share will also rely on AD DS.

So the correct options are:
For the Azure file share: AD DS only
For folders in the file share: AD DS only
upvoted 2 times
...
Ivan80
1 year, 3 months ago
In exam 1/28/24
upvoted 2 times
...
brooklyn510
1 year, 3 months ago
On exam 1/2/24
upvoted 3 times
shako
1 year, 3 months ago
No Sim or lab ?
upvoted 1 times
...
...
Obama_boy
1 year, 4 months ago
in exam 08/12/23
upvoted 1 times
...
ubiquituz
1 year, 5 months ago
box1: ad ds and azure ad (microsoft entra) box2: ad ds and azure ad (microsoft entra) https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview https://techcommunity.microsoft.com/t5/azure-storage-blog/general-availability-introducing-azure-ad-support-for-azure/ba-p/3826733
upvoted 7 times
...
wardy1983
1 year, 5 months ago
box1: AD DS only
The selected Azure AD identity must be a hybrid identity and cannot be a cloud only identity. This means that the same identity is also represented in AD DS.
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal
Box 2: AD DS only
upvoted 2 times
...
AIster77
1 year, 9 months ago
I chose the answers presented. In exam taken 24 July 2023 Box 1: Azure AD - https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions Box 2 - Azure AD and AD DS - read what's in the Important note which talks about AD DS and Azure AD DS - https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-configure-permissions
upvoted 4 times
...
massnonn
1 year, 10 months ago
To assign permissions to an Azure file share and its folders, you can use the Azure Active Directory (Azure AD) identity store. Azure AD provides a centralized identity and access management solution for Azure services, including Azure file shares.
upvoted 1 times
...
zellck
1 year, 12 months ago
1. Azure AD only 2. AD DS only https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#ad-ds This is because the share-level permission is configured against the identity represented in Azure AD, whereas the directory/file-level permission is enforced with that in AD DS.
upvoted 9 times
...
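The two permission layers this thread discusses (share-level Azure RBAC and directory/file-level Windows ACLs), shown as an added example that is not part of the original discussion. Every name is a placeholder, and it assumes the storage account is already enabled for AD DS authentication, the Az PowerShell module is signed in, and the script runs on a domain-joined machine as an identity allowed to change ACLs on the share.

```powershell
# Placeholders, constructed for illustration; replace with your own values.
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<resource-group>'
$storageAccount = '<storage-account>'
$shareName      = '<share-name>'
$hybridUserUpn  = 'user@contoso.example'   # identity synced from AD DS to Azure AD
$domainUser     = 'CONTOSO\user'           # the same identity as AD DS sees it

# Layer 1: share-level permission.
# This is an Azure RBAC role assignment, so the principal is looked up in
# Azure AD and the scope is the resource ID of the file share.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
         "/fileServices/default/fileshares/$shareName"

New-AzRoleAssignment -SignInName $hybridUserUpn `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope $scope

# Review which principals hold SMB share roles at (or above) this scope.
Get-AzRoleAssignment -Scope $scope |
    Where-Object RoleDefinitionName -like 'Storage File Data SMB Share*' |
    Select-Object SignInName, RoleDefinitionName, Scope

# Layer 2: directory/file-level permission.
# This is a Windows ACL stored on the share, so the trustee is resolved
# against the domain, not against Azure RBAC.
$sharePath = "\\${storageAccount}.file.core.windows.net\$shareName"
net use Z: $sharePath                      # Kerberos logon as the current domain user

# 'Finance' is a hypothetical folder name.
New-Item -ItemType Directory -Path 'Z:\Finance' -Force | Out-Null

# Grant Modify, inherited by child files (OI) and subfolders (CI).
icacls 'Z:\Finance' /grant "${domainUser}:(OI)(CI)M"

# Print the resulting ACL for review.
icacls 'Z:\Finance'
```

Both layers are evaluated on access: the RBAC role decides whether the identity can use the share at all, and the Windows ACL decides what it can do inside a given folder.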
aztitef
2 years ago
1. Azure AD only. 2. Azure AD DS only Share-level permissions on Azure file shares are configured for Azure Active Directory (Azure AD) users, groups, or service principals, while directory and file-level permissions are enforced using Windows access control lists (ACLs). https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal
upvoted 5 times
upliftinghut
2 years ago
Thanks for the link, but as I read it, the users/groups need to be hybrid, can't be pure Azure AD => Azure AD DS both
upvoted 2 times
...
Tweety1972
2 years ago
Share-level permissions on Azure file shares are configured for Azure Active Directory (Azure AD) users, groups, or service principals, while directory and file-level permissions are enforced using Windows access control lists (ACLs).
upvoted 1 times
...
...
majstor86
2 years, 1 month ago
1. AD DS only 2. AD DS only
upvoted 6 times
Tweety1972
2 years ago
Share-level permissions on Azure file shares are configured for Azure Active Directory (Azure AD) users, groups, or service principals, while directory and file-level permissions are enforced using Windows access control lists (ACLs).
upvoted 2 times
...
...
jvallespin
2 years, 2 months ago
I would say both support ADDS and Azure AD based on the supported authentication scenarios in this link: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
upvoted 1 times
...