Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-104 All Questions

View all questions & answers for the AZ-104 exam
Go to Exam

Exam AZ-104 topic 3 question 58 discussion

Actual exam question from Microsoft's AZ-104
Question #: 58
Topic #: 3
[All AZ-104 Questions]

HOTSPOT
-

You have an Azure subscription that contains a user named User1 and a storage account named storage1. The storage1 account contains the resources shown in the following table.



User1 is assigned the following roles for storage1:

• Storage Blob Data Reader
• Storage Table Data Contributor
• Storage File Data SMB Share Contributor

For storage1, you create a shared access signature (SAS) named SAS1 that has the settings shown in the following exhibit. (Click the Exhibit tab.)



To which resources can User1 write by using SAS1 and key1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by elior19940 at Jan. 16, 2023, 6:09 p.m.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
kamlau
Highly Voted 1 year, 8 months ago
key1: folder1, container1, table1 SAS1: table1 I think that key 1 is the key of storage account which is created when creating storage account. Thus, it should be able to access all in storage account. SAS1 allows table only which is shown in the exhibit.
upvoted 93 times
CheMetto
2 months, 1 week ago
I agree with this answer. With The access Key you are like the owner of the storage, that's why you should never give it to someone. So that's why key1 is everything. Sas 1 is table for obvious reason
upvoted 3 times
...
Szala90
1 year, 8 months ago
I’m not agree with you. Question was about write access. User 1 don’t have write access to blob because of Storage blob data reader access. So answers should be: key1: folder1, table1 SAS1: table1 only
upvoted 58 times
Slimus
1 year, 5 months ago
Wrong, kamlau's answer is correct "key1: folder1, container1, table1". Storage account access keys provide full access to the configuration of a storage account, as well as the data. Always be careful to protect your access keys. ref: https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#regenerate-access-keys
upvoted 15 times
tableton
6 months ago
Access keys give you full rights to everything in your storage account, but with SAS you’re able to limit the access capabilities of its users. https://pragmaticworks.com/blog/3-things-to-know-about-shared-access-signatures
upvoted 2 times
...
nchebbi
10 months, 4 weeks ago
Please review the link you refrenced: it's titled "how to authorize access to blob data in the Azure portal" through the portal azure scans for the roles you have the permission: Microsoft.Storage/storageAccounts/listkeys/action it will use it to get the access key to show you the data in the container, inside the container you have the Authentication method either Entra ID or Access keys.
upvoted 3 times
...
...
Renss78
1 year, 6 months ago
key has nothing to do with rbac?
upvoted 6 times
SivaPannier
1 year, 1 month ago
The Key permissions are superseded by RBAC, hence the answer is Key1: Folder1 and Table1 SAS1: Table only Pls refer the link below, https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal#use-the-account-access-key
upvoted 13 times
B1gflp
11 months, 3 weeks ago
This answer is correct. Basically the user only has read access to the container hence the Reader role. Azure Files SMB is not supported by SAS which eliminates container from the second answer also.
upvoted 2 times
...
Load full discussion...
...
...
...
habbey
1 year, 5 months ago
Are you saying with access keys we can write to file shares and blobs? I was thinking only AzureAD/SAS token can write to blobs and only SAS tokens can write to FileShares
upvoted 3 times
...
...
ConanBarb
Highly Voted 1 year, 7 months ago
The correct answer is definitely (ExamTopic's provided answer is unfortunately wrong): Using key1: Table1, folder1, and container1 Using SAS1: Table1 only Reasoning: 1. The question clearly states: "To which resources can User1 write by using SAS1 and key1?" This means that the RBAC for User1 will not apply. Hence, when using the SAS1 this means that only Table services (i.e. "Table1") will be allowed, regardless of the RBAC. 2. The signing key "key1", which is one of the two storage account access keys, are to be seen as the "root password" for the storage account. Exhibit: "Your storage account access keys are similar to a root password for your storage account." https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string Go to your Storage Account and select the Access keys blade. There you will find the two keys and connection strings using each of them. These connection strings give "root access" to everything. Hence, when using key1 all services are granted.
upvoted 67 times
josola
10 months, 3 weeks ago
It looks your answer is incorrect:" To access blob data with the account access key, you must have an Azure role assigned to you that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action." if not then "When you attempt to access blob data in the Azure portal, the portal first checks whether you have been assigned a role with Microsoft.Storage/storageAccounts/listkeys/action. If you have been assigned a role with this action, then the portal uses the account key for accessing blob data. If you have not been assigned a role with this action, then the portal attempts to access data using your Microsoft Entra account." https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal#use-the-account-access-key
upvoted 7 times
...
...
SeMo0o0o0o
Most Recent 1 month ago
WRONG key1: Table1, folder1, and container1 SAS1: Table1 only
upvoted 1 times
...
ajay01avhad
2 months, 1 week ago
Access Permissions: Key1: Since User1 has the roles for Table and File storage but only read access for Blob storage, the configuration should match the roles allowing full access for Table and File storage but limited access for Blob storage. Therefore, the correct answer is folder1 and Table1 only for Key1. SAS1: The SAS token allows permissions for Blob, File, and Table services. Therefore, it should grant access to Table1 and container1 only based on the allowed services in the SAS token configuration. Correct Answer: Key1: folder1 and Table1 only SAS1: Table1 and container1 only
upvoted 2 times
...
ajay01avhad
2 months, 1 week ago
Best Matching Option for Key1: Table1, folder1, and container1: This option ensures full access across all storage types in the account. Best Matching Option for SAS1: Table1, folder1, and container1: This option ensures full access as defined in the SAS token across all specified storage types.
upvoted 1 times
...
varinder82
4 months, 1 week ago
Final Answer : Key1: Folder1 and Table1 SAS1: Table only
upvoted 1 times
...
varinder82
4 months, 2 weeks ago
Final Answer : key1: Table1, folder1, and container1 SAS1: Table1 only
upvoted 1 times
...
Joseeph
4 months, 3 weeks ago
Key1: folder1 and Table1 only SAS1: Table only Agradezco a akkam89, quien copió el link del vídeo de Youtube, donde comprueban esta respuesta.
upvoted 1 times
...
WeepingMaplte
5 months, 2 weeks ago
Key:1 Table1, folder1 and container1 SAS1: Table1 Storage account access keys provide full access to the configuration of a storage account, as well as the data. https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#regenerate-access-keys:~:text=Storage%20account%20access%20keys%20provide%20full%20access%20to%20the%20configuration%20of%20a%20storage%20account%2C%20as%20well%20as%20the%20data.
upvoted 1 times
...
01525bd
6 months, 2 weeks ago
To access blob data with the account access key, you must have an Azure role assigned to you that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action. This Azure role may be a built-in or a custom role. Built-in roles that support Microsoft.Storage/storageAccounts/listkeys/action include the following, in order from least to greatest permissions: The Reader and Data Access role The Storage Account Contributor role The Azure Resource Manager Contributor role The Azure Resource Manager Owner role https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal#use-the-account-access-key So it is safe to say that RBAC matters for access keys.
upvoted 1 times
...
Amir1909
6 months, 2 weeks ago
key1: folder1, container1, table1 SAS1: table1
upvoted 2 times
...
smirnoffpremium
7 months ago
Passed AZ-104 today 03/07/24 879%. 99% of Examtopics questions in my test with exact same wording. This question was on the test, I answered 1)folder1+table1 2)table1+container1. Very Thanks to Examtopics.
upvoted 1 times
AnVai
6 months, 3 weeks ago
Is it sufficient to prepare with free available questions?(28 pages)
upvoted 1 times
Forkbeard
5 months, 1 week ago
This question comes up a lot. I have taken multiple tests and have always passed. I always prepare with the complete set of questions and to me they were invaluable. Practising with these questions has taught me more than reading Microsoft Learn and watching videos, because of the elaborate discussings accompanying the questions. It is not very expensive, you gain some experience and it helps you pass the exam. If you already have a couple years of professional experience with the topic you can use the free version. If not, the paid version helps pass the exam and teaches you more of what you need to understand Azure. If in doubt, use the paid version.
upvoted 1 times
...
...
...
orlan
7 months ago
As there are so many doubts in the answer I have decided to test it myself. For Key1, User1 can see container1, folder1 and table1. For SAS1: Only Table1 can be accessed.
upvoted 7 times
...
edurakhan
7 months, 1 week ago
Storage account access keys provide full access to the configuration of a storage account, as well as the data https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal key1: folder1, container1, table 1 SAS1: table1 (obviously)
upvoted 1 times
...
SDiwan
8 months ago
Correct answer: Key1 : Folder1 and Table only, users RBAC permissions are enforced here since the user does not have "Microsoft.Storage/storageAccounts/listkeys/action" permission. SAS1: Table1 only
upvoted 3 times
...
devops_devops
8 months, 3 weeks ago
This question was in exam 15/01/24
upvoted 5 times
...
akkam89
8 months, 3 weeks ago
https://www.youtube.com/watch?v=1tOwTOqY_ls&list=PLlKA5U_Yqgof3H0YWhzvarFixW9QLTr4S&index=57&ab_channel=azurewala
upvoted 10 times
...
Load full discussion...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel