Exam AZ-104 topic 3 question 58 discussion

key1: folder1, container1, table1 SAS1: table1 I think that key 1 is the key of storage account which is created when creating storage account. Thus, it should be able to access all in storage account. SAS1 allows table only which is shown in the exhibit.

The correct answer is definitely (ExamTopic's provided answer is unfortunately wrong): Using key1: Table1, folder1, and container1 Using SAS1: Table1 only Reasoning: 1. The question clearly states: "To which resources can User1 write by using SAS1 and key1?" This means that the RBAC for User1 will not apply. Hence, when using the SAS1 this means that only Table services (i.e. "Table1") will be allowed, regardless of the RBAC. 2. The signing key "key1", which is one of the two storage account access keys, are to be seen as the "root password" for the storage account. Exhibit: "Your storage account access keys are similar to a root password for your storage account." https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string Go to your Storage Account and select the Access keys blade. There you will find the two keys and connection strings using each of them. These connection strings give "root access" to everything. Hence, when using key1 all services are granted.

Agreed Key1: Table1,folder1 and container1 You cannot use Azure RBAC to disallow someone from writing to a blob if they have the storage account access key. The access key provides full access to the storage account, overriding any RBAC permissions SAS1: Table1 only SAS ha indicated only services allowed Table

SAS Configuration: Allowed Services: Defines the type of Azure Storage service the SAS can access (e.g., Blob, File, Queue, Table). Allowed Resource Types: Specifies the scope of access within the allowed services (e.g., Service, Container, Object). Allowed Permissions: Determines the actions that can be performed (e.g., Read, Write, Delete).

key1: Full access to all services of the storage account. RBAC are considered only if you use an access using managed identity. The key give full access to everyone that known it. So it's a best practice to rotate keys frequently. SAS is more secure than give key, because it give limited access for limited time SAS: only table1, that is the only service checked.

No, RBAC (Role-Based Access Control) cannot override storage account key permissions in Azure. Storage account access keys provide full access to the configuration of a storage account, We are generating SAS1 using KEY1 Therefore if RBAC cannot override KEY then Kamlau is right.

WRONG key1: Table1, folder1, and container1 SAS1: Table1 only

Access Permissions: Key1: Since User1 has the roles for Table and File storage but only read access for Blob storage, the configuration should match the roles allowing full access for Table and File storage but limited access for Blob storage. Therefore, the correct answer is folder1 and Table1 only for Key1. SAS1: The SAS token allows permissions for Blob, File, and Table services. Therefore, it should grant access to Table1 and container1 only based on the allowed services in the SAS token configuration. Correct Answer: Key1: folder1 and Table1 only SAS1: Table1 and container1 only

Best Matching Option for Key1: Table1, folder1, and container1: This option ensures full access across all storage types in the account. Best Matching Option for SAS1: Table1, folder1, and container1: This option ensures full access as defined in the SAS token across all specified storage types.

Final Answer : Key1: Folder1 and Table1 SAS1: Table only

Final Answer : key1: Table1, folder1, and container1 SAS1: Table1 only

Key1: folder1 and Table1 only SAS1: Table only Agradezco a akkam89, quien copió el link del vídeo de Youtube, donde comprueban esta respuesta.

Key:1 Table1, folder1 and container1 SAS1: Table1 Storage account access keys provide full access to the configuration of a storage account, as well as the data. https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#regenerate-access-keys:~:text=Storage%20account%20access%20keys%20provide%20full%20access%20to%20the%20configuration%20of%20a%20storage%20account%2C%20as%20well%20as%20the%20data.

To access blob data with the account access key, you must have an Azure role assigned to you that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action. This Azure role may be a built-in or a custom role. Built-in roles that support Microsoft.Storage/storageAccounts/listkeys/action include the following, in order from least to greatest permissions: The Reader and Data Access role The Storage Account Contributor role The Azure Resource Manager Contributor role The Azure Resource Manager Owner role https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal#use-the-account-access-key So it is safe to say that RBAC matters for access keys.

key1: folder1, container1, table1 SAS1: table1

Passed AZ-104 today 03/07/24 879%. 99% of Examtopics questions in my test with exact same wording. This question was on the test, I answered 1)folder1+table1 2)table1+container1. Very Thanks to Examtopics.

As there are so many doubts in the answer I have decided to test it myself. For Key1, User1 can see container1, folder1 and table1. For SAS1: Only Table1 can be accessed.