Exam SC-300 topic 3 question 46 discussion

Answer C

In the Azure portal, go into your storage account to grant your web app access. Select Access control (IAM) in the left pane, and then select Role assignments. You'll see a list of who has access to the storage account. Now you want to add a role assignment to a robot, the app service that needs access to the storage account. Select Add > Add role assignment to open the Add role assignment page. https://learn.microsoft.com/en-us/entra/identity-platform/multi-service-web-app-access-storage?tabs=azure-portal%2Cprogramming-language-csharp#grant-access-to-the-storage-account

C is the correct answer because access to resources in Azure is dealt with through Azure Role-Based Access Control (RBAC). This allows fine-grained access management for Azure. System-assigned managed identities can be assigned roles through IAM settings of a resource, granting them permissions to perform certain actions. To access files in Azure Storage, you would assign the Storage Blob Data Reader role for read access and the Storage Blob Data Contributor role for write access to the managed identity in the IAM settings. Here's the Microsoft documentation needed about granting access using RBAC and Azure AD identities: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Access control (IAM) settings in Azure allow you to manage access to various resources within your Azure subscription. If you want to ensure that the WebApp1 web app can read and write files in storage1, you must grant the web app the appropriate permissions on the storage1 storage account. By configuring access control (IAM) for the storage account "storage1", you can assign the necessary permissions (such as "Storage Blob Data Contributor" or "Storage Blob Data Reader") to the web app's managed identity to access the Blob services can access to read and write files.