Exam SC-300 topic 2 question 85 discussion

Answer C) User3 (Storage Blob Data Reader) supports ABAC Currently, conditions can be added to built-in or custom role assignments that have blob storage or queue storage data actions. These include the following built-in roles: Storage Blob Data Contributor Storage Blob Data Owner Storage Blob Data Reader Storage Queue Data Contributor Storage Queue Data Message Processor Storage Queue Data Message Sender Storage Queue Data Reader https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-format#actions

C - Only User3: Storage Blob Data Reader supports ABAC.

Within the roles in the question, only User3: Storage Blob Data Reader supports the use of ABAC. You can test this yourself by adding role assignment in Azure. The Conditions tab is greyed out with all the other roles in the question. If you choose Storage Blob Data Reader, you can fill out the conditions.

User3 : Storage Blob Data Reader Example Azure role assignment conditions for Blob Storage Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using request, resource, environment, and principal attributes in both the standard and premium storage account performance tiers. https://learn.microsoft.com/en-us/azure/storage/blobs/storage-auth-abac-examples?tabs=portal-visual-editor

Attribute-based access control (ABAC) grants access based on attributes of users, resources, and the environment. - User roles (User1, User2, User3, User4) are a simpler form of access control. Out of the options, only Storage Blob Data Reader and Virtual Machine Contributor roles are specific to resource types (Storage Blob and Virtual Machine). These roles suggest ABAC might be used for finer-grained control. So, the answer is either C or D. While both Storage Blob Data Reader and Virtual Machine Contributor roles might be used with ABAC, it's more likely for data access. Therefore, the most likely user to benefit from ABAC is User3: Storage Blob Data Reader. So the answer is: C. User3

C https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-overview

Currently, conditions can be added to built-in or custom role assignments that have blob storage or queue storage data actions. Conditions are added at the same scope as the role assignment. Just like role assignments, you must have Microsoft.Authorization/roleAssignments/write permissions to add a condition.