Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us [email protected]
Menu

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.
Microsoft Discussions

Exam AZ-103 topic 1 question 21 discussion

Actual exam question from Microsoft's AZ-103
Question #: 21
Topic #: 1
[All AZ-103 Questions]

You have a resource group named RG1. RG1 contains an Azure Storage account named storageaccount1 and a virtual machine named VM1 that runs Windows
Server 2016. Storageaccount1 contains the disk files for VM1.
You apply a ReadOnly lock to RG1.
What can you do from the Azure portal?

  • A. Generate an automation script for RG1.
  • B. View the keys of storageaccount1.
  • C. Start VM1.
  • D. Upload a blob to storageaccount1.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.
ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
Incorrect Answers:
C: A ReadOnly lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. These operations require a POST request.
References:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
by msftfan at March 9, 2020, 10:07 a.m.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
msftfan
Highly Voted 3 years, 9 months ago
A is correct
upvoted 49 times
baobabko
3 years, 6 months ago
Tried and it works - can export template for locked Storage Account. Cannot view keys. (POST requests are not allowed on a resource with ReadOnly lock)
upvoted 7 times
...
praveen97
3 years, 5 months ago
Agree with msftfan. A is correct answer. I have tried in my tenant. I am able to export the template and generate the automation script for Resource Group. With ReadOnly lock, we can't view the keys in storage account. Tested this as well.
upvoted 3 times
...
chaudha4
2 years, 6 months ago
Even A is not possible. I put a read lock on the Resource group. Went to the deployments tab. Selected the deployment and clicked "View template" and got the error below. Error goes away if I remove the read lock on RG. ------- The scope '/subscriptions/../resourceGroups/rg-vm1/providers/Microsoft.Resources/deployments/CreateVm-canonical.0001-com-ubuntu-server-focal-2-20210526134944' cannot perform write operation because following scope(s) are locked: '/subscriptions/.../resourceGroups/rg-vm1'. Please remove the lock and try again. (Code: ScopeLocked)
upvoted 1 times
chaudha4
2 years, 6 months ago
I stand corrected. I was using the wrong tab. The correct tab would be under "Automation" call "Export Template". I am able to export the template with read -lock on RG. So A is the right answer.
upvoted 4 times
...
...
...
MedRaito
Highly Voted 3 years, 8 months ago
Hey All, I just tested the scenario, when locking RG you cannot acces to the Keys but you can generate the automation script. So the answer is : A
upvoted 16 times
...
Jhinga
Most Recent 2 years, 3 months ago
A read-only lock on a storage account prevents users from listing the account keys. The Azure Storage List Keys operation is handled through a POST request to protect access to the account keys, which provide complete access to data in the storage account. When a read-only lock is configured for a storage account, users who don't have the account keys must use Azure AD credentials to access blob or queue data. A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue). So B, C, D are incorrect. We are left with A, seems to be correct.
upvoted 2 times
...
Lkk51
2 years, 6 months ago
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json A read-only lock on a storage account prevents users from listing the account keys. The Azure Storage List Keys operation is handled through a POST request to protect access to the account keys
upvoted 1 times
...
I
2 years, 10 months ago
Well, if the question ReadOnly lock is working on RG1, then here need automation script. So option A is correct. But if the question is ReadOnly lock to Storageaccount1, option B is correct. Therefore, check the question carefully when doing the exam. I do belive every time, they only slightly change one or two key words from the question then the answer is different.
upvoted 1 times
I
2 years, 10 months ago
Alright, I change my mind. Most of us didn't check the question clearly including me! The question says that RG1 has been lock as ReadOnly then what can you do from Azure Potal? Of course, we can do nothing but viewing... Sorry for the incorrect reply at previous.
upvoted 1 times
...
...
rich59
2 years, 10 months ago
Tested on my subscription 1. I could not start a VM in resource group 2. I could not upload a blob to the storage account 3. I could not generate an automation script 4. I COULD VIEW KEYS OF STORAGE ACCOUNT
upvoted 3 times
...
ms70743
2 years, 11 months ago
A is correct answer
upvoted 1 times
...
Thi
3 years ago
A. Generate an automation script for RG1.
upvoted 1 times
...
Thi
3 years, 1 month ago
A. Generate an automation script for RG1.
upvoted 1 times
...
deepualan
3 years, 3 months ago
A read-only lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations.
upvoted 1 times
...
Saman2020
3 years, 3 months ago
Put a Read Only lock on a Stg Acct and it didn’t let me to see the Keys! I thought this is a Read action!
upvoted 1 times
...
eumevito
3 years, 3 months ago
Answer is A.. tested here also. I was not able to View the keys.
upvoted 1 times
...
Gbala
3 years, 3 months ago
Tested it... I was not able to view the storage keys and was not able to start the VM with reader access... but i was able to export the JSON script for automation ,... so definitely the answer is "A"
upvoted 2 times
Gbala
3 years, 3 months ago
ignore my previous comment.. was confused with the reader access and reader lock... with applying reader-lock on my resource group I was able to view the keys... so answer is "B"
upvoted 1 times
...
...
KaiserdomTW
3 years, 3 months ago
A. Generate an automation script for RG1. Is the answer, proof on 20200712
upvoted 2 times
...
narru
3 years, 4 months ago
Which one is correct? Ans A OR B?
upvoted 1 times
manishkhare
3 years, 4 months ago
A is correct. List Keys require a post request which will not be allowed for ReadOnlyLock https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
upvoted 1 times
...
...
EMORT
3 years, 4 months ago
A read-only lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations.
upvoted 1 times
...
_syamantak
3 years, 4 months ago
Correct Answer is A. If a resource group is locked by readonly lock , no keys can be listed. Also any no vm can be restarted when the RG is under read only lock.
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel