ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-204 All Questions

View all questions & answers for the AZ-204 exam
Go to Exam

Exam AZ-204 topic 17 question 2 discussion

Actual exam question from Microsoft's AZ-204
Question #: 2
Topic #: 17
[All AZ-204 Questions]

HOTSPOT -
You need to configure security and compliance for the corporate website files.
Which Azure Blob storage settings should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
by Kuna_Lambo at March 12, 2021, 8:58 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
clarionprogrammer
Highly Voted 4 years, 2 months ago
shared access signature (SAS) token change feed
upvoted 107 times
surprise0011
2 years, 2 months ago
received 2023-04-17 went with above, score 926
upvoted 8 times
...
...
mlantonis
Highly Voted 4 years ago
Box 1: shared access signature (SAS) token According to the diagram, blob storage is accessed from Azure CDN. Azure CDN doesn't support authentication with managed identity. If you want to grant limited access to private storage containers, you can use the Shared Access Signature (SAS) feature of your Azure storage account. Also, using a managed identity you can't restrict access by IP as requested. Box 2: change feed The purpose of the change feed is to provide transaction logs of all the changes that occur to the blobs and the blob metadata in your storage account. The file updates must be read-only, stored in the order in which they occurred, include only create, update, delete, and copy operations, and be retained for compliance reasons. Reference: https://docs.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-change-feed?tabs=azure-portal
upvoted 62 times
1CY1
11 months, 3 weeks ago
Answer : C) SAS, B) change feed. Going to go with SAS. There still does not seem to be access to blob storage even in Premium with managed identity. At least I cannot find it.
upvoted 1 times
...
huhezculynvhzaljgs
3 years, 7 months ago
Professor is back :)))
upvoted 9 times
...
edengoforit
3 years, 4 months ago
File access must restrict access by IP, protocol, and Azure AD rights. Auditing of the file updates and transfers must be enabled to comply with General Data Protection Regulation (GDPR). The file updates must be read-only, stored in the order in which they occurred, include only create, update, delete, and copy operations, and be retained for compliance reasons.
upvoted 1 times
...
...
4b6d959
Most Recent 10 months, 1 week ago
Got this case City Power and Lights on my exam 9th Aug 2024. Went with highly voted answer, Scored:871 - shared access signature (SAS) token - change feed
upvoted 2 times
...
applepie
1 year, 11 months ago
An example of Access storage blobs using an Azure CDN custom domain It's using SAS. https://learn.microsoft.com/en-us/azure/cdn/cdn-storage-custom-domain-https
upvoted 2 times
...
Vmwarevirtual
2 years ago
Appeared the exam I toke at 27-5-2023 I chose SAS and change feed https://docs.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-change-feed?tabs=azure-portal
upvoted 1 times
...
aragones
2 years, 1 month ago
Got this 2023-05-12. Make sure to prepare VanArsdel Inc Canada study case
upvoted 2 times
...
st0rmtrooperx
2 years, 6 months ago
Got this on Dec 16th, 2022. Scored 921 and answered SAS token and change feed.
upvoted 6 times
...
OPT_001122
2 years, 7 months ago
SAS change feed
upvoted 3 times
...
coffecold
2 years, 7 months ago
RBAC and change feed. why RBAC? Triggering keywords for me are "Azure AD" and "restrict File Access". It seems that some kind of authorization is set for groups.
upvoted 2 times
...
Eltooth
2 years, 11 months ago
SAS token change feed
upvoted 3 times
...
AzureDJ
3 years, 3 months ago
shared access signature (SAS) token change feed
upvoted 1 times
...
kozchris
3 years, 3 months ago
Answer: SAS/Change Feed From problem description: "Security - File access must restrict access by IP, protocol, and Azure AD rights." The keyword here is IP. From https://docs.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support "With a SAS, you can define various parameters of access to a blob, such as start and expiry times, permissions (read/write), and IP ranges. " SAS is from AD so you get the AD rights. For Change Feed see: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-change-feed?tabs=azure-portal
upvoted 3 times
...
leonidn
3 years, 4 months ago
Agree on RBAC. Change feed The change feed provides ordered, guaranteed, durable, immutable, read-only log of these changes. https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-change-feed?tabs=azure-portal
upvoted 2 times
...
cool_tool
3 years, 10 months ago
RBAC change feed
upvoted 7 times
ning
3 years, 9 months ago
Correct, file access is AD User based rights. IP and Protocol, can be configured separately
upvoted 1 times
...
...
Kuna_Lambo
4 years, 3 months ago
managed identity change feed
upvoted 4 times
inputoutput
4 years, 3 months ago
According to the diagram, blob storage is accessed from Azure CDN. Azure CDN doesn't support authentication with managed identity. I think the correct answer is Shared Access Token. https://docs.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support
upvoted 10 times
Kuna_Lambo
4 years, 3 months ago
Thanks, I think you are right.
upvoted 1 times
...
jay158
3 years, 11 months ago
See the arrow -- Flow is from Storage to CDN. Diagram does not show, how Storage is populated. No one will populate storage via CDN
upvoted 2 times
...
rdemontis
4 years, 2 months ago
Exactly, and using a managed identity you can't restrict access by IP as requested. User delegation SAS is the right choice in this case (you need AAD integration) and change feed is the service designed for file audits. https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-change-feed?tabs=azure-portal
upvoted 16 times
kwaazaar
4 years, 2 months ago
But RBAC is supported on file shares too. It needs Azure AD Domain Services, I think.
upvoted 1 times
...
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel