Exam AZ-104 topic 2 question 44 discussion

Actual exam question from Microsoft's AZ-104
Question #: 44
Topic #: 2

HOTSPOT -
You have an Azure subscription that contains a storage account named storage1. The subscription is linked to an Azure Active Directory (Azure AD) tenant named contoso.com that syncs to an on-premises Active Directory domain.
The domain contains the security principals shown in the following table.

In Azure AD, you create a user named User2.
The storage1 account contains a file share named share1 and has the following configurations.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

Comments

im82
Highly Voted 2 years ago
Was on exam today 19.11.2021. Passed with 920. Correct answer: Y-N-Y
upvoted 91 times
janemark
11 months, 1 week ago
Is the site enough to pass the exam?
upvoted 5 times
Aquintero
4 months, 2 weeks ago
I have passed all the exams I have taken by studying Microsoft Learn and here with ExamTopics, but it would be much better if you create a test environment and put into practice whatever you have doubts about.
upvoted 7 times
...
RougePotatoe
10 months, 2 weeks ago
No you will fail
upvoted 14 times
PERCY23
1 week ago
HAHAHA
upvoted 1 times
...
shadad
10 months ago
LOL come on man, don't scare him :D It will be enough, as most people pointed out. However, it's better to read and learn.
upvoted 20 times
GBAU
10 months ago
If you understand the answers to the questions you will probably pass but if you just try to memorise them you won't.
upvoted 18 times
shadad
9 months, 2 weeks ago
You are right.
upvoted 5 times
...
...
...
...
karthikwarrior
5 months, 2 weeks ago
Yes absolutely!!
upvoted 3 times
...
...
sunflower1
1 year ago
Is this set of questions enough to pass the exam???
upvoted 2 times
RougePotatoe
10 months, 2 weeks ago
No you will fail
upvoted 7 times
Qhispikay
10 months, 2 weeks ago
emotional damage
upvoted 43 times
...
...
...
azuresam
1 year, 8 months ago
Are this site's questions enough to clear the exam?
upvoted 14 times
GenjamBhai
1 year, 7 months ago
Y-N-N
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#restrictions
Azure AD DS and on-premises AD DS authentication do not support authentication against computer accounts. You can consider using a service logon account instead.
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal#share-level-permissions-for-specific-azure-ad-users-or-groups
If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD.
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#azure-ad-ds
Second, all users that exist in Azure AD can be authenticated and authorized. The user can be cloud only or hybrid. The sync from Azure AD to Azure AD DS is managed by the platform without requiring any user configuration. However, the client must be domain joined to Azure AD DS, it cannot be Azure AD joined or registered.
upvoted 19 times
IAGirl
1 year, 7 months ago
So is Y-N-Y
upvoted 2 times
IAGirl
1 year, 7 months ago
answer must be: Y-N-N
upvoted 6 times
...
...
...
obaali1990
8 months, 3 weeks ago
Sure, all depends on you
upvoted 3 times
...
...
...
ech
Highly Voted 2 years, 2 months ago
You cannot give share-level privileges to a computer object. Ans is correct.
upvoted 43 times
ExamWolf
2 weeks, 1 day ago
You can if you add the computer object to a group first :)
upvoted 1 times
...
nir977
1 year, 11 months ago
Y-N-N because user2 is a cloud-only user created in AAD and does not have netbios and other chars defined in storage
upvoted 20 times
ubiquituz
1 day, 9 hours ago
This is the correct answer... only hybrid identities (on-prem synced to MS Entra) can be assigned share-level RBAC roles. Cloud-only (MS Entra/AAD users) cannot be assigned... as well as computer accounts too; however, computers can use the default share-level permission https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal
upvoted 1 times
...
allyQ
9 months, 3 weeks ago
I have created an AAD user (not synced from the WinDC) and can give it the Storage file data SMB Elev. Contributor role.
upvoted 7 times
...
...
...
mattpaul
Most Recent 1 month, 2 weeks ago
I passed with these questions and many friends passed too, all questions appeared in the real exam a great study resource, contact me on [email protected]
upvoted 2 times
...
897dd59
2 months, 2 weeks ago
Should be Y-N-Y. 1/ You cannot assign for object: computer. 2/ user2 is a cloud user => can be fully managed on cloud
upvoted 1 times
...
AMEHAR
3 months, 1 week ago
Y -N -N
upvoted 2 times
...
GoldenDisciple2
3 months, 1 week ago
Microsoft clearly states the user must have a hybrid identity, therefore the 3rd one is a NO. "If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD." https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal#:~:text=If%20you%20intend%20to%20use%20a%20specific%20Azure%20AD%20user%20or%20group%20to%20access%20Azure%20file%20share%20resources%2C%20that%20identity%20must%20be%20a%20hybrid%20identity%20that%20exists%20in%20both%20on%2Dpremises%20AD%20DS%20and%20Azure%20AD.
upvoted 2 times
...
Oryx360
3 months, 2 weeks ago
Isn't so stupid to ask questions like this? I think it is the Indian guys who setup these questions they think it is too smart to test like this. It is so full of shit.
upvoted 4 times
DimsumDestroyer
3 months, 1 week ago
Come on man, don't say things like that.
upvoted 6 times
sardonique
2 months, 4 weeks ago
he probably wanted to say that the questions are badly formulated and context is far from clear
upvoted 2 times
mmissaoui97
2 months, 2 weeks ago
No, since we can read English, he said the Indian guys... :)
upvoted 3 times
...
...
...
...
tabauruguay
6 months, 1 week ago
The problem is the question. It asks if you can assign the role to share1. It doesn't say if the user can authenticate from on-premise. You can assign the role to share1 just fine, you will not be able to login from on-premise because that user won't be sync'd. However, for the question itself the answer is "Y".
upvoted 2 times
...
Andy_S
6 months, 1 week ago
Y-N-N. In the JSON we can see the parameter "directoryServiceOptions" has the value "AD", which means the File Share is enabled for authentication of users having a SESSION TICKET (Kerberos) issued by a LOCAL Domain Controller. It means that this file share can be accessed from computers JOINED to AD (OnPrem) and by Users created in OnPrem AD AND Synced to AAD (for RBAC).
upvoted 3 times
Andy_S
6 months, 1 week ago
Ref: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/2021-04-01/storageaccounts?pivots=deployment-language-bicep https://www.linkedin.com/pulse/configuring-active-directory-authentication-over-smb-azure-skerritt/
upvoted 3 times
...
...
RandomNickname
6 months, 3 weeks ago
Y,N,N
As per link: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal
1: Hybrid users are supported
2: Because computer accounts don't have an identity in Azure AD, you can't configure Azure role-based access control (RBAC) for them. However, computer accounts can access a file share by using a default share-level permission.
3: Authentication and authorization against identities that only exist in Azure AD, such as Azure Managed Identities (MSIs), aren't supported
upvoted 3 times
RandomNickname
6 months, 3 weeks ago
For 3rd question, changing it to Y. It is a cloud user, however it is synced to on prem and visible there, so should be able to add since it doesn't "only exist in Azure AD" as per link
upvoted 1 times
...
...
Vanilla007
7 months ago
Third option should be Y, right? Because even though user 2 is a cloud user, the file share is in an AZ storage account, so he must be able to access it if given access??
upvoted 2 times
...
etanvandan7
7 months ago
If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD. For example, say you have a user in your AD that is [email protected] and you have synced to Azure AD as [email protected] using Azure AD Connect sync or Azure AD Connect cloud sync. For this user to access Azure Files, you must assign the share-level permissions to [email protected]. The same concept applies to groups and service principals. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal hence user2 is cloud only not present in the forest directory ie user2 should be in either AD DS and Azure AD tenant (HYBRID) or onPREM AD and Azure AD tenant (HYBRID) Y-N-N shd be the answer
upvoted 1 times
...
Chris76
7 months, 1 week ago
YNY - The AAD is synced to onprem hence user2 will also be in AD
upvoted 1 times
DimsumDestroyer
3 months, 1 week ago
There's no such thing as AAD to AD user creation sync. Both cloud provisioning or full client AAD connect ONLY use onprem to cloud user provisioning.
upvoted 2 times
...
...
Nutella3005
7 months, 1 week ago
I just tested this on our Portal. Created a Cloud user on our AAD and then picked a random file share on a storage account, went to IAM and added the Storage File Data SMB Share Elevated Contributor role. I was able to assign this to the AAD user just fine.
upvoted 3 times
...
Chris76
7 months, 2 weeks ago
The third answer is Y. Because the AAD tenant is synced to AD. Hence users created from AD will be classed as hybrid identities being able to sign-in to onprem.
upvoted 2 times
...
NJTH
8 months ago
Exact same question was on today's exam. (7th April 2023)
upvoted 9 times
AhmedAbouHelwa
8 months ago
Hello I'll take the exam on 15 April, so could u plz tell me about the exam ?
upvoted 1 times
...
...
VinayV
8 months, 3 weeks ago
what is the correct btw? so much discussion here but no majority answer
upvoted 1 times
...