

Exam AZ-104 topic 2 question 44 discussion

Actual exam question from Microsoft's AZ-104
Question #: 44
Topic #: 2

HOTSPOT -
You have an Azure subscription that contains a storage account named storage1. The subscription is linked to an Azure Active Directory (Azure AD) tenant named contoso.com that syncs to an on-premises Active Directory domain.
The domain contains the security principals shown in the following table.

In Azure AD, you create a user named User2.
The storage1 account contains a file share named share1 and has the following configurations.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

Comments

Chosen Answer:
ech
Highly Voted 2 years, 11 months ago
You cannot give share-level privileges to a computer object. Ans is correct.
upvoted 47 times
ExamWolf
10 months ago
You can if you add the computer object to a group first :)
upvoted 1 times
nir977
2 years, 9 months ago
Y-N-N because User2 is a cloud-only user created in AAD and does not have NetBIOS and other characteristics defined in storage.
upvoted 25 times
allyQ
1 year, 7 months ago
I have created an AAD user (not synced from the WinDC) and can give it the Storage File Data SMB Elev. Contributor role.
upvoted 8 times
ubiquituz
9 months, 2 weeks ago
This is the correct answer. Only hybrid identities (on-prem, synced to MS Entra) can be assigned share-level RBAC roles. Cloud-only (MS Entra/AAD) users cannot be assigned, and neither can computer accounts; however, computers can use the default share-level permission. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal
upvoted 2 times
theorut
Highly Voted 2 years, 6 months ago
Y-N-Y - I've tested this in my lab and was able to add an Azure AD account in a hybrid environment. So please ignore if someone states Y-N-N.
upvoted 16 times
SeMo0o0o0o
Most Recent 2 weeks, 4 days ago
correct
upvoted 1 times
mojo86
1 month, 1 week ago
The answer given is correct. Because computer accounts don't have an identity in Microsoft Entra ID, you can't configure Azure role-based access control (RBAC) for them. However, computer accounts can access a file share by using a default share-level permission.
upvoted 1 times
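An added example (not from the exam question, the discussion or Microsoft's documentation) that applies the two points in the comment above: before a share-level role is assigned on share1, it checks that the principal is a hybrid identity (has an on-premises SID synced into Entra ID), and it pins the account-wide default share-level permission that computer accounts fall back to. The resource group name "rg1", the subscription ID placeholder and the sample UPN are assumptions.

```powershell
# Requires Az.Accounts, Az.Resources, Az.Storage and Microsoft.Graph.Users.
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ResourceGroup  = 'rg1',                                   # assumed name
    [string]$StorageAccount = 'storage1',
    [string]$ShareName      = 'share1',
    [string]$Upn            = 'user1@contoso.com'                      # constructed sample UPN
)

Connect-AzAccount -Subscription $SubscriptionId | Out-Null
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

# Share-level RBAC only takes effect for identities that exist in both AD DS
# and Entra ID. A user created directly in Entra ID (User2 in the question)
# has no on-premises SID, so the Kerberos ticket issued by the on-prem DC
# cannot be mapped to it, even though the role assignment itself succeeds.
$user = Get-MgUser -UserId $Upn -Property 'Id,OnPremisesSyncEnabled,OnPremisesSecurityIdentifier'
if (-not $user.OnPremisesSyncEnabled -or -not $user.OnPremisesSecurityIdentifier) {
    throw "$Upn is cloud-only (no on-premises SID); share-level RBAC will not grant SMB access."
}

$shareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
              "/fileServices/default/fileshares/$ShareName"

# Least privilege: scope the role to the single share, not the whole account.
New-AzRoleAssignment -ObjectId $user.Id `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope $shareScope | Out-Null

# Computer accounts have no Entra ID object, so the only share-level permission
# they can ever receive is the account-wide default. Keep it at Reader (or None)
# and rely on NTFS ACLs inside the share for anything finer.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -DefaultSharePermission StorageFileDataSmbShareReader | Out-Null

# Review what is now effective: explicit assignments on the share, and the
# directory service option plus default permission on the account.
Get-AzRoleAssignment -Scope $shareScope |
    Select-Object DisplayName, RoleDefinitionName, Scope
(Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).AzureFilesIdentityBasedAuth |
    Select-Object DirectoryServiceOptions, DefaultSharePermission
```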
tashakori
6 months ago
Yes No No
upvoted 2 times
Amir1909
6 months, 3 weeks ago
Yes No No
upvoted 1 times
vsvaid
8 months ago
Y-N-N. Hybrid user will work; computer and cloud users will not work.
upvoted 1 times
31c21da
8 months, 1 week ago
The key to whether you can assign user2 depends on whether user2 is a cloud-only identity. Initially, yes, as the user is created in Azure AD. However, the question also mentions an Azure AD 'contoso.com' syncs to an on-premises AD. Once user2 is synced, they become a hybrid identity. So, the crucial point here is what the question is aiming to test. If the question is testing whether a user created in Azure AD is initially a cloud-only identity, the answer will be 'N'. If it is testing whether the user will be synced, the answer is 'Y'. Since we don't know the intent of the question, we cannot definitively say whether the answer is N or Y...
upvoted 5 times
ggogel
7 months, 4 weeks ago
This is not how this works. You can't sync users from AAD to AD. Users need to be created in AD to become a hybrid identity. If they are created in AAD they are considered cloud-only. So the user is completely unknown to the AD and therefore can't access that share.
upvoted 3 times
GoldBear
9 months, 1 week ago
Does this question represent the level of knowledge that you need to memorize to perform the role of System Admin? Seems to have too much detail to remember; on the job you would run tests on these items to verify if it meets the requirement.
upvoted 2 times
897dd59
12 months ago
Should be Y-N-Y. 1/ you cannot assign for object: computer; 2/ user2 is a cloud user => can be fully managed in the cloud.
upvoted 1 times
AMEHAR
1 year ago
Y-N-N
upvoted 3 times
GoldenDisciple2
1 year ago
Microsoft clearly states the user must have a hybrid identity, therefore the 3rd one is a NO. "If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD." https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal#:~:text=If%20you%20intend%20to%20use%20a%20specific%20Azure%20AD%20user%20or%20group%20to%20access%20Azure%20file%20share%20resources%2C%20that%20identity%20must%20be%20a%20hybrid%20identity%20that%20exists%20in%20both%20on%2Dpremises%20AD%20DS%20and%20Azure%20AD.
upvoted 3 times
Andy_S
1 year, 3 months ago
Y-N-N. In the JSON we can see the parameter "directoryServiceOptions" has the value "AD", which means the file share is enabled for authentication of users holding a SESSION TICKET (Kerberos) issued by the LOCAL Domain Controller. It means that this file share can be accessed from computers JOINED to AD (on-prem) and by users created in on-prem AD AND synced to AAD (for RBAC).
upvoted 4 times
Andy_S
1 year, 3 months ago
Ref: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/2021-04-01/storageaccounts?pivots=deployment-language-bicep https://www.linkedin.com/pulse/configuring-active-directory-authentication-over-smb-azure-skerritt/
upvoted 3 times
RandomNickname
1 year, 4 months ago
Y,N,N. As per link: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal 1: Hybrid users are supported. 2: Because computer accounts don't have an identity in Azure AD, you can't configure Azure role-based access control (RBAC) for them. However, computer accounts can access a file share by using a default share-level permission. 3: Authentication and authorization against identities that only exist in Azure AD, such as Azure Managed Identities (MSIs), aren't supported.
upvoted 6 times
RandomNickname
1 year, 4 months ago
For the 3rd question, changing it to Y. It is a cloud user; however, it is synced to on-prem and visible there, so it should be possible to add, since it doesn't "only exist in Azure AD" as per the link.
upvoted 2 times
CheMetto
1 month, 3 weeks ago
The sync is two-way only for groups. The user in the cloud won't be synced on-prem.
upvoted 1 times
Vanilla007
1 year, 4 months ago
Third option should be Y, right? Because even though User2 is a cloud user, the file share is in an Azure storage account, so he must be able to access it if given access??
upvoted 3 times
etanvandan7
1 year, 4 months ago
If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD. For example, say you have a user in your AD that is [email protected] and you have synced to Azure AD as [email protected] using Azure AD Connect sync or Azure AD Connect cloud sync. For this user to access Azure Files, you must assign the share-level permissions to [email protected]. The same concept applies to groups and service principals. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal Hence user2 is cloud-only, not present in the forest directory, i.e. user2 should be in either AD DS and the Azure AD tenant (HYBRID) or on-prem AD and the Azure AD tenant (HYBRID). Y-N-N should be the answer.
upvoted 1 times
Chris76
1 year, 4 months ago
YNY - The AAD is synced to on-prem, hence user2 will also be in AD.
upvoted 1 times
DimsumDestroyer
1 year ago
There's no such thing as AAD-to-AD user creation sync. Both cloud provisioning and the full-client AAD Connect ONLY use on-prem-to-cloud user provisioning.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other