
Exam AZ-204 topic 4 question 45 discussion

Actual exam question from Microsoft's AZ-204
Question #: 45
Topic #: 4

HOTSPOT
You are developing an application to store and retrieve data in Azure Blob storage. The application will be hosted in an on-premises virtual machine (VM). The
VM is connected to Azure by using a Site-to-Site VPN gateway connection. The application is secured by using Azure Active Directory (Azure AD) credentials.
The application must be granted access to the Azure Blob storage account with a start time, expiry time, and read permissions. The Azure Blob storage account access must use the Azure AD credentials of the application to secure data access. Data access must be able to be revoked if the client application security is breached.
You need to secure the application access to Azure Blob storage.
Which security features should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Shared access signature (SAS) token
When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS when possible for superior security.

Box 2: Stored access policy
Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys.
A shared access signature can take one of the following two forms:
✑ Service SAS with stored access policy. A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share.
The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints (the start time, expiry time, and permissions) defined for the stored access policy.
✑ Ad hoc SAS.
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
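The revocation property the suggested answer relies on is easiest to see in code. The following is an added example, not code from the page or from Microsoft: an in-memory stand-in for the storage service that mints and checks service SAS tokens the way Azure does (HMAC-SHA256 over a newline-joined string-to-sign, keyed with the account key). The field order mirrors the documented service-SAS string-to-sign for service versions 2018-11-09 through 2020-10-02 and is an assumption; the account name, key, container, blob and policy id are constructed. It shows that a SAS bound to a stored access policy carries only the policy id, so shortening or deleting the policy kills the token, whereas an ad hoc SAS has its constraints baked into the signature and can only be killed by rotating the account key. Real tokens should be minted with the Azure SDK or CLI; a user delegation SAS (signed with a key obtained through Azure AD rather than the account key) is not covered by this model.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SV = "2020-10-02"  # service version whose string-to-sign layout is modelled (assumption)


def iso(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


class StorageAccount:
    """Constructed stand-in for the storage service: holds the account key and the
    stored access policies defined on each container. Not a real Azure client."""

    def __init__(self, name, key_b64):
        self.name = name
        self.key = base64.b64decode(key_b64)
        self.policies = {}  # (container, policy id) -> {"sp": ..., "st": ..., "se": ...}

    def set_policy(self, container, policy_id, permissions, start, expiry):
        self.policies[(container, policy_id)] = {"sp": permissions, "st": iso(start), "se": iso(expiry)}

    def revoke_policy(self, container, policy_id):
        self.policies.pop((container, policy_id), None)

    def rotate_key(self, key_b64):
        self.key = base64.b64decode(key_b64)

    def string_to_sign(self, container, blob, sp, st, se, si):
        # Fields in order: permissions, start, expiry, canonicalized resource, policy
        # identifier, IP range, protocol, version, resource type, snapshot time, and
        # the five response-header overrides (all left empty here).
        resource = f"/blob/{self.name}/{container}/{blob}"
        return "\n".join([sp, st, se, resource, si, "", "https", SV, "b", "", "", "", "", "", ""])

    def sign(self, string_to_sign):
        mac = hmac.new(self.key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
        return base64.b64encode(mac).decode()

    def authorize(self, container, blob, token, now, want="r"):
        """True if `token` grants the `want` permissions on the blob at time `now`."""
        q = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
        sp, st, se, si = (q.get(k, "") for k in ("sp", "st", "se", "si"))
        expected = self.sign(self.string_to_sign(container, blob, sp, st, se, si))
        if not hmac.compare_digest(expected, q.get("sig", "")):
            return False  # tampered token, wrong blob, or account key rotated
        if si:
            policy = self.policies.get((container, si))
            if policy is None:
                return False  # policy removed: every SAS that referenced it is dead
            sp, st, se = policy["sp"], policy["st"], policy["se"]  # constraints come from the policy
        now_s = iso(now)
        if (st and now_s < st) or not se or now_s >= se:
            return False
        return all(p in sp for p in want)


def issue_policy_sas(acct, container, blob, policy_id):
    """Service SAS bound to a stored access policy: only the policy id is signed."""
    sig = acct.sign(acct.string_to_sign(container, blob, "", "", "", policy_id))
    return urlencode({"sv": SV, "sr": "b", "spr": "https", "si": policy_id, "sig": sig})


def issue_adhoc_sas(acct, container, blob, permissions, start, expiry):
    """Ad hoc service SAS: permissions, start and expiry are baked into the signature."""
    st, se = iso(start), iso(expiry)
    sig = acct.sign(acct.string_to_sign(container, blob, permissions, st, se, ""))
    return urlencode({"sv": SV, "sr": "b", "spr": "https", "sp": permissions, "st": st, "se": se, "sig": sig})


def demo():
    # Constructed account, key and timestamps; nothing here touches Azure.
    acct = StorageAccount("contoso", base64.b64encode(b"\x01" * 32).decode())
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day1 = t0 + timedelta(days=1)
    acct.set_policy("data", "app-read", "r", t0, t0 + timedelta(days=30))
    policy_tok = issue_policy_sas(acct, "data", "report.csv", "app-read")
    adhoc_tok = issue_adhoc_sas(acct, "data", "report.csv", "r", t0, t0 + timedelta(days=30))
    out = {
        "policy_read_ok": acct.authorize("data", "report.csv", policy_tok, day1),
        "policy_write_denied": not acct.authorize("data", "report.csv", policy_tok, day1, want="w"),
        "other_blob_denied": not acct.authorize("data", "secret.csv", policy_tok, day1),
        "adhoc_read_ok": acct.authorize("data", "report.csv", adhoc_tok, day1),
    }
    # Shortening the policy expiry revokes the policy-bound SAS without touching the key.
    acct.set_policy("data", "app-read", "r", t0, t0 + timedelta(hours=1))
    out["policy_revoked_by_expiry"] = not acct.authorize("data", "report.csv", policy_tok, day1)
    acct.revoke_policy("data", "app-read")
    out["policy_revoked_by_delete"] = not acct.authorize("data", "report.csv", policy_tok, day1)
    # The ad hoc SAS is unaffected by either step; only rotating the account key invalidates it.
    out["adhoc_still_valid"] = acct.authorize("data", "report.csv", adhoc_tok, day1)
    acct.rotate_key(base64.b64encode(b"\x02" * 32).decode())
    out["adhoc_revoked_by_rotation"] = not acct.authorize("data", "report.csv", adhoc_tok, day1)
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Every check in `demo()` comes back `True`. The design point is in `authorize`: because the policy-bound token signs empty permission, start and expiry fields, the service must look those up in the stored access policy on every request, which is exactly what makes the policy a revocation lever. Rotating the key, by contrast, revokes every SAS on the account at once, policy-bound or not.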

Comments

coffecold
Highly Voted 2 years, 8 months ago
storage account access keys: similar to a root password for your storage account, not for distribution
system assigned managed identity: only for use within services in Azure
SAS token: right answer
Stored Access Policy: right answer
user assigned managed identity: only for use within services in Azure, this must connect to a server outside
CORS protection: Site-to-Site VPN gateway, there is no other domain involved
upvoted 29 times
0cc50bf
Most Recent 10 months, 2 weeks ago
The only solution I see is SAS token and User Assigned Managed Identity. Because the application must use AD credentials to access storage, it must use a User Delegation SAS, not a service SAS or account SAS. Therefore it cannot have a stored access policy, those are only for service SAS. So the application must be manually assigned a managed identity, and the SAS must be issued for this identity. This identity can then be revoked later.
upvoted 1 times
Dan696969
6 months ago
Fed this question to two AI solutions. Box 1: SAS token (one said system assigned identity but the majority is saying SAS). Box 2: both said stored access policy. If someone has a link I can feed it to my AI.
upvoted 1 times
macobuzi
1 year, 10 months ago
Why not System-Assigned Managed Identity + Stored Access Policy? I think it's also a valid option.
upvoted 1 times
0cc50bf
10 months, 2 weeks ago
No, the VM that hosts the application is on-prem outside of Azure, it cannot have a system managed identity.
upvoted 1 times
vmakharashvili
2 years, 4 months ago
Correct
upvoted 2 times
OPT_001122
2 years, 6 months ago
SAS token, Stored Access Policy. The answer is correct.
upvoted 1 times
finnishr
2 years, 9 months ago
The answer is correct since none of the other possible combinations make sense. Even though service level SAS doesn't use Azure AD credentials.
upvoted 3 times
finnishr
2 years, 9 months ago
Stored Access Policies definitely won't work. I'd pick SAS and CORS.
upvoted 1 times
ArturKon
2 years, 9 months ago
"Data access must be able to be revoked if the client application security is breached." - isn't that a clue to use access policy? Typical SAS is not revokable itself.
upvoted 2 times
gmishra88
2 years, 8 months ago
SAS with user-delegation works with AD roles
upvoted 2 times
sghaha
3 years, 2 months ago
in Korean https://docs.microsoft.com/ko-kr/azure/storage/common/storage-sas-overview
upvoted 1 times
eazy_breezy_jeezy
3 years, 2 months ago
A user delegation SAS makes sense for the "Application" answer, but I don't think any of the provided options for the Azure Storage side work. Stored Access Policies only work with a Service-level SAS, so that wouldn't make sense with a user delegation SAS. Seems like the closest option there would have been something like "RBAC role assignments" or "user delegation keys", just to spit ball. https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview#user-delegation-sas https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#revoke-a-user-delegation-sas
upvoted 1 times