
AZ-104 Exam - Question 84


HOTSPOT -

You have an Azure subscription that contains a storage account named storage1. The subscription is linked to an Azure Active Directory (Azure AD) tenant named contoso.com that syncs to an on-premises Active Directory domain.

The domain contains the security principals shown in the following table.

In Azure AD, you create a user named User2.

The storage1 account contains a file share named share1 and has the following configurations.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

Discussion

17 comments
im82
Nov 19, 2021

Was on the exam today, 19.11.2021. Passed with 920. Correct answer: Y-N-Y

azuresam
Apr 7, 2022

Are this site's questions enough to get cleared in the exam?

GenjamBhai
May 4, 2022

Y-N-N

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#restrictions: "Azure AD DS and on-premises AD DS authentication do not support authentication against computer accounts. You can consider using a service logon account instead."

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal#share-level-permissions-for-specific-azure-ad-users-or-groups: "If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD."

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#azure-ad-ds: "Second, all users that exist in Azure AD can be authenticated and authorized. The user can be cloud only or hybrid. The sync from Azure AD to Azure AD DS is managed by the platform without requiring any user configuration. However, the client must be domain joined to Azure AD DS, it cannot be Azure AD joined or registered."

IAGirl
May 9, 2022

So it is Y-N-Y

IAGirl
May 9, 2022

Answer must be: Y-N-N

SDiwan
Feb 2, 2024

Y-N-Y, the question mentions that Azure AD is synced with on-prem AD.

Gpsn
Dec 26, 2023

Agree with Y-N-N. The last 'N' because Azure AD DS and Azure Files still work with Hybrid entities only and NOT with Cloud Only entities. The latest I could find is here: https://techcommunity.microsoft.com/t5/azure-storage-blog/general-availability-azure-active-directory-kerberos-with-azure/ba-p/3612111

amurp35
Jun 27, 2024

The question states that Azure AD syncs to on-prem AD, so is it really a cloud-only entity?

obaali1990
Mar 20, 2023

Sure, it all depends on you.

sunflower1
Nov 26, 2022

Is this set of questions enough to pass the exam???

RougePotatoe
Jan 24, 2023

No you will fail

Qhispikay
Jan 30, 2023

emotional damage

janemark
Jan 2, 2023

Is the site enough to pass the exam?

RougePotatoe
Jan 24, 2023

No you will fail

shadad
Feb 8, 2023

LOL, come on man, don't scare him :D It will be enough, as most people pointed out. However, it's better to read and learn.

GBAU
Feb 9, 2023

If you understand the answers to the questions you will probably pass but if you just try to memorise them you won't.

shadad
Feb 27, 2023

You are right.

PERCY23
Dec 2, 2023

HAHAHA

karthikwarrior
Jun 22, 2023

Yes absolutely!!

Aquintero
Jul 25, 2023

Every exam I have taken I have passed, studying Microsoft Learn and here with ExamTopics. But it would be much better to create a test environment and practise whatever you have doubts about.

Mentalfloss
Jul 17, 2024

Why are there so many BOTs spamming the comments with claims they took the exam, then came back here to find the questions they claim were on it?

ech
Sep 27, 2021

You cannot give share-level privileges to a computer object. Answer is correct.

nir977
Dec 20, 2021

Y-N-N because User2 is a cloud-only user created in AAD and does not have the NetBIOS and other characteristics defined in storage.

allyQ
Feb 17, 2023

I have created an AAD user (not synced from the WinDC) and can give it the Storage File Data SMB Share Elevated Contributor role.

ubiquituz
Dec 8, 2023

This is the correct answer... Only hybrid identities (on-prem synced to MS Entra) can be assigned share-level RBAC roles. Cloud-only (MS Entra/AAD) users cannot be assigned, and neither can computer accounts; however, a computer can use the default share-level permission. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

ExamWolf
Nov 24, 2023

You can if you add the computer object to a group first :)

RandomNickname
May 18, 2023

Y,N,N as per link: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

1: Hybrid users are supported.
2: Because computer accounts don't have an identity in Azure AD, you can't configure Azure role-based access control (RBAC) for them. However, computer accounts can access a file share by using a default share-level permission.
3: Authentication and authorization against identities that only exist in Azure AD, such as Azure Managed Identities (MSIs), aren't supported.

RandomNickname
May 19, 2023

For the 3rd question, changing it to Y. It is a cloud user; however, it is synced to on-prem and visible there, so it should be possible to add it, since it doesn't "only exist in Azure AD" as per the link.

31c21da
Jan 13, 2024

The key to whether you can assign user2 depends on whether user2 is a cloud-only identity. Initially, yes, as the user is created in Azure AD. However, the question also mentions an Azure AD 'contoso.com' syncs to an on-premises AD. Once user2 is synced, they become a hybrid identity. So, the crucial point here is what the question is aiming to test. If the question is testing whether a user created in Azure AD is initially a cloud-only identity, the answer will be 'N'. If it is testing whether the user will be synced, the answer is 'Y'. Since we don't know the intent of the question, we cannot definitively say whether the answer is N or Y...

ggogel
Jan 25, 2024

This is not how this works. You can't sync users from AAD to AD. Users need to be created in AD to become a hybrid identity. If they are created in AAD they are considered cloud-only. So the user is completely unknown to the AD and therefore can't access that share.
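
As an added example (not from the question or from any commenter), the following audit applies the rule the thread keeps quoting: with storage1 configured for on-premises AD DS (directoryServiceOptions "AD"), only a hybrid identity can make use of an SMB share-level role on share1, a cloud-only user's assignment is ineffective, and computer accounts only ever get the default share-level permission. The storage account JSON, the principal records (shaped like Microsoft Graph user objects with the onPremisesSecurityIdentifier attribute), the object ids and the role assignments are all constructed for this example.

```python
import json
# Constructed sample, shaped like the Microsoft.Storage ARM properties the thread
# refers to (directoryServiceOptions = "AD"); values are made up for this example.
STORAGE_ACCOUNT = json.loads('''{"name": "storage1", "properties": {
  "azureFilesIdentityBasedAuthentication": {"directoryServiceOptions": "AD",
    "defaultSharePermission": "None",
    "activeDirectoryProperties": {"domainName": "contoso.com",
                                  "netBiosDomainName": "CONTOSO"}}}}''')

# Constructed directory records in the shape of Microsoft Graph user objects: a synced
# (hybrid) user carries onPremisesSecurityIdentifier, a cloud-only user does not.
PRINCIPALS = {
    "oid-user1": {"displayName": "User1", "onPremisesSecurityIdentifier": "S-1-5-21-1-2-3-1001"},
    "oid-user2": {"displayName": "User2", "onPremisesSecurityIdentifier": None},
}

# Constructed role assignments scoped to share1; a computer account cannot appear here
# at all because it has no Azure AD object to use as principalId.
ASSIGNMENTS = [
    {"principalId": "oid-user1", "roleDefinitionName": "Storage File Data SMB Share Elevated Contributor"},
    {"principalId": "oid-user2", "roleDefinitionName": "Storage File Data SMB Share Elevated Contributor"},
    {"principalId": "oid-user2", "roleDefinitionName": "Reader"},
]
SMB_SHARE_ROLES = {"Storage File Data SMB Share Reader", "Storage File Data SMB Share Contributor",
                   "Storage File Data SMB Share Elevated Contributor"}

def audit_share_assignments(account, principals, assignments):
    """One finding per SMB share-level role assignment, plus one for the default
    share-level permission that computer accounts fall back on."""
    auth = account["properties"]["azureFilesIdentityBasedAuthentication"]
    if auth.get("directoryServiceOptions") != "AD":
        return [{"status": "skip", "reason": "not an on-premises AD DS configuration"}]
    findings = []
    for a in assignments:
        if a["roleDefinitionName"] not in SMB_SHARE_ROLES:
            continue  # control-plane roles such as Reader grant no SMB data access
        p = principals.get(a["principalId"])
        if p is None:
            status, why = "ineffective", "principal has no Azure AD object"
        elif p.get("onPremisesSecurityIdentifier"):
            status, why = "effective", "hybrid identity: AD DS can match the SID"
        else:
            status, why = "ineffective", "cloud-only identity: unknown to on-premises AD DS"
        findings.append({"principal": p["displayName"] if p else a["principalId"],
                         "role": a["roleDefinitionName"], "status": status, "reason": why})
    default = auth.get("defaultSharePermission", "None")
    findings.append({"principal": "computer accounts", "role": default,
                     "status": "effective" if default != "None" else "ineffective",
                     "reason": "computer accounts only ever get the default share-level permission"})
    return findings
```

Run against the constructed data it reports User1's assignment as effective, User2's as ineffective, and computer accounts as having no access because defaultSharePermission is "None".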

Andy_S
May 31, 2023

Y-N-N. In the JSON we can see the parameter "directoryServiceOptions" has the value "AD", which means the file share is enabled for authentication of users holding a session ticket (Kerberos) issued by a LOCAL domain controller. It means that this file share can be accessed from computers JOINED to AD (on-prem) and by users created in on-prem AD AND synced to AAD (for RBAC).

Andy_S
May 31, 2023

Ref:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/2021-04-01/storageaccounts?pivots=deployment-language-bicep
https://www.linkedin.com/pulse/configuring-active-directory-authentication-over-smb-azure-skerritt/

Vanilla007
May 13, 2023

Third option should be Y, right? Because even though User2 is a cloud user, the file share is in an Azure storage account, so he must be able to access it if given access??

tabauruguay
Jun 1, 2023

The problem is the question. It asks if you can assign the role to share1. It doesn't say if the user can authenticate from on-premises. You can assign the role to share1 just fine; you will not be able to log in from on-premises because that user won't be synced. However, for the question itself the answer is "Y".

GoldenDisciple2
Aug 31, 2023

Microsoft clearly states the user must have a hybrid identity, therefore the 3rd one is a NO. "If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD." https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal#:~:text=If%20you%20intend%20to%20use%20a%20specific%20Azure%20AD%20user%20or%20group%20to%20access%20Azure%20file%20share%20resources%2C%20that%20identity%20must%20be%20a%20hybrid%20identity%20that%20exists%20in%20both%20on%2Dpremises%20AD%20DS%20and%20Azure%20AD.

AMEHAR
Sep 1, 2023

Y-N-N

GoldBear
Dec 12, 2023

Does this question represent the level of knowledge that you need to memorize to perform the role of System Admin? It seems to have too much detail to remember; on the job you would run tests on these items to verify whether they meet the requirement.

GlixRox
Jun 21, 2024

Welcome to Microsoft and most IT cert exams... I still don't understand the logic behind it. It doesn't test your skills, it tests how well you can memorize specific data that you literally have to look up when you're implementing, because it changes all the time. One day the cert industry will wake up and start doing performance based exams, which is what is ACTUALLY needed in the industry to qualify candidates.

tashakori
Mar 20, 2024

Yes No No

Chris76
May 6, 2023

Y-N-Y - The AAD is synced to on-prem, hence User2 will also be in AD.

DimsumDestroyer
Aug 28, 2023

There's no such thing as AAD-to-AD user creation sync. Both cloud provisioning and the full client AAD Connect ONLY use on-prem-to-cloud user provisioning.

etanvandan7
May 12, 2023

"If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD. For example, say you have a user in your AD that is user1@onprem.contoso.com and you have synced to Azure AD as user1@contoso.com using Azure AD Connect sync or Azure AD Connect cloud sync. For this user to access Azure Files, you must assign the share-level permissions to user1@contoso.com. The same concept applies to groups and service principals." https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

Hence User2 is cloud-only and not present in the forest directory, i.e. User2 should be in either AD DS and the Azure AD tenant (HYBRID) or on-prem AD and the Azure AD tenant (HYBRID). Y-N-N should be the answer.

897dd59
Sep 26, 2023

Should be Y-N-Y. 1/ You cannot assign for object: computer. 2/ User2 is a cloud user => can be fully managed in the cloud.

vsvaid
Jan 23, 2024

Y-N-N. Hybrid user will work; computer and cloud users will not work.

Amir1909
Feb 28, 2024

Yes No No

OpOmOp
Jul 9, 2024

Pay attention to it: contoso.com that syncs TO an on-premises Active Directory domain. I have no idea how it was made, maybe with PowerShell scripts. But User2 will be synchronized to the on-prem AD domain.