Exam AZ-104
Question 84

HOTSPOT -

You have an Azure subscription that contains a storage account named storage1. The subscription is linked to an Azure Active Directory (Azure AD) tenant named contoso.com that syncs to an on-premises Active Directory domain.

The domain contains the security principals shown in the following table.

In Azure AD, you create a user named User2.

The storage1 account contains a file share named share1 and has the following configurations.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

Discussion
im82

Was on exam today 19.11.2021. Passed with 920. Correct answer: Y-N-Y

azuresam

Are this site's questions enough to get cleared in the exam?

GenjamBhai

Y-N-N

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#restrictions
Azure AD DS and on-premises AD DS authentication do not support authentication against computer accounts. You can consider using a service logon account instead.

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal#share-level-permissions-for-specific-azure-ad-users-or-groups
If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD.

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#azure-ad-ds
Second, all users that exist in Azure AD can be authenticated and authorized. The user can be cloud only or hybrid. The sync from Azure AD to Azure AD DS is managed by the platform without requiring any user configuration. However, the client must be domain joined to Azure AD DS, it cannot be Azure AD joined or registered.

IAGirl

So it is Y-N-Y

IAGirl

answer must be: Y-N-N

SDiwan

Y-N-Y, the question mentions that Azure AD is synced with on-prem AD.

Gpsn

Agree with Y-N-N. The last 'N' because Azure AD DS and Azure Files still work with Hybrid entities only and NOT with Cloud Only entities. The latest I could find is here: https://techcommunity.microsoft.com/t5/azure-storage-blog/general-availability-azure-active-directory-kerberos-with-azure/ba-p/3612111

amurp35

The question states that Azure AD syncs to on-prem AD, so is it really a cloud-only entity?

obaali1990

Sure, it all depends on you.

sunflower1

Is this set of questions enough to pass the exam???

RougePotatoe

No you will fail

Qhispikay

emotional damage

janemark

Is the site enough to pass the exam?

RougePotatoe

No you will fail

shadad

LOL come on man, don't scare him :D It will be enough, as most people pointed out. However, it's better to read and learn.

GBAU

If you understand the answers to the questions you will probably pass but if you just try to memorise them you won't.

shadad

You are right.

PERCY23

HAHAHA

karthikwarrior

Yes absolutely!!

Aquintero

All the exams I have taken I have passed, studying Microsoft Learn and here with examtopics. But it would be much better if you create a test environment and put into practice whatever you have doubts about.

Mentalfloss

Why are there so many BOTs spamming the comments with claims they took the exam, then came back here to find the questions they claim were on it?

ech

You cannot give share-level privileges to a computer object. Ans is correct.

nir977

Y-N-N because User2 is a cloud-only user created in AAD and does not have NetBIOS and other characteristics defined in storage

allyQ

I have created an AAD user (not synced from the WinDC) and can give it the Storage File Data SMB Elev. Contributor role.

ubiquituz

This is the correct answer... only hybrid identities (on-prem synced to MS Entra) can be assigned share-level RBAC roles. Cloud-only (MS Entra/AAD) users cannot be assigned, and neither can computer accounts; however, computers can use the default share-level permission. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

ExamWolf

You can if you add the computer object to a group first :)

RandomNickname

Y,N,N As per link: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

1: Hybrid users are supported.
2: Because computer accounts don't have an identity in Azure AD, you can't configure Azure role-based access control (RBAC) for them. However, computer accounts can access a file share by using a default share-level permission.
3: Authentication and authorization against identities that only exist in Azure AD, such as Azure Managed Identities (MSIs), aren't supported.

RandomNickname

For the 3rd question, changing it to Y. It is a cloud user, however it is synced to on-prem and visible there, so it should be possible to add since it doesn't "only exist in Azure AD" as per the link.

31c21da

The key to whether you can assign user2 depends on whether user2 is a cloud-only identity. Initially, yes, as the user is created in Azure AD. However, the question also mentions an Azure AD 'contoso.com' syncs to an on-premises AD. Once user2 is synced, they become a hybrid identity. So, the crucial point here is what the question is aiming to test. If the question is testing whether a user created in Azure AD is initially a cloud-only identity, the answer will be 'N'. If it is testing whether the user will be synced, the answer is 'Y'. Since we don't know the intent of the question, we cannot definitively say whether the answer is N or Y...

ggogel

This is not how this works. You can't sync users from AAD to AD. Users need to be created in AD to become a hybrid identity. If they are created in AAD they are considered cloud-only. So the user is completely unknown to the AD and therefore can't access that share.

Andy_S

Y-N-N In the JSON we can see the parameter "directoryServiceOptions" has the value "AD", which means the file share is enabled for authentication of users having a SESSION TICKET (Kerberos) issued by a LOCAL domain controller. It means that this file share can be accessed from computers JOINED to AD (on-prem) and by users created in on-prem AD AND synced to AAD (for RBAC).

Andy_S

Ref:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/2021-04-01/storageaccounts?pivots=deployment-language-bicep
https://www.linkedin.com/pulse/configuring-active-directory-authentication-over-smb-azure-skerritt/
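As an added example (not from the thread or from Microsoft), a small preflight check in Python that encodes the three rules RandomNickname quotes and the directoryServiceOptions / activeDirectoryProperties block Andy_S points to. The storage account JSON and the three principal records are constructed; the onPremisesSyncEnabled field name follows the Microsoft Graph user object, and the "computer" record is a stand-in for an on-prem computer account with no Azure AD object.

```python
import json

# Constructed sample (not real data): the storage account's identity-based auth
# block, shaped like the Microsoft.Storage ARM/Bicep schema linked in the thread.
STORAGE1 = json.loads("""{
  "name": "storage1",
  "properties": {"azureFilesIdentityBasedAuthentication": {
    "directoryServiceOptions": "AD",
    "defaultSharePermission": "StorageFileDataSmbShareReader",
    "activeDirectoryProperties": {
      "domainName": "contoso.com", "netBiosDomainName": "CONTOSO",
      "forestName": "contoso.com", "domainGuid": "00000000-0000-0000-0000-000000000000",
      "domainSid": "S-1-5-21-1-2-3", "azureStorageSid": "S-1-5-21-1-2-3-9999"}}}
}""")

# Constructed principals; field names follow the Microsoft Graph user object.
# "computer" stands in for an on-prem AD computer account with no Azure AD object.
PRINCIPALS = [
    {"displayName": "User1", "kind": "user", "onPremisesSyncEnabled": True},
    {"displayName": "Computer1", "kind": "computer"},
    {"displayName": "User2", "kind": "user", "onPremisesSyncEnabled": None},
]
AD_REQUIRED = ("domainName", "netBiosDomainName", "forestName",
               "domainGuid", "domainSid", "azureStorageSid")

def account_ad_config_errors(account):
    """List problems with the account's AD DS identity-based auth configuration."""
    auth = account["properties"].get("azureFilesIdentityBasedAuthentication", {})
    if auth.get("directoryServiceOptions") != "AD":
        return ["directoryServiceOptions is not AD; on-prem Kerberos tickets are not accepted"]
    props = auth.get("activeDirectoryProperties", {})
    return [f"activeDirectoryProperties.{k} missing" for k in AD_REQUIRED if not props.get(k)]

def share_level_rbac_supported(account, principal):
    """Return (supported, reason) for a share-level Azure RBAC assignment.
    Rules from the docs quoted in the thread: computer accounts have no Azure AD
    identity (only the default share-level permission applies); users and groups
    must be hybrid identities that exist in both on-prem AD DS and Azure AD."""
    errors = account_ad_config_errors(account)
    if errors:
        return False, "; ".join(errors)
    if principal["kind"] == "computer":
        fallback = account["properties"]["azureFilesIdentityBasedAuthentication"].get(
            "defaultSharePermission", "None")
        return False, f"computer account: no Azure AD identity, default share permission = {fallback}"
    if not principal.get("onPremisesSyncEnabled"):
        return False, "cloud-only identity: share-level RBAC requires a hybrid identity"
    return True, "hybrid identity: share-level RBAC assignment is supported"
```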

AMEHAR

Y-N-N

GoldenDisciple2

Microsoft clearly states the user must have a hybrid identity, therefore the 3rd one is a NO. "If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD." https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal#:~:text=If%20you%20intend%20to%20use%20a%20specific%20Azure%20AD%20user%20or%20group%20to%20access%20Azure%20file%20share%20resources%2C%20that%20identity%20must%20be%20a%20hybrid%20identity%20that%20exists%20in%20both%20on%2Dpremises%20AD%20DS%20and%20Azure%20AD.

tabauruguay

The problem is the question. It asks if you can assign the role to share1. It doesn't say if the user can authenticate from on-premises. You can assign the role to share1 just fine; you will not be able to log in from on-premises because that user won't be synced. However, for the question itself the answer is "Y".

Vanilla007

Third option should be Y, right? Because even though User2 is a cloud user, the file share is in an Azure storage account, so he must be able to access it if given access??

tashakori

Yes No No

GoldBear

Does this question represent the level of knowledge that you need to memorize to perform the role of System Admin? It seems to have too many details to remember; on the job you would run tests on these items to verify if it meets the requirement.

GlixRox

Welcome to Microsoft and most IT cert exams... I still don't understand the logic behind it. It doesn't test your skills, it tests how well you can memorize specific data that you literally have to look up when you're implementing, because it changes all the time. One day the cert industry will wake up and start doing performance based exams, which is what is ACTUALLY needed in the industry to qualify candidates.

OpOmOp

Pay attention to it: contoso.com that syncs TO an on-premises Active Directory domain. I have no idea how it was made, maybe with powershell scripts. But User2 will be synchronized to on-prem AD domain.

Amir1909

Yes No No

vsvaid

Y-N-N, hybrid user will work; computer and cloud users will not work.

897dd59

Should be Y-N-Y. 1/ You cannot assign for object: computer. 2/ User2 is a cloud user => can be fully managed in the cloud.

etanvandan7

If you intend to use a specific Azure AD user or group to access Azure file share resources, that identity must be a hybrid identity that exists in both on-premises AD DS and Azure AD. For example, say you have a user in your AD that is user1@onprem.contoso.com and you have synced to Azure AD as user1@contoso.com using Azure AD Connect sync or Azure AD Connect cloud sync. For this user to access Azure Files, you must assign the share-level permissions to user1@contoso.com. The same concept applies to groups and service principals. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal Hence User2 is cloud only, not present in the forest directory, i.e. User2 should be in either AD DS and the Azure AD tenant (HYBRID) or on-prem AD and the Azure AD tenant (HYBRID). Y-N-N should be the answer.

Chris76

Y-N-Y - The AAD is synced to on-prem, hence User2 will also be in AD.

DimsumDestroyer

There's no such thing as AAD to AD user creation sync. Both cloud provisioning and the full AAD Connect client ONLY use on-prem to cloud user provisioning.