Exam AZ-500
Question 119

HOTSPOT -

You have an Azure subscription that contains a resource group named RG1. RG1 contains a storage account named storage1.

You have two custom Azure roles named Role1 and Role2 that are scoped to RG1.

The permissions for Role1 are shown in the following JSON code.

The permissions for Role2 are shown in the following JSON code.

You assign the roles to the users shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Discussion
damtrx

User 1 can't read the Storage because Microsoft.Storage/storageAccounts/read will allow him just to LIST the storage accounts. User 2 HAS the option to do whatever he wants on the storage account, so he can read the data. User 3 can't access Azure Backup because the provider is not enabled in the Access Policy.

damtrx

Correction. User 3 has the option to do restore : Microsoft.Storage/storageAccounts/restoreBlobRanges/action - Restore blob ranges to the state of the specified time

juandmi

No - No - No because User 2 has no dataActions defined, so he cannot read any data

juandmi

I need to correct myself. No - No - Yes User 3 is able to perform restores with Microsoft.Storage/storageAccounts/*

juandmi

I'm correcting myself again. Data access with Key and SAS will work for user1 and user2. And I think Microsoft.RecoveryServices/ is not needed for user3: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-account-backup-contributor So: YES - YES - YES

chikorita

bro, take a break, have a coffee, then comment please, don't confuse others :(

saturation97

Definitely take a break but please....NO coffee.

Malikusmanrasheed

Checked in the portal. Microsoft.Storage/storageAccounts/read --> Returns the list of storage accounts or gets the properties for the specified storage account. Answer 1 = No. Microsoft.Storage/storageAccounts/* --> Everything. Answer 2 = Yes (user 2 can go crazy). Answer 3 - not sure. Probably not, because of missing Azure Backup permissions.

Jimmy500

Sorry, incorrect for the 2nd. It is tricky: as you see there is nothing in dataActions, so there is no way to read data from the STORAGE ACCOUNT. Final answer is no no no.

jorgesoma

Correct. NYN

Ga__ium

I assume that "dataactions" is not set, so data cannot be read.

orcnylmz

Agreed. I think No - No - No https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-reader

koreshio

Yup, without "dataActions" allowed, they should not be able to read blob data. The roles specify "actions" only, which are control-plane actions and not data-plane actions.

Jimmy500

Correct, all should have been no, no, no.

TheProfessor

I think answer is N N N. DataAction is blank. To read data, it should have permission: "dataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action" ],

DarkSide321

**Role1 Permissions**: - Can list keys, generate SAS, and read storage account properties. By using keys or SAS, **User1** can read data in storage1. Data Actions are not required. **Role2 Permissions**: - Wildcard permissions for storage accounts. So, **User2** can read data in storage1. **User3**: - Has both Role1 and Role2 permissions, but can't restore storage1 from Azure Backup. Thus: 1. User1: **Yes** 2. User2: **Yes** 3. User3: **No**.

xRiot007

Reading storage account property or listing keys is one thing and having access to the data itself is another thing.

bob_sez

Role1 has more than just read, it also has ListAccountSas/Action and ListKeys/Action, which allows read/write access to data within the storage account: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader-and-data-access Don't just get hung up on the read permission in that role.

xxavimr

The response is correct, surprisingly. Role 1 is a built-in role called "Reader and Data Access". https://www.azadvertizer.net/azrolesadvertizer/c12c1c16-33a1-487b-954d-41c89c60f349.html With the Microsoft.Storage/storageAccounts/ListAccountSas/action permission, you may get a SAS and do read/write operations. If you see this link, https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles and look for the "Reader and Data Access" role, you see its definition: "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys." The second box is also yes as it has an asterisk for storageAccounts. YES, YES, NO

wardy1983

Explanation: USER 1 = Microsoft.Storage/storageAccounts/read = Returns the list of storage accounts or gets the properties for the specified storage account. User 2 = wildcards (*), so YES. User 3 = not defined: Microsoft.Storage/storageAccounts/restoreBlobRanges/action

_fvt

I would tell Yes - Yes - No. The Reader action on the storage account doesn't give rights to read the data; it should also be like blobreader in the DataActions. So user1 and user2 cannot read data from the portal. However, both have access to the access keys, so they for sure can in the end do whatever they want on the data. User3 doesn't have Azure Backup permissions to access Azure Backup and restore.

_fvt

https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal#use-the-account-access-key

_fvt

Still Yes - Yes - No, but some correction from the link above to my first comment: => user1 and user2 CAN read data from the PORTAL. The portal will use the ListKeys (POST) action and then use the key to access the data: "When you attempt to access blob data in the Azure portal, the portal first checks whether you have been assigned a role with Microsoft.Storage/storageAccounts/listkeys/action. If you have been assigned a role with this action, then the portal uses the account key for accessing blob data. If you have not been assigned a role with this action, then the portal attempts to access data using your Azure AD account."
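The control-plane versus data-plane distinction argued throughout this thread, plus the portal's listKeys fallback quoted in the comment above, can be checked mechanically against a role definition. The Python below is an added example; it is not code from ExamTopics or Microsoft. The role JSON is constructed from what commenters describe (the exam's own JSON is not on the page), the user-to-role assignments are assumed from the discussion, and the Azure Backup operation string is a representative placeholder. It implements the wildcard matching that Azure RBAC applies to operation strings (case-insensitive, `*` spanning slashes), subtracts NotActions/NotDataActions, and reports how the portal would reach blob data.

```python
"""Evaluate constructed Azure RBAC role definitions: control plane (Actions) vs data plane (DataActions)."""
import json
import re

# Constructed role definitions modelled on the thread's description of Role1 and Role2 (assumption).
ROLE1 = json.loads("""{
  "Name": "Role1",
  "Actions": ["Microsoft.Storage/storageAccounts/ListAccountSas/action",
              "Microsoft.Storage/storageAccounts/ListKeys/action",
              "Microsoft.Storage/storageAccounts/read"],
  "NotActions": [], "DataActions": [], "NotDataActions": []
}""")
ROLE2 = json.loads("""{
  "Name": "Role2",
  "Actions": ["Microsoft.Storage/storageAccounts/*"],
  "NotActions": [], "DataActions": [], "NotDataActions": []
}""")
# A contrasting constructed role that grants blob reads on the data plane only.
BLOB_READER = json.loads("""{
  "Name": "BlobReaderLike",
  "Actions": [], "NotActions": [],
  "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
  "NotDataActions": []
}""")

# Operation strings under test. The first three appear in the thread; the last is a
# representative Azure Backup (Microsoft.RecoveryServices) operation, assumed for illustration.
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
LISTKEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
RESTORE_BLOB_RANGES = "Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
BACKUP_RESTORE = "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/restore/action"


def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC operation matching: case-insensitive, '*' matches any characters, slashes included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def permits(role: dict, operation: str, plane: str) -> bool:
    """True if one role grants `operation` on the given plane ('control' or 'data')."""
    allow_key, deny_key = ("Actions", "NotActions") if plane == "control" else ("DataActions", "NotDataActions")
    allowed = any(matches(p, operation) for p in role.get(allow_key, []))
    denied = any(matches(p, operation) for p in role.get(deny_key, []))
    return allowed and not denied


def any_role_permits(roles: list, operation: str, plane: str) -> bool:
    """Role assignments are additive; a NotAction in one role never removes a grant from another."""
    return any(permits(r, operation, plane) for r in roles)


def portal_blob_read_path(roles: list):
    """How the portal reaches blob data, following the documented order: listKeys first, then Entra ID."""
    if any_role_permits(roles, LISTKEYS, "control"):
        return "account-key"  # portal calls listKeys and authorizes with the shared key
    if any_role_permits(roles, BLOB_READ, "data"):
        return "entra-id"  # direct data-plane authorization via DataActions
    return None  # no path: the blob view fails


def evaluate(roles: list) -> dict:
    """Summarize what a principal holding `roles` can do for the operations in this thread."""
    return {
        "blob_read_via_dataActions": any_role_permits(roles, BLOB_READ, "data"),
        "listKeys": any_role_permits(roles, LISTKEYS, "control"),
        "portal_blob_read_path": portal_blob_read_path(roles),
        "restoreBlobRanges": any_role_permits(roles, RESTORE_BLOB_RANGES, "control"),
        "azure_backup_restore": any_role_permits(roles, BACKUP_RESTORE, "control"),
    }


if __name__ == "__main__":
    # Assumed assignments from the discussion: User1 -> Role1, User2 -> Role2, User3 -> both.
    for user, roles in (("User1", [ROLE1]), ("User2", [ROLE2]), ("User3", [ROLE1, ROLE2])):
        print(user, json.dumps(evaluate(roles)))
```

Running it shows the two things the thread keeps circling: neither Role1 nor Role2 grants the blob read DataAction, yet both grant listKeys, so the portal falls back to the account key; and the `Microsoft.Storage/storageAccounts/*` wildcard covers every operation under that provider path (restoreBlobRanges included) but nothing under `Microsoft.RecoveryServices`.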

xRiot007

I really hate these questions. User1 can read data. What exactly is DATA? If we are talking about storage account properties, sure, he can read that. If we are talking about blobs and files, he can't.

RaphaelG

I'm going through the storage account documentation and there is an interesting piece of information "If a role includes Microsoft.Storage/storageAccounts/listKeys/action, then a user to whom that role is assigned can access data in the storage account [...]". Therefore, to me, it actually is: 1. Yes (explicit) 2. Yes (via Microsoft.Storage/storageAccounts/*) 3. No (no backup permissions)

xRiot007

I saw that phrasing too and it's confusing the F out of me. Microsoft should define their roles better because this thing literally looks like a hack.

az2022

No, Yes, No

kevgen33091

Y-Y-N The answer is correct. The description of role 2 is 'Storage Account Contributor' which cannot play backup restore action. Storage Account Contributor: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-account-contributor Storage Account Backup Contributor: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-account-backup-contributor

flafernan

The "Microsoft.Storage/storageAccounts/*/" attribute in a role assignment applies to Azure Storage and provides access to all containers and blobs within all storage accounts in the specified scope. However, it does not provide access to, for example, Azure Backup and does not automatically grant the ability to restore backups from Azure Backup. To grant permissions to restore backups from Azure Backup, you must meet the correct role in the specific scope. Be careful not to get confused.

TheProfessor

Why can't User 3 restore a backup even having the permission Microsoft.Storage/storageAccounts/*? This is the permission of the built-in "storage-account-backup-contributor" role. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-account-backup-contributor

hfk2020

If you need to read data, then it should be in dataActions, since that is the data plane; hence the first 2 are NO.

Ario

No - Yes - NO