AZ-500 Exam Questions

AZ-500 Exam - Question 119


HOTSPOT -

You have an Azure subscription that contains a resource group named RG1. RG1 contains a storage account named storage1.

You have two custom Azure roles named Role1 and Role2 that are scoped to RG1.

The permissions for Role1 are shown in the following JSON code.

The permissions for Role2 are shown in the following JSON code.

You assign the roles to the users shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Discussion

17 comments
damtrx
Sep 1, 2022

User 1 can't read the storage because Microsoft.Storage/storageAccounts/read will allow him just to LIST the storage accounts. User 2 HAS the option to do whatever he wants on the storage account, so he can read the data. User 3 can't access Azure Backup because the provider is not enabled in the access policy.

damtrx
Sep 1, 2022

Correction. User 3 has the option to do a restore: Microsoft.Storage/storageAccounts/restoreBlobRanges/action - Restore blob ranges to the state of the specified time.

juandmi
Jan 14, 2023

No - No - No, because User 2 has no dataActions defined, so he cannot read any data.

juandmi
Jan 14, 2023

I need to correct myself. No - No - Yes. User 3 is able to perform restores with Microsoft.Storage/storageAccounts/*.

juandmi
Jan 15, 2023

I'm correcting myself again. Data access with key and SAS will work for user1 and user2. And I think Microsoft.RecoveryServices/ is not needed for user3: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-account-backup-contributor So: YES - YES - YES

chikorita
Feb 16, 2023

Bro, take a break, have a coffee, then comment. Please don't confuse others :(

saturation97
Apr 12, 2023

Definitely take a break but please....NO coffee.

Malikusmanrasheed
May 26, 2023

Checked in the portal. Microsoft.Storage/storageAccounts/read --> Returns the list of storage accounts or gets the properties for the specified storage account. Answer 1 = No. Microsoft.Storage/storageAccounts/* --> Everything. Answer 2 = Yes (user 2 can go crazy). Answer 3 - not sure. Probably not, because of missing Azure Backup permissions.

Jimmy500
Jun 22, 2024

Sorry, incorrect for the 2nd. It is tricky: as you see, there is nothing in dataActions, so there is no way to read data from the STORAGE ACCOUNT. Final answer is no, no, no.

jorgesoma
Jun 19, 2024

Correct. NYN

Ga__ium
Sep 7, 2022

I assume that "dataActions" is not set, so data cannot be read.

orcnylmz
Oct 15, 2022

Agreed. I think No - No - No https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-reader

koreshio
Oct 16, 2022

Yup, without "dataActions" allowed, they should not be able to read blob data. The roles specify "actions" only, which are control-plane actions and not data-plane actions.

Jimmy500
Jun 22, 2024

Correct, all should have been no, no, no.

TheProfessor
Sep 23, 2023

I think the answer is N N N. dataActions is blank. To read data, it should have permission: "dataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action" ]

DarkSide321
Oct 21, 2023

**Role1 Permissions**: - Can list keys, generate SAS, and read storage account properties. By using keys or SAS, **User1** can read data in storage1. Data Actions are not required. **Role2 Permissions**: - Wildcard permissions for storage accounts. So, **User2** can read data in storage1. **User3**: - Has both Role1 and Role2 permissions, but can't restore storage1 from Azure Backup. Thus: 1. User1: **Yes** 2. User2: **Yes** 3. User3: **No**.

xRiot007
Jul 17, 2024

Reading storage account property or listing keys is one thing and having access to the data itself is another thing.

_fvt
Jul 27, 2023

I would say Yes - Yes - No. The Reader action on the storage account doesn't give rights to read the data; it should also be something like Blob Reader in the dataActions. So user1 and user2 cannot read data from the portal. However, both have access to the access keys, so they for sure can in the end do whatever they want on the data. User3 doesn't have Azure Backup permissions to access Azure Backup and restore.

_fvt
Aug 8, 2023

https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal#use-the-account-access-key

_fvt
Aug 8, 2023

Still Yes - Yes - No, But some correction from the link above to my first comment: => user1 and user2 CAN read data from the PORTAL. The portal will use the ListKey (POST) action and then use the key to access the data: "When you attempt to access blob data in the Azure portal, the portal first checks whether you have been assigned a role with Microsoft.Storage/storageAccounts/listkeys/action. If you have been assigned a role with this action, then the portal uses the account key for accessing blob data. If you have not been assigned a role with this action, then the portal attempts to access data using your Azure AD account."

wardy1983
Nov 15, 2023

Explanation: USER 1 = Microsoft.Storage/storageAccounts/read = Returns the list of storage accounts or gets the properties for the specified storage account. User 2 = wildcards (*), so YES. User 3 = not defined: Microsoft.Storage/storageAccounts/restoreBlobRanges/action.

xxavimr
Nov 20, 2023

The response is correct, surprisingly. Role 1 is a built-in role called "Reader and Data Access". https://www.azadvertizer.net/azrolesadvertizer/c12c1c16-33a1-487b-954d-41c89c60f349.html With the Microsoft.Storage/storageAccounts/ListAccountSas/action permission, you may get a SAS and do read/write operations. If you see this link, https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles, and look for the "Reader and Data Access" role, you see its definition: "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys." The second box is also yes, as it has an asterisk for storageAccounts. YES, YES, NO

bob_sez
Nov 24, 2023

Role1 has more than just read; it also has ListAccountSas/action and ListKeys/action, which allow read/write access to data within the storage account: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader-and-data-access Don't just get hung up on the read permission in that role.

Ario
Jul 4, 2023

No - Yes - NO

hfk2020
Sep 16, 2023

If you need to read data, then it should be in dataActions, since that is the data plane; hence the first 2 are NO.

TheProfessor
Nov 2, 2023

Why can User 3 not restore a backup even having the permission Microsoft.Storage/storageAccounts/*? This is the permission of the built-in "Storage Account Backup Contributor" role. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-account-backup-contributor

flafernan
Nov 6, 2023

The "Microsoft.Storage/storageAccounts/*/" attribute in a role assignment applies to Azure Storage and provides access to all containers and blobs within all storage accounts in the specified scope. However, it does not provide access to, for example, Azure Backup, and does not automatically grant the ability to restore backups from Azure Backup. To grant permissions to restore backups from Azure Backup, you must have the correct role at the specific scope. Be careful not to get confused.
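
The three points argued back and forth above (koreshio: actions are control plane, not data plane; _fvt: the portal falls back to listKeys and reads with the account key; flafernan: a Microsoft.Storage wildcard says nothing about Azure Backup) can be checked mechanically. The following is an added example written for this page, not code from the exam, from Microsoft, or from any commenter. The role dictionaries are constructed for the example: ROLE1 and ROLE2 are modelled on what commenters report the question's JSON contains (the JSON itself is not on this page), BLOB_DATA_READER mirrors the built-in Storage Blob Data Reader role, and the Recovery Services operation string is an illustrative assumption. The function names (matches, role_allows, any_role_allows, blob_read_path, summarize) are the example's own.

```python
"""
Toy evaluator for Azure RBAC role definitions.  Constructed example; it
mirrors the documented rules (wildcard matching, actions versus
dataActions, additive assignments) but is not Microsoft's evaluator.
"""
import re


def matches(pattern: str, operation: str) -> bool:
    """Azure wildcard semantics: '*' spans any characters, '/' included,
    and operation strings compare case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str, plane: str) -> bool:
    """plane is 'actions' (control plane) or 'dataActions' (data plane).
    NotActions / NotDataActions subtract only within the same role."""
    allow_key, deny_key = {"actions": ("actions", "notActions"),
                           "dataActions": ("dataActions", "notDataActions")}[plane]
    allowed = any(matches(p, operation) for p in role.get(allow_key, []))
    denied = any(matches(p, operation) for p in role.get(deny_key, []))
    return allowed and not denied


def any_role_allows(roles, operation: str, plane: str) -> bool:
    """Assignments are additive: a NotAction in one role never removes an
    Action granted by another role assigned to the same principal."""
    return any(role_allows(r, operation, plane) for r in roles)


BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
RESTORE_BLOB_RANGES = "Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
# Azure Backup lives under a different resource provider.  This operation
# string is illustrative (an assumption for the example, not from the page).
BACKUP_RESTORE = ("Microsoft.RecoveryServices/Vaults/backupFabrics/"
                  "protectionContainers/protectedItems/restore/action")

# Constructed role definitions, modelled on what the thread reports.
ROLE1 = {
    "actions": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
    ],
    "dataActions": [],
}
ROLE2 = {"actions": ["Microsoft.Storage/storageAccounts/*"], "dataActions": []}
BLOB_DATA_READER = {  # built-in role: the data-plane read lives in dataActions
    "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    ],
    "dataActions": [BLOB_READ],
}


def blob_read_path(roles, shared_key_enabled: bool = True) -> str:
    """How a principal holding `roles` can read blob data: 'entra-id' via
    dataActions, 'account-key' via listKeys while the account still allows
    Shared Key authorization (the portal's fallback), or 'none'."""
    if any_role_allows(roles, BLOB_READ, "dataActions"):
        return "entra-id"
    if shared_key_enabled and any_role_allows(roles, LIST_KEYS, "actions"):
        return "account-key"
    return "none"


def summarize(roles, shared_key_enabled: bool = True) -> dict:
    """The three kinds of statement the question asks about, for one principal."""
    return {
        "blob_read": blob_read_path(roles, shared_key_enabled),
        "restore_blob_ranges": any_role_allows(roles, RESTORE_BLOB_RANGES, "actions"),
        "azure_backup_restore": any_role_allows(roles, BACKUP_RESTORE, "actions"),
    }


if __name__ == "__main__":
    for name, roles in [("Role1 only", [ROLE1]),
                        ("Role2 only", [ROLE2]),
                        ("Role1 + Role2", [ROLE1, ROLE2]),
                        ("Storage Blob Data Reader", [BLOB_DATA_READER])]:
        print(name, summarize(roles))
    print("Role1 only, Shared Key disabled:", summarize([ROLE1], shared_key_enabled=False))
```

The shared_key_enabled flag is the caveat a practitioner should add to the thread's "listKeys means data access" reasoning: it holds only while Shared Key authorization is allowed on the account (the allowSharedKeyAccess property, visible with `az storage account show --query allowSharedKeyAccess`). With it disabled, a key obtained through listKeys authorizes nothing and only dataActions (or a user delegation SAS) reach the blobs. The toy also leaves out deny assignments and assignable-scope checks, which the real evaluator applies on top of what is modelled here.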

kevgen33091
May 21, 2024

Y-Y-N. The answer is correct. The description of Role 2 is 'Storage Account Contributor', which cannot perform the backup restore action. Storage Account Contributor: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-account-contributor Storage Account Backup Contributor: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-account-backup-contributor

az2022
May 23, 2024

No, Yes, No

RaphaelG
May 24, 2024

I'm going through the storage account documentation and there is an interesting piece of information "If a role includes Microsoft.Storage/storageAccounts/listKeys/action, then a user to whom that role is assigned can access data in the storage account [...]". Therefore, to me, it actually is: 1. Yes (explicit) 2. Yes (via Microsoft.Storage/storageAccounts/*) 3. No (no backup permissions)

xRiot007
Jul 17, 2024

I saw that phrasing too and it's confusing the F out of me. Microsoft should define their roles better because this thing literally looks like a hack.

xRiot007
Jul 17, 2024

I really hate these questions. User1 can read data. What exactly is DATA? If we are talking about storage account properties, sure, he can read that. If we are talking about blobs and files, he can't.