AZ-303 Exam - Question 108


You have an application named App1 that does not support Azure Active Directory (Azure AD) authentication.

You need to ensure that App1 can send messages to an Azure Service Bus queue. The solution must prevent App1 from listening to the queue.

What should you do?

Correct Answer: B

Because App1 does not support Azure Active Directory (Azure AD) authentication, it must authenticate to the Azure Service Bus queue with Shared Access Signatures (SAS). Adding a shared access policy to the queue lets you grant specific permissions, such as sending messages, without granting listen permissions. This meets the security requirement: App1 can send messages to the queue but cannot listen to it.
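As an added example (not part of the original page and not Microsoft SDK code), the sketch below shows how a client such as App1 builds a Service Bus SAS token from a Send-only policy key, alongside a simplified local model of the service-side check that rejects Listen. The namespace, queue, policy name and key are constructed placeholders, and the `authorize` function is an assumption used only to illustrate the rights check.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote_plus

# Constructed placeholders: namespace, queue, policy name and key are not real.
QUEUE_URI = "https://example-ns.servicebus.windows.net/queue1"
POLICIES = {"app1-send": {"key": "constructed-primary-key", "rights": {"Send"}}}


def _sign(key, resource_uri, expiry):
    # A SAS signature is HMAC-SHA256 over "<url-encoded resource URI>\n<expiry>".
    to_sign = f"{quote_plus(resource_uri)}\n{expiry}".encode()
    digest = hmac.new(key.encode(), to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def make_sas_token(resource_uri, policy_name, key, ttl_seconds=3600, now=None):
    """Client side: build the token from the policy name and key App1 was given."""
    expiry = int(now if now is not None else time.time()) + ttl_seconds
    sig = _sign(key, resource_uri, expiry)
    return ("SharedAccessSignature "
            f"sr={quote_plus(resource_uri)}&sig={quote_plus(sig)}"
            f"&se={expiry}&skn={policy_name}")


def authorize(token, resource_uri, operation, now=None):
    """Simplified service-side model: signature, expiry, then the policy's rights."""
    scheme, _, query = token.partition(" ")
    if scheme != "SharedAccessSignature":
        return False
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    policy = POLICIES.get(fields.get("skn", ""))
    if policy is None or fields.get("sr") != resource_uri:
        return False
    try:
        expiry = int(fields["se"])
    except (KeyError, ValueError):
        return False
    current = now if now is not None else time.time()
    expected = _sign(policy["key"], resource_uri, expiry)
    return (expiry > current
            and hmac.compare_digest(expected.encode(), fields.get("sig", "").encode())
            and operation in policy["rights"])
```

The token itself carries no rights: what App1 may do is decided by the policy named in `skn`, so a leaked Send-only key cannot be used to receive from the queue.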

Discussion

14 comments
ingoo
Sep 12, 2020

It looks right

us3r
Jul 10, 2021

it looks left

kocurbagienny
Jul 20, 2021

then it crosses the road

ghostblind
Aug 1, 2021

make sure everything is clear remember the policy

Viji30
Aug 28, 2021

I am in the middle

max_n
Sep 27, 2021

I'm in the top

Ramkid
May 14, 2021

In the link below, it is clear that there are only two ways of authorisation to Azure Service Bus: Active Directory or SAS. When Active Directory is not supported by the App service in the given situation, the only other way is SAS. https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-authentication-and-authorization

syu31svc
Aug 28, 2021

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-authentication-and-authorization

Configure Access control (IAM) for the Service Bus - Since App1 does not support Azure AD, we cannot use managed identities. So, configuring access control is not required.

Modify the locks of the queue - Locks are used to prevent accidental deletion or modification of Azure resources.

Configure Access control (IAM) for the queue - Since App1 does not support Azure AD, we cannot use managed identities. So, configuring access control is not required.

B is the answer; shared access policy

orcruin
Nov 6, 2020

B, IAM is not supported by App1 according to the question description

Blimpy
Jan 13, 2021

Sorry, B is not correct... SAS is different from a shared access policy, which does not apply here. The answer is A (there is an RBAC role called Azure Service Bus Data Sender which can be assigned to an Application) - All the details are here: https://docs.microsoft.com/en-us/azure/service-bus-messaging/authenticate-application

Blimpy
Jan 19, 2021

Update: However, can't select A due to the scenario of not supporting Azure AD Auth. Answer B option needs to be written out correctly as SAS

gcpjay
Dec 11, 2020

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas

The rights conferred by the policy rule can be a combination of:

'Send' - Confers the right to send messages to the entity

'Listen' - Confers the right to listen (relay) or receive (queue, subscriptions) and all related message handling

'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities

Aghora
Jan 22, 2021

It would be D if AD is supported, not A (narrowest scope), but the correct answer in the given scenario is B

gssd4scoder
May 2, 2021

A shared policy that can only send messages

AAPaul
Jul 15, 2021

I had this question in the exam that I took on July 14th 2021

Simon_G
Feb 5, 2022

B. Add a shared access policy to the queue.

"Shared access authorization policies"

The rights provided by the policy rule can be a combination of:

Send – Gives the right to send messages to the entity

Listen – Gives the right to listen or receive to the entity

Manage – Gives the right to manage the topology of the namespace, including creation and deletion of entities

https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies

Simon_G
Feb 8, 2022

Sorry, wrong link above. Corrected link for Service Bus shared access authorization policy:

B. Add a shared access policy to the queue.

"Shared access authorization policies"

The rights conferred by the policy rule can be a combination of:

'Send' - Confers the right to send messages to the entity

'Listen' - Confers the right to receive (queue, subscriptions) and all related message handling

'Manage' - Confers the right to manage the topology of the namespace, including creating and deleting entities

https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies

moumugdha
Dec 26, 2020

Shared access will be the correct answer.

azurecert2021
Jan 6, 2021

For the given scenario the answer is correct, based on the following description. The preferred choice is Azure AD, which is not available as per the question.

Azure Service Bus supports authorizing access to a Service Bus namespace and its entities using Azure Active Directory (Azure AD). Authorizing users or applications using OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store the tokens in your code and risk potential security vulnerabilities. Microsoft recommends using Azure AD with your Azure Service Bus applications when possible.

quantumray
Dec 8, 2021

Question appeared on AZ-303 exam on 08/12/2021 - 49 questions, 4Q - Fabrikan case study