
  • Question with two answers possibly correct

     Irene-TutorialsDojo updated 7 months ago 2 Members · 2 Posts
  • samabc

    Member
    July 12, 2025 at 11:37 pm

    Question says:

    You have an Azure subscription that contains an Azure File Share named TDShare1 that contains sensitive data. You want to ensure that only authorized users can access this data for compliance requirements, and users must only have access to specific files and folders. You registered TDShare1 to use AD DS authentication and Microsoft Entra Connect sync for specific AD user access. You need to give your Active Directory users access to TDShare1. What should you do?

    Create a shared access signature (SAS) with a stored access policy.
    Enable anonymous access to the storage account.
    Restart Netlogon service on the AD DS domain controller.
    Configure role-based access control (RBAC).

    > Correct answer: Configure role-based access control (RBAC).

    > The option that says: Create a shared access signature (SAS) with a stored access policy is incorrect because while SAS tokens can provide limited access to a storage account, they are not a suitable authentication mechanism for controlling access to sensitive data.

    I don’t think the recommended answer is wrong. However, I think that it is possible for the SAS answer to also be right since it is delegated access. If a user has the share, they are essentially “authorized”.

    In the explanation for why SAS is not correct, it says they are not a suitable authentication mechanism. But the question does not require authenticated users, it requires authorized users.

    I believe the key distinction is that RBAC is identity-based. I believe if the question stated “You want to ensure that only users whose identity has been authenticated…” it would clarify the distinction between RBAC and SAS.

  • Irene-TutorialsDojo

    Administrator
    July 17, 2025 at 11:00 pm

    Dear samabc,

    Thank you for your feedback on the Azure File Share question. We understand your concern that the explanation for dismissing the Shared Access Signature (SAS) option was misleading, as it incorrectly referred to SAS as an authentication mechanism when the question focuses on authorization. You also noted that SAS could technically provide delegated access and suggested rephrasing the question to clarify the need for identity-based access.

    We agree that the explanation inaccurately described SAS and needed clarification. SAS is an authorization mechanism, but it’s unsuitable here because it doesn’t integrate with AD DS authentication, isn’t identity-based, and may not meet compliance requirements for sensitive data, as it allows access to anyone with the token.

    The correct answer, Configure role-based access control (RBAC), is appropriate because it enables share-level access for AD users, and when combined with NTFS permissions, ensures granular file/folder access aligned with AD DS authentication.

    To address your suggestion, we’ve updated the question to specify “only users whose identity has been authenticated via AD DS” to emphasize identity-based access control. We’ve also revised the explanation to correct the SAS dismissal and include NTFS permissions for clarity. These updates will be reflected on the portal soon.

    Thank you for helping us improve our content. If you have further questions, please reach out.

    Best regards,

    Irene @ Tutorials Dojo
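
The share-level RBAC assignment plus NTFS permissions described in the reply above, as an added PowerShell example that is not part of either post. The subscription, resource group, storage account, user, drive letter and folder are placeholders, and it assumes the Az module is signed in and TDShare1 is already mounted as Z: by an identity allowed to edit ACLs.

```powershell
# Added example. Values in <angle brackets> are placeholders, not taken from the thread.
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$storageAccount = "<storage-account>"
$shareName      = "TDShare1"                    # share named in the question
$userUpn        = "<user@synced-domain>"        # AD DS user synced by Microsoft Entra Connect
$folder         = "Z:\<folder>"                 # assumed mount point and folder

# 1. Share-level permission: an Azure RBAC role scoped to this one file share,
#    not to the whole storage account, so the grant stays as narrow as possible.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
         "/fileServices/default/fileshares/$shareName"

New-AzRoleAssignment -SignInName $userUpn `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $scope

# 2. File/folder permission: NTFS ACLs decide what the user can reach inside the share.
#    (OI)(CI) makes the entry inherit to files and subfolders; M is Modify.
icacls $folder /grant "${userUpn}:(OI)(CI)M"

# 3. Review both layers. A user needs the RBAC role AND a matching NTFS entry;
#    a SAS token, by contrast, is honoured for whoever presents it.
Get-AzRoleAssignment -Scope $scope |
    Select-Object SignInName, RoleDefinitionName, Scope
icacls $folder
```

Use "Storage File Data SMB Share Reader" instead when the user only needs read access; the share-level role is the ceiling that the NTFS entries then narrow.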
