Microsoft Azure Security Engineer Associate AZ-500 Practice Question
You manage an Azure Storage account that contains multiple blob containers. A managed identity named app-mi used by a web app must be able to upload and download blobs only from the container named images. The solution must use Azure AD authorization and must not expose any shared keys or SAS tokens. Which action should you perform?
Generate a user-delegation SAS for app-mi with read and write permissions on the images container.
Assign the built-in role Storage Blob Data Owner to app-mi, scoped to the storage account.
Assign the built-in role Storage Account Contributor to app-mi at the resource-group level.
Assign the built-in role Storage Blob Data Contributor to app-mi, scoped to the images container.
To use Azure AD-based access control, assign an Azure RBAC data role to the security principal. The Storage Blob Data Contributor role grants read, write, and delete permissions to blob data while providing no management-plane rights. By scoping the role assignment to the images container, the managed identity can access only that container and nowhere else, and no account keys or SAS tokens are required.
Storage Blob Data Owner at the storage-account scope would grant full data permissions to every container, including the ability to set POSIX ACLs, which is broader than required.
Storage Account Contributor allows management of the storage account resource but does not grant data-plane access to blobs.
A user-delegation SAS still produces a token that must be distributed, violating the requirement to avoid exposing SAS tokens.
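The check below is an added example, not part of the original question: it audits the role assignments of one principal against the container-scoped requirement described above, using input shaped like the JSON from `az role assignment list --all --assignee <object-id> -o json`. The subscription ID, resource group, storage account name and object IDs are constructed placeholders.

```python
import json

# Constructed placeholders: subscription, resource group, account and object IDs are not from the page.
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
           "/providers/Microsoft.Storage/storageAccounts/stdemo")
IMAGES = ACCOUNT + "/blobServices/default/containers/images"
APP_MI = "11111111-1111-1111-1111-111111111111"  # object ID of app-mi (constructed)

# Constructed sample in the shape of `az role assignment list --all -o json`.
SAMPLE = json.dumps([
    {"principalId": APP_MI, "roleDefinitionName": "Storage Blob Data Contributor", "scope": IMAGES},
    {"principalId": APP_MI, "roleDefinitionName": "Storage Blob Data Owner", "scope": ACCOUNT},
    {"principalId": APP_MI, "roleDefinitionName": "Storage Account Contributor",
     "scope": ACCOUNT.split("/providers/")[0]},  # resource-group scope
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Reader", "scope": ACCOUNT},
])

def audit(raw_json, principal_id, role, scope):
    """Return (requirement_met, findings) for one principal's role assignments."""
    want = scope.rstrip("/").lower()  # Azure resource IDs compare case-insensitively
    met, findings = False, []
    for a in json.loads(raw_json):
        if a["principalId"].lower() != principal_id.lower():
            continue  # assignment belongs to another principal
        have = a["scope"].rstrip("/").lower()
        if a["roleDefinitionName"] == role and have == want:
            met = True  # exactly the least-privilege assignment
        elif want.startswith(have + "/"):
            # An ancestor scope is inherited by every container below it.
            findings.append(("broader-scope", a["roleDefinitionName"], a["scope"]))
        else:
            findings.append(("unexpected", a["roleDefinitionName"], a["scope"]))
    return met, findings

if __name__ == "__main__":
    met, findings = audit(SAMPLE, APP_MI, "Storage Blob Data Contributor", IMAGES)
    print("required assignment present:", met)
    for kind, role_name, where in findings:
        print(f"{kind}: {role_name} at {where}")
```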