Microsoft Azure Security Engineer Associate AZ-500 Practice Question
Your company stores sensitive financial reports in a private Azure Blob Storage container. External auditors, who do not have Microsoft Entra ID accounts, need read-only access to a single report for the next two weeks. You must provide them with a URL that prevents container listing and automatically expires after the deadline. Which approach should you use?
Generate a service-level shared access signature scoped to the specific blob with Read permission and a two-week expiry.
Assign the auditors to the Storage Blob Data Reader role on the storage account and send them the blob URL.
Create an Azure AD user delegation SAS on the container with List and Read permissions.
Regenerate the storage account access keys immediately and again after two weeks.
A service-level shared access signature (service SAS) can be scoped to an individual blob, limited to the Read (r) permission, and configured with start and expiry times. Because it is signed with the storage account key, recipients do not need Microsoft Entra ID identities, and with only the Read permission they cannot list the container. Role-based access control requires Entra ID accounts and cannot be delivered simply as a URL. A user delegation SAS depends on Entra ID authentication and therefore will not work for external users without accounts. Rotating the storage account access keys would grant full rights to anyone holding the key and would require manual key distribution and later revocation, failing the requirement for scoped, time-bound, read-only access.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a service-level shared access signature (service SAS) in Azure Blob Storage?
Open an interactive chat with Bash
How does a service-level SAS differ from a user delegation SAS?
Open an interactive chat with Bash
Why is using the Storage Blob Data Reader role not suitable for external users without Microsoft Entra ID accounts?
Open an interactive chat with Bash
Microsoft Azure Security Engineer Associate AZ-500
Secure compute, storage, and databases
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .