
Microsoft AZ-104: Azure Blob Storage Access Control with Role Assignments and Conditions

Learn how to manage user access to Azure Blob Storage using role assignments with conditions. Understand the impact of Reader and Owner roles at subscription and storage account scopes.


Question

You have an Azure subscription named Sub1 that contains the blob containers shown in the following table.

Name    In storage account    Contains blob
cont1   storage1              blob1
cont2   storage2              blob2
cont3   storage3              blob3

Sub1 contains two users named User1 and User2. Both users are assigned the Reader role at the Sub1 scope.

You have a condition named Condition1 as shown in the following exhibit.

(
  (
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
  )
  OR
  (
    @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'cont1'
  )
)

You have a condition named Condition2 as shown in the following exhibit.

(
  (
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
  )
  OR
  (
    @Resource[Microsoft.Storage/storageAccounts/blobServices/blobs:path] StringLike '*2*'
  )
)

You assign roles to User1 and User2 as shown in the following table.

User    Role                        Scope       Role assignment condition
User1   Storage Blob Data Reader    sub1        Condition1
User2   Storage Blob Data Owner     storage1    Condition2

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

  • User1 can read blob2.
  • User1 can read blob3.
  • User2 can read blob1.

Answer

  • User1 can read blob2: No
  • User1 can read blob3: Yes
  • User2 can read blob1: No

Explanation

No, User1 cannot read blob2.
Explanation: User1 is assigned the Storage Blob Data Reader role at the subscription (Sub1) scope with Condition1. Condition1 allows read access only if the container name is ‘cont1’. Since blob2 is in cont2, User1 does not have read access to it.

Yes, User1 can read blob3.
Explanation: Although blob3 is not in cont1, User1 has the Reader role assigned at the subscription (Sub1) scope. This role grants read access to all resources in the subscription, including blob3, regardless of the condition.

No, User2 cannot read blob1.
Explanation: User2 is assigned the Storage Blob Data Owner role at the storage1 scope with Condition2. Condition2 allows write access only if the blob path contains ‘2’. Since blob1’s path does not contain ‘2’, User2 does not have read or write access to it, even though they have the Owner role. The condition restricts the Owner permissions.
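The two conditions follow the same shape: "NOT this action, OR the resource attribute matches". The following is an added example, not part of the original question or of Azure's own evaluator; it models that shape in Python using shortened attribute keys (containers:name, blobs:path) and glob matching for StringLike, which are assumptions of the model, and shows what Condition1 and Condition2 each decide for the blobs in the table.

```python
# Added example (not from the original page): a small model of how an Azure
# ABAC role-assignment condition of the form
#     (!(ActionMatches{<action>})) OR (@Resource[<attribute>] <op> <value>)
# is evaluated. Such a condition only constrains the guarded action; a request
# for any other action passes through untouched. Operators modelled:
# StringEquals and StringLike (glob-style, via fnmatch). Attribute keys are
# shortened and all request values are constructed for illustration.
import fnmatch
from dataclasses import dataclass, field

BLOBS_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOBS_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"


@dataclass(frozen=True)
class Condition:
    guarded_action: str   # the action inside ActionMatches{...}
    attribute: str        # e.g. "containers:name" or "blobs:path" (shortened keys)
    operator: str         # "StringEquals" or "StringLike"
    value: str            # literal value or glob pattern


@dataclass
class Request:
    action: str
    attributes: dict = field(default_factory=dict)  # resource attributes of the target


def evaluate(cond: Condition, req: Request) -> bool:
    """Return True when the condition permits the request."""
    # !(ActionMatches{...}): any other action is not constrained by this condition
    if req.action != cond.guarded_action:
        return True
    actual = req.attributes.get(cond.attribute)
    if actual is None:
        return False  # attribute absent, so the comparison cannot succeed
    if cond.operator == "StringEquals":
        return actual == cond.value
    if cond.operator == "StringLike":
        return fnmatch.fnmatchcase(actual, cond.value)
    raise ValueError(f"unsupported operator {cond.operator}")


# Condition1 and Condition2 from the question, expressed in the model above
CONDITION1 = Condition(BLOBS_READ, "containers:name", "StringEquals", "cont1")
CONDITION2 = Condition(BLOBS_WRITE, "blobs:path", "StringLike", "*2*")


def condition1_permits_read(container: str, blob: str) -> bool:
    """Does Condition1 (attached to User1's assignment) permit reading this blob?"""
    return evaluate(CONDITION1, Request(BLOBS_READ, {"containers:name": container, "blobs:path": blob}))


def condition2_permits_write(container: str, blob: str) -> bool:
    """Does Condition2 (attached to User2's assignment) permit writing this blob?"""
    return evaluate(CONDITION2, Request(BLOBS_WRITE, {"containers:name": container, "blobs:path": blob}))
```

The model covers only the conditioned data-plane assignments in the table; the unconditioned Reader role that the explanation relies on for blob3 is outside it.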

In summary, role assignments with conditions allow fine-grained access control to Azure Blob Storage. The scope of the role assignment and the specific conditions determine the effective permissions for each user.
