Microsoft AZ-104: How to Set Warning for Shared Access Signature (SAS) Expiry Over 7 Days in Azure Storage?

Learn how to configure Azure Storage to display a warning message when users generate a shared access signature (SAS) token with an expiry period exceeding 7 days. Ensure SAS token security best practices in your Azure environment.

Question

You have an Azure subscription that contains a storage account named storage1. The storage account contains a blob that stores images.

Client access to storage1 is granted by using a shared access signature (SAS).

You need to ensure that users receive a warning message when they generate a SAS that exceeds a seven-day time period.

What should you do for storage1?

A. Enable a read-only lock.
B. Configure an alert rule.
C. Add a lifecycle management rule.
D. Set Allow recommended upper limit for shared access signature (SAS) expiry interval to Enabled.

Answer

D. Set Allow recommended upper limit for shared access signature (SAS) expiry interval to Enabled.

Explanation

To ensure that users receive a warning message when they generate a shared access signature (SAS) token with an expiry interval exceeding 7 days for the Azure storage account “storage1”, you should set the “Allow recommended upper limit for shared access signature (SAS) expiry interval” option to Enabled.

Here’s why this is the correct solution:

  1. The “Allow recommended upper limit for shared access signature (SAS) expiry interval” setting, when enabled, displays a warning message to users if they attempt to generate a SAS token with an expiry period longer than the recommended maximum duration.
  2. By default, Azure recommends a maximum SAS token expiry interval of 7 days to maintain security best practices. Enabling this setting aligns with the requirement of warning users when they exceed the 7-day period.
  3. Enabling a read-only lock (Option A) would prevent any modifications to the storage account, but it does not specifically address the SAS expiry warning requirement.
  4. Configuring an alert rule (Option B) allows you to receive notifications based on specific conditions, but it does not directly provide a warning to users generating SAS tokens.
  5. Adding a lifecycle management rule (Option C) is used to automatically transition blobs to different storage tiers or delete them based on age, but it is not related to SAS token expiry warnings.

Therefore, setting the “Allow recommended upper limit for shared access signature (SAS) expiry interval” to Enabled (Option D) is the most appropriate solution to ensure users receive a warning message when they generate a SAS token exceeding the recommended 7-day expiry period for the “storage1” storage account.
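The portal setting warns only at the moment a SAS is generated. As an added example (not part of the original question or any Microsoft tooling), the sketch below applies the same seven-day check to SAS URLs that already exist, by reading the `st` (start) and `se` (expiry) fields of the token. The function names, the container name `images`, and the sample URLs with placeholder signatures are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

LIMIT = timedelta(days=7)  # the seven-day period from the question

def parse_sas_time(value):
    """Parse the ISO 8601 UTC forms accepted in the st and se fields."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")

def sas_validity(sas, issued_at):
    """Return how long a SAS URL or bare token is valid, as a timedelta.

    st is optional; without it the SAS is valid from the moment it is used,
    so the generation time (issued_at) is taken as the start.
    """
    query = urlsplit(sas).query if "?" in sas else sas
    fields = parse_qs(query)
    if "se" not in fields:
        # Expiry lives in a stored access policy (si), not in the token.
        raise ValueError("no se field in SAS")
    start = parse_sas_time(fields["st"][0]) if "st" in fields else issued_at
    return parse_sas_time(fields["se"][0]) - start

def over_limit(sas_list, issued_at, limit=LIMIT):
    """Return (sas, validity) pairs whose validity exceeds the limit."""
    found = []
    for sas in sas_list:
        validity = sas_validity(sas, issued_at)
        if validity > limit:
            found.append((sas, validity))
    return found

# Constructed samples: placeholder signatures, hypothetical container "images".
BASE = "https://storage1.blob.core.windows.net/images/a.png?sv=2022-11-02&sr=b&sp=r&sig=PLACEHOLDER"
ISSUED_AT = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLES = [
    BASE + "&st=2024-05-01T00%3A00%3A00Z&se=2024-05-04T00%3A00%3A00Z",  # 3 days
    BASE + "&st=2024-05-01T00%3A00%3A00Z&se=2024-05-08T00%3A00%3A00Z",  # exactly 7
    "sv=2022-11-02&sr=b&sp=r&se=2024-05-31T00%3A00Z&sig=PLACEHOLDER",    # no st, 30 days
]

if __name__ == "__main__":
    for sas, validity in over_limit(SAMPLES, ISSUED_AT):
        print(f"exceeds {LIMIT.days} days ({validity}): {sas}")
```

A token valid for exactly seven days is not flagged, matching the question's wording of a SAS that "exceeds" the seven-day period.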
