BenchMark Quizzes by MDFT Pro

Assign Storage Blob Roles With Conditional Access Support

MDFT Pro, a well-known training agency, stores extensive educational content including course videos, training documents, and student project files in Azure Storage blob containers. Claire, the Data Access Administrator, needs to grant User1 access to specific blob data in storage account named storage1 while implementing conditional access policies for enhanced security.

Mark, the Storage Access Coordinator, must identify which roles support conditional access policies when assigning blob data permissions to ensure secure and controlled access to educational content.

The company requires fine-grained access control to ensure that users can only access educational content under specific conditions, such as from approved devices, during business hours, or from certain geographic locations. The role assignment must support Azure RBAC conditions to enforce these security policies while providing appropriate access to the educational materials stored as blob data.

The security team has mandated that all blob data access must support conditional access policies to comply with their data governance framework and protect sensitive educational intellectual property from unauthorized access.

Which two roles can Claire assign to User1 to meet both the blob data access and conditional access requirements?

Choose all correct answers from the options below.

Explanations for each answer:

Owner is incorrect. The Owner role provides full access to all resources and permissions but is too broad for blob-specific access. While it supports conditions, it's not designed specifically for blob data access and violates the principle of least privilege.
Storage Account Contributor is incorrect. Storage Account Contributor allows management of storage accounts but doesn't provide data plane access to blob contents. This role also doesn't support conditional access policies for blob data operations.
Storage Account Backup Contributor is incorrect. This role is specifically designed for backup operations and doesn't provide general blob data access. It's not appropriate for regular user access to blob data and doesn't support conditional access for standard blob operations.
Storage Blob Data Contributor is correct. Storage Blob Data Contributor provides read, write, and delete access to blob data while supporting Azure RBAC conditions. This role is perfect for users who need to manage blob data with conditional access policies.
Storage Blob Data Owner is correct. Storage Blob Data Owner provides full access to blob data including the ability to manage permissions and supports Azure RBAC conditions. This role offers comprehensive blob data access with conditional access support.
Storage Blob Delegator is incorrect. Storage Blob Delegator allows generating user delegation SAS keys but doesn't provide direct access to blob data. This role is used for SAS token creation rather than direct blob data access and doesn't meet the requirement.

Learn More About Storage Blob RBAC:

Azure Storage Blob Data Access

Exam Preparation Quiz

Assign Storage Blob Roles With Conditional Access Support