BenchMark Quizzes by MDFT Pro

Protect Business-Critical Data with Immutability

You work as a Data Protection Specialist for MDFT Pro, a well-known training agency that provides professional certification courses to students globally. Mark, the Compliance Officer, has mandated that all student examination records, course completion certificates, and assessment results must be stored in Azure Blob Storage with strict data retention controls.

Due to regulatory requirements for educational institutions, this business-critical data must not be modified or deleted for a user-specified interval to ensure data integrity for auditing purposes. The system must protect the data from overwrites and deletes while allowing trainers and administrators to read the data multiple times for reporting and verification purposes. You have been tasked with implementing a WORM (Write Once, Read Many) storage solution that meets these compliance requirements.

Which two actions should you perform to protect the data in the Azure Blob storage account?

Choose all correct answers from the options below.

Explanations for each answer:

Configure a time-based retention policy for the storage account is correct. A time-based retention policy maintains blob data in a WORM (Write Once, Read Many) state for a specified interval. During the retention period, blobs cannot be modified or deleted, satisfying the requirement to protect data for a user-specified interval and allowing multiple read operations.
Create a service shared-access signature (SAS) is incorrect. A service SAS provides delegated access to storage resources with specific permissions and time limits. However, SAS tokens control access authorization, not data immutability. A SAS with read-only permissions doesn't prevent someone with write access from modifying data.
Enable point-in-time restore for containers in the storage account is incorrect. Point-in-time restore allows you to restore blob data to an earlier state within a retention period. While useful for recovery from accidental deletion or corruption, it doesn't prevent data modification or deletion during the retention period itself.
Enable version-level immutability support for the storage account is correct. Version-level immutability support allows you to apply WORM policies to individual blob versions. This feature must be enabled at the storage account level and works with blob versioning to ensure that once data is written, it cannot be modified or deleted for the specified retention period.
Create an account shared-access signature (SAS) is incorrect. An account SAS provides delegated access across multiple storage services and resources. Like service SAS, it only manages access permissions and expiration times, not data immutability. It cannot prevent authorized users from modifying or deleting data.
Enable the blob change feed for the storage account is incorrect. The blob change feed provides ordered, transaction logs of all changes to blobs in your storage account. While valuable for auditing and tracking changes, it doesn't prevent data modification or deletion—it only records what changes occurred.

Learn more about Immutable Blob Storage:

Immutable Storage Overview

Practice Exam

Protect Business-Critical Data with Immutability

Discuss this question on social media: