You need to grant a user access to a specific blob container. What is the most secure approach to provide temporary access?

  1. Make the container public
  2. Grant reader access to the storage account
  3. Create a Shared Access Signature (SAS) ✓
  4. Grant storage account access key

Correct answer: Create a Shared Access Signature (SAS)

Option C is correct because a Shared Access Signature (SAS) token provides delegated, time-limited access to a specific resource such as a blob container with exactly the permissions needed, following the principle of least privilege and allowing the access to expire automatically. Option A is incorrect because making the container public removes all authentication controls and exposes data to anyone on the internet, which is the least secure approach. Option B is incorrect because granting reader access to the entire storage account grants broader access than necessary and does not limit exposure to a single container. Option D is incorrect because sharing the storage account access key grants full administrative control over all resources in the account and cannot be scoped or time-limited without rotating the key.

Topic: · azure storage, shared access signature, least privilege, az-104

Practice Microsoft Azure Administrator (AZ-104) Questions Free