Practice Test

True or False: A shared access signature (SAS) token is a string which denotes a specific service that is valid for a specific time.

  • True
  • False

Answer: True.

Explanation: A SAS token is indeed a specific string of characters granted by Azure to provide specific access to a service for a specified amount of time.

True or False: With a SAS, you have granular control over what the client can do with your Azure resource.

  • True
  • False

Answer: True.

Explanation: SAS does provide you with granular control. It gives you the opportunity to control what kind of permissions a client has to your resources.

Which of the following can a SAS token provide access to? (Select All That Apply)

  • a. Storage accounts.
  • b. Virtual networks.
  • c. Subscription certificates.
  • d. Virtual machines.

Answer: a, d.

Explanation: SAS tokens can give access to many types of Azure resources, but for the AZ-104 exam, storage accounts and virtual machines are a focus.

What does a Stored Access Policy provide control over?

  • a. Object-level permissions.
  • b. Service-level permissions.
  • c. Account-level permissions.
  • d. User-level permissions.

Answer: b. Service-level permissions.

Explanation: Stored Access Policies control service-level permissions. They are associated with the container in the storage account’s settings.

Which protocol is used with SAS tokens for secure data transfer?

  • a. SFTP.
  • b. FTPS.
  • c. SCP.
  • d. HTTPS.

Answer: d. HTTPS.

Explanation: The HTTPS protocol is used in Azure for secure data transfer using SAS tokens.

True or False: A SAS token gives a user account-level access to services.

  • True
  • False

Answer: False.

Explanation: A SAS token provides limited and temporary access to objects in the storage account, not account-level access.

In a SAS token, what does the signature contain?

  • a. The IP address of the requester.
  • b. An encrypted hash.
  • c. The expiration date of the token.
  • d. The permissions granted to the holder.

Answer: b. An encrypted hash.

Explanation: The signature of a SAS token contains a string-to-sign, which is an encrypted hash.

True or False: We can delegate access to Azure resources by using Shared Access Signature.

  • True
  • False

Answer: True.

Explanation: A Shared Access Signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a client with a SAS that allows the client to access resources in a storage account for a specified period of time and with a specified set of permissions.

What is required for the regeneration of a SAS token?

  • a. Active Directory credentials.
  • b. An Encryption Certificate.
  • c. A stored access policy.
  • d. Azure portal access.

Answer: c. A stored access policy.

Explanation: A Stored Access Policy is required for the regeneration of a SAS token. It gives you the flexibility to manage the SAS keys without sharing your account key.

True or False: SAS can be utilized to provide permission to clients to access just one or more specific blobs.

  • True
  • False

Answer: True.

Explanation: SAS can certainly be used to provide granular access control to clients, whether at the level of a blob or an entire storage account. This includes read, write, delete and list permissions.

Interview Questions

What is Azure Shared Access Signature (SAS)?

A Shared Access Signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a client with a SAS that allows the client to access a resource in Azure Storage without sharing your account key.

What are the two types of Shared Access Signatures in Azure?

The two types of Shared Access Signatures in Azure are Service-level SAS and Account-level SAS.

What does Service-level Shared Access Signature provide?

Service-level Shared Access Signature provides access to specific resources in a storage account with specified permissions and for a set time period.

Can the start and expiry time of a SAS token be modified after it is created?

No, once a SAS token is created, the start and expiry time cannot be changed.

Is the Azure Storage account key required for creating a Shared Access Signature?

Yes, the Azure Storage account key is required for creating a Shared Access Signature.

Can I use Shared Access Signature to delegate access to resources in my storage account to someone who does not have an Azure account?

Yes, a Shared Access Signature can be used to provide someone limited access to your Azure Storage account without providing them with your account keys.

What is the major difference between an Account-level SAS and a Service-level SAS?

The Account-level SAS provides access to all the resources in the storage account, unlike the Service-level SAS which only provides access to specific resources.

Can we use both IP and protocol restrictions while generating Shared Access Signature tokens in Azure?

Yes, when creating a Shared Access Signature token, you can specify IP restrictions and protocol restrictions such as allowing only HTTPS traffic.

Why should I regenerate my storage account keys if I believe a Shared Access Signature was leaked?

Regenerating your storage account keys invalidates any Shared Access Signature tokens that were previously associated with it, thereby preventing unauthorized access.

What purpose does the “Allowed services” option serve when creating a SAS token in Azure Portal?

The “Allowed services” option in the creation of a SAS token specifies which services may be accessed with this Shared Access Signature. These services could be Blob, File, Queue, and Table services.

Should a SAS token be included with every request that’s made to Azure Storage?

Yes, a SAS token must be included with every request that is made to Azure Storage.

Can you specify an IP range when creating a SAS?

Yes, it is possible to specify an IP range when creating a Shared Access Signature (SAS). It restricts the IP addresses that can use the SAS.

Can you control the allowed HTTP methods (GET, PUT, POST, DELETE, MERGE) with a SAS token?

Yes, a SAS token allows control over the allowed HTTP methods.

Is it recommended to include a start time while creating a SAS token?

It is generally recommended to avoid including a start time in a SAS token, unless specifically required, because slight clock differences between machines can lead to failures.

What happens when a SAS token is issued with delete permissions on a blob?

If a SAS token is issued with delete permissions on a blob, the client can perform a delete operation on the blob.
