A Windows VM in VNet-App must access an Azure Files share over a private IP address. The storage account must not be reachable through its public endpoint, and the VM should resolve the file share name without custom host-file entries. Which three actions are required? Select three.

Enable a service endpoint for Microsoft.Storage on the subnet instead of a private endpoint.

A service endpoint keeps the public endpoint model and does not create a private IP address.

Grant the VM's managed identity the Storage File Data SMB Share Reader role to create the private path.

RBAC controls authorization, but it does not create private connectivity or DNS resolution.

What does this AZ-104 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Create a private endpoint for the file service in VNet-App. — A private endpoint is required because the VM must reach Azure Files over a private IP in the VNet. The private DNS zone for the file service must be created and linked so the normal storage FQDN resolves to that private address. Public network access also needs to be disabled to prevent fallback to the public endpoint. These three steps work together: connectivity, name resolution, and exposure control. Why others are wrong: A service endpoint does not provide a private IP, so it cannot satisfy the requirement. RBAC roles are still needed for authorization, but they do not create private networking or DNS behavior. The question is about private network reachability, not file permissions, so identity assignment is not the correct fix.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.