An Azure Automation job running on a VM uses a managed identity to upload and overwrite JSON files in one container named configs. The job must not list, delete, or modify any other containers in the storage account. Which role assignment is the best choice?

Storage Blob Data Owner at the storage account scope

This would grant broader permissions than necessary and at a much wider scope than the single container.

Contributor at the resource group scope

Contributor is an ARM management role, not a blob data role, so it does not authorize uploads to the container data plane.

Storage Queue Data Contributor at the storage account scope

This role applies to queue storage, not blob containers, so it would not authorize JSON file uploads.

What does this AZ-104 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Storage Blob Data Contributor at the configs container scope — The correct pattern is data-plane RBAC on the managed identity, scoped as narrowly as possible. Storage Blob Data Contributor gives upload and overwrite capability without granting account keys or broader administrative control. By assigning it at the configs container scope, the job can operate only where needed and cannot access other containers. This is the cleanest least-privilege design for recurring file uploads from a VM-based automation task. Why others are wrong: Storage Blob Data Owner at the storage account scope is far too broad for a single-container task. Contributor is the wrong role family because it manages Azure resources rather than blob data. Storage Queue Data Contributor targets queues, not blobs. The question is really about pairing the correct data-plane role with the correct scope, and only one option does that properly.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.