- A
Store the storage account key in an environment variable on the VM
Why wrong: This still exposes a long-lived secret on the VM and gives access far broader than the single container.
- B
Create a service SAS with write permission on the storage account
Why wrong: A SAS is still a shared secret, and using the account scope is broader than the single container requirement.
- C
Assign Storage Blob Data Contributor to the VM's managed identity at the container scope
A managed identity avoids stored credentials, and the Storage Blob Data Contributor role grants blob read/write permissions without exposing account keys. Assigning it at the container scope keeps access limited to one container instead of the whole storage account. This is the least-privilege, Azure-native approach for an app that needs ongoing upload access.
- D
Assign Contributor on the storage account to the VM's system-assigned identity
Why wrong: Contributor is an Azure Resource Manager role, not a data-plane blob access role, so it does not grant the needed container upload permissions.
AZ-104 Implement and Manage Storage Practice Question
This AZ-104 practice question tests your understanding of implement and manage storage. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A Windows VM runs an application that uploads files to a blob container every hour. Security forbids storing storage account keys or long-lived SAS tokens on the VM. The application must be able to write only to that container and nothing else. What should the administrator configure?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Assign Storage Blob Data Contributor to the VM's managed identity at the container scope
Option C is correct because it uses Azure RBAC to grant the VM's managed identity the Storage Blob Data Contributor role at the container scope. This allows the application to write only to that specific container without requiring any storage account keys or SAS tokens on the VM, satisfying the security requirement. Managed identities provide an automatically managed service principal in Azure AD, enabling secure authentication to Azure services without storing credentials.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Store the storage account key in an environment variable on the VM
Why it's wrong here
This still exposes a long-lived secret on the VM and gives access far broader than the single container.
When this WOULD be correct
If the question had no security restriction against storing keys and required the simplest method to grant an application access to a storage account, storing the key in an environment variable would be a valid approach.
- ✗
Create a service SAS with write permission on the storage account
Why it's wrong here
A SAS is still a shared secret, and using the account scope is broader than the single container requirement.
When this WOULD be correct
If the requirement was to grant write access to all containers in a storage account for a limited time, and the VM could securely retrieve a short-lived SAS token from a vault or generate it at runtime, a service SAS with write permission at the account level would be appropriate.
- ✓
Assign Storage Blob Data Contributor to the VM's managed identity at the container scope
Why this is correct
A managed identity avoids stored credentials, and the Storage Blob Data Contributor role grants blob read/write permissions without exposing account keys. Assigning it at the container scope keeps access limited to one container instead of the whole storage account. This is the least-privilege, Azure-native approach for an app that needs ongoing upload access.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Assign Contributor on the storage account to the VM's system-assigned identity
Why it's wrong here
Contributor is an Azure Resource Manager role, not a data-plane blob access role, so it does not grant the needed container upload permissions.
When this WOULD be correct
If the question required the VM to have full management access to the storage account (e.g., to create/delete containers, manage firewall rules, or perform all data operations) and security constraints allowed broader permissions, then assigning Contributor at the storage account scope to the managed identity would be appropriate.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The AZ-104 exam frequently reuses these exact scenarios with slightly different constraints.
✓Assign Storage Blob Data Contributor to the VM's managed identity at the container scopeCorrect answer▾
Why this is correct
A managed identity avoids stored credentials, and the Storage Blob Data Contributor role grants blob read/write permissions without exposing account keys. Assigning it at the container scope keeps access limited to one container instead of the whole storage account. This is the least-privilege, Azure-native approach for an app that needs ongoing upload access.
✗Store the storage account key in an environment variable on the VMWrong answer — click to see why▾
Why this is wrong here
Storing the storage account key in an environment variable violates the security requirement that forbids storing keys on the VM. The key grants full access to the storage account, not just the container.
★ When this WOULD be the correct answer
If the question had no security restriction against storing keys and required the simplest method to grant an application access to a storage account, storing the key in an environment variable would be a valid approach.
Why candidates choose this
Candidates may think environment variables are a secure way to store secrets, or they may default to using keys because it's a familiar method without considering the security constraint.
✗Create a service SAS with write permission on the storage accountWrong answer — click to see why▾
Why this is wrong here
A service SAS with write permission on the storage account would grant write access to all containers within the account, violating the requirement to restrict writes to only that specific container. Additionally, long-lived SAS tokens are forbidden by security policy.
★ When this WOULD be the correct answer
If the requirement was to grant write access to all containers in a storage account for a limited time, and the VM could securely retrieve a short-lived SAS token from a vault or generate it at runtime, a service SAS with write permission at the account level would be appropriate.
Why candidates choose this
Candidates may think a SAS token provides fine-grained access without needing keys, but they overlook that a service SAS at the account level grants broader permissions than needed, and the security policy prohibits long-lived tokens.
✗Assign Contributor on the storage account to the VM's system-assigned identityWrong answer — click to see why▾
Why this is wrong here
Contributor role at the storage account scope grants full management access to the storage account, including the ability to read and write all containers and blobs, which violates the principle of least privilege and the requirement to restrict the application to write-only access to a single container.
★ When this WOULD be the correct answer
If the question required the VM to have full management access to the storage account (e.g., to create/delete containers, manage firewall rules, or perform all data operations) and security constraints allowed broader permissions, then assigning Contributor at the storage account scope to the managed identity would be appropriate.
Why candidates choose this
Candidates may confuse 'Contributor' with a data role, or think that assigning a role to the managed identity is the correct approach but overlook the scope and permission level, assuming Contributor provides sufficient write access without realizing it includes excessive permissions.
Analysis generated from the official AZ-104blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse the Contributor role (which grants management-plane access) with the Storage Blob Data Contributor role (which grants data-plane access), and fail to realize that scoping the role to the container level is necessary to restrict access to only that container.
Detailed technical explanation
How to think about this question
Under the hood, Azure RBAC for blob storage uses Azure AD authentication with OAuth 2.0 tokens. When a managed identity is assigned to a VM, Azure automatically rotates the identity's credentials and obtains tokens from Azure AD on behalf of the application. The Storage Blob Data Contributor role includes the 'Microsoft.Storage/storageAccounts/blobServices/containers/write' action, which when scoped to a container, restricts write operations to that container only. This approach also supports conditional access policies and audit logging via Azure AD, unlike SAS tokens.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
Quick reference
Access Control Model Comparison
| Model | Acronym | Who Controls Access? | Best For |
|---|---|---|---|
| Discretionary Access Control | DAC | Resource owner | Small teams, file shares |
| Mandatory Access Control | MAC | System / security labels | Classified govt / military |
| Role-Based Access Control | RBAC | Administrator (via roles) | Enterprise environments |
| Attribute-Based Access Control | ABAC | Policy engine (user + resource attributes) | Fine-grained, dynamic policies |
| Rule-Based Access Control | RuBAC | System rules / ACLs | Firewall rules, network ACLs |
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Implement and Manage Storage — study guide chapter
Learn the concepts, then practise the questions
- →
Implement and Manage Storage practice questions
Targeted practice on this topic area only
- →
All AZ-104 questions
1,170 questions across all exam domains
- →
AZ-104 study guide
Full concept coverage aligned to exam objectives
- →
AZ-104 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related AZ-104 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Manage Azure Identities and Governance practice questions
Practise AZ-104 questions linked to Manage Azure Identities and Governance.
Implement and Manage Storage practice questions
Practise AZ-104 questions linked to Implement and Manage Storage.
Deploy and Manage Azure Compute practice questions
Practise AZ-104 questions linked to Deploy and Manage Azure Compute.
Implement and Manage Virtual Networking practice questions
Practise AZ-104 questions linked to Implement and Manage Virtual Networking.
Monitor and Maintain Azure Resources practice questions
Practise AZ-104 questions linked to Monitor and Maintain Azure Resources.
AZ-104 Azure RBAC practice questions
Practise AZ-104 questions linked to AZ-104 Azure RBAC.
AZ-104 storage account practice questions
Practise AZ-104 questions linked to AZ-104 storage account.
AZ-104 virtual network practice questions
Practise AZ-104 questions linked to AZ-104 virtual network.
AZ-104 NSG practice questions
Practise AZ-104 questions linked to AZ-104 NSG.
AZ-104 Azure Monitor practice questions
Practise AZ-104 questions linked to AZ-104 Azure Monitor.
AZ-104 backup practice questions
Practise AZ-104 questions linked to AZ-104 backup.
AZ-104 managed identity practice questions
Practise AZ-104 questions linked to AZ-104 managed identity.
Practice this exam
Start a free AZ-104 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this AZ-104 question test?
Implement and Manage Storage — This question tests Implement and Manage Storage — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: Assign Storage Blob Data Contributor to the VM's managed identity at the container scope — Option C is correct because it uses Azure RBAC to grant the VM's managed identity the Storage Blob Data Contributor role at the container scope. This allows the application to write only to that specific container without requiring any storage account keys or SAS tokens on the VM, satisfying the security requirement. Managed identities provide an automatically managed service principal in Azure AD, enabling secure authentication to Azure services without storing credentials.
What should I do if I get this AZ-104 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Keep practising
More AZ-104 practice questions
- A storage automation service principal must upload, read, and delete blob data in one container by using Microsoft Entra…
- A subnet contains several application servers. You need to allow inbound TCP 3389 only from a management subnet named Su…
- A subscription admin wants to investigate who changed a resource and also review the platform-generated events for that…
- Based on the exhibit, which Azure feature should the administrator use to track this kind of platform-wide service issue…
- An administrator wants a script running on an Azure VM to create a resource in Azure without storing any passwords or cl…
- A PowerShell script runs on an Azure VM every night and uses Azure CLI commands to create tags and VM resources in anoth…
Last reviewed: Jun 11, 2026
This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.