Implement and Manage Storage · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is to generate a user delegation SAS from Entra ID with only the required container permissions and a two-hour expiry. This is correct because a user delegation SAS is signed with Entra ID credentials instead of the storage account key, so the contractor never learns the key, and the SAS can be scoped to a single container with precise permissions and a hard expiration, ensuring access expires automatically without manual cleanup. On the AZ-104 exam, this scenario tests your understanding of shared access signatures and the principle of least privilege, often appearing as a trap where candidates mistakenly choose a service SAS or a stored access policy, which still rely on the account key. A common memory tip is to remember that “user delegation” means “user identity from Entra ID,” so if the question says “no key sharing,” think “user delegation SAS.”

AZ-104 Implement and Manage Storage Practice Question

This AZ-104 practice question tests your understanding of implement and manage storage. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A contractor needs to upload files to one blob container for the next two hours. The contractor must not learn the storage account key, and access should expire automatically without manual cleanup. What is the best way to grant access?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.


Correct answer & explanation

Generate a user delegation SAS from Entra ID with only the required container permissions and a two-hour expiry.

A user delegation SAS is the correct choice because it is secured with Entra ID credentials rather than the storage account key, ensuring the contractor never learns the key. The SAS can be scoped to exactly the required container permissions and a two-hour expiry, providing automatic, time-limited access without manual cleanup. This approach aligns with the principle of least privilege and eliminates the need to share or rotate storage account keys.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Share the storage account key and ask the contractor to stop using it after two hours.

    Why it's wrong here

    A storage account key is a long-lived secret that grants very broad access. It does not expire automatically after two hours, and manual cleanup is easy to miss. This approach is much less secure than a scoped temporary SAS.

  • Create an account SAS with broad permissions and send it to the contractor by email.

    Why it's wrong here

    An account SAS is still a shared secret and can be broader than necessary. It is better than a storage key, but it is not the most secure choice when Entra ID is available. It also does not give the least-privilege, identity-based control described in the scenario.

  • Generate a user delegation SAS from Entra ID with only the required container permissions and a two-hour expiry.

    Why this is correct

    A user delegation SAS is generated from Entra ID credentials, so the administrator does not expose the storage account key. It can be scoped to a single container, limited to upload permissions, and given a short expiration time. That combination satisfies least privilege and automatic expiration for temporary contractor access.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Assign the contractor the Storage Blob Data Contributor role at the storage account scope.

    Why it's wrong here

    RBAC is a valid authorization model, but it does not automatically expire after two hours. The administrator would need to remove the role assignment manually later. The scenario specifically asks for access that expires automatically, which makes a temporary SAS the better fit.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse an account SAS (which still uses the storage account key) with a user delegation SAS (which uses Entra ID). They choose Option B (the account SAS) because they think any SAS automatically avoids key exposure, but only the user delegation SAS truly prevents the contractor from learning the key.

Trap categories for this question

  • Scenario analysis trap

    An account SAS is still a shared secret and can be broader than necessary. It is better than a storage key, but it is not the most secure choice when Entra ID is available. It also does not give the least-privilege, identity-based control described in the scenario.

Detailed technical explanation

How to think about this question

A user delegation SAS is signed with a user delegation key obtained from Entra ID (formerly Azure AD) via the OAuth 2.0 token exchange, not the storage account key. This key is temporary and tied to the requesting user's identity, allowing fine-grained control over expiry down to the second. In contrast, an account SAS uses the storage account key for signing, which is a static secret that must be protected and rotated, making it unsuitable for scenarios where the key must remain confidential.
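
The difference between the SAS types is visible in the token's query parameters. As an added example (not part of the original page), this Python sketch audits a SAS URL against the scenario's constraints; the sample URLs, the account and container names, and the choice of create plus write (`cw`) as the "upload" permissions are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Signed-key fields that only a user delegation SAS carries.
UD_FIELDS = {"skoid", "sktid", "skt", "ske", "sks", "skv"}

def _ts(value):
    """Parse the ISO 8601 UTC timestamps used in SAS tokens."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sas_type(params):
    """Classify a SAS by the fields present in its query string."""
    if UD_FIELDS.issubset(params):
        return "user-delegation"
    if "ss" in params and "srt" in params:
        return "account"   # signed with the storage account key
    return "service"       # also signed with the storage account key

def audit_sas(url, issued_at, allowed_perms="cw", max_lifetime=timedelta(hours=2)):
    """Return a list of findings; an empty list means the token fits the scenario."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings, kind = [], sas_type(params)
    if kind != "user-delegation":
        findings.append(f"{kind} SAS is signed with the account key")
    if params.get("sr") != "c":
        findings.append("not scoped to a single container (sr != c)")
    extra = set(params.get("sp", "")) - set(allowed_perms)
    if extra:
        findings.append("excess permissions: " + "".join(sorted(extra)))
    if "se" not in params:
        findings.append("no expiry (se) on the token")
    elif _ts(params["se"]) - issued_at > max_lifetime:
        findings.append("expiry exceeds the allowed lifetime")
    return findings

# Constructed sample URLs; account, container, GUIDs and signatures are placeholders.
BASE = "https://examplestorage.blob.core.windows.net/uploads?"
ISSUED = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)
GOOD = BASE + ("sv=2022-11-02&sr=c&sp=cw&se=2026-01-01T11:00:00Z"
               "&skoid=00000000-0000-0000-0000-000000000001"
               "&sktid=00000000-0000-0000-0000-000000000002"
               "&skt=2026-01-01T09:00:00Z&ske=2026-01-01T11:00:00Z&sks=b&skv=2022-11-02"
               "&sig=PLACEHOLDER")
BAD = BASE + "sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2026-01-08T09:00:00Z&sig=PLACEHOLDER"
```

`audit_sas(GOOD, ISSUED)` returns no findings, while `BAD` (an account SAS with broad permissions and a week-long expiry) is flagged on every check.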

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.



About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Same concept, more angles

3 more ways this is tested on AZ-104

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A records team stores monthly regulatory exports in a blob container. The files are rarely opened, but auditors may request one specific file later the same day. The team wants the lowest storage cost possible while keeping a path to restore a single file on demand. Which approach should you use?

Difficulty: hard
  • A. Keep the blobs in the Hot tier and rely on lifecycle rules to delete them after 90 days.
  • B. Move the blobs to the Archive tier and use high-priority rehydration when a file is requested.
  • C. Move the blobs to the Cool tier because it is offline until accessed.
  • D. Use the Cold tier because it requires a rehydration job before the blob becomes readable.

Why B: The Archive tier offers the lowest storage cost for rarely accessed data, and high-priority rehydration allows a single file to be restored within approximately one hour, meeting the auditor's same-day request requirement. This approach minimizes cost while retaining the ability to retrieve a specific file on demand.

Variation 2. A partner must upload files to one blob container for 12 hours. You do not want to share the storage account key. Which two temporary access methods can be used? Select two.

Difficulty: easy
  • A. Service SAS, because it grants scoped access to a container or blob for a limited time.
  • B. User delegation SAS, because it is issued with Microsoft Entra ID and supports limited-time access.
  • C. Storage account shared key, because it can be time-limited when copied into an email.
  • D. Anonymous access, because it can be enabled for the container and expires automatically after 12 hours.
  • E. Resource lock, because it can restrict the partner to one container without requiring any token.

Why A: Option A is correct because a Service SAS (Shared Access Signature) allows you to delegate limited-time, scoped access to a specific container or blob without exposing the storage account key. It can be configured with a start time, expiry time, and permissions (e.g., write, read), making it ideal for a 12-hour upload window. This method ensures the partner can only access the designated container for the required duration.

Variation 3. A partner must upload files to one blob container for 12 hours. You do not want to share the storage account key, and the access should expire automatically. Which access method should you use?

Difficulty: easy
  • A. Role assignment in Azure RBAC
  • B. Shared access signature (SAS)
  • C. Private endpoint
  • D. Storage account lock

Why B: A shared access signature (SAS) is the correct choice because it provides time-limited, delegated access to a specific blob container without exposing the storage account key. You can set an expiry time of 12 hours, and the SAS token can be generated with only the permissions needed (e.g., write). Once the token expires, access is automatically revoked, meeting the requirement for automatic expiration.

Last reviewed: Jun 11, 2026
