The correct answer is that the user can list containers in a storage account within DataRG. This is because the custom RBAC role includes the action 'Microsoft.Storage/storageAccounts/blobServices/containers/read', which specifically grants permission to list Azure Storage containers at the control plane level. Since the role is assigned at the resource group scope, the user can list containers in any storage account belonging to that group, but cannot read, write, or delete blob data, nor delete containers themselves. On the DP-203 exam, this scenario tests your understanding of how custom RBAC actions map to specific Azure Storage operations and the importance of scope inheritance—a common trap is confusing control plane actions (like listing containers) with data plane actions (like reading blob content). Remember the memory tip: "Read containers, not blobs" to distinguish that the 'read' action on containers only enables listing, not accessing the data inside.
DP-203 Design and implement data security Practice Question
This DP-203 practice question tests your understanding of design and implement data security. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit.
{
  "RoleName": "CustomStorageReader",
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/DataRG"
  ]
}
A custom RBAC role is defined as shown. A user is assigned this role at the resource group scope. Which operation can the user perform?
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
List containers in a storage account within DataRG
The custom RBAC role includes the 'Microsoft.Storage/storageAccounts/blobServices/containers/read' action, which allows listing containers. Since the user is assigned this role at the resource group scope (DataRG), they can list containers in any storage account within that resource group. The role does not include any data plane actions (e.g., read/write/delete blob data) or container deletion permissions, so only the list operation is permitted.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
List containers in a storage account within DataRG
Why this is correct
The action permits reading container properties and listing containers.
Related concept
Read the scenario before looking for a memorised answer.
✗
Read blob data from containers
Why it's wrong here
Reading blob data requires 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse control plane container listing permissions with data plane blob read permissions, assuming that 'read' on containers implies access to blob content, whereas Azure RBAC strictly separates these scopes.
Detailed technical explanation
How to think about this question
Azure RBAC separates control plane (Azure Resource Manager) and data plane permissions. The 'Microsoft.Storage/storageAccounts/blobServices/containers/read' action is a control plane operation that lists containers via the Azure Storage REST API (List Containers), but it does not grant access to blob content. To read blob data, the role must include a data plane action such as 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read', which is typically assigned via built-in roles like 'Storage Blob Data Reader'. This distinction is critical for securing storage accounts in production environments.
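The evaluation described above can be traced with a small model of Azure RBAC's documented rule: effective permissions are Actions minus NotActions (and DataActions minus NotDataActions), applied to the assignment scope and everything beneath it. This is an added example, not part of the original question or any Azure SDK; the storage account name `datalake01` and the resource group `OtherRG` are hypothetical, and the model assumes a single role assignment with no deny assignments or conditions.

```python
import fnmatch

# Role definition from the exhibit; the empty DataActions/NotDataActions lists
# are made explicit here (the exhibit omits them, which means "none").
ROLE = {
    "RoleName": "CustomStorageReader",
    "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
}
# Scope of the role assignment (the resource group from the exhibit).
ASSIGNED_SCOPE = "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/DataRG"


def _matches(patterns, operation):
    # Action strings are compared case-insensitively and may contain '*' wildcards.
    return any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def in_scope(assigned_scope, resource_id):
    # An assignment applies to its scope and to every child resource beneath it.
    a, r = assigned_scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def is_allowed(role, assigned_scope, resource_id, operation, data_plane=False):
    """Effective permission = (Data)Actions minus Not(Data)Actions, within scope."""
    if not in_scope(assigned_scope, resource_id):
        return False
    allow = role.get("DataActions" if data_plane else "Actions", [])
    deny = role.get("NotDataActions" if data_plane else "NotActions", [])
    return _matches(allow, operation) and not _matches(deny, operation)


# Constructed resource IDs: 'datalake01' and 'OtherRG' are hypothetical names.
SUFFIX = "/providers/Microsoft.Storage/storageAccounts/datalake01"
ACCOUNT = ASSIGNED_SCOPE + SUFFIX
OUTSIDE = ASSIGNED_SCOPE.replace("DataRG", "OtherRG") + SUFFIX
P = "Microsoft.Storage/storageAccounts/blobServices/containers"

if __name__ == "__main__":
    checks = [
        ("list containers", ACCOUNT, P + "/read", False),
        ("read blob data", ACCOUNT, P + "/blobs/read", True),
        ("delete container", ACCOUNT, P + "/delete", False),
        ("list containers, other RG", OUTSIDE, P + "/read", False),
    ]
    for label, rid, op, dp in checks:
        print(f"{label:28} -> {is_allowed(ROLE, ASSIGNED_SCOPE, rid, op, dp)}")
```

Only the first check is permitted: blob reads are evaluated against the empty DataActions list, container deletion matches no entry in Actions, and the storage account in the other resource group falls outside the assignment scope.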
Key Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this DP-203 question in full detail.
Design and implement data security: This question tests Design and implement data security. Read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: List containers in a storage account within DataRG — The custom RBAC role includes the 'Microsoft.Storage/storageAccounts/blobServices/containers/read' action, which allows listing containers. Since the user is assigned this role at the resource group scope (DataRG), they can list containers in any storage account within that resource group. The role does not include any data plane actions (e.g., read/write/delete blob data) or container deletion permissions, so only the list operation is permitted.
What should I do if I get this DP-203 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This DP-203 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DP-203 exam.