Practice Test 1 | Microsoft Azure Security Technologies | AZ-500 | Dumps | Mock Test

A company currently has an Azure subscription in place. They have a storage account named whizlabstore2020 in the Azure subscription. They decide to provide access to the storage account with the use of Shared Access Signatures and Stored Access policies. They create several shared access signatures and provide access to the users to use the file and blob service via these signatures.

In a report, they find that some unauthorized users can access both the file and blob services.

They decided to revoke all access to the storage account and deploy a new stored access policy.

Would this resolve the underlying issue?

A. Yes
B. No

In this question, we must answer whether, by creating a new SAS with a new stored access policy, unauthorized users will no longer be able to access the Azure storage account.

Answer: A. Yes

Just revoking a SAS (shared access signature) will not revoke the SAS permission. The SAS token is generated with the account access key. However, if you generate a SAS with a SAP (stored access policy), then the SAS permission will be revoked. To create a SAS from a SAP, go to your blob container blade, select the access policy option, and then create a SAS with the SAP, as shown in the diagram below.

To understand SAS and SAP better, see the explanation given after the diagram.

Explanation:  

A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data. For example:

  • What resources the client may access.
  • What permissions they have to those resources.
  • How long the SAS is valid.

Types of shared access signatures

Azure Storage supports three types of shared access signatures:

  • User delegation SAS
  • Service SAS
  • Account SAS

User delegation SAS

A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.

For more information about the user delegation SAS, see Create a user delegation SAS (REST API).

Service SAS

A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

For more information about the service SAS, see Create a service SAS (REST API).

Account SAS

An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All the operations available via a service or user delegation SAS are also available via an account SAS.

SAP

Anyone with the correct SAS can access the file while the SAS is still valid. The only way you can revoke access to the storage is to regenerate the access keys. This regeneration requires you to update all apps that use the shared key so that they use the new one. There is another option: issue SASs that are associated with a stored access policy (SAP).

After you added SAS functionality to your app, it highlighted the inflexibility of creating a SAS for each image, with its own expiration and access controls. You want to update your app to use a stored access policy on the storage container. With the policy in place, you want to test that you can update the expiration and affect all the created SAS tokens.

access policy. Finally, you'll test that the SAS tokens can all be changed by updating the stored access policy in the Azure portal.

You can create a stored access policy on four kinds of storage resources:

  • Blob containers
  • File shares
  • Queues
  • Tables

The stored access policy you create for a blob container can be used for all the blobs contained in it and the container itself. The stored access policy is created with the following properties:

  • Identifier: The name you use to reference the stored access policy.
  • Start time: A DateTimeOffset value for the date and time when the policy might start to be used. This value can be null.
  • Expiry time: A DateTimeOffset value for the date and time when the policy expires. After this time, requests to the storage will fail with a 403 error-code message.
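The revocation behaviour described under SAP, as an added example that is not part of the original page and is not Microsoft's code. It is a simplified model: the string-to-sign, the `policies` dictionary and all sample values are assumptions made for illustration, and only the parameter names `sr`, `sp`, `se`, `si` and `sig` follow the real SAS query string.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

def _sign(key, tok):
    # Simplified string-to-sign (assumption): resource, perms, expiry, policy id.
    msg = "\n".join([tok["sr"], tok["sp"], tok["se"], tok["si"]]).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def make_sas(key, resource, perms="", expiry="", policy_id=""):
    # An ad hoc SAS carries sp/se itself; a policy-bound SAS carries only si.
    tok = {"sr": resource, "sp": perms, "se": expiry, "si": policy_id}
    tok["sig"] = _sign(key, tok)
    return tok

def authorize(tok, op, now, key, policies):
    # Service-side check, repeated on every request.
    if not hmac.compare_digest(_sign(key, tok), tok["sig"]):
        return False  # forged token, or the account key was regenerated
    perms, expiry = tok["sp"], tok["se"]
    if tok["si"]:
        policy = policies.get(tok["si"])  # looked up at request time
        if policy is None:
            return False  # policy deleted or renamed: token is revoked
        perms, expiry = policy["perms"], policy["expiry"]
    return bool(op) and op in perms and now < datetime.fromisoformat(expiry)

def demo():
    key = b"constructed-account-key"  # constructed sample value
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    expiry = (now + timedelta(days=30)).isoformat()
    policies = {"readers": {"perms": "r", "expiry": expiry}}
    adhoc = make_sas(key, "images", perms="r", expiry=expiry)
    bound = make_sas(key, "images", policy_id="readers")
    def check(k):
        return {"adhoc": authorize(adhoc, "r", now, k, policies),
                "bound": authorize(bound, "r", now, k, policies)}
    before = check(key)
    del policies["readers"]  # revoke by removing the stored access policy
    after_policy = check(key)
    after_rotation = check(b"regenerated-key")  # revoke by regenerating the key
    return before, after_policy, after_rotation

if __name__ == "__main__":
    for label, result in zip(("before", "policy deleted", "key regenerated"), demo()):
        print(label, result)
```

Deleting the policy invalidates only the tokens bound to it, while the ad hoc token keeps working until its own expiry or until the account key is regenerated, which invalidates every token signed with that key.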

For more information on stored access policies, see the following URL:

https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
