
Answer-first summary for fast verification
Answer: Storage Blob Data Reader for container1
The **Storage Blob Data Reader** role is the appropriate choice for granting read access to Azure Blob Storage containers. This role specifically allows users to read blob data and metadata without granting write or delete permissions.

When assigning this role at the **container1** level (Option B), it follows the principle of least privilege by:

- **Providing access only to container1** - Group1 can read blobs in container1 but has no access to container2 or other resources in the storage account
- **Limiting permissions to read-only** - No ability to modify, delete, or write data
- **Being container-scoped** - More granular than account-level assignments

**Why other options are less suitable:**

- **Option A (Storage Table Data Reader for myaccount1)**: Incorrect service type (Tables vs Blobs) and provides account-level access to all tables
- **Option C (Storage Blob Data Reader for myaccount1)**: Provides read access to ALL containers in the storage account, violating least privilege
- **Option D (Storage Table Data Reader for container1)**: Incorrect service type (Tables vs Blobs) and container scope doesn't apply to table services

Since the requirement is specifically for read access to container1 in Azure Data Lake Storage (which uses blob storage), Option B provides the most precise and minimal permissions required.
Author: LeetQuiz Editorial Team
You have an Azure subscription linked to a Microsoft Entra tenant. The tenant contains a security group named Group1. The subscription contains an Azure Data Lake Storage account named myaccount1, which has two containers named container1 and container2.
You need to grant Group1 read access to container1 while adhering to the principle of least privilege.
Which role should you assign to Group1?
A. Storage Table Data Reader for myaccount1
B. Storage Blob Data Reader for container1
C. Storage Blob Data Reader for myaccount1
D. Storage Table Data Reader for container1
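The four options above can be checked mechanically. This added example (not part of the original page) is a simplified model of Azure RBAC scope inheritance that works out which containers each option lets Group1 read; the subscription ID, the resource group name `rg1` and the role-to-service table are constructed assumptions, while the `roleDefinitionName` and `scope` fields mirror what `az role assignment list` returns.

```python
# Added example: evaluates the four answer options against RBAC scope inheritance.
# Subscription ID and resource group name are constructed placeholders.
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000"
           "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/myaccount1")

def container_id(name):
    """Resource ID of a blob container; this string is the role-assignment scope."""
    return f"{ACCOUNT}/blobServices/default/containers/{name}"

# Simplified table: the storage service each role's read data actions apply to.
ROLE_SERVICE = {"Storage Blob Data Reader": "blob",
                "Storage Table Data Reader": "table"}

def covers(scope, resource_id):
    """An assignment applies to its scope and to everything beneath that scope."""
    scope, resource_id = scope.rstrip("/").lower(), resource_id.lower()
    # The trailing "/" keeps container1 from matching a sibling such as container10.
    return resource_id == scope or resource_id.startswith(scope + "/")

def readable_containers(assignment, containers=("container1", "container2")):
    """Containers whose blobs the assignment lets the principal read."""
    if ROLE_SERVICE.get(assignment["roleDefinitionName"]) != "blob":
        return []  # a Table role grants no blob data actions at any scope
    return [c for c in containers if covers(assignment["scope"], container_id(c))]

def is_least_privilege(assignment, required=("container1",)):
    """True only when the assignment grants exactly the required read access."""
    return readable_containers(assignment) == list(required)

OPTIONS = {
    "A": {"roleDefinitionName": "Storage Table Data Reader", "scope": ACCOUNT},
    "B": {"roleDefinitionName": "Storage Blob Data Reader",
          "scope": container_id("container1")},
    "C": {"roleDefinitionName": "Storage Blob Data Reader", "scope": ACCOUNT},
    "D": {"roleDefinitionName": "Storage Table Data Reader",
          "scope": container_id("container1")},
}

if __name__ == "__main__":
    for letter, a in OPTIONS.items():
        print(letter, readable_containers(a), "least privilege:", is_least_privilege(a))
```

The same `covers` check can be run over exported role assignments to flag any Storage Blob Data Reader grant whose scope sits above the container it was meant for.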