
Answer-first summary for fast verification
Answer: Storage Blob Data Contributor for fs1
## Detailed Explanation

To meet the specified requirements while adhering to the principle of least privilege, the **Storage Blob Data Contributor** role assigned specifically to container **fs1** is the optimal solution.

### Why Option D is Correct

**Storage Blob Data Contributor for fs1** provides exactly the required permissions:

- **Read access**: Allows viewing file contents and metadata
- **Write access**: Enables creating, modifying, and deleting files
- **List access**: Permits viewing the directory structure and file listings

This role assignment at the container level (fs1) ensures:

- **Targeted access**: DepartmentA can only access files within fs1
- **No cross-container access**: Since the role is scoped to fs1 only, DepartmentA cannot access fs2
- **Principle of least privilege**: Grants only the necessary permissions for the specific container, nothing more

### Analysis of Other Options

- **Option A (Contributor for fs1)**: This is an Azure Resource Manager (management plane) role, not a data plane role. It manages the container resource itself (delete, modify properties) but doesn't grant data access permissions for reading or writing files.
- **Option B (Storage Blob Data Owner for fs1)**: While this would work, it provides excessive permissions, including the ability to set POSIX access control lists and ownership. This violates the principle of least privilege by granting more authority than needed.
- **Option C (Storage Blob Data Contributor for storage1)**: This role at the storage account level would grant access to both the fs1 and fs2 containers, violating the requirement to prevent access to fs2.

### Key Considerations

- Azure RBAC roles can be scoped at different levels: subscription, resource group, storage account, or container
- For granular access control, assigning roles at the container level is essential when multiple containers require different access patterns
- The Storage Blob Data Contributor role specifically addresses data plane operations without granting unnecessary management plane permissions
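The following added example (not part of the original quiz page) models the two ideas the explanation relies on: scope inheritance (an assignment at the storage account applies to every container beneath it) and the split between management-plane `actions` and data-plane `dataActions`. It evaluates all four options against the requirements. The role definitions are a simplified excerpt of the built-in roles, and the subscription ID and resource group name are constructed placeholders.

```python
"""Model of Azure RBAC scope inheritance for blob data-plane access.

Added example, not part of the original quiz page. ROLES is a simplified
excerpt of the built-in role definitions (real definitions carry more
actions, notActions and conditions); SUBSCRIPTION and RESOURCE_GROUP are
constructed placeholders.
"""
from fnmatch import fnmatchcase

# Simplified built-in roles: control-plane "actions" vs data-plane "dataActions".
# Contributor has no dataActions at all, which is why option A grants no file access.
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "dataActions": [],
    },
    "Storage Blob Data Contributor": {
        "actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        ],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        ],
    },
    "Storage Blob Data Owner": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/*"],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
    },
}

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
RESOURCE_GROUP = "rg-placeholder"                       # constructed placeholder


def account_scope(account):
    """ARM resource ID of the storage account (scope used by option C)."""
    return (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}")


def container_scope(account, container):
    """ARM resource ID of one container (scope used by options A, B and D)."""
    return f"{account_scope(account)}/blobServices/default/containers/{container}"


def _matches(patterns, operation):
    # Role definitions use glob-style wildcards ("*" matches any suffix).
    return any(fnmatchcase(operation, p) for p in patterns)


def is_permitted(assignments, principal, target_scope, operation, plane="dataActions"):
    """True if an assignment for `principal` at `target_scope` or an ancestor scope
    grants `operation` in the requested plane ("actions" or "dataActions")."""
    for a in assignments:
        if a["principal"] != principal:
            continue
        # Scope inheritance: an assignment covers its own scope and everything below it.
        # The trailing "/" prevents the fs1 scope from matching a container named fs10.
        if target_scope == a["scope"] or target_scope.startswith(a["scope"] + "/"):
            if _matches(ROLES[a["role"]][plane], operation):
                return True
    return False


BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_MANAGE_OWNERSHIP = (
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action"
)


def evaluate_option(role, scope):
    """Return (reads fs1, reads fs2, can change ownership in fs1) for one assignment."""
    assignments = [{"principal": "DepartmentA", "role": role, "scope": scope}]
    fs1 = container_scope("storage1", "fs1")
    fs2 = container_scope("storage1", "fs2")
    return (
        is_permitted(assignments, "DepartmentA", fs1, BLOB_READ),
        is_permitted(assignments, "DepartmentA", fs2, BLOB_READ),
        is_permitted(assignments, "DepartmentA", fs1, BLOB_MANAGE_OWNERSHIP),
    )


OPTIONS = {
    "A": ("Contributor", container_scope("storage1", "fs1")),
    "B": ("Storage Blob Data Owner", container_scope("storage1", "fs1")),
    "C": ("Storage Blob Data Contributor", account_scope("storage1")),
    "D": ("Storage Blob Data Contributor", container_scope("storage1", "fs1")),
}


def least_privilege_options():
    """Options that read fs1, cannot read fs2, and carry no ownership rights."""
    return [key for key, (role, scope) in OPTIONS.items()
            if evaluate_option(role, scope) == (True, False, False)]


if __name__ == "__main__":
    for key, (role, scope) in OPTIONS.items():
        print(key, role, evaluate_option(role, scope))
    print("least privilege:", least_privilege_options())
```

Running it shows option A with no data access at all, option B reaching fs1 but also holding ownership rights, option C reaching both containers, and only option D satisfying all three constraints. The `container_scope` string is the same resource ID shape you pass as the scope when creating a container-level assignment, which is the practical step behind the answer.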
Author: LeetQuiz Editorial Team
You have a Microsoft Entra tenant containing an Azure Data Lake Storage Gen2 account named 'storage1'. The account has two containers: 'fs1' and 'fs2'. A Microsoft Entra group named 'DepartmentA' must be configured with the following requirements:
Which role should you assign to the 'DepartmentA' group?
A. Contributor for fs1
B. Storage Blob Data Owner for fs1
C. Storage Blob Data Contributor for storage1
D. Storage Blob Data Contributor for fs1