Microsoft Azure Architect Design (AZ-304) Practice Test

Which security solution should be recommended to allow finance department users access to Azure blobs for a limited time?

• A. access keys
• B. conditional access policies
• C. certificates
• D. shared access signatures (SAS)

The correct answer is: shared access signatures (SAS)

The most appropriate solution for allowing finance department users access to Azure blobs for a limited time is through the use of shared access signatures (SAS). Shared access signatures provide a way to grant restricted access to Azure storage resources without exposing account keys. When using SAS, you can specify an expiry time, allowing users to have access for a defined period. The flexibility of SAS is particularly beneficial in scenarios where temporary access is required. You can create a SAS token that grants permissions such as read, write, or delete, along with an expiry timestamp, ensuring that once the specified time elapses, access is automatically revoked. This enhances security by minimizing the risk of long-term access credentials being misused. In contrast, access keys give full control over the storage account and do not have expiration times, which makes them less suitable for temporary access scenarios. Conditional access policies are designed to enforce user requirements based on certain factors like user location or device state but do not specifically address temporary access to individual resources like blobs. Certificates can be used for authentication but are not suitable for managing time-limited access to storage resources. Thus, shared access signatures emerge as the optimal solution when temporary access is needed.