AZ-104 Question #742: Real Exam Question with Answer & Explanation
This question assesses understanding of Azure Files identity-based access configuration, specifically the interplay between on-premises Active Directory authentication, Azure AD user types, and default share-level permissions.
Question
Hotspot question. You have an Azure subscription linked to a hybrid Microsoft Entra tenant. The tenant contains the users shown in the following table. You create the Azure Files shares shown in the following table. You configure identity-based access for contoso2024 as shown in the following exhibit. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation
Approach. To answer correctly, one must select 'No' for User1, 'Yes' for User2's access to share2, and 'No' for User2's access to share3.
- Statement 1: User1 can access the content in share1. -> Select No.
  - Reasoning: The exhibit clearly shows that 'Active Directory' (on-premises AD DS) is the enabled identity source. The crucial note explicitly states that 'User accounts solely based in Azure AD are currently not supported' with this configuration. If User1 is a cloud-only Azure AD user (as inferred from the correct answer), they cannot authenticate via the on-premises AD method configured for the storage account. Therefore, User1 cannot access share1.
- Statement 2: User2 can access the content in share2. -> Select Yes.
  - Reasoning: Given that User2 can access share2 (as per the correct answer), User2 must be an on-premises Active Directory user (or a synced hybrid identity). With 'Active Directory' enabled as the identity source, User2 can successfully authenticate. The default share-level permission is set to 'Storage File Data SMB Share Contributor' for 'all authenticated users and groups'. Since User2 can authenticate and there is no indication of specific denying permissions on share2, User2 will be granted contributor access.
- Statement 3: User2 can access the content in share3. -> Select No.
  - Reasoning: User2 is an authenticated on-premises AD user, and the default share-level permission is 'Contributor'. However, the correct answer states User2 cannot access share3. This indicates that specific permissions (either more granular share-level permissions or underlying NTFS permissions on the files/folders within share3) have been configured to explicitly deny User2 or a group User2 belongs to. Even with a default 'Contributor' role, explicit denials or more restrictive permissions on a specific share will take precedence.
Common mistakes. These stem from misinterpreting the identity source configuration and the hierarchy of permissions:
- Assuming all Azure AD users can access: A common error is assuming that because a user is in a Microsoft Entra tenant, they can automatically access Azure Files when on-premises AD DS is the sole identity source. The explicit note in the exhibit ('User accounts solely based in Azure AD are currently not supported') clarifies this limitation.
- Ignoring explicit denials/overrides: For User2 on share3, assuming 'Yes' simply because User2 is an authenticated user and the default role is Contributor. This ignores that specific share-level or NTFS permissions can override defaults or grant more restrictive access, leading to a denial of access for a particular user or group on a specific share.
- Confusing different identity solutions: Not differentiating between on-premises AD DS, Azure AD DS, and Azure AD Kerberos, and how they apply to different user types (hybrid vs. cloud-only) or client types (domain-joined vs. Azure AD-joined).
Concept tested. The core concepts tested are Azure Files identity-based authentication mechanisms, specifically:
- On-premises Active Directory integration: Understanding that when on-premises AD DS is configured as the identity source for Azure Files, only users whose identities originate from or are synced with that on-premises AD can authenticate.
- Azure AD user types: Recognizing the distinction between hybrid users (synced from on-premises AD) and cloud-only Azure AD users, and their respective capabilities with different Azure Files authentication methods.
- Azure Files share-level permissions: Understanding how these permissions are applied, including default settings for authenticated users, and that they act as a high-level access gate, working in conjunction with underlying NTFS permissions. The concept that explicit permissions can override defaults is also tested.
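The three gates described above (identity source versus user type, the default share-level permission, and share-specific role assignments) can be audited from the Az PowerShell modules. The script below is an added example and is not part of the question page or of Microsoft's documentation; it assumes Az.Accounts, Az.Storage and Az.Resources are installed, Connect-AzAccount has been run, the resource names are placeholders, and that the Graph-backed Get-AzADUser output exposes an OnPremisesSyncEnabled property.

```powershell
# Added example (not from the question page): audit why a user can or cannot
# reach an Azure Files share when identity-based access is configured.
# Assumes Az.Accounts, Az.Storage and Az.Resources and a completed Connect-AzAccount.
# All resource names are placeholders.
param(
    [string]$ResourceGroup     = '<resource-group>',
    [string]$StorageAccount    = '<storage-account>',
    [string]$ShareName         = '<share-name>',
    [string]$UserPrincipalName = '<user@contoso.com>'
)

$sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$auth = $sa.AzureFilesIdentityBasedAuth

# Gate 1: which directory service authenticates SMB users (None, AD, AADDS, AADKERB).
$source = $auth.DirectoryServiceOptions
"Identity source        : $source"
"Default share access   : $($auth.DefaultSharePermission)"

# Gate 2: can this user type authenticate against that source?
# Assumption: the Graph-backed Get-AzADUser output exposes OnPremisesSyncEnabled.
$user   = Get-AzADUser -UserPrincipalName $UserPrincipalName
$synced = [bool]$user.OnPremisesSyncEnabled
"User synced from AD DS : $synced"
if ($source -eq 'AD' -and -not $synced) {
    "RESULT: cloud-only user cannot authenticate when the source is on-premises AD DS."
    return
}

# Gate 3: share-scoped role assignments are evaluated per share and, as the
# explanation states, take precedence over the account-wide default.
$scope = "$($sa.Id)/fileServices/default/fileshares/$ShareName"
$assignments = Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -like 'Storage File Data SMB Share*' }
if ($assignments) {
    "Share-level assignments visible at $ShareName (Scope shows where each was made):"
    $assignments | Format-Table DisplayName, ObjectType, RoleDefinitionName, Scope -AutoSize
} else {
    "No share-level assignments on $ShareName; default '$($auth.DefaultSharePermission)' applies."
}
"Note: NTFS ACLs on the share contents are evaluated after the share-level gate."
```

Get-AzRoleAssignment returns inherited assignments as well, so the Scope column distinguishes a share-specific assignment from one made at the storage account or resource group level.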
Reference. https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresql