
AZ-500 Question #78: Real Exam Question with Answer & Explanation

The correct answer is A: Yes.

Submitted by chen.hong · Mar 6, 2026 · Secure compute, storage, and databases

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Subscription named Sub1. You have an Azure Storage account named Sa1 in a resource group named RG1. Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access policies. You discover that unauthorized users accessed both the file service and the blob service. You need to revoke all access to Sa1.

Solution: You regenerate the access keys.

Does this meet the goal?

Options

  • A. Yes
  • B. No

Explanation

Regenerating the access keys for Sa1 immediately invalidates all existing Shared Access Signatures (SASs) and stored access policies that were derived from those keys, effectively revoking all unauthorized access to both the blob service and the file service simultaneously. Since SASs are cryptographically signed using the storage account keys, once the keys are regenerated, any SAS tokens signed with the old keys become permanently invalid. This is the most efficient and comprehensive method to revoke all access at once, covering both services mentioned in the scenario.

Why "No" (Option B) is wrong: There is no alternative solution presented here that would better meet the goal - regenerating access keys is precisely the recommended Microsoft approach for emergency revocation of all SAS-based access across an entire storage account.

Why this matters: Stored access policies can be individually revoked, but if you need to revoke all access quickly - especially when keys may be compromised - regenerating keys is the nuclear option that cuts off everything instantly.

🧠 Memory Tip: Think of the storage account key as the "master key" to a building - if someone copies it to make unauthorized copies (SASs), changing the master lock (regenerating the key) makes all copies useless immediately, regardless of how many were made.
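
The signature check behind this explanation, as an added example (not code from the original page or from Microsoft): a simplified Python model in which a SAS signature is an HMAC-SHA256 over a string-to-sign, computed with one of the account's two keys. `AccountModel`, the random keys, and the shortened string-to-sign are assumptions made for illustration; the real string-to-sign carries more fields.

```python
import base64
import hashlib
import hmac
import os


def new_key() -> str:
    """Constructed stand-in for an account key: 64 random bytes, base64-encoded."""
    return base64.b64encode(os.urandom(64)).decode()


def sign(key_b64: str, string_to_sign: str) -> str:
    """HMAC-SHA256 over the string-to-sign with the decoded key, base64-encoded."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


class AccountModel:
    """Hypothetical service-side model: holds two keys, stores no SAS tokens."""

    def __init__(self) -> None:
        self.keys = {"key1": new_key(), "key2": new_key()}

    def regenerate(self, name: str) -> None:
        self.keys[name] = new_key()

    def accepts(self, string_to_sign: str, sig: str) -> bool:
        # Validation recomputes the signature with each current key.
        return any(hmac.compare_digest(sign(k, string_to_sign), sig)
                   for k in self.keys.values())


def demo():
    sa1 = AccountModel()
    # Simplified, constructed strings-to-sign: permissions, start, expiry, resource.
    blob = "r\n2026-03-01T00:00:00Z\n2026-06-01T00:00:00Z\n/blob/sa1/container1"
    share = "rw\n2026-03-01T00:00:00Z\n2026-06-01T00:00:00Z\n/file/sa1/share1"
    tokens = [(blob, sign(sa1.keys["key1"], blob)),
              (share, sign(sa1.keys["key2"], share))]

    def check():
        return tuple(sa1.accepts(s, sig) for s, sig in tokens)

    before = check()
    sa1.regenerate("key1")
    after_key1 = check()   # the key2-signed token is still accepted
    sa1.regenerate("key2")
    after_both = check()
    return before, after_key1, after_both
```

In this model the token signed with the second key survives regeneration of the first, so both keys have to be regenerated before every key-signed SAS is rejected.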

Topics

#Azure Storage #Shared Access Signatures #Access Keys #Revocation
