5.3.3. Compute, Storage, and Database Questions
Question 7
Your application securely shares files using account SAS. One SAS token is compromised.
How should you stop the compromised SAS token from being used?
- A. Disable public anonymous access
- B. Regenerate the storage account access keys
- C. Switch to managed identities
- D. Enable secure transfer required
Answer: B
Explanation: Regenerating storage account keys invalidates all SAS tokens created with those keys. Other options don't revoke existing SAS tokens.
Question 8
You need to provide public anonymous access to a file in Azure Storage following least privilege.
Which two actions should you perform?
- A. For the container, set Public access level to Blob
- B. For the container, set Public access level to Container
- C. For the storage account, set Blob public access to Enabled
- D. For the storage account, set Blob public access to Disabled
Answer: A and C
Explanation: Blob public access must be enabled at the storage account level. Setting container access to "Blob" allows anonymous read to individual blobs only—more restrictive than "Container" which allows listing.
Question 9
You enable Always Encrypted for an Azure SQL database.
Which scenario is supported?
- A. Copying data from one column to another
- B. Encrypting existing data
- C. Range queries on encrypted columns
- D. LIKE operations on encrypted columns
Answer: B
Explanation: Always Encrypted supports encrypting existing data. It does not support copying between columns, range queries, or LIKE operations on encrypted columns.
Question 10
You implement dynamic data masking. A user named User1 needs to see the actual data.
What should you do?
- A. Create a Conditional Access policy
- B. Grant the UNMASK permission to User1
- C. Use ALTER TABLE to edit the masking function
- D. Use ALTER TABLE to drop the masking function
Answer: B
Explanation: GRANT UNMASK to a specific user removes the mask for that user only. Altering or dropping the mask affects all users.