Home › Azure AZ-500 › cloudcomputing › az500compstoragedb › Which Azure storage feature lets a security engi…
Which Azure storage feature lets a security engineer generate a TIME-LIMITED, scope-bound URL for one-off blob downloads — without sharing the storage account key?
AA user-delegation SAS (user-delegation Shared Access Signature) signed with Entra credentials
BPublic bucket policy with anonymous read
CAzure DNS
DSharing the storage account access key publicly
Answer & Solution
Correct answer: A. A user-delegation SAS (user-delegation Shared Access Signature) signed with Entra credentials
User-delegation SAS gives time-bound + Entra-signed URLs (per AZ-500 §3 storage SAS). The other options leak the master key or expose data.
Related questions
Which Azure Storage feature should a security engineer enable to require all reads/writes Which Azure VM security feature lets a security engineer require all data passing between Which Azure SQL feature lets a security engineer enable Microsoft Entra ID-based DB loginsWhich Azure SQL feature should a security engineer enable to obscure sensitive column valuWhich Azure SQL Database feature should a security engineer recommend to encrypt sensitiveWhich Azure SQL Database feature should a security engineer enable to encrypt data at restWhich Azure storage authentication option should a security engineer prefer over shared-keWhich Azure storage feature should a security engineer use to PROTECT BLOBS from accidenta