
Azure AZ-305 Drill: Secure Blob Storage Access - Conditional Access vs. SAS

Author: Jeff Taakey, 21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

Jeff's Architecture Insights
Go beyond static exam dumps. Jeff’s Insights is engineered to cultivate the mindset of a Production-Ready Architect. We move past ‘correct answers’ to dissect the strategic trade-offs and multi-cloud patterns required to balance reliability, security, and TCO in mission-critical environments.

While preparing for the AZ-305 Design Microsoft Azure Infrastructure Solutions exam, many candidates struggle with secure delegated access and time-bound permissions. In the enterprise world, this decision often hinges on balancing strong data governance, short-term access requirements, and user identity controls. Let’s drill into a simulated hybrid cloud storage security scenario.

The Scenario

Tailspin Manufacturing operates a hybrid cloud environment where critical financial data is stored in Azure Blob Storage containers. The finance department, consisting of 10 users, requires access to these blobs exclusively during the month of April for quarterly financial reporting. Outside this window, access must be locked down to ensure strict data governance compliance and prevent unauthorized data exposure. The organization mandates integration with Azure Active Directory (AAD) identities and prefers a solution minimizing ongoing administrative overhead while ensuring secure, auditable access.

Key Requirements

Design a secure, time-limited access solution for the finance team to use blob storage only during April, with strong governance and minimal operational complexity.

The Options

  • A) Shared Access Signature (SAS) tokens scoped to one month
  • B) Azure Conditional Access Policies targeting finance users
  • C) Client certificates distributed to finance machines
  • D) Storage account access keys manually shared with finance group

Correct Answer

A) Shared Access Signature (SAS) tokens scoped to one month.


The Architect’s Analysis

Correct Answer

Option A: Shared Access Signature (SAS)

Step-by-Step Winning Logic

A SAS token is a URI that grants restricted access rights to Azure Storage resources without exposing your account key. By generating SAS tokens whose start and expiry exactly bound April’s dates, Tailspin ensures that access expires automatically after the required period without manual intervention. Because the scenario mandates Azure AD identities, the appropriate variant is a user delegation SAS: it is signed with an Azure AD credential instead of the account key, its effective permissions are bounded by the signing identity’s Azure RBAC role assignments, and the requests it authorizes appear in storage audit logs for governance and compliance tracking. This aligns with the Microsoft Cloud Adoption Framework (CAF) pillars of Security (least-privilege access), Operational Excellence (reduced manual overhead), and Reliability (time-bound access shrinks the window of exposure).
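As an added example (not code from the article), the block below shows the shape of a container-scoped service SAS for Tailspin’s April window, signed with HMAC-SHA256 over the string-to-sign documented for API version 2020-12-06, together with the governance check a practitioner would run before handing tokens to the finance team; the account name, container and key are constructed placeholders. A user delegation SAS, the variant that satisfies the Azure AD requirement, adds the delegation-key fields (skoid, sktid, skt, ske, sks, skv) to the string-to-sign but relies on exactly the same st/se window logic shown here.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample values (not a real account or key); a real key is the base64 string from the portal.
ACCOUNT, CONTAINER = "tailspinfinance", "q1-reports"
SAMPLE_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()
SAS_VERSION = "2020-12-06"
ISO = "%Y-%m-%dT%H:%M:%SZ"

def april_window(year):
    """UTC start/expiry strings covering exactly April of the given year (expiry is exclusive)."""
    start = datetime(year, 4, 1, tzinfo=timezone.utc)
    expiry = datetime(year, 5, 1, tzinfo=timezone.utc)
    return start.strftime(ISO), expiry.strftime(ISO)

def service_sas(account_key, permissions, start, expiry):
    """Container-scoped service SAS query string: HMAC-SHA256 over the documented string-to-sign."""
    # Field order for a service SAS, API version 2020-12-06 and later: sp, st, se, canonicalized
    # resource, signed identifier, IP range, protocol, version, resource type, snapshot time,
    # encryption scope, then the five response-header overrides (all empty here).
    fields = [permissions, start, expiry, f"/blob/{ACCOUNT}/{CONTAINER}",
              "", "", "https", SAS_VERSION, "c", "", "", "", "", "", "", ""]
    digest = hmac.new(base64.b64decode(account_key), "\n".join(fields).encode("utf-8"),
                      hashlib.sha256).digest()
    return urlencode({"sv": SAS_VERSION, "sr": "c", "sp": permissions, "st": start, "se": expiry,
                      "spr": "https", "sig": base64.b64encode(digest).decode()})

def _params(sas_query):
    return {k: v[0] for k, v in parse_qs(sas_query).items()}

def check_sas_policy(sas_query, year, allowed="rl"):
    """Governance gate before a token is handed out: list every way it exceeds the April policy."""
    q, (start, expiry) = _params(sas_query), april_window(year)
    problems = []
    if "ss" in q or q.get("sr") != "c":          # "ss" marks an account SAS, far broader than needed
        problems.append("not scoped to a single container")
    if set(q.get("sp", "")) - set(allowed):      # finance only needs read + list for reporting
        problems.append(f"permissions '{q.get('sp')}' exceed '{allowed}'")
    if q.get("st") != start or q.get("se") != expiry:
        problems.append("validity window is not exactly April")
    if q.get("spr") != "https":
        problems.append("plain HTTP is allowed")
    return problems

def usable_at(sas_query, when_iso):
    """True only inside [st, se): this is the automatic expiry the scenario relies on."""
    q = _params(sas_query)
    return q["st"] <= when_iso < q["se"]         # fixed-width ISO strings compare chronologically
```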

The Traps (Distractor Analysis)

  • Why not B: Conditional Access Policy?
    Conditional Access controls user authentication and device compliance but does not natively provide fine-grained, temporary access control to storage blobs. It manages authentication but cannot limit access by arbitrary time windows within a month.

  • Why not C: Certificates?
    Managing client certificates at scale is operationally heavy and complex. Certificates do not inherently support time-bound access to a specific container, and distribution and revocation are cumbersome in large enterprises.

  • Why not D: Storage Access Keys?
    Access keys grant full control over the whole storage account and are long-lived; sharing them violates the principle of least privilege and the governance mandate. Keys cannot be scoped or time-constrained directly.

The Architect Blueprint

  • Mermaid Diagram illustrating SAS-based secure blob access flow:

    graph TD
        FinanceUser[Finance User - AAD] -->|Request SAS Token - valid for April| TokenService[SAS Token Generator]
        TokenService -->|Issue SAS Token| FinanceUser
        FinanceUser -->|Access Blob Storage via SAS| BlobStorage[Azure Blob Container]
        style TokenService fill:#0078D4,stroke:#333,color:#fff
        style BlobStorage fill:#5C2D91,stroke:#333,color:#fff

Diagram Note: Finance users authenticate with AAD, request a SAS token scoped for one month, then use the token for secure, temporary blob access.

The Decision Matrix

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) SAS Tokens | Low | Minimal (no extra cost) | Time-bound, scoped, secure, easy to automate | Requires secure token generation and distribution tooling |
| B) Conditional Access | Medium | Included with Azure AD P2 | Controls user login policies | Cannot restrict blob access by time frame directly |
| C) Client Certificates | High | Cost for cert management | Strong authentication | Operationally complex, no native time constraints |
| D) Storage Access Keys | Low | No cost | Simple to implement | Full key exposure, no granularity, violates governance |

Real-World Practitioner Insight

Exam Rule

“For the AZ-305 exam, always pick SAS tokens when asked about time-limited, delegated storage access.”

Real World

Enterprises use SAS tokens combined with Azure AD integration to enable secure, short-lived access to storage without compromising keys, aligning with governance and audit requirements. Conditional Access policies complement SAS by safeguarding initial user authentication.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: CertDevPro.com

CertDevPro.com is the flagship hub of Stonehenge Digital Education. We bridge the gap between passing exams and leading high-stakes enterprise projects. Curated by 21-year industry veteran Jeff Taakey, this platform provides strategic blueprints across AWS, Azure, and Google Cloud to solve core business and technical pain points for architects worldwide.


Disclaimer: This is a study note based on simulated scenarios for the GCP ACE exam. It is not an official question from Google Cloud.