Microsoft Azure Architect Design (AZ-304) Practice Test

To provide specific Azure AD user accounts with read access to Cosmos DB databases, what should be included in the recommendation?

• A. Shared access signatures (SAS) and conditional access policies
• B. Certificates and Azure Key Vault
• C. A resource token and an Access control (IAM) role assignment
• D. Master keys and Azure Information Protection policies

The correct answer is: A resource token and an Access control (IAM) role assignment

The recommendation to include a resource token and an Access control (IAM) role assignment is rooted in the principles of Azure Cosmos DB's security and access management framework. Azure Cosmos DB utilizes access control mechanisms to ensure that only authorized users can perform specified actions on databases. A resource token is a type of credential that grants limited access permissions to specific resources within Cosmos DB. The use of resource tokens allows for fine-grained access control, enabling administrators to specify which operations (like read, write, or delete) a user can perform and on which specific data. This is particularly beneficial for granting read access without exposing broader control or administrative privileges. Additionally, Access control (IAM) role assignments in Azure provide a way to manage permissions at a broader level by assigning users to specific roles that have defined permissions within Azure resources. By using IAM role assignments, organizations can streamline the management of permissions across their resources and ensure that users only have access rights that align with their needs and organizational policies. Together, resource tokens and IAM role assignments form a cohesive strategy for managing user access to Azure Cosmos DB, providing a layer of security that is well-suited for handling specific permissions for Azure AD user accounts. This ensures that the principle of least privilege is upheld, minimizing the risk of