Question 12 - Microsoft Identity SC-300 Real Exam Questions [March 2026 Update]

Q: 12

You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains an Azure Cosmos DB database named DB1 and an Azure Kubernetes Service (AKS) cluster named AKS1. AKS1 uses a managed identity. You need to ensure that AKS1 can access DB1. The solution must meet the following requirements: • Ensure that AKS1 uses the managed identity to access DB1. • Follow the principle of least privilege. Which role should you assign to the managed identity of AKS1.

Options

Correct Answer:

Explanation

The primary requirement is to allow the AKS1 managed identity to access the data within the DB1 Cosmos DB account. This requires a data plane role. The "Azure Cosmos DB Data Reader Role" is the only option that explicitly grants permissions to read data. While the scope is the resource group (RG1), which is broader than the specific database (DB1), it is the only choice that fulfills the fundamental requirement of data access. The other roles are control plane roles, which manage the Azure resource itself but do not grant access to the data stored within it, or are excessively permissive.

Why Incorrect

B: The Owner role at the subscription scope is excessively permissive, granting full control over all resources in the subscription, which is a severe violation of the principle of least privilege.

C: The standard Reader role provides read-only access to the management (control) plane of resources. It allows viewing the Cosmos DB account's properties but not the data it contains.

D: The "Azure Cosmos DB Account Reader Role" is a control plane role. It allows reading account metadata, keys, and connection strings, but it does not grant permission to read the actual data.

References

1. Microsoft Learn: Configure role-based access control for your Azure Cosmos DB account. This document distinguishes between control plane and data plane operations. It clarifies that roles like "Cosmos DB Account Reader Role" are for control plane management

while data access requires specific data plane roles. The question's "Azure Cosmos DB Data Reader Role" maps conceptually to the built-in Cosmos DB Built-in Data Reader role for the data plane.

Section: "Control plane vs. data plane" and "Built-in role definitions".

2. Microsoft Learn: Azure built-in roles for Azure Cosmos DB. This document details the permissions for control plane roles. It shows that the Cosmos DB Account Reader Role has the Microsoft.DocumentDB/databaseAccounts//read permission

which allows reading account properties but not the data within containers.

Section: "Azure Cosmos DB" table

entry for "Cosmos DB Account Reader Role".

3. Microsoft Learn: Secure access to data in Azure Cosmos DB. This guide explains that to access data using Azure AD identities (like a managed identity)

you must configure Azure Cosmos DB's specific data plane RBAC

which is distinct from the Azure RBAC roles used for management.

Section: "Role-based access control".

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE