You manage a collection of large video files that is stored in an Azure Storage account. A user
wants access to one of your video files within the next seven days. You need to allow the user
access only to the video file, and then revoke access once the user no longer needs it. What should
you do?

A.
Give the user the secondary key for the storage account.
Once the user is done with the file, regenerate the secondary key.

B.
Create an Ad-Hoc Shared Access Signature for the Blob resource.
Set the Shared Access Signature to expire in seven days.

C.
Create an access policy on the container.
Give the external user a Shared Access Signature for the blob by using the policy.
Once the user is done with the file, delete the policy.

D.
Create an access policy on the blob.
Give the external user access by using the policy.
Once the user is done with the file, delete the policy.

Explanation:
See the 3 below:
By default, only the owner of the storage account may access blobs, tables, and queues within that
account. If your service or application needs to make these resources available to other clients
without sharing your access key, you have the following options for permitting access:
1. You can set a container’s permissions to permit anonymous read access to the container and its
blobs. This is not allowed for tables or queues.
2. You can expose a resource via a shared access signature, which enables you to delegate
restricted access to a container, blob, table or queue resource by specifying the interval for which
the resources are available and the permissions that a client will have to it.
3. You can use a stored access policy to manage shared access signatures for a container or its
blobs, for a queue, or for a table. The stored access policy gives you an additional measure of
control over your shared access signatures and also provides a straightforward means to revoke
them.