Storage Access
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Microsoft Azure Administrator premium course — no separate purchase.
Included in this chapter:
- Two gates: the network layer and the authorization layer
- The authorization layer: keys, SAS, and stored access policies
- Identity-based access for Azure Files (SMB)
- Exam-pattern recognition
Choosing a data-access mechanism for Azure Storage
| Dimension | Access key (Shared Key) | SAS token | Microsoft Entra ID (RBAC) |
|---|---|---|---|
| Credential | Account key1/key2 (512-bit) | Signed token: Entra key (user delegation) or account key (service/account) | Entra identity: user, group, or managed identity |
| Scope of access | Full access to all data in the account | Specific resources, permissions, and time window | Per-resource Azure role assignment (least privilege) |
| Granularity / least privilege | None: all or nothing | Fine-grained (per resource, permission, expiry, IP) | Fine-grained via built-in/custom data roles |
| Revocation | Regenerate the key (breaks all tokens it signed) | Delete the stored access policy (service SAS) or rotate the signing key/credential | Remove the role assignment |
| Identity audited | No: one shared secret, no per-user trail | No: SAS generation isn't audited | Yes: actions tie to an Entra principal |
| Microsoft recommendation | Avoid; disable Shared Key where possible | Use a user delegation SAS when a token is needed | Preferred default for blob, queue, and table data |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.