Domain 2 of 5 · Chapter 1 of 3

Storage Access

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Azure Administrator premium course — no separate purchase.

Included in this chapter:

  • Two gates: the network layer and the authorization layer
  • The authorization layer: keys, SAS, and stored access policies
  • Identity-based access for Azure Files (SMB)
  • Exam-pattern recognition

Choosing a data-access mechanism for Azure Storage

DimensionAccess key (Shared Key)SAS tokenMicrosoft Entra ID (RBAC)
CredentialAccount key1/key2 (512-bit)Signed token: Entra key (user delegation) or account key (service/account)Entra identity: user, group, or managed identity
Scope of accessFull access to all data in the accountSpecific resources, permissions, and time windowPer-resource Azure role assignment (least privilege)
Granularity / least privilegeNone: all or nothingFine-grained (per resource, permission, expiry, IP)Fine-grained via built-in/custom data roles
RevocationRegenerate the key (breaks all tokens it signed)Delete the stored access policy (service SAS) or rotate the signing key/credentialRemove the role assignment
Identity auditedNo: one shared secret, no per-user trailNo: SAS generation isn't auditedYes: actions tie to an Entra principal
Microsoft recommendationAvoid; disable Shared Key where possibleUse a user delegation SAS when a token is neededPreferred default for blob, queue, and table data

Decision tree

SMB Azure Files share?(keep Windows identities)YesIdentity-based authenticationAD DS / Entra Kerberos (SMB)NoCaller has an Entra identity?(user, group, managed identity)YesMicrosoft Entra ID (RBAC)preferred default; least privilegeNo (external)Need on-demand revocationwithout rotating keys?NoUser delegation SASEntra-signed; no account key exposedYesService SAS +stored access policyLast resort: access keys (key1/key2) — full access, no scopingrotate regularly; disallow Shared Key where possible

Cheat sheet

  • Network rules and authorization are two independent gates: both must pass
  • A new storage account allows all networks until you restrict it
  • A virtual network rule requires the Microsoft.Storage service endpoint on the subnet
  • Use IP rules for on-premises callers, virtual network rules for Azure subnets
  • A storage account allows up to 400 virtual network rules and 400 IP rules
  • Allow first-party Azure services through the firewall with the trusted-services exception
  • The three SAS types are distinguished by what signs them
  • Prefer a user delegation SAS: it never exposes the account key
  • An account SAS spans services; a service SAS reaches one
  • Always send a SAS over HTTPS with least privilege and short lifetime
  • Bind a service SAS to a stored access policy to revoke it without rotating keys
  • Stored access policies: five per container, and service-SAS only
  • Each account has two access keys that grant full, unscoped access
  • Rotate access keys one at a time so applications never lose access
  • Disallow Shared Key authorization to enforce Entra Conditional Access
  • Azure Files identity-based authentication works over SMB only
  • Enable exactly one Azure Files identity source per storage account
  • Azure Files SMB authorizes in two layers: share-level RBAC then file-level NTFS ACLs
  • Choose Microsoft Entra Kerberos for cloud-only identities or macOS clients
  • Management roles like Owner and Contributor grant no access to blob or file data
  • A private endpoint created without RBAC on the target shows Pending until the owner approves it
  • A private endpoint needs a privatelink private DNS zone linked to every VNet that resolves it
  • Each storage service needs its own private endpoint
  • AzFilesHybrid's Join-AzStorageAccount domain-joins the account as an AD DS computer object
  • A user delegation SAS can never outlive its 7-day user delegation key
  • Azure Files AD DS auth needs hybrid identities and a domain-joined client for ACLs

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. Azure Storage firewall rules
  2. Manage account access keys
  3. Grant limited access to data with shared access signatures (SAS)
  4. Overview - Azure Files identity-based authentication