DEV Community

Oluwanifesimi

How to Control Storage Access in Microsoft Azure.

What Is a Storage Account in Azure?
A storage account in Microsoft Azure is like a secure container that holds all your cloud-based data services. It provides a unique namespace for storing:

  • Blobs (unstructured data like images, videos, backups)
  • Files (shared file systems via SMB/NFS)
  • Queues (message storage for communication between apps)
  • Tables (NoSQL key-value data)
  • Disks (used by virtual machines)

Each storage account name is globally unique, and the account can be accessed over HTTP/HTTPS. You can choose performance tiers (Standard or Premium) and redundancy options (LRS, ZRS, GRS, etc.) depending on your needs.

Controlling Storage Access in Azure
Azure offers multiple layers of access control to keep your data secure and accessible only to the right people or services:

1. Role-Based Access Control (RBAC)

  • Assign roles to users, groups, or apps.
  • Roles define what actions they can perform (e.g., read, write, delete).
  • Common roles: Storage Blob Data Reader, Contributor, Owner.

2. Microsoft Entra ID (formerly Azure AD)

  • Use identity-based access for secure authentication.
  • Recommended over shared keys for better security and manageability.

3. Shared Access Signatures (SAS)

  • Generate time-limited URLs with specific permissions.
  • Useful for temporary access to blobs, files, or queues.

4. Access Control Lists (ACLs)

  • Fine-grained permissions for files and directories.
  • Especially useful with Azure Data Lake Storage.

5. Network Access Controls

  • Restrict access based on IP ranges or virtual networks.
  • You can allow or deny public access to containers.

6. Encryption & TLS

  • Data is encrypted at rest and in transit.
  • You can enforce minimum TLS versions for secure connections.

Access Control
You can control who gets in and what they can do using:

  • Azure roles (RBAC) – assign permissions.
  • Microsoft Entra ID – for identity-based access.
  • SAS tokens – temporary secure links.
  • Network rules – limit access by IP or VNet.
  • Encryption – protects data at rest and in transit.

In this hands-on project, you will learn how to:

  • Create and configure storage containers and file shares
  • Upload files and manage access tiers
  • Generate and test Shared Access Signature (SAS) tokens
  • Rotate storage account keys to revoke access

Step 1: Create a storage container

  • Log in to Microsoft Azure at https://portal.azure.com
  • From the Azure portal home page, in the search box, enter storage accounts.
  • Select storage accounts under services.
  • Select the storage account you created in the Prepare exercise. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.)

  • On the storage account blade, under the Data storage submenu, select Containers.

  • Select + Add container.

  • In the Name field, enter storage-container.

  • Select Create.

Upload a file to the storage container

  • Select the storage container you just created.

  • Select Upload and upload the file you prepared.

  • Once the file is ready for upload, select Upload.

With the file uploaded, notice that the Access tier is displayed. For something we uploaded just for testing, it doesn’t need to be assigned to the Hot access tier. In the next few steps, you’ll change the access tier for the file.

Change the access tier

  • Select the file you just uploaded (the file name is a hyperlink).
  • Select Change tier.

  • Select Cold.

  • Select Save.

  • Select Home to return to the Azure portal home page.

Step 2: Create a file share

  • From the Azure portal home page, in the search box, enter storage accounts.
  • Select storage accounts under services.
  • Select the storage account you created in the Prepare exercise. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.)
  • On the storage account blade, under the Data storage submenu, select File shares.
  • Select + File share.
  • On the Basics tab, in the name field enter file-share.
  • On the Backup tab, uncheck Enable backup.

  • Select Review + create.

  • Select Create.

  • Once the file share is created, select Upload.

  • Upload the same file you uploaded to the blob storage, or a different file; it’s up to you.

  • Select Home to return to the Azure portal home page.

Step 3: Create a shared access signature token

  • From the Azure portal home page, in the search box, enter storage accounts.
  • Select storage accounts under services.
  • Select the storage account you created in the Prepare exercise.
  • On the storage account blade, select Storage browser.
  • Expand Blob containers.
  • Select the storage container you created earlier, storage-container.

  • Select the ellipsis (three dots) at the end of the line for the image you uploaded.

  • Select Generate SAS.

Note: When you generate a shared access signature, you set the duration. Once the duration is over, the link stops working. The Start field is automatically populated with the current date and time.

  • Set Signing method to Account key.
  • Set Signing key to Key 1.
  • Set Stored access policy to None.
  • Set Permissions to Read.
  • Enter a custom start and expiry time or leave the defaults.
  • Set Allowed protocols to HTTPS only.
  • Select Generate SAS token and URI.
  • Copy the Blob SAS URL and paste it in another window or tab of your browser. It should display the image you uploaded. Keep this tab or window open.

  • Select Home to return to the Azure portal home page.

Note: With the SAS token created, anyone with that link can access the file for the duration that was set when you created the SAS token. However, controlling access to a resource or file is about more than just granting access. It’s also about being able to revoke access. To revoke access with a SAS token, you need to invalidate the token. You invalidate the token by rotating the key that was used.

Step 4: Rotate access keys

  • From the Azure portal home page, in the search box, enter storage accounts.
  • Select storage accounts under services.
  • Select the storage account you created in the Prepare exercise.
  • Expand the Security + networking submenu.
  • Select Access keys.
  • For Key 1, select Rotate key.
  • Read and then acknowledge the warning about regenerating the access key by selecting Yes.

  • Once you see the success message for rotating the access key, go back to the window or tab you used to check the SAS token and refresh the page. You should receive an authentication failed error.
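
Why rotating the key revokes the link, as an added example that is not part of the original post: a SAS signed with an account key carries an HMAC-SHA256 signature, and the service recomputes it with the account's current keys on every request. The Python model below uses a simplified string-to-sign, constructed keys and a constructed resource path (all assumptions; it does not reproduce Azure's exact format).

```python
import base64, hashlib, hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

FMT = "%Y-%m-%dT%H:%M:%SZ"

def sign(key_b64, resource, sp, st, se, spr):
    # Simplified string-to-sign (assumption); the real one has more fields.
    msg = "\n".join([sp, st, se, resource, spr]).encode()
    mac = hmac.new(base64.b64decode(key_b64), msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def generate_sas(key_b64, resource, sp, st, se, spr="https"):
    fields = {"sp": sp, "st": st, "se": se, "spr": spr}
    fields["sig"] = sign(key_b64, resource, sp, st, se, spr)
    return urlencode(fields)

def validate_sas(current_keys, resource, token, now, scheme="https", op="r"):
    """Model of the service-side check: recompute the signature with the keys
    that exist now, then enforce the constraints that were signed."""
    q = {k: v[0] for k, v in parse_qs(token).items()}
    candidates = (sign(k, resource, q["sp"], q["st"], q["se"], q["spr"])
                  for k in current_keys.values())
    if not any(hmac.compare_digest(q["sig"], c) for c in candidates):
        return "authentication failed"  # tampered, or signing key was rotated
    start, end = (datetime.strptime(q[f], FMT).replace(tzinfo=timezone.utc)
                  for f in ("st", "se"))
    if not start <= now <= end:
        return "outside validity window"
    if scheme not in q["spr"].split(","):
        return "protocol not allowed"
    if op not in q["sp"]:
        return "permission not granted"
    return "ok"

def new_key(label):
    # Constructed stand-in for a 512-bit account key
    return base64.b64encode(hashlib.sha512(label.encode()).digest()).decode()

def rotation_demo():
    res = "/blob/examplestorageacct/storage-container/photo.png"  # constructed
    keys = {"key1": new_key("key1-v1"), "key2": new_key("key2-v1")}
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    window = ("2025-01-01T00:00:00Z", "2025-01-02T00:00:00Z")
    t1 = generate_sas(keys["key1"], res, "r", *window)
    t2 = generate_sas(keys["key2"], res, "r", *window)
    before = validate_sas(keys, res, t1, now)
    keys["key1"] = new_key("key1-v2")  # "Rotate key" on Key 1
    return before, validate_sas(keys, res, t1, now), validate_sas(keys, res, t2, now)
```

The third result of `rotation_demo()` is the operational caveat: rotating Key 1 revokes only SAS tokens signed with Key 1, so a token signed with Key 2 stays valid until Key 2 is rotated or the token expires.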

Conclusion

Controlling storage access in Microsoft Azure is essential for safeguarding your cloud data and ensuring only authorized users and services can interact with your resources. Through this hands-on project, you've explored how to configure containers and file shares, manage access tiers, generate secure Shared Access Signature (SAS) tokens, and rotate storage account keys to revoke access when needed.

Whether you're building scalable apps or migrating enterprise workloads, mastering storage access controls will help you build secure, resilient cloud solutions. Keep exploring Azure's powerful security features—and your data will thank you for it.
