What Is a Storage Account in Azure?
A storage account in Microsoft Azure is like a secure container that holds all your cloud-based data services. It provides a unique namespace for storing:
- Blobs (unstructured data like images, videos, backups)
- Files (shared file systems via SMB/NFS)
- Queues (message storage for communication between apps)
- Tables (NoSQL key-value data)
- Disks (used by virtual machines)
Each storage account is globally unique and can be accessed over HTTP/HTTPS. You can choose performance tiers (Standard or Premium) and redundancy options (LRS, ZRS, GRS, etc.) depending on your needs.
Controlling Storage Access in Azure
Azure offers multiple layers of access control to keep your data secure and accessible only to the right people or services:
1. Role-Based Access Control (RBAC)
- Assign roles to users, groups, or apps.
- Roles define what actions they can perform (e.g., read, write, delete).
- Common roles: Storage Blob Data Reader, Contributor, Owner.
2. Microsoft Entra ID (formerly Azure AD)
- Use identity-based access for secure authentication.
- Recommended over shared keys for better security and manageability.
3. Shared Access Signatures (SAS)
- Generate time-limited URLs with specific permissions.
- Useful for temporary access to blobs, files, or queues.
4. Access Control Lists (ACLs)
- Fine-grained permissions for files and directories.
- Especially useful with Azure Data Lake Storage.
5. Network Access Controls
- Restrict access based on IP ranges or virtual networks.
- You can allow or deny public access to containers.
6. Encryption & TLS
- Data is encrypted at rest and in transit.
- You can enforce minimum TLS versions for secure connections.
Access Control
You can control who gets in and what they can do using:
- Azure roles (RBAC) – assign permissions.
- Microsoft Entra ID – for identity-based access.
- SAS tokens – temporary secure links.
- Network rules – limit access by IP or VNet.
- Encryption – protects data at rest and in transit.
In this hands-on project, you will learn how to:
- Create and configure storage containers and file shares
- Upload files and manage access tiers
- Generate and test Shared Access Signature (SAS) tokens
- Rotate storage account keys to revoke access
Step 1: Create a storage container
- Login to Microsoft Azure at https://portal.azure.com
- From the Azure portal home page, in the search box, enter storage accounts.
- Select storage accounts under services.
- Select the storage account you created in the Prepare exercise. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.)
- On the storage account blade, under the Data storage submenu, select Containers.
- In the Name field, enter storage-container.
Upload a file to the storage container
- Once the file is ready for upload, select Upload.
With the file uploaded, notice that the Access tier is displayed. For something we uploaded just for testing, it doesn’t need to be assigned to the Hot access tier. In the next few steps, you’ll change the access tier for the file.
Change the access tier
- Select the file you just uploaded (the file name is a hyperlink).
- Select Cold.
- Select Home to return to the Azure portal home page.
Step 2: Create a file share
- From the Azure portal home page, in the search box, enter storage accounts.
- Select storage accounts under services.
- Select the storage account you created in the Prepare exercise. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.)
- On the storage account blade, under the Data storage submenu, select File shares.
- Select + File share.
- On the Basics tab, in the name field enter file-share.
- Select Review + create.
- Select Create.
- Once the file share is created, select Upload.
- Upload the same file you uploaded to the blob storage or a different file, it's up to you.
- Select Home to return to the Azure portal home page.
Step 3: Create a shared access signature token
- From the Azure portal home page, in the search box, enter storage accounts.
- Select storage accounts under services.
- Select the storage account you created in the Prepare exercise.
- On the storage account blade, select Storage browser.
- Expand Blob containers.
- Select the storage container you created earlier, storage-container.
- Select the ellipses (three dots) at the end of the line for the image you uploaded.
Note: When you generate a shared access signature, you set the duration. Once the duration is over, the link stops working. The Start time automatically populates with the current date and time.
- Set Signing method to Account key.
- Set Signing key to Key 1.
- Set Stored access policy to None.
- Set Permissions to Read.
- Enter a custom start and expiry time or leave the defaults.
- Set Allowed protocols to HTTPS only.
- Select Generate SAS token and URI.
- Copy the Blob SAS URL and paste it in another window or tab of your browser. It should display the image you uploaded. Keep this tab or window open.
- Select Home to return to the Azure portal home page.
Note: With the SAS token created, anyone with that link can access the file for the duration that was set when you created the SAS token. However, controlling access to a resource or file is about more than just granting access. It’s also about being able to revoke access. To revoke access with a SAS token, you need to invalidate the token. You invalidate the token by rotating the key that was used.
Step 4: Rotate access keys
- From the Azure portal home page, in the search box, enter storage accounts.
- Select storage accounts under services.
- Select the storage account you created in the Prepare exercise.
- Expand the Security + networking submenu.
- Select Access keys.
- For Key 1, select Rotate key.
- Read and then acknowledge the warning about regenerating the access key by selecting Yes.
- Once you see the success message for rotating the access key, go back to the window or tab you used to check the SAS token and refresh the page. You should receive an authentication failed error.
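As an added illustration (not part of the original walkthrough) of why rotating Key 1 in step 4 breaks the SAS link from step 3: a SAS is an HMAC-SHA256 signature over the token's own parameters, keyed with the account key, so the storage service can only verify it against the key it currently holds. The account name, blob name and key below are constructed stand-ins, and the string-to-sign layout is modelled on the documented service SAS format, which is an assumption rather than anything taken from the page.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample values (not a real account); a real key is the Base64 string shown under Access keys.
ACCOUNT = "guidedprojectsa"                       # assumed storage account name
CONTAINER = "storage-container"                   # container created in step 1
BLOB = "test-image.png"                           # assumed name of the uploaded file
KEY_1 = base64.b64encode(b"\x01" * 64).decode()   # constructed stand-in for Key 1

def new_account_key():
    """Models 'Rotate key': a fresh random 64-byte key, Base64-encoded as the portal displays it."""
    return base64.b64encode(secrets.token_bytes(64)).decode()

def string_to_sign(p, account, container, blob):
    # Field order modelled on the documented service SAS string-to-sign (version 2020-12-06); assumption.
    # Fields the portal left empty (stored access policy, IP range, snapshot, ...) stay blank.
    canonical = f"/blob/{account}/{container}/{blob}"
    return "\n".join([
        p["sp"], p["st"], p["se"], canonical,
        "", "",                      # signed identifier (Stored access policy = None), signed IP range
        p["spr"], p["sv"], p["sr"],
        "", "",                      # snapshot time, encryption scope
        "", "", "", "", "",          # response-header overrides (rscc, rscd, rsce, rscl, rsct)
    ])

def sign(account_key, s2s):
    """HMAC-SHA256 over the string-to-sign, keyed with the Base64-decoded account key."""
    mac = hmac.new(base64.b64decode(account_key), s2s.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def make_blob_sas(account_key, start, expiry, permissions="r"):
    """Builds the query parameters the portal emits for a Read, HTTPS-only blob SAS."""
    p = {"sp": permissions, "st": start, "se": expiry, "spr": "https", "sv": "2022-11-02", "sr": "b"}
    p["sig"] = sign(account_key, string_to_sign(p, ACCOUNT, CONTAINER, BLOB))
    return p

def service_accepts(sas, current_key, now):
    """What the service checks: request is inside the validity window and signed with the *current* key."""
    if not (sas["st"] <= now < sas["se"]):          # ISO-8601 UTC strings of equal format compare lexically
        return False
    expected = sign(current_key, string_to_sign(sas, ACCOUNT, CONTAINER, BLOB))
    return hmac.compare_digest(expected, sas["sig"])

sas = make_blob_sas(KEY_1, "2024-06-01T08:00:00Z", "2024-06-01T09:00:00Z")
print(service_accepts(sas, KEY_1, "2024-06-01T08:30:00Z"))               # True: the link works
print(service_accepts(sas, new_account_key(), "2024-06-01T08:30:00Z"))   # False: authentication failed
```

The second call is exactly what the refreshed browser tab sees after step 4: the token is unchanged and still inside its window, but no key on the account reproduces its signature, so it fails. Note that a SAS tied to a stored access policy could instead be revoked by deleting the policy, without touching the account keys.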
Conclusion
Controlling storage access in Microsoft Azure is essential for safeguarding your cloud data and ensuring only authorized users and services can interact with your resources. Through this hands-on project, you've explored how to configure containers and file shares, manage access tiers, generate secure Shared Access Signature (SAS) tokens, and rotate storage account keys to revoke access when needed.
Whether you're building scalable apps or migrating enterprise workloads, mastering storage access controls will help you build secure, resilient cloud solutions. Keep exploring Azure's powerful security features—and your data will thank you for it.