In this section, we’ll work through a series of tasks focused on managing an Azure Storage Account and its key components.
Note: This builds on the project covered in my previous article.
Scenario
An Azure administrator wants you to deepen your understanding of storage accounts, containers, and file shares. As the need to share files continues to grow, they’re looking for someone confident in handling these services. Your task is to create a storage container, set up a file share, and upload files to both.
Create a Storage Container
Start by navigating to the Storage Account page and selecting the storage account you created in the previous “Prepare” exercise.
- On the storage account blade, under the Data storage submenu, select Containers.
- Select + Add container.
- In the Name field, enter storage-container.
- Select Create.
Upload a file to the storage container
- Select the storage container you just created.
- Select Upload and upload the file you prepared.
- Once the file is ready for upload, select Upload.
After uploading the file, you’ll see its assigned access tier. Since this file was only uploaded for testing purposes, there’s no need for it to remain in the Hot tier. In the following steps, you’ll update the file’s access tier to a more appropriate option.
Change the Access Tier
- Select the file you just uploaded (the file name is barplot.fig).
- Select Change tier.
- Select Cold.
- Select Save.
Note: In this step, you updated the access tier for a specific blob or file. If you want to apply a default access tier across all blobs, you can configure this setting at the storage account level.
Create a File Share
Navigate to the Storage Accounts page and choose the storage account you created in the previous Prepare exercise. This should be named marchsa and linked to the guided-project-rg resource group.
Within the storage account panel, locate the Data storage section and select File shares.
- Select + File share.
- On the Basics tab, in the name field, enter file-share.
- On the Backup tab, uncheck Enable backup.
- Select Review + create.
- Select Create.
- Once the file share is created, select Upload.
- Upload either the same file you uploaded to the blob storage or a different file; it’s up to you.
The next step is to determine how to manage access to the uploaded files. Azure offers several methods for controlling file access, such as role-based access control (RBAC). However, in this case, the Azure administrator has requested the use of shared access tokens or keys.
Create a Shared Access Signature (SAS) Token
- First, open the storage account you set up in the preparation exercise.
- Then, in the storage account panel, navigate to the Storage browser and expand the Blob containers section.
- Select the storage container you created earlier, storage-container.
- Select the ellipsis (three dots) at the end of the line for the image you uploaded.
- Select Generate SAS.
Note: When generating a shared access signature (SAS), you must define a validity period. Once this time expires, the link will no longer function. The Start field is automatically filled with the current date and time.
Configure the settings as follows:
- Set the signing method to Account key.
- Choose Key 1 as the signing key.
- Leave the stored access policy set to None.
- Assign Read permissions.
- Specify a custom start and expiry time, or keep the default values.
- Restrict allowed protocols to HTTPS only.
Finally, select Generate SAS token and URL.
- Copy the Blob SAS URL and paste it in another window or tab of your browser. It should display the image you uploaded. Keep this tab or window open.
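Before sharing a Blob SAS URL, it is worth checking that the token really carries the settings chosen above. The following is an added example, not part of the original walkthrough: it parses the standard SAS query fields (sp, st, se, spr, sr) and reports deviations. The sample URLs, dates, sig values and the 24-hour lifetime limit are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

def _utc(value):
    """Parse a SAS timestamp (ISO 8601, UTC) into an aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_sas_url(url, now, max_lifetime=timedelta(hours=24)):
    """Return findings for a blob SAS URL; an empty list means it matches
    the walkthrough's settings (Read only, HTTPS only, bounded lifetime)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https" or q.get("spr") != "https":
        findings.append("protocol: spr=%r is not HTTPS only" % q.get("spr"))
    if q.get("sp") != "r":
        findings.append("permissions: sp=%r is not read-only" % q.get("sp"))
    if q.get("sr") != "b":
        findings.append("scope: sr=%r is not a single blob" % q.get("sr"))
    if "se" not in q:
        findings.append("expiry: no se field in the token")
    else:
        expiry = _utc(q["se"])
        start = _utc(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("expiry: token has already expired")
        elif expiry - start > max_lifetime:
            findings.append("expiry: lifetime %s exceeds %s" % (expiry - start, max_lifetime))
    return findings

# Constructed sample data: account and container names come from the
# walkthrough; dates, sv and sig values are placeholders.
BASE = "https://marchsa.blob.core.windows.net/storage-container/barplot.fig"
NOW = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
GOOD_URL = BASE + ("?sp=r&st=2025-03-01T09:00:00Z&se=2025-03-01T17:00:00Z"
                   "&spr=https&sv=2022-11-02&sr=b&sig=CONSTRUCTED")
BAD_URL = BASE + ("?sp=rwd&st=2025-03-01T09:00:00Z&se=2026-03-01T09:00:00Z"
                  "&spr=https,http&sv=2022-11-02&sr=c&sig=CONSTRUCTED")

if __name__ == "__main__":
    for name, url in (("good", GOOD_URL), ("bad", BAD_URL)):
        print(name, audit_sas_url(url, NOW) or "OK")
```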
Once the SAS token is generated, anyone who has the link can access the file for the duration you specified. But managing access isn’t just about granting permissions—it’s also about being able to take them away when needed.
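To revoke access granted through a SAS token, you must invalidate it. Because this token was signed with the account key and has no stored access policy, that is done by rotating the key that was used to create it. Rotation also invalidates every other SAS token signed with the same key, and any application that authenticates with that key must be updated to the new value.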
Rotating access keys:
- Go to the Storage accounts page and open the storage account you created earlier.
- Navigate to the Security + networking section.
- Select Access keys.
- For Key 1, select Rotate key.
- Read and then acknowledge the warning about regenerating the access key by selecting Yes.
- After the access key rotation is successful, return to the tab or window where you tested the SAS token and refresh the page. You should now see an authentication failed error, confirming that access has been revoked.
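Why the refresh fails can be shown with a small model. This is an added example, not Azure's own code: a SAS signature is an HMAC-SHA256 keyed with the account key, so once Key 1 is replaced the service can no longer reproduce the old signature. The string-to-sign below is deliberately simplified (the real one has more fields and depends on the service version), and all field values are constructed.

```python
import base64
import hashlib
import hmac
import os

FIELDS = ("sp", "st", "se", "resource", "spr")  # simplified, not Azure's full list

def new_key():
    """Generate a base64-encoded random key (64 bytes here, constructed)."""
    return base64.b64encode(os.urandom(64)).decode()

def sign(token, key_b64):
    """HMAC-SHA256 over the simplified string-to-sign, keyed with the decoded key."""
    string_to_sign = "\n".join(token[f] for f in FIELDS)
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def service_accepts(token, sig, account_keys):
    """Model of validation: the signature must match one of the current keys."""
    return any(hmac.compare_digest(sig, sign(token, k)) for k in account_keys.values())

def rotation_demo():
    keys = {"key1": new_key(), "key2": new_key()}
    token = {"sp": "r", "st": "2025-03-01T09:00:00Z", "se": "2025-03-01T17:00:00Z",
             "resource": "/blob/marchsa/storage-container/barplot.fig", "spr": "https"}
    sig_key1 = sign(token, keys["key1"])  # the SAS generated in the walkthrough
    sig_key2 = sign(token, keys["key2"])  # a second SAS signed with Key 2
    before = (service_accepts(token, sig_key1, keys),
              service_accepts(token, sig_key2, keys))
    keys["key1"] = new_key()              # "Rotate key" on Key 1
    after = (service_accepts(token, sig_key1, keys),
             service_accepts(token, sig_key2, keys))
    return before, after

if __name__ == "__main__":
    before, after = rotation_demo()
    print("before rotation (key1 SAS, key2 SAS):", before)
    print("after rotation  (key1 SAS, key2 SAS):", after)
```

The token signed with Key 2 keeps working after Key 1 is rotated, which is why a key that may have signed leaked tokens is the one that has to be rotated.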
Conclusion
The Control Storage Access exercise highlighted key administrative tasks involved in managing and securing storage resources in Microsoft Azure. It included creating a storage container to organize blob data and adjusting the access tier to balance cost and performance based on how the data is used.
The exercise also covered setting up a file share to support structured storage and collaboration across different systems. To provide secure, temporary access, a Shared Access Signature (SAS) token was generated—allowing delegated access without exposing primary account keys. Additionally, rotating storage access keys demonstrated an important security practice by refreshing credentials and reducing the risk of unauthorized access.
Overall, these steps emphasize the importance of effective storage management, cost efficiency, and strong security measures when working with Azure storage services.





















