
Emmanuel


Securing Azure Storage: A Hands-on Guide to Managed Identities, Key Vaults, and Immutability

Azure Storage security involves multiple layers of protection working together. This guide follows a Microsoft Learn lab and starts with the most common weakness: an application that carries a storage account key or connection string in its configuration. We remove that risk by giving the app a User-Assigned Managed Identity (it authenticates to storage without any stored secret) and by bringing the storage encryption key under your own control in Azure Key Vault. Two further controls, immutable blob storage and an encryption scope, round out the lab.

You will learn how to:

  • Eliminate credential management using Managed Identities
  • Centralize key management using Azure Key Vault
  • Protect data from modification using Immutable Blob Storage
  • Add an extra encryption layer using Encryption Scopes

Who this is for:
Anyone new to Azure security who wants hands-on experience securing cloud storage.

Estimated time: 20–25 minutes

Task Overview:

  • Create the storage account and managed identity.
  • Secure access to the storage account with a key vault and key.
  • Configure the storage account to use the customer managed key in the key vault
  • Configure a time-based retention policy and an encryption scope.

STEP 01:

Create the storage account and managed identity

  1. In the global Azure search bar, search for and select Storage accounts. This is the storage account the web app will use.
  2. Select + Create.
  3. For the Resource group field, select Create new, give the group a name, and select OK.
  4. Provide a Storage account name. It must be globally unique and meet the naming rules (3–24 lowercase letters and digits).

Select Next until you reach the Encryption tab.

Check the box for Enable infrastructure encryption. Note the warning: this option cannot be changed after the storage account is created, so the decision has to be made now. Infrastructure encryption adds a second, independently keyed layer of encryption at rest beneath the service-level encryption, so the compromise of one key or algorithm does not expose the data on its own. Select Review + create, then Create, and wait for the resource to deploy.

STEP 02:

Provide a managed identity for the web app to use.

Search for and select Managed identities.

Select Create.
Select your resource group.
Give your managed identity a name.
Select Review and create, and then Create.

STEP 03:

Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs, so it gets a data-plane role that grants exactly that and nothing over the account's keys or settings.

Search for and select your storage account.
Select the Access Control (IAM) blade.
Select Add role assignment (center of the page).

On the Job function roles tab, search for and select the Storage Blob Data Reader role.

  1. On the Members page, select Managed identity.
  2. Select Select members, in the Managed identity drop-down select User-assigned managed identity.
  3. Select the managed identity you created in the previous step.
  4. Click Select and then Review + assign the role.
  5. Select Review + assign a second time to add the role assignment.

Your storage account can now be read by the managed identity through the Storage Blob Data Reader role. Because the assignment is scoped to this one storage account, the identity gains nothing on any other resource.

Secure access to the storage account with a key vault and key

STEP 04:
To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions. This is a data-plane role: once the vault is in RBAC mode, even the person who created it cannot create keys without such an assignment. The lab assigns it at resource-group scope, which covers every vault in the group; for a tighter assignment, scope it to the vault itself once the vault exists.

  1. In the portal, search for and select Resource groups.
  2. Select your resource group, and then the Access Control (IAM) blade.
  3. Select Add role assignment (center of the page).
  4. On the Job function roles tab, search for and select the Key Vault Administrator role.
  5. On the Members page, select User, group, or service principal.
  6. Select Select members.
  7. Search for and select your user account. Your user account is shown in the top right of the portal.
  8. Click Select and then Review + assign.
  9. Select Review + assign a second time to add the role assignment. You are now ready to continue with the lab.

STEP 05:

Create the key vault that will hold the customer-managed key.

In the portal, search for and select Key vaults.

STEP 06:

  1. Select Create.
  2. Select your resource group.
  3. Provide a name for the key vault. The name must be globally unique.
  4. On the Access configuration tab, ensure Azure role-based access control (recommended) is selected, so access to keys is governed by the same RBAC you used for the storage account rather than by legacy vault access policies.
  5. Select Review + create.
  6. Wait for the validation checks to complete and then select Create.
  7. After the deployment, select Go to resource. On the Overview blade ensure both Soft-delete and Purge protection are enabled. Azure Storage requires both before it will use a customer-managed key from the vault, because a purged key would leave the account's data permanently unreadable.

STEP 07:
Create a customer-managed key in the key vault.

Customer-managed keys let your organization own the key's lifecycle (creation, rotation, disabling, and the audit trail of its use) instead of relying solely on Microsoft-managed keys. The storage service still encrypts the data itself; what changes is that the key protecting the account's data-encryption keys lives in your vault, and you can revoke the service's access to it.

In your key vault, in the Objects section, select the Keys blade.
Select Generate/Import and name the key.
Take the defaults for the rest of the parameters (an RSA 2048-bit key) and Create the key.

Configure the storage account to use the customer managed key in the key vault

Before you can complete the next steps, you must assign the Key Vault Crypto Service Encryption User role to the managed identity. This role grants only key get, wrap and unwrap, which is all the storage service needs to protect and unprotect the account's data-encryption keys; it gives no access to secrets, certificates or the vault configuration.

STEP 08:

  1. Select your resource group, and then the Access Control (IAM) blade. (The lab assigns the role at resource-group scope; in practice, scope it to the key vault itself so the identity can use keys in no other vault.)
  2. Select Add role assignment (center of the page).
  3. On the Job function roles tab, search for and select the Key Vault Crypto Service Encryption User role.

STEP 09:

  1. On the Members page, select Managed identity.
  2. Select Select members, in the Managed identity drop-down select User-assigned managed identity.
  3. Select your managed identity.
  4. Click Select and then Review + assign.


Select Review + assign a second time to add the role assignment.

Configure the storage account to use the customer managed key in your key vault.

STEP 10:

  1. Return to your storage account.
  2. In the Security + networking section, select the Encryption blade.
  3. Under Encryption type, select Customer-managed keys.
  4. Select a key vault and key.

STEP 11:

  1. Select your key vault and key.
  2. Click Select to confirm your choices.
  3. Ensure the Identity type is User-assigned.
  4. Select an identity.
  5. Select your managed identity, then select Add.
  6. Save your changes.

If you receive an error that your identity does not have the correct permissions, wait a minute and try again: the role assignment from the previous step can take a short while to propagate.
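Steps 01 to 11 as a single Az PowerShell script, added here as an example; it is not code from the post or from the Microsoft Learn lab. It assumes the Az.Accounts, Az.Resources, Az.Storage, Az.KeyVault and Az.ManagedServiceIdentity modules are installed, that Connect-AzAccount has been run as a user who can create role assignments, and that every name, region and SKU in it is a placeholder. Where the portal steps say "wait a minute and try again", the script retries instead.

```powershell
# Added example (not from the post or the Microsoft Learn lab): Steps 01-11 as
# an Az PowerShell script. Assumes the Az modules are installed, Connect-AzAccount
# has been run as a user who can create role assignments, and that every name,
# region and SKU below is a placeholder you will change.
$ErrorActionPreference = 'Stop'

$rg      = 'rg-secure-storage'                        # assumed
$loc     = 'eastus'                                   # assumed
$suffix  = Get-Random -Minimum 10000 -Maximum 99999   # names must be globally unique
$saName  = "stsecure$suffix"                          # 3-24 lowercase letters/digits
$kvName  = "kv-secure-$suffix"
$miName  = 'id-webapp'
$keyName = 'storage-cmk'

function Invoke-WithRetry([scriptblock]$Action, [int]$Attempts = 6) {
    # New principals and new role assignments take a short time to propagate;
    # retry the call rather than fail the whole script on the first 403/404.
    for ($i = 1; $i -le $Attempts; $i++) {
        try { return & $Action }
        catch { if ($i -eq $Attempts) { throw }; Start-Sleep -Seconds 15 }
    }
}

New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# Step 01: infrastructure (double) encryption can only be chosen at creation time.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $loc `
        -SkuName Standard_LRS -Kind StorageV2 -RequireInfrastructureEncryption `
        -AllowBlobPublicAccess $false -MinimumTlsVersion TLS1_2 -EnableHttpsTrafficOnly $true

# Step 02: the identity the web app will run as.
$mi = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $miName -Location $loc

# Step 03: read/list only, scoped to this one account rather than the resource group.
Invoke-WithRetry { New-AzRoleAssignment -ObjectId $mi.PrincipalId `
    -RoleDefinitionName 'Storage Blob Data Reader' -Scope $sa.Id } | Out-Null

# Steps 04-06: RBAC-authorized vault; soft delete and purge protection are
# mandatory for a vault that backs customer-managed keys.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $loc `
        -EnableRbacAuthorization -EnablePurgeProtection -SoftDeleteRetentionInDays 90
$me = Get-AzADUser -SignedIn
Invoke-WithRetry { New-AzRoleAssignment -ObjectId $me.Id `
    -RoleDefinitionName 'Key Vault Administrator' -Scope $kv.ResourceId } | Out-Null

# Step 07: the customer-managed key (software-protected RSA by default).
$key = Invoke-WithRetry { Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software }

# Steps 08-09: acting as the identity, the storage service may only get/wrap/unwrap
# keys in this vault; it gets no rights on secrets, certificates or the vault itself.
Invoke-WithRetry { New-AzRoleAssignment -ObjectId $mi.PrincipalId `
    -RoleDefinitionName 'Key Vault Crypto Service Encryption User' -Scope $kv.ResourceId } | Out-Null

# Steps 10-11: switch the account to the customer-managed key through the
# user-assigned identity. This pins one key version; the portal can instead
# track the latest version automatically.
Invoke-WithRetry { Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -IdentityType UserAssigned -UserAssignedIdentityId $mi.Id `
    -KeyvaultEncryption -KeyVaultUri $kv.VaultUri -KeyName $key.Name -KeyVersion $key.Version `
    -KeyVaultUserAssignedIdentityId $mi.Id } | Out-Null

# Check the result: KeySource must now be Microsoft.Keyvault, not Microsoft.Storage.
$enc = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption
Write-Output "KeySource: $($enc.KeySource); key: $($enc.KeyVaultProperties.KeyName); infrastructure encryption: $($enc.RequireInfrastructureEncryption)"
```

The two role assignments for the identity are scoped to the storage account and to the vault rather than to the resource group, which is the tightest scope that still makes the lab work. The final check is the one worth keeping in any automation: an account whose KeySource still reads Microsoft.Storage has silently stayed on Microsoft-managed keys.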

Configure a time-based retention policy and an encryption scope.

The developers require a storage container where files can’t be modified, even by the administrator.

STEP 12:
Navigate to your storage account. In the Data storage section:

  1. Select the Containers blade.
  2. Create a container called hold. Take the defaults. Be sure to Create the container.
  3. Upload a file to the container.
  4. In the Settings section, select the Access policy blade.
  5. In the Immutable blob storage section, select + Add policy. Immutable blob storage helps organizations meet compliance (WORM) requirements and blunts ransomware, because a blob cannot be overwritten or deleted while its retention period runs.
  6. For the Policy type, select time-based retention.
  7. Set the Retention period to 5 days.
  8. Be sure to Save your changes.
  9. Try to delete the file in the container.
  10. Verify that the portal reports the delete failed because of the policy.

A newly created time-based policy is unlocked. While it is unlocked, anyone with write rights on the container resource can shorten or remove it, so it does not yet keep an administrator out; it is a guard rail, not a guarantee. Locking the policy makes the retention irreversible (a locked period can later be extended but never shortened or removed) and also means the container cannot be deleted until every blob has aged past the period. Test with the unlocked policy first, and lock only a container you really mean to keep.


The developers require an encryption scope that enables infrastructure encryption. An encryption scope lets one storage account hold data encrypted under different settings or keys per container or per blob, so a single account can serve data classes with different requirements.

Navigate back to your storage account.
In the Security + networking blade, select Encryption.
In the Encryption scopes tab, select Add.
Give your encryption scope a name.
The Encryption type is Microsoft-managed key.
Set Infrastructure encryption to Enable.
Create the encryption scope.

Return to your storage account and create a new container.
Notice on the New container page, there is the Name and Public access level.
Notice in the Advanced section you can select the Encryption scope you created and apply it to all blobs in the container.
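Step 12 onward as an added Az PowerShell example, again not code from the post or the lab. It assumes the resource group and storage account from the earlier steps exist (the names are placeholders), that the signed-in user may list the account keys, which `$sa.Context` uses for the data-plane calls, and it keeps the irreversible lock behind a switch you set deliberately. The test file it uploads is constructed for the example.

```powershell
# Added example (not from the post or the Microsoft Learn lab): Step 12 onward
# as Az PowerShell. Assumes the resource group and storage account from the
# earlier steps exist (names below are placeholders) and that the signed-in
# user may list the account keys, which $sa.Context uses for data-plane calls.
$ErrorActionPreference = 'Stop'

$rg         = 'rg-secure-storage'   # assumed
$saName     = 'stsecure12345'       # assumed: the account created earlier
$scopeName  = 'scope-infra'         # assumed encryption scope name
$lockPolicy = $false                # set to $true only on purpose (see below)

$sa  = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$ctx = $sa.Context

# Container "hold" plus a constructed test file to protect.
New-AzStorageContainer -Name 'hold' -Context $ctx -Permission Off | Out-Null
$tmp = New-TemporaryFile
Set-Content -Path $tmp.FullName -Value 'constructed evidence file'
Set-AzStorageBlobContent -File $tmp.FullName -Container 'hold' -Blob 'evidence.txt' -Context $ctx | Out-Null

# Time-based retention of 5 days, counted from each blob's creation time.
$policy = Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
            -StorageAccountName $saName -ContainerName 'hold' -ImmutabilityPeriod 5
Write-Output "Retention policy: $($policy.State), $($policy.ImmutabilityPeriodSinceCreationInDays) day(s)"

# Verify the control: a delete must be refused while the blob is under retention.
$deleted = $false
try {
    Remove-AzStorageBlob -Container 'hold' -Blob 'evidence.txt' -Context $ctx -Force
    $deleted = $true
} catch {
    Write-Output "Delete refused as expected: $($_.Exception.Message)"
}
if ($deleted) { throw 'Delete succeeded; the retention policy is not in effect.' }

# An unlocked policy is only a guard rail: anyone with write rights on the
# container resource can shorten or remove it, so it does not yet keep an
# administrator out. Locking makes it irreversible (the period can be extended
# later, never shortened), and the container cannot be deleted until every blob
# has aged past the period. That is why the lock sits behind an explicit switch.
if ($lockPolicy) {
    $locked = Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
                -StorageAccountName $saName -ContainerName 'hold' -Etag $policy.Etag -Force
    Write-Output "Retention policy: $($locked.State)"
}

# Encryption scope: Microsoft-managed key with infrastructure (double) encryption.
New-AzStorageEncryptionScope -ResourceGroupName $rg -StorageAccountName $saName `
    -EncryptionScopeName $scopeName -StorageEncryption -RequireInfrastructureEncryption | Out-Null

# A new container that applies the scope to every blob and refuses per-upload overrides.
New-AzRmStorageContainer -ResourceGroupName $rg -StorageAccountName $saName -Name 'scoped' `
    -DefaultEncryptionScope $scopeName -PreventEncryptionScopeOverride $true | Out-Null

$c = Get-AzRmStorageContainer -ResourceGroupName $rg -StorageAccountName $saName -Name 'scoped'
Write-Output "Container scoped: default scope $($c.DefaultEncryptionScope), override prevented: $($c.DenyEncryptionScopeOverride)"
```

The delete attempt is wrapped so that an unexpected success fails the script: a retention policy that has not taken effect is exactly the kind of silent failure you want a check to surface. Setting the container's default scope with the override prevented is the counterpart of the portal's "apply to all blobs" option; without it a client could upload a blob under the account's default encryption instead of the scope.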

What You Accomplished

In this guide you successfully implemented four layers of Azure Storage security:

  • Managed Identity — your app accesses storage without storing credentials
  • Key Vault + Customer-Managed Key — you control the encryption keys for your storage data
  • Immutable Blob Storage — files in your container cannot be modified or deleted during the retention period
  • Encryption Scope — an additional encryption layer applied at the container level

These controls work together to protect your data against unauthorized access, accidental or malicious deletion, and compliance risk.

You have configured a coherent set of security controls for Azure Storage: a managed identity in place of stored credentials, a customer-managed key safeguarded in Azure Key Vault, and time-based immutability. Treat it as a hardened baseline rather than a finished production design: the storage account's shared keys still exist alongside the managed identity, and nothing here restricts network access to the account, so those are the natural next controls to review.

How did you customize your configuration? Let me know in the comments section below!
