DEV Community

Peter Olanrewaju Fadeyi

Choosing and Configuring Azure Storage for Your Company Application

Beyond simple storage: Implementing Managed Identities, Encryption, and Immutability.

Setting up storage for a modern app isn't just about creating a folder; it’s about building a secure data lifecycle. In this guide, we’ll move from basic setups to an enterprise-grade configuration using Managed Identities, Azure Key Vault, and Immutable Policies.

The Technical Roadmap: From Architecture to Execution
With the strategy in place, we now move into the implementation phase. Follow the blueprint below to deploy a hardened, enterprise-grade storage environment for your application. Note: pay close attention to the encryption settings. Once the storage account is created they cannot be changed, so they become the permanent foundation of your data security.

Phase 1: Create the storage account and managed identity.

  • In the portal, search for and select Storage accounts.

  • Select + Create.

  • For Resource group, click Create new, give it a name and select OK. Then provide a unique Storage account name.

  • Move to the Encryption tab and check the box for Enable infrastructure encryption. Note the warning that this option cannot be changed after the storage account is created, and leave the other settings at their defaults. Click Review + create, then Create. Wait for the deployment to complete and click Go to resource.

  • In the portal, search for and select Managed identities.

  • Select + Create.

  • Select your resource group from the drop-down and give your managed identity a name. Then select Review + create, then Create. Click Go to resource.

  • Search for and select your storage account.

  • Click the Access Control (IAM) blade and then select Add role assignment.

  • On the Job functions roles page, search for and select the Storage Blob Data Reader role, then click Next.

  • On the Members page, select Managed identity. Select + Select members. In the Managed identity drop-down select User-assigned managed identity. Then select the managed identity you created in the previous step. Click Select and then click Review + assign twice to add the role assignment.

Phase 2: Identity & Access Management (IAM)

  • In the portal, search for and select Resource groups, then select the resource group you created.

  • Select the Access Control (IAM) blade and then click Add role assignment.

  • On the Job functions roles page, search for and select the Key Vault Administrator role, then select Next.

  • On the Members page, select User, group, or service principal, select + Select members, then search for and select your user account (it is shown in the top right of the portal). Click Select and then Review + assign twice to add the role assignment.

  • In the portal, search for and select Key vaults.

  • Select + Create.

  • Select your resource group, and provide a unique name for the key vault.

  • On the Access configuration tab, ensure that Azure role-based access control (recommended) is selected. Then select Review + create, then Create.

  • Wait for the deployment to complete and click Go to resource.

  • On the Overview blade, ensure that both Soft-delete and Purge protection are Enabled. If either is Disabled, click it and change it to Enabled.

  • In your key vault, in the Objects section, select the Keys blade and click Generate/Import.

  • Name the key, take the default settings for the rest of the parameters, and click Create.

Phase 3: Configure the storage account to use the customer managed key in the key vault

  • In the portal, search for and select Resource groups, then select your resource group. Click the Access Control (IAM) blade and then select Add role assignment.

  • On the Job functions roles page, search for and select the Key Vault Crypto Service Encryption User role.

  • On the Members page, select Managed identity, then select + Select members. In the Managed identity drop-down select User-assigned managed identity, select your managed identity, click Select and then Review + assign twice to add the role assignment.

  • Return to your storage account. In the Security + networking section, select the Encryption blade, select Customer-managed keys, and then select Select a key vault and key.

  • Select Key vaults and then select your key vault and key, then Select to confirm your choices.

  • Ensure the Identity type is User-assigned; otherwise click Select an identity. Select your managed identity, click Add, and then Save your changes to update your storage account.

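The same Phase 1 to Phase 3 configuration as infrastructure-as-code, added here as an example and not part of the original post. The resource names, API versions and the RSA-2048 key parameters are assumptions; the Storage Blob Data Reader and Key Vault Administrator assignments from Phases 1 and 2 follow the same roleAssignments pattern and are left out for length.

```bicep
// Added example (not the post's code): Phases 1-3 in Bicep; names and API versions are assumptions.
param location string = resourceGroup().location
param saName string // globally unique, 3-24 lowercase letters and digits
param kvName string // globally unique
param miName string = 'app-storage-mi'
var cryptoUserRoleId = 'e147488a-f6f5-4113-8e2d-b22465e65bf6' // Key Vault Crypto Service Encryption User
resource mi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { name: miName, location: location }
// Phase 2: vault in RBAC mode with soft delete and purge protection, as the post requires.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: kvName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    enableSoftDelete: true
    enablePurgeProtection: true // cannot be switched off again once enabled
  }
}
resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: 'storage-cmk'
  properties: { kty: 'RSA', keySize: 2048 }
}
// Phase 3: the identity needs wrap/unwrap rights on the vault before the account can use the key.
resource kvCrypto 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, mi.id, cryptoUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', cryptoUserRoleId)
    principalId: mi.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
// Phases 1 and 3: infrastructure encryption is fixed at creation; the CMK is bound via the identity.
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: saName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${mi.id}': {} } }
  properties: {
    encryption: {
      requireInfrastructureEncryption: true
      keySource: 'Microsoft.Keyvault'
      identity: { userAssignedIdentity: mi.id }
      keyvaultproperties: { keyname: cmk.name, keyvaulturi: kv.properties.vaultUri }
    }
  }
  dependsOn: [ kvCrypto ] // the role grant is not implied by the references above
}
```

Omitting keyversion in keyvaultproperties lets the account pick up new key versions automatically, which is what the portal's Select a key vault and key flow does as well.
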
Phase 4: Configure a time-based retention policy and an encryption scope

  • Navigate to your storage account. In the Data storage section, select the Containers blade and click + Add container. Give it a name, keep the defaults, and click Create.

  • Upload a file to the container.

  • In the Settings section, select the Access policy blade. In the Immutable blob storage section, select + Add policy. For the Policy type, select Time-based retention. Set the Retention period, keep the other defaults, and Save your changes.

  • Try to delete the file in the container. Verify that you see the notification Failed to delete blobs due to policy.

  • Navigate back to your storage account. In the Security + networking section, select the Encryption blade and open the Encryption scopes tab:

i. Select Add.

ii. Give your encryption scope a name.

iii. Leave the Encryption type as Microsoft-managed key.

iv. Set Infrastructure encryption to Enable.

v. Click Create.

  • Return to your storage account and create a new container. Notice that in the Advanced section you can select the encryption scope you created and apply it to all blobs in the container.

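Phase 4 as Bicep against the account from the earlier phases, added here as an example and not the post's own code. The container names, the 7-day retention period and the scope name are assumptions; the post only says to set a retention period, and the second container goes one step further than the portal by also refusing per-blob overrides of the scope.

```bicep
// Added example (not the post's code): Phase 4 on an existing account; names and period are assumptions.
param saName string
param retentionDays int = 7 // the post only says "set the Retention period"
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' existing = { name: saName }
resource blobSvc 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' existing = {
  parent: sa
  name: 'default'
}
resource hold 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobSvc
  name: 'hold'
  properties: { publicAccess: 'None' }
}
// Time-based retention: deletes and overwrites are refused until the period has elapsed
// (this is the "Failed to delete blobs due to policy" check in the post). The policy stays
// unlocked here, so the period can still be edited; lock it only once you are sure of it.
resource retention 'Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies@2023-01-01' = {
  parent: hold
  name: 'default' // the only name the resource type accepts
  properties: {
    immutabilityPeriodSinceCreationInDays: retentionDays
    allowProtectedAppendWrites: false
  }
}
// Encryption scope: Microsoft-managed key plus infrastructure (double) encryption,
// matching steps i-v of the portal walkthrough.
resource scope 'Microsoft.Storage/storageAccounts/encryptionScopes@2023-01-01' = {
  parent: sa
  name: 'app-scope'
  properties: {
    source: 'Microsoft.Storage'
    state: 'Enabled'
    requireInfrastructureEncryption: true
  }
}
// Second container: every blob written here is encrypted under the scope by default,
// and clients cannot name a different scope on upload.
resource scoped 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobSvc
  name: 'scoped-data'
  properties: {
    publicAccess: 'None'
    defaultEncryptionScope: scope.name
    denyEncryptionScopeOverride: true
  }
}
```
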
Summary
This guide transforms a standard cloud storage setup into an enterprise-grade, "Zero-Trust" data environment. By moving through these four phases, you have successfully shifted from basic file hosting to a hardened application data lifecycle.

Top comments (1)

SKILL.SCH

Nice