INTRODUCTION
Keeping cloud storage safe means more than just setting a password. When applications need access to storage resources, the real challenge is making sure that access is controlled, auditable, and free from hardcoded credentials that can be leaked or misused.
Azure addresses this through a combination of Managed Identities, Role-Based Access Control (RBAC), and Key Vaults. These tools work together to give you fine-grained control over who and what can touch your data.
This article walks you through building that secure environment from the ground up, starting with a properly encrypted storage account and finishing with policies that prevent data from being tampered with or deleted.
What Are Managed Identities, RBAC, and Key Vaults?
Managed Identities
A managed identity is an identity that Azure creates and maintains for a resource such as a web app, so that the resource can authenticate to a storage account without a person having to create, store, or rotate credentials. Instead of someone manually approving or denying requests, the platform handles authentication automatically and RBAC decides what that identity is allowed to do in the storage account. It comes in two forms: a system-assigned managed identity (created and retired together with the resource and fully managed by the system) or a user-assigned managed identity (an identity you create yourself that can be shared across resources). In essence, managed identity streamlines the permission process by letting the platform govern how an application proves who it is and what it may access in the storage account.
Azure Role-Based Access Control (RBAC)
Not everyone in an organization needs the same level of access, and the same principle applies to cloud resources. RBAC lets you define exactly what each identity is allowed to do. A storage reader can view data but cannot delete it. An administrator can manage keys but may not have access to the data itself. Each role is scoped precisely, so nothing gets more permission than it actually needs.
Key Vault
Encryption keys, certificates, and application secrets all need somewhere secure to live. Azure Key Vault provides that central location, keeping sensitive values out of your codebase and making them available to authorized services at runtime with full logging of every access.
In this article, the objective is to secure storage for Azure Files and Azure Blob Storage by walking through four essential steps: creating the storage account and managed identity, securing access with a key vault and key, configuring a customer-managed key, and setting up a time-based retention policy and an encryption scope.
Create the storage account and managed identity.
Step 1: Create a Storage Account with Infrastructure Encryption.
- In the portal, search for and select Storage accounts.
- Select + Create.
- For Resource group select Create new. Give your resource group a name and select OK to save your changes.
- Provide a Storage account name. Ensure the name is unique and meets the naming requirements.
- Move to the Encryption tab. Check the box for Enable infrastructure encryption. Note the warning: "This option cannot be changed after this storage account is created."
- Select Review + Create.
- Wait for the resource to deploy.
Step 2: Provide a managed identity for the web app to use.
- Search for and select Managed identities.
- Select Create.
- Select your resource group.
- Give your managed identity a name.
- Select Review and create, and then Create.
Step 3: Assign the correct permissions to the managed identity. The identity only needs to read and list containers and blobs.
- Search for and select your storage account.
- Select the Access Control (IAM) blade.
- Select Add role assignment (center of the page).
- On the Job functions roles page, search for and select the Storage Blob Data Reader role.
- On the Members page, select Managed identity.
- Select Select members, then in the Managed identity drop-down select User-assigned managed identity.
- Select the managed identity you created in the previous step.
- Click Select and then Review + assign the role.
- Select Review + assign a second time to add the role assignment.
- Your storage account can now be accessed by a managed identity with the Storage Blob Data Reader permissions.
Secure access to the storage account with a key vault and key
Step 1: To create the key vault and key needed for this part of the lab, your user account must have Key Vault Administrator permissions.
- In the portal, search for and select Resource groups.
- Select your resource group, and then the Access Control (IAM) blade.
- Select Add role assignment (center of the page).
- On the Job functions roles page, search for and select the Key Vault Administrator role.
- On the Members page, select User, group, or service principal.
- Select Select members.
- Search for and select your user account. Your user account is shown in the top right of the portal.
- Click Select and then Review + assign.
- Select Review + assign a second time to add the role assignment.

Step 2: Create a key vault to store the access keys.
- In the portal, search for and select Key vaults.
- Select Create.
- Select your resource group.
- Provide the name for the key vault. The name must be unique.
- On the Access configuration tab, ensure that Azure role-based access control (recommended) is selected.
- Select Review + create.
- Wait for the validation checks to complete and then select Create.
- After the deployment, select Go to resource.
- On the Overview blade, ensure both Soft-delete and Purge protection are enabled.
Step 3: Create a customer-managed key in the key vault.
- In your key vault, in the Objects section, select the Keys blade.
- Select Generate/Import and give the key a name.
- Take the defaults for the rest of the parameters, and Create the key.
Configure the storage account to use the customer-managed key in the key vault
Step 1: In the portal, search for and select Resource groups.
- Select your resource group, and then the Access Control (IAM) blade.
- Select Add role assignment (center of the page).
- On the Job functions roles page, search for and select the Key Vault Crypto Service Encryption User role.
- On the Members page, select Managed identity.
- Select Select members, then in the Managed identity drop-down select User-assigned managed identity.
- Select your managed identity.
- Click Select and then Review + assign.
- Select Review + assign a second time to add the role assignment.

Step 2: Configure the storage account to use the customer-managed key in your key vault.
- Return to your storage account.
- In the Security + networking section, select the Encryption blade.
- Select Customer-managed keys.
- Choose Select a key vault and key, then pick your key vault and key.
- Click Select to confirm your choices.
- Ensure the Identity type is User-assigned.
- Select an identity.
- Select your managed identity then select Add.
- Save your changes.
- If you receive an error that your identity does not have the correct permissions, wait a minute and try again.
Configure a time-based retention policy and an encryption scope.
Step 1: The developers require a storage container where files can't be modified, even by the administrator.
- Navigate to your storage account.
- In the Data storage section, select the Containers blade.
- Create a container called hold. Take the defaults. Be sure to Create the container.
- Upload a file to the container.
- In the Settings section, select the Access policy blade.
- In the Immutable blob storage section, select + Add policy.
- For the Policy type, select time-based retention.
- Set the Retention period to 5 days.
- Be sure to Save your changes.
- Try to delete the file in the container.
- Verify that you receive the notification "Failed to delete blobs due to policy".
Step 2: The developers require an encryption scope that enables infrastructure encryption.
- Navigate back to your storage account.
- In the Security + networking blade, select Encryption.
- In the Encryption scopes tab, select Add.
- Give your encryption scope a name.
- For Encryption type, select Microsoft-managed key.
- Set Infrastructure encryption to Enable.
- Create the encryption scope.
- Return to your storage account and create a new container.
- Notice on the New container page the Name field and the Private access level.
- Notice in the Advanced section you can select the Encryption scope you created and apply it to all blobs in the container.
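As an added example that is not part of the original post, the same four-part lab as an Azure CLI script. The resource names are assumed placeholders (storage account and key vault names must be globally unique), it expects a prior `az login` by a user holding Key Vault Administrator, and it scopes the Key Vault role to the vault itself rather than the resource group used in the portal steps.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Azure CLI equivalent of the portal lab above.
set -eu
RG="${RG:-rg-secure-storage}"; LOC="${LOC:-eastus}"; SA="${SA:-stsecurelab001}"
MI="${MI:-id-webapp}"; KV="${KV:-kv-securelab-001}"; KEY="${KEY:-cmk-storage}"
SCOPE="${SCOPE:-infra-scope}"; RETENTION="${RETENTION:-5}"
# Storage account names: 3-24 characters, lowercase letters and digits only.
valid_storage_account_name() { printf '%s' "$1" | grep -Eq '^[a-z0-9]{3,24}$'; }
# Azure accepts immutability retention periods of 1 to 146000 days.
valid_retention_days() { [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 146000 ]; }
deploy_lab() {
  valid_storage_account_name "$SA" || { echo "invalid storage account name: $SA" >&2; return 1; }
  valid_retention_days "$RETENTION" || { echo "invalid retention: $RETENTION" >&2; return 1; }
  az group create -n "$RG" -l "$LOC" -o none
  # Step 1: infrastructure (double) encryption cannot be changed after creation, so set it here.
  az storage account create -n "$SA" -g "$RG" -l "$LOC" --sku Standard_LRS --kind StorageV2 \
    --require-infrastructure-encryption true -o none
  # Step 2: user-assigned managed identity for the web app (no credentials to store or rotate).
  az identity create -n "$MI" -g "$RG" -o none
  MI_ID=$(az identity show -n "$MI" -g "$RG" --query id -o tsv)
  MI_PRINCIPAL=$(az identity show -n "$MI" -g "$RG" --query principalId -o tsv)
  SA_ID=$(az storage account show -n "$SA" -g "$RG" --query id -o tsv)
  # Step 3: least privilege - read/list only, scoped to this single storage account.
  az role assignment create --role "Storage Blob Data Reader" --assignee-object-id "$MI_PRINCIPAL" \
    --assignee-principal-type ServicePrincipal --scope "$SA_ID" -o none
  # Key vault with the RBAC permission model and purge protection (soft-delete is on by default).
  az keyvault create -n "$KV" -g "$RG" -l "$LOC" --enable-rbac-authorization true \
    --enable-purge-protection true -o none
  KV_ID=$(az keyvault show -n "$KV" -g "$RG" --query id -o tsv)
  KV_URI=$(az keyvault show -n "$KV" -g "$RG" --query properties.vaultUri -o tsv)
  az keyvault key create --vault-name "$KV" -n "$KEY" -o none   # needs Key Vault Administrator
  # The identity only needs wrap/unwrap on the key; scope the role to the vault, not the resource group.
  az role assignment create --role "Key Vault Crypto Service Encryption User" \
    --assignee-object-id "$MI_PRINCIPAL" --assignee-principal-type ServicePrincipal --scope "$KV_ID" -o none
  # Customer-managed key; leaving out the key version lets storage pick up new key versions automatically.
  az storage account update -n "$SA" -g "$RG" --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "$KV_URI" --encryption-key-name "$KEY" \
    --identity-type UserAssigned --user-identity-id "$MI_ID" --key-vault-user-identity-id "$MI_ID" -o none
  # Time-based retention on "hold". The policy is created unlocked, so a privileged user can still
  # shorten or remove it; `az storage container immutability-policy lock` makes it irreversible.
  az storage container create --account-name "$SA" -n hold --auth-mode login -o none
  az storage container immutability-policy create --account-name "$SA" -g "$RG" -c hold --period "$RETENTION" -o none
  # Encryption scope with infrastructure encryption, enforced as the default for a new container.
  az storage account encryption-scope create --account-name "$SA" -g "$RG" -n "$SCOPE" \
    -s Microsoft.Storage --require-infrastructure-encryption true -o none
  az storage container create --account-name "$SA" -n scoped --auth-mode login \
    --default-encryption-scope "$SCOPE" --prevent-encryption-scope-override true -o none
}
if [ "${AZ_LAB_DEPLOY:-0}" = "1" ]; then deploy_lab; fi
```

Run it with `AZ_LAB_DEPLOY=1 ./secure-storage.sh`; a freshly created identity can take a minute to replicate, so rerun if the first role assignment fails, as the portal steps also note.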
Conclusion
Securing Azure Storage is not just about setting a password. It's about building layered, identity-driven protection where every component has only the permissions it needs and no more.
By combining Managed Identities, RBAC, Key Vaults, Customer-Managed Keys, immutable storage policies, and encryption scopes, you've built a storage environment that mirrors real-world enterprise security requirements.
Have questions or want to share what you built? Drop a comment below.