SUBAIR NURUDEEN ADEWALE

How to Control Storage Access in Microsoft Azure.

Azure Storage provides secure, scalable cloud storage for various data types, including blobs, files, queues, and tables. However, managing access to these resources is critical to prevent unauthorized data exposure while ensuring legitimate users and applications can retrieve what they need.

In this hands-on project, you will learn how to:

  • Create and configure storage containers and file shares
  • Upload files and manage access tiers
  • Generate and test Shared Access Signature (SAS) tokens
  • Rotate storage account keys to revoke access

Step 1 Create a storage container

  • From the Azure portal home page, in the search box, enter storage accounts.
  • Select storage accounts under services.

  • Select the storage account you created in the Prepare exercise. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.)

  • On the storage account blade, under the Data storage submenu, select Containers.
  • Select + Add container.

  • In the Name field, enter storage-container.
  • Select Create.

Upload a file to the storage container

  • Select the storage container you just created.

  • Select Upload and upload the file you prepared.
  • Once the file is ready for upload, select Upload.

Change the access tier

  • Select the file you just uploaded (the file name is a hyperlink).

  • Select Change tier.

  • Select Cold.
  • Select Save.

Step 2 Create a file share

  • From the Azure portal home page, in the search box, enter storage accounts.
  • Select storage accounts under services.

  • Select the storage account you created in the Prepare exercise. The storage account name is the hyperlink to the storage account. (Note: it should be associated with the resource group guided-project-rg.)

  • On the storage account blade, under the Data storage submenu, select File shares.
  • Select + File share.

  • On the Basics tab, in the name field enter file-share.

  • On the Backup tab, uncheck Enable backup.

  • Select Review + create.
  • Select Create.

  • Once the file share is created, select Upload.

  • Upload the same file you uploaded to the blob storage, or a different file; it’s up to you.

  • Select Home to return to the Azure portal home page.

Step 3 Create a shared access signature token

  • From the Azure portal home page, in the search box, enter storage accounts.
  • Select storage accounts under services.

  • Select the storage account you created in the Prepare exercise.

  • On the storage account blade, select Storage browser.

  • Expand Blob containers.
  • Select the ellipsis (three dots) at the end of the line for the image you uploaded.

  • Select Generate SAS.

Note: When you generate a shared access signature, you set the duration. Once the duration is over, the link stops working. The Start field automatically populates with the current date and time.

  • Set Signing method to Account key.
  • Set Signing key to Key 1.
  • Set Allowed protocols to HTTPS only.
  • Select Generate SAS token and URI.

Copy the Blob SAS URL and paste it in another window or tab of your browser. It should display the image you uploaded. Keep this tab or window open.

Note: With the SAS token created, anyone with that link can access the file for the duration that was set when you created the SAS token. However, controlling access to a resource or file is about more than just granting access. It’s also about being able to revoke access. To revoke access with a SAS token, you need to invalidate the token. You invalidate the token by rotating the key that was used.
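
The settings chosen in this step travel in the query string of the Blob SAS URL, so a link can be checked before it is shared. The following Python sketch is an added example, not part of the original post: it flags a SAS URL that allows HTTP, grants more than read, or stays valid longer than a limit. The account name, blob name, `sig` value, timestamps and the one-hour limit are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=1)  # assumed policy limit, not an Azure default
UTC = timezone.utc

def _ts(value):
    # Assumes st/se in the form 2024-05-01T10:00:00Z (ISO 8601, UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)

def audit_sas_url(url, now):
    """Return findings for a Blob SAS URL; an empty list means none."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q or "se" not in q:
        return ["not a SAS URL: sig or se missing"]
    findings = []
    # spr = allowed protocols; when absent the service accepts https and http.
    if q.get("spr", "https,http") != "https":
        findings.append("HTTP allowed (spr is not 'https')")
    # sp = permissions; anything beyond read widens what a leaked link can do.
    extra = set(q.get("sp", "")) - {"r"}
    if extra:
        findings.append("permissions beyond read: " + "".join(sorted(extra)))
    # se = expiry, st = optional start; measure how long the link still works.
    expiry = _ts(q["se"])
    start = _ts(q["st"]) if "st" in q else now
    if expiry <= now:
        findings.append("already expired")
    elif expiry - max(start, now) > MAX_LIFETIME:
        findings.append("remaining lifetime exceeds " + str(MAX_LIFETIME))
    return findings

# Constructed sample URLs (account name, blob name and sig are placeholders).
BASE = "https://exampleaccount.blob.core.windows.net/storage-container/photo.png"
GOOD = BASE + "?sp=r&st=2024-05-01T10:00:00Z&se=2024-05-01T10:30:00Z&spr=https&sr=b&sig=PLACEHOLDER"
BAD = BASE + "?sp=rwd&st=2024-05-01T10:00:00Z&se=2024-06-01T10:00:00Z&sr=b&sig=PLACEHOLDER"
NOW = datetime(2024, 5, 1, 10, 5, tzinfo=UTC)  # constructed "current time"

if __name__ == "__main__":
    for name, url in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_sas_url(url, NOW) or "no findings")
```

A check like this limits what a leaked link can do; revoking a link that has already been issued still requires rotating the key that signed it, as described in the note above.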

Step 4 Rotate access keys

  • From the Azure portal home page, in the search box, enter storage accounts.
  • Select storage accounts under services.

  • Select the storage account you created in the Prepare exercise.

  • Expand the Security + networking submenu.
  • Select Access keys.

  • For Key 1, select Rotate key.
  • Read and then acknowledge the warning about regenerating the access key by selecting Yes.

  • Once you see the success message for rotating the access key, go back to the window or tab you used to check the SAS token and refresh the page. You should receive an authentication failed error.

Conclusion
This lab has provided hands-on experience in securing Azure Storage through containers, file shares, SAS tokens, and key management. Key takeaways include:

  • Blob Storage & File Shares – Learned how to create and manage different storage types.
  • Access Control with SAS Tokens – Generated temporary access links with configurable permissions and expiration.
  • Key Rotation for Security – Revoked access by rotating storage account keys, ensuring compromised tokens become invalid.
