Controlling and Securing Azure Storage Access: A Step-by-Step Guide

Introduction

In modern applications, secure data storage is non-negotiable. Developers must ensure that storage accounts are protected from unauthorized access, accessed only through approved identities, and encrypted with customer-managed keys. With role-based access control (RBAC), managed identities, and immutable storage, Azure makes this possible.

In this hands-on guide, we’ll cover how to:

• Create a storage account and managed identity.
• Secure access with a Key Vault and customer-managed keys.
• Configure encryption scopes for additional protection.
• Apply time-based retention policies for immutable blob storage.

By the end, you’ll know how to ensure your storage account is accessible only through secure channels a critical step in protecting sensitive application data.

Skilling Objectives

You will learn to:

• Create a storage account with encryption.
• Assign a managed identity with RBAC.
• Secure keys in Azure Key Vault and configure customer-managed keys.
• Enable immutable blob storage with retention policies.
• Apply an encryption scope for stronger infrastructure encryption.

Step 1: Create the Storage Account & Managed Identity

💡 Why start here?
A storage account is the foundation for storing data in Azure, while a managed identity provides secure, passwordless access for your app.

Create the Storage Account

1. In the Azure Portal, search for Storage accounts → + Create.
   
   

2. Create a new Resource group (e.g. rg-alpha).

3. Provide a unique storage account name (e.g. ibrahimstrg).
   

4. On the Encryption tab, check Enable infrastructure encryption (this can’t be changed later).

5. Click Review + Create, then wait for deployment.
   
   

Create the Managed Identity

1. Search for Managed Identities → + Create.
   
   

2. Select your resource group and provide a name (e.g. IbrahimIdentities).

3. Click Review + Create.
   

Assign Permissions

1. Open your storage account → Access Control (IAM).

2. Select + Add role assignment.
   

3. From roles, select Storage Blob Data Reader.
   

4. Under Members, choose Managed identity → User-assigned managed identity.
   

5. Select your managed identity → Review + assign.
   

✅ The managed identity now has secure access to the storage account.

Step 2: Secure Access with Key Vault

💡 Why use Key Vault?
Instead of embedding keys in code or configs, Key Vault keeps them secure, centralized, and managed with RBAC.

Assign Yourself Key Vault Permissions

1. In your resource group → Access Control (IAM).

2. Select + Add role assignment.
   

3. Assign Key Vault Administrator role to your user account.
   
   
   

Create a Key Vault

1. In the portal, search for Key vaults → + Create.
   
   

2. Select your resource group and provide a unique name (e.g. ConsoleKey).
   

3. Under Access configuration, select Azure role-based access control (recommended).

4. Review + create → wait for deployment → Go to resource.
   
   

5. Confirm Soft-delete and Purge protection are enabled.
   
   

Generate a Customer-Managed Key

1. In the Key Vault, open Objects → Keys.

2. Select + Generate/Import.
   

3. Provide a name (e.g. customerkey) → keep defaults → Create.
   

Step 3: Configure Storage with Customer-Managed Key

💡 Why customer-managed keys?
They give you full control over encryption, helping with compliance and governance requirements.

Give the Managed Identity Key Access

1. In your resource group → Access Control (IAM).

2. Select + Add role assignment.
   

3. Assign Key Vault Crypto Service Encryption User role to your managed identity.
   
   
   

Configure Storage to Use the Key

1. Open your storage account → Security + networking → Encryption.

2. Select Customer-managed keys.
   

3. Choose your Key Vault and key.
   

4. Ensure Identity type = User-assigned → select your managed identity → Save.
   

⏳ If you see a permission error, wait 1–2 minutes and retry.

Step 4: Apply Immutable Blob Storage with Retention Policy

💡 What is immutable storage?
It ensures data can’t be modified or deleted even by administrators for a defined retention period.

Steps

1. In your storage account → Containers → + Container, create one named hold.
   

2. Upload a file.
   

3. Under Access policy → + Add policy → select Time-based retention.

4. Set Retention period = 5 days → Save.
   

✅ Try deleting the file — you’ll be blocked due to the policy.

Step 5: Configure Encryption Scope

💡 Why encryption scopes?
They allow applying specific encryption settings (e.g. infrastructure encryption) at the container or blob level.

Steps

1. In your storage account → Encryption → Encryption scopes → + Add.

2. Give it a name, choose Microsoft-managed key, enable Infrastructure encryption.
   

3. Create a new container and apply this encryption scope to all blobs within.

Cleanup Resources

If this is only for practice, clean up to avoid costs:

• Azure Portal: Delete the resource group.

• PowerShell:

  Remove-AzResourceGroup -Name resourceGroupName

• CLI:

  az group delete --name resourceGroupName

Conclusion

In this project, you’ve learned how to:

• Create a storage account and managed identity.
• Secure storage with Key Vault and customer-managed keys.
• Apply immutable blob storage and encryption scopes.

These steps are essential for protecting sensitive data in the cloud. By combining RBAC, managed identities, and encryption, you ensure your app’s storage is both secure and compliant.

🔐 With this workflow, your storage account isn’t just functional — it’s locked down by design.