Oladosu Ibrahim
Controlling and Securing Azure Storage Access: A Step-by-Step Guide

Introduction

In modern applications, secure data storage is non-negotiable. Developers must ensure that storage accounts are protected from unauthorized access, accessed only through approved identities, and encrypted with customer-managed keys. With role-based access control (RBAC), managed identities, and immutable storage, Azure makes this possible.

In this hands-on guide, we’ll cover how to:

  • Create a storage account and managed identity.
  • Secure access with a Key Vault and customer-managed keys.
  • Configure encryption scopes for additional protection.
  • Apply time-based retention policies for immutable blob storage.

By the end, you’ll know how to ensure your storage account is accessible only through secure channels, a critical step in protecting sensitive application data.

Skilling Objectives

You will learn to:

  • Create a storage account with encryption.
  • Assign a managed identity with RBAC.
  • Secure keys in Azure Key Vault and configure customer-managed keys.
  • Enable immutable blob storage with retention policies.
  • Apply an encryption scope for stronger infrastructure encryption.

Step 1: Create the Storage Account & Managed Identity

💡 Why start here?
A storage account is the foundation for storing data in Azure, while a managed identity provides secure, passwordless access for your app.

Create the Storage Account

  1. In the Azure Portal, search for Storage accounts → + Create.

  2. Create a new Resource group (e.g. rg-alpha).

  3. Provide a unique storage account name (e.g. ibrahimstrg).

  4. On the Encryption tab, check Enable infrastructure encryption (this can’t be changed later).

  5. Click Review + Create, then wait for deployment.

Create the Managed Identity

  1. Search for Managed Identities → + Create.

  2. Select your resource group and provide a name (e.g. IbrahimIdentities).

  3. Click Review + Create.

Assign Permissions

  1. Open your storage account → Access Control (IAM).
  2. Select + Add role assignment.

  3. From roles, select Storage Blob Data Reader.

  4. Under Members, choose Managed identity → User-assigned managed identity.

  5. Select your managed identity → Review + assign.

✅ The managed identity now has secure access to the storage account.
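The same Step 1 procedure, scripted with the Az PowerShell module. This is an added example, not code from the original post; it assumes you have run Connect-AzAccount, that the Az.Storage, Az.ManagedServiceIdentity and Az.Resources modules are installed, and the resource group, account, identity and region names are assumed values.

```powershell
# Added example (not from the original post): Step 1 with the Az PowerShell module.
# Assumes Connect-AzAccount has been run. Names and region are assumed values.
$rg       = 'rg-alpha'
$location = 'eastus'
$saName   = 'ibrahimstrg'        # globally unique, 3-24 lowercase letters and digits
$miName   = 'IbrahimIdentities'

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Infrastructure (double) encryption can only be set when the account is created.
# Public blob access is disabled and TLS 1.2 enforced as a baseline.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location `
        -SkuName Standard_LRS -Kind StorageV2 `
        -RequireInfrastructureEncryption `
        -AllowBlobPublicAccess $false `
        -MinimumTlsVersion TLS1_2

# User-assigned managed identity: the app authenticates as this principal, no secret to store.
$mi = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $miName -Location $location

# A freshly created principal can take a moment to replicate in Entra ID;
# a short wait avoids a spurious "PrincipalNotFound" on the role assignment.
Start-Sleep -Seconds 30

# Least privilege: read-only data-plane role, scoped to this one storage account.
New-AzRoleAssignment -ObjectId $mi.PrincipalId `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $sa.Id | Out-Null

# Verify: exactly the expected role, at exactly the expected scope.
Get-AzRoleAssignment -ObjectId $mi.PrincipalId -Scope $sa.Id |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Scoping the role assignment to `$sa.Id` rather than the resource group matters: the identity can read blobs in this account and nothing else, which is what the portal steps above achieve when you open IAM on the storage account itself.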

Step 2: Secure Access with Key Vault

💡 Why use Key Vault?
Instead of embedding keys in code or configs, Key Vault keeps them secure, centralized, and managed with RBAC.

Assign Yourself Key Vault Permissions

  1. In your resource group → Access Control (IAM).
  2. Select + Add role assignment.

  3. Assign Key Vault Administrator role to your user account.

Create a Key Vault

  1. In the portal, search for Key vaults → + Create.

  2. Select your resource group and provide a unique name (e.g. ConsoleKey).

  3. Under Access configuration, select Azure role-based access control (recommended).

  4. Review + create → wait for deployment → Go to resource.

  5. Confirm Soft-delete and Purge protection are enabled.

Generate a Customer-Managed Key

  1. In the Key Vault, open Objects → Keys.
  2. Select + Generate/Import.

  3. Provide a name (e.g. customerkey) → keep defaults → Create.

Step 3: Configure Storage with Customer-Managed Key

💡 Why customer-managed keys?
They give you full control over encryption, helping with compliance and governance requirements.

Give the Managed Identity Key Access

  1. In your resource group → Access Control (IAM).
  2. Select + Add role assignment.

  3. Assign Key Vault Crypto Service Encryption User role to your managed identity.

Configure Storage to Use the Key

  1. Open your storage account → Security + networking → Encryption.
  2. Select Customer-managed keys.

  3. Choose your Key Vault and key.

  4. Ensure Identity type = User-assigned → select your managed identity → Save.

⏳ If you see a permission error, wait 1–2 minutes and retry.
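Steps 2 and 3 together, scripted with the Az PowerShell module. This is an added example, not code from the original post; it assumes the storage account and managed identity from Step 1 exist, that you are signed in as a user (the -SignInName role assignment needs a user account, not a service principal), and the vault, key and region names are assumed values.

```powershell
# Added example (not from the original post): Steps 2 and 3 with the Az PowerShell module.
# Assumes the Step 1 resources exist and you are signed in as a user. Names are assumed values.
$rg       = 'rg-alpha'
$location = 'eastus'
$saName   = 'ibrahimstrg'
$miName   = 'IbrahimIdentities'
$kvName   = 'ConsoleKey'          # globally unique
$keyName  = 'customerkey'

# RBAC authorization instead of access policies. Purge protection is required
# before a storage account will accept a key from this vault, and it cannot be
# turned off again once enabled. Soft delete is always on for new vaults.
$kv = New-AzKeyVault -ResourceGroupName $rg -VaultName $kvName -Location $location `
        -EnableRbacAuthorization `
        -EnablePurgeProtection `
        -SoftDeleteRetentionInDays 90

# Grant yourself Key Vault Administrator on the vault only, not on the whole resource group.
$me = (Get-AzContext).Account.Id
New-AzRoleAssignment -SignInName $me `
    -RoleDefinitionName 'Key Vault Administrator' `
    -Scope $kv.ResourceId | Out-Null
Start-Sleep -Seconds 30   # role assignments take a moment to propagate

# Software-protected RSA key; this is the customer-managed key.
Add-AzKeyVaultKey -VaultName $kvName -Name $keyName `
    -Destination Software -KeyType RSA -Size 2048 |
    Select-Object Name, Version, Enabled

# The managed identity only needs wrap/unwrap rights on the vault's keys.
$mi = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $miName
New-AzRoleAssignment -ObjectId $mi.PrincipalId `
    -RoleDefinitionName 'Key Vault Crypto Service Encryption User' `
    -Scope $kv.ResourceId | Out-Null
Start-Sleep -Seconds 30

# Point the storage account at the key through the user-assigned identity.
# Omitting -KeyVersion lets the account pick up new key versions automatically.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -IdentityType UserAssigned -UserAssignedIdentityId $mi.Id `
    -KeyvaultEncryption -KeyName $keyName -KeyVaultUri $kv.VaultUri `
    -KeyVaultUserAssignedIdentityId $mi.Id | Out-Null

# Verify the key source switched from Microsoft.Storage to Microsoft.Keyvault.
$enc = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption
$enc.KeySource
$enc.KeyVaultProperties | Select-Object KeyName, KeyVaultUri, KeyVersion
```

If Set-AzStorageAccount fails with a forbidden error right after the role assignment, that is the propagation delay the note above describes; wait a minute and rerun only the last step.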

Step 4: Apply Immutable Blob Storage with Retention Policy

💡 What is immutable storage?
It ensures data can’t be modified or deleted, even by administrators, for a defined retention period.

Steps

  1. In your storage account → Containers → + Container, create one named hold.

  2. Upload a file.

  3. Under Access policy → + Add policy → select Time-based retention.

  4. Set Retention period = 5 days → Save.

✅ Try deleting the file — you’ll be blocked due to the policy.
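The Step 4 procedure scripted with the Az PowerShell module, including the delete check. This is an added example, not code from the original post; it assumes the storage account from Step 1 exists, uses the account-key context from Get-AzStorageAccount, and the container, blob name and sample content are constructed values.

```powershell
# Added example (not from the original post): Step 4 with the Az PowerShell module.
# Assumes the Step 1 storage account exists. Container and blob names are assumed values.
$rg        = 'rg-alpha'
$saName    = 'ibrahimstrg'
$container = 'hold'
$blobName  = 'evidence.txt'

$sa  = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$ctx = $sa.Context   # account-key context, acceptable for an interactive admin session

New-AzStorageContainer -Name $container -Context $ctx -Permission Off | Out-Null

# Constructed sample file to place under the policy.
$tmp = Join-Path ([IO.Path]::GetTempPath()) $blobName
'constructed sample content' | Set-Content -Path $tmp
Set-AzStorageBlobContent -File $tmp -Container $container -Blob $blobName -Context $ctx | Out-Null

# Time-based retention of 5 days. The policy starts unlocked: an administrator can
# still shorten or remove it until it is locked.
Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $saName -ContainerName $container `
    -ImmutabilityPeriod 5 | Out-Null

# Verify the policy is in place.
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $saName -ContainerName $container
$policy | Select-Object ImmutabilityPeriodSinceCreationInDays, State

# Deletion must now fail while the retention period is in effect.
try {
    Remove-AzStorageBlob -Container $container -Blob $blobName -Context $ctx -Force -ErrorAction Stop
    Write-Warning 'Blob was deleted; the policy is not in effect.'
} catch {
    Write-Host "Delete blocked as expected: $($_.Exception.Message)"
}

# To make the retention period tamper-proof (afterwards it can only be extended), lock it:
# Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg -StorageAccountName $saName `
#     -ContainerName $container -Etag $policy.Etag -Force
```

The lock command is left commented out on purpose: a locked policy cannot be removed, and the blobs cannot be deleted until the period expires, so run it only once the retention period is the one you actually want.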

Step 5: Configure Encryption Scope

💡 Why encryption scopes?
They allow applying specific encryption settings (e.g. infrastructure encryption) at the container or blob level.

Steps

  1. In your storage account → Encryption → Encryption scopes → + Add.
  2. Give it a name, choose Microsoft-managed key, enable Infrastructure encryption.

  3. Create a new container and apply this encryption scope to all blobs within.
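The Step 5 procedure scripted with the Az PowerShell module, with a check that blobs really land under the scope. This is an added example, not code from the original post; it assumes the storage account from Step 1 exists, and the scope name, container name and sample blob are constructed values.

```powershell
# Added example (not from the original post): Step 5 with the Az PowerShell module.
# Assumes the Step 1 storage account exists. Scope and container names are assumed values.
$rg        = 'rg-alpha'
$saName    = 'ibrahimstrg'
$scopeName = 'scope-infra'
$container = 'scoped'

# Encryption scope with a Microsoft-managed key and infrastructure (double) encryption.
New-AzStorageEncryptionScope -ResourceGroupName $rg -StorageAccountName $saName `
    -EncryptionScopeName $scopeName -StorageEncryption -RequireInfrastructureEncryption | Out-Null

# Container that uses the scope by default. PreventEncryptionScopeOverride forces every
# blob written to it to use this scope, so a client cannot pick a different one per blob.
New-AzRmStorageContainer -ResourceGroupName $rg -StorageAccountName $saName `
    -Name $container -DefaultEncryptionScope $scopeName `
    -PreventEncryptionScopeOverride $true | Out-Null

# Verify: upload a constructed blob and read back the scope stamped on it.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Context
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'scoped.txt'
'constructed sample content' | Set-Content -Path $tmp
Set-AzStorageBlobContent -File $tmp -Container $container -Blob 'scoped.txt' -Context $ctx | Out-Null
(Get-AzStorageBlob -Container $container -Blob 'scoped.txt' -Context $ctx).BlobProperties.EncryptionScope
```

The last line should print the scope name; if it prints the account default instead, the container was created without the default scope and the blobs are not getting the extra encryption layer.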

Cleanup Resources

If this is only for practice, clean up to avoid costs:

  • Azure Portal: Delete the resource group.


  • PowerShell:
    Remove-AzResourceGroup -Name resourceGroupName
  • CLI:
    az group delete --name resourceGroupName

Conclusion

In this project, you’ve learned how to:

  • Create a storage account and managed identity.
  • Secure storage with Key Vault and customer-managed keys.
  • Apply immutable blob storage and encryption scopes.

These steps are essential for protecting sensitive data in the cloud. By combining RBAC, managed identities, and encryption, you ensure your app’s storage is both secure and compliant.

🔐 With this workflow, your storage account isn’t just functional — it’s locked down by design.
