Introduction
In modern applications, secure data storage is non-negotiable. Developers must ensure that storage accounts are protected from unauthorized access, accessed only through approved identities, and encrypted with customer-managed keys. With role-based access control (RBAC), managed identities, and immutable storage, Azure makes this possible.
In this hands-on guide, we’ll cover how to:
- Create a storage account and managed identity.
- Secure access with a Key Vault and customer-managed keys.
- Configure encryption scopes for additional protection.
- Apply time-based retention policies for immutable blob storage.
By the end, you’ll know how to ensure your storage account is accessible only through secure channels, a critical step in protecting sensitive application data.
Skilling Objectives
You will learn to:
- Create a storage account with encryption.
- Assign a managed identity with RBAC.
- Secure keys in Azure Key Vault and configure customer-managed keys.
- Enable immutable blob storage with retention policies.
- Apply an encryption scope for stronger infrastructure encryption.
Step 1: Create the Storage Account & Managed Identity
💡 Why start here?
A storage account is the foundation for storing data in Azure, while a managed identity provides secure, passwordless access for your app.
Create the Storage Account
- In the Azure Portal, search for Storage accounts → + Create.
- Create a new Resource group (e.g. rg-alpha).
- On the Encryption tab, check Enable infrastructure encryption (this can’t be changed later).
Create the Managed Identity
- Create a user-assigned managed identity: select your resource group and provide a name (e.g. IbrahimIdentities).
Assign Permissions
- Open your storage account → Access Control (IAM).
- Under Members, choose Managed identity → User-assigned managed identity.
✅ The managed identity now has secure access to the storage account.
Step 2: Secure Access with Key Vault
💡 Why use Key Vault?
Instead of embedding keys in code or configs, Key Vault keeps them secure, centralized, and managed with RBAC.
Assign Yourself Key Vault Permissions
- In your resource group → Access Control (IAM), assign yourself a Key Vault role so you can create keys.
Create a Key Vault
- Select your resource group and provide a unique name (e.g. ConsoleKey).
- Under Access configuration, select Azure role-based access control (recommended).
Generate a Customer-Managed Key
- In the Key Vault, open Objects → Keys and generate a new key.
Step 3: Configure Storage with Customer-Managed Key
💡 Why customer-managed keys?
They give you full control over encryption, helping with compliance and governance requirements.
Give the Managed Identity Key Access
- In your resource group → Access Control (IAM).
- Assign the Key Vault Crypto Service Encryption User role to your managed identity.
Configure Storage to Use the Key
- Open your storage account → Security + networking → Encryption.
- Under Encryption type, choose Customer-managed keys and select the key you created in your Key Vault.
- Ensure Identity type = User-assigned → select your managed identity → Save.
⏳ If you see a permission error, the role assignment has probably not propagated yet: wait 1–2 minutes and retry.
Step 4: Apply Immutable Blob Storage with Retention Policy
💡 What is immutable storage?
It ensures data can’t be modified or deleted even by administrators for a defined retention period.
Steps
- In your storage account → Containers → + Container, create one named hold.
- Upload a file to the container.
- Under Access policy → + Add policy → select Time-based retention and set a retention period.
✅ Try deleting the file — you’ll be blocked due to the policy.
Step 5: Configure Encryption Scope
💡 Why encryption scopes?
They allow applying specific encryption settings (e.g. infrastructure encryption) at the container or blob level.
Steps
- In your storage account → Encryption → Encryption scopes → + Add.
- Give it a name, choose Microsoft-managed key, and enable Infrastructure encryption.
- Create a new container and apply this encryption scope to all blobs within.
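The five steps above as az CLI calls, added here as an example and not part of the original guide. rg-alpha, IbrahimIdentities, ConsoleKey and hold are the guide's names; the storage account name, key name, scope name, region, retention period and the role granted to the identity on the storage account are assumptions. Setting AZ=echo prints each command instead of running it, which is useful for reviewing the calls before touching a subscription.

```shell
# Added example, not from the guide: its portal steps as az CLI calls. rg-alpha,
# IbrahimIdentities, ConsoleKey and hold are the guide's names; all other values
# are placeholders. AZ=echo prints the commands instead of running them.
set -eu
AZ="${AZ:-az}"
# Step 1: account with infrastructure encryption (fixed at create time) + identity.
create_storage_and_identity() { # $1 account, $2 identity, $3 rg, $4 location
  $AZ storage account create --name "$1" --resource-group "$3" --location "$4" \
    --kind StorageV2 --sku Standard_LRS --require-infrastructure-encryption true \
    --https-only true --min-tls-version TLS1_2 --allow-blob-public-access false
  $AZ identity create --name "$2" --resource-group "$3"
}
grant_blob_access() { # $1 identity principalId, $2 storage account resource id
  # The role is an assumption; the guide does not name the one it assigns.
  $AZ role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" --scope "$2"
}
# Step 2: vault using Azure RBAC; purge protection is required for storage CMK.
create_vault_and_key() { # $1 vault, $2 key name, $3 rg, $4 location
  $AZ keyvault create --name "$1" --resource-group "$3" --location "$4" \
    --enable-rbac-authorization true --enable-purge-protection true
  $AZ keyvault key create --vault-name "$1" --name "$2" --kty RSA --size 2048
}
# Step 3: let the identity unwrap the key, then point the account at that key.
configure_cmk() { # $1 account, $2 rg, $3 identity principalId, $4 vault resource id,
                  # $5 vault URI, $6 key name, $7 identity resource id
  $AZ role assignment create --assignee-object-id "$3" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" --scope "$4"
  # No --encryption-key-version, so the account follows new key versions.
  $AZ storage account update --name "$1" --resource-group "$2" \
    --encryption-key-source Microsoft.Keyvault --encryption-key-vault "$5" \
    --encryption-key-name "$6" --identity-type UserAssigned \
    --user-identity-id "$7" --key-vault-user-identity-id "$7"
}
# Step 4: container whose blobs cannot be changed or deleted for $4 days.
create_immutable_container() { # $1 account, $2 rg, $3 container, $4 retention days
  $AZ storage container create --name "$3" --account-name "$1"
  $AZ storage container immutability-policy create --account-name "$1" \
    --resource-group "$2" --container-name "$3" --period "$4"
}
# Step 5: scope with infrastructure encryption, enforced on every blob in $4.
create_scoped_container() { # $1 account, $2 rg, $3 scope, $4 container
  $AZ storage account encryption-scope create --account-name "$1" \
    --resource-group "$2" --name "$3" --key-source Microsoft.Storage \
    --require-infrastructure-encryption true
  $AZ storage container create --name "$4" --account-name "$1" \
    --default-encryption-scope "$3" --prevent-encryption-scope-override true
}
```

The identity's principalId and resource id come from `az identity show --query principalId` and `--query id`, and the vault's resource id and URI from `az keyvault show --query id` and `--query properties.vaultUri`.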
Cleanup Resources
If this is only for practice, clean up to avoid costs:
- Azure Portal: Delete the resource group.
- PowerShell:
Remove-AzResourceGroup -Name resourceGroupName
- CLI:
az group delete --name resourceGroupName
Conclusion
In this project, you’ve learned how to:
- Create a storage account and managed identity.
- Secure storage with Key Vault and customer-managed keys.
- Apply immutable blob storage and encryption scopes.
These steps are essential for protecting sensitive data in the cloud. By combining RBAC, managed identities, and encryption, you ensure your app’s storage is both secure and compliant.
🔐 With this workflow, your storage account isn’t just functional — it’s locked down by design.