Provision of private storage for internal company documents

Introduction

In today’s digital landscape, securing sensitive corporate data is a critical responsibility for every organization. Businesses require storage solutions that not only protect confidential documents from unauthorized access but also ensure high availability and disaster recovery in the event of regional outages. Microsoft provides powerful cloud storage capabilities through Azure Storage Account, enabling organizations to build scalable, secure, and resilient storage infrastructures.

In this guide, I will walk through the step-by-step process of provisioning private storage for internal company documents using Azure Storage Accounts. The tutorial covers configuring geo-redundant storage (GRS) for high availability, creating secure private containers, generating Shared Access Signatures (SAS) for controlled external collaboration, implementing lifecycle management policies to optimize storage costs, and configuring object replication for backup and business continuity. By the end of this project, you will have a secure and enterprise-ready storage solution tailored for corporate document management.

Create a storage account for the internal private company documents.

• In the portal, search for and select Storage accounts.

• Select + Create.

• Select the Resource group created in the previous lab.

• Set the Storage account name to privatestrg001. Add an identifier to the name to ensure the name is unique.

• Select Review, and then Create the storage account.

• Wait for the storage account to deploy, and then select Go to resource.

This storage requires high availability if there’s a regional outage. Read access in the secondary region is not required. Configure the appropriate level of redundancy.

• In the storage account, in the Data management section, select the Redundancy blade.

• Ensure Geo-redundant storage (GRS) is selected.

• Be sure to save and click refresh to ensure that it is saved

• Review the primary and secondary location information.

Create a storage container, upload a file, and restrict access to the file.

• In the storage account, in the Data storage section, select the Containers blade.

• Select + Container.

• Ensure the Name of the container is private.

• Ensure the Public access level is Private (no anonymous access).

• As you have time, review the Advanced settings, but take the defaults.

• Select Create.

For testing, upload a file to the private container. The type of file doesn’t matter. A small image or text file is a good choice. Test to ensure the file isn’t publically accessible.

• Select the container.

• Select Upload.

• Browse to files and select a file.

• Upload the file.

• Select the uploaded file.

• On the Overview tab, copy the URL.

• Paste the URL into a new browser tab.

• Verify the file doesn’t display and you receive an error.

An external partner requires read and write access to the file for at least the next 24 hours. Configure and test a shared access signature (SAS).

• Select your uploaded blob file and move to the Generate SAS tab.

• In the Permissions drop-down, ensure the partner has only Read permissions.

• Verify the Start and expiry date/time is for the next 24 hours.

• Select Generate SAS token and URL.

• Copy the Blob SAS URL to a new browser tab.

• Verify you can access the file. If you have uploaded an image file it will display in the browser.

To save on costs, after 30 days, move blobs from the hot tier to the cool tier.

• Return to the storage account.

• In the Overview section, notice the Default access tier is set to Hot.

• In the Data management section, select the Lifecycle management blade.

• Select Add rule.

• Set the Rule name to movetocool.

• Set the Rule scope to Apply rule to all blobs in the storage account.

• Select Next.

• Ensure Last modified is selected.

• Set More than (days ago) to 30.

• In the Then drop-down select Move to cool storage.

• As you have time, review other lifecycle options in the drop-down.

• Add the rule.

The public website files need to be backed up to another storage account.

• In your storage account, create a new container called backup. Use the default values.

• Navigate to your fragnantstrg storage account.

• In the Data management section, select the Object replication blade.

• Select Create replication rules.

• Set the Destination storage account to the private storage account.

• Set the Source container to public and the Destination container to backup.

• Create the replication rule.

• Optionally, as you have time, upload a file to the public container. Return to the private storage account and refresh the backup container. Within a few minutes your public website file will appear in the backup folder.

Conclusion

Provisioning secure and highly available storage is an essential part of modern cloud infrastructure management. In this project, we successfully configured a private Azure Storage Account with geo-redundant storage to ensure resilience during regional outages, secured sensitive corporate files through private container access, and implemented Shared Access Signatures (SAS) to enable temporary and controlled external collaboration.

Additionally, we optimized long-term storage costs by configuring lifecycle management policies to automatically transition blobs from the hot tier to the cool tier after 30 days. Finally, we enhanced data protection and business continuity by setting up object replication between storage accounts for automated backup of public website content.

This hands-on implementation demonstrates how Microsoft cloud storage solutions can help organizations maintain security, scalability, availability, and operational efficiency while managing critical internal documents in the cloud.