Configuring Access Control for Storage Accounts
Microsoft Azure offers a wide range of options to secure and protect your data, regardless of the format. Whether you're dealing with documents, SQL databases or big data, there are multiple solutions ranging from authentication to virtual networks.
In this course, we will cover the protection of your data from external and internal threats, whether those threats be malicious or accidental. We will see how good design combined with the right configuration can secure your organization's most precious asset: its data.

Learning Objectives

  • Configure security policies to classify, protect, and manage data
  • Configure data retention for storage and databases
  • Set up Azure SQL security features and auditing
  • Learn how to configure storage account security and access
  • Learn how to secure HDInsight clusters
  • Configure Cosmos DB security
  • Configure Data Lake security
  • Learn good design features of an Azure application
  • See how Azure App Services can secure your app
  • See how a governance policy can help formalize security requirements

Intended Audience

  • People preparing for Microsoft’s AZ-500 exam
  • System administrators
  • App developers

Prerequisites

  • Experience with Microsoft Azure
  • Experience with Office 365
  • Basic knowledge of computer security principles
  • Basic networking knowledge
Azure controls access to resources, such as storage and queues, using role-based access control (RBAC). An Azure AD security principal, which can be a user, a group, an application service principal, or a managed identity for Azure resources, can be granted access to resources at the level of a subscription, a resource group, a storage account, or an individual container or queue. Before assigning a role to a user or group, you need to determine the scope of access required. Grant only the narrowest scope that covers what the principal actually needs; anything broader is unnecessary privilege.

Starting with the narrowest, the levels of scope are:

An individual container: at this scope, a role assignment applies to all of the blobs in the container as well as container properties and metadata. 

An individual queue: at this scope, a role assignment applies to messages in the queue as well as queue properties and metadata. 

The storage account: at this scope, a role assignment applies to all containers and their blobs or to all queues and their messages. 

The resource group: at this scope, a role assignment applies to all of the containers or queues, and all of the storage accounts in the resource group.

The subscription: at this scope, a role assignment applies to all of the containers or queues, and all of the storage accounts and all the resource groups in the subscription.
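The scope levels above form a strict hierarchy: an assignment made at a parent scope is inherited by every resource beneath it, which is why the narrowest scope is the least-privilege choice. The following Python is an added example, not part of the course or of any Microsoft SDK; it builds Azure Resource Manager scope IDs for each level (the subscription ID, resource group, account, container and queue names are constructed placeholders), checks which role assignments apply to a given resource, and works out the narrowest single scope that still covers a set of resources a principal needs. Management groups and other intermediate scopes are deliberately not modelled.

```python
"""Scope hierarchy for Azure Storage RBAC (added example, not course or SDK code).

Builds ARM scope IDs for the five levels the course lists, evaluates which role
assignments apply to a resource via scope inheritance, and finds the narrowest
scope that covers a set of resources (the least-privilege assignment target).
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample identifiers; these are assumptions, not values from the page.
SUB = "00000000-0000-0000-0000-000000000000"
RG = "rg-data"
ACCOUNT = "stcontoso"


def subscription_scope(sub: str) -> str:
    return f"/subscriptions/{sub}"


def resource_group_scope(sub: str, rg: str) -> str:
    return f"{subscription_scope(sub)}/resourceGroups/{rg}"


def storage_account_scope(sub: str, rg: str, account: str) -> str:
    return (f"{resource_group_scope(sub, rg)}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}")


def container_scope(sub: str, rg: str, account: str, container: str) -> str:
    return f"{storage_account_scope(sub, rg, account)}/blobServices/default/containers/{container}"


def queue_scope(sub: str, rg: str, account: str, queue: str) -> str:
    return f"{storage_account_scope(sub, rg, account)}/queueServices/default/queues/{queue}"


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str


def scope_covers(scope: str, resource_id: str) -> bool:
    """True when the assignment scope is the resource itself or one of its ancestors.

    ARM resource IDs are compared case-insensitively; the trailing '/' guard stops
    'storageAccounts/st' from matching 'storageAccounts/stcontoso'.
    """
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def effective_roles(assignments: Iterable[RoleAssignment],
                    principal: str, resource_id: str) -> Set[str]:
    """Roles a principal holds on a resource, including those inherited from parent scopes."""
    return {a.role for a in assignments
            if a.principal == principal and scope_covers(a.scope, resource_id)}


# Segment counts at which a scope ID may legitimately end in this model:
# subscriptions/{id} (2), resourceGroups/{name} (4), storageAccounts/{name} (8),
# containers/{name} or queues/{name} (12). Intermediate paths are not assignable scopes.
ASSIGNABLE_DEPTHS = (2, 4, 8, 12)


def narrowest_common_scope(resource_ids: List[str]) -> str:
    """Narrowest single scope whose assignment would cover every listed resource."""
    split = [r.strip("/").split("/") for r in resource_ids]
    common: List[str] = []
    for column in zip(*split):
        if all(seg.lower() == column[0].lower() for seg in column):
            common.append(column[0])
        else:
            break
    depth = max((d for d in ASSIGNABLE_DEPTHS if d <= len(common)), default=0)
    if depth == 0:
        raise ValueError("resources are not in the same subscription")
    return "/" + "/".join(common[:depth])


# Constructed sample assignments using built-in Azure role names.
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("reader@contoso.example", "Storage Blob Data Reader",
                   container_scope(SUB, RG, ACCOUNT, "logs")),
    RoleAssignment("ops-team", "Storage Blob Data Contributor",
                   resource_group_scope(SUB, RG)),
    RoleAssignment("queue-app", "Storage Queue Data Message Processor",
                   queue_scope(SUB, RG, ACCOUNT, "orders")),
]

if __name__ == "__main__":
    backups = container_scope(SUB, RG, ACCOUNT, "backups")
    for who in ("reader@contoso.example", "ops-team", "queue-app"):
        print(who, "->", effective_roles(SAMPLE_ASSIGNMENTS, who, backups) or "no access")
    needed = [container_scope(SUB, RG, ACCOUNT, "logs"), backups]
    print("narrowest scope for logs+backups:", narrowest_common_scope(needed))
```

Running the script shows that the resource-group assignment for `ops-team` reaches the `backups` container by inheritance while the container-scoped reader does not, and that a principal needing two containers in one account is best served by one assignment at the storage account rather than one at the resource group.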

To assign a role on a storage account, select the storage account, then select Access control and click the Add button under Add a role assignment. Within Add role assignment, select a role from the drop-down list, select the user or group you want to assign the role to, then click Save. Under Role assignments you can review which roles have been assigned to which users and groups at this scope.

About the Author

Hallam is a software architect with over 20 years of experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality, reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.