Access Keys
Start course

Securing Azure Storage starts with an overview outlining the various authentication and authorization methods available to access Azure storage resources. We then look at each method, examining its benefits and disadvantages. Setting up access to storage resources using account keys and the various shared access signature variants demonstrates the practical implications and use cases of each access method. The course ends with a look at implementing Azure files as a mapped drive within an Azure virtual machine.

Learning Objectives

  • Overview of Azure account storage authentication and access
  • Create an account key rotation policy
  • See how to integrate storage account keys with Azure Key Vault
  • Implement Shared Access Signatures
  • Map a virtual machine drive to an Azure file share

Intended Audience

  • Students working towards the AZ-500: Microsoft Azure Security Technologies exam
  • Those wanting to learn how to secure an Azure storage account


  • Be familiar with Active Directory concepts such as managed identities and role-based access control, Azure Key Vault, and the basics of Azure storage resources

Access keys consist of two 512-bit keys that are generated when the account is created. These keys give unlimited access to all resources within the storage account, making them equivalent to a global admin. Naturally, the widespread use of access keys violates the principle of least privileged access and should be avoided. The keys can be rotated within the storage account, and using only one key at a time with applications is recommended to reduce administrative overhead when rotating keys. You can set a key expiration policy reminding you to rotate the keys manually. The reminder is in the form of a notification banner, so not what I'd describe as a fail-safe. Take note that you may need to rotate both access keys at least once before creating the policy.

To avoid missing the rotation reminder, you can set up an Azure policy to check for violations of the expiration policy. Go to or search for policy on the portal's home page. Once in policy, click assignments under authoring, and then assign policy. In assign policy, click the more button at the end of the scope field, select the storage account's resource group from the resource group drop-down list, and hit the select button. Now we select the pre-defined policy definition by clicking the more button at the end of the policy definition field and typing storage account keys into the search field in the available definitions pane. With Storage account keys should not be expired highlighted; click the select button. That's it. Now create the policy. With the policy in place, set up the necessary alerts.

If all of this seems too involved, you can use Azure key vault to manage the storage account keys and implement automatic key rotation, bearing in mind that not all connected applications and services support automated key rotation. Integrating a storage account with Azure Key Vault can be done using PowerShell scripts. After connecting to your Azure account, select the subscription you want to work with using Set-AzContext with the appropriate subscription Id. Next, we need to prepare variables holding key - excuse the pun - information. The resource group name, the storage account name, the key vault name, the id of the key vault app, and which storage account key you're integrating. Next, we get our user id from the connection context and the storage account with Get-AzStorageAccount. We give the key vault access to the storage account with the New-AzRoleAssignment command, specifying the storage account key operator service role. 

Use the Set-AzKeyVaultAccessPolicy command to allow your user account to manage storage accounts, specifying the vault name, the user, and storage permissions. Next, we add the storage account to the key vault with Add-AzKeyVaultManagedStorageAccount. The parameters are the vault name, the storage account name, the storage account id, and the key we're integrating. Disable auto regenerate key prevents the key from being regenerated during the integration process. If you want the key vault to manage key regeneration, you can use the same command, replacing disable auto regenerate key with regeneration period, specifying the number of days. 

While it's good to have Azure key vault manage the storage account keys, access keys aren't the preferred authentication method due to their global permissions, the potential for misuse, and being compromised.

About the Author
Learning Paths

Hallam is a software architect with over 20 years experience across a wide range of industries. He began his software career as a  Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.