Azure Files Authentication for SMB Access
Difficulty: Intermediate
Duration: 30m
Students: 330
Ratings: 4.3/5
Description

Securing Azure Storage starts with an overview outlining the various authentication and authorization methods available to access Azure storage resources. We then look at each method, examining its benefits and disadvantages. Setting up access to storage resources using account keys and the various shared access signature variants demonstrates the practical implications and use cases of each access method. The course ends with a look at implementing Azure Files as a mapped drive within an Azure virtual machine.

Learning Objectives

  • Overview of Azure account storage authentication and access
  • Create an account key rotation policy
  • See how to integrate storage account keys with Azure Key Vault
  • Implement Shared Access Signatures
  • Map a virtual machine drive to an Azure file share

Intended Audience

  • Students working towards the AZ-500: Microsoft Azure Security Technologies exam
  • Those wanting to learn how to secure an Azure storage account

Prerequisites

  • Be familiar with Active Directory concepts such as managed identities and role-based access control, Azure Key Vault, and the basics of Azure storage resources
Transcript

Azure Files is a cloud version of a Windows file share that can replace on-premises file servers. Azure Files is offered in three variants. Two standard variants use hard disk drives, one supporting local and zone redundancy and the other supporting geo-redundancy. The third is a premium variant utilizing SSDs with local and zone redundancy.

You might use Azure Files as an initial step in a full cloud migration or as part of a backup and disaster recovery plan. In any case, users will need to be authenticated and authorized to access the files just as they would in an on-premises scenario. The following authentication options are predicated on accessing files using SMB (Server Message Block), as NFS (Network File System) doesn't support identity-based authentication.

Depending on your infrastructure architecture and whether you are migrating from on-premises to Azure, there are three main identity provider scenarios, plus one using a storage account key.

Azure storage accounts can be domain joined to on-premises Active Directory Domain Services (AD DS) just as you would a Windows file server or a NAS device. Having said that, the customer-owned domain controller can be deployed anywhere, such as a cloud-based VM in Azure or with some other provider. If you're in the process of migrating from on-premises to the cloud, or you want to mimic Windows file server or NAS functionality with Azure file shares, Microsoft recommends joining your Azure storage account to your customer-owned AD DS.

Using Azure Active Directory Domain Services (Azure AD DS) provides fundamentally similar functionality to customer-owned AD DS as far as storage accounts are concerned, but with the benefit of a domain controller that can be used with Azure resources. If you want to perform a lift-and-shift application migration to Azure, this is the recommended setup, enabling both application and storage authentication.

If your organization is using hybrid user identities, that is, on-premises AD users that are synced with Azure AD, you'll need to authenticate with Azure AD Kerberos. Users don't need line of sight to a domain controller but can use a token, such as a Kerberos ticket issued by Azure AD, to access Azure file shares over SMB.

While you can use a storage account key to mount an Azure file share, it is not identity-based authentication and has a serious drawback in terms of access control: there is none. The storage account name is used as the username and the account key as the password. This method of authorization gives whoever mounts the share full permissions on all files and folders contained within, overriding individual file/folder access attributes, so it is not ideal. The NTLMv2 protocol is used when authenticating over SMB in this scenario.

Identity-based authentication excludes machine or computer accounts that can't be associated with an Azure AD identity.
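The following PowerShell is an added example, not code from the course or from Microsoft. It first audits every storage account the signed-in user can see and reports which directory service (if any) is configured for Azure Files identity-based authentication, flagging accounts where SMB clients can only fall back to the account key. It then maps a drive using the storage account key in the way the transcript describes: account name as username, key as password. It assumes the Az PowerShell module is installed and `Connect-AzAccount` has been run on a Windows VM with outbound TCP 445; the resource group, storage account, and share names are placeholders.

```powershell
# Added example (not from the course or from Microsoft documentation).
# Assumes: Az module installed, Connect-AzAccount already run, Windows host.
# Placeholder names; replace with your own.
$resourceGroup = 'rg-files-demo'
$accountName   = 'stfilesdemo001'
$shareName     = 'share01'
$driveLetter   = 'Z'

# 1. Audit: which identity provider is configured for Azure Files on each account?
#    DirectoryServiceOptions is None, AD (customer-owned AD DS), AADDS (Azure AD DS)
#    or AADKERB (Azure AD Kerberos for hybrid identities).
function Get-AzureFilesAuthReport {
    Get-AzStorageAccount | ForEach-Object {
        $opt = $_.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
        if (-not $opt) { $opt = 'None' }
        [pscustomobject]@{
            StorageAccount    = $_.StorageAccountName
            ResourceGroup     = $_.ResourceGroupName
            IdentityBasedAuth = $opt
            # With no directory service, SMB access relies on the account key,
            # which grants full share-level access and ignores per-file ACLs.
            KeyOnlyAccess     = ($opt -eq 'None')
        }
    }
}

Get-AzureFilesAuthReport | Format-Table -AutoSize

# 2. Mount with the account key (full permissions, NTLMv2 over SMB).
#    Fetch the key at run time rather than embedding it in the script.
$key  = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $accountName)[0].Value
$fqdn = "$accountName.file.core.windows.net"

# SMB needs TCP 445; many ISPs and network security groups block it outbound.
if (-not (Test-NetConnection -ComputerName $fqdn -Port 445).TcpTestSucceeded) {
    throw "TCP 445 to $fqdn is blocked; the share cannot be mounted over SMB."
}

# Username is the storage account name (qualified with localhost\),
# password is the account key, exactly as the transcript describes.
$secureKey  = ConvertTo-SecureString $key -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential("localhost\$accountName", $secureKey)

New-PSDrive -Name $driveLetter -PSProvider FileSystem `
            -Root "\\$fqdn\$shareName" -Credential $credential -Persist

# 3. To remove the mapping when finished:
# Remove-PSDrive -Name $driveLetter
```

Rotating the storage account key (`New-AzStorageAccountKey`) invalidates every drive mapped this way, which is one reason the course treats a key rotation policy and identity-based authentication as the preferred controls rather than long-lived key mounts.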

About the Author

Hallam is a software architect with over 20 years of experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality, reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.