The course is part of this learning path


Securing Azure Storage starts with an overview outlining the various authentication and authorization methods available to access Azure storage resources. We then look at each method, examining its benefits and disadvantages. Setting up access to storage resources using account keys and the various shared access signature variants demonstrates the practical implications and use cases of each access method. The course ends with a look at implementing Azure files as a mapped drive within an Azure virtual machine.

Learning Objectives

  • Overview of Azure account storage authentication and access
  • Create an account key rotation policy
  • See how to integrate storage account keys with Azure Key Vault
  • Implement Shared Access Signatures
  • Map a virtual machine drive to an Azure file share

Intended Audience

  • Students working towards the AZ-500: Microsoft Azure Security Technologies exam
  • Those wanting to learn how to secure an Azure storage account


  • Be familiar with Active Directory concepts such as managed identities and role-based access control, Azure Key Vault, and the basics of Azure storage resources

You can think of an Azure storage account as an administrative envelope encompassing blob containers, file shares, queues, and tables. Like other Azure resources, access happens in either the control or management plane and the data plane. Typically, users access a storage account through the control plane to administer its resources, while applications and services go through the data plane to access the resources' contents. These two modes aren't mutually exclusive, as users can write and read data, and applications can perform some administrative functions. Unless I state otherwise, the authentication and authorization methods discussed here apply to both users, applications, and services. 

There are three methods to authenticate and authorize a storage account, irrespective of going through the control or data plane. Access keys, shared access signatures, and role-based access control form a hierarchy. Access keys are analogous to an admin account with global access to all resources in the storage account through to shared access signatures and RBAC allowing permissions to be set on individual objects. Access keys and shared access signatures take a "set and forget" approach in that you give out a key for users and applications to access storage resources. The key or signature is entirely self-contained, specifying authentication and authorization information. Revoking access is problematic for both of these methods. On the other hand, RBAC enables easy ongoing permission management while offering a high level of permission control. All these methods have pros and cons that we'll discuss, but spoiler alert – RBAC is Microsoft's preferred option.

About the Author
Learning Paths

Hallam is a software architect with over 20 years experience across a wide range of industries. He began his software career as a  Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.