Last updated: May 2026

Storage Account Security

Azure Storage is secure by default — encrypted at rest, encrypted in transit, private access only. But "secure by default" is just the baseline. Production storage accounts need additional layers: network restrictions, proper authentication, key rotation policies, and threat detection. This page covers every security layer available for Azure Storage accounts.

What you'll learn: Storage account access keys and their risks · Azure AD authentication (recommended) · Storage firewall and virtual network rules · Private endpoints · Encryption at rest — Microsoft-managed vs customer-managed keys · Secure transfer (HTTPS enforcement) · Microsoft Defender for Storage · Key rotation

Access Keys

Every storage account has two 512-bit access keys (key1 and key2). These give full unrestricted access to everything in the storage account — all services, all containers, all data. Anyone with an access key can read, write, and delete everything.

⚠️ Access Keys Are Extremely Sensitive
Treat storage account access keys like root passwords. Never commit them to source code, never include them in client-side applications, never share them unnecessarily. Use Azure AD authentication or SAS tokens instead.

Two keys exist so you can rotate one at a time without downtime — update your applications to use key2, then rotate key1, then switch back to key1, then rotate key2.

Azure CLI: Get and rotate storage account keys
# List storage account keys
az storage account keys list \
  --account-name mystorageaccount2026 \
  --resource-group myResourceGroup

# Rotate key1
az storage account keys renew \
  --account-name mystorageaccount2026 \
  --resource-group myResourceGroup \
  --key key1

Azure AD Authentication

Azure AD is the recommended authentication method. Instead of using storage account keys, use Azure AD identities (users, service principals, managed identities) with RBAC roles:

Role | Access level
Storage Blob Data Owner | Full access including ACL management
Storage Blob Data Contributor | Read, write, delete blobs
Storage Blob Data Reader | Read blobs only
Storage Queue Data Contributor | Read, write, delete queue messages
Storage Table Data Contributor | Read, write, delete table entities

💡 Disable Access Keys for Tightest Security
You can disable access key authentication entirely on a storage account — forcing all access to use Azure AD. This is the most secure configuration for sensitive data.

Storage Firewall and Network Rules

By default, storage accounts accept connections from all networks. The storage firewall lets you restrict access to specific networks:

Firewall Options

  • Allow all networks — Default; accessible from anywhere on the internet
  • Selected networks — Only specific VNets and IP ranges
  • Disabled (private endpoint only) — No public internet access at all

Azure CLI: Restrict storage account to specific IPs and VNet
# Deny all public access by default
az storage account update \
  --name mystorageaccount2026 \
  --resource-group myResourceGroup \
  --default-action Deny

# Allow a specific IP range
az storage account network-rule add \
  --account-name mystorageaccount2026 \
  --resource-group myResourceGroup \
  --ip-address 203.0.113.0/24

# Allow a specific VNet subnet
az storage account network-rule add \
  --account-name mystorageaccount2026 \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --subnet mySubnet

ℹ️ Trusted Microsoft Services
When you enable the firewall, some Azure services (like Azure Backup, Azure Monitor) may lose access. Enable "Allow trusted Microsoft services to access this storage account" to maintain access for these services.
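To see how the three firewall switches combine, here is an added example (not code from the page or from Microsoft) that evaluates a request against a network rule set the way the storage firewall's documented behaviour describes. The rule-set dict mirrors the `networkRuleSet` block that `az storage account show` prints; the property names `defaultAction`, `ipRules`, `virtualNetworkRules` and `bypass` and their values are assumed to match the ARM resource, and `<subscription-id>` is a placeholder.

```python
"""Evaluate a storage account network rule set the way the storage firewall does.

Added example, not from the page or from Microsoft.  The evaluation order is this
example's reading of the documented behaviour: "Allow all networks" short-circuits;
otherwise a request must come from a trusted Microsoft service (with the
AzureServices bypass on), from an allowed VNet subnet, or from an allowed public IP.
"""
import ipaddress

# Constructed sample matching the CLI commands above: deny by default, allow one
# public /24 and one subnet, and let trusted Microsoft services through.
SAMPLE_RULE_SET = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
    "virtualNetworkRules": [{
        "action": "Allow",
        # <subscription-id> is a placeholder, not a real subscription.
        "virtualNetworkResourceId": (
            "/subscriptions/<subscription-id>/resourceGroups/myResourceGroup"
            "/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/mySubnet"
        ),
    }],
}


def bypass_set(rule_set):
    """Parse the comma-separated `bypass` string ("Logging, AzureServices") into a set."""
    raw = rule_set.get("bypass") or "None"
    return {item.strip() for item in raw.split(",") if item.strip()}


def ip_allowed(rule_set, client_ip):
    """True if the caller's public IP falls inside an Allow ipRule (single IP or CIDR).
    IP rules only match public source addresses; VNet traffic is matched by subnet rule."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rule_set.get("ipRules") or []:
        if rule.get("action", "Allow") != "Allow":
            continue
        if addr in ipaddress.ip_network(rule["ipAddressOrRange"], strict=False):
            return True
    return False


def subnet_allowed(rule_set, subnet_id):
    """True if the caller's subnet resource ID matches an Allow virtualNetworkRule.
    ARM resource IDs are case-insensitive, so compare lower-cased."""
    wanted = subnet_id.lower()
    return any(
        rule.get("action", "Allow") == "Allow"
        and rule["virtualNetworkResourceId"].lower() == wanted
        for rule in rule_set.get("virtualNetworkRules") or []
    )


def is_request_allowed(rule_set, client_ip=None, subnet_id=None, trusted_service=False):
    """Decide whether a request reaches the account through its public endpoint.

    client_ip       public IP the request arrives from (None if unknown)
    subnet_id       resource ID of the caller's VNet subnet (None if not from a VNet)
    trusted_service True when the caller is a trusted Microsoft service (e.g. Backup)
    """
    if rule_set.get("defaultAction", "Allow") == "Allow":
        return True                      # "Allow all networks": nothing else is consulted
    if trusted_service and "AzureServices" in bypass_set(rule_set):
        return True                      # the "Allow trusted Microsoft services" switch
    if subnet_id and subnet_allowed(rule_set, subnet_id):
        return True
    if client_ip and ip_allowed(rule_set, client_ip):
        return True
    return False                         # defaultAction Deny wins


if __name__ == "__main__":
    for label, kwargs in [
        ("office range", {"client_ip": "203.0.113.42"}),
        ("unknown address", {"client_ip": "198.51.100.7"}),
        ("Azure Backup", {"client_ip": "198.51.100.7", "trusted_service": True}),
    ]:
        verdict = "allowed" if is_request_allowed(SAMPLE_RULE_SET, **kwargs) else "denied"
        print(f"{label}: {verdict}")
```

The trusted-services switch from the callout corresponds to `--bypass AzureServices` on `az storage account update`. Note that the network rules only govern the public endpoint: traffic arriving through a Private Endpoint is not evaluated against them at all, which is why the next section treats private endpoints as a separate control.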

Private Endpoints

A Private Endpoint gives your storage account a private IP address within your VNet. Traffic between your VNet and the storage account travels over the Microsoft backbone — never over the public internet.

Aspect | Firewall Rules | Private Endpoint
Public internet access | Restricted but possible | Fully disabled
Traffic path | Public internet (TLS encrypted) | Private Microsoft backbone
DNS | Public DNS | Private DNS zone
Cost | Free | ~₹500–800/month per endpoint
Best for | Restricting access | Maximum security, compliance requirements

Encryption at Rest

All data in Azure Storage is encrypted at rest using AES-256 — automatically, by default, with no configuration required. You choose who manages the encryption keys:

Microsoft-Managed Keys (Default)

Azure manages the encryption keys automatically. No configuration needed. Suitable for most workloads.

Customer-Managed Keys (CMK)

You provide your own encryption keys stored in Azure Key Vault. You control key rotation and can revoke access by deleting the key. Required for some compliance frameworks (HIPAA, PCI-DSS).

Customer-Provided Keys

You provide the encryption key with every request — Azure never stores your key. Maximum control but complex to implement.

Secure Transfer (HTTPS Only)

Enable "Secure transfer required" to reject any HTTP connections — only HTTPS allowed. This should always be enabled for production accounts.

Azure CLI: Enforce HTTPS-only access
az storage account update \
  --name mystorageaccount2026 \
  --resource-group myResourceGroup \
  --https-only true

Microsoft Defender for Storage

Microsoft Defender for Storage provides threat detection for your storage accounts — it analyses access patterns and alerts you to suspicious activity:

  • Access from unusual locations or Tor exit nodes
  • Unusual data extraction (potential data exfiltration)
  • Upload of malware or suspicious files
  • Anonymous access to previously private data
  • Brute-force attempts on access keys

Access Key Rotation

Access keys should be rotated regularly. Best practice:

  • Rotate keys every 90 days (or per your security policy)
  • Always rotate both keys over two cycles to avoid downtime
  • Use Azure Key Vault to automate key rotation
  • Store keys in Key Vault, not in application config files

Security Checklist

Control | Recommended setting
Authentication | Azure AD (disable shared keys for sensitive data)
Network access | Selected networks or Private Endpoint only
Public blob access | Disabled (unless explicitly needed)
Secure transfer | Enabled (HTTPS only)
Minimum TLS version | TLS 1.2
Encryption | Microsoft-managed (or CMK for compliance)
Defender for Storage | Enabled
Key rotation | Every 90 days, automated via Key Vault
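The checklist is easiest to apply as a script. The following is an added example (not code from the page or from Microsoft) that audits the JSON printed by `az storage account show -o json` against the rows above, including a key-age check derived from the account's `keyCreationTime`. The property names it reads (`allowSharedKeyAccess`, `allowBlobPublicAccess`, `enableHttpsTrafficOnly`, `minimumTlsVersion`, `publicNetworkAccess`, `networkRuleSet.defaultAction`, `encryption.keySource`, `keyCreationTime`) are assumed to match the ARM resource properties; the two account documents and the audit timestamp are constructed. Defender for Storage is a Defender plan rather than an account property, so that row is not checked here.

```python
"""Audit a storage account's properties against the security checklist above.

Added example, not from the page or from Microsoft.  audit() takes the dict from
`az storage account show -o json` and returns one finding per checklist row the
account fails.  Property names are assumed to match the ARM resource.
"""
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed reference time so the sample results are reproducible (page date: May 2026).
AUDIT_TIME = datetime(2026, 5, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample: a loosely configured account.  A null allowSharedKeyAccess
# means shared-key (access key) authentication is still permitted.
LOOSE_ACCOUNT = {
    "name": "mystorageaccount2026",
    "allowSharedKeyAccess": None,
    "allowBlobPublicAccess": True,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_0",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"},
    "encryption": {"keySource": "Microsoft.Storage"},
    "keyCreationTime": {"key1": "2025-11-01T09:00:00+00:00", "key2": "2025-11-01T09:00:00+00:00"},
}

# Constructed sample: the same account after applying every row of the checklist.
HARDENED_ACCOUNT = {
    "name": "mystorageaccount2026",
    "allowSharedKeyAccess": False,
    "allowBlobPublicAccess": False,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices"},
    "encryption": {"keySource": "Microsoft.Keyvault"},
    "keyCreationTime": {"key1": "2026-04-20T09:00:00+00:00", "key2": "2026-04-25T09:00:00+00:00"},
}


def _get(obj, *path, default=None):
    """Walk nested keys safely; a missing key yields `default` instead of raising."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def key_age_days(account, now):
    """Age in days of key1 and key2 from keyCreationTime; None when no timestamp exists."""
    ages = {}
    for key_name in ("key1", "key2"):
        stamp = _get(account, "keyCreationTime", key_name)
        if not stamp:
            ages[key_name] = None
            continue
        created = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        ages[key_name] = (now - created).days
    return ages


def audit(account, now=None, require_cmk=False):
    """Return one finding dict per checklist row that the account fails."""
    now = now or datetime.now(timezone.utc)
    findings = []

    def flag(control, expected, actual):
        findings.append({"control": control, "expected": expected, "actual": actual})

    # Authentication: only an explicit false disables shared-key access.
    if _get(account, "allowSharedKeyAccess") is not False:
        flag("Authentication", "allowSharedKeyAccess=false (Azure AD only)",
             _get(account, "allowSharedKeyAccess"))
    # Network access: public endpoint disabled, or firewall denying by default.
    public = _get(account, "publicNetworkAccess", default="Enabled")
    default_action = _get(account, "networkRuleSet", "defaultAction", default="Allow")
    if public != "Disabled" and default_action != "Deny":
        flag("Network access", "publicNetworkAccess=Disabled or defaultAction=Deny",
             f"publicNetworkAccess={public}, defaultAction={default_action}")
    if _get(account, "allowBlobPublicAccess") is not False:
        flag("Public blob access", "allowBlobPublicAccess=false", _get(account, "allowBlobPublicAccess"))
    if _get(account, "enableHttpsTrafficOnly") is not True:
        flag("Secure transfer", "enableHttpsTrafficOnly=true", _get(account, "enableHttpsTrafficOnly"))
    if _get(account, "minimumTlsVersion") not in ("TLS1_2", "TLS1_3"):   # TLS 1.2 or newer
        flag("Minimum TLS version", "TLS1_2", _get(account, "minimumTlsVersion"))
    # Encryption: always on; only flag when the caller requires customer-managed keys.
    key_source = _get(account, "encryption", "keySource")
    if require_cmk and key_source != "Microsoft.Keyvault":
        flag("Encryption", "Microsoft.Keyvault (customer-managed key)", key_source)
    for key_name, age in key_age_days(account, now).items():
        if age is None or age > MAX_KEY_AGE_DAYS:
            flag("Key rotation", f"{key_name} rotated within {MAX_KEY_AGE_DAYS} days",
                 "no creation timestamp" if age is None else f"{key_name} is {age} days old")
    return findings


if __name__ == "__main__":
    for finding in audit(LOOSE_ACCOUNT, AUDIT_TIME):
        print(f"[{finding['control']}] expected {finding['expected']}, found {finding['actual']}")
```

Each failed row maps to a flag on `az storage account update`: `--allow-shared-key-access false`, `--public-network-access Disabled` or `--default-action Deny`, `--allow-blob-public-access false`, `--https-only true` and `--min-tls-version TLS1_2`. Key ages are computed from the account's own `keyCreationTime`, so a key that has never been rotated shows up immediately as a finding.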

💡 AZ-104 Exam Tip
Know that all data is encrypted at rest by default. Know the difference between Microsoft-managed keys and Customer-Managed Keys. Know that "Secure transfer required" enforces HTTPS. Know that storage firewall restricts network access. Know that Private Endpoints provide private-only access.

📝 Practice Questions (AZ-104 style)

Q1. Are Azure Storage accounts encrypted at rest by default?
A Yes — all storage data is automatically encrypted at rest using AES-256
B No — encryption must be explicitly enabled
C Only for Premium storage accounts
D Only when GRS redundancy is enabled

Q2. Why does Azure provide two access keys instead of one for each storage account?
A One key is for read-only and one is for read/write access
B To enable zero-downtime key rotation — update apps to key2, rotate key1, switch back
C One key is for Blob Storage and the other is for File/Queue/Table Storage
D One is a backup that activates only if the primary key is compromised

Q3. What does enabling "Secure transfer required" on a storage account do?
A Enables encryption at rest for all data
B Rejects all HTTP connections — only HTTPS is allowed
C Requires all access to use SAS tokens
D Enables Customer-Managed Key encryption

Q4. What is the benefit of using a Private Endpoint for a storage account over firewall rules?
A Private endpoints are cheaper than firewall rules
B Traffic never traverses the public internet — the storage account has no public endpoint
C Private endpoints automatically enable Azure AD authentication
D Private endpoints improve storage performance by 10x

Q5. A compliance regulation requires the company to control and audit their own encryption keys for storage. What should they configure?
A Microsoft-managed keys (default)
B Customer-Managed Keys (CMK) stored in Azure Key Vault
C Disable encryption for this storage account
D Use SAS tokens for all access

Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.