Azure Administrator 2.1: Configure Access to Storage

AZ-104 Exam Objective

This guide covers objective 2.1 of the Azure Administrator Associate (AZ-104) exam, focusing on configuring access to Azure Storage services.

What You'll Learn

  • Configure Azure Storage firewalls and virtual networks
  • Create and use Shared Access Signature (SAS) tokens
  • Configure stored access policies
  • Manage access keys
  • Configure identity-based access for Azure Files

1. Configure Azure Storage Firewalls and Virtual Networks

Azure Storage firewalls and virtual networks provide network-level security for your storage accounts. This is the first line of defense in securing your data by controlling which networks can access your storage resources.

Storage Account Firewall Configuration

Storage account firewalls allow you to restrict access based on IP addresses and virtual networks. This is crucial for preventing unauthorized access from the internet.

Key Configuration Steps:

  1. Navigate to your storage account in the Azure portal
  2. Go to Security + networking > Networking
  3. Select "Enabled from selected virtual networks and IP addresses"
  4. Add specific IP addresses or IP ranges
  5. Configure virtual network access rules
  6. Enable trusted Microsoft services if needed

Virtual Network Integration

When configuring virtual network access, you can specify which subnets within your virtual networks are allowed to access the storage account. This provides granular control over network access.

  • Service endpoints: Enable service endpoints for Azure Storage on your subnets
  • Private endpoints: Create private endpoints for private connectivity
  • Network rules: Define specific virtual networks and subnets
  • Exception rules: Allow trusted Microsoft services to bypass firewall rules

Important Security Considerations

  • Always test firewall rules in a non-production environment first
  • Ensure you have alternative access methods before enabling strict firewall rules
  • Monitor storage access logs to identify blocked requests
  • Consider using Azure Private Link for enhanced security

2. Create and Use Shared Access Signature (SAS) Tokens

Shared Access Signatures (SAS) provide secure, delegated access to Azure Storage resources without sharing your storage account keys. SAS tokens are essential for granting time-limited, permission-specific access to storage resources.

Types of SAS Tokens

Account SAS

  • Delegates access to multiple services
  • Can access blob, file, queue, and table services
  • Signed with a storage account key
  • Broader scope, so a leaked account SAS exposes more than a service SAS

Service SAS

  • Delegates access to a specific service
  • Limited to one service (blob, file, queue, or table)
  • Signed with a storage account key
  • Narrower scope, so more secure than an account SAS

SAS Token Components

A SAS token contains several important components that define the permissions and constraints:

  • Permissions: Read (r), Write (w), Delete (d), List (l), Add (a), Create (c), Update (u), Process (p)
  • Start time: When the SAS becomes valid
  • Expiry time: When the SAS expires
  • IP range: Allowed IP addresses for access
  • Protocol: HTTPS only or HTTP and HTTPS
  • Resource: Container, blob, or other storage resource

Creating SAS Tokens via Azure Portal

  1. Navigate to your storage account
  2. Go to Security + networking > Shared access signature
  3. Configure allowed services (blob, file, queue, table)
  4. Set allowed resource types (service, container, object)
  5. Define permissions (read, write, delete, list, etc.)
  6. Set start and expiry times
  7. Configure allowed IP addresses (optional)
  8. Select protocol (HTTPS recommended)
  9. Generate SAS and connection string

Best Practices for SAS Tokens

Security Best Practices

  • Use the principle of least privilege - grant the minimum required permissions
  • Set short expiration times (hours or days, not months)
  • Use HTTPS only for SAS tokens
  • Monitor SAS token usage through storage analytics
  • Revoke SAS tokens immediately if compromised
  • Use stored access policies for better management
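The following script, added here and not part of the original guide, checks a SAS URL against the components and best practices listed above: it parses the documented SAS query parameters (sv, sp, st, se, sip, spr, sr, si, ss, srt, sig) and reports an account SAS, HTTP being permitted, a missing IP range, mutating permissions, a missing or distant expiry. The seven-day lifetime threshold and both sample URLs (with placeholder signatures) are constructed for this example.

```python
"""Audit a SAS URL against the best practices above (added example, not
from the original guide).  Keys are the documented SAS query parameters:
sv, sp, st, se, sip, spr, sr, si, ss, srt, sig.  Threshold and URLs are constructed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(days=7)   # assumed policy: hours or days, not months
MUTATING = set("wdacu")            # write, delete, add, create, update

def parse_sas(url):
    """Flatten the query string of a SAS URL into a dict."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}

def parse_time(value):
    """SAS times are UTC: 'YYYY-MM-DD' or 'YYYY-MM-DDTHH:MM:SSZ'."""
    fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in value else "%Y-%m-%d"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def audit_sas(url, now_iso):
    """Return a list of findings; empty means no best-practice violation."""
    p, now, findings = parse_sas(url), parse_time(now_iso), []
    if "sig" not in p or "sv" not in p:
        return ["not a SAS URL: sv or sig missing"]
    if "ss" in p or "srt" in p:
        findings.append("account SAS: spans services, prefer a service SAS")
    if p.get("spr", "https,http") != "https":   # absent spr permits HTTP
        findings.append("HTTP permitted: set spr=https")
    if "sip" not in p:
        findings.append("no IP range restriction (sip)")
    if "si" in p:   # policy-bound: permissions and expiry live server-side
        return findings
    granted = set(p.get("sp", "")) & MUTATING
    if granted:
        findings.append("mutating permissions granted: " + "".join(sorted(granted)))
    if "se" not in p:
        findings.append("no expiry (se) and no stored access policy")
    elif parse_time(p["se"]) < now:
        findings.append("token already expired")
    elif parse_time(p["se"]) - now > MAX_LIFETIME:
        findings.append(f"expiry more than {MAX_LIFETIME.days} days away")
    return findings

# Constructed samples: one long-lived, HTTP-capable, write-capable and
# unrestricted; one short-lived, read-only, HTTPS-only and IP-bound.
RISKY_URL = ("https://examplestore.blob.core.windows.net/reports/q3.csv?sv=2022-11-02"
             "&sr=b&sp=rwdl&st=2025-10-01T00:00:00Z&se=2026-10-01T00:00:00Z"
             "&spr=https,http&sig=PLACEHOLDER")
SAFE_URL = ("https://examplestore.blob.core.windows.net/reports/q3.csv?sv=2022-11-02"
            "&sr=b&sp=rl&se=2025-10-29T00:00:00Z&spr=https&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER")
```

Run audit_sas(RISKY_URL, "2025-10-28T00:00:00Z") to see four findings; the same URL audited after its expiry reports that it has already expired instead of its distant expiry.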

3. Configure Stored Access Policies

Stored access policies provide a way to manage SAS tokens more effectively by defining reusable policy templates. This approach offers better security and easier management compared to ad-hoc SAS token generation.

Benefits of Stored Access Policies

  • Centralized management: Define policies once and reuse them
  • Revocation capability: Revoke all SAS tokens associated with a policy
  • Policy updates: Modify permissions without regenerating tokens
  • Audit trail: Better tracking of access patterns
  • Consistency: Standardized access patterns across applications

Creating Stored Access Policies

Policy Configuration Steps:

  1. Navigate to your storage container or file share
  2. Go to Access policy tab
  3. Click "Add policy"
  4. Define policy identifier (unique name)
  5. Set permissions (read, write, delete, list)
  6. Configure start and expiry times
  7. Save the policy
  8. Generate SAS tokens using the policy

Policy Management Scenarios

Read-Only Policy

For applications that only need to read data:

  • Permissions: Read, List
  • Use case: Reporting applications
  • Security: Minimal exposure

Upload Policy

For applications that upload files:

  • Permissions: Write, Add, Create
  • Use case: File upload services
  • Security: No read access
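To make the revocation and policy-update benefits above concrete, here is an added example (not the guide's or Azure's own code) that signs a blob service SAS both ad hoc and bound to a stored access policy, using the documented string-to-sign layout for SAS versions 2018-11-09 to 2020-10-02, and then simulates the service-side check. The account name, account key, policy names and dates are constructed placeholders; expiry enforcement is not modelled.

```python
"""Service SAS signing with and without a stored access policy (added example,
not from the original guide).  String-to-sign follows the documented blob service
SAS layout for versions 2018-11-09 to 2020-10-02; all values are constructed."""
import base64
import hashlib
import hmac

SAS_VERSION = "2020-10-02"
ACCOUNT, CONTAINER, BLOB = "examplestore", "reports", "q3.csv"
ACCOUNT_KEY = base64.b64encode(b"constructed-example-key-not-a-real-secret").decode()
# Stored access policies as they currently exist on the container.
POLICIES = {"readonly": {"sp": "rl", "st": "2025-10-01", "se": "2025-12-31"}}

def string_to_sign(sp, st, se, si):
    # permissions, start, expiry, canonicalized resource, policy identifier,
    # IP range, protocol, version, resource type, snapshot time, then the five
    # response-header overrides (rscc, rscd, rsce, rscl, rsct)
    resource = f"/blob/{ACCOUNT}/{CONTAINER}/{BLOB}"
    return "\n".join([sp, st, se, resource, si, "", "https", SAS_VERSION, "b", ""] + [""] * 5)

def sign(sts):
    """Base64(HMAC-SHA256(Base64-decoded account key, UTF-8 string-to-sign))."""
    mac = hmac.new(base64.b64decode(ACCOUNT_KEY), sts.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def issue_adhoc(sp, st, se):
    """Ad-hoc SAS: permissions and lifetime are baked into the signed token."""
    return {"sv": SAS_VERSION, "sr": "b", "spr": "https", "sp": sp, "st": st,
            "se": se, "sig": sign(string_to_sign(sp, st, se, ""))}

def issue_with_policy(si):
    """Policy-bound SAS: only the policy name is signed; sp/st/se stay empty."""
    return {"sv": SAS_VERSION, "sr": "b", "spr": "https", "si": si,
            "sig": sign(string_to_sign("", "", "", si))}

def authorize(token, policies=POLICIES):
    """Simulated service check (expiry not modelled): returns the effective
    permissions if the signature verifies, else None.  A policy-bound token is
    evaluated against the policy as it exists now, so editing the policy changes
    what the token can do and deleting it revokes every token referencing it."""
    si = token.get("si", "")
    if si:
        policy = policies.get(si)
        if policy is None:
            return None
        sts, perms = string_to_sign("", "", "", si), policy["sp"]
    else:
        sts, perms = string_to_sign(token["sp"], token["st"], token["se"], ""), token["sp"]
    return perms if hmac.compare_digest(sign(sts), token["sig"]) else None
```

Call issue_with_policy("readonly") once, then authorize the same token against an edited or emptied POLICIES dict to see the permissions narrow or the token become invalid without anything being reissued.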

4. Manage Access Keys

Storage account access keys provide full access to your storage account and should be managed carefully. Proper key management is essential for maintaining security and ensuring business continuity.

Access Key Types

Key 1 (Primary)

  • Default key used by most applications
  • Can be regenerated without affecting Key 2
  • Used for failover scenarios

Key 2 (Secondary)

  • Backup key for high availability
  • Used during key rotation
  • Enables zero-downtime key updates

Key Rotation Best Practices

Rotation Process:

  1. Update applications to use Key 2
  2. Verify all applications are working with Key 2
  3. Regenerate Key 1
  4. Update applications to use the new Key 1
  5. Verify all applications are working with new Key 1
  6. Regenerate Key 2
  7. Document the rotation date and schedule next rotation

Critical Security Considerations

  • Never hardcode access keys in application code
  • Use Azure Key Vault to store and manage access keys
  • Implement regular key rotation (every 90 days recommended)
  • Monitor key usage through Azure Monitor and storage analytics
  • Use Azure AD authentication when possible instead of access keys
  • Implement least privilege access principles

5. Configure Identity-Based Access for Azure Files

Azure Files supports identity-based authentication using Azure Active Directory (Azure AD) and Active Directory Domain Services (AD DS). This provides seamless integration with existing identity systems and eliminates the need to manage storage account keys.

Authentication Methods

Azure AD Authentication

  • Cloud-native authentication
  • Works with Azure AD users and groups
  • Supports RBAC permissions
  • No on-premises infrastructure required

AD DS Authentication

  • On-premises Active Directory integration
  • Seamless single sign-on experience
  • Supports existing AD groups and permissions
  • Requires domain controller connectivity

Enabling Identity-Based Access

Configuration Steps:

  1. Navigate to your storage account
  2. Go to Data management > File shares
  3. Select your file share
  4. Go to Access control (IAM)
  5. Click "Add role assignment"
  6. Select appropriate role (Storage File Data SMB Share Reader/Contributor/Elevated Contributor)
  7. Assign to user, group, or service principal
  8. Save the configuration

Role-Based Access Control (RBAC) Roles

Role | Permissions | Use case
Storage File Data SMB Share Reader | Read files and directories | Read-only access for reports
Storage File Data SMB Share Contributor | Read, write, delete files | General file operations
Storage File Data SMB Share Elevated Contributor | Full control including permissions | Administrative access

Network Access Requirements

For identity-based access to work properly, ensure proper network connectivity:

  • Port 445: SMB protocol must be accessible
  • Azure AD connectivity: For Azure AD authentication
  • Domain controller access: For AD DS authentication
  • DNS resolution: Proper name resolution for authentication
  • Firewall rules: Allow SMB traffic through firewalls

Study Tips and Exam Preparation

Key Concepts to Remember

  • Storage firewalls: First line of defense for network-level security
  • SAS tokens: Time-limited, permission-specific access without sharing keys
  • Stored access policies: Better management and revocation capabilities
  • Access keys: Full account access requiring careful management
  • Identity-based access: Modern approach using Azure AD/AD DS

Common Exam Scenarios

  • Configure a storage account to allow access only from specific virtual networks
  • Create SAS tokens with specific permissions and expiration times
  • Implement stored access policies for better SAS management
  • Rotate storage account access keys with zero downtime
  • Enable Azure AD authentication for Azure Files
  • Troubleshoot access issues with different authentication methods

Practice Recommendations

  • Create a test storage account and practice all configuration options
  • Test SAS token generation with different permissions and constraints
  • Practice key rotation procedures in a non-production environment
  • Configure identity-based access for Azure Files
  • Use Azure CLI and PowerShell commands for automation scenarios
  • Review Azure Storage security documentation and best practices

Last updated: 10/28/2025 | Exam: Azure Administrator Associate (AZ-104) | Objective: 2.1 Configure access to storage