
Storage Account Security: AZ-500 Exam Guide

Storage account security covers shared access signatures (SAS), the storage firewall, encryption at rest, and Microsoft Defender for Storage. The AZ-500 tests all four areas: know the three SAS types and how each one is revoked, what the firewall does and does not block, and how customer-managed keys (CMK) differ from Microsoft-managed keys.

Microsoft Cloud Solution Architect
Tags: AZ-500, Storage Account, SAS, CMK, Defender for Storage, Certification

Shared Access Signatures (SAS)

A SAS token grants time-limited, scoped access to storage resources without sharing the account key. The token is a signed query string appended to the resource URL; the service recomputes the signature on every request, so whoever can rotate or revoke the signing key revokes every token that key signed.

The three SAS types, their scope, and how each is revoked:

  • Account SAS: scope is the entire storage account (any service, including account-level operations). Signed with an account key and cannot reference a stored access policy, so the only way to revoke it is to rotate the key that signed it, which also invalidates every other SAS signed with that key.
  • Service SAS: scope is one resource in one service (a container or blob, a queue, a table, or a file share). Signed with an account key; revoke by rotating that key or, if the SAS references a stored access policy, by deleting or modifying the policy without touching the key.
  • User delegation SAS: scope is Blob Storage and Data Lake Storage Gen2 only. Signed with a user delegation key obtained with an Entra ID credential; revoke by revoking the account's user delegation keys (the Revoke User Delegation Keys operation) or by removing the delegating principal's RBAC permissions. Rotating the account key does not affect it.
Exam tip: A user delegation SAS is signed with a user delegation key that is requested with an Entra ID credential (the caller needs the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action permission), not with the storage account key. The key is valid for at most 7 days, the SAS can never grant more than the delegating identity holds through RBAC, and it is revoked independently of the account key. That is why it is the recommended SAS type.
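How the three revocation paths in the list work, as an added model of the server side (not Azure's code, not the azure-storage SDK, and with a reduced string-to-sign rather than the full service SAS layout): the account name, keys, stored access policy and blob path below are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode

# Constructed timestamps in the fixed-width ISO 8601 UTC form SAS uses for
# "st"/"se"; because the width is fixed, string comparison orders them.
NOW = "2025-01-10T12:00:00Z"
LATER = "2025-01-10T13:00:00Z"


def _b64(raw):
    return base64.b64encode(raw).decode()


def sas_signature(key_b64, string_to_sign):
    """Primitive shared by every SAS type: HMAC-SHA256 over the UTF-8
    string-to-sign, keyed with the base64-decoded key, output base64."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode(), hashlib.sha256)
    return _b64(mac.digest())


def _string_to_sign(account, resource, q):
    # Reduced layout (permissions, start, expiry, canonical resource, policy id
    # or delegation key id); the real service SAS layout has more fields.
    return "\n".join([q.get("sp", ""), q.get("st", ""), q.get("se", ""),
                      f"/blob/{account}/{resource}",
                      q.get("si", "") or q.get("skoid", "")])


class StorageAccountModel:
    """Constructed server-side state: two account keys (both accepted at all
    times), stored access policies, and user delegation keys."""
    def __init__(self, name):
        self.name = name
        self.key1, self.key2 = _b64(os.urandom(64)), _b64(os.urandom(64))
        self.policies = {}          # (container, policy id) -> {"sp", "se"}
        self.delegation_keys = {}   # key id -> (key material, key expiry)

    # Issuance: the client only needs the signing key, not the account.
    def service_sas(self, resource, sp="", se="", si=""):
        q = {"sr": "b", "sp": sp, "se": se, "si": si}
        q["sig"] = sas_signature(self.key1, _string_to_sign(self.name, resource, q))
        return urlencode(q)
    def get_user_delegation_key(self, key_expiry):
        # Needs the generateUserDelegationKey RBAC action; valid at most 7 days.
        key_id = _b64(os.urandom(6))
        self.delegation_keys[key_id] = (_b64(os.urandom(32)), key_expiry)
        return key_id, self.delegation_keys[key_id][0]
    def user_delegation_sas(self, resource, sp, se, key_id, key):
        q = {"sr": "b", "sp": sp, "se": se, "skoid": key_id}
        q["sig"] = sas_signature(key, _string_to_sign(self.name, resource, q))
        return urlencode(q)

    # Revocation paths from the list above.
    def rotate_key1(self):
        self.key1 = _b64(os.urandom(64))
    def revoke_user_delegation_keys(self):
        self.delegation_keys.clear()      # kills every user delegation SAS at once

    # Validation, as the service performs it on every request.
    def authorize(self, resource, sas, now=NOW):
        q = {k: v[0] for k, v in parse_qs(sas, keep_blank_values=True).items()}
        if "skoid" in q:
            entry = self.delegation_keys.get(q["skoid"])
            if entry is None or entry[1] <= now:
                return False, "user delegation key revoked or expired"
            keys = [entry[0]]
        else:
            keys = [self.key1, self.key2]
        sts = _string_to_sign(self.name, resource, q)
        if not any(hmac.compare_digest(sas_signature(k, sts), q.get("sig", "")) for k in keys):
            return False, "signature matches no current key"
        sp, se = q["sp"], q["se"]
        if q.get("si"):
            policy = self.policies.get((resource.split("/")[0], q["si"]))
            if policy is None:
                return False, "stored access policy deleted"
            sp, se = policy["sp"], policy["se"]   # the policy, not the token, decides
        if not se or se <= now:
            return False, "expired"
        return True, f"allowed with permissions {sp}"


def demo():
    acct, blob, results = StorageAccountModel("contoso"), "logs/app.log", {}
    # 1. Service SAS signed with the account key: only key rotation revokes it.
    sas = acct.service_sas(blob, sp="r", se=LATER)
    results["service_sas"] = acct.authorize(blob, sas)[0]
    acct.rotate_key1()
    results["service_sas_after_rotation"] = acct.authorize(blob, sas)[0]
    # 2. Service SAS bound to a stored access policy: deleting the policy revokes it.
    acct.policies[("logs", "readers")] = {"sp": "r", "se": LATER}
    sas = acct.service_sas(blob, si="readers")
    results["policy_sas"] = acct.authorize(blob, sas)[0]
    del acct.policies[("logs", "readers")]
    results["policy_sas_after_delete"] = acct.authorize(blob, sas)[0]
    # 3. User delegation SAS: survives key rotation, dies with the delegation key.
    key_id, key = acct.get_user_delegation_key(LATER)
    sas = acct.user_delegation_sas(blob, "r", LATER, key_id, key)
    acct.rotate_key1()
    results["user_delegation_sas_after_rotation"] = acct.authorize(blob, sas)[0]
    acct.revoke_user_delegation_keys()
    results["user_delegation_sas_after_revoke"] = acct.authorize(blob, sas)[0]
    return results
```

The point to take from `authorize` is that the service never stores issued tokens: it only recomputes the signature with whatever keys are currently valid, which is exactly why key rotation, policy deletion and delegation-key revocation each revoke a different population of tokens.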

Storage Firewall

The storage firewall restricts access over the account's public endpoint to selected virtual network subnets (via a Microsoft.Storage service endpoint), public IP ranges, and specific Azure resource instances, once the default action is set to Deny. Key behaviours:

  • "Allow trusted Microsoft services" exception: lets services such as Azure Backup, Event Grid and Azure Monitor reach the account through the public endpoint even when the default action is Deny. It bypasses the network rules only; the service still needs data-plane authorization (RBAC for its managed identity, or a key or SAS).
  • IP rules accept public addresses only (RFC 1918 ranges are rejected). Traffic from a subnet arrives with a private source address, so it must be allowed with a virtual network rule; an IP rule will never match it.
  • Setting public network access to Disabled turns the public endpoint off entirely: IP rules, virtual network rules and service endpoint traffic no longer apply, and only traffic arriving through a private endpoint is accepted. Private endpoint traffic is never evaluated against the firewall rules in the first place.
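The decision order the bullets describe, as an added model (not Azure's code and not an SDK call): `FirewallConfig`, `Request`, the subnet names and the IP ranges are constructed for the example. The model follows the text above in treating a Disabled public endpoint as blocking everything that is not private endpoint traffic, and it encodes the rule that IP rules never match RFC 1918 source addresses.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Private ranges that Azure refuses in IP rules and that service endpoint
# traffic arrives from; an IP rule therefore can never allow such traffic.
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class FirewallConfig:
    """Constructed model of the account's networking properties."""
    public_network_access: str = "Enabled"       # "Enabled" or "Disabled"
    default_action: str = "Allow"                # "Allow" or "Deny"
    ip_rules: list = field(default_factory=list)  # public CIDRs, e.g. "203.0.113.0/24"
    vnet_rules: set = field(default_factory=set)  # subnet ids with a service endpoint
    trusted_services_bypass: bool = True          # "Allow trusted Microsoft services"


@dataclass
class Request:
    """How a request reaches the account (constructed)."""
    via: str                       # "public", "service-endpoint" or "private-endpoint"
    source_ip: str = ""            # source address as the service sees it
    subnet_id: str = ""            # only meaningful for service-endpoint traffic
    trusted_service: bool = False  # caller is on the trusted services list


def evaluate(cfg, req):
    """Return (allowed, reason), checking in the order the firewall applies."""
    # Private endpoint traffic never touches the public endpoint, so none of
    # the firewall rules apply to it.
    if req.via == "private-endpoint":
        return True, "private endpoint"
    # Disabled switches the public endpoint off: rules and exceptions are not
    # evaluated at all (modelled as the text above states).
    if cfg.public_network_access == "Disabled":
        return False, "public network access disabled"
    if cfg.default_action == "Allow":
        return True, "default action Allow (firewall effectively off)"
    if req.trusted_service and cfg.trusted_services_bypass:
        return True, "trusted Microsoft services exception"
    if req.via == "service-endpoint" and req.subnet_id in cfg.vnet_rules:
        return True, f"virtual network rule for {req.subnet_id}"
    if req.source_ip:
        addr = ip_address(req.source_ip)
        if not any(addr in n for n in RFC1918) and any(addr in ip_network(c) for c in cfg.ip_rules):
            return True, "IP rule"
    return False, "default action Deny"


def demo():
    app = "vnet1/app"   # constructed subnet id with a Microsoft.Storage service endpoint
    locked = FirewallConfig(default_action="Deny", ip_rules=["203.0.113.0/24"], vnet_rules={app})
    closed = FirewallConfig(public_network_access="Disabled", default_action="Deny",
                            ip_rules=["203.0.113.0/24"], vnet_rules={app})
    cases = {
        "office_ip": (locked, Request("public", source_ip="203.0.113.7")),
        "home_ip": (locked, Request("public", source_ip="198.51.100.9")),
        "app_subnet": (locked, Request("service-endpoint", source_ip="10.1.2.3", subnet_id=app)),
        "other_subnet": (locked, Request("service-endpoint", source_ip="10.9.9.9", subnet_id="vnet1/other")),
        "backup_service": (locked, Request("public", trusted_service=True)),
        "app_subnet_pna_disabled": (closed, Request("service-endpoint", source_ip="10.1.2.3", subnet_id=app)),
        "private_endpoint_pna_disabled": (closed, Request("private-endpoint", source_ip="10.1.5.4")),
    }
    return {name: evaluate(cfg, req)[0] for name, (cfg, req) in cases.items()}
```

The two cases worth remembering for the exam are `other_subnet` (a subnet without a virtual network rule is denied even though its address is "inside Azure") and `app_subnet_pna_disabled` (a subnet that was allowed stops working the moment public network access is disabled).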

Encryption

All data in Azure Storage is encrypted at rest with 256-bit AES by default, using Microsoft-managed keys, and this cannot be turned off. When a regulation or internal policy requires you to control the keys:

  • Customer-managed keys (CMK): your key in Azure Key Vault (or Managed HSM) wraps the account's data encryption key; the data itself stays encrypted with that DEK, so rotating the CMK re-wraps the DEK without re-encrypting any data. The account needs a managed identity with get, wrap and unwrap rights on the key, and the vault must have soft delete and purge protection enabled. You control rotation and can revoke access at any time.
  • Customer-provided keys: the client sends its own AES-256 key in the headers of each Blob Storage request; Azure uses it for that operation only and never stores it. Available for Blob Storage only.
Exam tip: Revoking the CMK (disabling or deleting the Key Vault key, or removing the account identity's permissions on it) makes the data in the storage account unreadable until access is restored. This is the intended control for data sovereignty scenarios, not a failure mode to design around.
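Why CMK rotation is cheap and CMK revocation is total, as an added model of the key hierarchy (not Azure's implementation and not the Key Vault or storage SDKs): `KeyVaultModel`, `StorageAccountModel`, the key name and the blob contents are constructed for the example, and a SHA-256 based toy stream cipher stands in for AES-256 so the block runs on the standard library alone.

```python
import hashlib
import os


def _keystream_xor(key, nonce, data):
    """Toy counter-mode stream cipher built from SHA-256. It stands in for
    AES-256 so the block needs no third-party library; it has no integrity
    protection and must not be used outside this illustration."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class KeyVaultModel:
    """Constructed stand-in for Key Vault: versioned keys used only to wrap
    and unwrap other keys, with soft delete so a deleted key is recoverable."""
    def __init__(self):
        self.keys = {}      # (name, version) -> key material (the KEK)
        self.deleted = {}
    def create_key_version(self, name):
        version = os.urandom(4).hex()
        self.keys[(name, version)] = os.urandom(32)
        return version
    def wrap(self, name, version, dek):
        nonce = os.urandom(12)
        return nonce + _keystream_xor(self.keys[(name, version)], nonce, dek)
    def unwrap(self, name, version, wrapped):
        kek = self.keys.get((name, version))
        if kek is None:
            raise PermissionError(f"{name}/{version} is deleted or disabled")
        return _keystream_xor(kek, wrapped[:12], wrapped[12:])
    def delete_key(self, name):
        for k in [k for k in self.keys if k[0] == name]:
            self.deleted[k] = self.keys.pop(k)
    def recover_key(self, name):
        for k in [k for k in self.deleted if k[0] == name]:
            self.keys[k] = self.deleted.pop(k)


class StorageAccountModel:
    """Constructed model of an account using CMK: one data encryption key (DEK)
    for blob data, held only in wrapped form under the Key Vault key."""
    def __init__(self, vault, key_name, key_version):
        self.vault, self.key_name, self.key_version = vault, key_name, key_version
        self.wrapped_dek = vault.wrap(key_name, key_version, os.urandom(32))
        self.blobs = {}
    def _dek(self):
        # Every data operation first needs the vault to unwrap the DEK.
        return self.vault.unwrap(self.key_name, self.key_version, self.wrapped_dek)
    def put(self, name, data):
        nonce = os.urandom(12)
        self.blobs[name] = nonce + _keystream_xor(self._dek(), nonce, data)
    def get(self, name):
        c = self.blobs[name]
        return _keystream_xor(self._dek(), c[:12], c[12:])
    def rotate_to(self, new_version):
        # Rotation re-wraps the DEK under the new key version; the blob
        # ciphertext is untouched, which is why rotation is instant.
        dek = self._dek()
        self.key_version = new_version
        self.wrapped_dek = self.vault.wrap(self.key_name, new_version, dek)


def demo():
    vault = KeyVaultModel()
    acct = StorageAccountModel(vault, "storage-cmk", vault.create_key_version("storage-cmk"))
    payload = b"constructed sample blob content"     # constructed test data
    acct.put("payroll.csv", payload)
    ciphertext_before = acct.blobs["payroll.csv"]
    acct.rotate_to(vault.create_key_version("storage-cmk"))
    results = {
        "readable_after_rotation": acct.get("payroll.csv") == payload,
        "ciphertext_unchanged_by_rotation": acct.blobs["payroll.csv"] == ciphertext_before,
    }
    vault.delete_key("storage-cmk")                  # revoke: the account can no longer unwrap
    try:
        acct.get("payroll.csv")
        results["unreadable_after_revoke"] = False
    except PermissionError:
        results["unreadable_after_revoke"] = True
    vault.recover_key("storage-cmk")                 # soft delete makes revocation reversible
    results["readable_after_recovery"] = acct.get("payroll.csv") == payload
    return results
```

The recovery step is the reason Azure insists on soft delete and purge protection for a CMK vault: without them, "revoke" by deletion would be permanent data loss rather than a reversible access control.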

Defender for Storage

Defender for Storage detects unusual access patterns (for example access from an unusual location or from a Tor exit node), anonymous access to containers, uploads whose hash matches known malware (hash reputation analysis), and, with malware scanning (preview at the time of writing), scans blobs on upload. Enable it per storage account, or at subscription level so that every account in the subscription, including accounts created later, is covered.

Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.
