Cyber Intelligence
Compute, Storage & Data · 25% of exam

L13. Storage Account Security

Course outlineLesson 13 of 18

Storage Account security covers SAS tokens, the storage firewall, encryption at rest, and Defender for Storage. The AZ-500 tests all four areas: know the SAS types, what the firewall does and does not block, and how CMK differs from Microsoft-managed keys.

Shared Access Signatures (SAS)

A SAS token grants time-limited, scoped access to storage resources without sharing the account key.

SAS TypeScopeRevocation
Account SASEntire storage accountDelete/rotate account key
Service SASSpecific service (Blob, Queue, etc.)Delete/rotate account key
User Delegation SASBlob/Data LakeRevoke the Entra user's key via API
Exam tip: User Delegation SAS is signed with an Entra ID credential, not the storage account key. It is the most secure SAS type and can be revoked independently of the account key.

Storage Firewall

The storage firewall restricts access to specific VNets (via Service Endpoints) and IP ranges. Key behaviours:

  • "Allow trusted Microsoft services" exception: Enables Azure services like Backup, Event Grid, and Azure Monitor to bypass the firewall even when all public access is restricted.
  • Setting "Disable public network access" blocks everything including Service Endpoint traffic: only Private Endpoint traffic is allowed.

Encryption

All data in Azure Storage is encrypted at rest using AES-256 by default (Microsoft-managed keys). For regulatory requirements:

  • Customer-Managed Keys (CMK): Your key in Key Vault encrypts the storage account's data encryption key. You control rotation and can revoke access.
  • Customer-Provided Keys: You send an encryption key on each request: the key is not stored by Azure.
Exam tip: Revoking a CMK by deleting the Key Vault key renders the storage account inaccessible. This is intentional for data sovereignty scenarios.

Defender for Storage

Defender for Storage detects: unusual access patterns, anonymous access to containers, hash reputation analysis for uploaded files, malware scanning (preview). Enable per storage account or per subscription.

Exam Focus Points
  • User Delegation SAS is signed with Entra credentials: most secure, revocable without rotating the account key
  • "Allow trusted Microsoft services" exception lets Azure Monitor, Backup, and Event Grid bypass the firewall
  • "Disable public network access" blocks even Service Endpoint traffic: only Private Endpoints bypass it
  • CMK: your Key Vault key encrypts the storage encryption key. Revoking the key makes data inaccessible
  • Defender for Storage detects unusual access patterns, anonymous container access, and malware in uploads
Knowledge Check

1. Which SAS token type provides the most granular, revocable access control for a storage account?

2. Microsoft Defender for Storage detects which of the following threats?

3. A storage account has 'Allow storage account key access' disabled. What is the impact?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available