Storage Firewalls and Virtual Networks
By default, Azure Storage accounts accept connections from any network. The Azure Storage firewall is a network access control on the storage account that restricts the public endpoint to specific sources: once the default action is set to Deny, every request not matched by an explicit rule or exception is refused.
You can allow traffic from:
- Specific virtual network subnets (using a VNet service endpoint)
- Specific public IP address ranges (in CIDR notation)
- Specific resource instances (named Azure service resources)
- Trusted Azure services, through the exceptions list
| Rule type | What it covers |
|---|---|
| Virtual network rule | Traffic from subnets in Azure VNets (same or cross-region) |
| IP network rule | Traffic from specific public IP ranges (CIDR) |
| Resource instance rule | Named Azure resource instances (identified by resource ID) belonging to services that cannot be placed in a subnet |
| Trusted service exception | Azure services (e.g., Azure Backup, Azure Monitor) that need to bypass the firewall |
Enabling a virtual network rule requires the target subnet to have the Microsoft.Storage service endpoint configured.
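The rule types above are evaluated in a fixed order, and none of them matter while the default action is still Allow. The following Python model is an added example (not Azure's code) that mirrors the documented order: default action first, then the trusted-service bypass, then VNet rules, then IP rules. It also refuses RFC 1918 ranges in IP rules, as Azure does. The subnet resource ID, the office range, and the source addresses are constructed.

```python
"""Model of how a storage account firewall evaluates a request.

Added example; this is not Azure code. It mirrors the documented order
(default action, trusted-service bypass, VNet rules, IP rules) so the
effect of leaving the default action at Allow can be seen directly.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Azure rejects RFC 1918 ranges in IP network rules: only public ranges are accepted.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class NetworkRuleSet:
    default_action: str = "Allow"                        # Azure default for a new account
    bypass: Set[str] = field(default_factory=lambda: {"AzureServices"})
    vnet_rules: Set[str] = field(default_factory=set)    # subnet IDs that have the Microsoft.Storage endpoint
    ip_rules: List[ipaddress.IPv4Network] = field(default_factory=list)

    def add_ip_rule(self, cidr: str) -> None:
        """Add a public CIDR; private ranges are refused, as Azure refuses them."""
        net = ipaddress.ip_network(cidr, strict=False)
        if any(net.overlaps(private) for private in RFC1918):
            raise ValueError(f"{cidr}: IP rules accept public address ranges only")
        self.ip_rules.append(net)


@dataclass
class Request:
    source_ip: Optional[str] = None       # public source address seen by the storage endpoint
    subnet_id: Optional[str] = None       # set when the request arrives over a service endpoint
    trusted_service: bool = False         # e.g. Azure Backup or Azure Monitor


def evaluate(rules: NetworkRuleSet, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Rules are consulted only when the default action is Deny."""
    if rules.default_action != "Deny":
        return True, "default action is Allow: rules and exceptions are not enforced"
    if req.trusted_service and "AzureServices" in rules.bypass:
        return True, "trusted Azure service exception"
    if req.subnet_id and req.subnet_id in rules.vnet_rules:
        return True, "virtual network rule"
    if req.source_ip:
        addr = ipaddress.ip_address(req.source_ip)
        if any(addr in net for net in rules.ip_rules):
            return True, "IP network rule"
    return False, "no matching rule; default action Deny"


# Constructed subnet resource ID for the example.
APP_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
              "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app")


def demo() -> dict:
    """Walk the same rule set through both default actions; values are True when allowed."""
    rules = NetworkRuleSet()
    rules.add_ip_rule("203.0.113.0/24")      # constructed office range
    rules.vnet_rules.add(APP_SUBNET)
    office = Request(source_ip="203.0.113.7")
    stranger = Request(source_ip="198.51.100.9")
    results = {"stranger_default_allow": evaluate(rules, stranger)[0]}
    rules.default_action = "Deny"            # what "Enabled from selected virtual networks and IP addresses" sets
    results["stranger_default_deny"] = evaluate(rules, stranger)[0]
    results["office"] = evaluate(rules, office)[0]
    results["app_subnet"] = evaluate(rules, Request(subnet_id=APP_SUBNET))[0]
    results["backup_service"] = evaluate(rules, Request(trusted_service=True))[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The first result is the trap: with the default action at Allow, the unknown address gets through even though an IP rule and a VNet rule exist. Only after `default_action` becomes Deny do the rules decide anything.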
Shared Access Signatures (SAS)
A Shared Access Signature (SAS) is a URI that grants time-limited, scoped access to storage resources without sharing the account key. It comes in three types: user delegation SAS (most secure), service SAS, and account SAS.
| SAS type | Signed with | Scope | Notes |
|---|---|---|---|
| User delegation SAS | Microsoft Entra credentials (a user delegation key requested with a Microsoft Entra identity) | Blob storage only (including Data Lake Storage Gen2) | Most secure; recommended by Microsoft. The delegation key is valid for at most seven days, which caps the SAS lifetime |
| Service SAS | Storage account key | A single resource in one service (container or blob, queue, table, file share or file) | Can be backed by a stored access policy |
| Account SAS | Storage account key | One or more services | Broadest scope |
Stored Access Policies
A stored access policy is a server-side policy on a container, queue, table, or file share that backs a service SAS, defining the start time, expiry time, and permissions that would otherwise have to be carried in the token itself. Up to five stored access policies are allowed per container, queue, table, or file share. Because the policy lives on the server, access can be revoked or extended without regenerating the account key.
Stored access policies are not supported for account SAS or user delegation SAS.
Access Keys
Every storage account has two 512-bit access keys (key1 and key2), either of which grants unrestricted access to all data in the account. Microsoft recommends storing them in Azure Key Vault, rotating them regularly, and rotating one key at a time so that clients moved to the other key keep working during the rotation.
Key rotation invalidates every service SAS and account SAS token signed with the rotated key; tokens signed with the other key keep working. A user delegation SAS is signed with Microsoft Entra credentials rather than the account key, so it is unaffected by access key rotation.
Identity-Based Access for Azure Files
Azure Files supports identity-based authentication over SMB using one of three directory services (only one can be active per storage account):
| Method | Best for |
|---|---|
| On-premises AD DS | Hybrid environments where clients are domain-joined to on-premises Active Directory |
| Microsoft Entra Domain Services | Cloud-only managed domain scenarios |
| Microsoft Entra Kerberos | Microsoft Entra joined or hybrid joined clients with no line of sight to a domain controller; user identities must be hybrid (synced from on-premises AD DS to Microsoft Entra ID) |
After enabling an identity source, assign Azure RBAC roles at the share level (e.g., Storage File Data SMB Share Contributor) and then set Windows (NTFS) ACLs at the directory and file level for finer-grained control.
SAS Type Deep Dive
Must Memorize
User delegation SAS is the most secure SAS type because it is signed with Microsoft Entra credentials, not the account key. Key rotation has no effect on user delegation SAS tokens.
Exam Trap
Stored access policies only back service SAS tokens. They are not supported for account SAS or user delegation SAS. This is a frequently tested constraint.
Ad Hoc SAS vs. Policy-Backed SAS
| Feature | Ad Hoc SAS | Policy-Backed Service SAS |
|---|---|---|
| Revocable before expiry? | No — only by rotating the key | Yes — delete or modify the stored policy |
| Expiry set | In the token URI | In the stored access policy |
| Maximum per container | N/A | 5 stored access policies |
Exam Trap
An ad hoc service SAS or account SAS cannot be revoked on its own. The only mitigation is to rotate the signing key, which also invalidates every other SAS token signed with that key. Only a policy-backed service SAS can be revoked selectively, by deleting or editing the stored access policy. (An ad hoc user delegation SAS is the exception: revoking the storage account's user delegation keys invalidates it without touching the account keys.)
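Both the revocation story above and the key-rotation behaviour in the SAS and Access Keys sections follow from how a service SAS is signed. The Python below is an added example, not Azure code: it signs a blob service SAS exactly as the documented string-to-sign for service version 2020-12-06 prescribes (sixteen newline-separated fields, HMAC-SHA256 under the base64-decoded key), and pairs it with a constructed server-side stand-in (`StorageAccountModel`) that holds the account's current keys and stored access policies. The account name, keys, container, blob, policy name, and timestamps are all constructed. Running it shows that deleting a stored policy revokes only the policy-backed token, while rotating key1 kills every ad hoc token signed with key1 but leaves one signed with key2 working.

```python
"""Service SAS signing and verification, modelled end to end.

Added example, not Azure code. The string-to-sign follows the documented
blob service SAS format for service version 2020-12-06; StorageAccountModel
is a stand-in for the server so rotation and policy deletion run offline.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"
# Constructed 512-bit keys; real keys are random, these are fixed for determinism.
KEY1 = base64.b64encode(bytes(range(0, 64))).decode()
KEY2 = base64.b64encode(bytes(range(64, 128))).decode()
KEY1_NEW = base64.b64encode(bytes(range(128, 192))).decode()


def _sign(key_b64, string_to_sign):
    """Base64(HMAC-SHA256(Base64Decode(key), UTF8(string_to_sign)))."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _string_to_sign(account, container, blob, p):
    """Blob service SAS string-to-sign; fields absent from the token are empty strings."""
    def get(k):
        return p.get(k, "")
    return "\n".join([
        get("sp"), get("st"), get("se"),
        f"/blob/{account}/{container}/{blob}",   # canonicalized resource
        get("si"), get("sip"), get("spr"), get("sv"), get("sr"),
        "",                                        # signedSnapshotTime
        "",                                        # signedEncryptionScope
        "", "", "", "", "",                        # rscc, rscd, rsce, rscl, rsct
    ])


def make_service_sas(account, key_b64, container, blob, *, permissions="", expiry="", policy_id=""):
    """Ad hoc SAS: permissions and expiry travel in the token.
    Policy-backed SAS: pass policy_id and leave permissions/expiry empty; the policy supplies them."""
    p = {"sp": permissions, "se": expiry, "si": policy_id, "spr": "https", "sv": SAS_VERSION, "sr": "b"}
    p["sig"] = _sign(key_b64, _string_to_sign(account, container, blob, p))
    return urlencode({k: v for k, v in p.items() if v})


class StorageAccountModel:
    """Server-side stand-in: the account's current keys plus its stored access policies."""

    def __init__(self, name, keys):
        self.name, self.keys, self.policies = name, dict(keys), {}

    def set_policy(self, container, policy_id, permissions, expiry):
        self.policies[(container, policy_id)] = {"sp": permissions, "se": expiry}

    def delete_policy(self, container, policy_id):
        self.policies.pop((container, policy_id), None)

    def rotate(self, key_name, new_key_b64):
        self.keys[key_name] = new_key_b64

    def authorize(self, container, blob, sas_query, now, want="r"):
        """Recompute the signature against every current key, then apply token or policy fields."""
        p = {k: v[0] for k, v in parse_qs(sas_query).items()}
        sts = _string_to_sign(self.name, container, blob, p)
        if not any(hmac.compare_digest(_sign(k, sts), p.get("sig", "")) for k in self.keys.values()):
            return False, "signature does not match any current key"
        policy = {}
        if p.get("si"):
            policy = self.policies.get((container, p["si"]))
            if policy is None:
                return False, "stored access policy not found (revoked)"
        if p.get("sp") and policy.get("sp"):
            return False, "permissions set in both token and policy"
        perms = p.get("sp") or policy.get("sp", "")
        expiry = p.get("se") or policy.get("se", "")
        if not expiry or now >= expiry:          # ISO 8601 UTC strings compare lexicographically
            return False, "expired or no expiry"
        if want not in perms:
            return False, f"permission {want!r} not granted"
        return True, "ok"


def demo():
    """Return True/False per scenario: policy deletion is selective, key rotation is not."""
    acct = StorageAccountModel("examplestore", {"key1": KEY1, "key2": KEY2})
    now, exp = "2025-06-01T12:00:00Z", "2025-06-02T00:00:00Z"
    adhoc = make_service_sas("examplestore", KEY1, "logs", "app.log", permissions="r", expiry=exp)
    via_key2 = make_service_sas("examplestore", KEY2, "logs", "app.log", permissions="r", expiry=exp)
    acct.set_policy("logs", "readonly", "r", "2025-06-30T00:00:00Z")
    backed = make_service_sas("examplestore", KEY1, "logs", "app.log", policy_id="readonly")
    r = {"adhoc": acct.authorize("logs", "app.log", adhoc, now)[0],
         "backed": acct.authorize("logs", "app.log", backed, now)[0]}
    acct.delete_policy("logs", "readonly")                    # selective revocation
    r["backed_after_policy_deleted"] = acct.authorize("logs", "app.log", backed, now)[0]
    r["adhoc_after_policy_deleted"] = acct.authorize("logs", "app.log", adhoc, now)[0]
    acct.rotate("key1", KEY1_NEW)                             # the blunt instrument
    r["adhoc_after_key1_rotated"] = acct.authorize("logs", "app.log", adhoc, now)[0]
    r["key2_sas_after_key1_rotated"] = acct.authorize("logs", "app.log", via_key2, now)[0]
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Because the signature covers the token's own `sp` and `se` fields, editing a leaked ad hoc token's permissions or expiry simply breaks the signature; the only levers the account owner has are the ones the model exposes: the policy entry (for a policy-backed token) or the key itself.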
VNet Rules and Default Action
Exam Trap
Adding a VNet rule is NOT enough to restrict network access. VNet rules have no effect unless you first set the storage account's default action to Deny. Until the default action is Deny, rules are not enforced and all traffic continues to flow.
Azure Files Identity Constraints
Must Memorize
Only one directory service (AD DS, Microsoft Entra Domain Services, or Microsoft Entra Kerberos) can be enabled per storage account at a time. Azure Files does not support MFA with Microsoft Entra Kerberos; Conditional Access policies that enforce MFA must exclude the storage account's Microsoft Entra application, or users cannot mount the share.
Configure Storage Firewall and VNet Rules
Portal → Storage account → Security + networking → Networking
- Under Public network access, select Enabled from selected virtual networks and IP addresses.
- Under Virtual networks, select Add existing virtual network, pick the VNet and subnet. (The portal automatically enables the service endpoint on the subnet.)
- Under Firewall, enter allowed IP address ranges in CIDR format.
- Under Exceptions, check services that need bypass access (e.g., Allow Azure services on the trusted services list).
- Select Save.
Generate an Account SAS Token
Portal → Storage account → Security + networking → Shared access signature (this page generates an account SAS signed with one of the access keys; a service SAS or user delegation SAS for a container or blob is generated from that container's or blob's own SAS pane, where the signing method can be the account key or a user delegation key)
- Select the Allowed services, Allowed resource types, and Allowed permissions.
- Set the Start and Expiry date/time.
- Optionally restrict to allowed IP ranges or HTTPS only.
- Select Generate SAS and connection string. Copy the SAS token value.
Configure a Stored Access Policy
Portal → Storage account → Data storage → Containers → (select container) → Access policy
- Under Stored access policies, select + Add policy.
- Enter an Identifier, set the start/expiry times, and choose permissions.
- Select OK then Save.
Rotate Access Keys
Portal → Storage account → Security + networking → Access keys
- Select Show keys to view key1 and key2.
- Move every application and connection string that uses key1 over to key2 first.
- Select Rotate key next to key1 and confirm. key1 is regenerated, and anything still using the old value loses access.
- Move applications to the new key1, then rotate key2 the same way.
Enable Identity-Based Access for Azure Files
Portal → Storage account → Data storage → File shares → Identity-based access
- Select Set up under the desired authentication method (e.g., Microsoft Entra Kerberos).
- Enable the checkbox and optionally enter domain name and GUID.
- Select Save.
- Assign a share-level RBAC role: Portal → Storage account → File shares → (share) → Access Control (IAM) → Add role assignment.
AZ-104 Exam Focus
Exam Trap
"Stored access policies work with all SAS types." → Stored access policies only back service SAS tokens. They are not supported for account SAS or user delegation SAS.
Exam Trap
"Rotating an access key invalidates user delegation SAS tokens." → Only service SAS and account SAS tokens signed with the rotated key are invalidated. User delegation SAS tokens are signed with Entra credentials and are unaffected by key rotation.
Exam Trap
"Adding a VNet rule is enough to restrict network access." → VNet rules have no effect unless you first set the storage account's default action to Deny. Until the default action is Deny, rules are not enforced.
Exam Trap
"You can enable multiple identity methods for Azure Files at the same time." → Only one Active Directory method can be enabled per storage account at a time.
Exam Trap
"An ad hoc SAS can be revoked before its expiry." → An ad hoc SAS cannot be revoked selectively; the only mitigation is to rotate the signing key. Only a policy-backed service SAS can be revoked by deleting the stored access policy.
Exam Tip
When the exam asks for the "most secure" way to grant temporary access to blobs, choose user delegation SAS: it is signed with Microsoft Entra credentials rather than the account key, so neither a leaked account key nor a key rotation affects it. It is available for Blob storage only.
Review Questions
- Q: Which SAS type is signed with Microsoft Entra credentials rather than the storage account key? A: User delegation SAS (Blob storage only).
- Q: How do you revoke a service SAS that is backed by a stored access policy? A: Delete the stored access policy (or shorten its expiry or remove its permissions); the token is rejected on the next request.
- Q: What must be set on the storage account BEFORE VNet firewall rules take effect? A: The default action must be Deny (in the portal, "Enabled from selected virtual networks and IP addresses").
- Q: What happens to service SAS and account SAS tokens when the signing key is rotated? A: Every token signed with the rotated key is invalidated; tokens signed with the other key keep working.
- Q: Which Azure Files identity method fits cloud-only Entra ID accounts with no on-premises AD DS? A: Microsoft Entra Domain Services; Microsoft Entra Kerberos requires hybrid identities synced from on-premises AD DS.
- Q: How many stored access policies can a single container support? A: Five.