AZ-104 Microsoft Azure Administrator Exam

You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!

Configure access to storage

Configure Azure Storage firewalls and virtual networks

Azure Storage includes a built-in firewall that lets you control network access to your storage account. A storage firewall uses rule sets to determine which IP addresses or subnets can reach your data. By default, all requests are denied until you explicitly allow them, helping you keep your data safe.

You can integrate Azure Storage with virtual networks (VNets) using two main methods:

  • Service Endpoints: extend your VNet identity to Azure Storage.
  • Private Endpoints: map your storage account to a private IP in your VNet.
    Underline: Private Endpoints offer the highest level of isolation by keeping traffic off the public internet.

Best practices include:

  • Restricting access to only the VNets and IP ranges you need.
  • Combining firewall rules with Azure Active Directory for user-based access.
  • Regularly reviewing your firewall and VNet configurations to ensure compliance.

Create and use shared access signature tokens

A Shared Access Signature (SAS) is a URI that grants limited access rights to Azure Storage resources without exposing your account keys. SAS tokens include information about permissions, start and expiry times, and the resource being accessed. This makes them ideal for granting temporary or scoped access.

There are two main types of SAS:

  • Account SAS: grants access to multiple services (Blob, File, Queue, Table).
  • User Delegation SAS: uses Azure AD credentials and is signed with a user’s key.
    Underline: User Delegation SAS is more secure because it ties permissions to a specific identity.

When creating SAS tokens, follow these guidelines:

  • Use the principle of least privilege by granting only the permissions that are needed.
  • Set short expiry times to limit risk if a token is compromised.
  • Always use HTTPS to protect tokens in transit.

Configure stored access policies

Stored access policies let you group and manage SAS settings at the container or share level. A stored access policy defines a reusable set of permissions, a start time, and an expiry time. You then link one or more SAS tokens to this policy.

To configure a stored access policy:

  • Create the policy on a container or file share with a unique name.
  • Specify permissions (read, write, delete, list) and time window.
  • Associate your SAS tokens with the policy by referencing its name.
    Underline: Any SAS linked to this policy inherits its rules automatically.

Using stored access policies provides key benefits:

  • You can revoke or update permissions for multiple SAS tokens at once.
  • It improves governance by centralizing permission management.
  • It makes audits easier because policies track who has access and when.

Manage access keys

Azure Storage accounts have two access keys that act like root passwords for your data. Access keys grant full permissions to all data in the storage account. Keeping these keys secure is critical to prevent unauthorized access.

Key management best practices include:

  • Regenerating your keys regularly to reduce the risk of compromise.
  • Storing keys in Azure Key Vault rather than in code or configuration files.
  • Automating key rotation with scripts or Azure Automation.
    Underline: Always rotate one key at a time to avoid service disruption.

For higher security, consider using Azure AD and role-based access instead of access keys. This allows you to grant permissions at a finer granularity without sharing root credentials.
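As an added illustration (not code from this course or from Azure), the following Python models the three mechanisms described above: a service SAS whose fields are all covered by an HMAC-SHA256 signature under an account key, a stored access policy referenced by name so its rules can be changed or revoked centrally for every SAS that names it, and key regeneration, which invalidates every SAS signed with that key and is why keys are rotated one at a time. The account name, keys, container and policy names are constructed, and the string-to-sign layout is modelled on the Blob service format as an assumption to check against the REST reference rather than used as-is.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode

# Constructed stand-ins for a storage account's key1/key2 pair (base64, like the real keys).
KEYS = {"key1": base64.b64encode(b"constructed-key-one-0123456789ab").decode(),
        "key2": base64.b64encode(b"constructed-key-two-0123456789ab").decode()}
# Stored access policies live on the container: container -> policy name -> its rules.
POLICIES = {"reports": {"auditors": {"sp": "rl", "se": "2030-01-01T00:00:00Z"}}}

def _sign(key_b64, text):
    mac = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def string_to_sign(account, container, blob, q):
    # Layout modelled on the Blob service SAS string-to-sign (assumption; check the REST reference).
    # Every access-governing field sits under the signature, so none of them can be edited in the URL.
    return "\n".join([q.get("sp", ""), q.get("st", ""), q.get("se", ""),
                      f"/blob/{account}/{container}/{blob}", q.get("si", ""), q.get("sip", ""),
                      q.get("spr", ""), q["sv"], q["sr"]] + [""] * 7)

def make_sas(account, container, blob, key_name, sp=None, minutes=None, policy=None):
    """Mint a blob SAS with inline rules (sp/se) or by referencing a stored access policy (si)."""
    q = {"sv": "2020-12-06", "sr": "b", "spr": "https"}
    if policy:
        q["si"] = policy  # rules come from the policy, so they can be changed or revoked later
    else:
        q["sp"], q["se"] = sp, (datetime.now(timezone.utc) + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%SZ")
    q["sig"] = _sign(KEYS[key_name], string_to_sign(account, container, blob, q))
    return urlencode(q)

def check_sas(account, container, blob, token, need, now=None):
    """Service-side check: signature valid under either current key, then the effective rules."""
    q = dict(parse_qsl(token))
    sig = q.pop("sig")
    text = string_to_sign(account, container, blob, q)
    if not any(hmac.compare_digest(_sign(k, text), sig) for k in KEYS.values()):
        return False, "bad signature: token tampered with or its signing key was regenerated"
    rules = POLICIES.get(container, {}).get(q["si"]) if "si" in q else q
    if rules is None:
        return False, "stored access policy deleted: every SAS referencing it is revoked"
    now = now or datetime.now(timezone.utc)
    if now > datetime.strptime(rules["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc):
        return False, "expired"
    if need not in rules.get("sp", ""):
        return False, f"permission {need!r} not granted"
    return True, "ok"

def rotate_key(name):
    """Regenerate one key: SAS signed with it stop validating; tokens on the other key keep working."""
    KEYS[name] = base64.b64encode(os.urandom(32)).decode()
```

Because `check_sas` accepts a signature under either key, regenerating key2 leaves key1-signed tokens working, while regenerating key1 afterwards cuts them off; regenerating both at once would break every outstanding token.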

Configure identity-based access for Azure Files

Azure Files supports identity-based access by integrating with Azure AD and Active Directory Domain Services. Identity-based authentication lets users sign in with their organizational credentials to access file shares over SMB or REST APIs. This removes the need for shared keys or SAS tokens.

To set up identity-based access:

  • Join your storage account to an Azure AD Kerberos realm or on-premises AD via Azure AD DS.
  • Assign users or groups Azure RBAC roles like Storage File Data SMB Share Contributor.
  • Configure NTFS permissions on file shares to match your security requirements.
    Underline: Kerberos tickets ensure secure, single-sign-on access.

Using identity-based access improves security by:

  • Enforcing centralized policy and multi-factor authentication.
  • Simplifying credential management for your team.
  • Auditing access through Azure Monitor and Azure AD logs.

Conclusion

In this section, you learned how to secure Azure Storage at multiple layers. Network controls with firewalls and VNets keep traffic protected, while SAS tokens and stored access policies let you grant and manage limited access.

Managing access keys safely and using Azure AD-based authentication for Azure Files help you reduce the risk of credential leakage. Together, these practices ensure that only the right users and applications can read, write, or delete your storage data.
