AZ-104 Microsoft Azure Administrator Exam

You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!

Practice Test

Exam

Configure stored access policies

Configure access to storage

Define and Implement Stored Access Policies

Overview of Stored Access Policies

Stored access policies are a powerful tool used in Microsoft Azure to manage permissions for different storage resources. These policies add an extra layer of security to your data by grouping together Shared Access Signatures (SAS) and allowing modifications to parameters like start and expiry times, permissions, and even revoking them after creation. Stored access policies are particularly useful when handling service-level shared access signatures rather than account or user delegation SAS.

They ensure secure and efficient data management by providing a mechanism through which you can control who accesses the storage resources and for how long. In essence, stored access policies allow you to granulate access by specifying precise permissions and access durations.

Supported Azure Storage Resources

Stored access policies can be applied to various Azure Storage resources, offering flexibility in managing and securing your data:

  • Blob containers: Large collections of binary data, important for many cloud-based applications.
  • File shares: Azure files that need shared access across multiple users or applications.
  • Queues: Useful for asynchronous storage and messaging between application components.
  • Tables: Structured storage that supports NoSQL databases.

Each resource type has unique use cases but can all benefit from the added security and control that stored access policies provide.

Creating a Stored Access Policy

To create a stored access policy, one must use the Set Container ACL operation. This is typically authorized via a Shared Key that's part of the connection string linked to your Azure Storage account. It's important to note that Microsoft Entra credentials are not supported for this operation; thus, ensuring proper authorization is critical.

With Azure SDKs, such as the .NET client library, creating a stored access policy involves invoking methods like BlobContainerClient.SetAccessPolicy. This operation lets you define identifiers for policies and set specific access details such as permissions and effective durations.

Example Code

Creating stored access policies can be done programmatically. Below is an example using C# to demonstrate how you could set up a policy with read/write permissions that last for one day:

async static Task CreateStoredAccessPolicyAsync(string containerName)
{
    string connectionString = "";

    BlobContainerClient containerClient = new BlobContainerClient(connectionString, containerName);

    try
    {
        await containerClient.CreateIfNotExistsAsync();

        List<BlobSignedIdentifier> signedIdentifiers = new List<BlobSignedIdentifier>
        {
            new BlobSignedIdentifier
            {
                Id = "mysignedidentifier",
                AccessPolicy = new BlobAccessPolicy
                {
                    StartsOn = DateTimeOffset.UtcNow.AddHours(-1),
                    ExpiresOn = DateTimeOffset.UtcNow.AddDays(1),
                    Permissions = "rw"
                }
            }
        };
        await containerClient.SetAccessPolicyAsync(permissions: signedIdentifiers);
    }
    catch (RequestFailedException e)
    {
        Console.WriteLine(e.ErrorCode);
        Console.WriteLine(e.Message);
    }
    finally
    {
        await containerClient.DeleteAsync();
    }
}

This script demonstrates the essential steps for configuring a stored access policy, including setting up multiple identifiers and handling potential errors during the operation.

Key Points

  • Stored access policies offer a way to fine-tune data security in Azure by defining strict permissions and access terms.
  • They are specifically used for service-level SAS, providing a strategic method to manage who has access to Azure Storage resources.
  • By adjusting policies to the particular needs of your organization, you can optimize resource security and control, ultimately ensuring reliable data management strategies.

Conclusion

In conclusion, stored access policies contribute significantly to managing secure access controls in Azure. They allow precise permissions settings and enable dynamic control over who can interact with various storage locations within your cloud infrastructure. These policies enhance security measures while providing you with the tools needed to efficiently administer storage resources within Microsoft Azure. Understanding how to properly define and implement these policies will help ensure your organizational data remains protected and managed effectively through thoughtful governance strategies.

Create and use shared access signaturetokensManage access keys