AZ-104 Microsoft Azure Administrator Exam
You're a great admin... on-prem. Now, become a great admin in the cloud and prove it by passing the Microsoft Certified: Azure Administrator Associate exam!
Manage access keys
Rotate and Regenerate Access Keys
Importance of Access Key Management
Managing access keys for Azure storage accounts matters for both security and service continuity. Every storage account has two keys, key1 and key2, and either one grants full data-plane access to the whole account (blobs, files, queues and tables), so a leaked key is equivalent to a leaked administrator credential for that account. Having two keys lets you rotate one while applications keep running on the other. Microsoft recommends setting a key expiration policy on the account so that you are reminded to rotate on a fixed schedule; regular rotation limits how long a compromised key stays usable and aligns with security best practices.
Methods for Regenerating Access Keys
Azure offers several ways to regenerate a key; none of them causes downtime by itself, provided no running application is still using the key being regenerated:
- Portal: open the storage account and go to Security + networking > Access keys, then select Rotate key next to key1 or key2.
- PowerShell: run the New-AzStorageAccountKey cmdlet with -KeyName set to either key1 or key2, for example New-AzStorageAccountKey -ResourceGroupName <rg> -Name <account> -KeyName key1.
- Azure CLI: run az storage account keys renew with --key primary or --key secondary, for example az storage account keys renew --resource-group <rg> --account-name <account> --key primary.
Regenerating a key invalidates the old value immediately, so any client still presenting it starts receiving authentication failures. The tooling does not protect you from that; the rotation sequence below does, which is why it must be followed in order.
Step-by-Step Key Rotation Process
To rotate both keys without interrupting service, follow this sequence:
- Update the connection strings in your applications to use the secondary key (key2), and confirm that every client has picked up the change, so nothing is still authenticating with key1.
- Regenerate the primary key (key1). Because all applications are now on key2, the old key1 value can be invalidated safely.
- Update the connection strings again to point to the newly generated key1, and confirm the clients have switched.
- Regenerate the secondary key (key2). At this point neither of the previously issued key values is valid anywhere, which is the goal of the rotation.
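The commands listed under the regeneration methods and the four-step sequence above, combined into one Az PowerShell script. This is an added example written for this page, not code from Microsoft or from the exam material. It assumes you have already run Connect-AzAccount with a role that includes both the listkeys and regeneratekey actions, that the resource group and account names shown are placeholders you replace, and that Update-AppConnectionString is a stub standing in for whatever actually delivers the connection string to your workload (a Key Vault secret, an App Service setting, a pipeline variable). The KeyPolicy and KeyCreationTime properties read at the end are those documented for recent Az.Storage versions; confirm them against your module version.

```powershell
# Added example: zero-downtime rotation of both storage account keys,
# following the page's sequence (move to key2, regenerate key1, move to the
# new key1, regenerate key2), then (re)apply a key expiration policy.
# Assumes Connect-AzAccount has been run; names below are placeholders.
param(
    [string]$ResourceGroup  = 'rg-storage-demo',   # assumed name
    [string]$AccountName    = 'stdemo001',         # assumed name
    [int]   $ExpirationDays = 90
)

$ErrorActionPreference = 'Stop'

function Get-ConnectionString([string]$Account, [string]$Key) {
    "DefaultEndpointsProtocol=https;AccountName=$Account;AccountKey=$Key;EndpointSuffix=core.windows.net"
}

function Update-AppConnectionString([string]$ConnectionString) {
    # Placeholder (hypothetical): replace with the mechanism your workload
    # really uses, and do not leave the secret in console output or logs.
    Write-Host 'Pushing updated connection string to application configuration'
}

function Test-KeyWorks([string]$Account, [string]$Key) {
    # Data-plane probe: listing one container succeeds only if the key is
    # currently valid, so this doubles as a check that an old key is rejected.
    try {
        $ctx = New-AzStorageContext -StorageAccountName $Account -StorageAccountKey $Key
        Get-AzStorageContainer -Context $ctx -MaxCount 1 | Out-Null
        return $true
    } catch {
        return $false
    }
}

function Get-KeyValue($Keys, [string]$Name) {
    ($Keys | Where-Object { $_.KeyName -eq $Name }).Value
}

# Step 1: move every application onto key2 so key1 can be regenerated safely.
$keys    = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName
$oldKey1 = Get-KeyValue $keys 'key1'
$oldKey2 = Get-KeyValue $keys 'key2'
Update-AppConnectionString (Get-ConnectionString $AccountName $oldKey2)

# Step 2: regenerate key1. The cmdlet returns the full key list; pick key1 out of it.
$keys    = (New-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyName key1).Keys
$newKey1 = Get-KeyValue $keys 'key1'
if ($newKey1 -eq $oldKey1) { throw 'key1 was not regenerated' }
if (-not (Test-KeyWorks $AccountName $newKey1)) { throw 'new key1 is rejected by the data plane; stopping' }
if (Test-KeyWorks $AccountName $oldKey1) { Write-Warning 'old key1 still accepted; re-check before continuing' }

# Step 3: move applications onto the fresh key1.
Update-AppConnectionString (Get-ConnectionString $AccountName $newKey1)

# Step 4: regenerate key2 so neither previously issued value remains valid.
$keys    = (New-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $AccountName -KeyName key2).Keys
$newKey2 = Get-KeyValue $keys 'key2'
if ($newKey2 -eq $oldKey2) { throw 'key2 was not regenerated' }
if (Test-KeyWorks $AccountName $oldKey2) { Write-Warning 'old key2 still accepted; re-check before continuing' }

# Set the expiration policy so the portal and Azure Policy flag the account
# once its keys are older than $ExpirationDays.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName `
    -KeyExpirationPeriodInDay $ExpirationDays | Out-Null

$acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $AccountName
Write-Host ('Rotation complete. Policy: {0} days. key1 created {1}, key2 created {2}' -f
    $acct.KeyPolicy.KeyExpirationPeriodInDays, $acct.KeyCreationTime.Key1, $acct.KeyCreationTime.Key2)
```

The two warnings rather than hard failures after regeneration are deliberate: the service invalidates a key immediately, but a probe issued within the same second can occasionally still succeed, so the script tells you to re-check instead of aborting a rotation that is already half done. The only exit-worthy condition is a fresh key that the data plane rejects, because continuing would strand applications on a key that does not work.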
To enforce rotation reminders, set a key expiration policy on the account (a number of days after key creation) and monitor compliance with Azure Policy; the built-in definition "Storage account keys should not be expired" reports any account whose keys are older than its policy allows, and the portal shows a reminder on the Access keys page once the interval has lapsed. Together these keep you aligned with your organization's rotation standard without relying on someone remembering the date.
Permissions and Best Practices
Only principals whose role includes the Microsoft.Storage/storageAccounts/regeneratekey/action permission can rotate keys; reading the current key values requires the separate Microsoft.Storage/storageAccounts/listkeys/action permission. The built-in Owner, Contributor and Storage Account Key Operator Service Role roles include both, and the last of these is the least-privilege choice for an automation identity whose only job is rotation. Microsoft also recommends that all of your applications use only one of the two keys at any given time, so that the other key is always free to be regenerated without breaking anything. Following these guidelines keeps the storage account both secure and continuously reachable while keys change.