Storage Account Configuration — Tiers, Redundancy & Account Kind Capabilities
Azure Storage accounts come in several kinds, and each kind determines which services are available, which redundancy options are supported, and whether features like lifecycle management or archive tiering are accessible. Choosing the wrong account kind at creation time can permanently lock you out of certain capabilities, so understanding these boundaries is essential.
For Azure Data Lake Storage Gen2, enable the hierarchical namespace option on a StorageV2 account at creation time. This transforms the account into a filesystem-like structure with true directory semantics, which is required for analytics workloads such as Azure Synapse and HDInsight.
| Feature | StorageV2 | BlobStorage | BlockBlobStorage (Premium) | FileStorage (Premium) |
|---|---|---|---|---|
| Archive tier | Yes (Standard) | Yes (Standard) | No (Premium) | No |
| Lifecycle management (tiering) | Yes | Yes | No tiering | No |
| ZRS conversion | Yes (Standard) | No | No | Yes (Premium) |
| Blob storage | Yes | Yes (blobs only) | Yes (block + append blobs) | No |
| Azure Files | Yes | No | No | Yes |
| Queue / Table | Yes | No | No | No |
BlobStorage accounts only support LRS, GRS, and RA-GRS redundancy. ZRS is not available for BlobStorage accounts. To use ZRS, the account must be StorageV2 (general purpose v2). BlobStorage is also a legacy account type scheduled for retirement — new deployments should use StorageV2.
BlockBlobStorage accounts use Premium storage, which has no concept of Hot/Cool/Archive access tiers. Because of this, lifecycle management rules that tier blobs are not supported. However, delete-based lifecycle rules do work — you can still automatically delete blobs after a number of days. Only the tier-transition actions are unavailable.
Different account kinds also determine which storage workloads — blob containers versus file shares — you can create within them. StorageV2 is the most versatile, supporting all services. FileStorage and BlobStorage are specialised accounts designed for a single workload type.
| Account Kind | Blob Container | Azure File Share (SMB) | Queue / Table |
|---|---|---|---|
| StorageV2 (general purpose v2) | Yes | Yes | Yes |
| BlobStorage | Yes (blobs only) | No | No |
| BlockBlobStorage (Premium) | Yes (block + append blobs) | No | No |
| FileStorage (Premium) | No | Yes | No |
If you need to create an Azure File share (SMB), the storage account must be either StorageV2 or FileStorage. BlobStorage and BlockBlobStorage accounts do not support Azure Files at all. StorageV2 is the most flexible choice, supporting both blobs and file shares within a single account.
When configuring diagnostic settings for a Recovery Services vault — for example, to send Azure Backup report logs to a storage account — both the storage account and any Log Analytics workspace must be in the same Azure region as the vault. A vault in West Europe can only send diagnostics to destinations also located in West Europe. This is a per-resource constraint on diagnostic settings, not a subscription-wide limitation.
Storage Account Key Management & Data Plane Roles
Access to an Azure Storage account can be controlled through management-plane RBAC roles or through data-plane roles. Management-plane roles govern the ability to administer the storage account itself — including listing or regenerating its access keys. Data-plane roles govern the ability to read or write the actual stored data. Understanding the distinction is important because some roles give key access without data access, and vice versa.
| Role | List Keys | Regen Keys | Read Blob Data |
|---|---|---|---|
| Storage Account Key Operator Service Role | Yes | Yes | No |
| Storage Account Contributor | Yes | Yes | No (via keys indirectly) |
| Reader and Data Access | Yes | Yes | Yes (via keys) |
| Storage Account Encryption Scope Contributor | No | No | No |
| Storage Blob Data Reader | No | No | Yes (blobs only, via Entra) |
| Storage Blob Data Contributor | No | No | Yes (read + write blobs) |
Three roles have the ability to both list and regenerate storage account keys: Storage Account Key Operator Service Role, Storage Account Contributor, and Reader and Data Access. The Storage Account Encryption Scope Contributor role specifically grants management of encryption scopes only — it does not grant key management capabilities.
When a user needs to upload files to blob storage through the Azure portal using their Entra ID credentials, two roles are required together. The Reader role provides visibility into the storage account within the portal (management plane). The Storage Blob Data Contributor role grants the actual ability to write blob data (data plane). Neither role alone is sufficient — Reader without Storage Blob Data Contributor gives portal access but no write permission; Storage Blob Data Contributor alone may not provide portal navigation.
When building a custom role to allow users to view storage account configuration without touching data or keys, the correct permission to include in the role definition is "Microsoft.Storage/storageAccounts/read". This grants read-only access to the storage account's configuration properties. The broader wildcard "Microsoft.Storage/storageAccounts/*" would also grant write and delete operations, violating least privilege. Data-plane paths like blobServices/containers/blobs/read refer to blob data access, not account configuration.
Storage Account Network Access, Private Endpoints & Trusted Services Bypass
By default, Azure Storage accounts accept connections from all networks over the public internet. When you need to restrict access — for example, limiting which virtual networks or IP addresses can reach the storage account — you work with the Firewalls and virtual networks settings in the portal. The first action when restricting public access is modifying the Public network access setting, not adding private endpoints or changing IAM settings.
Two approaches exist for giving VNet-based resources access to storage without routing traffic over the public internet: service endpoints keep the storage account publicly addressable but route VNet traffic through the Azure backbone; private endpoints assign the storage account a private IP address inside the VNet, removing its public-internet exposure entirely.
| Service Endpoint | Private Endpoint | |
|---|---|---|
| Traffic path | Azure backbone, but storage still has a public IP | Private IP inside the VNet; fully off the public internet |
| DNS | No change — uses same public FQDN | Private DNS zone maps FQDN to private IP |
| Cross-region | Supported via Microsoft.Storage.Global service endpoint | Supported; private IP is region-local but accessible cross-region |
| Public access after setup | Storage can still be accessed publicly unless firewall also restricts it | Public access must be separately disabled via firewall — private endpoint alone does not block public access |
Creating a private endpoint does not remove the storage account from the public internet on its own. Public access remains available unless you also configure the storage account's firewall to deny public network access. The two steps are separate: add private endpoint, then set Public network access to "Disabled" or restrict it to selected networks.
When a storage account has firewall rules that restrict access to specific VNets or IP ranges, certain first-party Microsoft services can still reach the account through a bypass mechanism. This is configured in ARM templates as "bypass": "AzureServices" in the networkAcls section. Services that benefit from this bypass include Azure Backup, Azure Site Recovery, Azure Event Grid, Azure Event Hubs, and Azure IoT Hub, among others. The complete list of trusted services is available in the Azure Storage firewall documentation.
When a storage account has VNet firewall rules that block traffic from unlisted subnets, Azure Backup can still back up unmanaged VM disks stored in that account. Azure Backup is a trusted first-party service and is automatically permitted via the AzureServices bypass. Regular VM traffic from non-whitelisted subnets is still blocked — only Azure Backup's own service operations are permitted through the bypass.
A VM running in Azure is not automatically considered a "trusted service" just because it is hosted in Azure. The bypass applies only to specific Microsoft platform services (like Azure Backup, Event Grid, etc.), not to arbitrary Azure-hosted virtual machines or applications. A VM on a subnet not explicitly whitelisted in the firewall is still blocked, even if it is an Azure resource in the same subscription.
Service Endpoints & Service Endpoint Policies
A virtual network service endpoint extends the VNet's identity into the Azure service's network, so that traffic from a subnet reaches the storage service over the Azure backbone rather than the public internet. The storage account can then be configured to allow traffic only from that specific subnet — effectively creating a network-layer whitelist without needing a private endpoint or VPN.
- A service endpoint is enabled on a subnet (e.g., Microsoft.Storage).
- The storage account's firewall is then configured to allow that specific subnet.
- Traffic from the subnet reaches storage via the Azure backbone — the subnet's private IP becomes the source IP at the storage level.
- The storage account still has a public DNS name and public IP; the firewall is what restricts who can reach it.
- The Microsoft.Storage.Global endpoint variant extends this to cross-region storage access over the backbone.
Without a service endpoint policy, a subnet with a Microsoft.Storage service endpoint can reach any storage account in Azure. A service endpoint policy narrows this down so that the subnet can only communicate with specific, explicitly named storage accounts. This prevents lateral movement — for example, a compromised VM cannot exfiltrate data to an attacker's storage account even though the storage service endpoint is enabled.
A service endpoint policy can only be applied to subnets in the same Azure region as the policy itself. A policy created in South Central US cannot be applied to a subnet in East US. Additionally, before a service endpoint policy can be applied to a subnet, that subnet must already have the Microsoft.Storage service endpoint enabled. The policy refines which storage accounts are reachable — it does not replace the need for the service endpoint itself.
When you need to ensure that VM traffic to a storage account travels over the Microsoft backbone network rather than the public internet, the correct Azure feature to configure on the VNet is a service endpoint (not Azure Peering Service, not Application Proxy, not Application Gateway). The number of service endpoints needed depends on how many distinct Azure services need backbone connectivity — for example, if VMs need backbone access to both storage and Azure Active Directory, that is two separate service endpoints to add to the VNet.
Blob Inventory Rules
Blob inventory is a feature that generates a scheduled report — in CSV or Apache Parquet format — listing all blobs or containers in a storage account along with their properties and metadata. It is useful for auditing, cost analysis, and compliance tracking at scale. Inventory rules are defined in ARM templates or through the portal, and each rule specifies exactly what to capture and how often.
blobTypes— specifies which blob subtypes to include in the report. Valid values areblockBlob,appendBlob, andpageBlob. Note thatpageBlobis not available for accounts with hierarchical namespace (Data Lake Gen2) enabled.prefixMatch— filters the report to include only blobs whose names begin with a specified prefix. The prefix is matched against the container name portion of the path. For example, to capture only blobs in containers whose names start with "finance", setprefixMatchto"finance"— not the full path, just the prefix string.schedule— controls how frequently the inventory report is generated. The two options areDailyandWeekly.objectType— determines whether the report inventories individualblobobjects orcontainerobjects.format— the output can beCsvorParquet. The report is always saved to a blob container within the same storage account.
The prefixMatch field filters by the beginning of the container name (or a container-and-path prefix). To match only blobs in containers whose names start with "finance", the value should be "finance". It is not a full path like "container1/finance" — the prefix is matched starting from the container name. The destination container for the inventory output report is configured separately and is not affected by the prefix filter.
Azure Blob Object Replication
Object replication asynchronously copies block blobs from a source storage account to a destination storage account. It is designed for cross-region redundancy, data locality, and reducing read latencies by keeping a copy of data closer to consumers. The replication is asynchronous — there is no guaranteed recovery point objective (RPO), meaning there is always some potential lag between source writes and destination availability.
- Both the source and destination accounts must be general-purpose v2 (StorageV2) or Premium Block Blob accounts. BlobStorage accounts are not supported.
- Blob versioning must be enabled on both the source and destination accounts.
- Change feed must be enabled on the source account so that Azure can track which blobs have changed and need to be replicated.
- Object replication is not supported on accounts with hierarchical namespace (Data Lake Gen2) enabled.
- Archive-tier blobs cannot be replicated — only Hot and Cool blobs are replicated.
When setting up object replication, you configure a replication policy that maps source containers to destination containers. The destination account needs a container to receive the replicated blobs. File shares, queues, and tables are not part of object replication — only blob containers participate. The replication policy is defined on the source, and the destination container must already exist before replication can begin.
Object replication works cross-region and cross-subscription, as long as both subscriptions are within the same Azure Active Directory tenant. It is unidirectional — blobs replicate from source to destination, not both ways. If bidirectional replication is needed, two separate replication policies must be configured (one in each direction).
Stored Access Policies & Immutable Blob Storage
Azure Storage provides two mechanisms for controlling how long data can be accessed or retained. Stored access policies attach constraints to SAS tokens at the container level. Immutable blob storage enforces a write-once, read-many (WORM) model at the blob or container level, ensuring data cannot be modified or deleted for a defined period.
- Stored Access Policies: a maximum of 5 stored access policies can be defined per container. This limit also applies to queues, tables, and file shares. For example, if a container already has 2 stored access policies, you can create up to 3 more — not 4 or 5 additional ones.
- Immutable time-based retention policy: a maximum of 1 time-based retention policy per container. If a container already has one time-based retention policy locked or unlocked, no additional time-based retention policies can be created for that container. A separate legal hold can coexist alongside the single time-based policy.
- Time-based retention policy: blobs are protected from modification and deletion for a fixed interval. The policy can be in an unlocked state (configurable) or a locked state (permanent — interval can only be increased, never shortened or deleted). Once locked, the policy cannot be removed until all blobs within it have outlived the retention period.
- Legal hold: blobs are protected indefinitely until the legal hold tag is explicitly cleared. There is no time period — it holds as long as the tag exists. Multiple legal hold tags can be applied to a single container simultaneously.
To prevent new content added to a container from being modified for a specific duration — for example, one year — configure an immutable time-based retention policy on the container and set the retention interval to 365 days. This is done through the container's Access policy settings in the portal. It is not an IAM role assignment, an access policy, or an access tier change — those do not impose write protection on existing or future blob content.
Storage Encryption Scopes
By default, all data in a storage account is encrypted using a single account-wide key — either Microsoft-managed or a customer-managed key from Azure Key Vault. Encryption scopes allow you to go one level deeper by assigning a different encryption key to a specific container or individual blob, all within the same storage account. This is useful when different containers hold data from different clients or tenants, each requiring separate key management.
To encrypt one container with a key that is different from the rest of the storage account, first create an encryption scope in the storage account and associate it with the desired key from Key Vault. Then, when creating the container, assign that encryption scope to it. The scope must exist before the container is created. Other operations such as rotating access keys, modifying the TLS version, or generating SAS tokens have no bearing on per-container encryption key selection.
Encryption scopes can only be applied to blob containers and the blobs within them. They do not extend to Azure Files (file shares), Azure Tables, or Azure Queues. Those services are encrypted using the account-wide encryption key and do not support per-container encryption scope assignment. An encryption scope created in one storage account also cannot be used by a different storage account — it is bounded to the account where it was created.
A common scenario presents a case study where an encryption scope is created in storage account A but the question asks whether it can encrypt content in storage account B. The answer is no — scopes are account-bounded. Similarly, a scope can encrypt containers and blobs, but not file shares or tables, even if those services exist in the same account.
SAS Tokens — Expiry, IP Restrictions & Scope
A Shared Access Signature (SAS) is a URI that grants time-limited, permission-scoped access to Azure Storage resources. It encodes constraints — allowed services, resource types, permissions, start and expiry times, and permitted IP ranges — directly into the token. All constraints are evaluated together: access is denied if any single constraint is not satisfied.
- If the client's IP address falls outside the allowed IP range specified in the SAS, all requests are denied regardless of permissions or timing.
- If the current time is past the SAS expiry date, the token is no longer valid and all requests are denied.
- If the client's IP is within range and the request is within the validity window, the client receives exactly the permissions encoded in the SAS — no more, no less.
- A SAS token cannot grant permissions that exceed those held by the user or key used to generate it.
| SAS Type | Signed With | Scope | Notes |
|---|---|---|---|
| Account SAS | Storage account key | Entire account, multiple services | Broadest scope; grants access across services, resource types, and operations as configured |
| Service SAS | Storage account key | Single service (Blob, File, Queue, or Table) | More targeted than Account SAS; scoped to one service type |
| User Delegation SAS | Microsoft Entra credentials | Blob service only | Does not use the storage account key; works even when key access is disabled on the account |
A SAS token cannot grant rights that the person or service generating it does not already possess. If a user assigned Storage Blob Data Reader generates a SAS, the SAS cannot write or delete blobs — even if those permissions are selected during generation. The effective permissions are the intersection of what the SAS specifies and what the signing identity is authorised to do.
SAS Expiry Policy & Warning Threshold
Azure Storage provides a built-in mechanism to enforce recommended expiry boundaries on SAS tokens generated for an account. This helps prevent the creation of overly long-lived SAS tokens that would represent a security risk if the token were leaked or misused.
- The setting is called Shared access signature (SAS) expiration policy and is configured in the storage account under Settings → Configuration.
- You set a maximum allowed SAS interval in days. When a user generates a SAS with a duration that exceeds this interval, a warning message is displayed in the Azure portal at the time of generation.
- This is a storage account-level configuration — not an Azure Policy, not a lifecycle management rule, and not a resource lock.
- In addition to the warning, you can configure the policy to block the generation of SAS tokens whose duration exceeds the threshold, actively denying out-of-policy requests rather than just warning.
The SAS expiry warning is not an Azure Policy definition, not an alert rule, and not a lifecycle management rule. It is a dedicated storage account configuration that governs SAS generation behaviour. If users are generating overly long SAS tokens and you need to surface a warning or block those tokens, this is the correct setting to enable — configured directly on the storage account.
Azure Files — Identity-Based Access & AD DS Integration
Azure Files supports identity-based authentication for SMB file shares, which allows users to access shares using their existing directory credentials rather than a storage account key. This is the same experience as accessing a traditional on-premises file server using Windows credentials. Three identity source options are available, each suited to a different hybrid or cloud-only topology.
| Identity Source | User Type Supported | Requires |
|---|---|---|
| On-premises AD DS | Hybrid users synced from AD DS to Entra ID via Entra Connect | Domain join of the storage account to the AD DS domain; users must exist in AD DS and be synced |
| Microsoft Entra Domain Services | Entra ID users, including cloud-only users, if the managed domain is set up | An Entra Domain Services managed domain must be provisioned in the same tenant |
| Microsoft Entra Kerberos | Hybrid and cloud-only Entra ID users directly | No on-premises infrastructure required; supports modern authentication for cloud-native scenarios |
When the identity source is set to on-premises AD DS, only users who exist in AD DS and have been synchronised to Entra ID via Entra Connect can authenticate. A user created directly in the Entra ID portal (a cloud-only user) has no corresponding AD DS account and therefore cannot authenticate to the file share using Kerberos — access will be denied. For cloud-only users, the identity source must be Entra Domain Services or Entra Kerberos.
Before assigning Azure RBAC roles such as Storage File Data SMB Share Contributor, Reader, or Elevated Contributor to users for a specific file share, identity-based data access must first be enabled at the storage account level. This means configuring an authentication source (AD DS, Entra Domain Services, or Entra Kerberos) on the storage account. Without this configuration, the SMB RBAC role assignments exist in IAM but have no functional effect when users attempt to connect via SMB.
When identity source is configured and the Default share-level permissions setting is set to "Enable permissions for all authenticated users and groups", any user who successfully authenticates can access the share with the default permission level. Individual users or groups can then be given elevated or restricted access via explicit role assignments on the share. In a scenario where only OU1 is synced from AD DS, users in OU1 can access the share but cloud-only users or users from unsynced OUs cannot.
AzCopy — Commands, Platform Support & Authentication Methods
AzCopy is a command-line utility for moving data to and from Azure Storage. It runs on Windows, Linux, and macOS. Understanding which command to use for which operation, and how authentication differs between Blob and File services, is frequently tested.
azcopy make <URL>— creates a new blob container, file share, queue, or Data Lake filesystem. The URL must use the correct service endpoint. For a blob container:https://account.blob.core.windows.net/containername. For a file share:https://account.file.core.windows.net/sharename. For a Data Lake filesystem:https://account.dfs.core.windows.net/filesystemname. There is noimagesendpoint — it does not exist.azcopy copy <source> <destination> --recursive— copies a local folder and all its contents to a destination blob container (or file share). The--recursiveflag is required to include subdirectories.azcopy sync <source> <destination>— compares source and destination and transfers only files that have changed. This is for synchronisation, not initial bulk copy. The--snapshotflag is not a valid AzCopy sync option.- The Azure CLI commands
az storage blob copy startandaz storage blob copy start-batchare for server-side blob copies within or between Azure storage accounts — they do not support copying from a local path likeD:\Folder1.
| Storage Type | OAuth (Entra ID) | SAS Token | Account Key |
|---|---|---|---|
| Blob storage | Yes — recommended | Yes | Yes |
| Azure Files | Yes (newer capability) | Yes | Yes |
AzCopy v10 (the current supported version) supports copying data to and from Blob and File storage only. Table storage was supported in the legacy v7.3 but is not available in v10. Queue storage is not supported in any version of AzCopy. This is relevant when asked which services in a storage account AzCopy can target.
CMK Encryption — RSA Key Type & Supported Key Sizes
Azure Storage encrypts all data at rest by default using Microsoft-managed keys. For greater control over the encryption key lifecycle, you can configure customer-managed keys (CMK) stored in Azure Key Vault. CMK lets you control key rotation, revocation, and auditing. The choice of key type and size is constrained by what Azure Storage supports.
| Key Type | Supported Sizes | Notes |
|---|---|---|
| RSA | 2048, 3072, or 4096 bits | Software-protected key in Key Vault. All three sizes are valid — 8192 is not supported. |
| RSA-HSM | 2048, 3072, or 4096 bits | Hardware Security Module-backed RSA key in a Managed HSM or Key Vault Premium. Same size options as RSA. |
| EC / EC-HSM | Not supported | Elliptic curve keys (P-256, P-384, P-521) cannot be used for Azure Storage CMK encryption. |
| 3DES / AES | Not applicable | Not valid key types for CMK in Azure Key Vault for this purpose. |
The supported key type for Azure Storage customer-managed encryption is RSA (or RSA-HSM). EC (Elliptic Curve), 3DES, and AES are all wrong answers. The maximum supported bit length is 4096, but 2048 and 3072 are also valid. When a question specifies "maximum supported bit length," the answer is 4096 bits.
The Azure Key Vault used to store the CMK must have both soft delete and purge protection enabled. These settings prevent the accidental or malicious deletion of the key, which would render the storage account's data permanently inaccessible. Without these protections, Azure will not allow the storage account to be linked to that Key Vault for CMK purposes.
Azure Files — SMB Port 445 & UNC Path Format
Azure Files uses the SMB protocol to serve file shares over the network. SMB operates on TCP port 445, which must be open outbound from any client machine that maps a drive to an Azure Files share. This port is frequently blocked by home ISPs and some corporate firewalls, which is the most common reason drive mapping to Azure Files fails from off-premises networks.
- Port 445 (TCP) — SMB. Required for Azure Files drive mapping.
- Port 443 (TCP) — HTTPS. Used for Azure portal, REST APIs, and Azure Bastion.
- Port 3389 (TCP) — RDP. Used for Windows Remote Desktop connections.
- Port 22 (TCP) — SSH. Used for Linux remote access.
- Port 80 (TCP) — HTTP. Web traffic; not used for Azure Files.
To map a drive or reference an Azure file share in a script, the UNC path follows this format:
\\storageaccountname.file.core.windows.net\sharename
For example, a storage account named contosostorage with a share named data is referenced as \\contosostorage.file.core.windows.net\data. The account name appears first, followed by the fixed endpoint domain file.core.windows.net, and then the share name — not the other way around.
Azure Files is accessed via the file.core.windows.net endpoint. The blob endpoint (blob.core.windows.net) is for Blob storage only. These endpoints are different services — a path like \\contosostorage.blob.core.windows.net\data would not work for file share access.
SAS Token vs Storage Account Key — Access Model
Both SAS tokens and storage account keys can grant access to Azure Storage, but they operate at fundamentally different levels of control and scope. Understanding their differences — and when one is preferred over the other — is important for access design and security.
| SAS Token | Storage Account Key | |
|---|---|---|
| Scope | Constrained — specific services, resource types, and permissions encoded at generation | Full access to all services and operations in the account |
| Expiry | Built-in expiry; access automatically ends at the specified time | No expiry — valid until manually rotated or disabled |
| RBAC interaction | Cannot escalate beyond the generating user's permissions | Bypasses RBAC entirely — grants full account-level access |
| Revocation | Revocable via stored access policy or by disabling key access | Revoked by rotating or disabling the key |
A storage account key is a master credential. Anyone who possesses a storage account key can perform any operation on any data in that account — reading blobs, writing files, modifying queues — regardless of what RBAC roles they have been assigned. This is why key access should be tightly controlled and why managed identity with RBAC roles is the preferred access method for applications.
Storage Account Routing Preference
Routing preference controls how inbound data traffic travels from the public internet to an Azure Storage account. It is relevant when a storage account is accessed by clients in multiple geographies and you want to control the balance between performance and egress cost.
- Microsoft network routing (default) — traffic enters the Microsoft global WAN at the point of presence closest to the client's location and travels entirely over Microsoft's private backbone to reach the storage account. This minimises latency for the end user because the data traverses the internet for the shortest possible distance before entering Microsoft's fast private network.
- Internet routing — traffic travels over the public internet until it reaches the Azure region where the storage account is located, then enters Microsoft's network at the region edge. This can reduce Microsoft's egress costs and may be preferred for cost-sensitive workloads where latency is less critical.
Routing preference controls the path that public traffic takes to reach the storage account. It does not restrict which clients can connect (that is the firewall), does not distribute load across multiple accounts (that is load balancing), and does not remove the account from the public internet (that is private endpoints). When the requirement is to minimise network costs for a storage account accessed from many regions, modifying the routing preference to internet routing is the relevant setting.
SAS Token — Resource Types & Permissions for Blob Access
When generating an Account-level SAS token, you independently select the allowed services, resource types, and permissions. Getting this combination right is critical for applying least-privilege access. Selecting too many resource types or permissions grants broader access than required; selecting too few makes the SAS non-functional for its intended purpose.
| Resource Type | What It Covers | When Required |
|---|---|---|
| Service (s) | Service-level operations such as listing all containers in the account | When listing containers across the entire account is needed |
| Container (c) | Container-level operations — listing blobs within a specific container | When enumerating (listing) the blobs inside a container |
| Object (o) | Individual object operations — reading, writing, or deleting specific blobs | When downloading or reading individual blob files |
To allow a SAS token to list blobs and download their contents from a specific container, the minimum required combination is:
- Container (resource type) — to list blobs within the container
- Object (resource type) — to read/download individual blobs
- Read (permission) — to read the content of blob objects
- List (permission) — to enumerate blobs within the container
The File resource type is for Azure Files (SMB), not Blob storage. The Filter permission is for blob index tag queries and is not needed for enumerate-and-download scenarios. When a question presents a set of six options and asks for the minimum three, the answer is Container, Object, and Read (with List implied by Container for enumeration).
When you need users to see only specific blobs based on their blob index tags — for example, restricting visibility to blobs tagged with a certain department — the correct solution is a role assignment condition (Azure ABAC), not a SAS token and not a stored access policy. A role assignment condition allows you to filter which blobs a user with, say, Storage Blob Data Reader can actually see, based on tag values.
Blob Access Tier — Early Deletion Penalties
Azure Blob Storage applies a minimum storage duration requirement to the Cool, Cold, and Archive tiers. If a blob is deleted from, or moved out of, one of these tiers before the minimum period has elapsed, an early deletion charge is applied for the remaining days. This is important to account for when designing lifecycle management rules or planning manual tier changes.
| Tier | Minimum Duration | Early Deletion Penalty? |
|---|---|---|
| Hot | None | No — can delete or move at any time |
| Cool | 30 days | Yes — if moved or deleted within 30 days of entering Cool |
| Cold | 90 days | Yes — if moved or deleted within 90 days of entering Cold |
| Archive | 180 days | Yes — if rehydrated (moved to Hot/Cool) or deleted within 180 days of entering Archive |
An early deletion charge is triggered any time a blob leaves a tier before the minimum duration — this includes both direct deletion and moving the blob to a different tier. Moving a blob from Cool to Archive after only 14 days in Cool incurs an early deletion charge for the remaining 16 days of the Cool minimum. Rehydrating a blob from Archive after only 90 days incurs an early deletion charge for the remaining 90 days of the Archive minimum.
Blobs are created on January 1 in the default Hot tier (no minimum — no penalty clock running).
File1 is moved to the Archive tier on January 1 (same day as creation). On April 5 (day 94), it is rehydrated to Cool. Archive minimum is 180 days. File1 has only been in Archive for 94 days, so an early deletion penalty applies for the remaining 86 days. Yes, penalty.
File2 is created directly in the Cool tier. On January 15 (day 14), it is moved to Archive. Cool minimum is 30 days — File2 has only been in Cool for 14 days, so an early deletion penalty for 16 days applies. Yes, penalty.
File3 is created in the Hot tier and deleted on January 5 (day 4). Hot has no minimum duration. No penalty.
VM Backup Policy Types — Standard vs Enhanced
Within a Recovery Services vault, Azure Backup offers two backup policy types for virtual machines. The policy type must match the VM's security configuration — specifically, whether the VM uses standard security features or Trusted launch (which includes Secure Boot and vTPM). Selecting the wrong policy type results in a failed backup job.
| VM Configuration | Standard Policy | Enhanced Policy |
|---|---|---|
| Standard Windows or Linux VM | Yes | Yes |
| VM with Azure Disk Encryption (ADE) | Yes | Yes |
| Trusted launch VM (Secure Boot + vTPM) | No — not supported | Yes — required |
| Confidential VM | No | Yes |
VMs configured with Trusted launch security — which enables Secure Boot and a virtual Trusted Platform Module (vTPM) — cannot be protected using a Standard backup policy. An Enhanced backup policy is required. If you assign a Standard policy to a Trusted launch VM and attempt a backup, it will fail. Always check the VM's security type before selecting a backup policy in the vault.
VM backup always uses a Recovery Services vault. Azure Backup vault is a newer vault type designed for managed disks, blobs, PostgreSQL, and AKS backup — not for virtual machines. A backup policy created in an Azure Backup vault has no option for VM protection. When asked which vault to use for VM backup, the answer is always Recovery Services vault.
Blob Lifecycle Management — Automated Tier Transitions and Deletion
Lifecycle management policies let you define rules that automatically move or delete blobs based on how old they are or when they were last accessed. This removes the need to manually manage blob tiers as data ages, and significantly reduces storage costs for data that becomes infrequently accessed over time. Lifecycle management is available on StorageV2 and BlobStorage accounts only — not on BlockBlobStorage or FileStorage accounts.
Each rule has two sections: actions (what happens to matching blobs) and filters (which blobs the rule applies to).
"actions": {
"baseBlob": {
"tierToCool": { "daysAfterModificationGreaterThan": 45 }
}
},
"filters": {
"blobTypes": ["blockBlob"],
"prefixMatch": ["container1/"]
}
| Condition | Triggers Based On | Use When Requirement Says |
|---|---|---|
daysAfterModificationGreaterThan | Days since the blob was last written to or modified | Blob has not been updated for N days |
daysAfterCreationGreaterThan | Days since the blob was first created | Blob is older than N days regardless of access or updates |
daysAfterLastAccessTimeGreaterThan | Days since the blob was last read or written | Blob has not been accessed (requires last access time tracking to be enabled on the account) |
The phrase "blobs that were not updated for 45 days" refers to modification time — the last write. The correct condition is daysAfterModificationGreaterThan: 45. "Not accessed" (including reads) requires daysAfterLastAccessTimeGreaterThan with last-access-time tracking enabled. "Older than N days" from creation uses daysAfterCreationGreaterThan. These are three distinct conditions that are easy to confuse in exam scenarios.
Lifecycle management tier-transition actions — tierToCool, tierToCold, and tierToArchive — only work on blockBlob type blobs. Append blobs and page blobs do not support access tier changes. However, delete actions in lifecycle rules can apply to all three blob types. When the action is tiering, the blobTypes filter must be set to ["blockBlob"].
- Action:
tierToArchive— Archive is the lowest-cost blob storage tier - Condition:
daysAfterModificationGreaterThan: 90 - Blob type filter:
"blockBlob"
If multiple lifecycle rules match a blob simultaneously (due to overlapping prefix filters), Azure applies the rule that results in the most cost-effective outcome — typically the most aggressive tier change or deletion. Rules are not applied in order of definition. Once a blob is deleted by a delete rule, no subsequent tier-change rules can act on it because the blob no longer exists.
Storage Account — Settings That Cannot Be Changed After Creation
Several storage account properties are permanently fixed at creation time and cannot be modified on an existing account. Understanding which settings are immutable versus mutable is important for planning — and for recognising what can and cannot be reconfigured in post-deployment scenarios.
- Performance tier (Standard vs Premium) — determined by the underlying storage hardware; Standard and Premium use different backends that cannot be switched.
- Account kind (StorageV2, BlobStorage, FileStorage, BlockBlobStorage) — the account type defines which services and features are available and is set permanently at creation.
- Infrastructure encryption — an additional layer of encryption applied at the hardware level. Must be enabled at creation time and cannot be enabled or disabled on an existing account.
- Premium account sub-type (Block Blobs, File Shares, or Page Blobs) — for Premium accounts, the storage sub-type is fixed at creation.
- Encryption key source — can switch between Microsoft-managed keys and customer-managed keys at any time after creation.
- Redundancy (replication) — LRS, GRS, ZRS, and GZRS can generally be changed after creation, subject to account kind and tier constraints.
- Default access tier (Hot vs Cool) — can be updated post-creation.
- Blob public access, HTTPS-only, TLS version — all mutable post-creation.
- Network rules and firewall settings — VNet rules and IP allowlists can be added, modified, or removed at any time.
Encryption key source (whether the key is Microsoft-managed or customer-managed) can be changed after creation. Infrastructure encryption (a second layer of hardware-level encryption) cannot be changed after creation — it must be enabled at the time the account is first created. These two settings are distinct and frequently appear together in exam options designed to test whether you know which one is immutable.
Storage Account Key Access Disabled — Impact on SAS Token Types
Azure Storage accounts have a configuration option called Allow storage account key access. When this is disabled, the account's access keys are invalidated — they cannot be used to authenticate any requests. This has a cascading impact on which SAS token types remain functional, since two of the three SAS types are generated using the storage account key.
| SAS Type | Signed With | Works When Key Disabled? |
|---|---|---|
| Account SAS | Storage account key | No — key required for generation and validation |
| Service SAS | Storage account key | No — key required for generation and validation |
| User Delegation SAS | Microsoft Entra credentials (OAuth) | Yes — does not use the storage key at all |
A User Delegation SAS is signed using the generating user's Entra ID token rather than the storage account key. It is scoped to Blob storage only (not Azure Files, not Queues). When key access is disabled on the account, User Delegation SAS is the only SAS mechanism that continues to function for blob access. Existing Account SAS and Service SAS tokens that were previously generated become immediately invalid when key access is disabled.
Azure Files traditionally uses the storage account key to broker SMB Kerberos authentication. If key access is disabled and identity-based authentication (AD DS, Entra Kerberos, or Entra Domain Services) is not configured on the account, SMB access to file shares becomes inaccessible. Re-enabling key access or configuring identity-based auth are the remediation paths.
If a user has a copy of the storage account key (as a string), but the account's "Allow storage account key access" setting is Disabled, that key string cannot authenticate any request. The setting takes precedence over the key's existence. Any SAS tokens previously generated from that key are also immediately invalidated — they stop working the moment the setting is disabled.
Blob Access Tiers — Instant Access vs Archive Rehydration
Not all Azure Blob storage tiers are immediately readable after being set. Hot, Cool, and Cold tiers provide millisecond-level read latency with no waiting period. Archive is fundamentally different — blobs in Archive are stored offline and must be rehydrated (moved to Hot or Cool) before they can be read. This difference matters significantly when designing lifecycle policies or assessing data availability timelines.
| Tier | Read Latency | Immediately Readable? |
|---|---|---|
| Hot | Milliseconds | Yes |
| Cool | Milliseconds | Yes |
| Cold | Milliseconds | Yes |
| Archive | Hours (Standard: up to 15 hrs; High Priority: up to 1 hr) | No — requires rehydration first |
A blob in the Archive tier is stored offline. To read it, the blob's tier must first be changed to Hot or Cool — a process called rehydration. Standard rehydration takes up to 15 hours; High Priority rehydration can complete in under 1 hour at higher cost. Until rehydration completes, any attempt to read the blob returns an error. In scenarios involving lifecycle rules that move blobs to Archive, factor in the rehydration delay before those blobs can be served.
Blob Storage — Data Protection Feature Comparison
Azure Blob Storage offers several data protection features, each addressing a different risk. Choosing the right one depends on what you are trying to protect against — accidental deletion, accidental overwrite, or a need to freeze data in a compliance-friendly way.
| Feature | Purpose | Restore Method |
|---|---|---|
| Blob Soft Delete | Retains deleted blobs for a configurable retention window (1–365 days) before permanent deletion | Undelete within the retention window |
| Blob Versioning | Automatically saves a prior version each time a blob is modified or overwritten | Promote a specific prior version back to the current version |
| Blob Snapshots | A manual, read-only point-in-time copy of a blob at a specific moment | Copy the snapshot back over the base blob |
| Immutable Blob Storage | WORM protection — blobs cannot be modified or deleted for a defined retention period or until a legal hold is cleared | Not applicable — data is protected from modification, not recoverable from modification |
| Blob Lifecycle Management | Automatically tiers or deletes blobs based on age or access patterns to reduce costs | Not a recovery tool — manages cost, not data integrity |
- Blobs accidentally deleted → Blob Soft Delete (configure a retention period)
- Previous version of an overwritten file needed → Blob Versioning
- Manual checkpoint before a risky deployment → Blob Snapshots
- Regulatory requirement — data must not be modified for a period → Immutable Blob Storage (time-based retention)
- Move blobs to cheaper storage automatically after 90 days → Blob Lifecycle Management
Lifecycle management automates tiering and deletion — it does not protect data from loss or allow recovery. When a requirement involves recovering deleted or overwritten blobs, lifecycle management is not the answer. Soft delete and versioning are the data recovery tools; lifecycle management is the cost optimisation tool.
RBAC Conditions (ABAC) for Storage Services
Azure attribute-based access control (ABAC) allows you to add conditions to RBAC role assignments for storage, so that a role only applies when certain conditions about the target resource are met. For example, you can restrict a user's Storage Blob Data Contributor role to only affect blobs with a specific blob index tag, rather than all blobs in the account. This provides fine-grained access control without requiring separate containers or storage accounts for each permission boundary.
| Storage Service | RBAC Conditions Supported? |
|---|---|
| Blob containers (Blob storage) | Yes |
| Azure Data Lake Storage Gen2 (hierarchical namespace) | Yes |
| Azure Queues | Yes |
| Azure Files (file shares) | No |
| Azure Tables | No |
RBAC role assignment conditions are available for Blob storage (including Data Lake Gen2) and Queues. They are not supported for Azure Files (file shares) or Azure Tables. When a question asks "which storage services support conditions when assigning RBAC roles?", the answer is containers and queues only.
Managed Identity vs SAS Access — Choosing the Right Method
When an application needs access to Azure Storage, there are two primary approaches: assigning an RBAC role to the app's managed identity (which uses Entra ID credentials with no secrets), or generating a SAS token (a signed URL that encodes permissions and an expiry). The right choice depends on whether access needs to be permanent or time-limited, and on whether secret minimisation is a priority.
| Requirement | Correct Method | Reason |
|---|---|---|
| App needs permanent blob access, no secrets to manage | Access Control (IAM) — assign a Storage Blob Data role to the app's managed identity | Managed identity uses Entra credentials; no key or token to store, rotate, or expire |
| App needs time-limited access (e.g., only for the next 30 days) | Shared Access Signature (SAS) with an expiry date set accordingly | SAS has a built-in expiry; access is automatically revoked when it expires with no further action needed |
| Both conditions: minimise secrets AND one app has a time limit | Managed identity (IAM) for the permanent-access app; SAS for the time-limited app | Managed identity satisfies secret minimisation; SAS satisfies the time-bound constraint |
When a requirement explicitly states "minimise the number of secrets used," the answer for persistent access is always managed identity + IAM role assignment. Storage account access keys are static secrets stored in application configuration — the opposite of minimising secrets. A SAS token is also a form of secret (a signed URL string), but it is appropriate for time-limited scenarios even when secret minimisation is a goal, because the time-limited constraint takes precedence for that specific use case.
Storage Account Key Auto-Rotation via Azure Key Vault
Storage account access keys are long-lived static credentials that should be rotated regularly to reduce security exposure. Azure Key Vault can manage this rotation automatically by storing the storage account key as a Key Vault-managed secret and periodically regenerating it according to a configured schedule. This eliminates the need for manual rotation and reduces the risk of key exposure from keys that have been in use for extended periods.
- The storage account is registered with Azure Key Vault as a managed storage account. Key Vault is granted the Storage Account Key Operator Service Role on the storage account.
- Key Vault stores the active key as a managed secret and regenerates it according to the configured regeneration period (e.g., every 90 days).
- Applications retrieve the current key from Key Vault using the secret name — they always get the latest active key without needing to be updated when rotation occurs.
- This configuration is done in Key Vault, not in the storage account's settings directly.
The storage account itself does not have a built-in "auto-rotate keys" toggle. The auto-rotation capability comes from registering the storage account with Azure Key Vault and letting Key Vault manage the key lifecycle. When a question asks "what should you configure to ensure access keys rotate automatically?", the answer is an Azure Key Vault — not a backup vault, not redundancy settings, not lifecycle management.
Backup Vault vs Recovery Services Vault — What Each Protects
Azure Backup uses two types of vaults depending on what is being protected. The Recovery Services vault is the older, more established vault type and handles VM, file share, and SQL workloads. The Azure Backup vault is a newer vault type designed for newer data sources like managed disks, blob containers, and Azure Database for PostgreSQL. The two vault types are not interchangeable — each data source maps to exactly one vault type.
| Data Source | Recovery Services Vault | Azure Backup Vault |
|---|---|---|
| Azure Virtual Machines | Yes | No |
| Azure Files (file shares) | Yes | No |
| SQL Server in Azure VMs | Yes | No |
| SAP HANA in Azure VMs | Yes | No |
| Azure Blob containers (operational backup) | No | Yes |
| Azure Managed Disks | No | Yes |
| Azure Database for PostgreSQL | No | Yes |
| Azure Kubernetes Service (AKS) | No | Yes |
This is the most common source of confusion: Azure Files (file shares) are backed up to a Recovery Services vault. Azure Blob containers (operational blob backup) are backed up to an Azure Backup vault. They use different vault types. If a question presents a storage account with both a file share and a blob container and asks which vault each can be backed up to, they map to different vault types.
Azure App Service web app backups are not stored in a Recovery Services vault or a Backup vault. App Service backups are stored directly in an Azure Storage account. The storage account must be in the same subscription as the app, and the backup configuration is set within the App Service, not within Azure Backup.
ZRS Conversion Eligibility
Zone-redundant storage (ZRS) replicates data synchronously across three availability zones within a single region, protecting against zone-level failures. Not all storage account types support live conversion to ZRS — the eligibility depends on the account's performance tier and kind. Understanding which accounts can be converted is important for redundancy planning.
| Account Kind | Performance Tier | ZRS Conversion Supported? |
|---|---|---|
| StorageV2 (general purpose v2) | Standard | Yes — live migration supported |
| BlobStorage | Standard | No — ZRS is not available for BlobStorage accounts at all |
| BlockBlobStorage | Premium | No live migration — manual migration required |
| FileStorage | Premium | Yes — ZRS is available for FileStorage |
BlobStorage accounts are limited to LRS, GRS, and RA-GRS redundancy options. ZRS is simply not an available option for BlobStorage — it is not a matter of needing a manual migration, it is not supported at all. To use ZRS with blob storage, the account must be StorageV2. BlobStorage is also a legacy account type scheduled for retirement in September 2026.
When setting up a new Recovery Services vault for VM backup and the requirement is to store backups across three availability zones, the correct sequence is: (1) create the Recovery Services vault, (2) set the vault's storage replication to Zone-redundant storage (ZRS), then (3) configure the backup policy and enable backup for the VM. The ZRS replication setting is applied to the vault at creation, before backups are configured.
Azure Files as Persistent Storage for Azure Container Instances
Containers are inherently stateless — when a container is stopped or restarted, any data written inside the container's filesystem is lost. For containerised applications that require persistent storage — such as a SQL Server instance inside a container — an external storage volume must be mounted. Azure Container Instances (ACI) supports mounting Azure Files shares as persistent volumes, providing durable storage that survives container restarts.
- Azure Files (SMB) — the primary and most common persistent volume type for ACI. Mounts an Azure file share into the container's file system path.
- Azure Files (NFS) — available for Linux containers using the NFS protocol.
- gitRepo volumes — mounts a Git repository as a volume at container startup (read-only).
- emptyDir volumes — temporary in-memory storage shared between containers in the same container group; does not persist beyond the container group's lifetime.
For stateful workloads in ACI — such as a SQL Server instance that needs to write to a persistent path — the correct storage service is Azure Files, not Azure Blob Storage. Blob storage uses a REST API and cannot be mounted as a filesystem path inside an ACI container. Azure Queue storage and Table storage similarly cannot be mounted. When the requirement is to provide persistent, file-system-accessible storage to a container, Azure Files is always the answer.
Azure Files volume mounts in ACI are supported for Linux containers. Windows containers in ACI can also mount Azure Files shares, but the mount path format differs (Windows drive letter vs Linux filesystem path). The storage account and the ACI container group must be accessible to each other — if the storage account has firewall restrictions, the ACI service's outbound IPs or the VNet integration must be accounted for.
RA-GRS & Storage Account Failover
Read-access geo-redundant storage (RA-GRS) replicates data to a secondary Azure region and allows read access to the secondary copy at all times, even while the primary region is healthy. This is useful for disaster recovery architectures and read-heavy workloads that can tolerate slight replication lag. When the primary region becomes unavailable, failover can be initiated to promote the secondary as the new primary.
- Data is replicated asynchronously to a secondary paired region. The secondary endpoint is always readable (unlike standard GRS, where the secondary is only accessible after failover).
- The secondary endpoint URL follows the format:
accountname-secondary.blob.core.windows.net. - Because replication is asynchronous, there is always the possibility of some data loss (RPO > 0) in a failover scenario.
- Both IAM permissions and SAS tokens generated against the primary endpoint also work against the secondary endpoint — they are the same account.
To fail over an RA-GRS storage account so that the secondary region becomes the new primary, you initiate a storage account failover from the Redundancy blade in the Azure portal (via the "Prepare for failover" button), or by running Invoke-AzStorageAccountFailover in PowerShell. This is a distinct operation — it is not a redundancy setting change in the dropdown and it cannot be triggered via IAM, access keys, or SAS configuration. After failover, the account becomes LRS at the secondary location; geo-redundancy must be re-configured if needed.
Changing the redundancy dropdown (e.g., from GRS to LRS) does not initiate a geo-failover — it changes the replication configuration but does not promote the secondary to primary. Failover is a separate, explicit operation initiated from the Redundancy blade. It is also irreversible in the short term — once failed over, the account becomes LRS and must be reconfigured for geo-redundancy.
Storage Account Role Definitions — Custom and Built-In
Azure RBAC offers a range of built-in roles for storage, ranging from account-level management to data-plane access for specific storage services. In some scenarios, built-in roles provide more permission than required, making it necessary to create custom role definitions that target a specific set of actions. Understanding the permission action strings used in role definitions is important for building least-privilege access models.
| Role | Scope | Key Capabilities |
|---|---|---|
| Owner | Any | Full control including role assignment; can assign Contributor to others |
| User Access Administrator | Any | Can assign roles to others; no read/write rights to resources themselves |
| Reader and Data Access | Storage account | Lists and reads storage account keys; provides indirect data access via those keys |
| Storage Account Contributor | Storage account | Full management of storage account; can list/regen keys; does not grant direct data plane access via Entra |
| Storage Blob Data Owner | Container / account | Full data access to blobs; supports RBAC conditions (ABAC) |
| Storage Blob Data Contributor | Container / account | Read, write, delete blobs; supports RBAC conditions; cannot assign roles |
| Storage Blob Data Reader | Container / account | Read blobs only; supports RBAC conditions |
| Storage Blob Delegator | Storage account | Can generate User Delegation SAS tokens; no direct read/write blob data access |
| Storage File Data SMB Share Contributor | File share | Read, write, delete on file share via SMB; requires identity-based access to be enabled |
| Storage Table Data Contributor | Table | Read, write, delete on Azure Table storage |
"Microsoft.Storage/storageAccounts/read"— allows viewing the storage account's configuration properties only (least privilege for config viewing)."Microsoft.Storage/storageAccounts/*"— allows all actions on storage accounts including write and delete (not least privilege)."Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"— data-plane permission for reading individual blob data (not a management-plane permission for account configuration).
There is an important distinction: some roles grant access to the storage account's keys, which in turn provide indirect access to all data. Other roles grant direct Entra-ID-based data access without touching keys. Storage Blob Data Contributor and Storage Blob Data Reader use Entra ID directly — they do not require key access and do not expose keys to the user. Storage Account Contributor can list and regenerate keys but does not itself grant Entra-based read access to blob data.