Flash sale is here! Get Extra 25% off on ALL COURSES! Use coupon code FLASH25. Ends today.
Domain 02 · Revision Notes

Implement and manage storage

Blob Storage, Azure Files, AzCopy, Lifecycle Management & Encryption

01

Storage Account Configuration — Tiers, Redundancy & Account Kind Capabilities

Azure Storage accounts come in several kinds, and each kind determines which services are available, which redundancy options are supported, and whether features like lifecycle management or archive tiering are accessible. Choosing the wrong account kind at creation time can permanently lock you out of certain capabilities, so understanding these boundaries is essential.

For Azure Data Lake Storage Gen2, enable the hierarchical namespace option on a StorageV2 account at creation time. This transforms the account into a filesystem-like structure with true directory semantics, which is required for analytics workloads such as Azure Synapse and HDInsight.

FeatureStorageV2BlobStorageBlockBlobStorage (Premium)FileStorage (Premium)
Archive tierYes (Standard)Yes (Standard)No (Premium)No
Lifecycle management (tiering)YesYesNo tieringNo
ZRS conversionYes (Standard)NoNoYes (Premium)
Blob storageYesYes (blobs only)Yes (block + append blobs)No
Azure FilesYesNoNoYes
Queue / TableYesNoNoNo
⚠ BlobStorage Does Not Support ZRS

BlobStorage accounts only support LRS, GRS, and RA-GRS redundancy. ZRS is not available for BlobStorage accounts. To use ZRS, the account must be StorageV2 (general purpose v2). BlobStorage is also a legacy account type scheduled for retirement — new deployments should use StorageV2.

⚠ BlockBlobStorage Lifecycle Tiering Limitation

BlockBlobStorage accounts use Premium storage, which has no concept of Hot/Cool/Archive access tiers. Because of this, lifecycle management rules that tier blobs are not supported. However, delete-based lifecycle rules do work — you can still automatically delete blobs after a number of days. Only the tier-transition actions are unavailable.


Different account kinds also determine which storage workloads — blob containers versus file shares — you can create within them. StorageV2 is the most versatile, supporting all services. FileStorage and BlobStorage are specialised accounts designed for a single workload type.

Account Kind — Blob Containers vs File Shares
Account KindBlob ContainerAzure File Share (SMB)Queue / Table
StorageV2 (general purpose v2)YesYesYes
BlobStorageYes (blobs only)NoNo
BlockBlobStorage (Premium)Yes (block + append blobs)NoNo
FileStorage (Premium)NoYesNo
⚠ Azure File Shares Require StorageV2 or FileStorage

If you need to create an Azure File share (SMB), the storage account must be either StorageV2 or FileStorage. BlobStorage and BlockBlobStorage accounts do not support Azure Files at all. StorageV2 is the most flexible choice, supporting both blobs and file shares within a single account.

Backup Diagnostic Settings — Same Region Required

When configuring diagnostic settings for a Recovery Services vault — for example, to send Azure Backup report logs to a storage account — both the storage account and any Log Analytics workspace must be in the same Azure region as the vault. A vault in West Europe can only send diagnostics to destinations also located in West Europe. This is a per-resource constraint on diagnostic settings, not a subscription-wide limitation.


02

Storage Account Key Management & Data Plane Roles

Access to an Azure Storage account can be controlled through management-plane RBAC roles or through data-plane roles. Management-plane roles govern the ability to administer the storage account itself — including listing or regenerating its access keys. Data-plane roles govern the ability to read or write the actual stored data. Understanding the distinction is important because some roles give key access without data access, and vice versa.

RoleList KeysRegen KeysRead Blob Data
Storage Account Key Operator Service RoleYesYesNo
Storage Account ContributorYesYesNo (via keys indirectly)
Reader and Data AccessYesYesYes (via keys)
Storage Account Encryption Scope ContributorNoNoNo
Storage Blob Data ReaderNoNoYes (blobs only, via Entra)
Storage Blob Data ContributorNoNoYes (read + write blobs)
Roles That Can List and Regenerate Storage Account Keys

Three roles have the ability to both list and regenerate storage account keys: Storage Account Key Operator Service Role, Storage Account Contributor, and Reader and Data Access. The Storage Account Encryption Scope Contributor role specifically grants management of encryption scopes only — it does not grant key management capabilities.

Least Privilege for Portal Blob Upload via Microsoft Entra

When a user needs to upload files to blob storage through the Azure portal using their Entra ID credentials, two roles are required together. The Reader role provides visibility into the storage account within the portal (management plane). The Storage Blob Data Contributor role grants the actual ability to write blob data (data plane). Neither role alone is sufficient — Reader without Storage Blob Data Contributor gives portal access but no write permission; Storage Blob Data Contributor alone may not provide portal navigation.

Custom Role Definition — Principle of Least Privilege

When building a custom role to allow users to view storage account configuration without touching data or keys, the correct permission to include in the role definition is "Microsoft.Storage/storageAccounts/read". This grants read-only access to the storage account's configuration properties. The broader wildcard "Microsoft.Storage/storageAccounts/*" would also grant write and delete operations, violating least privilege. Data-plane paths like blobServices/containers/blobs/read refer to blob data access, not account configuration.


03

Storage Account Network Access, Private Endpoints & Trusted Services Bypass

By default, Azure Storage accounts accept connections from all networks over the public internet. When you need to restrict access — for example, limiting which virtual networks or IP addresses can reach the storage account — you work with the Firewalls and virtual networks settings in the portal. The first action when restricting public access is modifying the Public network access setting, not adding private endpoints or changing IAM settings.

Two approaches exist for giving VNet-based resources access to storage without routing traffic over the public internet: service endpoints keep the storage account publicly addressable but route VNet traffic through the Azure backbone; private endpoints assign the storage account a private IP address inside the VNet, removing its public-internet exposure entirely.

Service Endpoints vs Private Endpoints
Service EndpointPrivate Endpoint
Traffic pathAzure backbone, but storage still has a public IPPrivate IP inside the VNet; fully off the public internet
DNSNo change — uses same public FQDNPrivate DNS zone maps FQDN to private IP
Cross-regionSupported via Microsoft.Storage.Global service endpointSupported; private IP is region-local but accessible cross-region
Public access after setupStorage can still be accessed publicly unless firewall also restricts itPublic access must be separately disabled via firewall — private endpoint alone does not block public access
⚠ Private Endpoint Does Not Automatically Block Public Access

Creating a private endpoint does not remove the storage account from the public internet on its own. Public access remains available unless you also configure the storage account's firewall to deny public network access. The two steps are separate: add private endpoint, then set Public network access to "Disabled" or restrict it to selected networks.

AzureServices Bypass — Trusted Microsoft Services

When a storage account has firewall rules that restrict access to specific VNets or IP ranges, certain first-party Microsoft services can still reach the account through a bypass mechanism. This is configured in ARM templates as "bypass": "AzureServices" in the networkAcls section. Services that benefit from this bypass include Azure Backup, Azure Site Recovery, Azure Event Grid, Azure Event Hubs, and Azure IoT Hub, among others. The complete list of trusted services is available in the Azure Storage firewall documentation.

Azure Backup Through a Firewall-Restricted Storage Account

When a storage account has VNet firewall rules that block traffic from unlisted subnets, Azure Backup can still back up unmanaged VM disks stored in that account. Azure Backup is a trusted first-party service and is automatically permitted via the AzureServices bypass. Regular VM traffic from non-whitelisted subnets is still blocked — only Azure Backup's own service operations are permitted through the bypass.

⚠ AzureServices Bypass Applies to Trusted Microsoft Services Only

A VM running in Azure is not automatically considered a "trusted service" just because it is hosted in Azure. The bypass applies only to specific Microsoft platform services (like Azure Backup, Event Grid, etc.), not to arbitrary Azure-hosted virtual machines or applications. A VM on a subnet not explicitly whitelisted in the firewall is still blocked, even if it is an Azure resource in the same subscription.


04

Service Endpoints & Service Endpoint Policies

A virtual network service endpoint extends the VNet's identity into the Azure service's network, so that traffic from a subnet reaches the storage service over the Azure backbone rather than the public internet. The storage account can then be configured to allow traffic only from that specific subnet — effectively creating a network-layer whitelist without needing a private endpoint or VPN.

How Service Endpoints Work for Storage
  • A service endpoint is enabled on a subnet (e.g., Microsoft.Storage).
  • The storage account's firewall is then configured to allow that specific subnet.
  • Traffic from the subnet reaches storage via the Azure backbone — the subnet's private IP becomes the source IP at the storage level.
  • The storage account still has a public DNS name and public IP; the firewall is what restricts who can reach it.
  • The Microsoft.Storage.Global endpoint variant extends this to cross-region storage access over the backbone.
Service Endpoint Policies — Restricting Which Storage Accounts a Subnet Can Reach

Without a service endpoint policy, a subnet with a Microsoft.Storage service endpoint can reach any storage account in Azure. A service endpoint policy narrows this down so that the subnet can only communicate with specific, explicitly named storage accounts. This prevents lateral movement — for example, a compromised VM cannot exfiltrate data to an attacker's storage account even though the storage service endpoint is enabled.

⚠ Service Endpoint Policies Are Regional

A service endpoint policy can only be applied to subnets in the same Azure region as the policy itself. A policy created in South Central US cannot be applied to a subnet in East US. Additionally, before a service endpoint policy can be applied to a subnet, that subnet must already have the Microsoft.Storage service endpoint enabled. The policy refines which storage accounts are reachable — it does not replace the need for the service endpoint itself.

Traffic Analysis Service Endpoints

When you need to ensure that VM traffic to a storage account travels over the Microsoft backbone network rather than the public internet, the correct Azure feature to configure on the VNet is a service endpoint (not Azure Peering Service, not Application Proxy, not Application Gateway). The number of service endpoints needed depends on how many distinct Azure services need backbone connectivity — for example, if VMs need backbone access to both storage and Azure Active Directory, that is two separate service endpoints to add to the VNet.


05

Blob Inventory Rules

Blob inventory is a feature that generates a scheduled report — in CSV or Apache Parquet format — listing all blobs or containers in a storage account along with their properties and metadata. It is useful for auditing, cost analysis, and compliance tracking at scale. Inventory rules are defined in ARM templates or through the portal, and each rule specifies exactly what to capture and how often.

Key Fields in a Blob Inventory Rule
  • blobTypes — specifies which blob subtypes to include in the report. Valid values are blockBlob, appendBlob, and pageBlob. Note that pageBlob is not available for accounts with hierarchical namespace (Data Lake Gen2) enabled.
  • prefixMatch — filters the report to include only blobs whose names begin with a specified prefix. The prefix is matched against the container name portion of the path. For example, to capture only blobs in containers whose names start with "finance", set prefixMatch to "finance" — not the full path, just the prefix string.
  • schedule — controls how frequently the inventory report is generated. The two options are Daily and Weekly.
  • objectType — determines whether the report inventories individual blob objects or container objects.
  • format — the output can be Csv or Parquet. The report is always saved to a blob container within the same storage account.
⚠ prefixMatch Targets Container Name Prefixes, Not Blob Paths

The prefixMatch field filters by the beginning of the container name (or a container-and-path prefix). To match only blobs in containers whose names start with "finance", the value should be "finance". It is not a full path like "container1/finance" — the prefix is matched starting from the container name. The destination container for the inventory output report is configured separately and is not affected by the prefix filter.


06

Azure Blob Object Replication

Object replication asynchronously copies block blobs from a source storage account to a destination storage account. It is designed for cross-region redundancy, data locality, and reducing read latencies by keeping a copy of data closer to consumers. The replication is asynchronous — there is no guaranteed recovery point objective (RPO), meaning there is always some potential lag between source writes and destination availability.

Prerequisites for Object Replication
  • Both the source and destination accounts must be general-purpose v2 (StorageV2) or Premium Block Blob accounts. BlobStorage accounts are not supported.
  • Blob versioning must be enabled on both the source and destination accounts.
  • Change feed must be enabled on the source account so that Azure can track which blobs have changed and need to be replicated.
  • Object replication is not supported on accounts with hierarchical namespace (Data Lake Gen2) enabled.
  • Archive-tier blobs cannot be replicated — only Hot and Cool blobs are replicated.
What to Create in the Destination Account

When setting up object replication, you configure a replication policy that maps source containers to destination containers. The destination account needs a container to receive the replicated blobs. File shares, queues, and tables are not part of object replication — only blob containers participate. The replication policy is defined on the source, and the destination container must already exist before replication can begin.

Scope and Direction

Object replication works cross-region and cross-subscription, as long as both subscriptions are within the same Azure Active Directory tenant. It is unidirectional — blobs replicate from source to destination, not both ways. If bidirectional replication is needed, two separate replication policies must be configured (one in each direction).


07

Stored Access Policies & Immutable Blob Storage

Azure Storage provides two mechanisms for controlling how long data can be accessed or retained. Stored access policies attach constraints to SAS tokens at the container level. Immutable blob storage enforces a write-once, read-many (WORM) model at the blob or container level, ensuring data cannot be modified or deleted for a defined period.

Limits to Know
  • Stored Access Policies: a maximum of 5 stored access policies can be defined per container. This limit also applies to queues, tables, and file shares. For example, if a container already has 2 stored access policies, you can create up to 3 more — not 4 or 5 additional ones.
  • Immutable time-based retention policy: a maximum of 1 time-based retention policy per container. If a container already has one time-based retention policy locked or unlocked, no additional time-based retention policies can be created for that container. A separate legal hold can coexist alongside the single time-based policy.
WORM — Time-Based Retention vs Legal Hold
  • Time-based retention policy: blobs are protected from modification and deletion for a fixed interval. The policy can be in an unlocked state (configurable) or a locked state (permanent — interval can only be increased, never shortened or deleted). Once locked, the policy cannot be removed until all blobs within it have outlived the retention period.
  • Legal hold: blobs are protected indefinitely until the legal hold tag is explicitly cleared. There is no time period — it holds as long as the tag exists. Multiple legal hold tags can be applied to a single container simultaneously.
Preventing New Content from Being Modified for a Defined Period

To prevent new content added to a container from being modified for a specific duration — for example, one year — configure an immutable time-based retention policy on the container and set the retention interval to 365 days. This is done through the container's Access policy settings in the portal. It is not an IAM role assignment, an access policy, or an access tier change — those do not impose write protection on existing or future blob content.


08

Storage Encryption Scopes

By default, all data in a storage account is encrypted using a single account-wide key — either Microsoft-managed or a customer-managed key from Azure Key Vault. Encryption scopes allow you to go one level deeper by assigning a different encryption key to a specific container or individual blob, all within the same storage account. This is useful when different containers hold data from different clients or tenants, each requiring separate key management.

Using a Different Encryption Key for a Specific Container

To encrypt one container with a key that is different from the rest of the storage account, first create an encryption scope in the storage account and associate it with the desired key from Key Vault. Then, when creating the container, assign that encryption scope to it. The scope must exist before the container is created. Other operations such as rotating access keys, modifying the TLS version, or generating SAS tokens have no bearing on per-container encryption key selection.

Encryption Scopes Apply to Blob Containers Only

Encryption scopes can only be applied to blob containers and the blobs within them. They do not extend to Azure Files (file shares), Azure Tables, or Azure Queues. Those services are encrypted using the account-wide encryption key and do not support per-container encryption scope assignment. An encryption scope created in one storage account also cannot be used by a different storage account — it is bounded to the account where it was created.

What a Case Study Scope Question Is Testing

A common scenario presents a case study where an encryption scope is created in storage account A but the question asks whether it can encrypt content in storage account B. The answer is no — scopes are account-bounded. Similarly, a scope can encrypt containers and blobs, but not file shares or tables, even if those services exist in the same account.


09

SAS Tokens — Expiry, IP Restrictions & Scope

A Shared Access Signature (SAS) is a URI that grants time-limited, permission-scoped access to Azure Storage resources. It encodes constraints — allowed services, resource types, permissions, start and expiry times, and permitted IP ranges — directly into the token. All constraints are evaluated together: access is denied if any single constraint is not satisfied.

SAS Access Evaluation Rules
  • If the client's IP address falls outside the allowed IP range specified in the SAS, all requests are denied regardless of permissions or timing.
  • If the current time is past the SAS expiry date, the token is no longer valid and all requests are denied.
  • If the client's IP is within range and the request is within the validity window, the client receives exactly the permissions encoded in the SAS — no more, no less.
  • A SAS token cannot grant permissions that exceed those held by the user or key used to generate it.
Three Types of SAS Tokens
SAS TypeSigned WithScopeNotes
Account SASStorage account keyEntire account, multiple servicesBroadest scope; grants access across services, resource types, and operations as configured
Service SASStorage account keySingle service (Blob, File, Queue, or Table)More targeted than Account SAS; scoped to one service type
User Delegation SASMicrosoft Entra credentialsBlob service onlyDoes not use the storage account key; works even when key access is disabled on the account
⚠ SAS Token Scope Is Capped by the Generator's Permissions

A SAS token cannot grant rights that the person or service generating it does not already possess. If a user assigned Storage Blob Data Reader generates a SAS, the SAS cannot write or delete blobs — even if those permissions are selected during generation. The effective permissions are the intersection of what the SAS specifies and what the signing identity is authorised to do.


10

SAS Expiry Policy & Warning Threshold

Azure Storage provides a built-in mechanism to enforce recommended expiry boundaries on SAS tokens generated for an account. This helps prevent the creation of overly long-lived SAS tokens that would represent a security risk if the token were leaked or misused.

SAS Expiration Policy — How It Works
  • The setting is called Shared access signature (SAS) expiration policy and is configured in the storage account under Settings → Configuration.
  • You set a maximum allowed SAS interval in days. When a user generates a SAS with a duration that exceeds this interval, a warning message is displayed in the Azure portal at the time of generation.
  • This is a storage account-level configuration — not an Azure Policy, not a lifecycle management rule, and not a resource lock.
  • In addition to the warning, you can configure the policy to block the generation of SAS tokens whose duration exceeds the threshold, actively denying out-of-policy requests rather than just warning.
⚠ This Setting Lives on the Storage Account, Not in Azure Policy

The SAS expiry warning is not an Azure Policy definition, not an alert rule, and not a lifecycle management rule. It is a dedicated storage account configuration that governs SAS generation behaviour. If users are generating overly long SAS tokens and you need to surface a warning or block those tokens, this is the correct setting to enable — configured directly on the storage account.


11

Azure Files — Identity-Based Access & AD DS Integration

Azure Files supports identity-based authentication for SMB file shares, which allows users to access shares using their existing directory credentials rather than a storage account key. This is the same experience as accessing a traditional on-premises file server using Windows credentials. Three identity source options are available, each suited to a different hybrid or cloud-only topology.

Three Identity Sources for Azure Files SMB
Identity SourceUser Type SupportedRequires
On-premises AD DSHybrid users synced from AD DS to Entra ID via Entra ConnectDomain join of the storage account to the AD DS domain; users must exist in AD DS and be synced
Microsoft Entra Domain ServicesEntra ID users, including cloud-only users, if the managed domain is set upAn Entra Domain Services managed domain must be provisioned in the same tenant
Microsoft Entra KerberosHybrid and cloud-only Entra ID users directlyNo on-premises infrastructure required; supports modern authentication for cloud-native scenarios
⚠ Cloud-Only Users Cannot Access AD DS-Configured File Shares

When the identity source is set to on-premises AD DS, only users who exist in AD DS and have been synchronised to Entra ID via Entra Connect can authenticate. A user created directly in the Entra ID portal (a cloud-only user) has no corresponding AD DS account and therefore cannot authenticate to the file share using Kerberos — access will be denied. For cloud-only users, the identity source must be Entra Domain Services or Entra Kerberos.

Prerequisite: Enable Identity-Based Access Before Assigning SMB Roles

Before assigning Azure RBAC roles such as Storage File Data SMB Share Contributor, Reader, or Elevated Contributor to users for a specific file share, identity-based data access must first be enabled at the storage account level. This means configuring an authentication source (AD DS, Entra Domain Services, or Entra Kerberos) on the storage account. Without this configuration, the SMB RBAC role assignments exist in IAM but have no functional effect when users attempt to connect via SMB.

Default Share-Level Permissions

When identity source is configured and the Default share-level permissions setting is set to "Enable permissions for all authenticated users and groups", any user who successfully authenticates can access the share with the default permission level. Individual users or groups can then be given elevated or restricted access via explicit role assignments on the share. In a scenario where only OU1 is synced from AD DS, users in OU1 can access the share but cloud-only users or users from unsynced OUs cannot.


12

AzCopy — Commands, Platform Support & Authentication Methods

AzCopy is a command-line utility for moving data to and from Azure Storage. It runs on Windows, Linux, and macOS. Understanding which command to use for which operation, and how authentication differs between Blob and File services, is frequently tested.

Key AzCopy Commands
  • azcopy make <URL> — creates a new blob container, file share, queue, or Data Lake filesystem. The URL must use the correct service endpoint. For a blob container: https://account.blob.core.windows.net/containername. For a file share: https://account.file.core.windows.net/sharename. For a Data Lake filesystem: https://account.dfs.core.windows.net/filesystemname. There is no images endpoint — it does not exist.
  • azcopy copy <source> <destination> --recursive — copies a local folder and all its contents to a destination blob container (or file share). The --recursive flag is required to include subdirectories.
  • azcopy sync <source> <destination> — compares source and destination and transfers only files that have changed. This is for synchronisation, not initial bulk copy. The --snapshot flag is not a valid AzCopy sync option.
  • The Azure CLI commands az storage blob copy start and az storage blob copy start-batch are for server-side blob copies within or between Azure storage accounts — they do not support copying from a local path like D:\Folder1.
Authentication Methods — Blob vs File Shares
Storage TypeOAuth (Entra ID)SAS TokenAccount Key
Blob storageYes — recommendedYesYes
Azure FilesYes (newer capability)YesYes
AzCopy-Supported Storage Services

AzCopy v10 (the current supported version) supports copying data to and from Blob and File storage only. Table storage was supported in the legacy v7.3 but is not available in v10. Queue storage is not supported in any version of AzCopy. This is relevant when asked which services in a storage account AzCopy can target.


13

CMK Encryption — RSA Key Type & Supported Key Sizes

Azure Storage encrypts all data at rest by default using Microsoft-managed keys. For greater control over the encryption key lifecycle, you can configure customer-managed keys (CMK) stored in Azure Key Vault. CMK lets you control key rotation, revocation, and auditing. The choice of key type and size is constrained by what Azure Storage supports.

Supported Key Types and Sizes for Azure Storage CMK
Key TypeSupported SizesNotes
RSA2048, 3072, or 4096 bitsSoftware-protected key in Key Vault. All three sizes are valid — 8192 is not supported.
RSA-HSM2048, 3072, or 4096 bitsHardware Security Module-backed RSA key in a Managed HSM or Key Vault Premium. Same size options as RSA.
EC / EC-HSMNot supportedElliptic curve keys (P-256, P-384, P-521) cannot be used for Azure Storage CMK encryption.
3DES / AESNot applicableNot valid key types for CMK in Azure Key Vault for this purpose.
⚠ RSA Is the Key Type; 4096 Is the Maximum Size, Not the Only Size

The supported key type for Azure Storage customer-managed encryption is RSA (or RSA-HSM). EC (Elliptic Curve), 3DES, and AES are all wrong answers. The maximum supported bit length is 4096, but 2048 and 3072 are also valid. When a question specifies "maximum supported bit length," the answer is 4096 bits.

Key Vault Requirements for CMK

The Azure Key Vault used to store the CMK must have both soft delete and purge protection enabled. These settings prevent the accidental or malicious deletion of the key, which would render the storage account's data permanently inaccessible. Without these protections, Azure will not allow the storage account to be linked to that Key Vault for CMK purposes.


14

Azure Files — SMB Port 445 & UNC Path Format

Azure Files uses the SMB protocol to serve file shares over the network. SMB operates on TCP port 445, which must be open outbound from any client machine that maps a drive to an Azure Files share. This port is frequently blocked by home ISPs and some corporate firewalls, which is the most common reason drive mapping to Azure Files fails from off-premises networks.

Common Port Reference
  • Port 445 (TCP) — SMB. Required for Azure Files drive mapping.
  • Port 443 (TCP) — HTTPS. Used for Azure portal, REST APIs, and Azure Bastion.
  • Port 3389 (TCP) — RDP. Used for Windows Remote Desktop connections.
  • Port 22 (TCP) — SSH. Used for Linux remote access.
  • Port 80 (TCP) — HTTP. Web traffic; not used for Azure Files.
UNC Path Format for Azure File Shares

To map a drive or reference an Azure file share in a script, the UNC path follows this format:

\\storageaccountname.file.core.windows.net\sharename

For example, a storage account named contosostorage with a share named data is referenced as \\contosostorage.file.core.windows.net\data. The account name appears first, followed by the fixed endpoint domain file.core.windows.net, and then the share name — not the other way around.

⚠ Azure Files Uses file.core.windows.net, Not blob.core.windows.net

Azure Files is accessed via the file.core.windows.net endpoint. The blob endpoint (blob.core.windows.net) is for Blob storage only. These endpoints are different services — a path like \\contosostorage.blob.core.windows.net\data would not work for file share access.


15

SAS Token vs Storage Account Key — Access Model

Both SAS tokens and storage account keys can grant access to Azure Storage, but they operate at fundamentally different levels of control and scope. Understanding their differences — and when one is preferred over the other — is important for access design and security.

SAS Token vs Account Key — Side by Side
SAS TokenStorage Account Key
ScopeConstrained — specific services, resource types, and permissions encoded at generationFull access to all services and operations in the account
ExpiryBuilt-in expiry; access automatically ends at the specified timeNo expiry — valid until manually rotated or disabled
RBAC interactionCannot escalate beyond the generating user's permissionsBypasses RBAC entirely — grants full account-level access
RevocationRevocable via stored access policy or by disabling key accessRevoked by rotating or disabling the key
⚠ Account Key Bypasses RBAC

A storage account key is a master credential. Anyone who possesses a storage account key can perform any operation on any data in that account — reading blobs, writing files, modifying queues — regardless of what RBAC roles they have been assigned. This is why key access should be tightly controlled and why managed identity with RBAC roles is the preferred access method for applications.


16

Storage Account Routing Preference

Routing preference controls how inbound data traffic travels from the public internet to an Azure Storage account. It is relevant when a storage account is accessed by clients in multiple geographies and you want to control the balance between performance and egress cost.

Two Routing Options
  • Microsoft network routing (default) — traffic enters the Microsoft global WAN at the point of presence closest to the client's location and travels entirely over Microsoft's private backbone to reach the storage account. This minimises latency for the end user because the data traverses the internet for the shortest possible distance before entering Microsoft's fast private network.
  • Internet routing — traffic travels over the public internet until it reaches the Azure region where the storage account is located, then enters Microsoft's network at the region edge. This can reduce Microsoft's egress costs and may be preferred for cost-sensitive workloads where latency is less critical.
⚠ Routing Preference Is Not About Security or Filtering

Routing preference controls the path that public traffic takes to reach the storage account. It does not restrict which clients can connect (that is the firewall), does not distribute load across multiple accounts (that is load balancing), and does not remove the account from the public internet (that is private endpoints). When the requirement is to minimise network costs for a storage account accessed from many regions, modifying the routing preference to internet routing is the relevant setting.


17

SAS Token — Resource Types & Permissions for Blob Access

When generating an Account-level SAS token, you independently select the allowed services, resource types, and permissions. Getting this combination right is critical for applying least-privilege access. Selecting too many resource types or permissions grants broader access than required; selecting too few makes the SAS non-functional for its intended purpose.

Resource Types — What Each Level Controls
Resource TypeWhat It CoversWhen Required
Service (s)Service-level operations such as listing all containers in the accountWhen listing containers across the entire account is needed
Container (c)Container-level operations — listing blobs within a specific containerWhen enumerating (listing) the blobs inside a container
Object (o)Individual object operations — reading, writing, or deleting specific blobsWhen downloading or reading individual blob files
Correct Settings — Enumerate and Download Blobs in a Specific Container

To allow a SAS token to list blobs and download their contents from a specific container, the minimum required combination is:

  • Container (resource type) — to list blobs within the container
  • Object (resource type) — to read/download individual blobs
  • Read (permission) — to read the content of blob objects
  • List (permission) — to enumerate blobs within the container

The File resource type is for Azure Files (SMB), not Blob storage. The Filter permission is for blob index tag queries and is not needed for enumerate-and-download scenarios. When a question presents a set of six options and asks for the minimum three, the answer is Container, Object, and Read (with List implied by Container for enumeration).

Blob Index Tags and RBAC Conditions

When you need users to see only specific blobs based on their blob index tags — for example, restricting visibility to blobs tagged with a certain department — the correct solution is a role assignment condition (Azure ABAC), not a SAS token and not a stored access policy. A role assignment condition allows you to filter which blobs a user with, say, Storage Blob Data Reader can actually see, based on tag values.


18

Blob Access Tier — Early Deletion Penalties

Azure Blob Storage applies a minimum storage duration requirement to the Cool, Cold, and Archive tiers. If a blob is deleted from, or moved out of, one of these tiers before the minimum period has elapsed, an early deletion charge is applied for the remaining days. This is important to account for when designing lifecycle management rules or planning manual tier changes.

Minimum Storage Duration by Tier
TierMinimum DurationEarly Deletion Penalty?
HotNoneNo — can delete or move at any time
Cool30 daysYes — if moved or deleted within 30 days of entering Cool
Cold90 daysYes — if moved or deleted within 90 days of entering Cold
Archive180 daysYes — if rehydrated (moved to Hot/Cool) or deleted within 180 days of entering Archive
⚠ Early Deletion Is Triggered by Leaving the Tier — Not Only by Deletion

An early deletion charge is triggered any time a blob leaves a tier before the minimum duration — this includes both direct deletion and moving the blob to a different tier. Moving a blob from Cool to Archive after only 14 days in Cool incurs an early deletion charge for the remaining 16 days of the Cool minimum. Rehydrating a blob from Archive after only 90 days incurs an early deletion charge for the remaining 90 days of the Archive minimum.

Worked Example

Blobs are created on January 1 in the default Hot tier (no minimum — no penalty clock running).

File1 is moved to the Archive tier on January 1 (same day as creation). On April 5 (day 94), it is rehydrated to Cool. Archive minimum is 180 days. File1 has only been in Archive for 94 days, so an early deletion penalty applies for the remaining 86 days. Yes, penalty.

File2 is created directly in the Cool tier. On January 15 (day 14), it is moved to Archive. Cool minimum is 30 days — File2 has only been in Cool for 14 days, so an early deletion penalty for 16 days applies. Yes, penalty.

File3 is created in the Hot tier and deleted on January 5 (day 4). Hot has no minimum duration. No penalty.


19

VM Backup Policy Types — Standard vs Enhanced

Within a Recovery Services vault, Azure Backup offers two backup policy types for virtual machines. The policy type must match the VM's security configuration — specifically, whether the VM uses standard security features or Trusted launch (which includes Secure Boot and vTPM). Selecting the wrong policy type results in a failed backup job.

Policy Type Compatibility
VM ConfigurationStandard PolicyEnhanced Policy
Standard Windows or Linux VMYesYes
VM with Azure Disk Encryption (ADE)YesYes
Trusted launch VM (Secure Boot + vTPM)No — not supportedYes — required
Confidential VMNoYes
⚠ Trusted Launch VMs Require Enhanced Policy

VMs configured with Trusted launch security — which enables Secure Boot and a virtual Trusted Platform Module (vTPM) — cannot be protected using a Standard backup policy. An Enhanced backup policy is required. If you assign a Standard policy to a Trusted launch VM and attempt a backup, it will fail. Always check the VM's security type before selecting a backup policy in the vault.

Recovery Services Vault vs Azure Backup Vault for VM Backup

VM backup always uses a Recovery Services vault. Azure Backup vault is a newer vault type designed for managed disks, blobs, PostgreSQL, and AKS backup — not for virtual machines. A backup policy created in an Azure Backup vault has no option for VM protection. When asked which vault to use for VM backup, the answer is always Recovery Services vault.


20

Blob Lifecycle Management — Automated Tier Transitions and Deletion

Lifecycle management policies let you define rules that automatically move or delete blobs based on how old they are or when they were last accessed. This removes the need to manually manage blob tiers as data ages, and significantly reduces storage costs for data that becomes infrequently accessed over time. Lifecycle management is available on StorageV2 and BlobStorage accounts only — not on BlockBlobStorage or FileStorage accounts.

Lifecycle Rule Structure

Each rule has two sections: actions (what happens to matching blobs) and filters (which blobs the rule applies to).

"actions": {
  "baseBlob": {
    "tierToCool": { "daysAfterModificationGreaterThan": 45 }
  }
},
"filters": {
  "blobTypes": ["blockBlob"],
  "prefixMatch": ["container1/"]
}
Condition Types — Choosing the Right "days" Field
ConditionTriggers Based OnUse When Requirement Says
daysAfterModificationGreaterThanDays since the blob was last written to or modifiedBlob has not been updated for N days
daysAfterCreationGreaterThanDays since the blob was first createdBlob is older than N days regardless of access or updates
daysAfterLastAccessTimeGreaterThanDays since the blob was last read or writtenBlob has not been accessed (requires last access time tracking to be enabled on the account)
⚠ "Not Updated" Maps to daysAfterModificationGreaterThan

The phrase "blobs that were not updated for 45 days" refers to modification time — the last write. The correct condition is daysAfterModificationGreaterThan: 45. "Not accessed" (including reads) requires daysAfterLastAccessTimeGreaterThan with last-access-time tracking enabled. "Older than N days" from creation uses daysAfterCreationGreaterThan. These are three distinct conditions that are easy to confuse in exam scenarios.

Only blockBlob Can Be Tiered; appendBlob and pageBlob Can Only Be Deleted

Lifecycle management tier-transition actions — tierToCool, tierToCold, and tierToArchive — only work on blockBlob type blobs. Append blobs and page blobs do not support access tier changes. However, delete actions in lifecycle rules can apply to all three blob types. When the action is tiering, the blobTypes filter must be set to ["blockBlob"].

Rule for "Move to Lowest-Cost Tier After 90 Days Without Update"
  • Action: tierToArchive — Archive is the lowest-cost blob storage tier
  • Condition: daysAfterModificationGreaterThan: 90
  • Blob type filter: "blockBlob"
⚠ When Multiple Rules Match the Same Blob

If multiple lifecycle rules match a blob simultaneously (due to overlapping prefix filters), Azure applies the rule that results in the most cost-effective outcome — typically the most aggressive tier change or deletion. Rules are not applied in order of definition. Once a blob is deleted by a delete rule, no subsequent tier-change rules can act on it because the blob no longer exists.


21

Storage Account — Settings That Cannot Be Changed After Creation

Several storage account properties are permanently fixed at creation time and cannot be modified on an existing account. Understanding which settings are immutable versus mutable is important for planning — and for recognising what can and cannot be reconfigured in post-deployment scenarios.

Settings That Cannot Be Changed After Creation
  • Performance tier (Standard vs Premium) — determined by the underlying storage hardware; Standard and Premium use different backends that cannot be switched.
  • Account kind (StorageV2, BlobStorage, FileStorage, BlockBlobStorage) — the account type defines which services and features are available and is set permanently at creation.
  • Infrastructure encryption — an additional layer of encryption applied at the hardware level. Must be enabled at creation time and cannot be enabled or disabled on an existing account.
  • Premium account sub-type (Block Blobs, File Shares, or Page Blobs) — for Premium accounts, the storage sub-type is fixed at creation.
Settings That Can Be Changed After Creation
  • Encryption key source — can switch between Microsoft-managed keys and customer-managed keys at any time after creation.
  • Redundancy (replication) — LRS, GRS, ZRS, and GZRS can generally be changed after creation, subject to account kind and tier constraints.
  • Default access tier (Hot vs Cool) — can be updated post-creation.
  • Blob public access, HTTPS-only, TLS version — all mutable post-creation.
  • Network rules and firewall settings — VNet rules and IP allowlists can be added, modified, or removed at any time.
⚠ Infrastructure Encryption vs Encryption Key Source — Two Different Settings

Encryption key source (whether the key is Microsoft-managed or customer-managed) can be changed after creation. Infrastructure encryption (a second layer of hardware-level encryption) cannot be changed after creation — it must be enabled at the time the account is first created. These two settings are distinct and frequently appear together in exam options designed to test whether you know which one is immutable.


22

Storage Account Key Access Disabled — Impact on SAS Token Types

Azure Storage accounts have a configuration option called Allow storage account key access. When this is disabled, the account's access keys are invalidated — they cannot be used to authenticate any requests. This has a cascading impact on which SAS token types remain functional, since two of the three SAS types are generated using the storage account key.

SAS Token Types and Their Dependency on the Account Key
SAS TypeSigned WithWorks When Key Disabled?
Account SASStorage account keyNo — key required for generation and validation
Service SASStorage account keyNo — key required for generation and validation
User Delegation SASMicrosoft Entra credentials (OAuth)Yes — does not use the storage key at all
User Delegation SAS — The Only SAS That Works Without Key Access

A User Delegation SAS is signed using the generating user's Entra ID token rather than the storage account key. It is scoped to Blob storage only (not Azure Files, not Queues). When key access is disabled on the account, User Delegation SAS is the only SAS mechanism that continues to function for blob access. Existing Account SAS and Service SAS tokens that were previously generated become immediately invalid when key access is disabled.

Azure Files Access When Key Is Disabled and No Identity Auth Is Configured

Azure Files traditionally uses the storage account key to broker SMB Kerberos authentication. If key access is disabled and identity-based authentication (AD DS, Entra Kerberos, or Entra Domain Services) is not configured on the account, SMB access to file shares becomes inaccessible. Re-enabling key access or configuring identity-based auth are the remediation paths.

⚠ Possessing the Key String Does Not Help If Key Access Is Disabled

If a user has a copy of the storage account key (as a string), but the account's "Allow storage account key access" setting is Disabled, that key string cannot authenticate any request. The setting takes precedence over the key's existence. Any SAS tokens previously generated from that key are also immediately invalidated — they stop working the moment the setting is disabled.


23

Blob Access Tiers — Instant Access vs Archive Rehydration

Not all Azure Blob storage tiers are immediately readable after being set. Hot, Cool, and Cold tiers provide millisecond-level read latency with no waiting period. Archive is fundamentally different — blobs in Archive are stored offline and must be rehydrated (moved to Hot or Cool) before they can be read. This difference matters significantly when designing lifecycle policies or assessing data availability timelines.

Read Availability by Tier
TierRead LatencyImmediately Readable?
HotMillisecondsYes
CoolMillisecondsYes
ColdMillisecondsYes
ArchiveHours (Standard: up to 15 hrs; High Priority: up to 1 hr)No — requires rehydration first
⚠ Archive Blobs Cannot Be Read Directly

A blob in the Archive tier is stored offline. To read it, the blob's tier must first be changed to Hot or Cool — a process called rehydration. Standard rehydration takes up to 15 hours; High Priority rehydration can complete in under 1 hour at higher cost. Until rehydration completes, any attempt to read the blob returns an error. In scenarios involving lifecycle rules that move blobs to Archive, factor in the rehydration delay before those blobs can be served.


24

Blob Storage — Data Protection Feature Comparison

Azure Blob Storage offers several data protection features, each addressing a different risk. Choosing the right one depends on what you are trying to protect against — accidental deletion, accidental overwrite, or a need to freeze data in a compliance-friendly way.

Feature Comparison
FeaturePurposeRestore Method
Blob Soft DeleteRetains deleted blobs for a configurable retention window (1–365 days) before permanent deletionUndelete within the retention window
Blob VersioningAutomatically saves a prior version each time a blob is modified or overwrittenPromote a specific prior version back to the current version
Blob SnapshotsA manual, read-only point-in-time copy of a blob at a specific momentCopy the snapshot back over the base blob
Immutable Blob StorageWORM protection — blobs cannot be modified or deleted for a defined retention period or until a legal hold is clearedNot applicable — data is protected from modification, not recoverable from modification
Blob Lifecycle ManagementAutomatically tiers or deletes blobs based on age or access patterns to reduce costsNot a recovery tool — manages cost, not data integrity
Choosing the Right Feature
  • Blobs accidentally deleted → Blob Soft Delete (configure a retention period)
  • Previous version of an overwritten file needed → Blob Versioning
  • Manual checkpoint before a risky deployment → Blob Snapshots
  • Regulatory requirement — data must not be modified for a period → Immutable Blob Storage (time-based retention)
  • Move blobs to cheaper storage automatically after 90 days → Blob Lifecycle Management
⚠ Lifecycle Management Is a Cost Tool, Not a Recovery Tool

Lifecycle management automates tiering and deletion — it does not protect data from loss or allow recovery. When a requirement involves recovering deleted or overwritten blobs, lifecycle management is not the answer. Soft delete and versioning are the data recovery tools; lifecycle management is the cost optimisation tool.


25

RBAC Conditions (ABAC) for Storage Services

Azure attribute-based access control (ABAC) allows you to add conditions to RBAC role assignments for storage, so that a role only applies when certain conditions about the target resource are met. For example, you can restrict a user's Storage Blob Data Contributor role to only affect blobs with a specific blob index tag, rather than all blobs in the account. This provides fine-grained access control without requiring separate containers or storage accounts for each permission boundary.

Which Storage Services Support RBAC Conditions
Storage ServiceRBAC Conditions Supported?
Blob containers (Blob storage)Yes
Azure Data Lake Storage Gen2 (hierarchical namespace)Yes
Azure QueuesYes
Azure Files (file shares)No
Azure TablesNo
⚠ Conditions Are Supported on Containers and Queues, Not Files or Tables

RBAC role assignment conditions are available for Blob storage (including Data Lake Gen2) and Queues. They are not supported for Azure Files (file shares) or Azure Tables. When a question asks "which storage services support conditions when assigning RBAC roles?", the answer is containers and queues only.


26

Managed Identity vs SAS Access — Choosing the Right Method

When an application needs access to Azure Storage, there are two primary approaches: assigning an RBAC role to the app's managed identity (which uses Entra ID credentials with no secrets), or generating a SAS token (a signed URL that encodes permissions and an expiry). The right choice depends on whether access needs to be permanent or time-limited, and on whether secret minimisation is a priority.

When to Use Each Method
RequirementCorrect MethodReason
App needs permanent blob access, no secrets to manageAccess Control (IAM) — assign a Storage Blob Data role to the app's managed identityManaged identity uses Entra credentials; no key or token to store, rotate, or expire
App needs time-limited access (e.g., only for the next 30 days)Shared Access Signature (SAS) with an expiry date set accordinglySAS has a built-in expiry; access is automatically revoked when it expires with no further action needed
Both conditions: minimise secrets AND one app has a time limitManaged identity (IAM) for the permanent-access app; SAS for the time-limited appManaged identity satisfies secret minimisation; SAS satisfies the time-bound constraint
⚠ "Minimise Secrets" Points to Managed Identity, Not Access Keys

When a requirement explicitly states "minimise the number of secrets used," the answer for persistent access is always managed identity + IAM role assignment. Storage account access keys are static secrets stored in application configuration — the opposite of minimising secrets. A SAS token is also a form of secret (a signed URL string), but it is appropriate for time-limited scenarios even when secret minimisation is a goal, because the time-limited constraint takes precedence for that specific use case.


27

Storage Account Key Auto-Rotation via Azure Key Vault

Storage account access keys are long-lived static credentials that should be rotated regularly to reduce security exposure. Azure Key Vault can manage this rotation automatically by storing the storage account key as a Key Vault-managed secret and periodically regenerating it according to a configured schedule. This eliminates the need for manual rotation and reduces the risk of key exposure from keys that have been in use for extended periods.

How Storage Key Auto-Rotation Works
  • The storage account is registered with Azure Key Vault as a managed storage account. Key Vault is granted the Storage Account Key Operator Service Role on the storage account.
  • Key Vault stores the active key as a managed secret and regenerates it according to the configured regeneration period (e.g., every 90 days).
  • Applications retrieve the current key from Key Vault using the secret name — they always get the latest active key without needing to be updated when rotation occurs.
  • This configuration is done in Key Vault, not in the storage account's settings directly.
⚠ Auto-Rotation Is Configured in Key Vault, Not the Storage Account

The storage account itself does not have a built-in "auto-rotate keys" toggle. The auto-rotation capability comes from registering the storage account with Azure Key Vault and letting Key Vault manage the key lifecycle. When a question asks "what should you configure to ensure access keys rotate automatically?", the answer is an Azure Key Vault — not a backup vault, not redundancy settings, not lifecycle management.


28

Backup Vault vs Recovery Services Vault — What Each Protects

Azure Backup uses two types of vaults depending on what is being protected. The Recovery Services vault is the older, more established vault type and handles VM, file share, and SQL workloads. The Azure Backup vault is a newer vault type designed for newer data sources like managed disks, blob containers, and Azure Database for PostgreSQL. The two vault types are not interchangeable — each data source maps to exactly one vault type.

What Each Vault Protects
Data SourceRecovery Services VaultAzure Backup Vault
Azure Virtual MachinesYesNo
Azure Files (file shares)YesNo
SQL Server in Azure VMsYesNo
SAP HANA in Azure VMsYesNo
Azure Blob containers (operational backup)NoYes
Azure Managed DisksNoYes
Azure Database for PostgreSQLNoYes
Azure Kubernetes Service (AKS)NoYes
⚠ File Shares Go to Recovery Services; Blob Containers Go to Backup Vault

This is the most common source of confusion: Azure Files (file shares) are backed up to a Recovery Services vault. Azure Blob containers (operational blob backup) are backed up to an Azure Backup vault. They use different vault types. If a question presents a storage account with both a file share and a blob container and asks which vault each can be backed up to, they map to different vault types.

Web App Backup Requires a Storage Account, Not a Vault

Azure App Service web app backups are not stored in a Recovery Services vault or a Backup vault. App Service backups are stored directly in an Azure Storage account. The storage account must be in the same subscription as the app, and the backup configuration is set within the App Service, not within Azure Backup.


29

ZRS Conversion Eligibility

Zone-redundant storage (ZRS) replicates data synchronously across three availability zones within a single region, protecting against zone-level failures. Not all storage account types support live conversion to ZRS — the eligibility depends on the account's performance tier and kind. Understanding which accounts can be converted is important for redundancy planning.

ZRS Conversion Support by Account Type
Account KindPerformance TierZRS Conversion Supported?
StorageV2 (general purpose v2)StandardYes — live migration supported
BlobStorageStandardNo — ZRS is not available for BlobStorage accounts at all
BlockBlobStoragePremiumNo live migration — manual migration required
FileStoragePremiumYes — ZRS is available for FileStorage
⚠ BlobStorage Does Not Support ZRS at All

BlobStorage accounts are limited to LRS, GRS, and RA-GRS redundancy options. ZRS is simply not an available option for BlobStorage — it is not a matter of needing a manual migration, it is not supported at all. To use ZRS with blob storage, the account must be StorageV2. BlobStorage is also a legacy account type scheduled for retirement in September 2026.

Converting a VM Backup to ZRS Within a Recovery Services Vault

When setting up a new Recovery Services vault for VM backup and the requirement is to store backups across three availability zones, the correct sequence is: (1) create the Recovery Services vault, (2) set the vault's storage replication to Zone-redundant storage (ZRS), then (3) configure the backup policy and enable backup for the VM. The ZRS replication setting is applied to the vault at creation, before backups are configured.


30

Azure Files as Persistent Storage for Azure Container Instances

Containers are inherently stateless — when a container is stopped or restarted, any data written inside the container's filesystem is lost. For containerised applications that require persistent storage — such as a SQL Server instance inside a container — an external storage volume must be mounted. Azure Container Instances (ACI) supports mounting Azure Files shares as persistent volumes, providing durable storage that survives container restarts.

Supported Persistent Volume Types for Azure Container Instances
  • Azure Files (SMB) — the primary and most common persistent volume type for ACI. Mounts an Azure file share into the container's file system path.
  • Azure Files (NFS) — available for Linux containers using the NFS protocol.
  • gitRepo volumes — mounts a Git repository as a volume at container startup (read-only).
  • emptyDir volumes — temporary in-memory storage shared between containers in the same container group; does not persist beyond the container group's lifetime.
⚠ Azure Blob Storage Cannot Be Mounted as a Container Volume in ACI

For stateful workloads in ACI — such as a SQL Server instance that needs to write to a persistent path — the correct storage service is Azure Files, not Azure Blob Storage. Blob storage uses a REST API and cannot be mounted as a filesystem path inside an ACI container. Azure Queue storage and Table storage similarly cannot be mounted. When the requirement is to provide persistent, file-system-accessible storage to a container, Azure Files is always the answer.

ACI Azure Files Volume Mounting — Key Constraint

Azure Files volume mounts in ACI are supported for Linux containers. Windows containers in ACI can also mount Azure Files shares, but the mount path format differs (Windows drive letter vs Linux filesystem path). The storage account and the ACI container group must be accessible to each other — if the storage account has firewall restrictions, the ACI service's outbound IPs or the VNet integration must be accounted for.


31

RA-GRS & Storage Account Failover

Read-access geo-redundant storage (RA-GRS) replicates data to a secondary Azure region and allows read access to the secondary copy at all times, even while the primary region is healthy. This is useful for disaster recovery architectures and read-heavy workloads that can tolerate slight replication lag. When the primary region becomes unavailable, failover can be initiated to promote the secondary as the new primary.

RA-GRS Key Characteristics
  • Data is replicated asynchronously to a secondary paired region. The secondary endpoint is always readable (unlike standard GRS, where the secondary is only accessible after failover).
  • The secondary endpoint URL follows the format: accountname-secondary.blob.core.windows.net.
  • Because replication is asynchronous, there is always the possibility of some data loss (RPO > 0) in a failover scenario.
  • Both IAM permissions and SAS tokens generated against the primary endpoint also work against the secondary endpoint — they are the same account.
Initiating a Storage Account Failover

To fail over an RA-GRS storage account so that the secondary region becomes the new primary, you initiate a storage account failover from the Redundancy blade in the Azure portal (via the "Prepare for failover" button), or by running Invoke-AzStorageAccountFailover in PowerShell. This is a distinct operation — it is not a redundancy setting change in the dropdown and it cannot be triggered via IAM, access keys, or SAS configuration. After failover, the account becomes LRS at the secondary location; geo-redundancy must be re-configured if needed.

⚠ Failover Is a Dedicated Operation, Not a Setting Change

Changing the redundancy dropdown (e.g., from GRS to LRS) does not initiate a geo-failover — it changes the replication configuration but does not promote the secondary to primary. Failover is a separate, explicit operation initiated from the Redundancy blade. It is also irreversible in the short term — once failed over, the account becomes LRS and must be reconfigured for geo-redundancy.


32

Storage Account Role Definitions — Custom and Built-In

Azure RBAC offers a range of built-in roles for storage, ranging from account-level management to data-plane access for specific storage services. In some scenarios, built-in roles provide more permission than required, making it necessary to create custom role definitions that target a specific set of actions. Understanding the permission action strings used in role definitions is important for building least-privilege access models.

Key Built-In Storage Roles and Their Capabilities
RoleScopeKey Capabilities
OwnerAnyFull control including role assignment; can assign Contributor to others
User Access AdministratorAnyCan assign roles to others; no read/write rights to resources themselves
Reader and Data AccessStorage accountLists and reads storage account keys; provides indirect data access via those keys
Storage Account ContributorStorage accountFull management of storage account; can list/regen keys; does not grant direct data plane access via Entra
Storage Blob Data OwnerContainer / accountFull data access to blobs; supports RBAC conditions (ABAC)
Storage Blob Data ContributorContainer / accountRead, write, delete blobs; supports RBAC conditions; cannot assign roles
Storage Blob Data ReaderContainer / accountRead blobs only; supports RBAC conditions
Storage Blob DelegatorStorage accountCan generate User Delegation SAS tokens; no direct read/write blob data access
Storage File Data SMB Share ContributorFile shareRead, write, delete on file share via SMB; requires identity-based access to be enabled
Storage Table Data ContributorTableRead, write, delete on Azure Table storage
Custom Role Definition — Permission Action Strings
  • "Microsoft.Storage/storageAccounts/read" — allows viewing the storage account's configuration properties only (least privilege for config viewing).
  • "Microsoft.Storage/storageAccounts/*" — allows all actions on storage accounts including write and delete (not least privilege).
  • "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read" — data-plane permission for reading individual blob data (not a management-plane permission for account configuration).
⚠ Roles That Grant Key Access vs Roles That Grant Data Access

There is an important distinction: some roles grant access to the storage account's keys, which in turn provide indirect access to all data. Other roles grant direct Entra-ID-based data access without touching keys. Storage Blob Data Contributor and Storage Blob Data Reader use Entra ID directly — they do not require key access and do not expose keys to the user. Storage Account Contributor can list and regenerate keys but does not itself grant Entra-based read access to blob data.

📋 Want to know exactly how this domain is tested on the exam? See the Domain 02 Exam Guide — it maps every sub-topic to the type of question you'll face. You can also check the full AZ-104 Exam Syllabus for domain weightings.

Discussions (0)

Share how you reason through topics on this page. You can also share your feedback on this guide.

0 / 200 words
No comments yet — be the first to start the thread.