# Azure Storage Account

## Overview

* Azure Storage is a Microsoft-managed service providing cloud storage that is highly available, secure, durable, scalable, and redundant
* The service acts as a container for multiple data storage types, e.g., Azure Blob Storage, Azure Files, and more

```
Azure Subscription
└── Storage Account(s)
    └── Azure Blob Storage Container(s)
        └── Blob(s) aka files
        
    └── Azure Files
        └── SMB File Share(s)
        └── NFS File Share(s)
        
    └── Azure Elastic SAN
        └── Volume Group(s)
            └── Storage Volume(s)
            
    └── Azure Queues
        └── Queue(s)
            └── Message(s)
            
    └── Azure Tables
        └── Table(s)
            └── Entities
                └── Properties
                
    └── Azure Managed Disks
        └── Storage Volume(s)
        
    └── Azure Container Storage
        └── Storage Volume(s)
```

***

## Authentication Methods

{% hint style="info" %}
These authentication methods do not apply when the blob or container has been made publicly accessible
{% endhint %}

* There are three methods for obtaining access to Azure Storage

### Microsoft Entra Credentials

{% hint style="success" %}
This is the most secure and recommended approach
{% endhint %}

* Storage permissions can be assigned to an Entra security principal (user/group/app/managed identity)

### Account Access Key

{% hint style="warning" %}
These are highly sensitive and if exposed allow full access to all data in the storage account
{% endhint %}

* When an Azure Storage account is created, two keys are generated that provide full access to all data in the storage account
* Therefore, these keys should be monitored and well protected

### SAS (Shared Access Signature) Token

* A shareable link that enables granting limited access to containers and blobs within a storage account
* This is similar to AWS S3 PreSigned URLs
* Either an Azure Storage Account Access Key or Entra credentials can be used as the signing key to generate this token
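
An added example (not part of the original page): a small auditor that reads a SAS URL and reports which kind of key signed it and how "limited" the access really is. The query parameter names (`sp`, `se`, `spr`, `sip`, `ss`, `srt`, `skoid`, `sig`) come from Azure's SAS query-string format; the 24-hour lifetime threshold, the finding labels and the sample URLs are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MODIFY_PERMS = set("acwd")  # add, create, write, delete

def parse_time(value):
    # SAS times are ISO 8601 UTC, e.g. 2024-01-01T08:00:00Z or 2024-01-01
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_sas(url, now, max_lifetime=timedelta(hours=24)):
    """Return (sas_type, findings) for a URL carrying a SAS token."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return "none", []
    findings = []
    if "skoid" in q:                      # user delegation key fields present
        sas_type = "user-delegation"      # signed via Entra credentials
    else:
        sas_type = "account" if "ss" in q and "srt" in q else "service"
        findings.append("signed-with-account-key")
    if sas_type == "account":
        findings.append("scope-is-whole-services")
    if "se" not in q:
        findings.append("expiry-not-in-token")   # may live in a stored access policy
    elif parse_time(q["se"]) - now > max_lifetime:
        findings.append("long-lived")             # assumed policy: 24 hours
    if MODIFY_PERMS & set(q.get("sp", "")):
        findings.append("can-modify-data")
    if q.get("spr") != "https":           # spr omitted means HTTP is also accepted
        findings.append("http-allowed")
    if "sip" not in q:
        findings.append("no-ip-restriction")
    return sas_type, findings

# Constructed sample URLs; account name, GUID and signatures are placeholders.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
NARROW = ("https://exampleacct.blob.core.windows.net/c1/report.pdf?sv=2022-11-02"
          "&sr=b&sp=r&se=2024-01-01T08:00:00Z&spr=https&sip=203.0.113.10"
          "&skoid=00000000-0000-0000-0000-000000000000&sig=PLACEHOLDER")
BROAD = ("https://exampleacct.blob.core.windows.net/?sv=2022-11-02&ss=bfqt"
         "&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER")

if __name__ == "__main__":
    for url in (NARROW, BROAD):
        print(audit_sas(url, NOW))
```

Running the same check over SAS URLs found in code repositories, tickets or logs gives a quick list of tokens that should be reissued with a narrower scope.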

***

## CLI Cheat Sheet

{% embed url="<https://app.gitbook.com/o/jZWSDbhtOG1szHMuDH9S/s/8yu8YbDfwd1VqEdUxGyA/~/edit/~/changes/467/cloud-security/azure/azure-cli-cheat-sheet#storage-account>" %}


