Configure and manage storage accounts
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
Overview
Azure Files allows you to create fully managed file shares in the cloud using SMB or NFS protocols. Access to Azure Files can be controlled in two major ways:
- Identity-based access, using:
  - Azure AD (Microsoft Entra ID)
  - On-premises Active Directory Domain Services (AD DS)
- Key-based access, using:
  - Storage account access keys
  - Shared access signatures (SAS)
In this section, we focus on:
✔ Identity-based access for Azure Files
✔ Managing storage account access keys
These topics often appear in the AZ-104 exam.
——————————————————
Part 1: Identity-Based Access for Azure Files
——————————————————
Azure Files supports identity-based authentication, allowing users and applications to access file shares using their directory identities rather than using storage account keys. This is more secure and provides more control for administrators.
Azure supports two identity-based methods:
1. Azure AD (Microsoft Entra ID) Kerberos Authentication (Recommended)
This method allows devices joined to Microsoft Entra ID (Azure AD) or hybrid-joined (Azure AD + on-prem AD) to authenticate to Azure Files using Kerberos.
✔ Why use Azure AD Kerberos?
- No need to store access keys
- Centralized RBAC permissions
- Works with Azure AD-joined VMs
- Best for cloud-first environments
✔ Requirements
To use Azure AD Kerberos with Azure Files:
- Storage account must use Azure Files (SMB); NFS is not supported for AD authentication
- Azure AD-joined or Hybrid-joined Windows clients
- Use SMB 3.0+ protocol
- Storage account must have “Azure AD Kerberos” enabled
✔ How it works (simple explanation)
When a user signs into a Windows machine with their Azure AD identity:
- The device gets a Kerberos ticket from Azure AD.
- When accessing the Azure file share, the client presents this ticket.
- Azure Files verifies the identity.
- Access is granted based on assigned RBAC permissions.
✔ RBAC roles used for Azure AD authentication
You assign users or groups one of these roles:
| Role Name | Permissions |
|---|---|
| Storage File Data SMB Share Reader | Read-only access to the file share |
| Storage File Data SMB Share Contributor | Read + Write (modify) |
| Storage File Data SMB Share Elevated Contributor | Read/Write + special permissions like deleting other users’ items |
| Storage File Data SMB Share Owner | Full control |
Assign these roles at either:
- Storage account level
- File share level
✔ Steps to configure Azure AD Kerberos (exam-relevant)
- Create a storage account with Azure Files SMB capability.
- Go to the storage account's Azure Files identity-based access settings.
- Enable Azure AD Kerberos.
- Assign the RBAC roles to users.
- Access Azure file shares from an Azure AD-joined VM.
The exam expects you to know which roles provide which access level and where to assign them.
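As an added example (not part of the study guide), the following Azure CLI script performs steps 3 and 4 above from a shell: it enables Azure AD Kerberos on the account and assigns the Storage File Data SMB Share Reader / Contributor / Elevated Contributor roles at either account scope or file-share scope, which is the "where to assign them" point the exam tests. Every resource name, subscription ID and user is a placeholder, and `--enable-files-aadkerb` is assumed to be the current flag name for Azure AD Kerberos (confirm with `az storage account update --help`). By default the script only prints the `az` commands it would run.

```shell
#!/bin/sh
# Added example, not from the study guide: enable Azure AD Kerberos on a storage
# account and assign the Storage File Data SMB Share roles at account or share
# scope with the Azure CLI. All names and IDs below are placeholders.
set -eu

# DRY_RUN=1 (the default) prints each az command instead of running it, so the
# script can be reviewed before it touches a subscription.
DRY_RUN="${DRY_RUN:-1}"

run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az'
    for arg in "$@"; do printf ' "%s"' "$arg"; done
    printf '\n'
  else
    az "$@"
  fi
}

# Resource ID of the storage account: a role assigned here covers every share.
account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# Resource ID of one file share: the narrowest scope, preferred for least privilege.
share_scope() {
  printf '%s/fileServices/default/fileshares/%s' "$(account_scope "$1" "$2" "$3")" "$4"
}

# Access level from the guide's table -> built-in role name. This example covers
# the three roles below only.
role_for_level() {
  case "$1" in
    read)     echo "Storage File Data SMB Share Reader" ;;
    write)    echo "Storage File Data SMB Share Contributor" ;;
    elevated) echo "Storage File Data SMB Share Elevated Contributor" ;;
    *) echo "unknown access level: $1" >&2; return 1 ;;
  esac
}

# Step 3 of the guide: enable Azure AD Kerberos on the account ($1 = resource
# group, $2 = account). The flag name is an assumption; check your CLI version.
enable_aad_kerberos() {
  run_az storage account update --resource-group "$1" --name "$2" --enable-files-aadkerb true
}

# Step 4 of the guide: assign a share role ($1 = level) to a user or group
# ($2 = UPN or object ID) at the given scope ($3).
assign_share_role() {
  role="$(role_for_level "$1")" || return 1
  run_az role assignment create --role "$role" --assignee "$2" --scope "$3"
}

# Usage with placeholders: share-level read access for one user, account-level
# write access for a group (groups are referenced by object ID).
# Run as `sh script.sh demo`; set DRY_RUN=0 to execute for real.
if [ "${1:-}" = "demo" ]; then
  SUB="00000000-0000-0000-0000-000000000000"     # placeholder subscription ID
  GROUP="11111111-1111-1111-1111-111111111111"   # placeholder group object ID
  enable_aad_kerberos rg-files stfilesdemo
  assign_share_role read  alice@example.com "$(share_scope "$SUB" rg-files stfilesdemo finance)"
  assign_share_role write "$GROUP"          "$(account_scope "$SUB" rg-files stfilesdemo)"
fi
```

The two scope builders make the exam point concrete: the same role name grants access to every share in the account when assigned at the account resource ID, and to a single share when assigned at the `fileServices/default/fileshares/<name>` resource ID beneath it.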
——————————————————
2. On-Premises Active Directory DS Authentication
——————————————————
Azure Files also supports authentication using traditional on-premises Active Directory Domain Services.
This method is used in hybrid corporate environments where:
- Windows Servers are joined to on-prem AD
- File access must use NTFS ACLs
- You want the same identity to work for on-prem and cloud file shares
✔ Requirements
- On-prem AD DS
- Azure Storage account registered with AD DS (an AD DS identity, such as a computer account, that represents the storage account)
- Domain-joined Windows clients
- SMB protocol enabled
- DNS resolution configured so clients can reach Azure Files
✔ How it works
- Azure Files is configured with an AD machine account in your domain.
- Clients authenticate to Azure Files using Kerberos from AD DS.
- NTFS permissions (ACLs) on the file share control access.
✔ Steps (exam-oriented)
- Enable Active Directory DS authentication in the storage account.
- Provide domain details:
  - Domain name (FQDN)
  - NetBIOS name
  - AD credentials (for creating a computer account)
- Join the storage account’s identity to AD.
- Configure NTFS permissions using a Windows VM.
- Clients can now access with AD domain credentials.
——————————————————
Identity-Based Permissions: NTFS & RBAC
——————————————————
When using identity-based access with Azure Files:
Both RBAC and NTFS permissions must allow access.
✔ Example (IT environment)
If a user tries to access a shared folder:
- RBAC says: Allowed
- NTFS says: Denied
The user will be denied because NTFS enforces permissions at the file/folder level.
For exam:
Identity-based access requires RBAC for share-level permissions AND NTFS for file-level permissions.
——————————————————
Part 2: Manage Access Keys (AZ-104 Exam Topic)
——————————————————
Every Azure storage account has two access keys:
- Key1
- Key2
These keys provide full access (read, write, delete) to all data in the storage account.
Why are two keys provided?
To allow key rotation without downtime.
✔ If Key1 is in use → rotate Key2
✔ Update applications to use Key2
✔ Rotate Key1
Where access keys are used
- SMB access to Azure Files (when identity-based is NOT used)
- APIs / SDKs
- Storage Explorer
- Legacy applications
- Scripts and automation
Security Risks
Access keys are very powerful!
If someone has a key:
- They can access ANY data in the storage account
- They can modify or delete data
- You cannot restrict access using RBAC
Therefore, the exam emphasizes:
- Use identity-based access whenever possible
- Avoid key-based access for users
- Rotate keys regularly
——————————————————
Rotating Access Keys (Important for AZ-104)
——————————————————
Key rotation is a high-priority security practice.
✔ Steps to Rotate Keys
- Check which key the applications are currently using.
- Regenerate the other key.
- Update applications to use the new key.
- Regenerate the old key.
Exam Tip:
If an application uses Key1, regenerate Key2 first.
Never regenerate a key that is currently in use — it will break applications.
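The following script is an added example, not part of the study guide, covering both the two-key rationale in Part 2 and the rotation steps just listed. It works out which key an application currently holds by comparing its configured key against the account's key list, regenerates the other key first, pauses for the application cut-over, and only then regenerates the old key, so the in-use key is never regenerated while still in use. It uses `az storage account keys list` (tsv output of `keyName` and `value`) and `az storage account keys renew --key primary|secondary`; resource group and account names are placeholders, the key values are constructed sample data, and by default the `az` commands are only printed.

```shell
#!/bin/sh
# Added example, not from the study guide: rotate storage account access keys
# in the order the guide describes (regenerate the unused key first, cut the
# application over, then regenerate the old key) with the Azure CLI.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print az commands only (default); 0 = execute

run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az'; for arg in "$@"; do printf ' "%s"' "$arg"; done; printf '\n'
  else
    az "$@"
  fi
}

# Reads "keyName<TAB>value" lines on stdin, the shape produced by
#   az storage account keys list -g RG -n ACCOUNT --query "[].[keyName,value]" -o tsv
# and prints the name (key1/key2) of the key whose value equals $1, i.e. the
# key the application is currently holding. Fails if neither key matches.
which_key_matches() {
  wanted="$1"
  while IFS="$(printf '\t')" read -r name value; do
    if [ "$value" = "$wanted" ]; then echo "$name"; return 0; fi
  done
  echo "configured key matches neither key1 nor key2" >&2
  return 1
}

# Given the key in use, return "<regenerate first> <regenerate last>".
# The in-use key always comes last so the application never loses access.
rotation_order() {
  case "$1" in
    key1) echo "key2 key1" ;;
    key2) echo "key1 key2" ;;
    *) echo "expected key1 or key2, got: $1" >&2; return 1 ;;
  esac
}

# `az storage account keys renew --key` takes primary/secondary, not key1/key2.
renew_arg() {
  case "$1" in key1) echo primary ;; key2) echo secondary ;; *) return 1 ;; esac
}

# Full rotation for resource group $1, account $2, with $3 = key currently in
# use. Between the two renewals the operator must repoint applications at the
# freshly generated key (fetch it with `az storage account keys list`).
rotate_keys() {
  rg="$1"; account="$2"
  order="$(rotation_order "$3")" || return 1
  first="${order%% *}"; last="${order##* }"
  run_az storage account keys renew --resource-group "$rg" --account-name "$account" --key "$(renew_arg "$first")"
  echo "# update applications to use the new $first value, then continue"
  run_az storage account keys renew --resource-group "$rg" --account-name "$account" --key "$(renew_arg "$last")"
}

# Demo with constructed data: run as `sh rotate.sh demo`. In real use, pipe the
# tsv from `az storage account keys list` into which_key_matches instead.
if [ "${1:-}" = "demo" ]; then
  sample="$(printf 'key1\tAAAA==\nkey2\tBBBB==\n')"   # constructed, not real keys
  in_use="$(printf '%s\n' "$sample" | which_key_matches 'AAAA==')"
  echo "application is using $in_use"
  rotate_keys rg-files stfilesdemo "$in_use"
fi
```

The `which_key_matches` step is the part most rotation scripts skip: if the application's key value matches neither current key, the script stops rather than guessing, because regenerating the wrong key is exactly the outage the exam tip warns about.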
——————————————————
Shared Access Signatures (SAS) vs Access Keys
——————————————————
You must understand the difference:
| Feature | Access Keys | SAS |
|---|---|---|
| Scope | Whole account | Limited resources (container, file, directory) |
| Control | No restriction | You can restrict time, permissions, IP |
| Security | High risk | More secure |
| Revocation | Rotate key | Revoke SAS token |
Identity-based access is still more secure than SAS.
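To make the table's "Control" row concrete, here is an added example (not from the study guide) that mints a SAS for a single file share restricted in all three dimensions the table names: time (a lifetime capped at 24 hours), permissions (read/list only) and client IP. It uses `az storage share generate-sas`; signing a share SAS still requires the account key, supplied to the CLI through `--account-key` or the `AZURE_STORAGE_KEY` environment variable, but the recipient only ever receives the limited token. Account, share and IP values are placeholders, GNU `date` is assumed for the expiry calculation, and by default the `az` command is only printed.

```shell
#!/bin/sh
# Added example, not from the study guide: mint a short-lived, read-only,
# IP-restricted SAS for one file share with the Azure CLI instead of handing
# out the account key. Names and the IP are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az command only (default); 0 = execute

run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az'; for arg in "$@"; do printf ' "%s"' "$arg"; done; printf '\n'
  else
    az "$@"
  fi
}

# UTC expiry $1 hours from now in the format az expects (GNU date assumed).
expiry_in_hours() {
  date -u -d "@$(( $(date +%s) + $1 * 3600 ))" +%Y-%m-%dT%H:%MZ
}

# Allow only read (r) and list (l); c, w and d would make the token write-capable.
check_permissions() {
  case "$1" in
    "") echo "empty permission string" >&2; return 1 ;;
    *[!rl]*) echo "write-capable permission in '$1'; use r and/or l only" >&2; return 1 ;;
  esac
  echo "$1"
}

# Cap the lifetime: a SAS that lives for days is an account key by another name.
check_lifetime_hours() {
  if [ "$1" -lt 1 ] || [ "$1" -gt 24 ]; then
    echo "lifetime ${1}h is outside the 1..24h policy" >&2; return 1
  fi
  echo "$1"
}

# Generate a SAS for share $2 on account $1 with permissions $3, valid for $4
# hours, usable only from IP or range $5, over HTTPS only.
share_sas() {
  perms="$(check_permissions "$3")" || return 1
  hours="$(check_lifetime_hours "$4")" || return 1
  run_az storage share generate-sas --account-name "$1" --name "$2" \
    --permissions "$perms" --expiry "$(expiry_in_hours "$hours")" \
    --https-only --ip "$5" --output tsv
}

# Usage with placeholders: run as `sh sas.sh demo`; set DRY_RUN=0 to execute
# (with AZURE_STORAGE_KEY exported for signing).
if [ "${1:-}" = "demo" ]; then
  share_sas stfilesdemo finance rl 2 203.0.113.10
fi
```

Compare the result with the "Access Keys" column of the table: the key grants every permission on every share forever until rotated, whereas this token grants read/list on one share for two hours from one address, and revoking it means letting it expire (or regenerating the signing key, which invalidates every SAS signed with it).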
——————————————————
Common AZ-104 Exam Questions for This Topic
——————————————————
Here are concepts the exam often tests:
✔ Identity-based access
- Which RBAC role provides read-only SMB share access?
  → Storage File Data SMB Share Reader
- Which system is used for Azure AD authentication?
  → Azure AD Kerberos
- What is required to use identity-based access?
  → SMB protocol, RBAC, NTFS permissions
- What is needed for AD DS authentication?
  → Domain-joined client, AD DS configured in storage account
✔ Managing access keys
- Why two keys?
  → Key rotation
- What happens if you regenerate a key that is in use?
  → Applications lose access
- How do you reduce key exposure?
  → Use Azure AD authentication instead of keys
- How to grant granular access?
  → Use SAS or identity-based access, not access keys
——————————————————
Final Summary for Students
——————————————————
Identity-Based Access
- More secure
- Uses Azure AD or on-prem AD DS
- Requires RBAC + NTFS
- Best for enterprise environments
- Supports Kerberos authentication
Access Keys
- Give full access to storage account
- Should not be used for users
- Must be rotated regularly
- Use SAS or identity-based access to reduce risk
