Configure access to storage
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
1. What Are Access Keys?
Every Azure Storage Account has two access keys:
- Key1
- Key2
These are root-level secrets: a client that presents either key can authorize any data-plane request (Shared Key authorization) against the whole storage account.
When you authenticate with an access key, you get complete control of the data in:
- Blob Storage
- File Shares
- Queues
- Tables
Access keys never scope you to a specific container, share, queue or table. Anyone who has an access key can perform any data operation on that storage account, unless the storage firewall blocks their network location or Shared Key authorization has been disabled on the account (the "Allow storage account key access" setting, `allowSharedKeyAccess` in ARM). Note what the keys do not give you: control-plane rights such as changing network rules, regenerating keys or deleting the account are governed by Azure RBAC, not by the keys.
This is why access keys must be treated as highly sensitive secrets: one leaked key exposes every byte in the account.
2. Where Are Access Keys Used?
Access keys are commonly used by:
✔ Legacy applications
Older apps that don't support Azure AD (now Microsoft Entra ID) authentication or SAS tokens.
✔ Scripts and automation
PowerShell, CLI, or backend tools written before Azure RBAC data roles (for example Storage Blob Data Contributor) existed.
✔ Tools like Storage Explorer
You can connect by using a storage account name + access key.
✔ Programmatic access
Connection strings that include the access key are used in application configuration files.
3. Why Two Keys? (Key Rotation)
Azure provides two keys so that you can rotate them without downtime: one key stays in service while the other is regenerated.
Example IT use case:
- Key1 is used by several applications; Key2 is idle.
- You regenerate Key2 (nothing is using it, so nothing breaks).
- Update all applications to use the new Key2.
- Regenerate Key1, the key that was in use before.
Rotated this way, the key in service is never the one being regenerated, so applications keep running.
The exam focuses heavily on this.
4. How to View and Manage Access Keys
You can view, copy, or regenerate access keys from:
Azure Portal
Storage account → Security + networking → Access keys
You will see:
- Key1
- Key2
- Connection strings for each key
Azure CLI
```bash
az storage account keys list --resource-group MyRG --account-name mystorageaccount
```
Regenerate a key (the CLI calls Key1 `primary` and Key2 `secondary`):
```bash
az storage account keys renew --resource-group MyRG --account-name mystorageaccount --key primary
```
PowerShell
```powershell
Get-AzStorageAccountKey -ResourceGroupName "MyRG" -Name "mystorageaccount"
```
Regenerating from PowerShell uses `New-AzStorageAccountKey` with `-KeyName key1` or `key2`.
Listing keys is itself a privileged control-plane action (`Microsoft.Storage/storageAccounts/listKeys/action`, included in Owner, Contributor and Storage Account Contributor) and regenerating requires `Microsoft.Storage/storageAccounts/regenerateKey/action`; a Reader cannot read the keys.
5. Regenerating Access Keys (Key Rotation)
When you regenerate (renew) a key:
- A new key is created.
- The old key stops working immediately, and so does every SAS token that was signed with it, because a SAS signature is an HMAC computed with the account key.
- Every app, script, or service that uses that key (directly, or through a SAS signed with it) must be updated.
Important exam facts:
🔹 Regenerating Key1 does not affect Key2, and vice versa; SAS tokens signed with the other key keep working.
🔹 Azure does not automatically update your applications; you must update them (or the Key Vault secret they read) yourself.
6. Securing Access Keys
Because access keys provide full data-plane access, securing them is critical.
Best Practices (Exam-focus):
- Do not embed access keys in code. Store them in Azure Key Vault and have applications read them from there; a rotation is then a secret update, not a redeploy.
- Use Azure AD (Microsoft Entra ID) authentication whenever possible, ideally with a managed identity so there is no secret to leak at all. Azure AD supports granular, role-based permissions (for example Storage Blob Data Reader on a single container); access keys should be used only when absolutely necessary.
- Use SAS tokens instead of keys when delegation is required. A SAS grants limited access (time-bound, permission-scoped, optionally IP-restricted). Prefer a user-delegation SAS, which is signed with Azure AD credentials rather than an account key and therefore survives key rotation.
- Rotate access keys regularly. This is part of security and compliance, and a key expiration policy on the account lets Azure flag keys older than your limit.
- Monitor key usage with Azure Monitor logs. The Activity Log shows who listed or regenerated keys; storage resource logs record the authentication type of every request, so you can see which clients still authenticate with a key.
- Restrict access using storage firewalls and private endpoints. Even with the key, a caller outside the allowed networks is refused.
- Once nothing needs the keys, disable Shared Key authorization on the account ("Allow storage account key access" = Disabled). The keys and every SAS signed with them then stop working, and only Azure AD requests (including user-delegation SAS) are accepted.
7. Using Access Keys with Connection Strings
When connecting using an access key, you normally use a connection string (one line; the fields are separated by semicolons):
Example:
```text
DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=xxxxxxxxxxxxxxxxxxxxx;EndpointSuffix=core.windows.net
```
The real AccountKey value is the full Base64 key, 88 characters long. This connection string is used in:
- Web applications
- Background services
- Database backup tools
- Storage Explorer
If the key is rotated, every copy of this connection string must be updated, which is why it belongs in Key Vault or an app-settings reference rather than in source control.
8. Access Keys vs. SAS Tokens vs. Azure AD (Exam Comparison)
| Feature | Access Keys | SAS Tokens | Azure AD |
|---|---|---|---|
| Access Type | Full admin access | Restricted access | Role-based access |
| Granular permissions? | ❌ No | ✔ Yes | ✔ Yes |
| Expiration | ❌ None (valid until regenerated) | ✔ Yes (expiry set at creation) | ✔ Token-based (short-lived, renewed automatically) |
| Recommended for apps? | ❌ No | ✔ Yes | ✔ Best option |
| Risk Level | High | Medium | Low |
Exam Tip:
Microsoft recommends Azure AD (Microsoft Entra ID) for most modern applications and avoiding access keys whenever possible; in that model the keys stay disabled and any SAS you still need is a user-delegation SAS.
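To make the table concrete, here is an added example (not from the page, and not Microsoft's SDK code) that builds an account SAS from a storage access key using only the Python standard library, then shows the consequence described in section 5: once the key is regenerated, every SAS signed with it fails verification. The account name is the page's placeholder, the keys are generated locally, and the string-to-sign follows the documented account-SAS layout for service versions before 2020-12-06; in production you would call the SDK's `generate_account_sas` rather than hand-roll this.

```python
"""Account SAS signing with a storage access key (added example, not from the page).

Everything here is constructed: the account name is a placeholder and the keys
are generated locally, so nothing talks to Azure. Service version 2019-12-12 is
used because its account-SAS string-to-sign has no encryption-scope line.
"""
import base64
import hashlib
import hmac
import os
import urllib.parse

ACCOUNT = "mystorageaccount"   # placeholder, as in the page's CLI examples
SAS_VERSION = "2019-12-12"


def new_key() -> str:
    """Stand-in for an Azure-generated key: 64 random bytes, Base64 (88 chars ending '==')."""
    return base64.b64encode(os.urandom(64)).decode()


def account_sas_string_to_sign(account, sp, ss, srt, st, se, sip="", spr="https",
                               sv=SAS_VERSION) -> str:
    """Documented account-SAS string-to-sign for service versions before 2020-12-06."""
    return "\n".join([account, sp, ss, srt, st, se, sip, spr, sv]) + "\n"


def sign(key_b64: str, string_to_sign: str) -> str:
    """sig = Base64(HMAC-SHA256(UTF8(string_to_sign), Base64-decoded key))."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_account_sas(key_b64: str, sp="rl", ss="b", srt="co",
                     st="2024-01-01T00:00:00Z", se="2024-01-01T01:00:00Z") -> str:
    """Delegate read+list on blob containers/objects for one hour, signed with the key."""
    sts = account_sas_string_to_sign(ACCOUNT, sp, ss, srt, st, se)
    params = {"sv": SAS_VERSION, "ss": ss, "srt": srt, "sp": sp, "st": st, "se": se,
              "spr": "https", "sig": sign(key_b64, sts)}
    return urllib.parse.urlencode(params)   # append after '?' on the account URL


def sas_valid_for_key(sas_query: str, key_b64: str) -> bool:
    """What the service does on every request: rebuild the string-to-sign from the
    token's own fields, re-sign with the key it currently holds, and compare."""
    p = dict(urllib.parse.parse_qsl(sas_query))
    sts = account_sas_string_to_sign(ACCOUNT, p["sp"], p["ss"], p["srt"], p.get("st", ""),
                                     p["se"], p.get("sip", ""), p.get("spr", ""), p["sv"])
    return hmac.compare_digest(sign(key_b64, sts), p["sig"])


if __name__ == "__main__":
    key1 = new_key()
    sas = make_account_sas(key1)
    print("valid with key1:", sas_valid_for_key(sas, key1))
    key1 = new_key()                                   # "regenerate key1"
    print("valid after key1 regenerated:", sas_valid_for_key(sas, key1))
```

Note what the token carries that the bare key does not: permissions, services, resource types and an expiry, all of which are covered by the signature, so tampering with `sp=` breaks the check just as regenerating the key does. The verification still depends on the account key, which is why the table rates a key-signed SAS medium rather than low and why a user-delegation SAS signed with Azure AD credentials is preferred.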
9. Locking Access Keys Using Azure Resource Locks
You can prevent accidental deletion or regeneration by using Resource Locks (CanNotDelete or ReadOnly) at:
- Storage account level
- Resource group level
- Subscription level
Exam wants you to know:
🔹 A ReadOnly lock prevents key regeneration (and, because List Keys is a POST operation, it also prevents listing the keys; callers then need Azure AD credentials or a key they already hold to reach the data).
🔹 A Delete (CanNotDelete) lock does not prevent key regeneration; it only stops the account from being deleted.
10. Monitoring Access Key Usage
Azure provides:
Activity Log
Shows who listed or regenerated a key (control-plane operations such as `Microsoft.Storage/storageAccounts/regenerateKey/action`).
Azure Monitor / Log Analytics
Storage resource logs (tables such as StorageBlobLogs) record one row per request, including the authentication type used (AccountKey, SAS, OAuth), the caller IP and the user agent, so you can find every client still authenticating with a key, and the logged hash of the credential lets you tell the two keys apart without ever logging a key.
For exams:
Remember you must turn on Diagnostic settings (resource logs; classic Storage Analytics logging is the older mechanism) to send logs to:
- Log Analytics workspace
- Storage Account (archive)
- Event Hub
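As an added example (not from the page), the following Python runs that check over constructed log records laid out like StorageBlobLogs rows: it lists every caller still using AccountKey authentication, counts how many distinct keys are in use (the input to step 1 of a rotation), and decides whether shared key access can be disabled. The sample records, IPs, user agents and hashes are invented, and nothing here queries Azure.

```python
"""Find clients that still authenticate with a shared key (added example, not from the page).

The log lines are constructed to follow the column names of the StorageBlobLogs
table (AuthenticationType, AuthenticationHash, CallerIpAddress, UserAgentHeader,
OperationName); the values are invented and nothing here queries Azure.
"""
import json
from collections import Counter

# Constructed sample: a legacy backup job on one key, Storage Explorer on the other,
# one SDK client on OAuth and one browser download via SAS.
SAMPLE_LOG_LINES = [
    '{"TimeGenerated":"2024-05-01T10:00:01Z","OperationName":"GetBlob","AuthenticationType":"AccountKey","AuthenticationHash":"0c1d2e3f","CallerIpAddress":"10.1.2.3:51234","UserAgentHeader":"legacy-backup/1.0"}',
    '{"TimeGenerated":"2024-05-01T10:00:02Z","OperationName":"ListBlobs","AuthenticationType":"AccountKey","AuthenticationHash":"0c1d2e3f","CallerIpAddress":"10.1.2.3:51240","UserAgentHeader":"legacy-backup/1.0"}',
    '{"TimeGenerated":"2024-05-01T10:00:03Z","OperationName":"GetBlob","AuthenticationType":"OAuth","AuthenticationHash":"","CallerIpAddress":"10.1.2.9:44100","UserAgentHeader":"azsdk-python-storage-blob/12.19.0"}',
    '{"TimeGenerated":"2024-05-01T10:00:04Z","OperationName":"GetBlob","AuthenticationType":"SAS","AuthenticationHash":"55aa66bb","CallerIpAddress":"203.0.113.7:60000","UserAgentHeader":"Mozilla/5.0"}',
    '{"TimeGenerated":"2024-05-01T10:00:05Z","OperationName":"PutBlob","AuthenticationType":"AccountKey","AuthenticationHash":"9a8b7c6d","CallerIpAddress":"10.1.5.5:40001","UserAgentHeader":"Microsoft Azure Storage Explorer/1.30"}',
    '{"TimeGenerated":"2024-05-01T10:00:06Z","OperationName":"GetBlob","AuthenticationType":"AccountKey","AuthenticationHash":"0c1d2e3f","CallerIpAddress":"10.1.2.3:51250","UserAgentHeader":"legacy-backup/1.0"}',
]


def parse_records(lines):
    """One JSON object per line, as exported from a Log Analytics query or an archive blob."""
    return [json.loads(line) for line in lines if line.strip()]


def shared_key_callers(records) -> Counter:
    """Count AccountKey requests per (credential hash, caller IP, user agent).
    Different keys hash to different values, so the hash separates key1 from key2
    without the key itself ever appearing in a log."""
    counts = Counter()
    for r in records:
        if r.get("AuthenticationType") != "AccountKey":
            continue
        ip = r.get("CallerIpAddress", "").rsplit(":", 1)[0]   # logged value includes the source port
        counts[(r.get("AuthenticationHash", ""), ip, r.get("UserAgentHeader", ""))] += 1
    return counts


def keys_in_use(records) -> set:
    """Distinct key hashes seen; two entries means both keys are live and neither can be regenerated blindly."""
    return {key_hash for (key_hash, _, _) in shared_key_callers(records)}


def safe_to_disable_shared_key(records) -> bool:
    """True only when no request in the window used an access key (prerequisite for allowSharedKeyAccess=false)."""
    return not shared_key_callers(records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    for (key_hash, ip, ua), n in shared_key_callers(recs).most_common():
        print(f"key {key_hash}  {ip:<12} {ua:<40} {n} requests")
    print("keys in use:", keys_in_use(recs))
    print("safe to disable shared key:", safe_to_disable_shared_key(recs))
```

Run it over a window long enough to cover your slowest scheduled job (a monthly backup that uses a key will not show up in a 24-hour sample) before treating `safe_to_disable_shared_key` as a green light.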
11. What You Should NOT Do (Common Exam Traps)
❌ Do not store access keys in plain-text configuration files
❌ Do not hardcode them in scripts
❌ Do not use access keys for giving limited access → Use SAS
❌ Do not leave both keys active forever without rotation
❌ Do not regenerate a key that applications are still using; move them to the other key first, or plan the downtime
❌ Do not store access keys in source code repositories (GitHub, etc.)
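The last two traps are best caught before a commit lands. The Python below is an added example (not from the page) of a repository scanner that looks for key-shaped strings, both inside connection strings and standing alone in scripts, and reports them redacted with file and line. The file contents and keys are constructed in memory. It relies on the documented key format, 64 random bytes encoded as Base64 (88 characters ending in `==`); any other 64-byte Base64 secret would trip it too, which is the right side to err on.

```python
"""Scan a tree for leaked storage account keys (added example, not from the page).

Assumption: an Azure Storage access key is 64 random bytes encoded as Base64,
so it is 88 characters long and ends in "==". The sample files and keys below
are fabricated in memory; nothing here is a real credential.
"""
import re
from pathlib import Path

# 86 Base64 characters plus "==" padding, not embedded in a longer Base64 run
# (so certificates and other long blobs are not reported).
KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{86}==)(?![A-Za-z0-9+/=])")
CONN_STR_PREFIX = "AccountKey="

FAKE_KEY1 = "A" * 86 + "=="                 # constructed: valid Base64 shape only
FAKE_KEY2 = ("Zz9/+" * 18)[:86] + "=="       # constructed

SAMPLE_FILES = {   # constructed repository contents
    "appsettings.json": ('{\n  "Storage": "DefaultEndpointsProtocol=https;AccountName=mystorageaccount;'
                         'AccountKey=' + FAKE_KEY1 + ';EndpointSuffix=core.windows.net"\n}\n'),
    "backup.ps1": '$key = "' + FAKE_KEY2 + '"\n'
                  'Get-AzStorageAccountKey -ResourceGroupName "MyRG" -Name "mystorageaccount"\n',
    "README.md": "Keys live in Key Vault, never in this repository.\n",
}


def redact(key: str) -> str:
    """Show only enough to recognise the key; never print the whole thing."""
    return key[:4] + "..." + key[-6:]


def scan_text(text: str, path: str) -> list:
    """Report every key-shaped token with its line number and whether it sat in a connection string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            start = m.start(1)
            in_conn_str = line[max(0, start - len(CONN_STR_PREFIX)):start] == CONN_STR_PREFIX
            findings.append({"path": path, "line": lineno,
                             "kind": "connection-string" if in_conn_str else "bare-key",
                             "key": redact(m.group(1))})
    return findings


def scan_files(files: dict) -> list:
    """Scan in-memory {path: text} pairs."""
    return [f for path, text in files.items() for f in scan_text(text, path)]


def scan_tree(root: str) -> list:
    """Scan a checkout on disk, skipping the .git directory; suitable as a pre-commit hook."""
    return [f for p in Path(root).rglob("*") if p.is_file() and ".git" not in p.parts
            for f in scan_text(p.read_text(errors="replace"), str(p))]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}  {f['kind']}  {f['key']}")
```

A hit in `git log -p` output matters as much as one in the working tree: a key that was committed and later removed is still in history and must be regenerated, not just deleted.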
12. Key Rotation Strategy (Expected in Exam Scenarios)
A safe rotation process in IT:
- Check which key is currently in use by applications (from your inventory, the Key Vault secret, or the credential hashes in storage resource logs).
- Regenerate the other key (e.g., Key2).
- Store the new Key2 securely in Key Vault and update all applications to use it.
- Confirm that apps are working correctly with Key2.
- Only then regenerate Key1.
This ensures zero downtime, because the key being regenerated is never the one in service.
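The following Python is an added example (not from the page) that automates this sequence with the Azure CLI commands from section 4, adding two safeguards the list implies: the new key is verified with a real data-plane call before the old one is regenerated, and the new value is published to Key Vault, where the applications are assumed to read it, instead of being pushed into each app. Resource group, account, vault and secret names are placeholders; the `run` parameter defaults to the real `az` and can be replaced with a stub to dry-run the whole sequence.

```python
"""Zero-downtime rotation driven by the Azure CLI (added example, not from the page).

Assumptions: resource group, account, vault and secret names are placeholders;
applications read the key from the Key Vault secret rather than from config;
`run` defaults to the real `az` binary and can be swapped for a stub to dry-run.
"""
import json
import subprocess
from typing import Callable, List

RG, ACCOUNT = "MyRG", "mystorageaccount"                # as in the page's CLI examples
VAULT, SECRET = "mykeyvault", "storage-account-key"     # placeholders
OTHER = {"key1": "key2", "key2": "key1"}
CLI_NAME = {"key1": "primary", "key2": "secondary"}   # portal names -> az --key values

Runner = Callable[[List[str]], str]


def az(args: List[str]) -> str:
    """Default runner: invoke the Azure CLI and return its stdout; raises on non-zero exit."""
    return subprocess.run(["az", *args], check=True, capture_output=True, text=True).stdout


def regenerate(key_name: str, run: Runner) -> str:
    """Regenerate key1/key2 and return the new value; the old value dies immediately."""
    out = run(["storage", "account", "keys", "renew", "--resource-group", RG,
               "--account-name", ACCOUNT, "--key", CLI_NAME[key_name], "-o", "json"])
    return next(k["value"] for k in json.loads(out) if k["keyName"] == key_name)


def key_works(value: str, run: Runner) -> bool:
    """Smoke-test the new key with a real data-plane call before retiring the old one."""
    try:
        run(["storage", "container", "list", "--account-name", ACCOUNT,
             "--account-key", value, "--auth-mode", "key", "-o", "json"])
        return True
    except subprocess.CalledProcessError:
        return False


def publish(value: str, run: Runner) -> None:
    """Apps read the key from Key Vault, so this is the 'update all applications' step."""
    run(["keyvault", "secret", "set", "--vault-name", VAULT, "--name", SECRET,
         "--value", value, "-o", "none"])


def rotate(in_use: str, run: Runner = az) -> str:
    """Rotate away from the key apps use now (e.g. 'key1'); returns the key that is now live."""
    spare = OTHER[in_use]
    new_value = regenerate(spare, run)            # 1. regenerate the idle key
    if not key_works(new_value, run):             # 2. verify before touching in_use
        raise RuntimeError(f"new {spare} failed verification; {in_use} left intact")
    publish(new_value, run)                       # 3. move consumers via Key Vault
    regenerate(in_use, run)                       # 4. only now kill the old key
    return spare


if __name__ == "__main__":
    import sys
    print("live key is now", rotate(sys.argv[1]))   # e.g. python rotate.py key1
```

Between step 3 and step 4 the consumers need time to pick up the new secret (a restart or a Key Vault reference refresh) and a health check; `rotate()` goes straight on, so a scheduled job should insert that wait before the final regenerate. Each call swaps which key is live, so persist the returned name for the next run.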
13. Exam-Style Notes / Important Points
- Access keys grant full access → no granular control.
- They must be rotated regularly.
- Store them in Azure Key Vault.
- Prefer Azure AD authentication for new applications.
- SAS tokens are the recommended way to delegate limited access.
- Regenerating a key immediately invalidates the old one.
- Two keys exist to support uninterrupted key rotation.
- Access keys can be managed via Portal, CLI, PowerShell and the REST API; ARM and Bicep templates can read them with the listKeys() function.
- Key rotation can be automated using Azure Functions or Automation Runbooks, or delegated to Key Vault's managed storage account feature.
Conclusion
Managing Access Keys is an essential skill for the Azure Administrator role and a frequent topic in the AZ-104 exam. The keys offer full control of a storage account but must be protected, stored securely, and rotated correctly.
Understanding how to:
- View keys
- Regenerate keys
- Secure them
- Replace them with Azure AD or SAS where possible
…will help you answer exam scenario questions confidently and manage Azure Storage securely in real environments.
