Azure Security

Azure Storage Security: Complete Configuration Guide 2024

18 May 2026·5 min read·FixMyCloud Team

Azure storage accounts are fundamental to most cloud architectures, but their default configurations often fall short of enterprise security requirements. This guide covers the essential Azure storage security configurations that protect your data from unauthorized access, support compliance, and maintain operational integrity.

Storage Account Security Fundamentals

Azure storage security operates on multiple layers: identity and access management, network controls, encryption, and monitoring. Each layer requires specific configuration to create a robust security posture.

Secure Transfer Requirements

Always enforce HTTPS for storage account access. Rejecting plain HTTP requests prevents downgrade and man-in-the-middle attacks and guarantees that data is encrypted in transit.

# Azure CLI
az storage account update \
  --name mystorageaccount \
  --resource-group myresourcegroup \
  --https-only true

# PowerShell (line continuation uses the backtick, not a backslash)
Set-AzStorageAccount `
  -ResourceGroupName "myresourcegroup" `
  -AccountName "mystorageaccount" `
  -EnableHttpsTrafficOnly $true

For ARM templates, include this configuration:

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "properties": {
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2"
  }
}

TLS Version Management

Enforce TLS 1.2 as the minimum version so clients cannot negotiate TLS 1.0 or 1.1, which have known protocol-level weaknesses:

az storage account update \
  --name mystorageaccount \
  --resource-group myresourcegroup \
  --min-tls-version TLS1_2

Access Control Configuration

Disable Shared Key Authorization

Shared keys represent a significant security risk: each key grants full access to every service in the account, is not tied to an identity, and is hard to rotate and audit. Disable them in favor of Azure AD authentication:

az storage account update \
  --name mystorageaccount \
  --resource-group myresourcegroup \
  --allow-shared-key-access false

Important: Ensure Azure AD authentication is properly configured before disabling shared key access, or you'll lose connectivity. Any client that still authenticates with an account key, or with a SAS token signed by an account key, will stop working once this setting is applied.

Azure AD Integration

Configure Azure AD authentication for storage account access:

# Assign Storage Blob Data Reader role
az role assignment create \
  --role "Storage Blob Data Reader" \
  --assignee user@company.com \
  --scope "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-account}"

Managed Identity Configuration

Use managed identities for service-to-service authentication:

# Create system-assigned managed identity for VM
az vm identity assign \
  --name myvm \
  --resource-group myresourcegroup

# Assign storage permissions to managed identity
az role assignment create \
  --role "Storage Blob Data Contributor" \
  --assignee-object-id {managed-identity-object-id} \
  --scope {storage-account-resource-id}

Network Security Controls

Private Endpoints

Private endpoints provide secure, direct connectivity to storage accounts from a virtual network without traversing the public internet. Creating a private endpoint does not by itself block the account's public endpoint, so combine it with the network access rules below:

az network private-endpoint create \
  --name storage-private-endpoint \
  --resource-group myresourcegroup \
  --vnet-name myvnet \
  --subnet mysubnet \
  --private-connection-resource-id {storage-account-resource-id} \
  --group-id blob \
  --connection-name storage-connection

Network Access Rules

Restrict storage account access to specific networks:

# Deny all network access by default
az storage account update \
  --name mystorageaccount \
  --resource-group myresourcegroup \
  --default-action Deny

# Allow specific virtual network
az storage account network-rule add \
  --account-name mystorageaccount \
  --resource-group myresourcegroup \
  --vnet-name myvnet \
  --subnet mysubnet

# Allow specific IP ranges
az storage account network-rule add \
  --account-name mystorageaccount \
  --resource-group myresourcegroup \
  --ip-address 203.0.113.0/24

Service Endpoint Configuration

Configure service endpoints for secure VNet connectivity. The Microsoft.Storage service endpoint must be enabled on the subnet before the virtual network rule above will be accepted:

az network vnet subnet update \
  --name mysubnet \
  --vnet-name myvnet \
  --resource-group myresourcegroup \
  --service-endpoints Microsoft.Storage

Encryption Configuration

Customer-Managed Keys (CMK)

Implement customer-managed keys for enhanced encryption control. The key vault must have soft delete and purge protection enabled, and the storage account needs a managed identity with get, wrapKey and unwrapKey permissions on the key:

# Create Key Vault key (vault must have soft delete and purge protection enabled)
az keyvault key create \
  --vault-name mykeyvault \
  --name storage-key \
  --protection software

# Configure storage account to use CMK; the account's managed identity must
# already be granted get, wrapKey and unwrapKey on the vault, or this fails
az storage account update \
  --name mystorageaccount \
  --resource-group myresourcegroup \
  --encryption-key-name storage-key \
  --encryption-key-vault https://mykeyvault.vault.azure.net \
  --encryption-key-source Microsoft.Keyvault

Infrastructure Encryption

Enable infrastructure encryption for double encryption (a second, independent encryption layer at the infrastructure level). This setting can only be chosen when the storage account is created; it cannot be turned on for an existing account:

{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "properties": {
    "encryption": {
      "requireInfrastructureEncryption": true,
      "services": {
        "blob": {
          "enabled": true,
          "keyType": "Account"
        },
        "file": {
          "enabled": true,
          "keyType": "Account"
        }
      }
    }
  }
}

Monitoring and Auditing

Storage Analytics Logging

Enable comprehensive logging for security monitoring. Note that classic Storage Analytics logging is configured through the data plane with the account key, which conflicts with disabling shared key access above; prefer the Azure Monitor diagnostic settings in the next section where possible:

az storage logging update \
  --account-name mystorageaccount \
  --account-key {account-key} \
  --services b \
  --log rwd \
  --retention 90

Azure Monitor Integration

Configure diagnostic settings for centralized monitoring:

# StorageRead/StorageWrite/StorageDelete are resource logs of the blob service,
# not of the account itself, so target blobServices/default (repeat for
# fileServices, queueServices and tableServices as needed)
az monitor diagnostic-settings create \
  --name storage-diagnostics \
  --resource {storage-account-resource-id}/blobServices/default \
  --logs '[{"category":"StorageRead","enabled":true},{"category":"StorageWrite","enabled":true},{"category":"StorageDelete","enabled":true}]' \
  --metrics '[{"category":"Transaction","enabled":true}]' \
  --workspace {log-analytics-workspace-id}

Security Alerts

Create alerts for suspicious activities:

  • Unusual access patterns
  • Failed authentication attempts
  • Configuration changes
  • Large data transfers
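As an added example (not part of the original guide), the following Python turns the alert list above into detection logic over rows in the shape of the Azure Monitor StorageBlobLogs table that the diagnostic setting feeds. The sample rows are constructed, and the field names (OperationName, StatusText, AuthenticationType, CallerIpAddress, ResponseBodySize) are assumed to match the resource-log schema; the thresholds are illustrative.

```python
from collections import Counter, defaultdict

# Constructed sample rows shaped like Azure Monitor StorageBlobLogs records
# (field names assumed to follow the resource-log schema; values are invented).
SAMPLE_LOGS = [
    {"OperationName": "GetBlob", "StatusCode": 403, "StatusText": "AuthenticationFailed",
     "AuthenticationType": "AccountKey", "CallerIpAddress": "198.51.100.7", "ResponseBodySize": 0},
    {"OperationName": "GetBlob", "StatusCode": 403, "StatusText": "AuthenticationFailed",
     "AuthenticationType": "AccountKey", "CallerIpAddress": "198.51.100.7", "ResponseBodySize": 0},
    {"OperationName": "ListBlobs", "StatusCode": 403, "StatusText": "AuthorizationFailure",
     "AuthenticationType": "OAuth", "CallerIpAddress": "198.51.100.7", "ResponseBodySize": 0},
    {"OperationName": "GetBlob", "StatusCode": 200, "StatusText": "Success",
     "AuthenticationType": "Anonymous", "CallerIpAddress": "203.0.113.9", "ResponseBodySize": 1024},
    {"OperationName": "GetBlob", "StatusCode": 200, "StatusText": "Success",
     "AuthenticationType": "OAuth", "CallerIpAddress": "10.0.0.4", "ResponseBodySize": 6 * 1024 ** 3},
    {"OperationName": "PutBlob", "StatusCode": 201, "StatusText": "Success",
     "AuthenticationType": "OAuth", "CallerIpAddress": "10.0.0.4", "ResponseBodySize": 0},
]

FAILURE_STATUSES = {"AuthenticationFailed", "AuthorizationFailure"}


def suspicious_activity(records, fail_threshold=3, egress_threshold=5 * 1024 ** 3):
    """Return findings as (kind, caller_ip, detail) tuples: repeated auth failures
    from one IP, anonymous or shared-key successes, and callers whose total
    downloaded bytes exceed egress_threshold."""
    failures = Counter()
    egress = defaultdict(int)
    findings = []
    for r in records:
        ip = r.get("CallerIpAddress", "unknown")
        if r.get("StatusText") in FAILURE_STATUSES:
            failures[ip] += 1
            continue
        if 200 <= int(r.get("StatusCode", 0)) < 300:
            auth = r.get("AuthenticationType")
            if auth == "Anonymous":          # public access that should be disabled
                findings.append(("anonymous-access", ip, r["OperationName"]))
            elif auth == "AccountKey":       # shared key still in use after disabling it
                findings.append(("shared-key-used", ip, r["OperationName"]))
            egress[ip] += int(r.get("ResponseBodySize", 0))
    for ip, count in failures.items():
        if count >= fail_threshold:
            findings.append(("auth-failure-burst", ip, count))
    for ip, total in egress.items():
        if total > egress_threshold:
            findings.append(("large-egress", ip, total))
    return findings
```

Export the rows from the Log Analytics workspace (or a KQL query) and feed them to suspicious_activity to prototype an alert rule before encoding it in Azure Monitor.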

Container and Blob Security

Public Access Prevention

Disable public blob access at the account level:

az storage account update \
  --name mystorageaccount \
  --resource-group myresourcegroup \
  --allow-blob-public-access false

Container-Level Security

Configure appropriate access levels for containers:

# Private container (no anonymous access)
az storage container create \
  --name privatecontainer \
  --account-name mystorageaccount \
  --public-access off

Immutable Storage

Implement immutable storage for compliance requirements. A newly created policy is unlocked and can still be changed or deleted; once validated, lock it with az storage container immutability-policy lock so the retention becomes enforceable:

# Time-based retention; --period is in days (2555 days is roughly 7 years)
az storage container immutability-policy create \
  --account-name mystorageaccount \
  --resource-group myresourcegroup \
  --container-name compliancecontainer \
  --period 2555

Advanced Security Features

Soft Delete Configuration

Enable blob soft delete so deleted blobs and snapshots can be recovered within the retention window:

az storage blob service-properties delete-policy update \
  --account-name mystorageaccount \
  --enable true \
  --days-retained 30

Versioning and Point-in-Time Restore

Configure versioning and point-in-time restore for data recovery. Point-in-time restore depends on versioning, change feed and blob soft delete all being enabled, and the restore window must be at least one day shorter than the soft delete retention period:

# Restore window is 29 days because soft delete retention above is 30 days
az storage account blob-service-properties update \
  --account-name mystorageaccount \
  --resource-group myresourcegroup \
  --enable-versioning true \
  --enable-change-feed true \
  --enable-restore-policy true \
  --restore-days 29

Compliance and Governance

Azure Policy Implementation

Use Azure Policy to enforce security standards. The following policy rule denies any storage account deployment that does not enable secure transfer:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      {
        "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
        "notEquals": "true"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

Resource Tags for Security

Implement consistent tagging for security governance:

az storage account update \
  --name mystorageaccount \
  --resource-group myresourcegroup \
  --tags Environment=Production \
         SecurityLevel=High \
         DataClassification=Confidential \
         Owner=security@company.com

Automated Security Validation

Manual configuration is error-prone and doesn't scale. Tools like FixMyCloud automatically scan Azure storage accounts for security misconfigurations, providing continuous compliance monitoring and detailed remediation guidance. This includes checking for disabled HTTPS enforcement, public access permissions, weak encryption settings, and network exposure risks.

Security Checklist

Essential Azure storage security configurations to validate:

  • ✓ HTTPS-only access enabled
  • ✓ Minimum TLS 1.2 enforced
  • ✓ Shared key access disabled
  • ✓ Azure AD authentication configured
  • ✓ Network access restricted
  • ✓ Private endpoints implemented
  • ✓ Customer-managed keys configured
  • ✓ Public blob access disabled
  • ✓ Diagnostic logging enabled
  • ✓ Soft delete configured
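As an added example (not part of the original guide or of any vendor tool), this Python script evaluates the checklist above against the JSON that az storage account show returns for an account. The sample document is constructed, and the camelCase field names (enableHttpsTrafficOnly, allowSharedKeyAccess, networkRuleSet.defaultAction, encryption.keySource, and so on) are assumed to match the CLI's output.

```python
import json

# Constructed sample in the shape of `az storage account show` output (camelCase
# field names assumed to match the CLI's output; the values are invented).
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "mystorageaccount",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0",
  "allowSharedKeyAccess": null,
  "allowBlobPublicAccess": false,
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [],
  "encryption": {"keySource": "Microsoft.Storage", "requireInfrastructureEncryption": false}
}
""")


def audit_storage_account(acct):
    """Return the checklist items that fail as (check, observed value) pairs.
    A null property means it was never set; that counts as failing because the
    platform default for these settings is the permissive one."""
    net = acct.get("networkRuleSet") or {}
    enc = acct.get("encryption") or {}
    checks = [
        ("https-only", acct.get("enableHttpsTrafficOnly"), lambda v: v is True),
        ("min-tls-1.2", acct.get("minimumTlsVersion"), lambda v: v in ("TLS1_2", "TLS1_3")),
        ("shared-key-disabled", acct.get("allowSharedKeyAccess"), lambda v: v is False),
        ("public-blob-access-disabled", acct.get("allowBlobPublicAccess"), lambda v: v is False),
        ("network-default-deny", net.get("defaultAction"), lambda v: v == "Deny"),
        ("private-endpoint", len(acct.get("privateEndpointConnections") or []), lambda v: v > 0),
        ("customer-managed-key", enc.get("keySource"), lambda v: v == "Microsoft.Keyvault"),
        ("infrastructure-encryption", enc.get("requireInfrastructureEncryption"), lambda v: v is True),
    ]
    return [(name, observed) for name, observed, passes in checks if not passes(observed)]


if __name__ == "__main__":
    import sys
    # Pipe `az storage account show -n <name> -g <rg>` into this script, or run
    # it with no input to audit the constructed sample.
    acct = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ACCOUNT
    for name, observed in audit_storage_account(acct):
        print(f"FAIL {name}: observed {observed!r}")
```

Diagnostic logging and soft delete are properties of the blob service rather than the account, so they need a separate az storage account blob-service-properties show call and are not covered here.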

Conclusion

Securing Azure storage accounts requires comprehensive configuration across multiple security domains. The configurations outlined in this guide provide a strong foundation for protecting your data assets. Remember that security is an ongoing process—regularly review and update your configurations as Azure introduces new features and your security requirements evolve.

Implement these controls systematically, test thoroughly in non-production environments, and consider automated compliance scanning to maintain security standards at scale.
