Storage account access keys are enabled
October 4, 2025
SYNOPSIS
Access keys allow access to a Storage Account using a shared secret that is not tied to any identity, so requests made with a key cannot be attributed to a person or workload and the key holder has full access to the account's data.
DESCRIPTION
Every request to the data plane of a Storage Account must be authorized. Storage Accounts support two methods: Microsoft Entra ID (previously Azure AD) identities, or local authentication. Local authentication uses the two account access keys and the account SAS or service SAS tokens signed with them. An access key grants full control of the data in the entire Storage Account, and anyone who obtains it (from source control, a leaked connection string or a compromised host) can use it until the key is rotated, without any sign-in being recorded against an identity.
Using Entra ID provides a single authoritative source of identity, which:
- Increases clarity and reduces security risks from human errors and configuration complexity.
- Allows permissions to be granted and scoped using role-based access control (RBAC), for example to a single container rather than the whole account.
- Provides support for advanced identity security and governance features, such as managed identities for workloads and sign-in logging and Conditional Access for users.
Disabling local authentication ensures that Entra ID is used exclusively for authorization. Any subsequent request authorized with an access key, or with an account SAS or service SAS (which are signed with an access key), is rejected. User delegation SAS tokens for Blob storage are signed with Entra ID credentials and continue to work. Disabling shared key access does not delete the keys; they can still be retrieved through the control plane, but are no longer accepted on the data plane. Before disabling keys, identify workloads that still depend on them, such as connection strings in application settings, Azure Files shares mounted with the account key and tools not yet configured for Entra ID, because those break immediately.
RECOMMENDATION
Consider disabling local authentication on Storage Accounts and instead use Entra ID.
EXAMPLES
Configure with Bicep
To deploy Storage Accounts that pass this rule:
- Set the properties.allowSharedKeyAccess property to false.
For example:
// Parameters assumed by the snippet, declared so it deploys as-is.
param name string
param location string = resourceGroup().location

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    // Reject access keys and any account/service SAS signed with them.
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}
Configure with Azure template
To deploy Storage Accounts that pass this rule:
- Set the properties.allowSharedKeyAccess property to false.
For example:
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}
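The Bicep and Azure template steps above both come down to one property, and the check has a trap: allowSharedKeyAccess is absent by default, and an absent value means keys are allowed, so only an explicit false passes. The following script is an added example (not part of the PSRule page or project) that audits a template for that condition. The sample template embedded in it is constructed for the example; the resource names and the Key Vault resource are placeholders. Because Bicep compiles to an equivalent ARM resource (az bicep build), the same check applies to Bicep output.

```python
"""Audit ARM template resources for Storage Accounts that still allow shared-key access.

Added example, not the PSRule project's own rule implementation. The sample
template below is constructed for this example.
"""
import json

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"

# Constructed sample: one compliant account, one that omits the property
# (which Azure treats as shared-key access ENABLED), one that sets it true,
# and an unrelated resource that the audit must skip.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": STORAGE_TYPE,
            "apiVersion": "2023-01-01",
            "name": "stgood",
            "location": "eastus",
            "sku": {"name": "Standard_GRS"},
            "kind": "StorageV2",
            "properties": {"allowSharedKeyAccess": False, "minimumTlsVersion": "TLS1_2"},
        },
        {
            "type": STORAGE_TYPE,
            "apiVersion": "2023-01-01",
            "name": "stdefault",
            "location": "eastus",
            "sku": {"name": "Standard_LRS"},
            "kind": "StorageV2",
            "properties": {"minimumTlsVersion": "TLS1_2"},
        },
        {
            "type": STORAGE_TYPE,
            "apiVersion": "2023-01-01",
            "name": "stexplicit",
            "location": "eastus",
            "sku": {"name": "Standard_LRS"},
            "kind": "StorageV2",
            "properties": {"allowSharedKeyAccess": True},
        },
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2023-02-01",
            "name": "kv1",
            "location": "eastus",
            "properties": {},
        },
    ],
})


def shared_key_access_enabled(resource: dict) -> bool:
    """True when the resource would accept access-key / SAS authorization.

    Only an explicit False disables shared key access; a missing property,
    null, or True all leave keys enabled.
    """
    props = resource.get("properties") or {}
    return props.get("allowSharedKeyAccess") is not False


def audit_template(template_json: str) -> list:
    """Return the names of storageAccounts resources that fail the rule."""
    template = json.loads(template_json)
    failing = []
    for resource in template.get("resources", []):
        # ARM resource types are compared case-insensitively.
        if str(resource.get("type", "")).lower() != STORAGE_TYPE.lower():
            continue
        if shared_key_access_enabled(resource):
            failing.append(resource["name"])
    return failing


if __name__ == "__main__":
    for name in audit_template(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: allowSharedKeyAccess is not false")
```

The audit only walks the top-level resources array; nested child resources or copy loops are not expanded. The same absent-means-enabled logic applies when auditing deployed accounts: the flattened output of az storage account list reports allowSharedKeyAccess as null for accounts that have never had the property set, and those accounts still accept keys.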