Several months ago I published this article, which discusses the problem of Azure services that use a public endpoint, together with the authentication options available for them. If companies do not understand these mechanics, they put their environment at risk. For Azure Storage Accounts a new feature is now in preview that allows you to address this problem even better.
Companies can now disable the access keys (Shared Key authorization) for storage accounts. For many cases where storage accounts are publicly exposed this is a good option because it forces consumers to authenticate with Azure AD identities to get access to the data, and those identities can be centrally managed in Azure AD. Rogue admins who left a company but still have the access keys at hand can no longer use them against publicly exposed storage accounts once their Azure AD accounts have been disabled.
Keep in mind that disabling the access keys makes account SAS and service SAS (Shared Access Signatures) unusable, because they are signed with the access keys. User delegation SAS tokens, which are signed with Azure AD credentials instead of a key, continue to work. It is therefore important to first analyze the exact requirements (applications, scripts and services that still authenticate with a key or a key-signed SAS) before the access keys are disabled.
Using Azure Resource Graph you can easily find out the current setting (the allowSharedKeyAccess property) of your storage accounts. The value is either null, true or false; null means the property has never been set, which is the default and behaves like true, i.e. Shared Key authorization is still allowed.
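The following PowerShell script is an added example, not code from the original post or from Microsoft. It walks through the whole procedure: an Azure Resource Graph inventory of the allowSharedKeyAccess setting (null, true or false), disabling Shared Key authorization on one account, verifying the result, and then showing the caveat from the previous paragraph in practice (Azure AD access and a user delegation SAS still work, a key-based context is rejected). It assumes the Az.Accounts, Az.ResourceGraph and Az.Storage modules, an existing Connect-AzAccount session, and that the resource group, account and container names (rg-storage-demo, stdemo0001, data) are placeholders you replace with your own.

```powershell
# Added example (not from the original post): inventory, disable and verify
# Shared Key authorization on Azure Storage Accounts with the Az modules.
# Placeholder names are assumptions; replace them with your own resources.

# 1. Inventory via Azure Resource Graph. allowSharedKeyAccess is null (never set,
#    behaves as allowed), true (allowed) or false (disabled).
$query = @"
resources
| where type =~ 'microsoft.storage/storageaccounts'
| extend sharedKeyAccess = tobool(properties.allowSharedKeyAccess)
| extend state = case(
    isnull(sharedKeyAccess), 'enabled (default, never set)',
    sharedKeyAccess == false, 'disabled',
    'enabled')
| project name, resourceGroup, subscriptionId, sharedKeyAccess, state
| order by name asc
"@
$inventory = Search-AzGraph -Query $query -First 1000
$inventory | Format-Table name, resourceGroup, state -AutoSize

# 2. Disable Shared Key authorization on a single account (placeholder names).
$rg   = 'rg-storage-demo'
$name = 'stdemo0001'
Set-AzStorageAccount -ResourceGroupName $rg -Name $name -AllowSharedKeyAccess $false | Out-Null

# 3. Verify the ARM property; AllowSharedKeyAccess must now be $false.
$account = Get-AzStorageAccount -ResourceGroupName $rg -Name $name
if ($account.AllowSharedKeyAccess -ne $false) {
    throw "Shared Key authorization is still allowed on $name"
}

# 4. Access with an Azure AD identity still works. -UseConnectedAccount builds an
#    OAuth context; the signed-in identity needs a data-plane role such as
#    Storage Blob Data Reader on the account (assumption).
$ctx = New-AzStorageContext -StorageAccountName $name -UseConnectedAccount
Get-AzStorageContainer -Context $ctx | Select-Object Name

# 5. SAS is not gone, only key-signed SAS is: with an OAuth context this cmdlet
#    issues a user delegation SAS, signed with Azure AD credentials, valid 1 hour.
#    'data' is a placeholder container name.
$sas = New-AzStorageContainerSASToken -Name 'data' -Permission rl `
         -ExpiryTime (Get-Date).AddHours(1) -Context $ctx
Write-Output "User delegation SAS: $sas"

# 6. The keys can still be listed, but a context built from one is now rejected
#    by the service (HTTP 403, KeyBasedAuthenticationNotPermitted) on its first request.
$key    = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $name)[0].Value
$keyCtx = New-AzStorageContext -StorageAccountName $name -StorageAccountKey $key
try {
    Get-AzStorageContainer -Context $keyCtx | Out-Null
    Write-Warning "Key-based request succeeded; the setting has not taken effect"
}
catch {
    Write-Output "Shared Key request rejected as expected: $($_.Exception.Message)"
}
```

Run step 1 on its own first and go through every account that reports "enabled" or "enabled (default, never set)"; step 6 is the quick way to confirm, per account, that a leftover key-signed SAS or connection string really stops working before you roll the setting out more widely.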
The feature is still in preview – do not use this in production until it is generally available. More details are available from the Azure Docs.