Hello Xindi Li,
Thank you for posting your query here!
Yes, you can disable the access key for an Azure storage account, even if it’s used for archiving diagnostic logs. However, you need to ensure that the diagnostic settings are properly configured to send the logs to the appropriate destinations.
Please note that disabling an access key will break any applications or services that are currently using it. Therefore, it’s recommended to update these applications or services to use the other key before disabling the current one.
Please refer to the following articles for further details:
Prevent authorization with Shared Key - Azure Storage | Microsoft Learn
https://blog.hametbenoit.info/2021/02/01/azure-you-can-now-disable-storage-account-access-keys-preview/
First, how do I choose the authentication method? The portal only asks me to select a storage account, but not whether to use access key or managed identity.
If you want to access your storage account and your diagnostic logs from the Azure portal, you don't need to choose the authentication method, as the portal will use your Azure AD credentials to access your storage account.
When you sign in to the Azure portal, you provide your Azure AD credentials (username and password) or use another authentication method like multi-factor authentication (MFA) if enabled. Once authenticated, your permissions to access and manage Azure resources, including storage accounts and diagnostic logs, are determined by the role assignments assigned to your Azure AD account. These role assignments are managed through RBAC in Azure.
When you navigate to a storage account in the Azure portal, you can view various settings and manage resources within the storage account based on your permissions. If you have appropriate permissions (such as Storage Account Contributor or higher), you can view and manage diagnostic logs and other resources within the storage account.
To access diagnostic logs within a storage account, you navigate to the "Monitoring" or "Diagnostic settings" section of the storage account in the Azure portal. From there, you can configure diagnostic settings, view logs, and perform other monitoring-related tasks based on your permissions.
However, if you want to access your storage account and your diagnostic logs from other tools or applications, such as Azure PowerShell, Azure CLI, or Azure Storage Explorer, you will need to choose the authentication method that suits your needs. You can use Azure AD or SAS tokens to access your storage account and your diagnostic logs.
Second, what does the "EntityGroupTransaction" API mean in the storage account metrics? It seems to be the only API that uses AccountKey. Will disabling access key affect this API?
The “EntityGroupTransaction” API is related to performing batch transactions on entities that are in the same table and belong to the same partition group in Azure Table Storage. Multiple Insert Entity, Update Entity, Merge Entity, Delete Entity, Insert Or Replace Entity, and Insert Or Merge Entity operations are supported within a single transaction. If you disable the access key for the storage account, Azure Storage will reject all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Microsoft Entra ID will succeed. Therefore, if the “EntityGroupTransaction” API is using the AccountKey for authorization, disabling the access key would affect this API.
Do let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
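A practical pre-check for the procedure the answer describes (find what still authorizes with the account key, and only then turn off Shared Key access), as an added example that is not part of the original Q&A or of any Microsoft tooling. It parses the JSON shape returned by `az monitor metrics list --metric Transactions --dimension Authentication ApiName` (that shape is assumed from the Azure Monitor metrics response; the sample embedded below is constructed, not real data), reports the APIs whose requests were authorized with `AccountKey`, and builds the `az storage account update --allow-shared-key-access false` command only when nothing key-based remains. The account and resource group names are placeholders.

```python
"""Readiness check before disabling Shared Key access on a storage account.

Added example, not from the original post. The metrics JSON layout below is
an assumption based on the Azure Monitor metrics response; the sample data is
constructed.
"""
import json
from collections import defaultdict

# Constructed sample: the Transactions metric split by the Authentication and
# ApiName dimensions. One series (EntityGroupTransaction) still uses the key,
# one uses OAuth (Microsoft Entra ID), and one key-based series carries no
# data points, which must not count as live usage.
SAMPLE_METRICS = json.dumps({
    "value": [{
        "name": {"value": "Transactions"},
        "timeseries": [
            {"metadatavalues": [
                {"name": {"value": "authentication"}, "value": "AccountKey"},
                {"name": {"value": "apiname"}, "value": "EntityGroupTransaction"}],
             "data": [{"timeStamp": "2024-05-01T00:00:00Z", "total": 12.0},
                      {"timeStamp": "2024-05-01T01:00:00Z", "total": 3.0}]},
            {"metadatavalues": [
                {"name": {"value": "authentication"}, "value": "OAuth"},
                {"name": {"value": "apiname"}, "value": "PutBlob"}],
             "data": [{"timeStamp": "2024-05-01T00:00:00Z", "total": 40.0}]},
            {"metadatavalues": [
                {"name": {"value": "authentication"}, "value": "AccountKey"},
                {"name": {"value": "apiname"}, "value": "GetBlob"}],
             "data": [{"timeStamp": "2024-05-01T00:00:00Z", "total": None}]},
        ],
    }],
})


def account_key_usage(metrics_json: str) -> dict:
    """Return {api_name: request_count} for every series authorized with AccountKey.

    Series with no data points (``total`` is null) are ignored, because Azure
    Monitor still emits the dimension combination even when nothing was counted.
    """
    usage = defaultdict(float)
    doc = json.loads(metrics_json)
    for metric in doc.get("value", []):
        for series in metric.get("timeseries", []):
            # Dimension names are compared case-insensitively; Azure returns them lower-cased.
            dims = {m["name"]["value"].lower(): m["value"]
                    for m in series.get("metadatavalues", [])}
            if dims.get("authentication") != "AccountKey":
                continue
            total = sum(point.get("total") or 0.0 for point in series.get("data", []))
            if total > 0:
                usage[dims.get("apiname", "<unknown>")] += total
    return dict(usage)


def disable_command(account: str, resource_group: str) -> str:
    """Azure CLI command that disallows Shared Key authorization on the account."""
    return (f"az storage account update --name {account} "
            f"--resource-group {resource_group} --allow-shared-key-access false")


def plan(metrics_json: str, account: str, resource_group: str) -> tuple:
    """Decide whether the account is ready to have Shared Key access disabled.

    Returns (True, command) when no API still relies on the account key, or
    (False, {api: count}) listing the callers that must be migrated first.
    """
    usage = account_key_usage(metrics_json)
    if usage:
        return (False, usage)
    return (True, disable_command(account, resource_group))


if __name__ == "__main__":
    # Placeholder names; substitute your own account and resource group.
    ready, detail = plan(SAMPLE_METRICS, "<storage-account>", "<resource-group>")
    if ready:
        print("No key-based callers found; run:", detail)
    else:
        print("Still authorized with AccountKey, migrate these first:", detail)
```

Query a window long enough to cover infrequent jobs (a month of hourly data is a reasonable floor) before trusting an empty result. Two caveats that the decision logic above does not encode: a SAS token that was signed with the account key is also rejected once Shared Key access is disabled (only a user delegation SAS, which is backed by Microsoft Entra ID, keeps working), and the `EntityGroupTransaction` series in the sample illustrates exactly the case in the question, where a Table Storage batch client needs to be switched to an Entra ID credential before the key is turned off.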