Manage storage account settings in the Azure portal
A variety of settings for your storage account are available in the Azure portal. This article describes some of these settings and how to use them.
Azure Storage supports authorization with Azure Active Directory for Blob storage and Queue storage via role-based access control (RBAC). For more information about authorization with Azure AD, see Authorize access to Azure blobs and queues using Azure Active Directory.
The Access control settings in the Azure portal offer a simple way to assign RBAC roles to users, groups, service principals, and managed identities. For more information about assigning RBAC roles, see Manage access rights to blob and queue data with RBAC.
Azure Storage supports Azure Resource Manager tags for organizing your Azure resources with a customized taxonomy. You can apply tags to your storage accounts so that you can group them within your subscription in a logical manner.
For storage accounts, a tag name is limited to 128 characters, and a tag value is limited to 256 characters.
For more information, see Use tags to organize your Azure resources.
When you create a storage account, Azure generates two 512-bit storage account access keys. These keys can be used to authorize access to your storage account via Shared Key. You can rotate and regenerate the keys without interruption to your applications, and Microsoft recommends that you do so regularly.
Your storage account key is similar to the root password for your storage account. Always be careful to protect your account key. Avoid distributing it to other users, hard-coding it, or saving it anywhere in plaintext that is accessible to others. Regenerate your account key using the Azure portal if you believe it may have been compromised.
SAS (shared access signature) tokens must be protected just like the account access keys. A SAS is more granular than an account key, but it still grants whoever holds it access to resources in your storage account, and it must never be shared publicly. When you need to share logs for troubleshooting, share a redacted copy with any SAS tokens removed (or delete the lines that contain them), and make sure that screenshots don't contain SAS information either.
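As an added example (not code from the original article), the following Python redacts the secrets this section warns about from log text before it is shared, and summarises what a SAS found in a log grants so the exposure can be assessed and the token revoked. The regular expressions, the sample log lines and the account name `contoso` are constructed for the example; the field names it reads (`sig`, `sp`, `se`, `sr`, `srt`, `ss`, `si`, `skoid`, `AccountKey`) are the real SAS and connection-string parameters.

```python
"""Redact Azure Storage secrets from log text and triage a SAS found in it.

Added example, not from the original article. Sample log lines and the
account name 'contoso' are constructed; the SAS/connection-string
parameter names are the real ones.
"""
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit

REDACTED = "REDACTED"

# 'sig' carries the HMAC that authorizes a SAS. The other parameters (sp, se,
# sr, ...) only describe the grant and are worth keeping for triage.
SAS_SIG_RE = re.compile(r"(?i)((?:^|[?&])sig=)[^&\s\"'<>]+")
# Shared Key secrets show up in connection strings as AccountKey=<base64>;...
ACCOUNT_KEY_RE = re.compile(r"(?i)(AccountKey=)[^;\s\"'<>]+")
# ...and in request traces as 'Authorization: SharedKey <account>:<signature>'.
SHARED_KEY_HDR_RE = re.compile(r"(?i)(SharedKey(?:Lite)?\s+[^:\s]+:)[^\s\"'<>]+")


def redact_secrets(text: str) -> str:
    """Mask SAS signatures, account keys and Shared Key signatures; keep everything else."""
    for pattern in (SAS_SIG_RE, ACCOUNT_KEY_RE, SHARED_KEY_HDR_RE):
        text = pattern.sub(lambda m: m.group(1) + REDACTED, text)
    return text


def parse_sas_time(value: str) -> datetime:
    """Parse the UTC ISO 8601 forms Azure accepts for st/se: a date, or a date-time ending in Z."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def describe_sas(url: str, now: Optional[datetime] = None) -> dict:
    """Summarise what a SAS URL grants so a leaked token can be risk-assessed and revoked.

    A token whose lifetime comes from a stored access policy (si) has no se of its own;
    it is reported with expires=None and is revoked by editing or deleting the policy.
    """
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    expiry = parse_sas_time(q["se"]) if "se" in q else None
    return {
        "account": parts.hostname.split(".")[0] if parts.hostname else None,
        "permissions": q.get("sp", ""),
        "resource": q.get("sr") or q.get("srt"),  # sr: service SAS, srt: account SAS
        "services": q.get("ss"),                   # account SAS only
        "policy": q.get("si"),
        "expires": expiry.isoformat() if expiry else None,
        "expired": expiry is not None and expiry <= now,
        "user_delegation": "skoid" in q,           # signed with Azure AD, not an account key
    }


# Constructed sample: a read-only service SAS on one blob, a connection string,
# and a Shared Key authorization header, as they might appear in an app log.
SAMPLE_SAS_URL = ("https://contoso.blob.core.windows.net/backups/db.bak"
                  "?sv=2020-08-04&sr=b&sp=r&se=2023-06-30T00:00:00Z&sig=qWx%2Fabc123%3D")
SAMPLE_LOG = (
    f"2023-06-01T10:00:00Z GET {SAMPLE_SAS_URL} 200\n"
    "2023-06-01T10:00:01Z connect DefaultEndpointsProtocol=https;AccountName=contoso;"
    "AccountKey=ZmFrZWtleTAwMDA=;EndpointSuffix=core.windows.net\n"
    "2023-06-01T10:00:02Z PUT /backups/db.bak Authorization: SharedKey contoso:Tm90QVJlYWxTaWduYXR1cmU=\n"
)
# Time at which the leaked log was reviewed (constructed).
INCIDENT_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(redact_secrets(SAMPLE_LOG))
    print(describe_sas(SAMPLE_SAS_URL, now=INCIDENT_TIME))
```

Redaction keeps the non-secret SAS parameters on purpose: `sp`, `se` and `sr` tell the person reading the log what the token could do without letting them use it. If a leaked SAS is still valid, the only way to revoke one signed with an account key is to regenerate that key (or edit the stored access policy it references), which is covered under regenerating access keys below.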
Azure Storage supports authorizing requests to Blob and Queue storage using Azure Active Directory (Azure AD). Authorizing users or applications with an OAuth 2.0 token returned by Azure AD provides superior security and ease of use over Shared Key authorization. With Azure AD, there is no need to store the account access key with your code, so there is no key to leak.
Additionally, Azure Storage supports the user delegation shared access signature (SAS) for Blob storage. The user delegation SAS is signed with Azure AD credentials. When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS for superior security.
Microsoft recommends using Azure AD with your Azure Storage applications when possible. For more information, see Authorize access to Azure blobs and queues using Azure Active Directory.
View account keys and connection string
To view and copy your storage account access keys or connection string from the Azure portal:
- Navigate to the Azure portal.
- Locate your storage account.
- In the Settings section of the storage account overview, select Access keys. Your account access keys appear, as well as the complete connection string for each key.
- Find the Key value under key1, and click the Copy button to copy the account key.
- Alternately, you can copy the entire connection string. Find the Connection string value under key1, and click the Copy button to copy the connection string.
Azure accepts requests authorized with either key. In general it's good practice to use the first key (key1) for normal operation and reserve the second key (key2) for when you are rotating keys.
Regenerate access keys
Microsoft recommends that you regenerate your access keys periodically to help keep your storage account secure. Two access keys are assigned so that you can rotate your keys. When you rotate your keys, you ensure that your application maintains access to Azure Storage throughout the process.
Regenerating an access key invalidates the old value immediately, so any application or Azure service that still uses it loses access. Every client that uses the account key to access the storage account must be updated to use the new key, including media services, cloud, desktop and mobile applications, and graphical user interface tools for Azure Storage, such as Azure Storage Explorer. Regenerating a key also invalidates any account SAS or service SAS that was signed with that key; a user delegation SAS, which is signed with Azure AD credentials rather than an account key, is not affected.
Follow this process to rotate your storage account keys:
- Update the connection strings in your application code to use the secondary key (key2), and confirm that every client has picked up the change before continuing.
- Regenerate the primary access key (key1). On the Access keys blade in the Azure portal, click Regenerate Key1, and then click Yes to confirm that you want to generate a new key. Because no client is using key1 at this point, nothing loses access.
- Update the connection strings in your code to reference the new primary access key (key1).
- Regenerate the secondary access key (key2) in the same manner, so that the old secondary value is retired as well.
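The rotation sequence above, as an added example that is not code from the original article. The control plane and the data plane are simulated in memory so that it runs offline: `list_keys` and `regenerate_key` stand in for the two management operations (in the Azure CLI, `az storage account keys list` and `az storage account keys renew --key primary|secondary`), and `accepts` mirrors the real service behaviour that a Shared Key request is valid when its signature matches either of the account's two keys. The class and function names are illustrative, not SDK names, and the string-to-sign is a trimmed-down stand-in for the real canonical request.

```python
"""Zero-downtime rotation of Azure Storage account access keys.

Added example, not from the original article. Azure's control plane and a
Shared Key-authorized data-plane request are simulated in memory; names
here are illustrative and are not SDK names.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List


def new_account_key() -> str:
    """Azure generates 512-bit keys and presents them base64-encoded."""
    return base64.b64encode(os.urandom(64)).decode()


def sign_request(account_key: str, string_to_sign: str) -> str:
    """Shared Key signature: base64(HMAC-SHA256(base64decode(key), string_to_sign))."""
    mac = hmac.new(base64.b64decode(account_key), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


class SimulatedStorageAccount:
    """Stands in for the management API (list/regenerate keys) and for the service
    that validates Shared Key requests (simulation, not the Azure SDK)."""

    def __init__(self) -> None:
        self.keys: Dict[str, str] = {"key1": new_account_key(), "key2": new_account_key()}

    def list_keys(self) -> Dict[str, str]:
        return dict(self.keys)

    def regenerate_key(self, key_name: str) -> Dict[str, str]:
        # The old value stops working immediately; anything still signing with it fails.
        self.keys[key_name] = new_account_key()
        return dict(self.keys)

    def accepts(self, string_to_sign: str, signature: str) -> bool:
        # The service recomputes the HMAC and accepts a match against EITHER key.
        # This is what makes rotation seamless: one key can be retired while
        # every client is on the other one.
        return any(hmac.compare_digest(sign_request(k, string_to_sign), signature)
                   for k in self.keys.values())


class Client:
    """An application holding one account key, e.g. from its connection string."""

    def __init__(self, name: str, account_key: str) -> None:
        self.name, self.account_key = name, account_key

    def can_read(self, account: SimulatedStorageAccount) -> bool:
        string_to_sign = "GET\n\n/contoso/container/blob"  # trimmed-down canonical request
        return account.accepts(string_to_sign, sign_request(self.account_key, string_to_sign))


def rotate_keys(account: SimulatedStorageAccount, clients: List[Client]) -> List[str]:
    """The four-step rotation from the article; returns the steps after which every client still worked."""
    passed: List[str] = []

    def check(step: str) -> None:
        if all(c.can_read(account) for c in clients):
            passed.append(step)

    # 1. Point every client at the secondary key so key1 is no longer in use.
    for c in clients:
        c.account_key = account.list_keys()["key2"]
    check("clients on key2")
    # 2. Regenerate key1. Nothing is signing with it, so no client loses access.
    account.regenerate_key("key1")
    check("key1 regenerated")
    # 3. Move clients to the new key1.
    for c in clients:
        c.account_key = account.list_keys()["key1"]
    check("clients on new key1")
    # 4. Regenerate key2 so the old secondary value is retired as well.
    account.regenerate_key("key2")
    check("key2 regenerated")
    return passed


def rotate_without_switching(account: SimulatedStorageAccount, clients: List[Client]) -> bool:
    """The failure mode: regenerating the key the clients still hold locks them out."""
    account.regenerate_key("key1")
    return all(c.can_read(account) for c in clients)


if __name__ == "__main__":
    acct = SimulatedStorageAccount()
    apps = [Client("api", acct.list_keys()["key1"]), Client("worker", acct.list_keys()["key1"])]
    print("steps that kept every client working:", rotate_keys(acct, apps))
```

The ordering matters because of the invariant the simulation enforces at each step: the key being regenerated is held by no client. That is only achievable because the service honours both keys, and it is why the article reserves key2 for rotation rather than treating it as a spare for everyday use. The second function shows what happens when the step is skipped: regenerating key1 while clients still sign with it fails every request.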
After you create a storage account, you can modify its configuration. For example, you can change how your data is replicated, or change the account's access tier from Hot to Cool. In the Azure portal, navigate to your storage account, then click Configuration under Settings to view or change the account configuration.
Changing the storage account configuration may result in added costs. For more details, see the Azure Storage Pricing page.
Delete a storage account
To remove a storage account that you are no longer using, navigate to the storage account in the Azure portal, and click Delete. Deleting a storage account deletes the entire account, including all data in the account.
It's not possible to restore a deleted storage account or retrieve any of the content that it contained before deletion. Be sure to back up anything you want to save before you delete the account. This also holds true for any resources in the account—once you delete a blob, table, queue, or file, it is permanently deleted.
If you try to delete a storage account associated with an Azure virtual machine, you may get an error about the storage account still being in use. For help troubleshooting this error, please see Troubleshoot errors when you delete storage accounts.