Lab 01 – Storage Accounts

Objectives

Prerequisites

Estimated time

40 minutes

---

Part 1 – Create the resource group and storage account

Step 1: Create resource group

  1. Search for Resource groups > Create
  2. Name: rg-az104-lab04, Region: East US
  3. Review + create > Create

Step 2: Create storage account

  1. Search for Storage accounts > Create
  2. Basics tab:

- Resource group: rg-az104-lab04

- Storage account name: stoaz104lab (3–24 chars, lowercase + numbers only)

- Region: East US

- Performance: Standard

- Redundancy: Locally-redundant storage (LRS)

  1. Leave Advanced defaults (StorageV2, Hot tier)
  2. Review + create > Create

important

Storage account names must be GLOBALLY unique across all Azure customers. If your first choice is taken, add numbers until it's unique.

---

Part 2 – Explore redundancy & performance options

Understanding Redundancy

| Option | Copies | Locations | Cost | Best For |

|--------|--------|-----------|------|----------|

| LRS | 3 | 1 Datacenter | $$$ | Dev/Test |

| ZRS | 3 | 3 AZs (1 region) | $$$$ | Production (regional) |

| GRS | 6 | 2 Regions | $$$$$ | Disaster recovery |

Step 1: View redundancy options

  1. Open the storage account > Redundancy (under Data management)
  2. Note the options: LRS, ZRS, GRS, GZRS, RA-GRS, RA-GZRS
  3. Observe that changing redundancy is easy, but note the cost implications

Step 2: Understand performance tiers

  1. Go to Configuration > Access tier

- Hot: Frequent access (cheapest storage, expensive per-operation)

- Cool: Infrequent access (cheaper per-operation, expensive storage)

- Archive: Long-term (cheapest storage, slow retrieval)

ℹ️

tip

Changing access tier between Hot/Cool is free and instant. Archive requires rehydration (24-48 hours).

---

Part 3 – Containers, blobs, queues, tables, file shares

Step 1: Create and upload to blob container

  1. Open the storage account > Containers (under Data storage)
  2. Select + Container, name: demo-container, Public access level: Private
  3. Open demo-container > Upload
  4. Create a small text file locally (e.g., sample.txt with text "hello az104")
  5. Upload it to the container
⚠️

warning

Setting Public access to "Blob" or "Container" allows anonymous download. Only do this for non-sensitive data.

Step 2: Create queue and table

  1. Queues (under Data storage) > + Queue, name: demo-queue
  2. Tables (under Data storage) > + Table, name: demotable
ℹ️

tip

Queues = async messaging. Tables = NoSQL key-value store. File Shares = SMB protocol (like network drives).

Step 3: Create file share

  1. File shares (under Data storage) > + File share

- Name: demo-share

- Quota: 5 GiB

- Tier: Transaction optimized

  1. Create

---

Part 4 – Access keys vs SAS vs Microsoft Entra authorization

Access Patterns

| Method | Security | Use Case |

|--------|----------|----------|

| Access Keys | Full admin | Internal apps only |

| SAS | Time-limited | Temporary external access |

| Entra ID | Role-based | Production (recommended) |

Step 1: View Access Keys

  1. Access keys (under Security + networking)
  2. Note: two keys (key1, key2) for rotation without downtime

important

Never commit access keys to GitHub. Always rotate keys when they're exposed.

Step 2: Generate SAS token

  1. Shared Access Signature (under Security + networking)
  2. Allowed services: Blob
  3. Allowed resource types: Container, Object
  4. Allowed permissions: Read
  5. Start and expiry time: set expiry to 1 hour from now
  6. Allowed protocols: HTTPS only
  7. Select Generate SAS and connection string
  8. Copy the Blob SAS URL

Step 3: Test SAS access

  1. Construct the full URL: 
https://<account>.blob.core.windows.net/demo-container/sample.txt?<sas-token>

``


  1. Open in browser—you should download sample.txt

    2. 

  2. After 1 hour, this URL will expire and access will fail




> Tip: SAS tokens are great for temporary sharing. Generate new ones for each user/device to minimize blast radius if leaked.



<h3 id="step-4-test-entra-id-access-">Step 4: Test Entra ID access
</h3>



  1. Go to the storage account > <strong>Access control (IAM)</strong> > <strong>Add role assignment</strong>

    2. 

  2. <strong>Role</strong>: <strong>Storage Blob Data Reader</strong>

    3. 

  3. <strong>Assign to</strong>: your user account

    4. 

  4. Open <strong>Containers</strong> > demo-container

    5. 

  5. In the top toolbar, switch <strong>Authentication method</strong> from <strong>Access key</strong> to <strong>Microsoft Entra user account</strong>

    6. 

  6. Confirm you can still view sample.txt




> Important: This uses your Entra identity + RBAC instead of account keys. This is the most secure approach for production.



---



<h2 id="part-5-network-rules-">Part 5 – Network rules
</h2>



<h3 id="restricting-access-">Restricting Access
</h3>



> Warning: Network rules can lock you out if misconfigured. Always test before deploying to production.



<h3 id="step-1-enable-network-rules-">Step 1: Enable network rules
</h3>



  1. <strong>Networking</strong> (under <strong>Security + networking</strong>)

    2. 

  2. <strong>Public network access</strong>: select <strong>Enabled from selected virtual networks and IP addresses</strong>

    3. 

  3. Under <strong>Firewall</strong>, select <strong>Add your client IP address</strong> to allow-list your current IP

    4. 

  4. <strong>Save</strong>




<h3 id="step-2-test-the-restriction-">Step 2: Test the restriction
</h3>



  1. Confirm you can still access the storage account (you're on the allow-list)

    2. 

  2. Try accessing from a different network/VPN (should fail with 403 Forbidden)

    3. 

  3. Observe that having the access key alone is NOT enough—network rules now take precedence




> Tip: In production, use Service Endpoints or Private Endpoints instead of IP ranges for more security.



<h3 id="step-3-revert-for-simplicity-">Step 3: Revert for simplicity
</h3>



  1. Go back to <strong>Networking</strong> > <strong>Public network access</strong>: <strong>Enable from all networks</strong>

    2. 

  2. <strong>Save</strong> (to not interfere with other labs)




---



<h2 id="part-6-copy-data-with-storage-browser-">Part 6 – Copy data with Storage browser
</h2>



<h3 id="step-1-copy-blob-between-containers-">Step 1: Copy blob between containers
</h3>



  1. <strong>Storage browser</strong> > <strong>Blob containers</strong> > demo-container > select sample.txt

    2. 

  2. <strong>Copy</strong>

    3. 

  3. Create a new container demo-container-2 (or navigate to an existing empty one)

    4. 

  4. <strong>Paste</strong>—the blob is now copied




> Tip: This is the Portal equivalent of azcopy. For large data migrations, use AzCopy CLI for speed.



<h3 id="step-2-download-and-upload-">Step 2: Download and upload
</h3>



  1. Select sample.txt > <strong>Download</strong> (pulls to your local machine)

    2. 

  2. Modify the file locally

    3. 

  3. Go back to <strong>Upload</strong> > upload the modified file

    4. 

  4. Confirm the updated file is in the container




---



<h2 id="success-criteria-">Success Criteria
</h2>



✓ Storage account created with StorageV2, LRS, Hot tier


✓ Container, queue, table, and file share all exist


✓ SAS URL grants time-limited read access to blob


✓ Entra ID authentication works (view blob with your user account)


✓ Network rule restricts access to allow-listed IPs


✓ Blob successfully copied between containers



---



<h2 id="cleanup-if-needed-">Cleanup (If Needed)
</h2>
powershell

Delete storage account (includes all containers, blobs, queues, tables)

Remove-AzStorageAccount -ResourceGroupName "rg-az104-lab04" -Name "stoaz104lab" -Force

Delete resource group

Remove-AzResourceGroup -Name "rg-az104-lab04" -Force

``

---

Key Takeaways

---

Next Steps

Proceed to Lab 02 to learn about blob security and lifecycle management.