Storage account access keys are enabled

Security · Storage Account · Rule · 2025_09 · Important

Access keys allow depersonalized access to Storage Accounts using a shared secret.

Description

Every request to a Storage Account resource must be authenticated. Storage Accounts support authenticating requests using either Entra ID (previously Azure AD) identities or local authentication. Local authentication uses access keys and SAS tokens, which are granted permissions to the entire Storage Account rather than to an individual identity.

Using Entra ID provides consistency as a single authoritative source which:

  • Increases clarity and reduces security risks from human errors and configuration complexity.
  • Allows granting of permissions using role-based access control (RBAC).
  • Provides support for advanced identity security and governance features.

Disabling local authentication ensures that Entra ID is used exclusively for authentication. Any subsequent requests to the resource using access keys or SAS tokens will be rejected.

Recommendation

Consider disabling local authentication on Storage Accounts and using Entra ID instead.

Examples

Configure with Bicep

To deploy Storage Accounts that pass this rule:

  • Set the properties.allowSharedKeyAccess property to false.

For example:

Azure Bicep snippet:

```bicep
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_GRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    accessTier: 'Hot'
    allowSharedKeyAccess: false
    networkAcls: {
      defaultAction: 'Deny'
    }
  }
}
```

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/storage/storage-account:<version>

To use the latest version:

br/public:avm/res/storage/storage-account:0.9.1

Configure with Azure template

To deploy Storage Accounts that pass this rule:

  • Set the properties.allowSharedKeyAccess property to false.

For example:

Azure Template snippet:

```json
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "accessTier": "Hot",
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "defaultAction": "Deny"
    }
  }
}
```
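As an added example (not code from the PSRule documentation or from the rule itself), the following Python check applies this rule's logic to the resources of an ARM template before deployment. The template content is constructed for the example; the check treats a missing `allowSharedKeyAccess` as enabled, because that is the service default, and an unresolved template expression as non-compliant.

```python
"""Flag Storage Account resources in an ARM template that still allow shared-key access."""
import json

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"

# Constructed sample template (not from the page): one compliant account, one that
# explicitly enables keys, one that omits the property, and one unrelated child resource.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": STORAGE_TYPE, "name": "stcompliant",
         "properties": {"allowSharedKeyAccess": False}},
        {"type": STORAGE_TYPE, "name": "stkeysenabled",
         "properties": {"allowSharedKeyAccess": True}},
        {"type": STORAGE_TYPE, "name": "stdefault", "properties": {}},
        {"type": "Microsoft.Storage/storageAccounts/blobServices",
         "name": "stcompliant/default", "properties": {}},
    ]
})


def shared_key_access_enabled(resource: dict) -> bool:
    """Return True when the account would accept access keys and account SAS tokens.

    A missing property means the service default (enabled) applies. A string value is
    an ARM expression such as "[parameters('x')]" that cannot be resolved statically,
    so it is reported as enabled rather than silently passed.
    """
    value = (resource.get("properties") or {}).get("allowSharedKeyAccess")
    if isinstance(value, bool):
        return value
    return True


def find_storage_accounts_with_shared_key(template_json: str) -> list[str]:
    """Names of top-level storage account resources that fail the rule."""
    template = json.loads(template_json)
    return [
        r.get("name", "<unnamed>")
        for r in template.get("resources", [])
        # Resource type comparison is case-insensitive in ARM; only the account itself
        # carries the property, so child resources like blobServices are skipped.
        if r.get("type", "").lower() == STORAGE_TYPE.lower()
        and shared_key_access_enabled(r)
    ]


if __name__ == "__main__":
    for name in find_storage_accounts_with_shared_key(SAMPLE_TEMPLATE):
        print(f"FAIL: {name} allows shared-key access (set allowSharedKeyAccess: false)")
```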
