
How Do I Disable Azure Storage Shared Key?

Published Aug 29, 2025

You can disable Azure storage shared key access by navigating to the Configuration settings of your storage account in the Azure portal and setting Allow storage account key access to Disabled. This forces all requests to use more secure, identity-based authorization with Microsoft Entra ID (formerly Azure Active Directory).

Detailed steps to disable shared key access

Before you begin: Critical considerations

Disabling shared key access is a significant security enhancement, but it will break any applications or services that rely on the storage account's primary or secondary keys for authentication. Before proceeding, you must:

  1. Migrate applications to Microsoft Entra ID: Identify all client applications, tools, and services that access the storage account. Update them to use a Microsoft Entra ID identity, such as a user account, service principal, or managed identity.
  2. Use monitoring to confirm migration: Use Azure Metrics Explorer to track the authentication type of requests over a period of time. You can filter the Transactions metric by the Authentication property to see requests made with Account Key or SAS. Wait until these requests have stopped before disabling the keys.
  3. Use Azure Policy to enforce the setting: For a comprehensive security strategy, assign the built-in policy Storage accounts should prevent shared key access. This can be set to Audit initially to find non-compliant accounts, and then to Deny to prevent new storage accounts from being created with shared key access enabled.
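
Step 2 above is where migrations stall, because a single forgotten backup job or CI runner still using the account key only shows up once you look at who is sending key-authorized requests. The following Python script is an added example (not code from the original article) that triages exported request log records by their authentication type and produces a worklist of callers that still depend on the keys. The records are constructed to resemble Azure Storage resource logs; the field names (AuthenticationType, CallerIpAddress, UserAgent, OperationName) and the type values (OAuth, AccountKey, SAS) are assumptions about the log schema, so map them to whatever your Log Analytics export actually contains.

```python
"""Triage Azure Storage request logs by authentication type before disabling
shared key access.

Added example, not from the original article. The records below are constructed
to resemble Azure Storage resource logs; field names and the AuthenticationType
values are assumptions about the log schema.
"""
import json
from collections import Counter, defaultdict

# Authentication types that depend on the storage account keys. Once
# "Allow storage account key access" is Disabled these requests return 403.
KEY_DEPENDENT = {"accountkey", "sas"}
# Types that keep working after the change (Microsoft Entra ID / OAuth).
IDENTITY_BASED = {"oauth"}

# Constructed sample: one JSON record per line, as exported from Log Analytics.
# The last two lines exercise the edge cases: a record with no auth type and a
# line that is not JSON at all.
SAMPLE_LOG = """\
{"TimeGenerated":"2025-08-20T10:00:01Z","AuthenticationType":"OAuth","CallerIpAddress":"10.0.1.4","UserAgent":"azsdk-python-storage-blob/12.19.0","OperationName":"GetBlob"}
{"TimeGenerated":"2025-08-20T10:00:05Z","AuthenticationType":"AccountKey","CallerIpAddress":"10.0.2.9","UserAgent":"legacy-backup-agent/1.2","OperationName":"PutBlob"}
{"TimeGenerated":"2025-08-20T10:00:07Z","AuthenticationType":"SAS","CallerIpAddress":"203.0.113.7","UserAgent":"AzCopy/10.21","OperationName":"GetBlob"}
{"TimeGenerated":"2025-08-20T10:00:09Z","AuthenticationType":"OAuth","CallerIpAddress":"10.0.1.4","UserAgent":"azsdk-python-storage-blob/12.19.0","OperationName":"ListBlobs"}
{"TimeGenerated":"2025-08-20T10:00:12Z","CallerIpAddress":"10.0.3.3","UserAgent":"curl/8.4.0","OperationName":"GetBlob"}
not json at all
"""


def parse_records(text):
    """Yield parsed JSON records, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def triage(text):
    """Summarise requests by authentication type and list callers still using keys.

    Returns a dict with per-type counts, a worklist of (UserAgent, CallerIpAddress)
    pairs that must migrate (most requests first), the number of records whose
    auth type was missing or unrecognised, and a boolean 'ready' that is True
    only when no key-dependent requests were seen in the window.
    """
    counts = Counter()
    worklist = defaultdict(int)
    unknown = 0
    for rec in parse_records(text):
        auth = str(rec.get("AuthenticationType", "")).lower()
        if auth in KEY_DEPENDENT:
            counts[auth] += 1
            worklist[(rec.get("UserAgent", "?"), rec.get("CallerIpAddress", "?"))] += 1
        elif auth in IDENTITY_BASED:
            counts[auth] += 1
        else:
            # Missing or unrecognised type: never assume it has been migrated.
            unknown += 1
    return {
        "counts": dict(counts),
        "worklist": sorted(worklist.items(), key=lambda kv: -kv[1]),
        "unknown": unknown,
        "ready": sum(counts[t] for t in KEY_DEPENDENT) == 0,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it over a full retention window, not a single day: batch jobs that run weekly or monthly are exactly the callers that an `Account Key` filter in Metrics Explorer over a short period will miss. Records with no recognisable authentication type are counted separately and keep `ready` honest rather than being silently treated as migrated.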

Method 1: Using the Azure portal

  1. Navigate to your storage account: In the Azure portal, find and select the storage account you wish to configure.
  2. Go to Configuration settings: In the left-hand navigation menu for the storage account, find and select Configuration under the Settings section.
  3. Disable the access: Find the setting named Allow storage account key access and set it to Disabled.
  4. Save your changes: Click Save at the top of the page to apply the setting. After this, any new requests using the shared key will fail with a 403 (Forbidden) error.

Method 2: Using Azure CLI

If you prefer to use the command line, you can update the storage account with the following command:

az storage account update --name <storage-account-name> --resource-group <resource-group-name> --allow-shared-key-access false


Method 3: Using Azure PowerShell

For PowerShell users, you can use the Set-AzStorageAccount command to update the property:

Set-AzStorageAccount -ResourceGroupName <resource-group-name> `
  -AccountName <storage-account-name> `
  -AllowSharedKeyAccess $false


Authorization after disabling shared keys

Once shared key access is disabled, all clients must use an identity-based authorization model. This shifts your security posture from a single, long-lived secret to identity-based authorization that is far more granular and auditable.

Supported authorization methods:

  • Microsoft Entra ID: Use Azure role-based access control (RBAC) to grant specific permissions to a user, group, service principal, or managed identity.
  • User Delegation Shared Access Signatures (SAS): For scenarios that require temporary, scoped access, you can generate a User Delegation SAS. This token is signed with a Microsoft Entra ID credential, not the account keys, and has a maximum validity of 7 days for enhanced security.
  • Storage Access Signatures (SAS) signed by a key vault key: While not a common option, it is possible to use a key from Azure Key Vault to sign SAS tokens.

Unauthorized methods:

  • Shared Key Authorization: Any client that attempts to authenticate using the storage account's primary or secondary keys will be rejected.
  • Account SAS and Service SAS tokens signed with account keys: All existing Shared Access Signature tokens that were signed with the storage account's primary or secondary keys will become invalid.
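
SAS URLs embedded in application settings, pipeline variables and scripts are the usual casualties of this change, and the token itself tells you which kind it is. A user delegation SAS carries the signed-key parameters (skoid, sktid, skt, ske, sks, skv) that identify the Microsoft Entra ID credential it was issued under; an account SAS carries ss and srt (signed services and resource types); a service SAS has neither. The following Python script is an added example (not code from the original article) that classifies SAS URLs on that basis and flags the ones that will stop working. The sample URLs are constructed and the sig values are placeholders, not real signatures; the 7-day check applies the maximum validity stated above to the skt/ske window.

```python
"""Classify Azure Storage SAS tokens: will they survive disabling shared key
access?

Added example, not from the original article. Sample URLs are constructed and
the sig values are placeholders, not real signatures.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_USER_DELEGATION_LIFETIME = timedelta(days=7)

# Parameters that only appear on a user delegation SAS (signed with a user
# delegation key obtained with an Entra ID credential). Account SAS and
# service SAS, both signed with the account key, lack all of them.
USER_DELEGATION_KEY_PARAMS = {"skoid", "sktid", "skt", "ske", "sks", "skv"}

# Constructed samples; "sig" values are placeholders.
SAMPLES = {
    "user_delegation": (
        "https://example.blob.core.windows.net/data/report.csv?sv=2022-11-02&sr=b&sp=r"
        "&st=2025-08-20T10:00:00Z&se=2025-08-21T10:00:00Z"
        "&skoid=00000000-0000-0000-0000-000000000001&sktid=00000000-0000-0000-0000-000000000002"
        "&skt=2025-08-20T09:00:00Z&ske=2025-08-22T09:00:00Z&sks=b&skv=2022-11-02&sig=PLACEHOLDER"
    ),
    "account": (
        "https://example.blob.core.windows.net/?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup"
        "&se=2026-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER"
    ),
    "service": (
        "https://example.blob.core.windows.net/data/report.csv?sv=2022-11-02&sr=b&sp=r"
        "&se=2025-09-01T00:00:00Z&sig=PLACEHOLDER"
    ),
    "no_sas": "https://example.blob.core.windows.net/data/report.csv",
}


def _parse_time(value):
    # SAS timestamps are ISO 8601 UTC, e.g. 2025-08-20T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_sas(url):
    """Return (kind, survives, note) for a URL.

    kind is 'user-delegation', 'account', 'service' or 'none'. survives is True
    only for a user delegation SAS within its 7-day maximum validity, because
    account and service SAS are signed with the account key and are rejected
    once shared key access is disabled.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params:
        return ("none", True, "no SAS signature present; authorization comes from elsewhere")
    if USER_DELEGATION_KEY_PARAMS.issubset(params):
        note = "signed with a user delegation key"
        try:
            lifetime = _parse_time(params["ske"]) - _parse_time(params["skt"])
        except ValueError:
            return ("user-delegation", True, note + "; key validity window could not be parsed")
        if lifetime > MAX_USER_DELEGATION_LIFETIME:
            return ("user-delegation", False, note + "; key window exceeds the 7-day maximum validity")
        return ("user-delegation", True, note)
    if "ss" in params and "srt" in params:
        return ("account", False, "account SAS signed with the account key; will be rejected")
    return ("service", False, "service SAS signed with the account key; will be rejected")


def audit(urls):
    """Classify every labelled URL; useful when scanning exported app settings."""
    return {label: classify_sas(u) for label, u in urls.items()}


if __name__ == "__main__":
    for label, (kind, survives, note) in audit(SAMPLES).items():
        print(f"{label:16} {kind:16} survives={survives!s:5} {note}")
```

The classification is structural, so it works on tokens you cannot (and should not) validate against the account key. Anything reported as account or service SAS needs to be reissued as a user delegation SAS or replaced by an RBAC role assignment for the caller's identity before you flip the setting.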

Managing exceptions with Azure Policy

In some cases, you may need a temporary exception for a specific storage account to allow shared key access.

  1. Create a Policy Exemption: In the Azure portal, navigate to the policy assignment you created to enforce the disabling of shared key access.
  2. Add Exemption: Under the Assignments blade of Azure Policy, select your policy and choose Exemptions.
  3. Configure the Exemption: Provide a name, a scope (e.g., the specific resource group or storage account), and a justification for the exemption. This is a critical step for maintaining a secure and auditable record of exceptions to your security policies.