Learning Objectives
By the end of this chapter, you will be able to:
- Configure access to storage.
- Configure and manage storage accounts.
- Configure Azure Files and Azure Blob Storage.
Executive Summary
- Azure storage access is controlled through multiple independent mechanisms (account keys, shared access signatures, Azure RBAC, network rules, and encryption) that layer on top of each other; the exam tests whether you understand which mechanism to apply in a given scenario and how they interact.
- A storage account is the top-level container for all Azure storage services; its settings for redundancy, performance tier, and account kind constrain every service inside it and cannot always be changed after creation.
- Shared access signatures (SAS) come in three distinct types (account, service, and user delegation), and the exam expects you to know which type supports Azure AD-based authentication, which can be revoked, and which requires a stored access policy.
- Azure Files provides fully managed SMB and NFS file shares in the cloud, while Azure Blob Storage provides massively scalable object storage with three blob types (block, append, page) and four access tiers (Hot, Cool, Cold, Archive); understanding the specific capabilities and limits of each is essential for exam success.
Assumptions
- All examples use the Azure global cloud. Azure Government and Azure China may have different endpoint suffixes and feature availability.
- CLI examples assume Azure CLI version 2.x. PowerShell examples assume the Az module.
- When both classic and Azure Resource Manager deployment models exist for a feature, only the Resource Manager model is covered.
- Terms defined in Chapter 1 (such as Azure RBAC, role assignment, security principal, role definition, scope, managed identity, service principal, subscription, resource group, management plane, data plane, DataActions) are used here with the meanings established there.
