How to Safely Disable SAS Key Access in Azure Storage Accounts (Covering Real-World Scenarios)- Part 1
Learn how to safely disable SAS key access in Azure Storage Accounts using real-time scenarios. This guide explains risks, mitigation steps, Blob and File Share strategies, KQL analysis, and best practices aligned with Microsoft’s recommended security model.
Table of Contents
Introduction: Why Disable SAS Key Access in Azure Storage?
Shared Access Signatures (SAS) and storage account keys are high-risk authentication methods because:
- They can be leaked easily
- They provide broad or long-term access
- They bypass conditional access and identity-based governance
Microsoft recommends disabling SAS whenever possible and migrating resources to Microsoft Entra ID authentication.
Environment Overview
- Architecture: Hub and Spoke model deployed.
- Hub Services: Firewall (FW), VPN Gateway (GW), Application Gateway (APP GW), Load Balancer (LB) other security related services.
- Workload Location: Actual workloads run within the Spoke virtual networks.
- Storage: Storage accounts contain BLOBs and/or Files.
- Access: Users access storage from Cloud (AVD/Windows/Linux VMs) and on-premises environments.
- Current Configuration:
- File shares are mounted on Domain-joined Linux VMs (On-prem) using storage keys.
- Storage accounts are not domain-joined or identity-based enabled.
- The “Allow storage account key access” option, which needs to be disabled, is currently enabled.
Scenario 1: Storage Account Without Private Endpoint or Firewall Restrictions
Prerequisite Checks:
- Verify the type of data objects present (BLOB, Files, Queue, or Tables).
- Check the last accessed date for BLOB and Azure File shares.
- Identify required permissions for the change (e.g., Storage Blob Data Contributor for BLOBs and Storage File Data Privileged Contributor for File Shares).
Approach: Impact Assessment and Mitigation – Disable SAS Key Access in Azure Storage Accounts
1. Determine the Number and Frequency of Requests Authorised with Shared Key/SAS:
- Verify the storage account metrics.
- Analyse requests authorised with Shared Key or SAS tokens over a period (e.g., the last thirty days).
2. Determine Accessing Entities (Users/Applications):
- Utilise Azure Storage logs in Azure Monitor to identify the authorisation type used.
- Run the following Kusto query (KQL) for recent access (e.g., last 7 days):
StorageBlobLogs
| where AuthenticationType in ("AccountKey", "SAS") and TimeGenerated > ago(7d)
| summarize count() by CallerIpAddress, UserAgentHeader, AccountName
| top 10 by count_ desc- Confirmation: After the above verification, confirm if the storage account is being accessed by storage keys and SAS keys.
- Mitigation Strategy (BLOB Only): If the storage account only contains a BLOB container, first disable the SAS key at the BLOB container level. If no impact is identified, proceed to disable the SAS key option at the storage account level.
- Mitigation Strategy (Files Only): If the storage account’s contents are Azure File share, disabling the SAS key will result in the dismounting of the file shares. Consequently, this action requires careful planning. This scenario will be addressed in section 2.
3. Disable the SAS Key Option at the BLOB or File Share Level:
- BLOB Level: Navigate to the BLOB container and toggle the authentication option from SAS to Microsoft Entra ID (formerly Entra ID).
- File Share Level: Navigate to the File Share and toggle the authentication option from SAS to Microsoft Entra ID (formerly Entra ID).
Challenges Encountered During Step 3:
- Permission Error: An error will occur if the user lacks the required permissions (listed in the prerequisites).
- Authentication Reversion: The authentication setting may revert from Entra ID back to SAS after refreshing, potentially due to:
- An Azure Policy denying the change (check Activity logs for details).
- The storage account configuration setting “Default to Microsoft Entra authorization in the Azure portal” is being disabled.
4. Disable Shared Key Authorisation:
- Navigate to the storage account in the Azure portal.
- Under Settings, select Configuration.
- Set Allow storage account key access to Disabled.
Details on Scenario. 2
References:
- Prevent Shared Key authorization for an Azure Storage account
- Choose how to authorize access to file data in the Azure portal
- Mount Azure file share on Windows | Microsoft Learn
- On-Premises AD DS Authentication for Azure Files | Microsoft Learn
Given our storage account includes both BLOB and File shares, we must gradually disable the SAS key, as documented in MS articles (reference above). Disabling it at the storage account level will break everything. We tried to disable the SAS key for Entra ID at the file share level, but the setting reverts after refreshing the page. We need to find out why.
1. This is due to the configuration setting “Default to Microsoft Entra authorisation in the Azure Portal” as disabled. This setting has to be enabled.
2. Azure policy blocking the change