Prevent Shared Key Authorization for Storage Account

vivek singh 0 Reputation points
2025-04-29T22:57:44.25+00:00

Hi,

I am currently working on a CSPM recommendation. We found one recommendation, "Prevent shared key authorization". We want to implement this but found a limitation.

We have merchants who need some periodic reports from Storage, which we share using a shared key URL. If we enable AD authorization and disable shared key, then the merchants will not be able to access them.

How can we overcome this issue and disable shared key authorization?

Azure Storage Accounts

3 answers

  1. Nandamuri Pranay Teja 2,015 Reputation points Microsoft External Staff
    2025-04-30T07:09:25.9966667+00:00

    Hello vivek,

    Thank you for your question!

    To turn off shared key authorization in Azure Blob Storage, go to the settings of your storage account in the Azure portal and change the option for 'Allow shared key access' to disabled. It is important to ensure that Azure Active Directory (AD) authorization is correctly set up for your merchants to retain access.

    After that, verify that your storage account is set up to use Azure Active Directory (AD) for authentication. This requires assigning suitable roles to the merchants who need access to the storage account, such as Storage Blob Data Reader (for read-only access to blobs) or Storage Blob Data Contributor (for read and write access to blobs). If merchants need temporary access, it is advisable to create SAS tokens that provide restricted access to designated resources within the storage account. This preserves security while facilitating essential access.

    Later, monitor access logs and adjust permissions as necessary to ensure that merchants have the access they need while maintaining security.

    References: https://learn.microsoft.com/en-us/azure/machine-learning/how-to-disable-local-auth-storage?view=azureml-api-2&tabs=portal

    Hope the above answer helps! Please let us know do you have any further queries.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


  2. Alex Burlachenko 4,550 Reputation points
    2025-04-30T07:23:06.4033333+00:00

    Dear Vivek Singh,

    Thank you for reaching out with your question on the Q&A portal! The community is always happy to help, and together, we’ll find the best solution for your scenario.

    Understanding the issue: you want to disable Shared Key authorization for your Azure Storage Account to improve security (as recommended by CSPM), but your merchants rely on shared key URLs (SAS tokens) to access periodic reports. Disabling Shared Key authorization would block their access. If so...

    So, use Azure AD or alternative secure methods. To maintain security while ensuring merchants can still access reports, consider these approaches:

    Replace Shared Key URLs with Azure AD-based SAS (Recommended)

    User Delegation SAS: Generate SAS tokens using Azure AD credentials instead of the storage account key. This is more secure and allows granular control (Microsoft Docs: Create a User Delegation SAS)

    Merchants must authenticate via Azure AD (if they’re part of your tenant or as guest users).

    Use Azure AD for Direct Access (if it's possible, of course)

    Assign merchants RBAC roles (e.g., Storage Blob Data Reader) if they can sign in via Azure AD (Microsoft Docs: Assign Azure Roles for Storage)

    Migrate to Secure Alternatives. Azure Storage Firewalls + Private Links: Restrict access to specific IPs/VNets and use private endpoints. Managed SaaS Solutions: If reports are static, consider Azure Blob Storage static websites (anonymous read) or Azure API Management with authentication.

    To disable Shared Key Auth: once you've migrated to a secure method, disable Shared Key authorization:

    ```shell
    az storage account update --name <StorageAccountName> --resource-group <ResourceGroup> --allow-shared-key-access false
    ```

    (Microsoft Docs: Disable Shared Key Authorization)

    And if merchants cannot use Azure AD, temporary workarounds include:

    • Time-bound SAS tokens (minimize exposure) with strict network/IP restrictions.
    • Hybrid approach: Keep Shared Key enabled for a subset of storage accounts while migrating.

    Best regards,
    Alex
    P.S. If my answer helps you, please accept my answer (that is my answer, not a comment!)
      
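Before disabling shared key authorization, the practical question is which of the links already handed to merchants will stop working. The Python script below is an added example, not part of the answer above or of any Microsoft documentation: it inventories SAS URLs and classifies each as an account SAS or service SAS (both signed with the account key, so rejected once `allowSharedKeyAccess` is false) or a user delegation SAS (signed with an Entra ID delegation key, identified by the `skoid`/`sktid`/`skt`/`ske`/`sks`/`skv` parameters, and unaffected), and flags the hygiene issues Alex's workaround list mentions (no expiry or long expiry, no `sip` restriction, HTTP allowed, permissions beyond read/list). The account name, container names and signatures in the sample URLs are constructed; the script does not validate signatures, since that needs the key.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Query parameters present only on a user delegation SAS: they identify the
# Entra ID (Azure AD) delegation key the token was signed with. A SAS signed
# with the account key (service SAS or account SAS) never carries them.
USER_DELEGATION_FIELDS = ("skoid", "sktid", "skt", "ske", "sks", "skv")


def parse_sas_time(value):
    """Parse the ISO 8601 UTC forms Azure accepts in st/se (date-time or date-only)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def classify_sas_url(url, now=None):
    """Describe the SAS carried by `url` and whether it keeps working once
    allowSharedKeyAccess is set to false on the storage account."""
    now = now or datetime.now(timezone.utc)
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in query:
        return {"kind": "none", "survives_shared_key_disable": None,
                "findings": ["no SAS signature (sig) in URL"]}

    if all(field in query for field in USER_DELEGATION_FIELDS):
        kind = "user-delegation"   # signed with an Entra-issued delegation key
    elif "ss" in query and "srt" in query:
        kind = "account"           # account SAS: always signed with the account key
    else:
        kind = "service"           # service SAS without sk* fields: account key

    findings = []
    if "se" not in query:
        findings.append("no expiry (se)")
    else:
        expiry = parse_sas_time(query["se"])
        if expiry <= now:
            findings.append("expired")
        elif (expiry - now).days > 7:
            findings.append(f"long-lived: {(expiry - now).days} days until expiry")
    if "sip" not in query:
        findings.append("no source IP restriction (sip)")
    if query.get("spr", "https,http") != "https":   # absent spr means both protocols are accepted
        findings.append("plain HTTP accepted (spr)")
    extra = set(query.get("sp", "")) - {"r", "l"}
    if extra:
        findings.append("permissions beyond read/list: " + "".join(sorted(extra)))

    return {"kind": kind,
            "survives_shared_key_disable": kind == "user-delegation",
            "findings": findings}


def audit(urls, now=None):
    """Split shared report URLs into those that break and those that survive
    disabling shared key authorization."""
    breaks, survives = [], []
    for url in urls:
        result = classify_sas_url(url, now)
        (survives if result["survives_shared_key_disable"] else breaks).append((url, result))
    return breaks, survives


# Constructed sample links (fake account, container and signatures), the shape of
# what the original poster describes sharing with merchants.
SAMPLE_URLS = [
    "https://contosoreports.blob.core.windows.net/merchant-0042/2025-04-report.csv"
    "?sv=2022-11-02&sr=b&sp=r&st=2025-04-01T00:00:00Z&se=2026-04-01T00:00:00Z&sig=FAKEACCOUNTKEYSIG%3D",
    "https://contosoreports.blob.core.windows.net/merchant-0042/2025-04-report.csv"
    "?sv=2022-11-02&sr=b&sp=r&st=2025-04-30T00:00:00Z&se=2025-05-01T00:00:00Z&sip=203.0.113.10&spr=https"
    "&skoid=11111111-1111-1111-1111-111111111111&sktid=22222222-2222-2222-2222-222222222222"
    "&skt=2025-04-30T00:00:00Z&ske=2025-05-01T00:00:00Z&sks=b&skv=2022-11-02&sig=FAKEDELEGATIONSIG%3D",
]

if __name__ == "__main__":
    breaks, survives = audit(SAMPLE_URLS)
    for url, result in breaks:
        print("BREAKS  ", result["kind"], result["findings"], url.split("?")[0])
    for url, result in survives:
        print("SURVIVES", result["kind"], result["findings"], url.split("?")[0])
```

Run it over the real list of links (for example, exported from whatever system e-mails them to merchants); every entry in the "breaks" list is a merchant that needs a user delegation SAS or an Entra ID sign-in before the `az storage account update ... --allow-shared-key-access false` step. Note that the user delegation SAS itself still expires with the delegation key (`ske`), which is capped at seven days, so the "long-lived" finding can never apply to a correctly issued one.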

  3. Nandamuri Pranay Teja 2,015 Reputation points Microsoft External Staff
    2025-05-02T01:11:42.4233333+00:00

    Hello Vivek,

    Thank you for pointing out this crucial detail. I understand that user delegation SAS tokens have a significant limitation in that they only support Blob storage. They cannot be used to authorize access to Azure Files, Azure Queues, or Azure Tables.
    However, by inviting merchants as guest users to your Azure AD tenant, you establish a unified and coherent method for managing access across all Azure Storage services, which offers improved security and audit capabilities in comparison to shared keys. Although it may necessitate additional initial configuration and onboarding for your merchants, it represents a more resilient and forward-looking solution.

    • Invite merchants to your Azure Active Directory tenant as guest users. Establish custom roles that grant specific read-only permissions for the Blob containers, and possibly for additional services in the future, which house their reports.
    • Allocate these custom roles to the corresponding Azure AD guest user accounts at the designated scope. Instruct merchants on how to retrieve their reports utilizing Azure Storage Explorer (by authenticating with their Azure AD credentials) or through other approved methods.
    • Perform comprehensive testing with your pilot merchants to confirm their ability to access reports as anticipated through the new authentication method. Implement multi-factor authentication or other security protocols for merchant access.
    • Inform all merchants about the changes and offer assistance throughout the transition. After all merchants have successfully adopted Azure AD authentication, proceed to disable shared key access on your storage account.

    References:

    1. Documentation on setting up access reviews to manage and audit guest user access to groups and applications, which can be helpful for maintaining security: https://docs.azure.cn/en-us/entra/id-governance/manage-guest-access-with-access-reviews
    2. Documentation on restricted permission levels for guest users in Azure AD. https://learn.microsoft.com/en-us/entra/identity/users/users-restrict-guest-permissions

    Hope the above answer helps! Please let us know do you have any further queries.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
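The testing step in the procedure above (confirm pilot merchants can read their reports) is also the moment to confirm they can read nothing else. The Python below is an added example, not code from the answer or from Microsoft: it evaluates Azure RBAC the way the platform does for data-plane actions (assignment scope is an ancestor of the resource, action matched against the role's `dataActions` with `*` wildcards, then subtracted by `notDataActions`, union across assignments) and reports, per guest, whether they hold exactly read on their own container. The role definitions are reduced to blob data actions, the principals, subscription and container names are constructed, and deny assignments and ABAC conditions are ignored; the action names are the documented `Microsoft.Storage/.../blobs/...` data actions. It also shows why a custom "read-only" role built as `blobs/*` minus exclusions is a trap: an action the exclusion list never mentioned (`blobs/tags/write`) slips through.

```python
from fnmatch import fnmatchcase

BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"

# Constructed sample role definitions (blob data actions only). The built-in
# Storage Blob Data Contributor is approximated by a wildcard here; real
# definitions come from `az role definition list`.
ROLE_DEFINITIONS = {
    "Storage Blob Data Reader": {
        "dataActions": [BLOB + "read"], "notDataActions": []},
    "Storage Blob Data Contributor": {
        "dataActions": [BLOB + "*"], "notDataActions": []},
    # Hypothetical custom role done right: an explicit allow-list.
    "Merchant Report Reader": {
        "dataActions": [BLOB + "read"], "notDataActions": []},
    # Hypothetical custom role done wrong: everything minus a few exclusions.
    "Merchant Report Reader (by exclusion)": {
        "dataActions": [BLOB + "*"],
        "notDataActions": [BLOB + "write", BLOB + "delete",
                           BLOB + "add/action", BLOB + "move/action"]},
}

# Constructed resource IDs for a fictitious subscription and storage account.
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-reports"
           "/providers/Microsoft.Storage/storageAccounts/contosoreports")


def container_id(name):
    return f"{ACCOUNT}/blobServices/default/containers/{name}"


# Constructed guest-user assignments: one correct, one far too broad, one
# using the exclusion-style custom role.
ASSIGNMENTS = [
    {"principal": "merchant0042@partner.example", "role": "Storage Blob Data Reader",
     "scope": container_id("merchant-0042")},
    {"principal": "merchant0077@partner.example", "role": "Storage Blob Data Contributor",
     "scope": ACCOUNT},
    {"principal": "merchant0099@partner.example", "role": "Merchant Report Reader (by exclusion)",
     "scope": container_id("merchant-0099")},
]


def action_matches(pattern, action):
    # Azure RBAC action matching is case-insensitive and '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())


def scope_covers(scope, resource_id):
    # An assignment applies to its scope and everything beneath it (segment-wise prefix).
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def is_allowed(principal, data_action, resource_id,
               assignments=ASSIGNMENTS, roles=ROLE_DEFINITIONS):
    """True if any assignment in scope grants data_action and does not exclude it."""
    for a in assignments:
        if a["principal"].lower() != principal.lower() or not scope_covers(a["scope"], resource_id):
            continue
        role = roles[a["role"]]
        granted = any(action_matches(p, data_action) for p in role["dataActions"])
        excluded = any(action_matches(p, data_action) for p in role["notDataActions"])
        if granted and not excluded:
            return True
    return False


def merchant_check(principal, own_container, other_container, **kw):
    """Least-privilege check for one merchant guest: read their own container and nothing more."""
    own, other = container_id(own_container), container_id(other_container)
    result = {
        "read_own": is_allowed(principal, BLOB + "read", own, **kw),
        "write_own": is_allowed(principal, BLOB + "write", own, **kw),
        "tags_write_own": is_allowed(principal, BLOB + "tags/write", own, **kw),
        "read_other": is_allowed(principal, BLOB + "read", other, **kw),
    }
    result["least_privilege"] = result["read_own"] and not (
        result["write_own"] or result["tags_write_own"] or result["read_other"])
    return result


if __name__ == "__main__":
    for who, own in (("merchant0042@partner.example", "merchant-0042"),
                     ("merchant0077@partner.example", "merchant-0077"),
                     ("merchant0099@partner.example", "merchant-0099")):
        print(who, merchant_check(who, own, "merchant-0001"))
```

Feed it the output of `az role assignment list --all` and `az role definition list` instead of the constructed tables and run it for each guest before the final "disable shared key" step; any merchant whose `least_privilege` is false should be fixed first, since after the switch the RBAC assignment is the only thing standing between them and other merchants' reports.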

