Storage Accounts
Azure Storage Accounts provide scalable, durable cloud storage for blobs, queues, tables, and file shares. A single storage account can host multiple storage services and acts as the top-level namespace for data access, billing, and access control.
Account Types
- Standard general-purpose v2 (StorageV2) — The recommended default; supports all storage services and tiers
- Premium block blobs — Low-latency blob storage backed by SSDs; suited for high-transaction workloads
- Premium file shares — SSD-backed Azure Files; required for NFS shares and latency-sensitive SMB workloads
- Premium page blobs — SSD-backed page blob storage; used primarily for Azure VM unmanaged disks
For most workloads, use Standard general-purpose v2.
Storage Services
- Blob Storage — Object storage for unstructured data (documents, images, backups, logs). Supports block blobs, append blobs, and page blobs
- Azure Files — Fully managed SMB and NFS file shares mountable by Windows, Linux, and macOS
- Queue Storage — Simple message queuing for decoupling application components; messages up to 64 KB
- Table Storage — NoSQL key-attribute store for structured, schema-less data (consider Cosmos DB for new workloads)
Redundancy Options
- LRS (Locally Redundant Storage) — 3 synchronous copies within a single datacenter; lowest cost
- ZRS (Zone-Redundant Storage) — 3 synchronous copies across availability zones in one region
- GRS (Geo-Redundant Storage) — LRS in primary region plus async replication to a paired region
- GZRS (Geo-Zone-Redundant Storage) — ZRS in primary region plus async replication to a paired region; highest durability
- RA-GRS / RA-GZRS — GRS or GZRS with read access to the secondary region
For production workloads, prefer ZRS or GZRS. Use RA-GZRS where secondary read access is required for DR.
Common Built-in RBAC Roles
| Role | Role Definition ID | Scope | Description |
|---|---|---|---|
| Storage Account Contributor | 17d1049b-9a84-46fb-8f53-869881c3d3ab | Account | Manage storage account configuration; no access to data plane |
| Storage Blob Data Owner | b7e6dc6d-f1e8-4753-8033-0f276bb0955b | Blobs | Full access to blob containers and data, including POSIX ACL management |
| Storage Blob Data Contributor | ba92f5b4-2d11-453d-a403-e96b0029c9fe | Blobs | Read, write, and delete blob containers and data |
| Storage Blob Data Reader | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | Blobs | Read and list blob containers and data |
| Storage Blob Delegator | db58b8e5-c6ad-4a2a-8342-4190687cbf4a | Blobs | Obtain a user delegation key for generating SAS tokens scoped to Blob storage |
| Storage Queue Data Contributor | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | Queues | Read, write, and delete queues and queue messages |
| Storage Queue Data Reader | 19e7f393-937e-4f77-808e-94535e297925 | Queues | Read and list queues and queue messages |
| Storage Queue Data Message Sender | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | Queues | Post messages to a storage queue |
| Storage Queue Data Message Processor | 8a0f0c08-91a1-4084-bc3d-661d67233fed | Queues | Peek, receive, and delete messages from a storage queue |
| Storage Table Data Contributor | 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 | Tables | Read, write, and delete tables and table entities |
| Storage Table Data Reader | 76199698-9eea-4c19-bc75-cec21354c6b6 | Tables | Read and list tables and table entities |
| Storage File Data SMB Share Contributor | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | Files | Read, write, and delete files and directories over SMB |
| Storage File Data SMB Share Reader | aba4ae5f-2193-4029-9191-0cb91df5e314 | Files | Read and list files and directories over SMB |
| Storage File Data SMB Share Elevated Contributor | a7264617-510b-434b-a828-9731dc254ea7 | Files | Read, write, delete, and modify NTFS ACLs on files and directories over SMB |
Blob Access Tiers
Access tiers apply to block blobs in general-purpose v2 and blob storage accounts:
- Hot — Frequently accessed data; higher storage cost, lower access cost
- Cool — Infrequently accessed data stored for at least 30 days; lower storage cost, higher access cost
- Cold — Rarely accessed data stored for at least 90 days; lower storage cost than Cool, higher access cost
- Archive — Offline tier for rarely accessed data stored for at least 180 days; lowest storage cost, highest retrieval cost and latency (rehydration required)
Usage
PowerShell
```powershell
# Create a storage account (zone-redundant, HTTPS only, TLS 1.2 floor, no anonymous blob access)
New-AzStorageAccount `
    -ResourceGroupName "rg-myapp-prod-uks-01" `
    -Name "stmyappprodukss01" `
    -Location "uksouth" `
    -SkuName "Standard_ZRS" `
    -Kind "StorageV2" `
    -EnableHttpsTrafficOnly $true `
    -MinimumTlsVersion "TLS1_2" `
    -AllowBlobPublicAccess $false

# Get storage account context (this context authenticates with the account key)
$ctx = (Get-AzStorageAccount -ResourceGroupName "rg-myapp-prod-uks-01" -Name "stmyappprodukss01").Context

# Create a blob container; -Permission Off means no anonymous (public) access
New-AzStorageContainer -Name "mycontainer" -Context $ctx -Permission Off

# Upload a blob
Set-AzStorageBlobContent -Container "mycontainer" -File ".\data.json" -Blob "data.json" -Context $ctx

# Assign Blob Data Contributor to a managed identity (replace the <...> placeholders)
New-AzRoleAssignment `
    -ObjectId <identity-object-id> `
    -RoleDefinitionName "Storage Blob Data Contributor" `
    -Scope "/subscriptions/<sub-id>/resourceGroups/rg-myapp-prod-uks-01/providers/Microsoft.Storage/storageAccounts/stmyappprodukss01"
```
Best Practices
- Disable public blob access on all storage accounts unless explicitly required; grant access via RBAC or SAS tokens instead
- Enforce HTTPS-only traffic and a minimum TLS version of TLS 1.2
- Use managed identities and RBAC for application access—avoid shared access keys where possible; consider disabling key access entirely
- Prefer ZRS or GZRS over LRS for production accounts to protect against zone failures
- Enable soft delete for blobs, containers, and file shares to protect against accidental deletion
- Enable versioning for blob containers that hold critical or frequently overwritten data
- Use lifecycle management policies to automatically transition blobs to cooler tiers or delete them after a defined retention period
- Restrict network access using firewall rules or private endpoints; avoid leaving storage accounts open to all public networks
- Enable diagnostic logging and route to a Log Analytics workspace for audit trails
- Follow the naming convention `st<app><environment><location><instance>` (e.g. stmyappprodukss01); names must be 3–24 lowercase alphanumeric characters with no hyphens
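An added hardening script (not from the original page) that applies the practices above to the account created in the Usage section and then issues key-free delegated access, as the first and third items recommend. It assumes the Az.Storage, Az.Monitor and Az.OperationalInsights modules; the IP range 203.0.113.0/24, the workspace name law-myapp-prod and the 14-day retention period are constructed placeholders.

```powershell
# Added hardening script; assumed names: the account from the Usage section, the constructed
# office range 203.0.113.0/24, the workspace law-myapp-prod, and a 14-day retention period.
$rg = "rg-myapp-prod-uks-01"; $name = "stmyappprodukss01"; $days = 14

# 1. Transport and key hygiene: HTTPS only, TLS 1.2 floor, no anonymous blob access, and
#    shared-key authorization off, so account keys (and SAS signed with them) stop working.
Set-AzStorageAccount -ResourceGroupName $rg -Name $name -EnableHttpsTrafficOnly $true `
    -MinimumTlsVersion "TLS1_2" -AllowBlobPublicAccess $false -AllowSharedKeyAccess $false

# 2. Network: deny by default, let trusted Azure services through, allow one IP range.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $name -DefaultAction Deny -Bypass AzureServices
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $name -IPAddressOrRange "203.0.113.0/24"

# 3. Recovery: soft delete for blobs, containers and file shares; blob versioning.
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $name -RetentionDays $days
Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $name -RetentionDays $days
Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $name -IsVersioningEnabled $true
Update-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $name `
    -EnableShareDeleteRetentionPolicy $true -ShareRetentionDays $days

# 4. Lifecycle: block blobs under logs/ move to Cool after 30 days, Archive after 180, deleted after 365.
$filter = New-AzStorageAccountManagementPolicyFilter -BlobType blockBlob -PrefixMatch "logs/"
$action = New-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool -DaysAfterModificationGreaterThan 30
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction TierToArchive -DaysAfterModificationGreaterThan 180
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction Delete -DaysAfterModificationGreaterThan 365
$rule = New-AzStorageAccountManagementPolicyRule -Name "logs-retention" -Action $action -Filter $filter
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $name -Rule $rule

# 5. Audit trail: blob read/write/delete operations to a Log Analytics workspace.
$sa  = Get-AzStorageAccount -ResourceGroupName $rg -Name $name
$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name "law-myapp-prod"
$logs = "StorageRead", "StorageWrite", "StorageDelete" |
    ForEach-Object { New-AzDiagnosticSettingLogSettingsObject -Category $_ -Enabled $true }
New-AzDiagnosticSetting -Name "blob-audit" -ResourceId "$($sa.Id)/blobServices/default" `
    -WorkspaceId $law.ResourceId -Log $logs

# 6. Key-free delegated access: with shared keys off, hand out a short-lived, read/list-only SAS
#    signed with a user delegation key. The caller needs Storage Blob Delegator plus a data role.
$ctx = New-AzStorageContext -StorageAccountName $name -UseConnectedAccount
$sasUri = New-AzStorageContainerSASToken -Name "mycontainer" -Permission "rl" -Protocol HttpsOnly `
    -ExpiryTime (Get-Date).ToUniversalTime().AddHours(1) -Context $ctx -FullUri
# To invalidate delegated SAS tokens before they expire, revoke every user delegation key:
# Revoke-AzStorageAccountUserDelegationKeys -ResourceGroupName $rg -StorageAccountName $name
```

Once shared-key access is off, the key-based $ctx from the Usage section stops working; use the -UseConnectedAccount context (Entra ID plus the data-plane RBAC roles in the table above) for all data-plane calls.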