Instructor: So let's go back to talking about security.
Up till now, we've been working with access keys,
which means that if you have the key,
then you pretty much have full access to the contents
of a storage account,
depending on the network settings, of course.
The other type of access is called Entra ID,
which is identity-based access control.
This shifts the authentication from what you have in terms
of the secret key into who you are.
And once you've authenticated with Azure,
then you would be given the appropriate permissions,
which may or may not include access to the storage account
or to the container or to a file share.
So this is also called role-based access control
within Azure.
So for general-purpose v2 storage accounts,
this is available by default.
You don't have to do anything in order
to enable access control.
What you may wanna do is disable the account key.
So if we go down into this overview screen,
we can see under security,
it has storage account key access enabled.
If I click this, it takes me into the configuration
and I can go down to allow storage account key access.
If I set this to disabled,
well, suddenly all of the keys no longer work.
All of the SAS tokens
and the shared access policies no longer work.
So I'm gonna do that.
And Entra ID has, again, for general-purpose v2,
I don't have to do anything to enable it.
Now, there is the concept of defaulting to this.
So there are ways of accessing your storage account
in the portal, including a storage browser
and when you use the portal to navigate into a container
and into the files, do we switch over to Entra authorization
for the portal?
Actually, I have to enable this
'cause I've disabled the storage account key,
so I'm going to save that.
Okay, I'm gonna go back to the overview screen here.
So there's a couple of different levels
in which you can assign authentication using Entra ID.
First is at the account level,
and right from this overview screen,
we see the menu says access control.
We can click onto that,
and let's look at the roles.
So if we go under access control in roles,
we can scroll down and we can see
that there's a number of roles. What we're looking for,
and I'm gonna actually search instead of scrolling,
is the word storage, let's say to start with.
And we're looking for, for instance,
Storage Blob Data Contributor.
Allows for read, write, delete access
to Azure Storage Blob containers and data.
So if you assign this access to someone,
then they're going to be able to add files and read files
and delete files inside
of a blob container in this storage account.
So azsjdnewstoragedemo.
Assign someone this permission,
they will have access to that container,
all the containers in the storage account.
You can also go down to this individual container.
And under properties,
there is this access control on the left.
And again, we can go to the storage account,
Storage Account Contributor role
as an example,
and then they would only have access to this container.
So those are, in terms of blob storage,
the two levels of access that you have the ability
to assign people.
Of course, that's not the only role
that may have access to this.
There are other roles,
like Reader and Data Access, which lets you view everything,
but doesn't let you delete
or create a storage account or any of the resources.
It gives you access to all data.
So this isn't the only role that you can assign,
but some of these roles
are gonna have storage account access built into it.
So even though I created this account
and I created this container, if I go to the overview,
it's gonna tell me I do not have permissions to this
because I've turned off key permission.
I've turned on the default for Entra ID permissions,
and I have not assigned myself permissions to this.
So if I go under access control for the container,
and then I can add a role assignment,
I can choose the Storage Blob Data Contributor role
as an example.
I can choose myself
and I say review and assign,
and say review and assign.
Now when I go under view my access,
I can see that I'm not only administrator
in this management group,
but I'm a Blob Data Contributor for this resource.
Now, this could take a few seconds to propagate,
but eventually when you go back to the overview screen,
you'll see that you do have access to list the contents
and even to view the contents of this.
You'll see the authentication method
has been set to Microsoft Entra.
So as we've seen,
using the access key is definitely the easier way
of getting access to a storage account.
It used to be historically the way that it was done,
but there are some pitfalls.
If you lose this access key, that allows other people
to have full control over your storage account,
and you do not have really good ways
of controlling the access key.
You can use the shared access signature
or stored access policies, but that is not perfect.
Changing the key can be a little bit of a hassle sometimes.
So moving to Microsoft Entra for authentication
and control of your storage account, while more difficult
to implement initially, does give you finer-grained control
and maybe better long-term control over the contents
of your storage accounts and your containers.
So this is the lesson on Microsoft Entra.
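The same steps the lesson walks through in the portal (disable the account key, default the portal to Entra ID, assign Storage Blob Data Contributor at account or container scope, verify with an Entra token), as an added Azure CLI example that is not part of the lecture. It assumes a logged-in az CLI; the subscription id, resource group, container name and assignee are placeholders, and the defaultToOAuthAuthentication step uses the generic ARM property because the CLI is assumed to have no dedicated flag for it.

```shell
#!/bin/sh
# Added example (not from the lecture): lock a GPv2 storage account down to
# Entra ID (RBAC) access with the Azure CLI, then grant and verify a role.
# Assumptions: az CLI is installed and logged in; values below are placeholders.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription id
RG="${RG:-rg-storage-demo}"                            # placeholder resource group
ACCT="${ACCT:-azsjdnewstoragedemo}"                    # account name used in the lecture
CONTAINER="${CONTAINER:-demo-container}"               # placeholder container
ASSIGNEE="${ASSIGNEE:-user@example.com}"               # UPN or object id to grant
APPLY="${APPLY:-0}"                                    # 0 = print commands, 1 = run them

# Scope for an account-level assignment (every container in the account).
account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$SUB" "$RG" "$ACCT"
}
# Scope for a container-level assignment (that one container only).
container_scope() {
  printf '%s/blobServices/default/containers/%s' "$(account_scope)" "$CONTAINER"
}
# Print a command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

harden_and_grant() {
  # 1. Disable the account keys: SAS tokens and stored access policies stop working too.
  run az storage account update -g "$RG" -n "$ACCT" --allow-shared-key-access false
  # 2. Make the portal's Storage browser default to Entra ID authorization.
  #    (Assumption: no dedicated az flag, so the ARM property is set directly.)
  run az resource update --ids "$(account_scope)" \
      --set properties.defaultToOAuthAuthentication=true
  # 3. Grant read/write/delete on blob data, scoped to a single container.
  #    Use "$(account_scope)" instead to cover every container in the account.
  run az role assignment create --assignee "$ASSIGNEE" \
      --role "Storage Blob Data Contributor" --scope "$(container_scope)"
  # 4. Verify with an Entra token rather than a key; fails until RBAC propagates.
  run az storage blob list --account-name "$ACCT" --container-name "$CONTAINER" \
      --auth-mode login --output table
}

# Only act when invoked with --apply, so sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then harden_and_grant; fi
```

Run with `APPLY=0 sh harden.sh --apply` first to review the exact commands, then `APPLY=1` to execute them.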