Prevent Shared Key Authorization for Storage Account

vivek singh 0 Reputation points
2025-04-29T22:57:44.25+00:00

Hi,

I am currently working on the CSPM recommendations. We found one recommendation, "Prevent shared key authorization". We want to implement this but found some limitations.

We have merchants who need periodic reports from Storage, which we share using a shared key URL. If we enable AD authorization and disable shared key, then the merchants will not be able to access them.

How can we overcome this issue and disable shared key authorisation?


2 answers

  1. Nandamuri Pranay Teja 1,930 Reputation points Microsoft External Staff
    2025-04-30T07:09:25.9966667+00:00

    Hello vivek,

    Thank you for your question!

    To turn off shared key authorization in Azure Blob Storage, go to the settings of your storage account in the Azure portal and change the option for 'Allow shared key access' to disabled. It is important to ensure that Azure Active Directory (AD) authorization is correctly set up for your merchants to retain access.

    After that, verify that your storage account is set up to utilize Azure Active Directory (AD) for authentication purposes. This requires the assignment of suitable roles to the merchants requiring access to the storage account, such as Storage Blob Data Reader (for read-only access to blobs) or Storage Blob Data Contributor (for read and write access to blobs). If merchants need temporary access, it is advisable to create SAS tokens that provide restricted access to designated resources within the storage account. This enables the preservation of security while facilitating essential access.

    Later, monitor access logs and adjust permissions as necessary to ensure that merchants have the access they need while maintaining security.

    References: https://learn.microsoft.com/en-us/azure/machine-learning/how-to-disable-local-auth-storage?view=azureml-api-2&tabs=portal

    Hope the above answer helps! Please let us know if you have any further queries.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


  2. Alex Burlachenko 4,465 Reputation points
    2025-04-30T07:23:06.4033333+00:00

    Dear Vivek Singh,

    Thank you for reaching out with your question on the Q&A portal! The community is always happy to help, and together we'll find the best solution for your scenario.

    Understanding the issue: you want to disable Shared Key authorization for your Azure Storage Account to improve security (as recommended by CSPM), but your merchants rely on shared key URLs (SAS tokens) to access periodic reports. Disabling Shared Key authorization would block their access. If so...

    So, use Azure AD or alternative secure methods. To maintain security while ensuring merchants can still access reports, consider these approaches:

    • Replace Shared Key URLs with Azure AD-based SAS (recommended)

      User Delegation SAS: generate SAS tokens using Azure AD credentials instead of the storage account key. This is more secure and allows granular control (Microsoft Docs: Create a User Delegation SAS).

      Merchants must authenticate via Azure AD (if they're part of your tenant or as guest users).

    • Use Azure AD for direct access (if it's possible, of course)

      Assign merchants RBAC roles (e.g., Storage Blob Data Reader) if they can sign in via Azure AD (Microsoft Docs: Assign Azure Roles for Storage).

    • Migrate to secure alternatives. Azure Storage Firewalls + Private Links: restrict access to specific IPs/VNets and use private endpoints. Managed SaaS solutions: if reports are static, consider Azure Blob Storage static websites (anonymous read) or Azure API Management with authentication.

    To disable Shared Key auth, once you've migrated to a secure method, disable Shared Key authorization:

        az storage account update --name <StorageAccountName> --resource-group <ResourceGroup> --allow-shared-key-access false

    (Microsoft Docs: Disable Shared Key Authorization)

    And if merchants cannot use Azure AD, temporary workarounds include:

    • Time-bound SAS tokens (minimize exposure) with strict network/IP restrictions.

    • Hybrid approach: keep Shared Key enabled for a subset of storage accounts while migrating.

    Best regards,
    Alex

    P.S. If my answer helps you, please Accept my answer (that is my Answer, but not a comment!)
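Before running the `az storage account update` command from the answer above across a subscription, it helps to know which accounts are actually still accepting Shared Key requests. The script below is an added example (not part of either answer and not Microsoft's code): it reads the JSON that `az storage account list -o json` prints, flags accounts where `allowSharedKeyAccess` is not explicitly `false` (a null or missing value means Shared Key is still allowed, which is the Azure default), and generates the per-account remediation command so the change can be reviewed first. The account names and resource groups in the embedded JSON are constructed for the example.

```python
"""Audit helper for the 'Prevent shared key authorization' CSPM recommendation.

Reads the JSON that `az storage account list -o json` prints and reports which
accounts still allow Shared Key authorization. The sample JSON below is
constructed for this example; it is not output captured from a real subscription.
"""
import json

# Constructed sample: a trimmed-down version of `az storage account list` output.
# `allowSharedKeyAccess` null or missing means Shared Key auth is still allowed
# (the Azure default), so only an explicit false counts as compliant.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "stmerchantreports", "resourceGroup": "rg-reports",
     "allowSharedKeyAccess": None},
    {"name": "stlegacyexport", "resourceGroup": "rg-reports",
     "allowSharedKeyAccess": True},
    {"name": "stsecure", "resourceGroup": "rg-secure",
     "allowSharedKeyAccess": False},
])


def shared_key_allowed(account: dict) -> bool:
    """True unless the account explicitly sets allowSharedKeyAccess to false."""
    return account.get("allowSharedKeyAccess") is not False


def find_noncompliant(az_json: str) -> list:
    """Return the names of accounts that still accept Shared Key authorization."""
    accounts = json.loads(az_json)
    return [a["name"] for a in accounts if shared_key_allowed(a)]


def remediation_commands(az_json: str) -> list:
    """Build the `az storage account update` command from the answer for each
    non-compliant account, so the change can be reviewed before it is applied."""
    accounts = json.loads(az_json)
    return [
        f"az storage account update --name {a['name']} "
        f"--resource-group {a['resourceGroup']} --allow-shared-key-access false"
        for a in accounts if shared_key_allowed(a)
    ]


if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_AZ_OUTPUT):
        print(f"Shared Key still allowed: {name}")
    print("\n".join(remediation_commands(SAMPLE_AZ_OUTPUT)))
```

To run it against a real subscription, replace `SAMPLE_AZ_OUTPUT` with the contents of `az storage account list -o json`; the generated commands are only printed, never executed, so accounts whose merchants have not yet been moved to user delegation SAS or RBAC can be left out of the rollout.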
