Secure Data Management in Azure Storage with SAS

Use a temporary, permission‑limited Azure SAS token to securely manage data without exposing credentials.

Azure Azure Exam AZ-104

Scenario

A business is migrating its legacy application to the vendor’s new Azure SaaS platform. As part of the move, sensitive data must be transferred securely to Azure Storage. To achieve this, a Shared Access Signature (SAS) will be used to provide temporary, permission limited access.

  • Enable secure, controlled access to cloud storage during migration
  • Successfully transfer sensitive data without exposing credentials

Lab Objectives

  • Create and configure an Azure Storage account
  • Generate a SAS token to provide secure, temporary access
  • Transfer and validate sensitive data using Azure Storage Explorer

This lab is also available on YouTube.

Prerequisites

  • Active Azure subscription with permissions to create resources.
  • Azure Storage Explorer installed locally.

Create Azure Storage Account

Provision a new storage account in Azure.

  1. In Azure Portal, go to Storage Accounts > Create.
  2. Select subscription, resource group, and region.
  3. Choose performance tier (Standard) and redundancy (LRS).
  4. Click Review + Create.
Verification: The storage account should now appear in the resource group.

Create a Blob Container

Add a container to store files.

  1. Navigate to the Storage Account > Data Storage > Containers > + Container.
  2. Name the container.
  3. Set public access level to Private.
Verification: Container is listed under the storage account.

Generate SAS Token

Create a SAS token for secure access, it provides temporary, permission‑limited access without exposing account keys.

  1. Go to the storage Storage Account > Data Storage > Containers > [blobcontainer] > Settings > Shared Access Tokens.
  2. Signing Method: Account Key
  3. Select permissions (Read, Write, List, Add).
  4. Set start and expiry time (for testing use a short interval like 10 minutes).
  5. Click Generate SAS and connection string.
Verification: Copy the SAS URL and test access using Storage Explorer in the next step.

Transfer Data Using Storage Explorer

Upload data to Azure Blob storage using Storage Explorer which provides a GUI for secure transfer using SAS.

  1. Open Azure Storage Explorer.
  2. Select Connect to Azure Resources > Blob Container or Directory > Shared Access Signature URL (SAS)
  3. Paste the SAS URL generated earlier.
  4. Navigate to the container.
  5. Upload files from local machine.
Verification: The files should appear in the container via Storage Explorer and in Storage Browser in the Azure Portal. Also wait for the SAS token to expire and try to connect to the container again, access will be denied.

Conclusion

This lab demonstrated how to set up an Azure Storage account, generate a SAS token and securely transfer sensitive data using Azure Storage Explorer. By following these steps, you learn the mechanics of SAS and Storage Explorer.

The key takeaway is that SAS tokens provide a secure, time‑bound way to enable data migration without exposing permanent credentials.

Using a VPN is a secure and simple way to protect your data.

Get NordVPN