In this lab, I explored how to provide secure, controlled, and compliant Azure storage for a new company application. The devs needed full control over how the storage was accessed — only via keys and managed identities, with role-based access control (RBAC), customer-managed encryption, and immutable blob retention policies for compliance and testing.

Let’s get into the details.


🔍 Scenario

The company is developing a new app and wants its backing storage to be secure and compliant:

  • 🔑 Access only via keys and user-assigned managed identities
  • 🔐 Encryption must use a customer-managed key (CMK) stored in Key Vault
  • 🔒 Test files need to be locked down with time-based retention
  • 🧱 Files should be stored under an encryption scope with infrastructure encryption

🛠️ Skilling Tasks

  • ✅ Create a storage account with infrastructure encryption
  • ✅ Create a user-assigned managed identity and assign RBAC
  • ✅ Secure access with Azure Key Vault and a customer-managed key
  • ✅ Enable immutable blob policies for file retention
  • ✅ Create an encryption scope with infrastructure encryption

🔹 Step 1: Create the Storage Account and Managed Identity

I started by creating a new resource group: storagerg2.

Then, I created a Storage Account named az104bobstg2 with:

  • Infrastructure encryption enabled (a second, independent layer of encryption at the infrastructure level, on top of the default service-level encryption)
  • Review + Create > ✅ Passed validation > Created successfully

Next, I needed a user-assigned managed identity for the app:

  • Searched for Managed identities
  • Created one named managedbob in storagerg2

🔐 After that, I granted the identity Storage Blob Data Reader permissions:

  1. Went to the IAM tab of my storage account
  2. Added the role to managedbob
  3. Verified RBAC was assigned correctly

🔒 Step 2: Secure Access with Azure Key Vault and CMK

I needed a Key Vault to store the customer-managed encryption key:

  1. Created a Key Vault called keyvaultbob in the same RG
  2. Ensured Azure RBAC was selected
  3. Ensured Purge protection was enabled (critical for CMK use)

Got an error initially:

“Operation not allowed by RBAC”

✅ Fixed it by assigning myself the Key Vault Administrator role in IAM. With Azure RBAC as the vault's permission model, creating the vault gives you no data-plane rights to it, so key operations need an explicit role assignment.

Then, I generated a key named bobkey.

💡 Note: You must enable Soft Delete and Purge Protection on the vault for customer-managed keys to work — I hit this roadblock too!


🔐 Step 3: Configure the Storage Account to Use the Customer-Managed Key

Before assigning the key:

  • I assigned the Key Vault Crypto Service Encryption User role to managedbob (via IAM in the RG).

Then, back in the Encryption blade of the storage account:

  1. Selected Customer-managed keys
  2. Pointed to my Key Vault and selected bobkey
  3. Set the identity type to User-assigned, and selected managedbob
  4. Saved changes — success!

🔑 Now my storage account uses my Key Vault key to encrypt its contents.


🧷 Step 4: Configure Time-Based Retention (Immutable Blob Policy)

To lock files for compliance testing, I enabled time-based immutability:

  1. Created a new container called hold
  2. Uploaded a test file
  3. Opened the Access policy blade and added a Time-based retention policy for 5 days
  4. Saved the policy

Then, I tested it by trying to delete the file...

❌ Result: “Failed to delete blobs due to policy” — exactly what I wanted!


🧊 Step 5: Create an Encryption Scope with Infrastructure Encryption

For more control, I created a scoped encryption option:

  1. In Encryption > Encryption scopes, I clicked Add
  2. Named it encryptionbob
  3. Set the encryption type to Microsoft-managed key
  4. Enabled Infrastructure encryption
  5. Created the scope

When creating a new container, I could now assign encryptionbob as the encryption scope under the Advanced section.

✅ This means blobs in that container are encrypted under the scope's own settings (here a Microsoft-managed key plus infrastructure encryption), while the account-level default stays the CMK.
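The same five steps as an Azure CLI script, added here as an example (it is not the lab's own script; the lab was done in the portal). Resource names match the lab; the region eastus, the second container named scoped, and running it as `bash secure-storage.sh apply` after `az login` are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the lab's own script): portal steps 1-5 above as Azure CLI.
# Assumes `az login` was done by someone who can create role assignments;
# names match the lab, LOCATION and the "scoped" container are assumptions.
set -euo pipefail
RG=storagerg2; LOCATION=eastus; STG=az104bobstg2
UAMI=managedbob; KV=keyvaultbob; KEY=bobkey; SCOPE=encryptionbob

deploy() {
  local stg_id uami_id principal kv_id me
  # Step 1: storage account with infrastructure (double) encryption, identity, RBAC on the account
  az group create -n "$RG" -l "$LOCATION" -o none
  az storage account create -n "$STG" -g "$RG" -l "$LOCATION" --sku Standard_LRS \
    --kind StorageV2 --require-infrastructure-encryption true -o none
  az identity create -n "$UAMI" -g "$RG" -o none
  stg_id=$(az storage account show -n "$STG" -g "$RG" --query id -o tsv)
  uami_id=$(az identity show -n "$UAMI" -g "$RG" --query id -o tsv)
  principal=$(az identity show -n "$UAMI" -g "$RG" --query principalId -o tsv)
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Reader" --scope "$stg_id" -o none

  # Step 2: Key Vault in RBAC mode with purge protection (soft delete is on for new vaults), then the key.
  # Creating the vault grants no data-plane rights, hence the explicit Key Vault Administrator assignment
  # (role propagation can take a minute; re-run if the key create is denied).
  az keyvault create -n "$KV" -g "$RG" -l "$LOCATION" \
    --enable-rbac-authorization true --enable-purge-protection true -o none
  kv_id=$(az keyvault show -n "$KV" -g "$RG" --query id -o tsv)
  me=$(az ad signed-in-user show --query id -o tsv)
  az role assignment create --assignee-object-id "$me" --assignee-principal-type User \
    --role "Key Vault Administrator" --scope "$kv_id" -o none
  az keyvault key create --vault-name "$KV" -n "$KEY" --kty RSA --size 2048 -o none

  # Step 3: the identity only needs wrap/unwrap rights (Crypto Service Encryption User), then bind the CMK
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" --scope "$kv_id" -o none
  az storage account update -n "$STG" -g "$RG" --identity-type UserAssigned --user-identity-id "$uami_id" \
    --encryption-key-source Microsoft.Keyvault --encryption-key-vault "https://$KV.vault.azure.net" \
    --encryption-key-name "$KEY" --key-vault-user-identity-id "$uami_id" -o none

  # Step 4: "hold" container with an (unlocked) 5-day time-based retention policy
  az storage container-rm create --storage-account "$STG" -g "$RG" -n hold -o none
  az storage container immutability-policy create --account-name "$STG" -g "$RG" -c hold --period 5 -o none

  # Step 5: encryption scope (Microsoft-managed key + infrastructure encryption), pinned to a container
  az storage account encryption-scope create --account-name "$STG" -g "$RG" -n "$SCOPE" \
    --key-source Microsoft.Storage --require-infrastructure-encryption true -o none
  az storage container-rm create --storage-account "$STG" -g "$RG" -n scoped \
    --default-encryption-scope "$SCOPE" --deny-encryption-scope-override true -o none
}
# Without the "apply" argument the script only defines deploy, so it is safe to source and inspect.
if [ "${1:-}" = "apply" ]; then deploy; fi
```

The retention policy is left unlocked so the test container can still be cleaned up; locking it would make the 5-day hold irreversible.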


🧹 Cleanup Tip

If you're doing this in your own subscription, remember to delete the resource group to avoid unwanted costs:

az group delete --name storagerg2

🧠 Key Takeaways

This was a super valuable exercise in securing and customizing storage for enterprise-grade apps.

Here’s what I walked away with:

  • RBAC + Managed Identities give granular, secure access control
  • Customer-Managed Keys (CMK) lets me bring my own encryption keys using Key Vault
  • Immutable blob policies ensure compliance and protect against tampering or deletion
  • Encryption scopes offer scoped, fine-grained encryption with optional infrastructure encryption

🎯 If you're building apps that need serious compliance, this setup is exactly how you'd secure your storage. The combo of encryption, role-based access, and immutability covers all the bases.

On to the next one! 💪