Azure Storage Accounts contain four key services:

  • Blobs provides scalable storage for unstructured data.
  • Files provides scalable file shares via SMB (Private) and NFS.
  • Queues provide ordered message storage and retrieval for decoupling operations from their input.
  • Tables provide NoSQL/unstructured document storage for large volumes of data.

Account types

Storage account types dictate available features and costs.

Standard storage accounts:

  • General Purpose V1 is largely obsolete, offering all of the features (blob, file, table, queue) and support for the classic (SM) deployment model.
  • Blob Storage accounts provide only blob storage with support for access tiers.
  • General Purpose V2 combine both GPv1 Blob Storage with lower storage costs than V1.

Premium storage accounts:

  • Block Blob Storage offer block and append blob on premium storage for higher transaction rates and lower latency, but no support for access tiers.
  • File Storage hosts file shares on premium storage for lower latency with burstable IOPS limits.


In ascending order of redundancy:

  • LRS replicates data synchronously three times in the primary location.
  • ZRS replicates data synchronously across availability zones in the primary region.
  • GRS replicates data via LRS in the primary location and asynchronously to a single location in the paired location.
  • RA-GRS is GRS with persistent read access to the secondary location.
  • GZRS replicates data synchronously across three availability zones in the primary region using ZRS, then asynchronously to a single location in the secondary location.
  • RA-GZRS is GZRS with persistent read access to the secondary location.


There are three modes of authentication with the storage account data plane:

  • SAK allows access via one of the two keys provisioned and with the storage account. Direct use of these is discouraged as they can only be rotated manually and doing so is often difficult, requiring identification of all clients using the key, migrating them to the other, then rotating it.
  • SAS signatures can be derived from and signed by a SAK and can have constrained permissions and given a validity period. They're expressed as a query string which can be appended to the end of any URL below the storage account. Stored access policies allow server-side management of permissions assigned to these signatures.
  • RBAC via Azure AD allows access by user, group, application or managed identities.


Encryption at rest can be managed either via:

  • PMK where generation, storage and maintenance of access keys is performed by the Azure platform.
  • CMK allows customers to generate, store and maintain keys stored in Key Vault which the platform can then fetch.

Encryption scopes

Encryption is usually managed at the storage account and storage container level. Encryption scopes allow configuration of per-container and per-blob keys, allowing separation of customer data for multitenancy.


When pairing blob containers or static websites with external services it may be necessary to set a CORS policy allowing access from alternative domains.

Storage Analytics

Storage Analytics provides auditing events on blob, table and queue services. It can record reads, updates, deletes and failed requests to CSV files placed into the $logs container.

  1. Blob
  2. Disk
  3. Explorer
  4. Files
  5. Queues
  6. Tables