AZ-104 Lab 3: Create, Secure, and Manage Azure Storage (Step-by-Step)

I've been working professionally in IT since 2021, with hands-on experience in endpoint management, desktop support, SaaS administration, and hybrid cloud environments. I started jmcnairtech to document what I learn along my journey and share practical solutions with others. This blog is about breaking down real-world troubleshooting with clear, actionable steps. Whether you're just starting out or refining your skills, I share what works, what breaks, and how to fix it.
Series: Week 3 of the AZ-104 Learning Labs on jmcnairtech.com
Goal: learn how to create an Azure Storage Account, create and secure blob containers, and use SAS. These are all things that show up on the AZ-104 exam and in real Azure admin jobs.
What You’ll Learn
How to create and configure an Azure Storage Account
The difference between redundancy types (LRS, GRS, ZRS)
How to secure access using SAS tokens
How to upload and manage Blob Containers
How to revoke access by rotating keys
Best practices for network security and HTTPS-only connections
Prerequisites
Azure subscription
Portal access
We’ll use East US for the lab (you can change it based on your location)
Step 1 — Create a resource group
Why: keeps everything in one place so you can delete it later.
1.1
In the Azure Portal search bar, type Resource groups and select it.
1.2
Click + Create.
1.3
Fill in:
Subscription: your default
Resource group: rg-lab3-storage
Region: East US
Click Review + create → Create.

Step 2 — Create an Azure Storage Account (Updated for new 2025 portal)
Goal: create a storage account that will hold your blob containers, files, and other data types — while learning the different redundancy and performance options.
2.1 — Open the Storage Account creation wizard
In the Azure Portal search bar, type Storage accounts.
Click + Create.
The new “Storage Center | Blob Storage” interface opens.
2.2 — Basics tab
Project details
Subscription: your active Azure subscription
Resource group: rg-lab3-storage (Create it first if you haven’t already.)
Instance details
Storage account name: storlab3mcnair (must be all lowercase, 3–24 characters, globally unique)
Region: (US) East US
Preferred storage type: Azure Blob Storage or Azure Data Lake Storage Gen 2
Microsoft recently updated this field. Choose “Azure Blob Storage” because this lab focuses on blob containers, SAS, and lifecycle management (all AZ-104 exam topics).
Performance: Standard (General-purpose v2)
Premium is for high-throughput or low-latency scenarios; Standard keeps costs low.
Redundancy = LRS
LRS stores three copies of your data within one datacenter. It’s low-cost and perfect for lab work or testing.
Click Next: Advanced → at the bottom.

2.3 — Advanced tab
Leave defaults for now, but confirm:
Minimum TLS version: TLS 1.2
Allow large file shares: Disabled
Enable hierarchical namespace (Data Lake Gen2): Leave unchecked (not needed for this lab)
Click Next: Networking →
2.4 — Networking tab
The Networking tab controls how your Storage Account is accessed — publicly, privately, or only from specific networks.
For this lab, we’ll keep it open so you can test uploads, SAS links, and RBAC access later.
Public network access
Select:
Enable
This allows inbound and outbound traffic to your Storage Account over the public Azure network.
Explanation:
Azure gives you three levels here:
Enable → open access (best for labs and learning)
Disable → blocks all network traffic except private endpoints
Secure by perimeter → used in enterprise networks with perimeter controls
Public network access scope
Select:
Enable from all networks
Explanation:
This makes the Storage Account reachable from any public IP address or Azure service (perfect for practicing SAS and RBAC access).
Later, in production or advanced labs, you’d restrict this to specific virtual networks or IP ranges.
Private endpoint
Leave this section empty for now.
Private endpoints let you connect privately to your Storage Account inside a VNet — you’ll explore that later in your AZ-104 journey (network security and hybrid connectivity modules).
Result:
Your Storage Account is configured for public access — allowing you to easily upload blobs, generate SAS tokens, and test access controls during this lab.
Later on in the series, you’ll learn how to restrict access securely using Azure RBAC and private endpoints.

2.5 — Data protection tab
Enable:
Select Soft delete for blobs (7 days)
Leave everything else default.
Click Next: Encryption →
2.6 — Encryption tab
Keep defaults:
Encryption type: Microsoft-managed keys
Infrastructure encryption: Off
Click Review + Create →
Step 3 — Create a Blob Container & Upload Files (2025 Portal Layout)
Goal:
Create a private blob container, upload a test file, and verify access before adding SAS.
3.1 Open your new Storage Account
After deployment, click Go to resource.
In the left-side menu, under Data storage, click Containers.

3.2 Create a new Blob Container
Click + Add Container.
Fill in the fields:
| Field | Value | Notes |
| Name | lab3-files | lowercase, short |
| Public access level | Private (no anonymous access) | keeps data secure |
| Advanced options | default | — |

3.3 Upload a test file
Select lab3-files.
Click Upload → Browse for files.
Pick a small file (e.g., test.txt or photo.jpg).
Click Upload.

3.4 Verify access behavior
Click your uploaded blob.
Copy the Blob URL.
Paste it into a new browser tab (not signed in).
You should see a “PublicAccessNotPermitted” message.
That’s expected—your container is private. Private containers reject anonymous requests; you need an auth token or SAS to access them.

Result:
You’ve successfully created a private blob container and uploaded data securely.
Next, you’ll generate a Shared Access Signature (SAS) to grant temporary access without making the container public.
Step 4 — Generate a Shared Access Signature (SAS) in Azure (2025 Portal UI)
Goal:
Grant temporary, permission-based access to your private blob data without exposing your storage account keys.
4.1 — Open the Shared Access Signature settings
In the Azure portal, open your storage account (mine is storlab3mcnair).
In the left-hand menu, scroll to Security + networking → Shared access signature.
Do not select Access keys — those are full-control root credentials.

4.2 Configure your SAS parameters
| Section | Setting | Description |
| Allowed services | Blob | Only generate SAS for Blob Storage. |
| Allowed resource types | Service, Container, Object | Grants access at every blob level. |
| Allowed permissions | Read, List | Lets users read and list files (add Write/Delete only for testing). |
| Blob versioning permissions | Enable deletion of versions | Safe default; controls old version cleanup. |
| Allowed blob index permissions | Read/Write, Filter | Enables metadata queries (new 2025 feature). |
| Start date/time | Today (e.g., 11/2/2025 2:41 PM) | Optional; blank = now. |
| End date/time | + 1 hour (e.g., 11/2/2025 3:41 PM) | Sets expiry window. |
| Time zone | (UTC-05:00) Eastern Time (US & Canada) | Adjust to your local zone. |
| Allowed IP addresses | (leave blank) | Allows all IPs for this lab. |
| Allowed protocols | HTTPS only | Secures all traffic in transit. |
| Preferred routing tier | Basic (default) | Uses standard routing tier (Microsoft network routing is disabled until published). |
| Signing key | key1 | Key used to sign the token; key rotation will revoke SAS. |
Click Generate SAS and connection string. Azure will display two outputs:
SAS token: the long string starting with ?sv=...
Blob service SAS URL: your blob endpoint + token
4.3 Copy your SAS and test it
Copy the Blob service SAS URL.
Paste it into a browser’s address bar.
You’ll see an XML-style listing error or empty page → That’s expected!
This SAS works at the account level; it isn’t pointing to your file yet.
You may want to keep this SAS token handy if you plan to use it later in Azure CLI or automation.
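Before a SAS URL is shared, its query string can be checked against the settings chosen in 4.2 (HTTPS only, Read/List, one-hour window). The following is an added example, not part of the original lab: the function names are hypothetical, and the sample URLs are constructed with placeholder `sv` and `sig` values.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

ALLOWED_PERMS = set("rl")            # lab setting: Read + List
MAX_LIFETIME = timedelta(hours=1)    # lab setting: end = start + 1 hour

def _ts(value):
    """Parse the UTC timestamp forms used in st/se."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def audit_sas(url, now, require_ip=False):
    """Return findings for one SAS URL; an empty list means it matches the lab settings."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https" or q.get("spr") != "https":
        findings.append("protocol: not restricted to HTTPS only")
    extra = sorted(set(q.get("sp", "")) - ALLOWED_PERMS)
    if extra:
        findings.append("permissions: beyond read/list: " + "".join(extra))
    if "se" not in q:
        findings.append("expiry: no se parameter")
    else:
        start, end = (_ts(q["st"]) if "st" in q else now), _ts(q["se"])
        if end <= now:
            findings.append("expiry: already expired")
        elif end - start > MAX_LIFETIME:
            findings.append(f"expiry: lifetime {end - start} exceeds {MAX_LIFETIME}")
    if require_ip and "sip" not in q:
        findings.append("network: no sip restriction")
    return findings

def redact(url):
    """Mask the signature so the URL can go into logs or tickets."""
    return re.sub(r"(?<=[?&]sig=)[^&#]+", "REDACTED", url)

# Constructed samples: sv and sig are placeholders, not real values.
BASE = "https://storlab3mcnair.blob.core.windows.net"
NOW = datetime(2025, 11, 2, 19, 45, tzinfo=timezone.utc)
BLOB_SAS = (BASE + "/lab3-files/photo.jpg?sv=PLACEHOLDER&sp=r"
            "&st=2025-11-02T19%3A41%3A00Z&se=2025-11-02T20%3A41%3A00Z"
            "&spr=https&sig=CONSTRUCTED")
WIDE_SAS = (BASE + "/?sv=PLACEHOLDER&ss=b&srt=sco&sp=rwdl"
            "&se=2025-11-09T19%3A41%3A00Z&spr=https,http&sig=CONSTRUCTED")

if __name__ == "__main__":
    for u in (BLOB_SAS, WIDE_SAS):
        print(redact(u), audit_sas(u, NOW, require_ip=True))
```

With `require_ip=True` the lab's own token is flagged for the blank "Allowed IP addresses" field, which is the setting you would tighten outside a lab.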

4.4 — Generate a SAS for a specific blob (to actually view the file)
Navigate to Data storage → Containers → lab3-files.
Click your uploaded blob (e.g., photo.jpg).
Click the link on the file and select Generate SAS or Generate SAS token and URL.

Click Generate → Copy the Blob SAS URL which should look similar to the example link below.
https://storlab3mcnair.blob.core.windows.net/lab3-files/photo.jpg?sv=...
Open a Private/Incognito browser window and paste the URL.
Your image or file should open or download instantly.
4.5 – (Optional) Revoke the SAS
If you accidentally shared a SAS link or just want to demonstrate revocation, you can instantly invalidate it by rotating the key it was signed with.
In the Azure Portal, go to Security + networking → Access keys
Find the key used for your SAS (for example key1)
Click Rotate key → then Regenerate
Every SAS signed with that key immediately becomes invalid.
This is a powerful security feature for when credentials are exposed, or a link was shared publicly.
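Why rotation revokes a SAS: the token's signature is an HMAC-SHA256 computed with the account key, so a check against the new key no longer matches. The following is an added example, not part of the original lab; `ToyAccount` is a hypothetical stand-in for the storage service, and the string-to-sign is simplified rather than Azure's exact field layout.

```python
import base64
import hashlib
import hmac
import secrets

def sign(key, fields):
    """HMAC-SHA256 over the token fields (simplified string-to-sign, an assumption)."""
    msg = "\n".join(fields).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

class ToyAccount:
    """Stand-in for a storage account holding two signing keys, key1 and key2."""
    def __init__(self):
        self.keys = {"key1": secrets.token_bytes(64), "key2": secrets.token_bytes(64)}

    def rotate(self, name):
        # Regenerating a key replaces its value; the old value is gone for good.
        self.keys[name] = secrets.token_bytes(64)

    def verify(self, fields, sig):
        # The service recomputes the signature with each current key.
        return any(hmac.compare_digest(sig, sign(k, fields)) for k in self.keys.values())

def demo():
    acct = ToyAccount()
    # Constructed fields: account, permissions, expiry, protocol.
    fields = ["storlab3mcnair", "r", "2025-11-02T20:41:00Z", "https"]
    sas_key1 = sign(acct.keys["key1"], fields)
    sas_key2 = sign(acct.keys["key2"], fields)
    # Editing a field (here: widening permissions) breaks the signature.
    tampered_ok = acct.verify(["storlab3mcnair", "rwdl"] + fields[2:], sas_key1)
    before = (acct.verify(fields, sas_key1), acct.verify(fields, sas_key2))
    acct.rotate("key1")
    after = (acct.verify(fields, sas_key1), acct.verify(fields, sas_key2))
    return tampered_ok, before, after

if __name__ == "__main__":
    print(demo())
```

The token signed with key2 still verifies after key1 is rotated, which is why the step above has you find the key the SAS was actually signed with.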

Lab 3 Complete — Secure Azure Storage with SAS Tokens
You’ve now:
Built an Azure Storage Account from scratch
Created a private blob container
Uploaded and verified data access
Generated time-limited SAS tokens for secure sharing
Learned how to revoke access instantly by rotating keys
These are core AZ-104 administrator skills — you can now explain and demonstrate how Azure protects data at rest and in transit.





