AZ-104 Lab 4 — Week 4: Connect an Azure VM to Azure Storage Using Managed Identity (2025 Portal UI)

Series: Week 4 of the AZ-104 Learning Labs on jmcnairtech.com
Goal: Learn how to connect an Azure Virtual Machine to Azure Storage securely using Managed Identities and RBAC — no access keys, no SAS tokens, no secrets.
This is an important task as a real-world Azure Administrator skill and a key part of the AZ-104 exam.
What You’ll Learn This Week
create a new Azure Storage Account using the 2025 portal interface
create a private Blob container and upload a file
deploy a Virtual Machine using the modern VM creation UI
enable a System-Assigned Managed Identity on a VM
assign RBAC permissions such as Storage Blob Data Reader
access Blob Storage from inside the VM using identity-based authentication
download blobs inside the VM with Azure CLI or PowerShell
Prerequisites
Active Azure subscription
Basic familiarity with the Azure Portal
We’ll use East US as the region (you can choose your own)
Lab Scenario (Real Azure Admin Task)
You are an Azure Administrator responsible for supporting a line-of-business application that processes files uploaded by employees.
These files—images, PDFs, and documents—are stored in an Azure Blob Storage container.
Your application server runs on a Virtual Machine, and the VM needs to:
download files from the Blob container
process or analyze those files (for example: resize images, scan PDFs, extract text, run scripts, etc.)
upload results or processed outputs back to storage
Instead of using storage account keys or SAS tokens (which are hard to manage and insecure), you’ll give the VM a System-Assigned Managed Identity and assign it the Storage Blob Data Reader role.
This allows the VM to access Blob Storage securely using Azure AD authentication — no keys, no secrets, no passwords.
Step 1 — Create a Resource Group
Resource groups help you organize all related resources so you can clean up easily at the end.
1.1 In the Azure Portal search bar, type Resource groups and select it.
1.2 Click + Create.
1.3 Fill in:
Subscription: your default
Resource group name: rg-week4-lab
Region: East US
Click Review + create → Create.

Step 2 — Create a New Azure Storage Account
This storage account will hold the files that your Virtual Machine needs to access securely using its Managed Identity.
2.1 — Navigate to the Storage Center
In the Azure Portal search bar, type Storage accounts.
Select Storage accounts from the results.
You will now see the new Storage Center (with tiles for different storage types).
2.2 — Choose the Storage Type (Required in 2025 UI)
From the Storage Center categories, select Object storage.
Then select Blob Storage.
The Create button will now appear.
Click + Create to begin the Storage Account wizard.
2.3 — Basics tab
Project details
Subscription: your active subscription
Resource group: rg-week4-lab
Instance details
Storage account name: storweek4mcnair
Region: East US
Preferred storage type: Azure Blob Storage
Performance: Standard
Redundancy: LRS (Locally Redundant Storage)
Click Next: Advanced →
2.4 — Advanced tab
Minimum TLS version: TLS 1.2
Enable hierarchical namespace: Off
SFTP, NFS, and large file shares: Off
All other settings: leave defaults
Click Next: Networking →
2.5 — Networking tab (Updated for 2025 Portal)
Public network access
- Enable: Yes
Public access scope
- Enable from all networks
Routing preference
- Microsoft network routing (default)
Private endpoints
- Leave empty
Click Next: Data protection →
2.6 — Data protection tab
Enable soft delete for blobs: 7 days
Leave all other options at default
Click Next: Encryption →
2.7 — Encryption tab
Encryption type: Microsoft-managed keys
Enable support for customer-managed keys: Blobs and files only
Enable infrastructure encryption: Unchecked
Click Review + Create → Create
After deployment completes, your new Storage Account is ready to use.

Step 3 — Create a Blob Container & Upload a Test File (2025 UI)
In this step, you will create a secure container inside your Storage Account and upload a sample file that your VM will access later using its Managed Identity.
3.1 — Open your new Storage Account
After deployment finishes, click Go to resource
or search for your storage account name: storweek4mcnair
In the left-hand menu, scroll to the Data storage section.
Click Containers
This opens the Blob Containers page.
3.2 — Create a new Blob Container
Click + Add Container (top-left)
Fill in the container details:
Name: lab4-files (lowercase, no spaces)
Public access level: Private (no anonymous access)
- This ensures files can only be accessed through RBAC, identity, or SAS.
Click Create
3.3 — Upload a test file
Inside your container:
Click lab4-files
Click Upload at the top
Browse your computer for a small sample file, for example:
test.txt or document.pdf
Click Upload
The file will now appear inside your container.

3.4 — Confirm the container is private
You can verify private access by:
Clicking the file you uploaded
Copying the Blob URL
Pasting it into a new browser tab
You should see: “Public access not permitted”
This is expected — the container is private and cannot be accessed without identity-based authentication or a SAS token.
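The browser test above only proves that anonymous reads are blocked. The following added script (not part of the original lab) checks the rest of the storage account's posture from your admin workstation using the management plane: HTTPS only, TLS 1.2 minimum, anonymous blob access disabled at the account level, and the container's public access level set to Off. It also checks whether shared-key (account key) authentication is still enabled; turning it off is an assumption beyond what the lab configures, but it is the setting that makes "no keys" enforceable rather than merely a convention. Resource names are the lab values; run it after Connect-AzAccount with an account that has Owner or Contributor on the storage account.

```powershell
# Added example (not from the original lab): posture check for the lab storage account.
# Management-plane only, so run it from your workstation, not from the VM (the VM's
# Storage Blob Data Reader role cannot call Get-AzStorageAccount).
$rg          = "rg-week4-lab"
$accountName = "storweek4mcnair"
$container   = "lab4-files"

$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $accountName

# Expected values for this lab. A $null AllowSharedKeyAccess means "never set",
# which Azure treats as enabled, so it correctly shows as FAIL here.
$checks = [ordered]@{
    "HTTPS traffic only"          = ($sa.EnableHttpsTrafficOnly -eq $true)
    "Minimum TLS version 1.2"     = ($sa.MinimumTlsVersion -eq "TLS1_2")
    "Anonymous blob access off"   = ($sa.AllowBlobPublicAccess -eq $false)
    "Shared-key auth disabled"    = ($sa.AllowSharedKeyAccess -eq $false)
}

# Container-level public access, read through the resource provider (no data-plane role needed).
$c = Get-AzRmStorageContainer -ResourceGroupName $rg -StorageAccountName $accountName -Name $container
$checks["Container '$container' is private"] = ("$($c.PublicAccess)" -eq "None")

foreach ($k in $checks.Keys) {
    $status = if ($checks[$k]) { "PASS" } else { "FAIL" }
    "{0,-40} {1}" -f $k, $status
}

# Remediation for the two settings most often left at their defaults.
# Assumption: nothing else in your subscription still authenticates to this account with a key.
if (-not $checks["Anonymous blob access off"]) {
    Set-AzStorageAccount -ResourceGroupName $rg -Name $accountName -AllowBlobPublicAccess $false | Out-Null
    "Disabled anonymous blob access on $accountName"
}
if (-not $checks["Shared-key auth disabled"]) {
    Set-AzStorageAccount -ResourceGroupName $rg -Name $accountName -AllowSharedKeyAccess $false | Out-Null
    "Disabled shared-key authentication on $accountName"
}
```

With shared-key access disabled, the only way to read the container is an Entra ID identity that holds a data-plane role or a user-delegation SAS, which is exactly the model the rest of this lab builds. The networking tab left public network access enabled from all networks; that is acceptable for a lab, but in production you would restrict it to selected networks or a private endpoint so the RBAC check is not the only control in front of the data.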

Step 4 — Create a Virtual Machine with a System-Assigned Managed Identity
This VM will act as your application or processing server.
Later in the lab, it will authenticate to Blob Storage without keys or SAS tokens — using Azure AD and RBAC instead.
4.1 — Open the VM creation blade
In the Azure Portal search bar, type Virtual machines
Click Virtual machines
Click + Create → Azure virtual machine
This opens the modern VM creation wizard.
4.2 — Basics Tab
Fill out the fields as follows:
Instance details
Virtual machine name: vm-week4-client
Region: (US) East US
Availability options:
- Select No infrastructure redundancy required
(This avoids zone restrictions and keeps the lab simple.)
Security type
- Standard
(Trusted Launch is not needed for this scenario.)
Image
Click See all images
Search for and select:
Windows Server 2025 Datacenter: Azure Edition (Gen 2)
(Easier for RDP and PowerShell testing.)
VM architecture
- x64
Size
Click See all sizes
Choose:
Standard_B2s (recommended), or
Standard_B1s (cheapest option)
Administrator account
Username: azureuser
Password: a strong password you will remember
Inbound port rules
Public inbound ports: Allow selected ports
Select inbound ports: RDP (3389)

Click Next: Disks
4.3 — Disks Tab
OS disk type: Standard SSD
Leave all other settings at default
Click Next: Networking
4.4 — Networking Tab
Virtual network: auto-created default VNet
Subnet: default
Public IP: Enabled
NIC network security group: Basic
Inbound port: RDP (3389)
Click Next: Management
4.5 — Management Tab (Enable Managed Identity)
Scroll to the Identity section:
- System-assigned managed identity: On
This identity allows the VM to authenticate to Azure Storage securely later in the lab.
Leave all other settings at default.
Click Review + Create
Then click Create
Deployment will complete in 1–3 minutes.
Your VM is now deployed and has a system-assigned managed identity enabled.
This identity is what will securely access the Blob Storage container in the next steps.

Step 5 — Assign the VM Access to Blob Storage (RBAC)
Now that your VM has a System-Assigned Managed Identity, you must grant that identity the correct permissions so it can access your Blob Storage.
Azure uses Role-Based Access Control (RBAC) for this.
You will assign the VM’s identity the Storage Blob Data Reader role.
5.1 — Open Your Storage Account
In the Azure Portal search bar, type Storage accounts
Select your storage account: storweek4mcnair
In the left-hand menu, click Access control (IAM)
5.2 — Add a Role Assignment
Click + Add → Add role assignment
Under Role, search for:
- Storage Blob Data Reader
Select the role and click Next
This role allows the VM to read blobs but not upload or delete.

5.3 — Assign Role to the VM’s Managed Identity
Under Assign access to, choose Managed identity
Click + Select members
In the identity browser:
Select Virtual machine
Choose vm-week4-client
Click Select
Click Review + assign

5.4 — Confirm Role Assignment
After the assignment completes:
You should now see Storage Blob Data Reader
Assigned to: vm-week4-client (Managed Identity)
Scope: This storage account
This means the VM can now authenticate to Blob Storage using its Azure AD identity.
If you want your VM to also upload files, you can assign Storage Blob Data Contributor
But for this lab, Reader is enough.
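The same role assignment can be scripted, which is how you would do it repeatably across many VMs and how you would audit what an identity holds. The following added script (not the lab's own) performs Step 5 from your admin workstation: it reads the VM's system-assigned identity, assigns Storage Blob Data Reader scoped to the storage account resource only, skips the assignment if it already exists, and then lists every role the identity holds so you can spot anything broader than intended. Names are the lab values; it assumes you have run Connect-AzAccount as a user with Owner or User Access Administrator on the resource group.

```powershell
# Added example (not from the original lab): Step 5 as a script, plus an audit of the identity's roles.
$rg          = "rg-week4-lab"
$vmName      = "vm-week4-client"
$accountName = "storweek4mcnair"
$role        = "Storage Blob Data Reader"

# The system-assigned identity is a service principal in the tenant; RBAC binds to its
# object id (PrincipalId). It exists only while the identity is enabled on the VM.
$vm          = Get-AzVM -ResourceGroupName $rg -Name $vmName
$principalId = $vm.Identity.PrincipalId
if (-not $principalId) { throw "VM '$vmName' has no system-assigned managed identity enabled." }

# Scope to the storage account's resource id, not the resource group or subscription, so the
# VM cannot read blobs in any other account created later in the same group.
$scope = (Get-AzStorageAccount -ResourceGroupName $rg -Name $accountName).Id

$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope
if ($existing) {
    "'$role' is already assigned to $vmName at this scope; nothing to do."
} else {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope | Out-Null
    "Assigned '$role' to $vmName ($principalId) at $scope"
}

# Audit: everything this identity holds anywhere in the subscription. A Contributor role or a
# subscription/resource-group scope here means the VM has more than the lab intends.
"Role assignments held by the $vmName identity:"
Get-AzRoleAssignment -ObjectId $principalId |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Role assignments can take a few minutes to propagate to the storage data plane, so if the VM gets a 403 immediately after this script runs, wait and retry before assuming the assignment is wrong. Note that Get-AzRoleAssignment with -Scope also returns assignments inherited from parent scopes, which is precisely what the audit at the end is meant to surface.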

Step 6 — Connect to the VM and Access Blob Storage Using PowerShell (Data-Plane, Managed Identity)
In this step, you’ll RDP into the VM, sign in with its Managed Identity, create a data-plane storage context, list containers, and download a blob — all without keys or SAS.
6.1 — Connect to the Virtual Machine (RDP)
In the Azure Portal, go to Virtual machines
Click vm-week4-client
Click Connect → RDP
Click Download RDP file
Open the RDP file
Log in using:
Username: azureuser
Password: the one you created
Once logged in, wait a moment for Windows Server to load.
6.2 — Open PowerShell on the VM
Click Start
Search for PowerShell
Right-click → Run as administrator
This ensures all commands run properly.
6.3 — Install the Az PowerShell Module (if needed)
If Connect-AzAccount is not recognized, install the module:
Install-Module -Name Az -Repository PSGallery -Force
Import-Module Az
6.4 — Authenticate Using the VM’s Managed Identity
Run this inside PowerShell:
Connect-AzAccount -Identity
You should see output similar to:

This means the VM is now authenticated to Azure using its Managed Identity.
No passwords.
No keys.
No SAS tokens.
Modern Azure Admin technique.
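It helps to know what Connect-AzAccount -Identity actually does, both for troubleshooting and for understanding the trust boundary. The following added script (not part of the original lab) makes the same request the Az module makes: it asks the Azure Instance Metadata Service (IMDS), a link-local endpoint reachable only from inside the VM, for an access token for Azure Storage, then decodes the token's payload to show which identity and audience it carries. Nothing here is secret; the VM's own identity is the point. The endpoint, API version and resource value are the documented ones.

```powershell
# Added example (not from the original lab): the IMDS request behind Connect-AzAccount -Identity.
# Run inside the VM. No credentials are supplied; IMDS knows which VM is asking.
$imds     = "http://169.254.169.254/metadata/identity/oauth2/token"
$resource = "https://storage.azure.com/"
$uri      = "${imds}?api-version=2018-02-01&resource=$resource"

# The Metadata: true header is mandatory; IMDS rejects requests without it so that a
# forwarding proxy or SSRF-style redirect cannot reach the endpoint by accident.
$resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ Metadata = "true" }

# Decode the JWT payload (middle segment) to read its claims. This is inspection only, not
# signature validation; the token is trusted because it arrived directly from IMDS.
$payload = $resp.access_token.Split(".")[1].Replace("-", "+").Replace("_", "/")
$payload += "=" * ((4 - $payload.Length % 4) % 4)          # restore base64 padding
$claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

[pscustomobject]@{
    Audience   = $claims.aud      # the storage resource the token is valid for
    ObjectId   = $claims.oid      # the VM's identity principal: matches the RBAC assignment in Step 5
    TenantId   = $claims.tid
    ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    TokenType  = $resp.token_type
}
```

The security caveat this makes visible: any process on the VM, running as any local user, can make this request and obtain the same token. The VM's identity is therefore effectively granted to whoever can execute code on the VM. That is why the lab assigns only Storage Blob Data Reader, scoped to one account, and why the RDP port opened in Step 4 should be restricted to your own source address (or replaced with just-in-time access) outside of a lab. Tokens are also cached by IMDS until near expiry, so a role change may not take effect on the VM for a while.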
6.5 — Build a data-plane Storage Context (no management rights needed)
# Replace with your storage account name
$accountName = "storweek4mcnair"
# Create a context that uses the current connected identity
$ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount
This avoids management-plane APIs (like Get-AzStorageAccount) and uses only the blob data plane, which your Storage Blob Data Reader role allows.
6.6 — List containers (data plane)
Get-AzStorageContainer -Context $ctx

6.7 — Download a blob (data plane)
Replace the blob name with the file you uploaded earlier (e.g., test.txt, photo.jpg)
$container = "lab4-files"
$blobName = "<yourfilename>"
# Desktop of the admin account created in Step 4 (azureuser)
$destPath = "C:\Users\azureuser\Desktop\$blobName"
Get-AzStorageBlobContent -Container $container -Blob $blobName -Destination $destPath -Context $ctx
6.8 — Verify the Downloaded File on the VM
Now that you downloaded the blob onto your VM, let’s confirm it’s there and readable.
Get-Item $destPath   # same path used in 6.7: C:\Users\azureuser\Desktop\<your file>

At this point, you have fully validated that:
The VM authenticated using Managed Identity
RBAC allowed access
Your Storage Blob Data Reader assignment is working
The VM downloaded the file through Azure AD (not keys or SAS)
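Steps 6.4 through 6.8 collected into one script, as an added example rather than the lab's own commands. It signs in as the VM's identity, builds the data-plane context, lists containers and blobs, downloads every blob in the lab container to the current user's Desktop and checks each file's size against the blob length. It then does something the lab does not: it attempts a write and confirms it is refused, which is the test that proves the Reader role is really the only permission the identity has. It assumes Az.Accounts and Az.Storage are installed on the VM and uses the lab's names.

```powershell
# Added example (not from the original lab): Steps 6.4-6.8 as one script plus a least-privilege check.
# Run inside vm-week4-client in an elevated PowerShell session.
$accountName = "storweek4mcnair"
$container   = "lab4-files"
$destDir     = Join-Path $env:USERPROFILE "Desktop"   # avoids hard-coding the admin username

# 1. Sign in as the VM's system-assigned identity. The token comes from IMDS; no secret is typed or stored.
Connect-AzAccount -Identity | Out-Null

# 2. Data-plane context bound to that identity. No management-plane rights are needed,
#    so Storage Blob Data Reader on the account is sufficient.
$ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount

# 3. Enumerate what the identity can see.
"Containers:"
Get-AzStorageContainer -Context $ctx | Select-Object Name, PublicAccess, LastModified | Format-Table -AutoSize
"Blobs in ${container}:"
$blobs = Get-AzStorageBlob -Container $container -Context $ctx
$blobs | Select-Object Name, Length, LastModified | Format-Table -AutoSize

# 4. Download every blob and verify the on-disk size matches the service's reported length.
foreach ($b in $blobs) {
    $dest = Join-Path $destDir $b.Name
    Get-AzStorageBlobContent -Container $container -Blob $b.Name -Destination $dest -Context $ctx -Force | Out-Null
    $ok = (Get-Item $dest).Length -eq $b.Length
    "{0,-30} {1,10} bytes  {2}" -f $b.Name, $b.Length, $(if ($ok) { "OK" } else { "SIZE MISMATCH" })
}

# 5. Least-privilege check: Reader must NOT be able to write. Expect HTTP 403
#    (AuthorizationPermissionMismatch). If the upload succeeds, the identity holds more than
#    Storage Blob Data Reader somewhere in scope and its role assignments should be audited.
$probe = Join-Path $env:TEMP "write-probe.txt"
"probe $(Get-Date -Format o)" | Set-Content $probe
try {
    Set-AzStorageBlobContent -File $probe -Container $container -Blob "write-probe.txt" -Context $ctx -Force -ErrorAction Stop | Out-Null
    Write-Warning "Write succeeded: this identity has more than Storage Blob Data Reader on $accountName."
} catch {
    "Write correctly denied: $(($_.Exception.Message -split "`r?`n")[0])"
} finally {
    Remove-Item $probe -ErrorAction SilentlyContinue
}
```

If step 5 reports that the write succeeded, look for a Storage Blob Data Contributor assignment (or an Owner/Contributor role combined with a data-action role) inherited from the resource group or subscription; the intended state for this lab is a single Reader assignment at the storage account scope.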
Week 4 Summary — Azure VM to Blob Storage Access with Managed Identity
In this lab, you built a complete, real-world Azure scenario: a Virtual Machine securely accessing a Blob Storage container using a System-Assigned Managed Identity.
This is the modern, recommended way to authenticate Azure workloads — without keys, without SAS tokens, and without storing any secrets inside scripts.
By the end of the lab, you successfully:
created a new Storage Account using the updated 2025 Azure Portal
created a private Blob container and uploaded a test file
deployed a Windows Server VM with a System-Assigned Managed Identity
connected to the VM via RDP and installed the Az PowerShell modules
authenticated the VM using Connect-AzAccount -Identity
built a data-plane storage context using the VM’s identity
listed containers and downloaded a blob directly to the VM desktop
accessed everything through Azure AD and RBAC only
This lab mirrors exactly how Azure administrators secure compute-to-storage communication in real enterprise environments. Please stay tuned for more labs if you’re interested in Azure or currently studying for the AZ-104 certification from Microsoft.