Session 2B — Storage, Identity & Security (35–40% of exam)
AZ-900 exam domain: Azure architecture and services (continued) — 35–40%. Session 2B covers storage services, redundancy, access tiers, migration tools, Entra ID, authentication methods, RBAC, and security models. Expect 8–14 questions from this content.
Azure storage account
Top-level container for all Azure storage services. Provides a globally unique namespace accessible via HTTP/HTTPS from anywhere. All data objects live inside a storage account. Default access is private.
Five Azure storage services
Service | Data type | Primary use case
Blob Storage | Any (images, video, logs, backups) | Large-scale object storage, media serving, backups
Azure Files | Files in shared directories | Replace on-premises file servers, SMB/NFS shared access
Queue Storage | Text messages up to 64 KB | Async processing, decoupling app components
Table Storage | Structured NoSQL entities | User profiles, device metadata, flexible datasets
Disk Storage | Block-level volumes | OS and data disks for Azure VMs
Key storage details
Blob Storage
Unstructured object storage in containers. Supports access tiers (Hot/Cool/Cold/Archive). Share blobs via SAS tokens (time-limited, permission-scoped URLs). Any file type — images, videos, logs, backups.
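A SAS token is only "time-limited and permission-scoped" because the service recomputes an HMAC over the permissions, the time window and the exact resource on every request, so a client cannot widen its own grant. The following is an added example (not code from this page or from Microsoft) that signs a single-blob SAS and then checks it the way the service would. The account name and key are constructed dummies; the string-to-sign field order is taken from the published service-SAS specification as understood here and should be cross-checked against the azure-storage-blob SDK's generate_blob_sas before being relied on.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed demo values: a made-up account name and a fake account key.
# Nothing here contacts Azure; signing and checking both happen locally.
ACCOUNT = "contosodemo"
ACCOUNT_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
SAS_VERSION = "2020-12-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(params: dict, container: str, blob: str) -> str:
    """Field order of the service-SAS string-to-sign for sv 2020-12-06
    (assumption: from the published spec; verify against the SDK)."""
    canonical = f"/blob/{ACCOUNT}/{container}/{blob}"
    fields = [
        params.get("sp", ""),   # signed permissions
        params.get("st", ""),   # start time
        params.get("se", ""),   # expiry time
        canonical,              # the exact resource the token is bound to
        params.get("si", ""),   # stored access policy identifier
        params.get("sip", ""),  # allowed IP range
        params.get("spr", ""),  # allowed protocol
        params.get("sv", ""),   # service version
        params.get("sr", ""),   # signed resource (b = blob)
        "",                     # snapshot time (not used here)
        params.get("ses", ""),  # encryption scope
        params.get("rscc", ""), params.get("rscd", ""), params.get("rsce", ""),
        params.get("rscl", ""), params.get("rsct", ""),  # response header overrides
    ]
    return "\n".join(fields)


def _sign(string_to_sign: str) -> str:
    key = base64.b64decode(ACCOUNT_KEY)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_blob_sas_url(container: str, blob: str, permissions: str = "r",
                      ttl_minutes: int = 15, now: datetime = None) -> str:
    """Issue a short-lived, single-blob SAS URL (read-only by default)."""
    now = now or datetime.now(timezone.utc)
    params = {
        "sv": SAS_VERSION,
        "sr": "b",
        "sp": permissions,
        "st": (now - timedelta(minutes=5)).strftime(TIME_FMT),  # tolerate clock skew
        "se": (now + timedelta(minutes=ttl_minutes)).strftime(TIME_FMT),
        "spr": "https",
    }
    params["sig"] = _sign(_string_to_sign(params, container, blob))
    return f"https://{ACCOUNT}.blob.core.windows.net/{container}/{blob}?{urlencode(params)}"


def check_sas_url(url: str, container: str, blob: str, wanted: str,
                  now: datetime = None):
    """What the storage service does on each request: recompute the signature
    with the account key, then enforce the time window and the permissions.
    Returns (allowed, reason)."""
    params = {k: v[0] for k, v in parse_qs(url.split("?", 1)[1]).items()}
    presented = params.pop("sig", "")
    expected = _sign(_string_to_sign(params, container, blob))
    if not hmac.compare_digest(presented, expected):
        return False, "signature mismatch: token altered, wrong key, or wrong resource"
    now = now or datetime.now(timezone.utc)
    start = datetime.strptime(params["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(params["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if not (start <= now < expiry):
        return False, "outside the signed time window"
    if any(p not in params["sp"] for p in wanted):
        return False, f"permission '{wanted}' not granted (token has '{params['sp']}')"
    return True, "ok"
```

Two caveats a practitioner should keep in mind: a SAS signed with the account key cannot be revoked individually, only by rotating the key (or, if it references a stored access policy, by changing that policy), and a user delegation SAS signed with an Entra ID key is preferred where possible because it avoids handling the account key at all.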
Azure Files
SMB: Windows/Linux/macOS. NFS: Linux/macOS. Mountable simultaneously from Azure VMs and on-premises. Integrates with Azure File Sync for hybrid scenarios.
Queue Storage
Millions of messages per queue. Messages persist until deleted by consumer. If consumer crashes, message becomes visible again for retry. Decouples producers and consumers.
Table Storage
Schemaless NoSQL — different rows can have different columns. Key-based lookups at massive scale. User profiles, IoT device data, flexible structured data.
Storage redundancy options
Azure always stores multiple copies of your data. You choose the level when creating a storage account.
Exam decision rule: Survive hardware failure only: LRS. Survive data center outage: ZRS. Survive region failure: GRS. Survive zone AND region failure: GZRS (Microsoft recommended highest durability).
LRS, ZRS, GRS, GZRS comparison
Option | Copies | Location | Zone protection | Region protection
LRS | 3 | 1 data center, 1 region | No | No
ZRS | 3 | 3 availability zones, 1 region | Yes | No
GRS | 6 (3+3) | LRS in primary + secondary region | No | Yes
GZRS | 6 (3+3) | ZRS in primary + secondary region | Yes | Yes
Blob storage access tiers
Lower storage cost = higher access cost. Hot costs more per GB stored but less per read. Archive costs almost nothing per GB but requires up to 15 hours to retrieve.
Four access tiers
Tier | Access frequency | Min storage | Retrieval | Best for
Hot | Frequent | None | Instant | Active website images, daily reports
Cool | Infrequent | 30 days | Instant | Short-term backups, older invoices
Cold | Rare | 90 days | Instant | Long-term backups, compliance data
Archive | Almost never | 180 days | Up to 15 hours | 7-year audit records, regulatory archives
Lifecycle management: Rules automatically move blobs between tiers as they age (e.g. move to Cool after 30 days, Archive after 180 days). Saves cost without manual work.
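The rule described above, written out as an actual lifecycle-management policy document, plus a check that the schedule respects the minimum-storage periods from the tier table (moving or deleting a blob before its tier's minimum incurs an early-deletion charge). This is an added example, not code from this page or from Microsoft; the rule name and prefix are constructed.

```python
import json

# Minimum days a blob must stay in a tier before it can be moved or deleted
# without an early-deletion charge (values from the access-tier table).
MIN_DAYS = {"Hot": 0, "Cool": 30, "Cold": 90, "Archive": 180}


def lifecycle_rule(name, prefix, cool=None, cold=None, archive=None, delete=None):
    """One rule in the Azure Storage lifecycle-management policy schema."""
    actions = {}
    for key, days in (("tierToCool", cool), ("tierToCold", cold),
                      ("tierToArchive", archive), ("delete", delete)):
        if days is not None:
            actions[key] = {"daysAfterModificationGreaterThan": days}
    return {
        "enabled": True,
        "name": name,
        "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": actions},
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},
        },
    }


def early_deletion_warnings(rule):
    """List transitions that fire before the previous tier's minimum hold.
    The check counts whole days; 'GreaterThan' means the action runs the
    day after the threshold, so this is a conservative approximation."""
    actions = rule["definition"]["actions"]["baseBlob"]
    schedule = [("Hot", 0)]
    for key, tier in (("tierToCool", "Cool"), ("tierToCold", "Cold"),
                      ("tierToArchive", "Archive")):
        if key in actions:
            schedule.append((tier, actions[key]["daysAfterModificationGreaterThan"]))
    if "delete" in actions:
        schedule.append(("(deleted)", actions["delete"]["daysAfterModificationGreaterThan"]))
    warnings = []
    for (prev, prev_day), (nxt, day) in zip(schedule, schedule[1:]):
        held = day - prev_day
        if held < MIN_DAYS.get(prev, 0):
            warnings.append(f"{prev} -> {nxt} at day {day}: {prev} held only "
                            f"{held} days, minimum is {MIN_DAYS[prev]}")
    return warnings


def policy_json(*rules) -> str:
    """The document you would submit as the storage account's management policy."""
    return json.dumps({"rules": list(rules)}, indent=2)


if __name__ == "__main__":
    rule = lifecycle_rule("age-out-logs", "logs/", cool=30, archive=180, delete=2555)
    print(policy_json(rule))
    print(early_deletion_warnings(rule) or "no early-deletion charges expected")
```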
Migration and file management tools
Tool | Type | Best for
Azure Migrate | Service hub | Discovering, assessing, and migrating on-premises infrastructure, data, and apps to Azure. Single unified portal.
Azure Data Box | Physical device (80 TB) | Transferring 40+ TB when network is too slow or unavailable. Encrypted device shipped to you; ship back after copying. Device wiped after upload.
AzCopy | CLI tool | High-performance blob/file transfers. Upload, download, copy between storage accounts, sync directories, cross-cloud copy. Supports scripted automation.
Azure Storage Explorer | GUI desktop app | Interactive ad-hoc storage management. Windows/macOS/Linux. Uses AzCopy under the hood. Browse containers, upload/download files, manage SAS tokens.
Azure File Sync | Service | Syncs on-premises Windows Server with Azure Files. Cloud tiering: frequently accessed files stay local, others stored in cloud. Multiple server caches for global distribution.
Microsoft Entra ID (formerly Azure Active Directory)
Cloud-based identity and access management service. Manages user identities, credentials, and access to Azure, Microsoft 365, and thousands of SaaS applications.
Threat detection
Detects suspicious sign-ins: logins from unexpected locations, unfamiliar devices, anonymous IPs, or impossible travel (New York then Paris in 30 minutes). Basic sign-in risk reporting is included with Entra ID; the full risk-based detection and automated remediation feature set (Entra ID Protection) requires a Premium P2 license.
vs. on-premises AD
On-premises Active Directory manages domain-joined computers on a corporate network. Entra ID is cloud-native for cloud apps and remote workers. They can be synchronized for hybrid scenarios.
Authentication vs Authorization
Authentication (AuthN)
Proving WHO you are. Happens at login — you present credentials and the system validates them.
Airport analogy: Checking your passport at check-in. Confirms your identity.
Authorization (AuthZ)
Determining WHAT you can do. After authentication confirms identity, authorization decides which resources you can access.
Airport analogy: Checking your boarding pass at the gate. Confirms which seat you can sit in.
Exam trap: These are frequently confused and tested together. Authentication = WHO are you? Authorization = WHAT can you do?
Authentication methods
Password
Traditional method. Weakest alone — passwords can be stolen, guessed, or phished. Should always be combined with a second factor.
Single Sign-On (SSO)
Authenticate once, access multiple applications without re-entering credentials for each. Reduces friction and security risk (fewer passwords = fewer password-related breaches).
Multi-Factor Authentication
Requires 2+ factors from different categories: something you know (password, PIN), something you have (phone code, hardware token), something you are (fingerprint, face scan). Even if a password is stolen, the attacker cannot access the account without the second factor.
Passwordless
Removes the password entirely. Options: Windows Hello for Business (biometric/PIN on known device), Microsoft Authenticator app (approve push notification), FIDO2 security keys (hardware keys like YubiKey). More secure — no password to steal.
Conditional Access
Dynamic access policies based on signals: user identity, location, device compliance, app being accessed, and risk level. Can allow, require MFA, or block based on the combination. Enables "work from anywhere" while maintaining security — legitimate logins from trusted locations proceed with no friction; suspicious logins face extra barriers.
External Identities — B2B vs B2C
B2B (Business-to-Business)
Collaboration with partners, vendors, suppliers from other organizations. Admins invite specific guest users who authenticate with their own organization's identity provider. Used for joint projects and partner portals.
B2C (Business-to-Consumer)
A separate identity service for customer-facing apps. Customers register using social accounts (Google, Facebook, Apple), email/password, or enterprise accounts. Scales to millions of users. Handles DDoS and password spraying automatically. Used for public consumer apps.
Azure RBAC — the four fundamental roles
Role | Can create/manage resources | Can manage access | Can view resources
Owner | Yes | Yes (full access management) | Yes
Contributor | Yes | No (cannot assign roles) | Yes
Reader | No | No | Yes (read-only)
User Access Administrator | No | Yes (access management only) | Yes (like Reader)
Exam tip: Owner can do everything including manage access. Contributor can do everything EXCEPT manage access. Reader = view only. User Access Administrator = access management only, no resource changes.
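The exam tip follows directly from how the built-in role definitions are written: Contributor is "Actions: *" with the Microsoft.Authorization write and delete operations listed under NotActions, while User Access Administrator grants Microsoft.Authorization/* on top of */read. The following is an added example (not code from this page or from Microsoft) that models Azure's evaluation of effective permission (union over assignments of Actions minus NotActions, with scope inheritance). The role definitions are abbreviated copies of the real ones, the subscription and resource IDs are constructed, and deny assignments and data-plane roles are left out.

```python
import fnmatch

# Abbreviated copies of the four fundamental built-in role definitions. The
# real Contributor NotActions list has a few more entries (Blueprint, gallery
# sharing); the Microsoft.Authorization entries are what the exam rule rests on.
BUILT_IN_ROLES = {
    "Owner": {
        "Actions": ["*"],
        "NotActions": [],
    },
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {
        "Actions": ["*/read"],
        "NotActions": [],
    },
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
}


def _matches(pattern: str, action: str) -> bool:
    # Operation names are case-insensitive and '*' spans '/' separators.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: str, action: str) -> bool:
    """Effective control-plane permission of one role: Actions minus NotActions."""
    definition = BUILT_IN_ROLES[role]
    granted = any(_matches(p, action) for p in definition["Actions"])
    excluded = any(_matches(p, action) for p in definition["NotActions"])
    return granted and not excluded


def _in_scope(assignment_scope: str, resource: str) -> bool:
    # An assignment applies to its scope and every child scope. Compare whole
    # path segments so /resourceGroups/app does not also cover /resourceGroups/app2.
    a = assignment_scope.lower().rstrip("/")
    r = resource.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_authorized(assignments, action: str, resource: str) -> bool:
    """assignments: list of (role, scope) pairs. Access is the union of every
    assignment whose scope covers the resource (deny assignments omitted)."""
    return any(_in_scope(scope, resource) and role_allows(role, action)
               for role, scope in assignments)


if __name__ == "__main__":
    # Constructed IDs for the demo.
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000"
    rg = sub + "/resourceGroups/app-rg"
    for role in BUILT_IN_ROLES:
        print(f"{role:26} assign roles: {role_allows(role, 'Microsoft.Authorization/roleAssignments/write')!s:5} "
              f"create VM: {role_allows(role, 'Microsoft.Compute/virtualMachines/write')}")
```

One nuance the table above cannot show: Reader's "*/read" does not cover operations such as Microsoft.Storage/storageAccounts/listKeys/action, so a Reader cannot pull storage account keys even though it can see the account.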
Defense in depth — 7 layers
Multi-layer security strategy. If one layer is breached, subsequent layers continue to protect data.
7. Data layer (innermost): Controls who accesses business and customer data. Encryption at rest and in transit. Least-privilege data access even for authorized users.
6. Application layer: Security integrated into development. Input validation, output encoding, parameterized queries, security testing in CI/CD. Secure by design.
5. Compute layer: Close unnecessary ports, apply OS patches, install endpoint protection, disable unused services. Microsoft Defender for Cloud (formerly Azure Defender) monitors for misconfigurations.
4. Network layer: NSGs isolate resources and limit lateral movement. If an attacker gets in, the network layer contains the breach to the compromised resource.
3. Perimeter layer: DDoS Protection absorbs attacks before they reach apps. WAF filters malicious HTTP traffic. Alerts enable monitoring of potential attacks.
2. Identity and access layer: MFA, RBAC, Conditional Access, Privileged Identity Management. Only authorized identities interact with resources. All access events are audit-logged.
1. Physical security (outermost): Secure building access, 24/7 security staff, biometrics, surveillance, mantraps. Only authorized Microsoft employees access physical infrastructure.
Zero Trust & Defender for Cloud
Zero Trust principles
1. Verify explicitly — always authenticate based on all available signals. 2. Use least privileged access — just-in-time, just-enough access. 3. Assume breach — segment access, encrypt everything, use analytics to detect threats. Never trust based on network location alone.
Defender for Cloud
Unified security posture management and threat protection. Monitors Azure, on-premises, hybrid, and multi-cloud environments. Generates a Secure Score measuring your security posture. Provides prioritized recommendations aligned with the Microsoft cloud security benchmark (formerly the Azure Security Benchmark). Triggers alerts when threats are detected.
Key terms — flash reference
Storage account
Top-level container for Azure storage. Globally unique namespace. All blobs, files, queues, tables live inside it.
Blob Storage
Unstructured object storage. Containers hold blobs. Access tiers: Hot/Cool/Cold/Archive. SAS tokens for sharing.
LRS
3 copies in 1 data center. Lowest cost. No zone or region protection.
ZRS
3 copies across 3 availability zones. Survives data center outage. No region protection.
GRS
LRS in primary + secondary region. Survives region failure. 16 nines durability.
GZRS
ZRS in primary + secondary region. Survives both zone AND region failure. Microsoft recommended highest durability.
Archive tier
Offline storage. Up to 15-hour rehydration. 180-day min retention. Lowest cost. For data almost never accessed.
SAS token
Shared Access Signature — time-limited, permission-scoped URL for accessing a specific blob securely.
Azure Migrate
Unified portal for discovering, assessing, and migrating on-premises workloads to Azure.
Azure Data Box
Physical 80 TB device for large data transfers (40+ TB) when network is impractical. Encrypted; wiped after use.
Entra ID
Cloud IAM. Manages users, credentials, and access to Azure, M365, SaaS apps. Formerly Azure Active Directory.
MFA
Multi-Factor Authentication. 2+ factors: something you know, have, or are. Protects against password theft.
Conditional Access
Dynamic policies based on identity, location, device, app, and risk signals. Allow, require MFA, or block.
RBAC Owner role
Full control including access management. Can assign roles to others.
RBAC Contributor
Create and manage resources. Cannot manage access or assign roles.
Defense in depth
7-layer security (physical through data). Each layer is an independent barrier.
Zero Trust
Assume breach. Verify explicitly. Least privilege. Never trust based on network location.
Defender for Cloud
Security posture management and threat protection. Secure Score + recommendations + threat alerts.
A company stores financial audit records for 7 years. These records are almost never accessed — only if an audit is triggered. They can wait up to 15 hours to access the data. Which access tier?
Archive tier. Archive offers the lowest storage cost and is designed for data with long retention that is almost never accessed. The 15-hour rehydration time is explicitly acceptable in the scenario.
A developer on your team needs to create and deploy Azure resources but should not be able to grant other users access. Which RBAC role?
Contributor. Contributor allows creating and managing all Azure resources but explicitly excludes access management — Contributors cannot assign roles or change permissions for others. Owner would be too permissive.
A company needs to protect Azure Blob Storage against a complete data center outage in their primary region, but does not need cross-region protection. Which redundancy option?
Zone Redundant Storage (ZRS). ZRS replicates data across three availability zones within the primary region. A complete data center outage in one zone leaves data accessible from the other two. GRS or GZRS would provide unnecessary and more expensive cross-region protection.
What is the difference between B2B and B2C in Entra ID?
B2B is for collaborating with people from other organizations (partners, vendors, contractors). Admins invite specific guest users who authenticate using their own organization's identity provider. Guests are added as guests to your tenant and access only the specific resources you grant. Use B2B for joint projects, partner portals, and shared internal tools. B2C is for public-facing applications that any customer can register for. It's a separate identity service where customers create accounts using social identities (Google, Facebook), email/password, or enterprise accounts. You don't manage individual customer accounts in your Azure tenant. Scales to millions of users with built-in protection against DDoS and password spraying. Use B2C for consumer apps, e-commerce, and public SaaS products.
What are the three Zero Trust principles?
1. Verify explicitly: always authenticate and authorize every request based on all available signals (identity, location, device health, data being accessed, risk level) — never assume trust based on network location. 2. Use least privileged access: grant minimum necessary permissions using just-in-time access, just-enough access, and risk-based adaptive policies. Reduce the blast radius of any individual account compromise. 3. Assume breach: design security as if attackers are already inside. Segment networks and access, encrypt everything, and use analytics to detect threats that slip through prevention. This differs from traditional "castle and moat" security which trusted everything inside the network perimeter.