Azure Blob Data Permissions Deep Dive (360 in 360) 

John Savill's Technical Training

Published: 5 Sep 2024

Comments: 80
@georgibg 1 year ago
Reading the docs got me more confused than I was before I started reading them. Thanks for this simple and insightful explanation!
@joshuaeuceda4635 1 year ago
John, I watched this video 4 months ago and I returned to it today. Each time I watch it I gain new insights to these important concepts regarding Azure Storage Accounts. Thank you for making this knowledge available for the tech community!!
@gabrieleprovenza6805 3 years ago
followed 2 courses on udemy, watched lot of videos on youtube, your aptitude to synthesis is brilliant; you are the best one
@NTFAQGuy 3 years ago
Wow, thanks! Glad you like the videos!
@makeitcloudy 2 years ago
The explanation here is even better than the one on the e-learning platforms! It's far better :) thank you!
@yektam.g.n6851 5 months ago
Great video same as always. After 3 years, it's the best you can find on RU-vid.
@psymonious 4 years ago
Thanks a lot! This is by far one of if not the best video and explanation I've seen on this topic so far.
@NTFAQGuy 4 years ago
Glad it was helpful!
@TechieTard 11 months ago
I was cross eyed after reading the documents. However, you my friend, made it all too easy! Thank you so much, enjoying all of your material.
@NTFAQGuy 11 months ago
Glad it was helpful!
@alphabanks 3 years ago
This is hands down the best video I've seen on this subject.
@NTFAQGuy 3 years ago
Very kind, thank you!
@kenrq63 4 years ago
Thank you for another instructive video John, I am enjoying watching them. Keep up the good work and I hope that you & your family are staying safe & healthy.
@NTFAQGuy 4 years ago
Thanks! You too.
@Keeper306 2 years ago
Big thanks! There were so many access options and so many trash guides that suggest you just use Access Key everywhere. And only there I could find a very clear explanation of all methods.
@luke-a-like 6 months ago
Excellent Video! I just learned about your channel today. Helped me a lot already! I love your teaching method of explaining the abstract logic and going into detail after that! Perfect lesson. Thanks!
@NTFAQGuy 6 months ago
Welcome!
@arindambanerjee1662 3 years ago
Nice one John 👍
@joshuaeuceda4635 1 year ago
Amazing work, John, thank you.
@Byteben 2 years ago
Great video John, thanks for sharing
@ankitsharma-nd1dd 4 years ago
Thank you John for such an insightful session, you are amazing in these 360 sessions.
@NTFAQGuy 4 years ago
That’s very kind, thank you! And I came in under 360 minutes ;-)
@geoffreyhibon2651 1 year ago
Very Useful for my today's learning John Mr Dogs ;)
@hardikdesai24 4 years ago
Very well explained. After going through a few pluralsight courses on Azure Storage, I find this more explanatory. I feel the whiteboarding steals the show. John, can you please also share the whiteboard content to review more often? Thanks.
@NTFAQGuy 4 years ago
OK, posted a quick blob and uploaded the whiteboard image there. savilltech.com/2020/04/27/new-azure-storage-blob-permissions-video/
@Southpaw07 3 years ago
@@NTFAQGuy Thanks again John. This whiteboard helps with concepts on Azure storage, in particular stored access policies, and will add this to my Az104 study guide. Lol
@anukaw1819 2 years ago
Awesome explanation! thanks for covering the key concepts in such a simpler and easily understood way :-)
@NTFAQGuy 2 years ago
Welcome
@jaggyjut 3 years ago
Great tutorial. I was trying to use azcopy to copy data from my local machine (Mac) to a container in Data Lake Gen2 but the authentication kept failing. Didn't find much help on the support forums or Microsoft docs. John has done a great job explaining the authentication concepts and how to use SAS. Thank you John.
@NTFAQGuy 3 years ago
Glad it helped
@masoudkooranloo908 2 years ago
What an explanation! Thank you really!
@dosto-evsky 4 years ago
Another awesome video, just catching up on them little nuggets of information. Thank you Sir.
@NTFAQGuy 4 years ago
Thanks!
@growingisgood 2 years ago
Great explanation ! Really breaks it down well. Thanks 🙏🏽 ( just as an aside - the red timer is a little distracting).
@warlockCommitteeMeeting 3 years ago
John you rock great content sir.
@NTFAQGuy 3 years ago
Thanks!
@ranielgarcia8685 1 year ago
This is so useful, well explained. thank you so much for making this kind of videos. :)
@Southpaw07 3 years ago
Hey John, thanks for another great video, TY sir! Just one thing I need to clarify: the user delegation as mentioned happens automagically when storage access is switched to Azure AD, correct?
@NTFAQGuy 3 years ago
Depends how you interact with storage. Portal, tools all just work.
@AquibQureshi 4 years ago
Thanks John, it was a nice refresher. Could you please also make a video on File Share and its permissions, as it has grown a lot since basic file share?
- File Share with Key
- File Share with Azure AD RBAC (Azure AD Domain Services and NTFS permission)
- File Share with Azure File Sync (also NTFS)
- File Share with Active Directory Domain Join (NTFS)
@NTFAQGuy 4 years ago
I just did a video on azure files ad integration. It was about a month ago. Enjoy.
@AquibQureshi 4 years ago
@@NTFAQGuy Thanks, it covered all the above points which I highlighted. File share used to be very simple earlier and this feature has grown a lot when it comes to NTFS permissions, and now with AD integration it is a fully integrated and useful offering.
@fungaimashozhera6599 3 years ago
Thank you for a very clear and comprehensive video!
@NTFAQGuy 3 years ago
Glad you enjoyed it!
@redamaleki 3 years ago
Great video! Very informative. I have a requirement to manage access via Azure AD and this explained that nicely. If I have users that are just connecting to download data (Azure AD Only, no on-prem AD or Azure AD DS) is the Azure Storage Explorer their best (or only) option for downloading data that needs to be secured? The SAS links seem nice, but prefer to enforce the MFA for users accessing the data.
@NTFAQGuy 3 years ago
Storage Explorer is one option yes. Glad you like the video.
@rodrigo16medeiros 3 years ago
Hello, John. How are you? I have a question and I would be very happy if you help me. Why, when I switch to Azure AD User Account, at the container level, I get the message that I don't have permissions to list the data, even being an owner at the Management Group level? Thank you!
@NTFAQGuy 3 years ago
You need a data role as I talked about. Owner means nothing on data plane.
@erjasdeep18 4 years ago
Great insights John..Thanks.
@NTFAQGuy 4 years ago
Thank you!
@marcelohg 4 years ago
Thank you, it was very useful for me!
@soumyarahul007 4 years ago
Take my gratitude..!!
@elvirkaric1449 4 years ago
Hi John - good session, just to confirm while user is logged in (to Storage Explorer) and using SAS key, if Administrator change Key1/2 that user will still have access to image until he/she logs out - right?
@NTFAQGuy 4 years ago
No, it does not work that way. You are not "logging on". Every action you perform is a separate REST call to the API using the signature. You connect, it does a list, that's a call. You select a blob, that's a call. There is no session. So as soon as the key is regenerated, that SAS you have is now invalid, so while Storage Explorer is still showing the content of the container (since it has that cached from a previous list) the SAS is now invalid and any future calls using that SAS will fail, including getting a blob, refreshing the listing etc. Hope that helps.
@thtgrldiana6388 3 years ago
Thank you so much, I learned a lot, but think I'm still a bit confused, just not as bad as before: for the SAS and access keys, these are done at the account level where you can define access down to objects... and for specific assignment at the container\folder\object you can use access policy. In all cases you can assign access and permission using IAM?? Do I have it correct?? Is there an access configuration that would override/cancel out other access/permissions?
@NTFAQGuy 3 years ago
There are two types of SAS, account and service, so SAS can also be resource level. Some also support data plane access control, e.g. blob, but not all.
@thtgrldiana6388 3 years ago
@@NTFAQGuy I rewatched this session and it made better sense this morning. I really like the white-boarding and your presentation skills, please keep them coming!!
@davidfarrell1062 4 years ago
If you generate a new access key, does it stop working for any SAS that was created using that key in the past? Sorry if you mentioned that in the video. Great videos btw.
@NTFAQGuy 4 years ago
Yes. That is what I demoed where the sas stopped working when I regenerated the key that signed it. That is the only way to revoke an adhoc sas (or it expires). Thanks for watching
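The two replies above about regenerating a key, worked through as an added example that is not part of the original thread or the video: a simplified Python model of stateless SAS validation, where every request is checked against the account's current keys. The string-to-sign layout, the `storage1`/`images` names and the keys are constructed assumptions, not the real Azure format.

```python
import base64, hashlib, hmac
from datetime import datetime, timezone

def sign(key_b64: str, string_to_sign: str) -> str:
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded account key."""
    key = base64.b64decode(key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")

def make_sas(key_b64: str, container: str, perms: str, expiry: str) -> dict:
    # Simplified string-to-sign (assumption): the real service signs more fields.
    return {"sp": perms, "se": expiry, "sr": container,
            "sig": sign(key_b64, "\n".join([perms, expiry, container]))}

def authorize(sas: dict, container: str, action: str, account_keys: list, now: datetime) -> bool:
    """Service-side check run on every request; nothing is remembered between calls."""
    if sas["sr"] != container or action not in sas["sp"]:
        return False
    if now >= datetime.fromisoformat(sas["se"]):
        return False
    signed_fields = "\n".join([sas["sp"], sas["se"], sas["sr"]])
    # Valid only if one of the account's *current* keys reproduces the signature.
    return any(hmac.compare_digest(sign(k, signed_fields), sas["sig"])
               for k in account_keys)

def make_key(label: str) -> str:
    # Constructed sample key material, not a real secret.
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode("ascii")

def demo() -> dict:
    now = datetime(2024, 9, 5, tzinfo=timezone.utc)
    key1, key2 = make_key("key1-v1"), make_key("key2-v1")
    res = "/storage1/images"
    sas = make_sas(key1, res, "rl", "2030-01-01T00:00:00+00:00")
    tampered = dict(sas, sp="rlw")  # permissions edited, old signature kept
    return {
        "before_rotation": authorize(sas, res, "l", [key1, key2], now),
        "key2_regenerated": authorize(sas, res, "l", [key1, make_key("key2-v2")], now),
        "key1_regenerated": authorize(sas, res, "l", [make_key("key1-v2"), key2], now),
        "tampered_perms": authorize(tampered, res, "w", [key1, key2], now),
        "after_expiry": authorize(sas, res, "l", [key1, key2],
                                  datetime(2031, 1, 1, tzinfo=timezone.utc)),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Only regenerating the key that signed the SAS invalidates it; regenerating the other key leaves it working until it expires.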
@krishna172225 3 years ago
Hi John, can you please make similar kind of videos in Azure DevOps? Please.
@NTFAQGuy 3 years ago
I already have a number of videos on devops with arm etc. don’t intend to do devops deep dive videos though.
@mmiltenburg 4 years ago
Hi John, am I correct that you cannot generate a container SAS from the portal? It can be done from Storage Explorer but I don't have the option in the portal.
@NTFAQGuy 4 years ago
Right, I’ve never seen that option in portal. Also could use powershell etc.
@jaggyjut 3 years ago
The portal does allow to Generate SAS for a container. I think Microsoft must have enabled this feature recently
@Techfacts_Vinod_Telugu 3 years ago
Hi, I have connected a Pi camera to store the images to a storage account. It is storing perfectly with one of my wifi networks and it is not storing with other wifi or mobile hotspot. What would be the problem? Please try to help.
@NTFAQGuy 3 years ago
Honestly, could be a million things. Does the one that works still work on other wifi? If not, look at network path. Is storage account limited by source IP, are your wifis having different public IPs? If both using same key/SAS it's going to be network most likely and nothing to do with permissions. Good luck
@Techfacts_Vinod_Telugu 3 years ago
@@NTFAQGuy it is working with a wifi which is static and other wifi is dynamic IP.
@b1chler 4 years ago
please disable the seconds and minutes in the clock :D
@NTFAQGuy 4 years ago
yes i don't use those anymore :-) people complained :-)
@TechGamerzlife 3 years ago
Hello John, I am watching so many videos but I am still not sure how we utilize Azure file shares with SAS. Let's say I have a server where I want to mount a File Share. I know I can use access keys to mount, but if I have generated a SAS token, then where do I use it for mounting the file share? What is the benefit of generating a SAS token for Azure Files? I have seen we use Storage Explorer to access a storage account and we configure the SAS token there, but usually we use a SAS token for the complete storage account and not particularly for a single blob container or file share.

It's bugging me and I had this question in the AZ104 exam and wanted to know what could be the answer for it. I had just guessed the answer for the below question:

You need to use AzCopy to copy data to the blob storage and file storage in storage1. Which authentication method should you use for each type of storage?
Options: AzureAD, SAS, Access Keys. (multiple choice) - For Blob Storage
Options: AzureAD, SAS, Access Keys. (multiple choice) - For File Storage

And I guessed AzureAD+SAS for blob and SAS for file storage.

So why can we not use access keys for azcopy to copy to file storage? I have raised multiple questions, apologies for that. It's just I am completely confused. I think my problem is I am not familiar with the use cases of Azure file shares with SAS.
@NTFAQGuy 3 years ago
You can't use SAS for Azure Files if using SMB. SAS would only be if accessing via REST API. If using Files with SMB you need to use AD or AADDS integration for data level permissions. For blob, SAS is best option, for file storage via SMB would be Azure AD :-) Watch my storage master class video.
@bahrammaleki411 4 years ago
Very useful , Thanks
@NTFAQGuy 4 years ago
Glad it was helpful!
@swapnilshivankar29 3 years ago
How to restrict the users from copying data from blob container or file share.. they should be able to read and write but should not copy the data out of the storage to any physical system using any tool..
@NTFAQGuy 3 years ago
That is data exfiltration and you could use things like service endpoints policies or private endpoints to restrict to which accounts are available. Watch the video on service endpoints and private endpoints.
@swapnilshivankar29 3 years ago
@@NTFAQGuy ok thanks for reply
@TheMeehaw 3 years ago
Can you do all those things programmatically? So add an applicationuser permission to only data in this container?
@NTFAQGuy 3 years ago
Totally. Rest api, powershell etc
@TheMeehaw 3 years ago
@@NTFAQGuy Thanks. So if I understand correctly. We can have:
1. Some kind of super user access that we can use to access all resources.
2. We can also create user specific access for each user (say if we use Azure B2C, we can leverage that here), so they see only their files. I would assume that in that case, each user would have dedicated container and access only to it and its files, correct?
3. Is this the same for azure media service?
And of course, all above if feasible via code (ie. java, .net or javascript rest calls)
@NTFAQGuy 3 years ago
@@TheMeehaw b2c can’t be used for azure rbac. You would need an intermediate app layer. Java can call rest api