How to Share Confidential Files in Azure Without Compromising Security

Imagine that you need to share a highly sensitive document with a colleague or client, but one wrong move could expose it to the wrong hands. Scary, right?

With cyber threats on the rise, you can’t afford to take security lightly. The good news is that Microsoft Azure has powerful tools that let you share files safely without losing control over your data.

In this guide, I’ll show you how to create a storage account, create a container in it, upload a blob and share your confidential files in Azure the smart way, with zero compromises on security. Let’s dive in!

Step 1:
The first thing you need to do is create a storage account on Azure. Go to portal.azure.com and log into your account. In the search box, search for “Storage accounts” and click “Create” to create a new storage account.

Step 2:
On the first tab, “Basics”, select your current subscription and the resource group you want to place the storage account in. You can always create a new resource group by clicking “Create new” just underneath the box. Type in your preferred storage account name (it must be globally unique). Pick the region you want to place the storage account in, and a primary service. For this storage account, we’re picking “Azure Blob Storage or Azure Data Lake Gen 2”. For our redundancy strategy, we’re selecting Geo-Redundant Storage (GRS). Checking the box underneath the redundancy option makes the data in the secondary region available for read-only access (RA-GRS). Click “Next” to go to “Advanced”.

Step 3:
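In the “Advanced” settings, make sure to allow enabling anonymous access on individual containers. This setting only permits anonymous access to be turned on per container; it does not expose any data by itself, and the container we create in Step 8 is set to private. You also have to pick your preferred “Access Tier”. It can be a Hot (frequently accessed), Cool, Cold, or Archived Access Tier. After that, click “Next” to go to “Networking”.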

Step 4:
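In “Networking”, you have to select your “network access”. We will enable public access from all networks for this storage account and set “network routing” to “Microsoft network routing”. With public network access enabled, the account endpoint is reachable from any network, so access to the data is controlled by authorization (the private container and the SAS generated later) rather than by network rules. Click “Next” to go to the “Data Protection” tab.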

Step 5:
For “Data protection”, you can enable soft delete for blobs and soft delete for containers. You can also set the number of days to retain deleted blobs. For further clarification, please refer to the image below. Click “Next” to go to “Encryption”.

Step 6:
We are selecting “Microsoft-managed keys (MMK)” for the storage account being created. This means Microsoft will manage the encryption keys for this storage account. We will also enable support for customer-managed keys for “blobs and files only”. Click “Next”, then “Review and Create”, and then “Create” to create your storage account.

Step 7:
As you can see in the images below, the storage account goes through review, which displays the details and properties of the account. It is then deployed, and we can go to our resource. Click “Go to resource”.

Step 8:
Now let’s create a container and upload a blob!
From the left pane in your storage account, go to “Data storage”, then click “Containers”. When it opens, double-click “+ Container” at the top left. Fill in the details of the container you would like to create. For the purpose of this article, we will create a container named “carewayprimary” in our storage account and set the container’s anonymous access level to private (no anonymous access). Click “Create”. The carewayprimary container will then be added to your list of containers. Please refer to the images below for more clarification.

Step 9:
Let’s upload a blob!
A blob refers to a scalable storage solution for text, images, videos, and other file types. To upload a blob (image/video/document) to your container, double-click the container, then click “Upload” at the top left corner. Click “Browse for files” in the dialog box that pops up; this lets you select a file from anywhere on your PC. Click “Upload” to upload the file. From the images attached below, you will notice that an image (first.png) was successfully uploaded to the container.

Step 10:
Remember that our container was set to private, which means no anonymous access. To grant access to view the blob in this container, we are going to generate a Shared Access Signature (SAS) and set a time range during which another person can view the blob when given the URL. To generate a SAS, click the three dots (ellipsis) at the right end of the blob you’d like to generate it for (refer to the first image below). You can then fill in the details and set the day and time during which the blob can be viewed. Please refer to the images below for clarification on setting it. Then click “Generate SAS token and URL”. Copy the URL and send it to whoever you’d like. Note that the person will only be granted access for the particular time period set in the SAS.

Step 11: Testing…
Let’s check whether our SAS setup works. Open a new incognito window and paste the Shared Access Signature (SAS) URL you copied. You will notice that within the time frame you set when generating the SAS, another party can access the blob. Once the time elapses, access will be denied. Please see the images below. Our blob is a picture, and users who have the link can view it for the period of time set in the SAS.
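
An added example (not part of the original article) for Steps 10 and 11: because anyone who holds a SAS URL can use it until it expires, this script parses the standard SAS query parameters (`sp`, `st`, `se`, `spr`, `sr`, `sig`) before the link is sent and reports anything broader than a short-lived, read-only, HTTPS-only, single-blob grant. The storage account name, the signature, the 24-hour limit and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs: account name and signature are placeholders.
BASE = "https://examplestorageacct.blob.core.windows.net/carewayprimary/first.png"
GOOD = BASE + ("?sp=r&st=2025-03-01T09:00:00Z&se=2025-03-01T10:00:00Z"
               "&spr=https&sv=2022-11-02&sr=b&sig=PLACEHOLDER")
BROAD = BASE + "?sp=rwd&se=2026-03-01T10:00:00Z&sv=2022-11-02&sr=c&sig=PLACEHOLDER"

def _ts(value):
    """Parse a SAS timestamp (ISO 8601, UTC) into an aware datetime."""
    t = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)

def audit_sas_url(url, now, max_lifetime=timedelta(hours=24)):
    """Return findings for a blob SAS URL; an empty list means none."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q or "se" not in q:
        return ["not a SAS URL (no sig/se parameters)"]
    findings = []
    expiry = _ts(q["se"])
    # Without st the SAS is valid immediately, so measure from "now".
    start = _ts(q["st"]) if "st" in q else now
    if expiry <= now:
        findings.append("expired: the service will deny access")
    if expiry - start > max_lifetime:
        findings.append("validity window longer than %s" % max_lifetime)
    extra = set(q.get("sp", "")) - {"r"}
    if extra:
        findings.append("grants more than read: " + "".join(sorted(extra)))
    # When spr is omitted, both HTTPS and HTTP are accepted.
    if q.get("spr", "https,http") != "https":
        findings.append("plain HTTP allowed: restrict to HTTPS only")
    if q.get("sr") != "b":
        findings.append("scope wider than one blob (sr=%s)" % q.get("sr"))
    return findings

if __name__ == "__main__":
    now = datetime(2025, 3, 1, 9, 30, tzinfo=timezone.utc)
    for name, url in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, audit_sas_url(url, now) or "no findings")
```

The script only inspects the parameters in the URL; the storage service remains the authority on whether the signature is valid.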

Securing your confidential files in Azure is really a necessity in today’s digital world. By following these steps, you can confidently share sensitive data while maintaining full control over access and security. Now that you know how to do it the smart way, why not put it into practice?

Did you find this guide helpful? Drop a comment below, I’d love to hear your thoughts. You can also reach out to me if you have any questions, I’d be happy to help. Don’t forget to like, share, and save this article so others can benefit too. I have more Azure security insights coming your way soon. Stay tuned! Adios👋!