Designing a Secure File Storage Architecture in Azure
A complete architecture guide for securing Azure file storage — network isolation, identity-based authentication, encryption layers, RBAC, Key Vault integration, Defender for Storage, and continuous monitoring. Step-by-step implementation from scratch.
Why File Storage Security Fails in Azure
The default Azure storage account configuration is not secure enough for production workloads. That is not a criticism of Microsoft — it is a deliberate design choice. Azure's defaults prioritise ease of getting started over production security posture. Public network access is enabled by default. Storage account keys are active by default. Blob soft delete is not enabled by default. Diagnostic logging is not enabled by default. The distance between "a storage account you created" and "a secure storage account" is a sequence of deliberate configuration decisions — and most organisations skip most of them.
The consequence is real. 68% of cloud security incidents in 2025 were caused by customer misconfiguration, not platform vulnerabilities. The storage account that leaks corporate data was almost never breached through a vulnerability in Azure itself. It was left publicly accessible, or it used a storage account key that was copied into source code, or it had no audit logging, or it had no alert when someone downloaded ten gigabytes of files at 2am. This guide closes those gaps.
The architecture described here applies a Zero Trust model to Azure file storage: assume breach, verify explicitly, use least-privilege access. It is built around six security layers — network, identity, encryption, data protection, threat detection, and monitoring — each of which reinforces the others. A gap in any one layer does not create a catastrophic failure, because the adjacent layers constrain what an attacker can do. That is the definition of defence in depth, and it is the only model that works at scale.
The Six-Layer Security Architecture — Overview
Before implementation, the complete architecture must be understood. Each layer maps to a specific set of Azure services and configuration decisions. The diagram below shows all six layers and how they relate to each other in a production deployment.
Layer 1 — Network Isolation: Eliminate Public Access
The first and most impactful security control for Azure file storage is eliminating public network access entirely. A storage account firewall, Private Endpoints, and the 'Block public access' setting at the account level reduce the attack surface to traffic that can only originate from within your VNet or peered networks. This single configuration change eliminates an entire class of external attack vectors — scanning, credential stuffing, and exposure through a leaked storage account URL.
Private Endpoints work by assigning a private IP address from your VNet subnet to the storage account. DNS resolution for the storage account's FQDN — youraccount.file.core.windows.net — returns this private IP from within the VNet, and a public IP from outside it. Once public access is disabled, the public IP path stops accepting connections entirely. Every data path from that point forward traverses your VNet, your firewall, and your routing controls.
Create the Private Endpoint in the storage-dedicated subnet
Create a Private Endpoint specifically for the file sub-resource (not blob). Select the VNet and subnet where your workloads reside — or a dedicated PE subnet if your network design separates PE traffic. Use a naming convention that identifies the storage account and sub-resource: for example pe-storageacct-file-prod. The portal will automatically create a network interface card (NIC) in the selected subnet with a static private IP.
Configure the private DNS zone and disable public network access
During Private Endpoint creation, allow the portal to auto-create the private DNS zone privatelink.file.core.windows.net and link it to your VNet. After confirming the Private Endpoint is operational via Test-NetConnection -ComputerName <account>.file.core.windows.net -Port 445 from a VM inside the VNet, set Public network access to Disabled. Verify the storage account FQDN resolves to the private IP from within the VNet.
Enforce TLS 1.2 minimum for all in-transit connections
Set Minimum TLS version to TLS 1.2 on every storage account. TLS 1.2 provides strong authentication and message integrity, preventing interception during transmission. Enabling Secure transfer required forces HTTPS for all connections, rejecting any HTTP request before it reaches your data. These are two separate settings — configure both.
Layer 2 — Identity and Authentication: Replace Keys with Identity
The storage account key is the single most dangerous credential in an Azure file storage deployment. It grants complete, unconditional, time-unlimited read/write access to every file share in the storage account. It has no expiry. It has no per-user audit trail. If it appears in a GitHub repository, a developer laptop, a CI/CD pipeline environment variable, or a configuration file — the storage account is compromised. Azure Key Vault should be the only place where applications retrieve credentials, but secrets usually leak into the estate through convenience: an app setting added during deployment, a CI/CD variable created for a release, a local config file used for testing.
The replacement for storage account keys is identity-based authentication via Microsoft Entra ID. Azure Files supports managed identities for application and automation access and Entra-only identities for user access, which reduces credential sprawl and removes the need to extend hybrid Active Directory just to authorise file shares. Once identity-based authentication is confirmed working, the storage account keys should be disabled.
Layer 3 — RBAC: Apply Least-Privilege Role Assignments
Azure RBAC enforces least privilege by assigning roles such as Storage Blob Data Reader and Storage File Data SMB Share Contributor to individual users, groups, or applications to limit the actions a user can take. The goal is to eliminate overprivileged accounts. For file storage specifically, role assignments must be made at both the storage account level (for management plane operations) and at the share level (for data plane access). These are separate and independent — a user with Storage Account Contributor cannot read file data unless they also have a data plane role.
The four roles that matter for Azure Files
Assign management plane roles — storage account level
Assign Storage Account Contributor only to your storage infrastructure team, and only through Privileged Identity Management (PIM) with just-in-time activation. Regular users should never hold a management plane role. Avoid widely assigning built-in roles like Owner, and get a list of role assignments for users or applications that have not logged in recently for audit. Review all management plane assignments quarterly.
Assign data plane roles at the share level
Assign Storage File Data SMB Share Reader and Storage File Data SMB Share Contributor at the individual file share level — not at the storage account level. Assigning data plane roles at the storage account level grants the same access to every share in the account. Use security groups, not individual user assignments, so membership changes are auditable and manageable at scale.
Disable storage account key access after identity-based auth is confirmed
Once identity-based authentication is confirmed working for all workloads, disable storage account key access: Set-AzStorageAccount -DisableLocalUser $true -AllowSharedKeyAccess $false. This prevents any application or user from authenticating with the static key — even if the key is obtained. Test in a non-production environment first. Verify all workloads use managed identities or Entra ID authentication before disabling keys.
Layer 4 — Encryption: At Rest, In Transit, and Customer-Managed Keys
Azure Files encrypts all data at rest automatically using AES-256. This is always on and cannot be disabled. In transit, encryption is enforced by requiring HTTPS. For regulated industries or high-sensitivity workloads, customer-managed keys (CMK) via Azure Key Vault provide an additional layer of control — the storage account encryption key is wrapped with your key in Key Vault, and access to that key can be revoked to make the entire storage account unreadable instantly.
Create the Key Encryption Key in Azure Key Vault
Create an Azure Key Vault with Purge protection enabled — this prevents deletion of the vault or keys during a retention period. Generate an RSA 2048-bit or RSA 4096-bit key for use as the Key Encryption Key. Enable soft delete with at least 90 days retention. Assign the storage account's managed identity the Key Vault Crypto Service Encryption User role — this is the only role required for CMK operations.
Enable customer-managed keys on the storage account
Navigate to Storage account → Encryption. Change the encryption type to Customer-managed keys. Select the Key Vault and key created in the previous step. Assign the storage account's system-assigned managed identity to the encryption key operation — do not use a user account. The storage account will now wrap its Data Encryption Key with your KEK on every write.
Enable infrastructure encryption for double-encryption at rest
For highly regulated workloads (financial services, healthcare, government), enable infrastructure encryption on the storage account. This applies a second independent AES-256 encryption layer at the infrastructure level, separate from the service-level encryption. Infrastructure encryption must be enabled at storage account creation — it cannot be enabled on an existing account. Budget an additional deployment for accounts that require it.
Layer 5 — Data Protection: Survive Accidental Deletion and Ransomware
Network isolation, identity controls, and encryption prevent external attackers from reaching your data. Data protection controls protect against the scenarios they do not cover: accidental deletion by a legitimate user, ransomware that encrypts files through a compromised account, and hardware failure or regional outage. The Azure file storage data protection stack has three components that must all be configured.
Enable soft delete with at least 14 days retention
Soft delete retains deleted file shares for a configurable period before permanent deletion. Set the retention to a minimum of 14 days — 30 days for production financial or HR shares. A soft-deleted share can be recovered from the Azure portal or via PowerShell without a support ticket. Soft delete does not protect against ransomware encrypting files in place — that requires Azure Backup with vaulted snapshots.
Configure Azure Backup with vaulted snapshots
Create a Recovery Services vault in a different resource group from the storage account. Configure Azure Backup for each file share with a daily snapshot schedule and at least 30 days of daily retention. Enable Enhanced policy for vaulted backup — this stores backup data in the vault rather than in the storage account itself, protecting against ransomware that targets storage accounts directly. Vaulted backup is the only protection that survives a compromised storage account.
Set redundancy appropriate to your RPO and RTO requirements
For production enterprise file shares: use ZRS (Zone-Redundant Storage) — 99.99% SLA, survives a full availability zone failure without manual failover or data loss. For compliance-driven DR requirements: use GRS or GZRS — geo-replication to a secondary region, 16 nines durability. Set redundancy at account creation — changing later requires data migration for some transitions. ZRS is the correct default for most production workloads.
Layer 6 — Threat Detection and Monitoring: See What is Happening
Securing storage is not a one-time setup but an ongoing process tied to visibility, validation, and governance. Regular auditing, logging, and threat detection are essential to catch misconfigurations before they lead to breaches. The monitoring layer connects Microsoft Defender for Storage (threat detection), Azure Monitor (performance and access alerts), and Log Analytics (sign-in and operation logs) into a unified observability stack. Without this layer, the other five layers may be correctly configured — but you will not know when they are being circumvented.
Enable Microsoft Defender for Storage
Enable Microsoft Defender for Storage at the subscription level — this covers all storage accounts in the subscription without per-account configuration. Defender for Storage uses machine learning to detect anomalous access patterns including mass downloads, impossible-travel access (simultaneous access from geographically distant locations), access from Tor exit nodes, and suspicious public exposure of private data. It generates security alerts routed to Microsoft Defender for Cloud and optionally to Microsoft Sentinel.
Enable diagnostic logging to Log Analytics
Create a diagnostic setting on each storage account for the file service. Enable StorageRead, StorageWrite, and StorageDelete log categories. Send logs to a Log Analytics workspace with at least 90 days retention. This provides the per-user, per-file audit trail that storage account key authentication cannot. Set retention to at least 365 days for regulated workloads — audit logs for Azure Files are needed for security incident investigation and compliance evidence.
Create the critical alert rules
Configure the following alert rules using KQL queries against the Log Analytics workspace. Set severity appropriately — Sev 1 for active security events, Sev 2 for anomalies requiring investigation within 4 hours. Route alerts to an action group that triggers both an email notification and a Logic App or Microsoft Sentinel playbook for automated initial response.
| where TimeGenerated > ago(1h)
| where OperationName == "GetFile"
| summarize TotalBytes = sum(ResponseBodySize) by CallerIpAddress, AuthenticationType
| where TotalBytes > 10737418240 // 10GB
| project CallerIpAddress, AuthenticationType, TotalGB = TotalBytes / 1073741824
// Alert 2: Authentication failures — more than 10 failures in 5 minutes (potential brute force) StorageFileLogs
| where TimeGenerated > ago(5m)
| where StatusCode in (401, 403)
| summarize FailureCount = count() by CallerIpAddress, AccountName
| where FailureCount > 10
// Alert 3: Storage account key used — keys should be disabled; any key auth is a security event StorageFileLogs
| where TimeGenerated > ago(1h)
| where AuthenticationType == "AccountKey"
| project TimeGenerated, CallerIpAddress, OperationName, AccountName
// Alert 4: Public access re-enabled on any storage account AzureActivity
| where OperationNameValue == "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"
| where Properties contains "allowBlobPublicAccess" and Properties contains "true"
| project TimeGenerated, Caller, ResourceGroup, ResourceId
Security Architecture Checklist — Implementation Verification
Use this checklist to verify all six layers are correctly configured before declaring a storage account production-ready. Every item must be green before the share serves live traffic.
- ✓Private Endpoint created for the file sub-resource · Verified with Test-NetConnection · Resolves to private IP from within VNet
- ✓Public network access disabled at storage account level · No IP ranges in firewall allowlist except explicitly approved
- ✓Private DNS zone configured and linked to all VNets that need access · Confirmed DNS resolution returns private IP
- ✓TLS 1.2 minimum enforced · Secure transfer required: Enabled · HTTPS-only access confirmed
- ✓Identity-based authentication configured · Entra ID Kerberos or AD DS · Tested with real user accounts from all client OS types
- ✓Storage account keys disabled · AllowSharedKeyAccess: false · No workload uses key-based auth
- ✓RBAC roles assigned at share level · No Owner/Contributor assigned to regular users · Management plane via PIM only
- ✓Encryption at rest: AES-256 confirmed · Customer-managed keys configured if compliance requires it · Infrastructure encryption enabled if double-encryption mandated
- ✓Soft delete enabled · 14 days minimum retention · 30 days for Finance/HR shares
- ✓Azure Backup configured with vaulted snapshots · Recovery Services vault in separate resource group · Daily policy with 30-day retention minimum
- ✓ZRS or GRS redundancy set at account creation · Appropriate to RPO/RTO requirements
- ✓Defender for Storage enabled at subscription level · Alerts routed to Defender for Cloud and action group
- ✓Diagnostic logging enabled · StorageRead/Write/Delete to Log Analytics · 90 days retention minimum
- ✓Alert rules configured · Mass download · Auth failures · Key access · Public access re-enable · All routed to an action group with a response workflow
Lessons Learned
- Configure Private Endpoints before AFS agent registration. If you register an Azure File Sync server endpoint before the Private Endpoint is configured, the agent registers against the public endpoint and requires re-registration after the Private Endpoint is added. The correct sequence is: Private Endpoint first, then authentication, then AFS agent.
- Test DNS resolution from each distinct network segment. Private DNS zone links are VNet-scoped. A VNet you add to peering after the initial DNS zone configuration may not resolve the storage account to the private IP. Verify resolution from every VNet, subnet, and on-premises network that needs access.
- Use separate storage accounts for separate trust boundaries. Finance data and general shared data should never reside in the same storage account. RBAC at the share level provides some isolation, but separate accounts provide a harder boundary — including separate encryption keys, separate Private Endpoints, separate diagnostic settings, and separate billing.
- Infrastructure encryption cannot be retrofitted. It must be enabled at storage account creation. If a production account needs it and does not have it, a new account must be created and data migrated. Include infrastructure encryption in your provisioning Terraform or Bicep from day one for regulated workloads.
- The Defender for Storage alert is only useful if someone acts on it. Configure alerts to route to an action group that triggers a Logic App or Microsoft Sentinel playbook — not just an email. An unread email alert provides zero security value at 2am on a Saturday.
Best Practices
- Provision all storage accounts using Infrastructure as Code (Terraform or Bicep) with security settings enforced at the module level — not configured post-deployment in the portal. This ensures every account created follows the security baseline without relying on manual steps.
- Use Azure Policy with deny effects to prevent creation of storage accounts without Private Endpoints, without secure transfer required, or without the storage account keys disabled. Policy prevents drift — configuration alone does not.
- Review RBAC role assignments quarterly. Remove users who no longer require access. Flag accounts that have not authenticated in 30 days for review. Use Access Reviews in Entra ID Governance to automate this process for large group memberships.
- Run the Microsoft Defender for Cloud Secure Score recommendations against your storage accounts monthly. Target a score above 85%. Each recommendation flagged is a specific misconfiguration with a guided remediation path.
- Test your recovery procedures annually — not just your backup configuration. Restore a file share from backup to a test environment. Verify the restored data is accessible and complete. A backup that has never been tested is not a backup — it is a hope.
Conclusion
A secure Azure file storage architecture is not a product you buy — it is a configuration you build and a posture you maintain. The six layers described in this guide — network isolation, identity-based authentication, least-privilege RBAC, encryption, data protection, and continuous monitoring — work together to create a defence-in-depth model where compromising any single control does not result in data loss or breach. Each layer takes one to four hours to configure correctly. All six layers together represent less than a day of implementation work for a single storage account. The audit and monitoring layer is the one most organisations skip, and it is the one that determines whether you find out about a problem before or after it becomes a breach.
Key Takeaways
Related FAVRITE Articles
- Understanding Azure File Shares for Enterprise Workloads
- Azure Files vs Azure NetApp Files: Which One Should You Choose?
- How to Configure Conditional Access for Approved Client Apps
- Choosing the Right Azure Storage Tier for Large File Migrations
- How to Plan a 15TB Migration from NAS to Azure Files.