Commit 206c9ab

Update articles/storage/common/authorize-data-access.md
Co-authored-by: Paul Jewell <[email protected]>
1 parent cdd1d86 commit 206c9ab

1 file changed

+1
-1
lines changed

articles/storage/common/authorize-data-access.md

Lines changed: 1 addition & 1 deletion
@@ -80,7 +80,7 @@ The following section briefly describes the authorization options for Azure Stor
8080

8181
- **Shared Key authorization**: Applies to blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. Shared Key provides permanent access to resources, and revoking the access requires manual steps. For more information, see [Authorize with Shared Key](/rest/api/storageservices/authorize-with-shared-key/).
8282

83-
Microsoft recommends that you disallow Shared Key authorization for your storage account. When Shared Key authorization is disallowed, clients must use Microsoft Entra ID or a user delegation SAS to authorize requests for data in that storage account. For more information, see [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md).
83+
The storage account access key should be used with caution. Anyone who has the access key is able to authorize requests against the storage account, and effectively has access to all the data. Microsoft recommends that you disallow Shared Key authorization for your storage account. When Shared Key authorization is disallowed, clients must use Microsoft Entra ID or a user delegation SAS to authorize requests for data in that storage account. For more information, see [Prevent Shared Key authorization for an Azure Storage account](shared-key-authorization-prevent.md).
8484

8585
- **Shared access signatures** for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account via a signed URL. The signed URL specifies the permissions granted to the resource and the interval over which the signature is valid. A service SAS or account SAS is signed with the account key, while the user delegation SAS is signed with Microsoft Entra credentials and applies to blobs only. For more information, see [Using shared access signatures (SAS)](storage-sas-overview.md).
8686
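
Review bot: The first sentence added at line 83, "The storage account access key should be used with caution", gives the reader nothing to act on, and the risk is already carried by the sentence that follows it. Consider dropping it and opening with "Anyone who has the access key can authorize requests against the storage account, and effectively has access to all the data", which also replaces "is able to" with "can". The Shared Key bullet above already says access is permanent and that revoking it requires manual steps, so it would help to tie the new sentence to that point rather than leaving the two statements separate. The next bullet states that a service SAS or account SAS is signed with the account key, so it may be worth saying here that exposure of the key affects those signatures as well. The paragraph now combines a warning and a recommendation in one block; splitting it after "all the data." would keep the recommendation to disallow Shared Key authorization easy to find.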
