What it is
A storage account whose allowSharedKeyAccess property is not set to false. Azure's default is enabled, so unless someone explicitly disabled it, the account's two access keys work as universal passwords: full read/write/delete across blobs, files, queues, and tables, with none of the identity controls your organization built applying to them.
Why it happens
Shared key authorization predates Entra ID integration for storage, and Azure kept it on by default for compatibility — an absent allowSharedKeyAccess means enabled. Every account gets two keys at creation whether you use them or not.
The keys have properties that make them a standing liability. They never expire unless someone rotates them. They grant everything: no scoping to a container, an operation, or a time window. They authenticate a request, not a person, so Conditional Access, MFA, and PIM never enter the picture, and the diagnostic logs record that a key was used but not who used it. And because SAS tokens are signed with these same keys, every account-level SAS you've ever issued inherits the same trust root — the mechanism behind the widely reported 2023 incident in which a misconfigured SAS URL exposed 38 TB of Microsoft's own internal data.
Meanwhile the keys sprawl. They land in connection strings, app settings, CI variables, and local dev configs, because a connection string is the path of least resistance for every tool and tutorial. Each copy is an unaudited credential to the whole account.
What it costs / blast radius
The blast radius is the full data plane of the account: one leaked key or key-signed SAS token, and everything the account holds is readable and writable by whoever has it, from anywhere the network path allows. (Azure behavior; authored assessment.) Because key auth carries no identity, you also lose the investigation: the access log can't tell you whether the requests were your app or an attacker holding a copied connection string. Rotating the keys is the only revocation, and it breaks every legitimate client at the same time.
See it
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
name: 'corpdata003'
location: location
sku: { name: 'Standard_LRS' }
kind: 'StorageV2'
properties: {
// allowSharedKeyAccess is not set, so it is Enabled.
// Both account keys are live universal credentials.
}
}resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
name: 'corpdata003'
location: location
sku: { name: 'Standard_LRS' }
kind: 'StorageV2'
properties: {
allowSharedKeyAccess: false // key and key-signed SAS requests are rejected
}
}
// Migrate clients to Entra auth FIRST (managed identity +
// DefaultAzureCredential, with data-plane RBAC roles such as
// 'Storage Blob Data Contributor'), then flip the switch.
// Anything still on a connection string breaks the moment you do.How StratoLens helps
StratoLens flags every storage account that still accepts shared key authorization, automatically and continuously across all your subscriptions, so the accounts everyone assumed were "on managed identity by now" stop hiding. The check runs inside your own tenant; your keys and data never leave it.