Skip to main content
Back to the Azure Footguns Database
SecurityGovernanceMediumCommonAZF-0060

Shared key authorization lets anyone holding a storage account key bypass Entra ID entirely

Every storage account is born with two account keys and shared key authorization enabled. Anyone holding a key gets full data-plane access — no Entra ID, no RBAC, no Conditional Access, no name in the logs.

Footgun ID
AZF-0060 (Azure Footgun No. 60)
Azure service
Azure Storage
Resource type
Microsoft.Storage/storageAccounts
Updated
July 9, 2026

What it is

A storage account whose allowSharedKeyAccess property is not set to false. Azure's default is enabled, so unless someone explicitly disabled it, the account's two access keys work as universal passwords: full read/write/delete across blobs, files, queues, and tables, with none of the identity controls your organization built applying to them.

Impact (security)
Either of two static account keys grants full data-plane access with no identity attached
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Shared key authorization predates Entra ID integration for storage, and Azure kept it on by default for compatibility — an absent allowSharedKeyAccess means enabled. Every account gets two keys at creation whether you use them or not.

The keys have properties that make them a standing liability. They never expire unless someone rotates them. They grant everything: no scoping to a container, an operation, or a time window. They authenticate a request, not a person, so Conditional Access, MFA, and PIM never enter the picture, and the diagnostic logs record that a key was used but not who used it. And because SAS tokens are signed with these same keys, every account-level SAS you've ever issued inherits the same trust root — the mechanism behind the widely reported 2023 incident in which a misconfigured SAS URL exposed 38 TB of Microsoft's own internal data.

Meanwhile the keys sprawl. They land in connection strings, app settings, CI variables, and local dev configs, because a connection string is the path of least resistance for every tool and tutorial. Each copy is an unaudited credential to the whole account.

What it costs / blast radius

The blast radius is the full data plane of the account: one leaked key or key-signed SAS token, and everything the account holds is readable and writable by whoever has it, from anywhere the network path allows. (Azure behavior; authored assessment.) Because key auth carries no identity, you also lose the investigation: the access log can't tell you whether the requests were your app or an attacker holding a copied connection string. Rotating the keys is the only revocation, and it breaks every legitimate client at the same time.

See it

Footgun: allowSharedKeyAccess left unset — Azure treats absent as enabled
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata003'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    // allowSharedKeyAccess is not set, so it is Enabled.
    // Both account keys are live universal credentials.
  }
}
Fix: disable shared key auth so every request must carry an Entra identity
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'corpdata003'
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowSharedKeyAccess: false   // key and key-signed SAS requests are rejected
  }
}
// Migrate clients to Entra auth FIRST (managed identity +
// DefaultAzureCredential, with data-plane RBAC roles such as
// 'Storage Blob Data Contributor'), then flip the switch.
// Anything still on a connection string breaks the moment you do.

How StratoLens helps

StratoLens flags every storage account that still accepts shared key authorization, automatically and continuously across all your subscriptions, so the accounts everyone assumed were "on managed identity by now" stop hiding. The check runs inside your own tenant; your keys and data never leave it.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.