Revoke Access to Azure Storage Account | AZ-500 Exam Solution

Revoke Access to Azure Storage Account


Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure subscription named Sub1.

You have an Azure Storage account named sa1 in a resource group named RG1.

Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies.

You discover that unauthorized users accessed both the file service and the blob service.

You need to revoke all access to sa1.

Solution: You create a new stored access policy.

Does this meet the goal?



Click on the arrows to vote for the correct answer

A. B.


Creating a new (additional) stored access policy with have no effect on the existing policy or the SAS's linked to it.

To revoke a stored access policy, you can either delete it, or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately effects all of the shared access signatures associated with it.

No, creating a new stored access policy does not meet the goal of revoking all access to the Azure Storage account (sa1).

Shared access signatures (SAS) and stored access policies are used to grant access to specific resources in an Azure Storage account. Creating a new stored access policy does not revoke any existing SAS tokens or access policies that are currently in use by authorized or unauthorized users. Therefore, unauthorized users who have already obtained a SAS token or access policy could continue to access the storage account.

To revoke all access to sa1, you need to delete all existing stored access policies and regenerate all existing SAS tokens. You can regenerate SAS tokens by updating their permissions or changing their keys.

In addition to revoking access, it is also important to investigate the unauthorized access to determine the cause and mitigate any potential security vulnerabilities in the future. This may involve analyzing audit logs and implementing additional security measures such as enabling network security groups or implementing role-based access control (RBAC) for the storage account.