Storage (Account) Security

An Azure geography is a defined area of the world that contains at least one Azure Region. An Azure region is an area within a geography, containing one or more datacenters.
  • Azure AD/RBAC authorization is preferred over all other authorization options for Azure Storage.
  • Azure Active Directory (Azure AD) integration/RBAC
    • This is the generally recommended method to use.
    • You can grant permissions that are scoped to the level of an individual container or queue.
  • Shared Key for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key.
    • It is recommended to disable this option and not use it.
    • MS recommends using Azure AD/RBAC instead of this option.
    • If shared keys are used, it is recommended to use Azure Key Vault and to rotate the keys periodically.
  • Shared Access Signature (SAS)
    • Can be created at the container or blob level.

Storage Service Encryption

  • All data (including metadata) written to Azure Storage is automatically encrypted using Storage Service Encryption (SSE).
  • You can rely on Microsoft-managed keys for the encryption of your storage account, or you can manage encryption with your own keys.

Azure Files Authentication

  • ACLs are preserved by default; you are not required to enable identity-based authentication on your storage account to preserve ACLs.
  • Secure Transfer Required should be enabled for storage accounts.
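The checks in the authorization and Azure Files notes above (Shared Key disabled, Secure Transfer Required on, which key source is used for SSE) can be run over the JSON that `az storage account list -o json` returns. The script below is an added example, not part of these notes; the sample accounts are constructed, and it assumes the property names `allowSharedKeyAccess`, `enableHttpsTrafficOnly` and `encryption.keySource` from the ARM storage account schema.

```python
import json

# Constructed sample in the shape of `az storage account list -o json`.
# Assumption: property names follow the Microsoft.Storage/storageAccounts schema.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {
        "name": "stprodlogs",
        "allowSharedKeyAccess": False,
        "enableHttpsTrafficOnly": True,
        "encryption": {"keySource": "Microsoft.Keyvault"},
    },
    {
        "name": "stlegacyapp",
        "allowSharedKeyAccess": None,       # unset: Shared Key is still allowed
        "enableHttpsTrafficOnly": False,
        "encryption": {"keySource": "Microsoft.Storage"},
    },
])


def audit_account(acct):
    """Return the list of findings for one storage account."""
    findings = []
    # Shared Key access is only off when the property is explicitly false;
    # a missing or null value means the account still accepts Shared Key.
    if acct.get("allowSharedKeyAccess") is not False:
        findings.append("shared-key-enabled")
    # Secure Transfer Required corresponds to enableHttpsTrafficOnly.
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append("secure-transfer-disabled")
    return findings


def key_management(acct):
    """Report whether SSE uses Microsoft-managed or customer-managed (Key Vault) keys."""
    source = acct.get("encryption", {}).get("keySource")
    return "customer-managed" if source == "Microsoft.Keyvault" else "microsoft-managed"


def audit_accounts(accounts_json):
    """Map account name -> findings for every account in the az CLI JSON output."""
    return {a["name"]: audit_account(a) for a in json.loads(accounts_json)}


if __name__ == "__main__":
    accounts = json.loads(SAMPLE_ACCOUNTS_JSON)
    for acct in accounts:
        findings = audit_account(acct) or ["ok"]
        print(f"{acct['name']}: {', '.join(findings)} (keys: {key_management(acct)})")
```

Against a real subscription, feed the output of `az storage account list -o json` to `audit_accounts` instead of the constructed sample.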
  • azure/az-500/storage_security.1655840021.txt.gz
  • Last modified: 2022/06/21 19:33
  • by mmuze