An Azure geography is a defined area of the world that contains at least one Azure Region. An Azure region is an area within a geography, containing one or more datacenters.

• Azure AD/RBAC authorization is preferred over all other authorization storage options for Azure Storage.

• https://docs.microsoft.com/en-us/azure/storage/common/authorize-data-access#understand-authorization-for-data-operations

• Azure Active Directory (Azure AD) integration/RBAC
  • This is the generally recommend method to use
  • You can grant permissions that are scoped to the level of an individual container or queue.
• Shared Key for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key.
  • It is recommended to disable and not use this option.
  • MS recommends using Azure AD/RBAC instead of this option
  • If shared keys are used it is recommended to use Azure Key vault and to rotate keys periodically.
• Shared Access Signature (SAS)

• SAS is a string that contains a security token that can be attached to a URI that gives access to storage objects

• service-level, gives access at the storage account level
• account level
• user delegation SAS

A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.

* https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy

• All data (including metadata) written to Azure Storage is automatically encrypted using Storage Service Encryption (SSE).
• You can rely on Microsoft-managed keys for the encryption of your storage account, or you can manage encryption with your own keys.

• ACLs are preserved by default, you are not required to enable identity-based authentication on your storage account to preserve ACLs.
• Secure Transfer Required should be enabled for storage accounts.