Storage (Account) Security
An Azure geography is a defined area of the world that contains at least one Azure Region. An Azure region is an area within a geography, containing one or more datacenters.
Paired Regions
Azure Storage Access
- Azure AD/RBAC authorization is preferred over all other authorization storage options for Azure Storage.
Types of Authorization
- Azure Active Directory (Azure AD) integration/RBAC
- This is the generally recommended method to use
- You can grant permissions that are scoped to the level of an individual container or queue.
- Shared Key for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key.
- It is recommended to disable and not use this option.
- MS recommends using Azure AD/RBAC instead of this option
- If shared keys are used, it is recommended to store them in Azure Key Vault and to rotate them periodically.
- Shared Access Signature (SAS)
Shared Access Signature(SAS)
- SAS is a string that contains a security token that can be attached to a URI that gives access to storage objects
- There are two types of SAS. Ad hoc SAS where the expiry and permissions are part of the SAS URI and Service SAS with stored access policy where the SAS references the policy that defines the expiry and permissions.
Types
- service-level, gives access at the storage account level
- account level
- user delegation SAS
Stored Access Policy
A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side.
- https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
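The ad hoc versus stored-access-policy distinction above can be checked mechanically from a SAS URI, since an ad hoc SAS carries its expiry (se) and permissions (sp) in the query string while a policy SAS carries a signed identifier (si) instead. The following is an added example, not code from the original page or from Microsoft: it audits a SAS URI for an ad hoc token, a missing or distant expiry, write/delete permissions, and HTTP being allowed. The sample URIs, the account name, the sig values and the seven-day lifetime limit are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# SAS "sp" letters that allow changing data: a=add, c=create, w=write,
# d=delete, x=delete version, u=update (tables/queues).
MUTATING_PERMS = set("acwdxu")


def parse_sas_expiry(value):
    """Parse an 'se' value; Azure accepts a full UTC timestamp or a bare date."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas(url, now, max_lifetime=timedelta(days=7)):
    """Return finding codes for one SAS URI (empty list = nothing flagged).

    `now` is passed in so results are reproducible; `max_lifetime` is an
    assumed local policy for ad hoc tokens, not an Azure limit.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not-a-sas"]
    findings = []
    expiry = parse_sas_expiry(q["se"]) if "se" in q else None
    if "si" not in q:
        # Ad hoc SAS: expiry and permissions live in the URI itself, so the
        # only way to revoke it early is to rotate the account key.
        findings.append("ad-hoc-no-stored-policy")
        if expiry is None:
            findings.append("no-expiry")
    if expiry is not None and expiry - now > max_lifetime:
        findings.append("expiry-too-far")
    if MUTATING_PERMS & set(q.get("sp", "")):
        findings.append("write-or-delete-permission")
    # When spr is omitted Azure allows both protocols, so that case is flagged too.
    if "http" in q.get("spr", "https,http").split(","):
        findings.append("http-allowed")
    return findings


# Constructed sample URIs: placeholder account and signature values.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
AD_HOC_SAS = ("https://examplestorage.blob.core.windows.net/backups?sv=2020-08-04"
              "&sr=c&sp=racwdl&st=2024-01-01T00:00:00Z&se=2030-01-01T00:00:00Z"
              "&spr=https,http&sig=PLACEHOLDER")
POLICY_SAS = ("https://examplestorage.blob.core.windows.net/backups?sv=2020-08-04"
              "&sr=c&si=read-only-policy&spr=https&sig=PLACEHOLDER")
```

Run `audit_sas(AD_HOC_SAS, NOW)` to see the ad hoc token flagged on all four counts, while the policy-backed token with HTTPS only returns no findings.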
Storage Service Encryption
- All data (including metadata) written to Azure Storage is automatically encrypted using Storage Service Encryption (SSE).
- You can rely on Microsoft-managed keys for the encryption of your storage account, or you can manage encryption with your own keys.
Azure Files Authentication
- ACLs are preserved by default; you are not required to enable identity-based authentication on your storage account to preserve ACLs.
- Secure Transfer Required should be enabled for storage accounts.