Stored Access Policies

Lab Objective

In this hands-on lab, you will learn how to:

Understand Stored Access Policies and their relationship to SAS tokens
Create and manage stored access policies for containers and queues
Generate SAS tokens based on stored access policies for centralized control
Modify access policies to change permissions without regenerating SAS tokens
Revoke access by deleting stored access policies
Implement centralized access management for multiple SAS tokens

Scenario: Your organization needs to provide temporary access to storage resources for multiple external applications, but requires the ability to centrally manage and revoke access without invalidating individual SAS tokens. You’ll implement stored access policies to achieve centralized SAS token management.

Pre-Provisioned Environment

The following Azure resources have been pre-deployed in your environment:

Resource Overview

Resource Type	Resource Name	Configuration	Purpose
Resource Group	`AccessPolicies-Lab-RG`	Contains all lab resources	Logical container
Storage Account	`accesspolicylab[unique]`	General Purpose v2	Primary storage resource
Blob Container	`application-data`	Private access level	Application file storage
Blob Container	`user-uploads`	Private access level	User-generated content
Blob Container	`reports`	Private access level	Business reports
Queue	`processing-queue`	Standard queue	Message processing
Management VM	`ManagementVM`	Windows Server 2019	Policy management client
Sample Files	Various	Pre-uploaded content	Test data for policy operations

Storage Structure

accesspolicylab[unique] (Storage Account)
├── application-data (Container)
│   ├── config.json
│   ├── app-settings.xml
│   └── database-schema.sql
├── user-uploads (Container)
│   ├── document1.pdf
│   ├── image1.jpg
│   └── spreadsheet1.xlsx
├── reports (Container)
│   ├── monthly-report.pdf
│   ├── quarterly-summary.docx
│   └── annual-analysis.xlsx
└── processing-queue (Queue)
    └── [Message queue for background processing]

VM Details

VM	Private IP	Operating System	Purpose
ManagementVM	10.0.1.4	Windows Server 2019	Test stored access policy scenarios

Lab Exercises

Part 1: Explore Current Storage Configuration

Step 1: Navigate to Storage Account

Navigate to AccessPolicies-Lab-RG resource group
Click on the Storage Account (accesspolicylab[unique])
In the left menu, click Containers
Explore each container: application-data, user-uploads, reports

Step 2: Examine Container Access Policies

Click on application-data container
In the left menu, click Access policy
Observe: Currently no stored access policies exist
Note the Add policy button for later use

Step 3: Test Direct SAS Generation

Click on config.json file
Click Generate SAS
Configure a basic SAS token:

Setting	Value
Permissions	Read
Expiry time	+1 hour

Copy the SAS URL for comparison later
Test the URL in an incognito browser window

Part 2: Create Stored Access Policies

Step 1: Create Application Access Policy

Navigate to application-data container
Click Access policy in the left menu
Click + Add policy
Configure the policy:

Setting	Value	Purpose
Identifier	`app-read-policy`	Policy name
Permissions	Read, List	Application read access
Start time	Current time	Immediate activation
Expiry time	+30 days	Long-term access

Click OK
Click Save to apply the policy

Step 2: Create User Upload Policy

Navigate to user-uploads container
Click Access policy
Add two policies:

Policy 1 - Read Access:

Setting	Value
Identifier	`user-read-policy`
Permissions	Read, List
Start time	Current time
Expiry time	+7 days

Policy 2 - Write Access:

Setting	Value
Identifier	`user-write-policy`
Permissions	Read, Write, Create
Start time	Current time
Expiry time	+3 days

Click Save after adding both policies

Step 3: Create Reports Policy

Navigate to reports container
Click Access policy
Add policy:

Setting	Value	Purpose
Identifier	`reports-readonly`	Policy identifier
Permissions	Read	Read-only access
Start time	Current time	Immediate access
Expiry time	+14 days	Two-week access

Click Save

Part 3: Generate SAS Tokens Using Stored Access Policies

Step 1: Create Container SAS with Policy

Go to application-data container
Click Generate SAS
Configure SAS using stored policy:

Setting	Value	Notes
Permissions	Leave unchecked	Will inherit from policy
Start and expiry time	Leave default	Will inherit from policy
Stored access policy	`app-read-policy`	Select the created policy

Click Generate SAS token and URL
Copy the SAS URL

Step 2: Create Multiple SAS Tokens from Same Policy

Repeat the process to create 3 different SAS tokens using app-read-policy
Save all three URLs for testing:
- SAS Token 1: [URL]
- SAS Token 2: [URL]
- SAS Token 3: [URL]

Step 3: Create SAS for User Uploads

Navigate to user-uploads container
Generate two SAS tokens:

Read-only SAS:

Use stored access policy: user-read-policy
Generate and copy URL

Write SAS:

Use stored access policy: user-write-policy
Generate and copy URL

Part 4: Test Policy-Based SAS Tokens

Step 1: Connect to Management VM

Navigate to ManagementVM
Click Connect → RDP
Use credentials:
- Username: azureuser
- Password: LabPassword123!

Step 2: Test Application Data Access

From ManagementVM, open PowerShell and test:

# Test all three SAS tokens from app-read-policy
$sasUrls = @(
    "https://accesspolicylab[unique].blob.core.windows.net/application-data?[SAS-TOKEN-1]",
    "https://accesspolicylab[unique].blob.core.windows.net/application-data?[SAS-TOKEN-2]",
    "https://accesspolicylab[unique].blob.core.windows.net/application-data?[SAS-TOKEN-3]"
)

foreach ($i in 1..3) {
    try {
        $response = Invoke-WebRequest -Uri $sasUrls[$i-1]
        Write-Host "SAS Token $i: SUCCESS - Can list container contents"
    } catch {
        Write-Host "SAS Token $i: FAILED - $($_.Exception.Message)"
    }
}

Step 3: Test User Upload Policies

# Test read-only access
$readSAS = "https://accesspolicylab[unique].blob.core.windows.net/user-uploads/document1.pdf?[READ-SAS-TOKEN]"
try {
    Invoke-WebRequest -Uri $readSAS -OutFile "C:\temp\document1.pdf"
    Write-Host "Read access: SUCCESS - Downloaded document1.pdf"
} catch {
    Write-Host "Read access: FAILED - $($_.Exception.Message)"
}

# Test write access (upload new file)
$writeSAS = "https://accesspolicylab[unique].blob.core.windows.net/user-uploads/test-upload.txt?[WRITE-SAS-TOKEN]"
try {
    $headers = @{"x-ms-blob-type" = "BlockBlob"}
    Invoke-WebRequest -Uri $writeSAS -Method PUT -Body "Test content from PowerShell" -Headers $headers
    Write-Host "Write access: SUCCESS - Uploaded test-upload.txt"
} catch {
    Write-Host "Write access: FAILED - $($_.Exception.Message)"
}

Part 5: Modify Stored Access Policies

Step 1: Change Policy Permissions

Navigate to application-data container
Click Access policy
Click on app-read-policy
Modify the policy:

Setting	Old Value	New Value
Permissions	Read, List	Read, List, Write
Expiry time	+30 days	+60 days

Click OK and Save

Step 2: Test Updated Permissions

Return to ManagementVM and test the same SAS tokens:

# Test write access with previously read-only SAS tokens
$existingSAS = "https://accesspolicylab[unique].blob.core.windows.net/application-data/new-config.json?[EXISTING-SAS-TOKEN]"

try {
    $headers = @{"x-ms-blob-type" = "BlockBlob"}
    $content = '{"setting": "updated via SAS", "timestamp": "' + (Get-Date) + '"}'
    Invoke-WebRequest -Uri $existingSAS -Method PUT -Body $content -Headers $headers
    Write-Host "Updated policy: SUCCESS - Can now write with previously read-only SAS"
} catch {
    Write-Host "Updated policy: FAILED - $($_.Exception.Message)"
}

Expected Result: Previously read-only SAS tokens should now allow write operations

Part 6: Policy Management and Revocation

Step 1: Create Temporary Access Policy

Navigate to reports container
Click Access policy
Add new policy:

Setting	Value
Identifier	`temp-access`
Permissions	Read, List
Start time	Current time
Expiry time	+1 hour

Click Save

Step 2: Generate SAS Tokens for Temporary Policy

Generate 5 different SAS tokens using the temp-access policy
Test one token to confirm it works
Distribute the remaining tokens (simulate giving access to external users)

Step 3: Revoke Access by Deleting Policy

In reports container Access policy
Select the temp-access policy
Click Delete
Click Save

Step 4: Test Revoked Access

# Test previously working SAS token
$revokedSAS = "https://accesspolicylab[unique].blob.core.windows.net/reports?[REVOKED-SAS-TOKEN]"

try {
    Invoke-WebRequest -Uri $revokedSAS
    Write-Host "Revoked SAS: UNEXPECTED - Still working"
} catch {
    Write-Host "Revoked SAS: EXPECTED - Access denied after policy deletion"
}

Expected Result: All SAS tokens based on the deleted policy should fail

Part 7: Advanced Policy Scenarios

Step 1: Time-Based Policy Activation

Create a future-start policy:
- Navigate to user-uploads container
- Add policy with Start time = +10 minutes from now
- Test SAS token immediately (should fail)
- Wait and test again (should succeed after start time)

Step 2: Policy Limits Testing

Try to create 6 policies on the same container
Observe: Azure Storage allows maximum 5 stored access policies per container
Delete unused policies to make room for new ones

Step 3: Cross-Container Policy Testing

Try to use a policy from application-data container for user-uploads container
Expected Result: Policies are container-specific and cannot be shared

Troubleshooting Guide

Common Stored Access Policy Issues

Issue	Symptoms	Possible Cause	Solution
Policy limit exceeded	Cannot create new policy	5 policy limit reached	Delete unused policies
SAS token invalid	403 Forbidden immediately	Policy not saved properly	Re-save container policy
Policy changes not reflected	Permissions unchanged	Cache propagation delay	Wait 30-60 seconds
Start time issues	Access denied despite valid token	Policy start time in future	Check policy start time
Revocation not working	SAS still works after deletion	Policy deletion not saved	Confirm policy save operation

Policy Validation Checklist

Component	Check	Expected Result
Policy Identifier	Unique within container	No duplicate names
Permissions	Match intended access	Correct permission letters
Time Range	Start before expiry	Valid time window
Policy Count	Maximum 5 per container	Within Azure limits
SAS Reference	Policy name in SAS	Proper policy linkage

Additional Experiments

Try these optional exercises to deepen your understanding:

Queue Access Policies: Create stored access policies for Azure Storage Queues
Table Access Policies: Implement policies for Azure Table Storage
Policy Monitoring: Track policy usage through storage analytics
Automated Policy Management: Use PowerShell/CLI to manage policies programmatically
Policy Rotation: Implement regular policy rotation for enhanced security

Key Takeaways

After completing this lab, you should understand:

Stored Access Policies enable centralized SAS token management without regenerating tokens
Policy modifications immediately affect all associated SAS tokens providing flexible control
Policy deletion revokes all associated SAS tokens enabling instant access revocation
Maximum 5 policies per container is an Azure Storage limitation
Policies are container-specific and cannot be shared across containers
Time-based policies enable scheduled access activation and expiration
Stored policies simplify SAS token distribution while maintaining security control