azure blob
13 Topics

Protecting access to storage account with backups and archived data
Hello experts, I've been trying to understand how to protect backups, and archived data stored in azure blob storage. What is the way to protect those data in case that a global admin rights got compromised? I understand that data are encrypted, etc... but in scenario above, what could be an additional level to make sure that even if global admin account got compromised, it will not be easy to access those critical data?
243 Views 0 likes 1 Comment

Azure Storage Container - Soft Delete Monitoring
Hi All, Can someone let me know if there is a way to export all the soft deleted items in my container on a daily basis into a csv or any file format I could connect PBI with? I want to monitor all Active and Soft Deleted items on a Power BI report I have created and at this moment I can't seem to find a way to get a list of all the items that have been deleted. Thanks
471 Views 0 likes 1 Comment

Create and use a SAS (Shared Access Signature) with the PowerShell in Azure!
Hi Azure friends, I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE
Set-Location C:\Temp
Clear-Host

#So that you can carry out the configuration, you need the necessary cmdlets, these are contained in the module Az (is the higher-level module from a number of submodules)
Install-Module -Name Az -Force -AllowClobber -Verbose

#Log into Azure
Connect-AzAccount

#Select the correct subscription
Get-AzContext
Get-AzSubscription
Get-AzSubscription -SubscriptionName "your subscription name" | Select-AzSubscription

#Variables
$location = "westeurope"
$rgname = "twstoragedemo"

#A file we use later
$today = Get-Date
New-Item -ItemType file -Path C:\Temp\test.txt -Force -value $today

#Create a Resource Group
New-AzResourceGroup -Name $rgname -Location $location

#Create a Storage Account
New-AzStorageAccount -Location $location -ResourceGroupName $rgname -Name twstorage75 -SkuName Standard_LRS

#We need at least one Storage Account Key
$keys = Get-AzStorageAccountKey -Name twstorage75 -ResourceGroupName $rgname

#Now we need to create Storage context
$context = New-AzStorageContext -StorageAccountName twstorage75 -StorageAccountKey $keys[0].Value

#Once we have it, let’s create a storage container
New-AzStorageContainer -Context $context -Name bilder

#Now we have required pre-requisites to create an SAS
$token = New-AzStorageContainerSASToken -Context $context -Name bilder -Permission rwd

#Now we need to create Storage Container context
$containercontext = New-AzStorageContext -SasToken $token -StorageAccountName twstorage75

#Let's upload a file to the Storage Container
Set-AzStorageBlobContent -Context $containercontext -Container bilder -File C:\Temp\test.txt

#List the blobs in the container
Get-AzStorageBlob -Container bilder -Context $context | select Name, Blobtype, LastModified

Now you have used the PowerShell to create an Azure Storage Account and a Shared Access Signature! Congratulations!

#Delete all resources (when you no longer need it)
Remove-AzResourceGroup -Name $rgname -Force

I hope this article was useful. Best regards, Tom Wechsler
P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler
5.2K Views 0 likes 2 Comments

Status of uploading file
Hi, is it possible to get status of uploading file from blob storage? I have a case when user A is uploading large file to storage via SAS to myContainer/uploadingBlob. My server has information that someone wants to upload there but there is no way to directly tell that user is actually uploading anything there. Is it possible to get that information from storage? What if user cancels the upload?
761 Views 0 likes 0 Comments

Can an azure blob with malware infect other blobs in the storage account?
Hi, I need to know whether it can be infected to other blobs or files if I accidentally uploaded a malware into azure storage account or all the blobs are isolated from each other. If it can be infected, does it infect the blob/files only within the container or to the entire storage account?
1.7K Views 0 likes 4 Comments

Error : Azure Storage - SFTP(preview)
We are using Azure Storage - SFTP(preview) service to upload files to Azure Blob Containers. We are able to upload multiple files simultaneously using the SFTP client. But we are experiencing inconsistency in transferring files to SFTP account as some of these files are failing - we are getting ‘Invalid block size’ error from Azure blob storage. Please let us know what may be causing this issue as we have to manually copy/reinitiate upload to SFTP for the failed files.
609 Views 0 likes 0 Comments

Control access to blobs with blob index tags and custom security attributes in Azure AD!
Dear Azure Friends, Imagine you want to control access to the blobs in an Azure Storage Account Blob Container using attributes. This is possible today with the combination of Blob Index Tags and Custom Security Attributes (a new preview feature) in Azure Active Directory. I have created a storage account with the setting "Default to Azure Active Directory authorization in the Azure portal".

Before we get into the custom security attributes, let's first address the question of who can add index tags when uploading files to a blob container? The answer is that only the storage blob data owner can.

Now let's talk about the custom security attributes. First, a few prerequisites! To assign custom security attributes and add role assignments conditions in your Azure AD tenant, you need:
- Azure AD Premium P1 or P2 license
- Attribute Definition Administrator and Attribute Assignment Administrator
- User Access Administrator or Owner
https://docs.microsoft.com/en-us/azure/role-based-access-control/conditions-custom-security-attributes

Note: By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. If you do not meet these prerequisites, you won't see the principal/user attributes in the condition builder.

As an example, I have assigned myself the Role Attribute Definition Administrator.

1. Add a new custom security attribute
To be able to assign the attributes to a user you need the Role Attribute Assignment Administrator. I have also assigned this to my account. In practice you would better use this role in a specific attribute set and not tenant wide (regarding security). In this example I keep it simple.
2. Assign the custom security attribute to a user
3. Create a security group in Azure Active Directory with the users in question
4. Assign Storage Blob Data Reader role with a condition (I configured this role on the storage account, but it can also be done directly on the container.)

Important: Data Plane is not equal to Management Plane. This means that access to the blobs does not equal access to the storage account. For this reason, we give the just created security group the Reader Role.

Now it's time for testing. I register with a browser as Jane Ford. We navigate directly to the storage account and the corresponding container. As a reminder, Jane Ford has been configured with the attribute "Project Zodiac". Only the IT image has exactly the same Blob Index tag. This means that Jane can only access this one image. The image Learn has no Blob Index Tag so Jane can't open this file and the file Me_Bike has the Blob Index Tag "Project Dedalus" configured so Jane can't open this file either. Perfect, the access to the blobs exactly as desired, really great!

Important: I first did this test with a storage account which was created in "West Europe". This did not work. With a storage account in "East US" it worked fine. I assume that it will soon work in the "West Europe" region as well.

I already realize that this wasn't super exciting, but I still wanted to share this experience with you. I hope this article was useful. Thank you for taking the time to read the article. Best regards, Tom Wechsler
P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler
3.9K Views 1 like 0 Comments

Can I enable storage account lifecycle management for my log analytics workspace?
Can I enable storage account lifecycle management for my log analytics workspace, and if so, any issues to look out for or any specific configurations for lifecycle management that is recommended? Thx
Solved 2.5K Views 0 likes 3 Comments

Data Migration from OpenText Content Server to Azure Blob Storage or other services.
Hi all, We want to migrate data (~40 Terabyte) from OpenText Content Server to Azure Blob Storage or other similar/better services if any with a view to Archive (Closed Projects) about 80% of the data and other 20% (Active Projects) will be moved to SharePoint Online for business users to be able to access the data. Another business requirement is to be able to search data in Azure Blob Storage effectively & efficiently via Azure Cognitive Services or other similar/better services. I'd greatly appreciate any help or guidance or lessons learnt from anyone out there who have done similar migration of data from OpenText Content Server to Azure Blob Storage with any experiences to share. It would be great to hear what techniques were used and how successful were you in migrating the data and what reconciliation methods were used to ensure all the data (i.e. size & number of files/folders) to ensure all the data was migrated successfully. Thanks for your time and effort in advance.
4.2K Views 0 likes 1 Comment

Securely host files on Azure blob for Django/React app
I'm writing an app in Django/React that needs access to large amounts of files (think file share). I am storing the metadata for the files in a database, and users will be able to select the file from the app to download it. I'd prefer to use App service, SQL DB, and storage separately. What is a secure approach to provide a download link without a public CDN (controlling the authorization through the app)? Just looking for high level architecture because I haven't found any approaches online.
1.5K Views 1 like 0 Comments