Technical Lab: Manage Access Keys
Questions
Question 1 - Multiple Choice
A development team uses a storage account in Azure to store build artifacts. The CI/CD pipeline authenticates using the access key directly in the connection string. The security team requests an immediate key rotation without interrupting the production pipeline.
What is the correct sequence to perform this rotation with zero downtime?
A) Revoke key1, update the pipeline with key2, revoke key2 and generate a new key1.
B) Regenerate key1, update the pipeline with the regenerated key1 and monitor for failures.
C) Update the pipeline to use key2, regenerate key1 and, when necessary, migrate the pipeline to the regenerated key1.
D) Create a new storage account, migrate the data and update the pipeline with the new access key.
Question 2 - Technical Scenario
An administrator needs to audit who accessed the access keys of a storage account in the last month. He navigates to the Azure portal, opens the storage account and clicks on "Access keys".
When trying to verify the access history to the keys, he notices that the portal doesn't display this record directly.
Which resource should he use to obtain this information?
A) Microsoft Entra ID > Sign-in logs, filtering by the storage account service principal.
B) Azure Monitor > Activity Log, filtering by the listKeys operation.
C) Storage account > Diagnostics settings, enabling authentication logging.
D) Microsoft Defender for Cloud > Security alerts, checking key access alerts.
Question 3 - True or False
When regenerating an access key of a storage account, the other existing access key is automatically invalidated as a security measure, ensuring that only one active key exists at a time.
Question 4 - Technical Scenario
An application uses the following connection string to access a storage account:
DefaultEndpointsProtocol=https;AccountName=meuarmazenamento;AccountKey=ABC123...;EndpointSuffix=core.windows.net
The security team decides to revoke the use of access keys on the storage account, enabling the "Disable storage account key access" option in the portal.
What is the expected immediate impact on the application?
A) The application continues working because the key was already cached locally.
B) The application starts receiving authentication errors on requests to the storage account.
C) The connection string is invalidated, but ongoing requests are completed normally.
D) The application is automatically redirected to Microsoft Entra ID authentication.
Question 5 - Multiple Choice
A company wants to eliminate the use of access keys in their storage accounts and adopt a more secure authentication approach. Which alternative represents the most appropriate replacement, aligned with current Microsoft best practices for workloads running on Azure?
A) Shared Access Signatures (SAS) with short-duration tokens generated from the access key.
B) Managed Identity with role assignment via RBAC on the storage account.
C) Connection via VNet Service Endpoint with IP restriction on the storage account firewall.
D) Keys stored in Azure Key Vault, with the application retrieving them at runtime.
Answer Key and Explanations
Answer Key - Question 1
Answer: C
Explanation:
- The storage account always has two access keys (key1 and key2) precisely so that rotation can happen without downtime. The correct strategy is to migrate the active consumer to the secondary key, regenerate the primary one, and then migrate back if desired.
- Alternative B seems reasonable, but regenerating the key that is in use immediately causes failures for every request that still presents the previous value.
- Alternative A confuses "revoke" with "regenerate": there is no standalone operation that revokes a key without replacing it.
- Alternative D solves the problem, but it is a disproportionate approach and does not address the need to rotate keys; it only avoids it.
Answer Key - Question 2
Answer: B
Explanation:
- The Azure Monitor Activity Log records control plane (management plane) operations, including the Microsoft.Storage/storageAccounts/listKeys/action operation, which is triggered every time someone views or retrieves the access keys.
- Microsoft Entra ID Sign-in logs track user and service principal authentications, not operations on Azure resources.
- The storage account Diagnostics settings log data plane operations (reading and writing blobs, queues, etc.), not access to the keys themselves.
- Microsoft Defender for Cloud issues alerts based on threat heuristics; it does not provide an auditable history of specific operations.
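The audit described above can be carried out on the Activity Log export rather than by reading the portal. The following is an added example (not part of the lab and not an Azure SDK): it filters a set of Activity Log events down to the listKeys operation within an audit window and summarises which identities retrieved the keys. The events are a constructed sample in the JSON shape returned by `az monitor activity-log list` (operationName.value, caller, eventTimestamp, resourceId, status.value); the subscription id, account names, callers and timestamps are invented, and the window start is an assumption standing in for "the last month".

```python
import json
from collections import Counter
from datetime import datetime, timezone

LIST_KEYS_OP = "Microsoft.Storage/storageAccounts/listKeys/action"

# Constructed resource id prefix; the subscription id is a placeholder.
RESOURCE_PREFIX = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-build"
    "/providers/Microsoft.Storage/storageAccounts/"
)

# Constructed start of the audit window (stands in for "one month ago").
AUDIT_WINDOW_START = datetime(2024, 4, 15, tzinfo=timezone.utc)

# Constructed sample of Activity Log events; all values are invented.
SAMPLE_EVENTS = json.dumps([
    {"operationName": {"value": LIST_KEYS_OP}, "caller": "alice@example.com",
     "eventTimestamp": "2024-05-02T09:14:03.1234567Z",
     "resourceId": RESOURCE_PREFIX + "stbuildartifacts", "status": {"value": "Succeeded"}},
    {"operationName": {"value": "Microsoft.Storage/storageAccounts/write"}, "caller": "bob@example.com",
     "eventTimestamp": "2024-05-03T11:00:00Z",
     "resourceId": RESOURCE_PREFIX + "stbuildartifacts", "status": {"value": "Succeeded"}},
    {"operationName": {"value": LIST_KEYS_OP},
     "caller": "11111111-1111-1111-1111-111111111111",  # placeholder service principal object id
     "eventTimestamp": "2024-04-01T08:00:00Z",             # older than the audit window
     "resourceId": RESOURCE_PREFIX + "stbuildartifacts", "status": {"value": "Succeeded"}},
    {"operationName": {"value": LIST_KEYS_OP}, "caller": "carol@example.com",
     "eventTimestamp": "2024-05-10T16:45:12Z",
     "resourceId": RESOURCE_PREFIX + "stbuildartifacts", "status": {"value": "Succeeded"}},
    {"operationName": {"value": LIST_KEYS_OP}, "caller": "alice@example.com",
     "eventTimestamp": "2024-05-11T07:30:00Z",             # a different storage account
     "resourceId": RESOURCE_PREFIX + "stotheraccount", "status": {"value": "Succeeded"}},
])


def parse_activity_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'.

    Azure emits up to seven fractional digits, which datetime.fromisoformat
    does not accept on older Python versions, so the fraction is cut to six.
    """
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def list_keys_events(raw_json: str, since: datetime, account_name: str = "") -> list:
    """Return listKeys events at or after `since`, optionally for one account,
    oldest first. Each record carries when, caller, status and account name."""
    records = []
    for event in json.loads(raw_json):
        if event.get("operationName", {}).get("value") != LIST_KEYS_OP:
            continue                                   # not a key retrieval
        when = parse_activity_timestamp(event["eventTimestamp"])
        if when < since:
            continue                                   # outside the audit window
        account = event.get("resourceId", "").rsplit("/", 1)[-1]
        if account_name and account.lower() != account_name.lower():
            continue                                   # another storage account
        records.append({
            "when": when,
            "caller": event.get("caller"),
            "status": event.get("status", {}).get("value"),
            "account": account,
        })
    return sorted(records, key=lambda r: r["when"])


def callers_summary(records: list) -> Counter:
    """Count how many times each identity retrieved the keys."""
    return Counter(r["caller"] for r in records)


if __name__ == "__main__":
    hits = list_keys_events(SAMPLE_EVENTS, AUDIT_WINDOW_START, "stbuildartifacts")
    for r in hits:
        print(r["when"].isoformat(), r["caller"], r["status"], r["account"])
    print(callers_summary(hits))
```

A successful listKeys entry means the caller obtained the key values, so every caller in the summary should map to an expected person or automation; the Activity Log is retained for 90 days, so for a longer audit trail the log needs a diagnostic setting that forwards it to a Log Analytics workspace or storage.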
Answer Key - Question 3
Answer: False
Explanation:
- The two access keys are completely independent. Regenerating one key does not affect the other in any way. This is precisely the design that allows rotation without service interruption.
- The belief that regenerating one key invalidates the other is a common misconception that, if accepted, would lead an administrator to avoid rotation for fear of causing downtime, or to be puzzled about why applications keep working after a regeneration.
Answer Key - Question 4
Answer: B
Explanation:
- When the "Disable storage account key access" option is enabled, all requests authenticated via an access key, or via a SAS derived from an access key, are immediately rejected by the data plane. There is no grace period, and no local cache bypasses this.
- Alternative A is incorrect: Azure validates the key on the server with each request; there is no client-side credential cache that bypasses this verification.
- Alternative C is incorrect: in this revocation context there is no distinction between in-flight requests and new requests.
- Alternative D is incorrect: Azure does not redirect between authentication methods automatically; the application would need to be explicitly reconfigured to use Microsoft Entra ID.
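The behaviour behind Questions 1, 3 and 4 (rotation order, independence of the two keys, and the immediate effect of disabling key access) can be shown with a small model. The following is an added example, not code from the lab and not Azure's API: `StorageAccountModel`, `Pipeline` and the rotation functions are this example's own hypothetical names, and the key values are constructed. The model reproduces only the rules the answer key states: two independent keys, regeneration that replaces one key only, and server-side validation of every request.

```python
import secrets
from dataclasses import dataclass, field


class AuthError(Exception):
    """A shared-key request the modelled data plane rejected."""


def _new_key() -> str:
    # Constructed key material for the model; it stands in for the value Azure
    # would generate and is never a real account key.
    return secrets.token_urlsafe(48)


@dataclass
class StorageAccountModel:
    """Hypothetical model: two independent keys plus the
    'Disable storage account key access' switch."""
    keys: dict = field(default_factory=lambda: {"key1": _new_key(), "key2": _new_key()})
    allow_shared_key_access: bool = True

    def list_keys(self) -> dict:
        return dict(self.keys)

    def regenerate(self, name: str) -> str:
        # Only the named key gets a new value; the other key is untouched (Question 3).
        self.keys[name] = _new_key()
        return self.keys[name]

    def authenticate(self, presented: str) -> None:
        # Every request is checked against the current key values on the server
        # side, so nothing the client cached can keep an old value alive (Question 4).
        if not self.allow_shared_key_access:
            raise AuthError("shared key access is disabled on the account")
        if presented not in self.keys.values():
            raise AuthError("presented key matches neither key1 nor key2")


@dataclass
class Pipeline:
    """A consumer whose connection string embeds one key value."""
    account: StorageAccountModel
    key_value: str

    def upload(self) -> bool:
        self.account.authenticate(self.key_value)
        return True


def _attempt(pipeline: Pipeline) -> int:
    """Return 1 if one request fails with an auth error, 0 if it succeeds."""
    try:
        pipeline.upload()
        return 0
    except AuthError:
        return 1


def rotate_in_place(account: StorageAccountModel, pipeline: Pipeline) -> int:
    """Alternative B: regenerate the key the pipeline is using, then update it.
    Returns the number of failed requests; the window between the steps costs one."""
    account.regenerate("key1")
    failures = _attempt(pipeline)                      # old key1 value is now rejected
    pipeline.key_value = account.list_keys()["key1"]   # repair after the fact
    failures += _attempt(pipeline)
    return failures


def rotate_zero_downtime(account: StorageAccountModel, pipeline: Pipeline) -> int:
    """Alternative C: move the consumer to key2, regenerate key1, migrate back,
    then key2 can be regenerated as well. Returns the number of failed requests."""
    failures = 0
    pipeline.key_value = account.list_keys()["key2"]   # 1. consumer now presents key2
    failures += _attempt(pipeline)
    account.regenerate("key1")                         # 2. key1 is idle, safe to regenerate
    failures += _attempt(pipeline)                     #    key2 is unaffected, request succeeds
    pipeline.key_value = account.list_keys()["key1"]   # 3. migrate back to the new key1
    failures += _attempt(pipeline)
    account.regenerate("key2")                         # 4. key2 is idle now, rotate it too
    failures += _attempt(pipeline)
    return failures


def disable_key_access(account: StorageAccountModel, pipeline: Pipeline) -> tuple:
    """Flip the switch and compare one request before with one request after;
    the request after fails immediately, with no grace period."""
    before = _attempt(pipeline)
    account.allow_shared_key_access = False
    after = _attempt(pipeline)
    return (before, after)


def fresh_pipeline() -> tuple:
    """A new model account and a pipeline configured with its key1."""
    account = StorageAccountModel()
    return account, Pipeline(account, account.list_keys()["key1"])


if __name__ == "__main__":
    acct, pipe = fresh_pipeline()
    print("Alternative C failures:", rotate_zero_downtime(acct, pipe))          # 0
    acct, pipe = fresh_pipeline()
    print("Alternative B failures:", rotate_in_place(acct, pipe))               # 1
    acct, pipe = fresh_pipeline()
    print("before/after disabling key access:", disable_key_access(acct, pipe))  # (0, 1)
```

The ordering in `rotate_zero_downtime` is the whole point: a key is only ever regenerated while no consumer presents it, which is why a full rotation of both keys needs the consumer to move twice. In a real pipeline the "update the pipeline" steps are configuration changes that take time to propagate, so the check after each step should be an actual request against the account rather than an assumption.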
Answer Key - Question 5
Answer: B
Explanation:
- Managed Identity with RBAC is Microsoft's recommended approach for completely eliminating secrets and keys from workloads running on Azure. The managed identity authenticates via Microsoft Entra ID without any explicit credential in code or configuration.
- Alternative A still depends on the access key to generate the SAS token, and therefore does not eliminate the risk associated with keys.
- Alternative C restricts access by network, but does not replace the authentication mechanism; access keys would still be necessary.
- Alternative D reduces key exposure, but keeps the dependency on them. Key Vault is a good secret management practice, not a replacement for the key-based authentication model.