Public vs Private Access in Azure Blob Storage
Understanding Access Levels
Azure Blob Storage provides granular control over who can access your data.
Access Level Options
1. Private (No Anonymous Access)
- Default and recommended
- Requires authentication (key or managed identity)
- Use for: sensitive data, private documents
2. Blob (Anonymous Read Access for Blobs)
- Blobs can be read without authentication
- Anonymous clients cannot list the blobs in the container or access container metadata
- Use for: public assets (images, videos, static websites)
3. Container (Anonymous Read Access)
- Full read access to all blobs in container
- Can list blobs within the container
- Use for: sharing multiple public files
Setting Access Level
Via Portal
- Go to Storage Account → Containers
- Select container → Click Change access level
- Choose: Private, Blob, or Container
- Save
Via CLI
# Set container to public blob access (anonymous read of individual blobs)
az storage container set-permission \
    --name mycontainer \
    --account-name mystorage001 \
    --public-access blob

# Set container to private (no anonymous access)
az storage container set-permission \
    --name mycontainer \
    --account-name mystorage001 \
    --public-access off
When to Use Each
| Scenario | Access Level | Example |
|---|---|---|
| Private documents | Private | Database backups, personal files |
| Public website images | Blob | Website assets |
| Shared download folder | Container | Public download section |
Security Best Practices
- Default to Private - Always start with private access
- Use Managed Identities - Avoid storing account keys in code
- Enable Azure Defender - Monitor for suspicious access
- Use SAS Tokens - Generate time-limited access for specific files
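One way to enforce "Default to Private" is sketched below as an added example, not code from the original page: it compares each container's anonymous access level with an approved list and emits the `set-permission` command from the CLI section for any container that is more exposed than approved. The sample JSON and the `APPROVED` allowlist are constructed, and reading the level from `properties.publicAccess` in `az storage container list -o json` output is an assumption.

```python
import json

# Constructed sample shaped like `az storage container list -o json` output
# (assumption: the level is reported under properties.publicAccess).
SAMPLE = """[
  {"name": "backups",    "properties": {"publicAccess": "container"}},
  {"name": "web-assets", "properties": {"publicAccess": "blob"}},
  {"name": "downloads",  "properties": {"publicAccess": "container"}},
  {"name": "media",      "properties": {"publicAccess": "container"}},
  {"name": "invoices",   "properties": {"publicAccess": null}}
]"""

# Hypothetical allowlist: the highest anonymous level approved per container.
# Anything not listed must stay private.
APPROVED = {"web-assets": "blob", "downloads": "container", "media": "blob"}

# Ordering of the three levels the page describes, least to most exposed.
RANK = {"off": 0, "blob": 1, "container": 2}


def normalize(level):
    """Map null/None to 'off'; reject values the page does not define."""
    level = (level or "off").lower()
    if level not in RANK:
        raise ValueError(f"unknown access level: {level!r}")
    return level


def audit(containers_json, approved, account="mystorage001"):
    """Return (name, actual, allowed, fix_command) per over-exposed container."""
    findings = []
    for c in json.loads(containers_json):
        actual = normalize((c.get("properties") or {}).get("publicAccess"))
        allowed = normalize(approved.get(c["name"]))
        if RANK[actual] > RANK[allowed]:
            fix = (f"az storage container set-permission --name {c['name']} "
                   f"--account-name {account} --public-access {allowed}")
            findings.append((c["name"], actual, allowed, fix))
    return findings


if __name__ == "__main__":
    for name, actual, allowed, fix in audit(SAMPLE, APPROVED):
        print(f"{name}: is {actual!r}, approved {allowed!r}\n  fix: {fix}")
```

Feed it the real listing by saving the CLI output to a file and passing the file's contents as `containers_json`.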
Next Steps
- Learn about Connection Strings & Keys
- Explore SAS Tokens
Azure Integration Hub - Beginner Level