azure-storage

Use when designing or operating Azure Storage: picking between blobs, files, queues, and tables, then locking down access, tuning performance, and controlling cost.

Install confidence

curl --create-dirs -fsSL https://skillmake.xyz/i/azure-storage -o ~/.claude/skills/azure-storage/SKILL.md

Pinned content: sha:9ccc35fec315621f
Generated with: manual
Source: github.com

The file served at /api/marketplace/azure-storage-9ccc35fe/raw matches this hash. Inspect before install, then copy the command.

3,252 chars · ~813 tokens
---
name: azure-storage
description: "Use when designing or operating Azure Storage: picking between blobs, files, queues, and tables, then locking down access, tuning performance, and controlling cost."
source: https://github.com/microsoft/azure-skills/tree/main/skills/azure-storage
generated: 2026-05-25T02:43:57.540Z
category: platform
audience: devops
---

## When to use

- Choosing between Blob, Data Lake Gen2, Files, Queues, and Tables for a new workload instead of defaulting to blob for everything
- Locking a storage account down with private endpoints, network rules, and identity-based access instead of shared keys
- Tuning tiering, lifecycle, and redundancy to fit recovery objectives without overpaying for hot storage
- Tracking down a billing surprise by inspecting bandwidth, transaction, and operation costs

## Key concepts

### Account kinds and SKUs

StorageV2, BlockBlobStorage, and FileStorage have different performance tiers (Standard, Premium) and feature support. Picking the wrong kind locks out features like hierarchical namespace.

### Authentication ladder

Prefer Entra ID with RBAC over shared keys and shared access signatures. When SAS is required, prefer user-delegation SAS over account SAS so credentials are tied to an identity.

### Redundancy and recovery

LRS, ZRS, GRS, and GZRS trade cost for failure-domain coverage. Geo-redundant storage is asynchronous; do not assume RPO is zero.

### Lifecycle and access tiers

Hot, Cool, Cold, and Archive tiers reduce storage cost but increase retrieval cost and latency. Lifecycle management rules move blobs between tiers based on age and access patterns.

### Networking

Public endpoints, service endpoints, private endpoints, and firewall rules layer differently. A private endpoint combined with 'public network access: disabled' is the strict baseline for regulated data.
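
An added example (not part of the skill file or the microsoft/azure-skills project) that checks the Authentication ladder and Networking guidance above against storage account JSON. The sample records are constructed, and the field names are assumed to match `az storage account show -o json` output; a null `allowSharedKeyAccess` or `publicNetworkAccess` is treated as enabled, which is how the service interprets an unset value.

```python
import json

# Constructed sample shaped like `az storage account show -o json` output
# (assumed field names; account names and values are made up).
SAMPLE = json.loads("""
[
  {"name": "legacyacct", "allowSharedKeyAccess": null, "publicNetworkAccess": null,
   "networkRuleSet": {"defaultAction": "Allow"}, "privateEndpointConnections": []},
  {"name": "regulatedacct", "allowSharedKeyAccess": false, "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Deny"}, "privateEndpointConnections": [
     {"privateLinkServiceConnectionState": {"status": "Approved"}}]},
  {"name": "strandedacct", "allowSharedKeyAccess": false, "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Deny"}, "privateEndpointConnections": []}
]
""")


def audit(account):
    """Return findings for one account against the strict baseline."""
    findings = []
    # Only an explicit false disables shared keys; null/missing means allowed.
    if account.get("allowSharedKeyAccess") is not False:
        findings.append("shared-key-enabled")
    # Anything other than an explicit "Disabled" leaves the public endpoint on.
    if (account.get("publicNetworkAccess") or "Enabled") != "Disabled":
        findings.append("public-network-access-enabled")
        rules = account.get("networkRuleSet") or {}
        if rules.get("defaultAction", "Allow") == "Allow":
            findings.append("firewall-default-allow")
    approved = [
        c for c in account.get("privateEndpointConnections") or []
        if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    ]
    if not approved:
        # With public access disabled, no approved private endpoint means
        # the account has no network path left for clients.
        findings.append("no-approved-private-endpoint")
    return findings


def audit_all(accounts):
    """Map account name -> list of findings (empty list means compliant)."""
    return {a["name"]: audit(a) for a in accounts}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "OK" if not findings else ", ".join(findings))
```
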

## API reference

```
npx skills add microsoft/azure-skills --skill azure-storage
```

Install the Azure Storage skill bundle.

```
az storage account create / az storage blob upload (with --auth-mode login)
```

Create a storage account and upload using Entra ID auth instead of shared keys.

```
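# Create a general-purpose v2 account with locally redundant storage.
az storage account create -n mystorage -g rg -l eastus2 --sku Standard_LRS --kind StorageV2
# --auth-mode login uses the signed-in Entra ID identity: it needs a blob data role (e.g. Storage Blob Data Contributor), and the container must already exist.
az storage blob upload --account-name mystorage --container-name uploads --name doc.pdf --file ./doc.pdf --auth-mode login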
```

## Gotchas

- Disabling shared key access breaks tools and SDKs that quietly use account keys; migrate them to managed identity first
- Archive tier has a rehydration delay measured in hours; do not put hot-path data there for cost savings
- Lifecycle rules evaluate once per day, not in real time, so cost reductions show up the next billing cycle
- Cross-region copy for hierarchical-namespace accounts has different semantics than flat-namespace; check feature parity before relying on it
- Soft delete and versioning are separate features; enabling soft delete alone does not protect against overwrite of the same blob name

---
Generated by SkillMake from https://github.com/microsoft/azure-skills/tree/main/skills/azure-storage on 2026-05-25T02:43:57.540Z.
Verify against source before relying on details.

File: ~/.claude/skills/azure-storage/SKILL.md