
Azure Storage Accounts Explained for AZ-104

Before you store anything in Azure, you create a storage account. That account is the container for everything: blobs, files, queues, tables. But the storage account itself is not a single choice. The account type determines what services are available, which performance tier you get, and what replication options you can configure. Get this decision wrong and you pay for capabilities you cannot use, or you discover mid-project that your account type does not support the redundancy level compliance requires. The AZ-104 exam focuses on account types, replication options, access tiers, and the different authorization methods available for storage accounts.


Account types, performance, and redundancy

Standard general-purpose v2 is the default storage account type and supports all four storage services: blob, file, queue, and table. It uses magnetic hard disk storage and is appropriate for most workloads that do not require premium performance. Premium storage accounts use SSD storage for low latency and high I/O but are more specialized: Premium block blobs for blob workloads requiring sub-millisecond latency, Premium file shares for enterprise file workloads needing high IOPS, and Premium page blobs for high-performance virtual machine disk storage.

Redundancy determines how many copies Azure keeps of your data and where. Locally Redundant Storage (LRS) keeps three synchronous copies within a single datacenter in one region. Zone-Redundant Storage (ZRS) keeps three copies across three Availability Zones within one region, protecting against datacenter failure. Geo-Redundant Storage (GRS) replicates to a paired region asynchronously, protecting against regional disasters, but the secondary is readable only after Microsoft initiates a failover. Read-Access Geo-Redundant Storage (RA-GRS) makes the secondary readable at all times without waiting for a failover. Geo-Zone-Redundant Storage (GZRS) combines ZRS in the primary with geo-replication to the secondary.

Replication options affect your recovery point objective (RPO) and recovery time objective (RTO). ZRS and GZRS protect against zone failures with synchronous replication and zero data loss. GRS and RA-GRS protect against regional disasters but with asynchronous replication, so there is a small potential for data loss in an outage (the replication lag). For data that must survive any failure with zero loss, GZRS with read access (RA-GZRS) is the highest protection tier.

Access authorization and lifecycle management

Storage accounts support several authorization methods. Storage account keys are 512-bit shared secrets that grant full access to the entire account. Anyone who has a storage account key can read, write, and delete everything in the account. Shared Access Signatures (SAS) are signed URLs that grant time-limited, scoped access to specific resources, specific operations, and specific IP ranges. A user delegation SAS is signed with Azure AD credentials rather than account keys, which is the preferred approach for user-facing access because it does not expose account keys.

Azure Active Directory (now Microsoft Entra ID) integration with RBAC (Role-Based Access Control) is the recommended approach for authorizing application and user access to storage. Instead of distributing account keys, you assign roles like Storage Blob Data Reader or Storage Blob Data Contributor to identities. This follows the principle of least privilege and integrates with Conditional Access, audit logs, and identity governance.
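The authorization methods above leave traces in the SAS URL itself: a user delegation SAS carries the signing identity (skoid/sktid), and the sp, se, sip and spr parameters express the operation, time and network scope. The following added example (not from the original page) audits a SAS URL for the over-broad settings the text warns about; the two sample URLs and their sig values are constructed placeholders.

```python
"""Audit an Azure Storage SAS URL for over-broad scope (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample URLs; the sig values are placeholders, not real signatures.
SAMPLE_SAS = {
    # Account-key service SAS: read/write/delete/list, no IP range, one-year lifetime.
    "broad": ("https://contoso.blob.core.windows.net/data/report.csv"
              "?sv=2022-11-02&sr=b&sp=rwdl&st=2024-01-01T00:00:00Z"
              "&se=2025-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"),
    # User delegation SAS: read-only, one-hour window, IP-restricted, HTTPS only.
    "scoped": ("https://contoso.blob.core.windows.net/data/report.csv"
               "?sv=2022-11-02&sr=b&sp=r&st=2024-01-01T00:00:00Z"
               "&se=2024-01-01T01:00:00Z&sip=203.0.113.0-203.0.113.255&spr=https"
               "&skoid=00000000-0000-0000-0000-000000000000"
               "&sktid=00000000-0000-0000-0000-000000000000&sig=PLACEHOLDER"),
}

def parse_sas(url: str) -> dict:
    """Return the SAS query parameters of a URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def _utc(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used by the st/se parameters."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(url: str, max_lifetime: timedelta = timedelta(hours=24)) -> tuple:
    """Return (kind, findings); an empty findings list means the SAS is tightly scoped."""
    p = parse_sas(url)
    findings = []
    # skoid/sktid appear only on a user delegation SAS (signed via an Entra ID identity).
    kind = "user-delegation" if "skoid" in p and "sktid" in p else "account-key"
    if kind == "account-key":
        findings.append("signed with the account key; prefer a user delegation SAS")
    if "se" not in p:
        findings.append("no expiry (se): the token never expires")
    elif "st" in p and _utc(p["se"]) - _utc(p["st"]) > max_lifetime:
        findings.append(f"lifetime exceeds {max_lifetime}")
    extra = set(p.get("sp", "")) - set("rl")  # anything beyond read and list
    if extra:
        findings.append(f"permissions '{p.get('sp')}' go beyond read-only")
    if "sip" not in p:
        findings.append("no IP range (sip): usable from any network")
    if p.get("spr", "https") != "https":
        findings.append("spr allows plain HTTP: token can be exposed in transit")
    return kind, findings
```

Run audit_sas on each entry of SAMPLE_SAS: the account-key URL produces five findings, the user delegation URL none.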

Lifecycle management policies automate tier transitions and deletion for blob data. A policy can move blobs that have not been accessed in 30 days from Hot to Cool, move blobs not accessed in 90 days to Cold, archive blobs after 180 days, and delete blobs after 365 days. Policies run daily, apply to all blobs or filtered subsets, and remove the manual overhead of managing data across tiers at scale.
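The 30/90/180/365-day schedule described above, written as the JSON rule structure a lifecycle management policy uses. This is an added example, not the page's or Microsoft's own code; the rule name, the logs/ prefix filter, and the ordering check are assumptions made here, and the daysAfterLastAccessTimeGreaterThan condition requires last access time tracking to be enabled on the account.

```python
"""Build and sanity-check a blob lifecycle management policy (added example)."""
import json

def build_lifecycle_policy(rule_name: str, prefix: str, cool_days: int = 30,
                           cold_days: int = 90, archive_days: int = 180,
                           delete_days: int = 365) -> dict:
    """Return a policy dict in the shape of the storage management policy rules.

    Thresholds count days since last access (daysAfterLastAccessTimeGreaterThan);
    daysAfterModificationGreaterThan is the alternative when access tracking is off.
    """
    steps = [("tierToCool", cool_days), ("tierToCold", cold_days),
             ("tierToArchive", archive_days), ("delete", delete_days)]
    # Sanity check added here: each stage should come after the previous one, so a
    # blob is not archived or deleted before it has passed through the cheaper tiers.
    days = [d for _, d in steps]
    if days != sorted(days) or len(set(days)) != len(days):
        raise ValueError(f"thresholds must strictly increase: {days}")
    actions = {name: {"daysAfterLastAccessTimeGreaterThan": d} for name, d in steps}
    return {
        "rules": [{
            "enabled": True,
            "name": rule_name,
            "type": "Lifecycle",
            "definition": {
                "actions": {"baseBlob": actions},
                # prefixMatch is "container/prefix"; blobTypes limits the rule to block blobs.
                "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},
            },
        }]
    }

def policy_json(policy: dict) -> str:
    """Serialise the policy for use as a JSON policy file (e.g. with the Azure CLI)."""
    return json.dumps(policy, indent=2)
```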

How to choose the correct answer

LRS: three copies in one datacenter, lowest cost, no zone or region protection. Suitable for dev/test or data that can be reconstructed.

ZRS: three copies across three zones, same region, zero data loss on zone failure. No geo-protection.

GRS: copies to paired region, secondary readable only after failover. Protects against region disasters.

RA-GRS: same as GRS but secondary is always readable. Use for read access to replicated data without waiting for failover.

GZRS: ZRS in primary plus geo-replication. Highest protection for production workloads with compliance requirements.

SAS token: time-limited, scoped access. Prefer user delegation SAS over account-key-based SAS.

Account keys: full access to entire account. Rotate regularly, consider switching to Entra ID RBAC instead.

Premium block blob accounts: cannot be changed to general-purpose v2 after creation. Choose correctly upfront.

Azure Storage redundancy options

Option  | Copies    | Scope                       | Secondary readable?  | Protects against
--------|-----------|-----------------------------|----------------------|-----------------------------------------
LRS     | 3         | Single datacenter           | No                   | Hardware failure within datacenter
ZRS     | 3         | Three zones, one region     | No (same region)     | Zone/datacenter failure
GRS     | 6 (3+3)   | Primary + paired region     | Only after failover  | Regional disaster
RA-GRS  | 6 (3+3)   | Primary + paired region     | Always               | Regional disaster with read availability
GZRS    | 6 (ZRS+3) | Three zones + paired region | Only after failover  | Zone and regional failure
RA-GZRS | 6 (ZRS+3) | Three zones + paired region | Always               | Maximum protection with read access

Key exam facts — AZ-104

  • General-purpose v2: supports all storage services (blob, file, queue, table). Standard default choice.
  • Premium accounts: SSD-based, specialized per workload (block blob, file shares, page blobs).
  • LRS: 3 copies, single datacenter. ZRS: 3 copies, 3 zones. GRS: 6 copies across 2 regions.
  • RA-GRS and RA-GZRS: secondary endpoint is always readable; its hostname is the account name with a -secondary suffix.
  • Account keys grant full account access. SAS grants scoped, time-limited access.
  • User delegation SAS: signed with Entra ID credentials, more secure than account-key SAS.
  • Lifecycle management: automatically tier blobs from Hot to Cool to Cold to Archive based on age or last access.

Common exam traps

Trap: "You can change a storage account's redundancy setting at any time without restrictions."

Some redundancy changes are straightforward (LRS to GRS for example), but converting between standard and premium accounts or between certain premium types is not supported. You cannot convert a premium block blob account to general-purpose v2. Plan the account type and redundancy carefully at creation time, especially for premium accounts.

Trap: "Sharing a storage account key is fine if the recipient only needs read access."

Storage account keys grant full administrative access to the entire storage account, including the ability to delete all data, modify access policies, and generate SAS tokens. If you need to grant read-only access, use a SAS token scoped to read operations, or assign the Storage Blob Data Reader RBAC role via Entra ID. Never share account keys for limited access scenarios.

Trap: "GRS means the secondary region is available for reads immediately during normal operation."

Standard GRS makes the secondary readable only after Microsoft initiates a failover, which happens only if Microsoft determines the primary region cannot be recovered. For read access to the secondary during normal operation, you need RA-GRS or RA-GZRS. The secondary endpoint URL uses a different hostname (accountname-secondary.blob.core.windows.net).
