Microsoft recommends using Microsoft Entra ID to authorize requests against blob, queue, and table data if possible, rather than using the account keys (Shared Key authorization). Rotate your keys if you believe they might have been compromised.
Always be careful to protect your access keys. Storage account access keys provide full access to the configuration of a storage account, as well as its data, so access to the shared keys should be carefully limited and monitored. Avoid hard-coding access keys or saving them anywhere in plain text that is accessible to others. Use SAS tokens with a limited scope of access in scenarios where Microsoft Entra ID based authorization can't be used. Use Azure Key Vault to manage and rotate your keys securely.
When you create a storage account, Azure generates two 512-bit storage account access keys for that account. These keys can be used to authorize access to data in your storage account via Shared Key authorization, or via SAS tokens that are signed with the shared key. Microsoft recommends that you use Azure Key Vault to manage your access keys, and that you regularly rotate and regenerate your keys. Using Azure Key Vault makes it easy to rotate your keys without interruption to your applications.
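A check for the hard-coded keys warned about above, added here as an example that is not part of the original page: a 512-bit key is 64 bytes, so in a file it appears as an 88-character base64 string ending in `==`. The function name, the sample file contents and the `AccountKey=` connection-string heuristic are assumptions of this example.

```python
import base64
import binascii
import re

# A 512-bit key is 64 bytes: 86 base64 characters followed by "==" padding.
# The lookbehind stops a match from starting inside a longer base64 blob.
CANDIDATE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{86}==")
# Assumption: keys are often pasted as the AccountKey field of a connection string.
CONN_FIELD = re.compile(r"AccountKey\s*=\s*$", re.IGNORECASE)


def find_hardcoded_keys(text, source="<input>"):
    """Return (source, line_no, kind, redacted) for each likely account key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            token = match.group(0)
            try:
                raw = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64 after all
            if len(raw) != 64:
                continue  # guard in case the pattern above is edited
            in_conn = CONN_FIELD.search(line[:match.start()])
            kind = "connection-string" if in_conn else "bare-512-bit-value"
            # Never echo the secret itself into scanner output or logs.
            redacted = f"{token[:4]}...({len(token)} chars)"
            findings.append((source, line_no, kind, redacted))
    return findings


# Constructed sample data: the "key" is bytes 0..63, not a real account key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_CONFIG = "\n".join([
    "# constructed sample file",
    "DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey="
    + SAMPLE_KEY + ";EndpointSuffix=core.windows.net",
    "storage_key: " + SAMPLE_KEY,
    "thumbprint: " + "A" * 40,          # too short to be a 512-bit key
    "key_ref: loaded from Key Vault at runtime",
])

if __name__ == "__main__":
    for finding in find_hardcoded_keys(SAMPLE_CONFIG, "sample.env"):
        print(*finding)
```

Any value this flags in source control or shared configuration should be treated as exposed: regenerate that key and have the application read it from Key Vault instead.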