Azure Data Explorer is a distributed database running on a cluster of compute nodes in Microsoft Azure. It is based on relational database management systems (RDBMS), supporting entities such as databases, tables, functions, and columns. The Microsoft Azure Storage Explorer app is used to easily and comfortably manage your Azure storage resources from a Microsoft Windows PC, an Apple Mac, or a Linux PC. All identities are in the same Azure Active Directory so it was easy to add him to the 'Reader' role in the Access Control blade of the Azure portal. When he opens Microsoft Azure Storage Explorer the subscription and storage account are visible but the node for Blob Containers can't be expanded.
Microsoft Azure Storage Explorer enables you to easily work with Azure Storage data safely and securely on Windows, macOS, and Linux. By following these guidelines, you can ensure your data stays protected.
General
- Always use the latest version of Storage Explorer. Storage Explorer releases may contain security updates. Staying up to date helps ensure general security.
- Only connect to resources you trust. Data that you download from untrusted sources could be malicious, and uploading data to an untrusted source may result in lost or stolen data.
- Use HTTPS whenever possible. Storage Explorer uses HTTPS by default. Some scenarios allow you to use HTTP, but HTTP should be used only as a last resort.
- Ensure only the needed permissions are given to the people who need them. Avoid being overly permissive when granting anyone access to your resources.
- Use caution when executing critical operations. Certain operations, such as delete and overwrite, are irreversible and may cause data loss. Make sure you're working with the correct resources before executing these operations.
Choosing the right authentication method
Storage Explorer provides various ways to access your Azure Storage resources. Whatever method you choose, here are our recommendations.
Azure AD authentication
The easiest and most secure way to access your Azure Storage resources is to sign in with your Azure account. Signing in uses Azure AD authentication, which allows you to:
- Give access to specific users and groups.
- Revoke access to specific users and groups at any time.
- Enforce access conditions, such as requiring multi-factor authentication.
We recommend using Azure AD authentication whenever possible.
This section describes the two Azure AD-based technologies that can be used to secure your storage resources.
Azure role-based access control (Azure RBAC)
Azure role-based access control (Azure RBAC) gives you fine-grained access control over your Azure resources. Azure roles and permissions can be managed from the Azure portal.
Storage Explorer supports Azure RBAC access to Storage Accounts, Blobs, and Queues. If you need access to File Shares or Tables, you'll need to assign Azure roles that grant permission to list storage account keys.
Access control lists (ACLs)
Access control lists (ACLs) let you control file and folder level access in ADLS Gen2 blob containers. You can manage your ACLs using Storage Explorer.
Shared access signatures (SAS)
If you can't use Azure AD authentication, we recommend using shared access signatures. With shared access signatures, you can:
- Provide anonymous limited access to secure resources.
- Revoke a SAS immediately if generated from a shared access policy (SAP).
However, with shared access signatures, you can't:
- Restrict who can use a SAS. A valid SAS can be used by anyone who has it.
- Revoke a SAS if not generated from a shared access policy (SAP).
When using SAS in Storage Explorer, we recommend the following guidelines:
- Limit the distribution of SAS tokens and URIs. Only distribute SAS tokens and URIs to trusted individuals. Limiting SAS distribution reduces the chance a SAS could be misused.
- Only use SAS tokens and URIs from entities you trust.
- Use shared access policies (SAP) when generating SAS tokens and URIs if possible. A SAS based on a shared access policy is more secure than a bare SAS, because the SAS can be revoked by deleting the SAP.
- Generate tokens with minimal resource access and permissions. Minimal permissions limit the potential damage that could be done if a SAS is misused.
- Generate tokens that are only valid for as long as necessary. A short lifespan is especially important for bare SAS, because there's no way to revoke them once generated.
Important
When sharing SAS tokens and URIs for troubleshooting purposes, such as in service requests or bug reports, always redact at least the signature portion of the SAS.
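The guidelines above can be checked mechanically before a SAS is handed out. The following is an added example, not code from the original page or from Storage Explorer: it reads the standard SAS query parameters (`si`, `sp`, `se`, `spr`, `sig`), reports deviations from the guidelines, and returns a copy of the URI with the signature redacted. The sample URIs, the 24-hour lifetime threshold, and the treatment of anything beyond read/list as excessive are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

MAX_LIFETIME = timedelta(hours=24)  # assumed policy threshold, not an Azure limit
READ_ONLY = set("rl")               # sp letters for read and list
SAMPLE_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)  # fixed clock for the samples

# Constructed sample URIs; the account, container, policy and signature are placeholders.
BARE_SAS = ("https://exampleaccount.blob.core.windows.net/reports?sv=2022-11-02&sr=c"
            "&sp=rwdl&st=2024-05-01T00:00:00Z&se=2025-05-01T00:00:00Z"
            "&spr=https,http&sig=CONSTRUCTED-PLACEHOLDER-SIGNATURE")
POLICY_SAS = ("https://exampleaccount.blob.core.windows.net/reports?sv=2022-11-02&sr=c"
              "&si=example-read-policy&spr=https&sig=CONSTRUCTED-PLACEHOLDER-SIGNATURE")

def _parse_time(value):
    """Parse a SAS timestamp (ISO 8601 UTC, optionally date-only)."""
    if len(value) == 10:
        value += "T00:00:00Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_sas(uri, now=None):
    """Return (findings, redacted_uri) for one SAS URI."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(uri)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    q = dict(pairs)
    findings = []
    if "si" not in q:
        findings.append("bare SAS: no shared access policy (si), so it cannot be revoked")
    if parts.scheme != "https" or q.get("spr", "https,http") != "https":
        findings.append("HTTP is permitted: use an https URI with spr=https")
    extra = set(q.get("sp", "")) - READ_ONLY
    if extra:
        findings.append("permissions beyond read/list: " + "".join(sorted(extra)))
    if "se" in q:
        remaining = _parse_time(q["se"]) - now
        if remaining > MAX_LIFETIME:
            findings.append(f"valid for another {remaining.days} days")
    # Rebuild the URI with the signature removed so it is safe to paste into a ticket.
    safe_pairs = [(k, "REDACTED" if k == "sig" else v) for k, v in pairs]
    redacted = urlunsplit(parts._replace(query=urlencode(safe_pairs, safe=":,")))
    return findings, redacted

if __name__ == "__main__":
    for name, uri in (("bare", BARE_SAS), ("policy", POLICY_SAS)):
        findings, redacted = audit_sas(uri, SAMPLE_NOW)
        print(name, redacted)
        for f in findings:
            print("  -", f)
```

For a policy-based SAS the permissions and expiry may live in the shared access policy rather than in the token, so an empty result for such a URI means only that the token itself adds nothing risky.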
Storage account keys
Storage account keys grant unrestricted access to the services and resources within a storage account. For this reason, we recommend limiting the use of keys to access resources in Storage Explorer. Use Azure RBAC features or SAS to provide access instead.
Some Azure roles grant permission to retrieve storage account keys. Individuals with these roles can effectively circumvent permissions granted or denied by Azure RBAC. We recommend not granting this permission unless it's necessary.
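To find which roles carry that permission, the role definitions can be checked for the `Microsoft.Storage/storageAccounts/listKeys/action` operation, including wildcard grants and `notActions` exclusions. This is an added example, not part of the original page: it assumes role definitions in the JSON shape emitted by `az role definition list` (`roleName`, `permissions[].actions`, `permissions[].notActions`), and the sample roles and their names are constructed.

```python
from fnmatch import fnmatchcase

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"

# Constructed sample role definitions (hypothetical names) in the assumed JSON shape.
SAMPLE_ROLES = [
    {"roleName": "sample-full-contributor",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Write"]}]},
    {"roleName": "sample-read-only",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "sample-reader-with-keys",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/read",
                                  "Microsoft.Storage/storageAccounts/listkeys/action"],
                      "notActions": []}]},
    {"roleName": "sample-storage-admin-no-keys",
     "permissions": [{"actions": ["Microsoft.Storage/*"],
                      "notActions": [LIST_KEYS]}]},
    {"roleName": "sample-blob-data-reader",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
                      "notActions": [],
                      "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]}]},
]

def _matches(patterns, action):
    """Case-insensitive match of an action against patterns that may contain '*'."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def grants_key_access(role):
    """True if a permission block allows listKeys and does not exclude it again."""
    for perm in role.get("permissions", []):
        allowed = _matches(perm.get("actions", []), LIST_KEYS)
        excluded = _matches(perm.get("notActions", []), LIST_KEYS)
        if allowed and not excluded:
            return True
    return False

def roles_exposing_keys(role_definitions):
    """Names of the roles whose holders can retrieve storage account keys."""
    return [r["roleName"] for r in role_definitions if grants_key_access(r)]

if __name__ == "__main__":
    for name in roles_exposing_keys(SAMPLE_ROLES):
        print("can retrieve account keys:", name)
```

Note that a broad `*` grant is reported even though it never names the storage operation, while a read-only `*/read` grant is not.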
Storage Explorer will attempt to use storage account keys, if available, to authenticate requests. You can disable this feature in Settings (Services > Storage Accounts > Disable Usage of Keys). Some features don't support Azure RBAC, such as working with Classic storage accounts. Such features still require keys and are not affected by this setting.
If you must use keys to access your storage resources, we recommend the following guidelines:
- Don't share your account keys with anyone.
- Treat your storage account keys like passwords. If you must make your keys accessible, use secure storage solutions such as Azure Key Vault.
Note
If you believe a storage account key has been shared or distributed by mistake, you can generate new keys for your storage account from the Azure portal.
Public access to blob containers
Storage Explorer allows you to modify the access level of your Azure Blob Storage containers. Non-private blob containers allow anyone anonymous read access to data in those containers.
When enabling public access for a blob container, we recommend the following guidelines:
- Don't enable public access to a blob container that may contain any potentially sensitive data. Make sure your blob container is free of all private data.
- Don't upload any potentially sensitive data to a blob container with Blob or Container access.
Storage accounts provide a flexible solution that keeps data as files, tables, and messages. With Azure Storage Explorer, it's easy to read and manipulate this data.
You want to enable your engineers to manage the data stored in Azure Storage, so they can maintain the data that your CRM application uses. You want to assess whether they can use Storage Explorer for this purpose.
Here, you'll learn about Storage Explorer, and how you can use it to manage data from multiple storage accounts and subscriptions. You'll learn different ways of using Storage Explorer to connect to your data, Azure Stack, and data held in Azure Cosmos DB and Azure Data Lake.
What is Storage Explorer?
Storage Explorer is a GUI application developed by Microsoft to simplify access to, and the management of, data stored in Azure storage accounts. Storage Explorer is available on Windows, macOS, and Linux.
Some of the benefits of using Storage Explorer are:
- It's easy to connect to and manage multiple storage accounts.
- The interface lets you connect to Azure Cosmos DB and Data Lake.
- You can also use the interface to update and view entities in your storage accounts.
- Storage Explorer is free to download and use.
With Storage Explorer, you can perform a range of storage and data operation tasks on any of your Azure storage accounts. These tasks include edit, download, copy, and delete.
Supported software versions
The Azure Storage Explorer application runs on the following versions of these platforms:
Operating system | Version |
---|---|
Windows | Windows 10 (Recommended), Windows 8, or Windows 7 |
macOS | macOS 12.12 Sierra and later |
Linux | Ubuntu 18.04 x64, Ubuntu 16.04 x64, or Ubuntu 14.04 x64 |
Azure Storage types
Azure Storage Explorer can access many different data types from services like these:
- Azure Blob storage. Blob storage is used to store unstructured data as a binary large object (blob).
- Azure Table storage. Table storage is used to store NoSQL, semi-structured data.
- Azure Files. Azure Files is a file-sharing service that enables access through the Server Message Block protocol, similar to traditional file servers.
- Azure Data Lake Storage. Azure Data Lake, based on Apache Hadoop, is designed for large data volumes and can store unstructured and structured data.
Manage multiple storage accounts in multiple subscriptions
If you have multiple storage accounts across multiple subscriptions in your Azure tenant, managing them through the Azure portal can be time-consuming. Storage Explorer gives you the ability to manage the data stored in multiple Azure storage accounts and across Azure subscriptions.
Use local emulators
During the development phase of your project, you might not want developers to incur additional costs by using Azure storage accounts. In those cases, you can use a locally based emulator. Storage Explorer supports two emulators: Azure Storage Emulator and Azurite.
- Azure Storage Emulator uses a local instance of Microsoft SQL Server 2012 Express LocalDB. It emulates the Azure Table, Queue, and Blob storage.
- Azurite, which is based on Node.js, is an open-source emulator that supports most Azure Storage commands through an API.
Storage Explorer requires the emulator to be running before you open it. Connecting to your emulator is no different from connecting to Azure storage accounts. However, you'll choose the Attach to a local emulator connection type.
All locally emulated storage connection types appear in Local & Attached > Storage accounts.
Connecting Storage Explorer to Azure
There are several ways to connect your Storage Explorer application to your Azure storage accounts.
You need two permissions to access your Azure storage account: management and data. However, you can use Storage Explorer with only there prompted, provide the type of resource that you're connecting to.
It's crucial to select the correct resource type because it changes the information that you need to enter.
Any connections that you create through this approach will appear in the resource tree, in this branch: Local & attached > Storage Accounts > Attached Containers > Blob.
Connect by using a shared access signature URI
A shared access signature (SAS) URI is an unambiguous identifier that's used to access your Azure Storage resources.
With this connection method, you'll use a SAS URI for the required storage account. You'll need a SAS URI whether you want to use a file share, table, queue, or blob container. You can get a SAS URI either from the Azure portal or from Storage Explorer.
To add a SAS connection:
- Open Storage Explorer.
- Connect to your Azure storage account.
- Select the connection type: shared access signature (SAS) URI.
- Provide a meaningful name for the connection.
- When you're prompted, provide the SAS URI.
- Review and verify the connection details, and then select Connect.
When you've added a connection, it appears in the resource tree as a new node. You'll find the connection node in this branch: Local & attached > Storage Accounts > Attached Container > Service.
Connect by using a storage account name and key
To connect to a storage account on Azure quickly, you use the account key that's associated with the storage. To find the storage access keys from the Azure portal, go to the correct storage account page and select access keys.
To add a connection:
- Open Storage Explorer.
- Connect to your Azure storage account.
- Select the connection type: storage account name and key.
- Provide a meaningful name for the connection.
- When you're prompted, provide the name of the storage account and either of the account keys needed to access it.
- From the provided list, select the storage domain that you want to use.
- Review and verify the connection details, and then select Connect.
When the connection is added, it appears in the resource tree as a connection node. The connection node is in this branch: Local & attached > Storage Accounts.
Manage Azure Cosmos DB and Data Lake
You can use Storage Explorer to access and manage data stored in Azure Cosmos DB and Data Lake.
To connect to an Azure Cosmos DB service, you'll need to use a connection string. You get a connection string by accessing the Azure Cosmos DB configuration through the Azure portal.
To connect to a Data Lake service, you'll need the URI associated with the data lake. Presently, Storage Explorer supports only Data Lake Storage Gen1. Data Lake Storage Gen2 is currently in preview, and support will be available through Storage Explorer. Using a URI allows you to access resources that aren't in your subscription. When you have the URI of the resource that you want to access, you connect to it by using the Data Lake Storage Gen1 option.