-->

• Azure Storage Explorer Sign Into Your Account Blank
• Azure Storage Account Explorer
• Azure Storage Account Explorer Download
• Windows Azure Storage Explorer Download

Microsoft Azure Storage Explorer is a standalone app that makes it easy to work with Azure Storage data on Windows, macOS, and Linux. Storage Explorer can connect to a storage account using the storage account's name and key. You can find your account keys in the Azure portal. Open your storage account page and select Settings Access keys. In the Select Resource panel of the Connect to Azure Storage dialog, select Storage account.

Microsoft Azure Storage Explorer enables you to easily work with Azure Storage data safely and securely on Windows, macOS, and Linux. By following these guidelines, you can ensure your data stays protected.

General

• Always use the latest version of Storage Explorer. Storage Explorer releases may contain security updates. Staying up to date helps ensure general security.
• Only connect to resources you trust. Data that you download from untrusted sources could be malicious, and uploading data to an untrusted source may result in lost or stolen data.
• Use HTTPS whenever possible. Storage Explorer uses HTTPS by default. Some scenarios allow you to use HTTP, but HTTP should be used only as a last resort.
• Ensure only the needed permissions are given to the people who need them. Avoid being overly permissive when granting anyone access to your resources.
• Use caution when executing critical operations. Certain operations, such as delete and overwrite, are irreversible and may cause data loss. Make sure you're working with the correct resources before executing these operations.

Choosing the right authentication method

Storage Explorer provides various ways to access your Azure Storage resources. Whatever method you choose, here are our recommendations.

Azure AD authentication

The easiest and most secure way to access your Azure Storage resources is to sign in with your Azure account. Signing in uses Azure AD authentication, which allows you to:

• Give access to specific users and groups.
• Revoke access to specific users and groups at any time.
• Enforce access conditions, such as requiring multi-factor authentication.

We recommend using Azure AD authentication whenever possible.

This section describes the two Azure AD-based technologies that can be used to secure your storage resources.

Azure role-based access control (Azure RBAC)

Azure role-based access control (Azure RBAC) give you fine-grained access control over your Azure resources. Azure roles and permissions can be managed from the Azure portal.

Storage Explorer supports Azure RBAC access to Storage Accounts, Blobs, and Queues. If you need access to File Shares or Tables, you'll need to assign Azure roles that grant permission to list storage account keys.

Access control lists (ACLs)

Access control lists (ACLs) let you control file and folder level access in ADLS Gen2 blob containers. You can manage your ACLs using Storage Explorer.

Shared access signatures (SAS)

If you can't use Azure AD authentication, we recommend using shared access signatures. With shared access signatures, you can:

• Provide anonymous limited access to secure resources.
• Revoke a SAS immediately if generated from a shared access policy (SAP).

However, with shared access signatures, you can't:

• Restrict who can use a SAS. A valid SAS can be used by anyone who has it.
• Revoke a SAS if not generated from a shared access policy (SAP).

When using SAS in Storage Explorer, we recommend the following guidelines:

• Limit the distribution of SAS tokens and URIs. Only distribute SAS tokens and URIs to trusted individuals. Limiting SAS distribution reduces the chance a SAS could be misused.
• Only use SAS tokens and URIs from entities you trust.
• Use shared access policies (SAP) when generating SAS tokens and URIs if possible. A SAS based on a shared access policy is more secure than a bare SAS, because the SAS can be revoked by deleting the SAP.
• Generate tokens with minimal resource access and permissions. Minimal permissions limit the potential damage that could be done if a SAS is misused.
• Generate tokens that are only valid for as long as necessary. A short lifespan is especially important for bare SAS, because there's no way to revoke them once generated.

Important

When sharing SAS tokens and URIs for troubleshooting purposes, such as in service requests or bug reports, always redact at least the signature portion of the SAS.

Storage account keys

Storage account keys grant unrestricted access to the services and resources within a storage account. For this reason, we recommend limiting the use of keys to access resources in Storage Explorer. Use Azure RBAC features or SAS to provide access instead.

Some Azure roles grant permission to retrieve storage account keys. Individuals with these roles can effectively circumvent permissions granted or denied by Azure RBAC. We recommend not granting this permission unless it's necessary.

Storage Explorer will attempt to use storage account keys, if available, to authenticate requests. You can disable this feature in Settings (Services > Storage Accounts > Disable Usage of Keys). Some features don't support Azure RBAC, such as working with Classic storage accounts. Such features still require keys and are not affected by this setting.

If you must use keys to access your storage resources, we recommend the following guidelines:

• Don't share your account keys with anyone.
• Treat your storage account keys like passwords. If you must make your keys accessible, use secure storage solutions such as Azure Key Vault.

Note

If you believe a storage account key has been shared or distributed by mistake, you can generate new keys for your storage account from the Azure portal.

Public access to blob containers

Storage Explorer allows you to modify the access level of your Azure Blob Storage containers. Non-private blob containers allow anyone anonymous read access to data in those containers.

When enabling public access for a blob container, we recommend the following guidelines:

• Don't enable public access to a blob container that may contain any potentially sensitive data. Make sure your blob container is free of all private data.
• Don't upload any potentially sensitive data to a blob container with Blob or Container access.

Next steps

Storage Explorer 1.10.0 enables users to upload, download, and copy managed disks, as well as create snapshots. Because of these additional capabilities, you can use Storage Explorer to migrate data from on-premises to Azure, and migrate data across Azure regions.

Prerequisites

To complete this article, you'll need the following:

• An Azure subscription
• One or more Azure managed disks
• The latest version of Azure Storage Explorer

Connect to an Azure subscription

If your Storage Explorer isn't connected to Azure, you will not be able to use it to manage resources. This section goes over connecting it to your Azure account so that you can manage resources using Storage Explorer.

1. Launch Azure Storage Explorer and click the plug-in icon on the left.

2. Select Add an Azure Account, and then click Next.

3. In the Azure Sign in dialog box, enter your Azure credentials.

4. Select your subscription from the list and then click Apply.

Upload a managed disk from an on-prem VHD

1. On the left pane, expand Disks and select the resource group that you want to upload your disk to.

2. Select Upload.

3. In Upload VHD specify your source VHD, the name of the disk, the OS type, the region you want to upload the disk to, as well as the account type. In some regions Availability zones are supported, for those regions you can select a zone of your choice.

4. Select Create to begin uploading your disk.

5. The status of the upload will now display in Activities.

6. If the upload has finished and you don't see the disk in the right pane, select Refresh.

Azure Storage Explorer Sign Into Your Account Blank

Download a managed disk

The following steps explain how to download a managed disk to an on-prem VHD. A disk's state must be Unattached in order to be downloaded, you cannot download an Attached disk.

1. On the left pane, if it isn't already expanded, expand Disks and select the resource group that you want to download your disk from.

2. On the right pane, select the disk you want to download.

3. Select Download and then choose where you would like to save the disk.

4. Select Save and your disk will begin downloading. The status of the download will display in Activities.

Copy a managed disk

With Storage Explorer, you can copy a manged disk within or across regions. To copy a disk:

1. From the Disks dropdown on the left, select the resource group that contains the disk you want to copy.

2. On the right pane, select the disk you'd like to copy and select Copy.

3. On the left pane, select the resource group you'd like to paste the disk in.

4. Select Paste on the right pane.

5. In the Paste Disk dialog, fill in the values. You can also specify an Availability zone in supported regions.

6. Select Paste and your disk will begin copying, the status is displayed in Activities.

Azure Storage Account Explorer

Create a snapshot

1. From the Disks dropdown on the left, select the resource group that contains the disk you want to snapshot.

2. On the right, select the disk you'd like to snapshot and select Create Snapshot.

3. In Create Snapshot, specify the name of the snapshot as well as the resource group you want to create it in. Then select Create.

4. Once the snapshot has been created, you can select Open in Portal in Activities to view the snapshot in the Azure portal.

Azure Storage Account Explorer Download

Next steps

Learn how to Create a VM from a VHD by using the Azure portal.

Windows Azure Storage Explorer Download

Learn how to Attach a managed data disk to a Windows VM by using the Azure portal.