Azure Storage Account Key

Detects Azure Storage account key patterns outside of full connection strings. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.

Type

regex

Engine

universal

Confidence

low

Confidence justification

Low confidence: generic Base64 pattern that may match other encoded data. Corroborative evidence keywords are essential for reliable detection. Added context gating and exclusion rules improve precision and reduce incidental matches.

Detection quality

Mixed

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth)

Frameworks

CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2

Data categories

credentials, security

Scope

wide

Risk rating

10

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible

Pattern

\b[A-Za-z0-9+/\s]{86,92}={0,2}\b

Corroborative evidence keywords

storage account, account key, storage key, Azure Storage, AccountKey, access key, blob, core.windows.net, api key, api_key, apikey, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential (+44 more)

Proximity: 300 characters

Should match

• AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA== — Base64 string matching Azure Storage key length (88 chars)
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUV== — Mixed case Base64 storage key
• 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000== — Storage key with placeholder numeric value

Should not match

• AAAAAAAAAAAAAAAAAAAAAAAAA== — Base64 string too short (24 chars)
• not-base64-format!! — Invalid Base64 characters
• template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

• Other Base64-encoded data that happens to be 88 characters, such as cryptographic hashes or encoded binary data. Mitigation: Require proximity to Azure Storage specific keywords to confirm context.
• Azure Storage documentation with example key values. Mitigation: Check for common placeholder patterns and documentation file types.

References

• Azure Storage account key entity definition - Microsoft Learn