Access control with Azure Active Directory for Azure Storage is now generally available

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

We are happy to share that access control for Azure Storage Blobs and Queues based on Azure Active Directory (AD) is now generally available. Enterprises can now use Azure role-based access control (RBAC) to grant users and service identities from their Azure AD tenant specific permissions on data. Administrators can then use Storage Analytics logs to track which users and services accessed which data. Storage accounts can be locked down further by removing the need for most users to hold the powerful storage account access keys at all.

By using Azure AD to authenticate users and services, enterprises get the full range of Azure AD capabilities, including two-factor authentication, conditional access, identity protection, and more. Roles can also be assigned "just-in-time" with Azure AD Privileged Identity Management (PIM), reducing the security risk that comes with standing administrative access.

Additionally, with managed identities for Azure resources, developers no longer need to manage application secrets when deploying secure Azure Storage applications.

When Azure AD authentication is combined with the new capabilities of Azure Data Lake Storage Gen2, users get fine-grained file- and folder-level access control using POSIX-style permissions and access control lists (ACLs).

RBAC for Azure resources can grant access to large sets of resources across a subscription or resource group, or to individual resources such as a storage account or a single blob container. Role assignments can be made through the Azure portal, Azure PowerShell, the Azure CLI, or Azure Resource Manager templates.

Azure AD authentication works with the standard Azure Storage tools: the Azure portal, Azure CLI, Azure PowerShell, Azure Storage Explorer, and AzCopy. For example, with the Azure CLI:

$ az login
Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"
You have logged in. Now let us find all the subscriptions to which you have access...
[
  {
    "cloudName": "AzureCloud",
    "id": "XXXXXXXX-YYYY-ZZZZ-AAAA-BBBBBBBBBBBB",
    "isDefault": true,
    "name": "My Subscription",
    "state": "Enabled",
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "user": {
      "name": "cbrooks@microsoft.com",
      "type": "user"
    }
  }
]

$ export AZURE_STORAGE_AUTH_MODE="login"

$ az storage blob list --account-name mysalesdata --container-name mycontainer --query [].name
[
  "salesdata.csv"
]

We strongly recommend using Azure AD to grant users access to data while restricting who can use the storage account access keys. In a typical setup, users are given the "Reader" role so that the storage account is visible to them in the portal, and the "Storage Blob Data Reader" role for read access to blob data. Users who need to create or modify blobs are given the "Storage Blob Data Contributor" role instead.
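The role pairing above, combined with the scope granularity described earlier, as an added example that is not part of the original post: an Azure CLI script that grants one user "Reader" on the storage account and "Storage Blob Data Reader" on a single container only, then reads the container with an Azure AD token. The subscription id, resource group, account, container and user principal name are placeholder values (assumptions).

```shell
#!/bin/sh
# Added example, not from the original post: grant one user least-privilege,
# Azure AD based read access to a single container, then read it with no
# storage account key. Requires the Azure CLI and rights to create role
# assignments at the chosen scope. Subscription id, resource group, account,
# container and user principal name are placeholder values (assumptions).
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-sales-rg}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-mysalesdata}"
CONTAINER="${CONTAINER:-mycontainer}"
USER_UPN="${USER_UPN:-analyst@example.com}"
# Dry-run by default: print the az commands instead of executing them.
AZ_DRY_RUN="${AZ_DRY_RUN:-1}"

# ARM resource id of the storage account: scope for the control-plane "Reader" role.
account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# Resource id of one blob container: the narrowest scope for a data-plane role,
# so the grant covers this container and nothing else in the account.
container_scope() {
  printf '%s/blobServices/default/containers/%s' "$(account_scope "$1" "$2" "$3")" "$4"
}

# Create a role assignment (role, assignee, scope); prints the command in dry-run mode.
assign_role() {
  if [ "$AZ_DRY_RUN" = "1" ]; then
    printf 'az role assignment create --role "%s" --assignee "%s" --scope "%s"\n' "$1" "$2" "$3"
  else
    az role assignment create --role "$1" --assignee "$2" --scope "$3" --output none
  fi
}

main() {
  acct=$(account_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")
  # "Reader" only makes the account visible in the portal; it grants no blob data access.
  assign_role "Reader" "$USER_UPN" "$acct"
  # "Storage Blob Data Reader" grants read access to blob data, here at container scope.
  assign_role "Storage Blob Data Reader" "$USER_UPN" "$(container_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER")"
  # The user then lists blobs with an Azure AD token (--auth-mode login); no key is involved.
  [ "$AZ_DRY_RUN" = "1" ] || az storage blob list --account-name "$STORAGE_ACCOUNT" \
    --container-name "$CONTAINER" --auth-mode login --query '[].name' --output tsv
}

main
```

Run as-is to print the planned role assignments; after `az login`, set `AZ_DRY_RUN=0` to apply them and list the container.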

For applications running on Azure resources or outside Azure, developers are encouraged to authenticate with managed identities or Azure AD service principals.

Azure AD access control for Azure Storage is now ready for production use across all Azure cloud environments.