It’s been query for almost all the customers and others Azure community members, How to control the storage accounts from specific user ID but at that time there is limitation and “Azure AD Authentication for Azure Storage is not available.”
It’s most awaited features and improvements of MS azure team and now it’s available for azure Blob storage accounts and Azure queue storage accounts not for Azure File Server.
Recently Microsoft Azure has released the Ad authentication for Azure storage accounts which will help us to provide security and control more granular level.
We can enable the access using the RBAC Roles and can control the access using the azure AD users and can control for specific ID rather then earlier we do share the SAS and Storage accounts key where was the chances to misuse those credentials
Storage Accounts Authentication
- Please select the storage accounts you want to give the access to users.
- Select the IAM
- Click on Add
- Select the below Roles :
Storage Blob Data Contribute Roles: It will allow the read, write and delete access to azure storage blob containers and Data.
Storage Blob Data reader Roles: It will allow the read access to azure storage blob containers and Data.
Storage Queue Data Contribute Roles: It will allow the read, write and delete access to azure storage queue and queue message.
Storage Queue Data reader Roles: It will allow the read access to azure storage queue and message.
AD Authentication for Azure Storage:
- Azure AD integration is available for the Blob and Queue services only in the preview.
- Azure AD integration is available for GPv1, GPv2, and Blob storage accounts in all public regions.
- It will supports only storage accounts created with the Resource Manager deployment model .
- Support for caller identity information in Azure Storage Analytics logging is coming soon.
- Azure AD authorization of access to resources in standard storage accounts is currently supported. Authorization of access to page blobs in premium storage accounts will be supported soon.
- Azure Storage supports both built-in and custom RBAC roles. You can assign roles scoped to the subscription, the resource group, the storage account, or an individual container or queue.
- The Azure Storage client libraries that currently support Azure AD integration include:
Please refer the MS Docs:
Authenticate access to Azure Storage using Azure Active Directory