How To integrate An Azure Storage Account With Azure Active Directory

Introduction

Azure Storage leverages Azure Active Directory (AD) for client request authorization, offering the capability to employ role-based access control (RBAC) to confer permissions upon users, groups, or application service principals. These permissions can take on various roles, such as.

  • Storage Blob Data Owner
  • Storage Blob Data Contributor
  • Storage Blob Data Reader
  • Storage Blob Delegator

Upon successful client authentication, Entra ID furnishes an OAuth 2.0 token, which the client later employs to access Blob storage.

Opting for Microsoft Entra ID to authorize requests aimed at Azure Blob storage surpasses the use of access keys and Shared Access Signatures (SAS). It allows clients to utilize their existing accounts, ensuring that they access Blob storage with the least required privileges. Moreover, Azure AD serves as a safeguard against the inadvertent exposure of shared access keys and SAS URIs to unauthorized entities.

Step 1. Sign in to the Azure portal via https://portal.azure.com/.

Step 2. Navigate to your storage account in the Azure portal. In the storage account, navigate to Access Control (IAM).

navigate to Access Control

Step 3. In the Access Control (IAM) blade, select Add, then Add role assignment.

 Access Control (IAM)

Step 4. Select one of the Storage Blob roles in the Add role assignment section and click on the Next button.

 role assignment section

Step 5. In the Members blade, select a User group or service principal, search for the user account, and select it.

user account

Step 6. The selected user will be displayed under the Selected Member's section. Then click on the Select button to pick the user account.

Selected Member's section

Step 7. The selected user account will be displayed. Click on Review + Assign to assign the selected role.

assign the selected role

Summary

In this article, we learned how to integrate an Azure Storage Account with Azure Active Directory. Please use the comments section if you have any clarification.