Introduction
Azure Storage uses Azure Active Directory (AD) to authorize client requests, which lets you apply role-based access control (RBAC) to grant permissions to users, groups, or application service principals. These permissions are granted through built-in roles such as:
- Storage Blob Data Owner
- Storage Blob Data Contributor
- Storage Blob Data Reader
- Storage Blob Delegator
Once the client has authenticated, Entra ID issues an OAuth 2.0 token, which the client then presents to access Blob storage.
Using Microsoft Entra ID to authorize requests to Azure Blob storage is recommended over access keys and Shared Access Signatures (SAS). It lets clients use their existing accounts, so they access Blob storage with only the privileges they need. It also removes the risk of shared access keys and SAS URIs being accidentally exposed to unauthorized parties.
Step 1. Sign in to the Azure portal via https://portal.azure.com/.
Step 2. Navigate to your storage account in the Azure portal. In the storage account, navigate to Access Control (IAM).
Step 3. In the Access Control (IAM) blade, select Add, then Add role assignment.
Step 4. Select one of the Storage Blob roles in the Add role assignment section and click on the Next button.
Step 5. In the Members blade, select "User, group, or service principal", search for the user account, and select it.
Step 6. The selected user is listed under the Selected members section. Click the Select button to confirm the user account.
Step 7. The selected user account will be displayed. Click on Review + Assign to assign the selected role.
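The same assignment scripted with the Azure CLI, as an added example that is not part of the original article: it builds the RBAC scope (optionally narrowed to one container), picks the least-privileged role from the list above for what the principal needs to do, and prints the `az role assignment create` command for review. The subscription id, resource group, account name, container and principal object id are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example: CLI equivalent of the portal steps. All ids below are placeholders.

# Build the RBAC scope. Scoping to one container instead of the whole
# account keeps the assignment as narrow as possible.
storage_scope() {
  # $1 subscription id, $2 resource group, $3 storage account, $4 container (optional)
  scope="/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Storage/storageAccounts/$3"
  if [ -n "$4" ]; then
    scope="$scope/blobServices/default/containers/$4"
  fi
  printf '%s\n' "$scope"
}

# Map what the principal needs to do to the least-privileged built-in role:
# read -> Reader, write (read+write) -> Contributor, delegate (mint user
# delegation SAS) -> Delegator, own (also manage POSIX ACLs) -> Owner.
least_privilege_role() {
  case "$1" in
    read)     printf '%s\n' "Storage Blob Data Reader" ;;
    write)    printf '%s\n' "Storage Blob Data Contributor" ;;
    delegate) printf '%s\n' "Storage Blob Delegator" ;;
    own)      printf '%s\n' "Storage Blob Data Owner" ;;
    *)        return 1 ;;   # unknown need: refuse rather than over-grant
  esac
}

# Compose the command that performs Steps 3-7 (role, member, scope).
# $1 need, $2 principal object id, $3 principal type (User/Group/ServicePrincipal), $4 scope
assign_role_cmd() {
  role=$(least_privilege_role "$1") || return 1
  printf 'az role assignment create --role "%s" --assignee-object-id %s --assignee-principal-type %s --scope %s\n' \
    "$role" "$2" "$3" "$4"
}

# Usage with constructed placeholder values; the command is printed, not executed.
SCOPE=$(storage_scope 00000000-0000-0000-0000-000000000000 rg-example stexample logs)
assign_role_cmd read 11111111-1111-1111-1111-111111111111 User "$SCOPE"
```

Run the printed command after `az login` with an identity that holds Owner or User Access Administrator on the scope; it is the only step that reaches Azure.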
Summary
In this article, we learned how to integrate an Azure Storage Account with Azure Active Directory. Please use the comments section if you need any clarification.