Is cross tenant blob access possible in azure?

Alex, Alexon 71 Reputation points
2020-05-26T06:43:39.67+00:00

My customer has an Azure bucket and we need to read/write to this bucket. They won't be sharing their storage account credentials either.

This can be achieved in AWS by following this: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/ I have just created an IAM user and asked my customers to allow the necessary permissions in the bucket policy. Thus, with one IAM user and one set of credentials, I can write to multiple buckets belonging to multiple AWS accounts.

Is something like above also possible in Azure?


Accepted answer
Sumarigo-MSFT, 43,001 Reputation points, Microsoft Employee
2020-06-08T07:35:52.56+00:00

"Is it possible to cross tenant access WITHOUT using the customer credentials (even without shared access keys)?" Yes, this is possible: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-customize-ui

Note: The user should have access to the Guest account.

If the user and you are in different tenants, you need to invite them as a Guest and add permission to the storage account.

1. Once you are invited into the account (Guest) you don't need a Shared Access Signature permission.
2. You can provide different levels of access using IAM in the Azure portal without the storage account key. Additional information: refer to this MSDN thread, which provides detailed information on how RBAC works with AAD and more.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

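As an added example (not part of the accepted answer or any Microsoft sample), the code below shows what "access without the storage account key" looks like on the wire once the customer has assigned a data-plane role such as Storage Blob Data Contributor to your principal in their tenant. The only secret involved is your own application's client secret; the token is requested from the customer's tenant endpoint, because their RBAC assignments are evaluated against their directory, and the blob is written with a bearer token instead of a key or SAS. Tenant ID, app ID, account and container names are placeholders; the multi-tenant app registration and the role assignment are assumed to already exist.

```python
"""Key-less cross-tenant Put Blob using an Azure AD bearer token.

Added example, not code from the original thread. Assumptions (labelled):
  - our multi-tenant app has a service principal in the CUSTOMER's tenant
    (they granted admin consent to it), and
  - the customer assigned a data-plane role (e.g. Storage Blob Data
    Contributor) to that service principal on the account or container.
Control-plane roles such as Owner, Contributor or Storage Account
Contributor do not satisfy the second point: they allow listing the
account keys, but a bearer-token data call with only those roles fails
with 403 AuthorizationPermissionMismatch.
"""
import json
import urllib.parse
import urllib.request

STORAGE_SCOPE = "https://storage.azure.com/.default"   # data-plane audience
API_VERSION = "2020-10-02"                              # x-ms-version used below


def token_request(customer_tenant_id, client_id, client_secret):
    """Build the OAuth2 client-credentials request against the customer's
    tenant. Requesting the token from our own tenant would yield a token
    the customer's storage account does not accept for their RBAC scope."""
    url = f"https://login.microsoftonline.com/{customer_tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": STORAGE_SCOPE,
    }).encode()
    return url, body


def put_blob_request(account, container, blob, access_token, data):
    """Build a Put Blob request authorised only by the bearer token:
    no account key, no SAS, no shared-key signature header."""
    url = f"https://{account}.blob.core.windows.net/{container}/{urllib.parse.quote(blob)}"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "x-ms-version": API_VERSION,
        "x-ms-blob-type": "BlockBlob",
        "Content-Length": str(len(data)),
    }
    return url, headers


def explain_failure(status, body_text):
    """Map the two failures practitioners hit most often to their cause."""
    if status == 401:
        return "token rejected: wrong tenant endpoint, wrong scope, or expired token"
    if status == 403 and "AuthorizationPermissionMismatch" in body_text:
        return ("principal authenticated but has no data-plane role on this scope; "
                "a control-plane role (Owner/Contributor/Storage Account Contributor) "
                "is not enough")
    return f"unexpected HTTP {status}"


def get_token(customer_tenant_id, client_id, client_secret):
    url, body = token_request(customer_tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def upload_blob(account, container, blob, access_token, data):
    url, headers = put_blob_request(account, container, blob, access_token, data)
    req = urllib.request.Request(url, data=data, headers=headers, method="PUT")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status            # 201 Created on success
    except urllib.error.HTTPError as err:
        raise RuntimeError(explain_failure(err.code, err.read().decode(errors="replace")))


if __name__ == "__main__":
    # Placeholder values; replace with the customer's tenant and your app.
    tok = get_token("00000000-0000-0000-0000-000000000000", "<app-id>", "<app-secret>")
    print(upload_blob("customeracct", "uploads", "report.csv", tok, b"a,b\n1,2\n"))
```

The scope of the role assignment on the customer side can be the whole account or a single container; either way the call above is identical, which is the property the question is after: one principal, one secret you control, and the customer decides what it may touch.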

2 additional answers

Sumarigo-MSFT, 43,001 Reputation points, Microsoft Employee
2020-05-27T10:29:45.5+00:00

In your scenario, SAS would be the best option and could be kept on both sides to upload and download (Read, Write, Delete and List). If so, delegate access with a shared access signature. Using SAS you can set an expiry date and time for the storage account and also specify the IP address.

Please refer to this article and let me know if you need any further assistance on this query.

    Hope this helps!

    ----------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

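The answer above recommends a SAS with an expiry and an IP restriction. As an added example (not from the thread or from the Azure SDK), the block below builds such a service SAS for a single blob directly from the documented string-to-sign, so the constraints the answer mentions (short expiry, caller IP range, HTTPS only) are visible as signed fields rather than hidden behind a library call. The account name, container, blob and the base64 account key are constructed placeholders; the key is a fixed pattern, not a real key. Note the trade-off this thread is about: a service SAS is signed with the account key, so whoever mints it holds that key; a user delegation SAS (signed with a key obtained via Azure AD) avoids that but needs a live call to the service and is not shown here.

```python
"""Service SAS for one blob, signed with the account key (added example).

Implements the blob service SAS string-to-sign for version 2020-12-06:
16 newline-separated fields, HMAC-SHA256 with the base64-decoded key.
All names and the key below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

SAS_VERSION = "2020-12-06"
# Order in which the service expects blob permission letters to appear.
PERMISSION_ORDER = "racwdxyltmeop"


def canonical_permissions(perms):
    """Reject unknown letters and emit the remaining ones in service order."""
    unknown = set(perms) - set(PERMISSION_ORDER)
    if unknown:
        raise ValueError(f"unknown blob SAS permission(s): {''.join(sorted(unknown))}")
    return "".join(p for p in PERMISSION_ORDER if p in perms)


def _iso(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def blob_string_to_sign(account, container, blob, permissions, expiry,
                        start=None, ip_range=None, protocol="https"):
    """The exact bytes that get signed; exposed so a reviewer can see what
    the token does and does not bind (identifier, snapshot, encryption scope
    and the response-header overrides are left empty here)."""
    fields = [
        canonical_permissions(permissions),      # signedPermissions
        _iso(start) if start else "",            # signedStart
        _iso(expiry),                            # signedExpiry
        f"/blob/{account}/{container}/{blob}",   # canonicalizedResource
        "",                                      # signedIdentifier (no stored policy)
        ip_range or "",                          # signedIP
        protocol,                                # signedProtocol
        SAS_VERSION,                             # signedVersion
        "b",                                     # signedResource: a single blob
        "",                                      # signedSnapshotTime
        "",                                      # signedEncryptionScope
        "", "", "", "", "",                      # rscc, rscd, rsce, rscl, rsct
    ]
    return "\n".join(fields)


def blob_service_sas(account, account_key_b64, container, blob, permissions,
                     expiry, start=None, ip_range=None, protocol="https",
                     max_lifetime=timedelta(hours=1)):
    """Return the SAS query string (without the leading '?').
    Refuses to mint a token that lives longer than max_lifetime."""
    now = datetime.now(timezone.utc)
    if expiry - (start or now) > max_lifetime:
        raise ValueError("SAS lifetime exceeds policy")
    sts = blob_string_to_sign(account, container, blob, permissions, expiry,
                              start, ip_range, protocol)
    key = base64.b64decode(account_key_b64)
    sig = base64.b64encode(hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()).decode()
    params = {
        "sv": SAS_VERSION,
        "sr": "b",
        "sp": canonical_permissions(permissions),
        "se": _iso(expiry),
        "spr": protocol,
        "sig": sig,
    }
    if start:
        params["st"] = _iso(start)
    if ip_range:
        params["sip"] = ip_range
    return urllib.parse.urlencode(params)


if __name__ == "__main__":
    fake_key = base64.b64encode(b"\x01" * 64).decode()   # constructed, not a real key
    sas = blob_service_sas("custacct", fake_key, "uploads", "report.csv", "cw",
                           expiry=datetime.now(timezone.utc) + timedelta(minutes=15),
                           ip_range="203.0.113.0/24")
    print(f"https://custacct.blob.core.windows.net/uploads/report.csv?{sas}")
```

Hand the customer the minting side (or have them mint and send you the URL): the receiving side never sees the account key, and the signed `se`, `sip` and `spr` fields bound what a leaked URL is worth.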

Alex, Alexon, 71 Reputation points
2020-06-05T10:11:20.9+00:00

    I understood that we can use SAS for cross tenant access.

    My question is specific to,

1. Is it possible to have cross-tenant access WITHOUT using the customer's credentials (even without shared access keys)?
2. The customer has given permission for my account in their service account as "Storage Admin". If I still need the shared access keys from the customer, what is the meaning of this permission?

Why this question:

1. In AWS, if the customer gives permission to my IAM user, I can access their storage without any keys.
2. In GCP, if the customer gives permission to my IAM user, I can access their storage without any keys.