Accessing blob item in Azure Storage using access token issued by Entra External ID

Question

Hi,

I'm attempting to access an item stored in Azure Blob storage via access token. The access token is sent in the Authorization header as a Bearer token. Public access and access keys have been disabled globally on the storage account, leaving Entra ID as the only means of authenticating requests against the storage account. I am able to access the document in question via the Azure Portal using my Entra ID account, so I have confirmed I have the relevant permissions necessary to perform the request.

The Vue application that I'm build uses the @azure/msal-browser package to request an access token from Entra ID before attempting to retrieve the document from Azure storage. Given the nature of the application, I prefer to avoid using SAS tokens. When requesting the access token for the request, I have tried every scope I can think of, and tinkered with the authority setting with little success. Every time I think I'm getting closer, I get one of the two following error messages:

<?xml version="1.0" encoding="utf-8"?>
<Error>
    <Code>AuthenticationFailed</Code>
    <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:1345cc3b-d01e-0039-275c-de966a000000
Time:2024-07-25T06:30:08.3540439Z</Message>
    <AuthenticationErrorDetail>Signature validation failed. Signature verification failed.</AuthenticationErrorDetail>
</Error>

<?xml version="1.0" encoding="utf-8"?>
<Error>
    <Code>AuthenticationFailed</Code>
    <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:5eeb5049-f01e-0011-125f-def7c2000000
Time:2024-07-25T06:55:14.2451440Z</Message>
    <AuthenticationErrorDetail>Issuer validation failed. Issuer did not match.</AuthenticationErrorDetail>
</Error>

I have also set the x-ms-version header to 2017-11-09 as outlined in some documentation to no avail. I have also set the www-authenticate header to Bearer authorization_uri=${authority} resource_id=https://{storage_account}.blob.core.windows.net (and tried the more generic resource_id=https://storage.azure.com). Authority in this instance refers to the authority set in the @azure/msal-browser configuration, but I also tried the Entra External ID's authorize endpoint too.

CORS is enabled on the storage account, but for testing purposes I have set it as permissive as possible. At any rate, the process fails whether I'm using a browser or Postman to initiate the request.

I'm at a loss on what to do - my understanding is that I should be able to access the resource if I present a valid access token generated by Entra ID for that tenant. Is it simply a case that Entra External ID cannot access Azure Storage using access tokens generated by @azure/msal-browser, or have I set a parameter wrong somewhere?

Answer 1

I've figured out the issue, thanks in part to Amrinder's post. It did turn out to be an issue with my @azure/msal-browser configuration, coupled with the wrong Azure Storage scope being requested (which Amrinder helpfully provided). Posting my solution for other's to try should they run into the same issue as me.

During my failed attempts to retrieve an access token for use with Azure Storage, the authority parameter in my @azure/msal-browser was set to my tenant specific url (i.e., https://{ENTRA_TENANT_NAME}.ciamlogin.com/{ENTRA_TENANT_ID}/v2.0. However, after I switched to the "generic" https://login.microsoftonline.com/{ENTRA_TENANT_NAME}.onmicrosoft.com authority, @azure/msal-browser retrieved the correct access token and I could access files stored on Azure Storage as expected.

Answer 2

Hi Swivel1660 - Thanks for reaching out over Q&A Forum

Based on the exception shared - <AuthenticationErrorDetail>Issuer validation failed. Issuer did not match.</AuthenticationErrorDetail> </Error>, on high level it appears that the tenant generating the token is probably different from that where the storage is residing and hence the exception. Please verify if that's the case.

Other possibility is regarding the scope while creating the token and should ideally be "**https://storage.azure.com/.default**" however I suspect the above one as primary issue.

Hope that helps!

Let me know if there are any queries/concerns, will be glad to assist.

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 3

Hello Swivel1660, I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

Issue: Customer unable to access an item stored in Azure Blob storage via access token.

Error Message:

<Error> <Code>AuthenticationFailed</Code> <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. 

Cause: Issue with @azure/msal-browser configuration, coupled with the wrong Azure Storage scope being requested.

Solution: Initially the access token for use with Azure Storage, the authority parameter used is @azure/msal-browser which was set to tenant specific url (i.e., https://{ENTRA_TENANT_NAME}.ciamlogin.com/{ENTRA_TENANT_ID}/v2.0. However, after switching to the "generic" https://login.microsoftonline.com/{ENTRA_TENANT_NAME}.onmicrosoft.com authority, @azure/msal-browser retrieved the correct access token and could able to access files stored on Azure Storage as expected., the issue got resolved.