This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 65%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN4%3C/text%3E%3C/svg%3E)
I have a server side application which receives a users access token from a front end application.
Both applications are registered in an azure entra external id tenant. The access tokens are issued using CIAM config from these apps.
I want to be able to authenticate users from the server side application with azure blob storage in another tenant (which i also own).
What is the recommended authentication flow for doing this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 64%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENR%3C/text%3E%3C/svg%3E)
Hi, we hope the below answer helped if yes please accept the answer, else please let us know if you have any further queries.
Hi, we hope the below answer helped if yes please accept the answer, else please let us know if you have any further queries.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 2%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMI%3C/text%3E%3C/svg%3E)
I think
Register service principal in Blob Storage tenant.
Hello ND-4812,
Greetings! Welcome to Microsoft Q&A Platform.
To authenticate users from your server-side application with Azure Blob Storage in another tenant using CIAM-configured access tokens, there are different types of authentication processes they are Azure AD B2C (Entra External ID), Azure AD app registrations, and Managed Identity or service principals.
Azure AD B2C collects information from a user during registration or profile editing, then hand that data off to an external system via API. Then, during future authentications, Azure AD B2C can retrieve that data from the external system and, if needed, include it as a part of the authentication token response it sends to your application. https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview.
Registering Applications in Azure AD B2C (Entra External ID Tenant) from frontend application it is already configured to get the access tokens using CIAM. Make sure backend application is also registered in the Azure AD B2C tenant. Configure with the necessary API permissions. From frontend application get an access token from Azure AD B2C and sends it to the backend application. The backend application validates the access token to check whether it is authentic and has the necessary permissions. Now connect the Azure AD B2C tenant and the Azure AD tenant where the blob storage will be present, Register and configure the application to accept tokens from your Azure AD B2C tenant. Grant the necessary permissions to the registered application in the Azure AD tenant to access Blob Storage.You require a permission like "Blob Storage Contributor".
In the Azure AD tenant, use Managed Identity, Assign the required roles like Storage Blob Data Contributor to the service principal for the Blob Storage.
Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.
Managed Identities will allow to perform different operations Enable or disable managed identities at the resource level. Use role-based access control (RBAC) to grant permissions. View the create, read, update, and delete (CRUD) operations in Azure Activity logs. View sign in activity in Microsoft Entra ID sign in logs. https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview.
Then Configure your server-side application to use the client credentials to obtain an access token from the Azure AD tenant where Blob Storage is present.
A similar issue is discussed in the Answer section of the following SO thread: https://stackoverflow.com/questions/63206596/authenticate-to-blobserviceclient-using-clientsecretcredential-in-a-native-app
Here is the doc for your reference: https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory
Hope this answer helps! please let us know if you have any further queries. I’m happy to assist you further.
Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Thanks for your response
Can you please explain this step Now connect the Azure AD B2C tenant and the Azure AD tenant where the blob storage will be present - how can i do this? My front and backend apps are configured in the external ID tenant - how do I connect them to the blob storage tenant?
To connect your Azure AD B2C tenant with your Azure AD tenant to access Azure Blob Storage, you need to set up "cross-tenant access" and configure your applications to authenticate and obtain access tokens for the Blob Storage.
Below is the process to Achieve this:
Firstly, register an Application in the Azure AD Tenant, Sign in to your Azure portal of your Azure AD tenant, then Navigate to Azure Active Directory > App registrations > New registration, then give name for your application, Set the "Supported account types" to "Accounts in any organizational directory like Azure AD directory - Multitenant then register.
Next in the registered application, go to Certificates & secrets > New client secret. Add a description and set an expiration period. Click Add and copy the client secret value. Then in the Azure portal, go to your Blob Storage account. Select Access control (IAM) > Add role assignment. Choose the Storage Blob Data Contributor role. In the Assign access to dropdown, select Azure AD user, group, or service principal. Search for the service principal (application) you registered and select it. then Save it. Next configure the cross-tenant access
To configure the Cross-Tenant Access:
In the Azure AD Tenant Navigate to Azure Active Directory > External Identities > Cross-tenant access settings. Under Inbound access settings, click Add organization. Enter the B2C tenant domain or tenant ID. Set the Inbound access to allow users from the B2C tenant to access your resources. Give the permissions to the B2C tenant application like read and write data to Blob Storage. Then assign the roles like Storage Blob Data Contributor or Storage Blob Data Reader to the Blob Storage account-based on your requirement. Then use your token to access your Blob storage.
Here is the doc for your reference: https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview. https://learn.microsoft.com/en-us/entra/external-id/customers/overview-customers-ciam.
Hope this answer helps! please let us know if you have any further queries. I’m happy to assist you further.
Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Thanks for your reply.
Will this work for external tenants? Our tenants are not workforce tenants.
Thanks for your reply.
Does this apply to external tenants? Our tenants are not workforce tenants.
Yes, this setup can apply to external tenants as well. Azure AD B2C supports cross-tenant access, which allows you to manage collaboration with external Microsoft users via guest access.
Here are the key steps to ensure your external tenants can access Azure Blob Storage:
refer - https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview
,https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory.
Similar thread for reference - https://stackoverflow.com/questions/61714158/how-to-grant-azure-active-directory-b2c-users-permissions-on-storage-account-con, https://stackoverflow.com/questions/74043255/how-to-authorise-azure-b2c-users-to-read-azure-storage-blob.
Hope the above information helps!
Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.