Azure Storage account private blob access possibilities?

Dio 1 Reputation point
2020-10-16T10:53:49.347+00:00

Hi,

I would like to know if it is possible to configure an Azure Storage account in such a way that only specific users who are logged in (via, for example, https://login.microsoftonline.com/common/login) can see the blob contents. Basically the same mechanism that is used to access Azure DevOps, but for a Blob Service endpoint.

So for example:

  1. A user enters the url "https://my_storage_account.blob.core.windows.net/my_container/index.html"
  2. If the user was already logged in with their e-mail (access given from the Azure Portal/Storage account settings) like they need to do for Azure Devops access, show blob content.
  3. If not logged in, login first via https://login.microsoftonline.com to get read-only access.

I know I can use SAS tokens and append one to the URL of each single file, but this is not what I am looking for.


3 answers

Sort by: Most helpful
  1. deherman-MSFT 37,001 Reputation points Microsoft Employee
    2020-10-16T16:23:59.077+00:00

    @Dio
    You will want to use Azure Active Directory. Once you have this set up, you can assign the proper role. In your case the Storage Blob Data Reader role might meet your needs.

    Please try this out and let me know if it works for your use case.

    --------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. 2020-10-19T18:04:36.373+00:00

    If you want to be able to access the resource in the browser using a logged-in Azure AD user, I don't think that's possible. You will need to do it through an application. Please follow the steps detailed in Acquire a token from Azure AD for authorizing requests from a client application.

    --
    Please let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

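The application-side token flow that the answer above points to, as an added example that is not code from this thread or from Microsoft: an Entra ID (Azure AD) credential issues a token for the Storage scope, and the client sends it as a bearer header on a plain GET to the blob URL, which the Blob service then authorizes against the caller's RBAC role (e.g. Storage Blob Data Reader). The storage account, container and blob names, the API version and the `read_blob`/`build_request` helper names are assumptions; `azure-identity` is only needed for the interactive sign-in in the `__main__` block.

```python
"""Read a private blob using a Microsoft Entra ID (Azure AD) bearer token."""
import urllib.error
import urllib.request

# Assumed values (not stated on the page): the OAuth scope for Azure Storage and a
# REST API version recent enough to accept bearer tokens via x-ms-version.
STORAGE_SCOPE = "https://storage.azure.com/.default"
API_VERSION = "2020-04-08"


def blob_url(account: str, container: str, blob: str) -> str:
    return f"https://{account}.blob.core.windows.net/{container}/{blob}"


def build_request(account: str, container: str, blob: str, credential) -> urllib.request.Request:
    """Acquire a token for the Storage scope and attach it as a bearer header.

    `credential` is any object exposing get_token(scope) -> object with `.token`,
    the shape azure-identity credentials (e.g. InteractiveBrowserCredential) use.
    """
    token = credential.get_token(STORAGE_SCOPE).token
    headers = {
        "Authorization": f"Bearer {token}",
        "x-ms-version": API_VERSION,  # bearer auth requires an explicit service version
    }
    return urllib.request.Request(blob_url(account, container, blob), headers=headers)


def read_blob(account: str, container: str, blob: str, credential,
              opener=urllib.request.urlopen) -> bytes:
    """GET the blob; a 403 means the token was accepted but the user lacks a data role."""
    req = build_request(account, container, blob, credential)
    try:
        with opener(req) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code == 403:
            raise PermissionError(
                "403 from the Blob service: assign 'Storage Blob Data Reader' on the "
                "container or storage account to this signed-in user") from exc
        raise


if __name__ == "__main__":
    # Interactive browser sign-in against login.microsoftonline.com (pip install azure-identity).
    from azure.identity import InteractiveBrowserCredential

    content = read_blob("my_storage_account", "my_container", "index.html",
                        InteractiveBrowserCredential())
    print(content.decode("utf-8", errors="replace"))
```

Only the data-plane role matters here: a user who is Owner on the subscription but has no Storage Blob Data role still receives 403 on the blob itself.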

  3. Dio 1 Reputation point
    2020-10-23T08:10:44.68+00:00

    Hi,

    Thanks for the replies.
    Can the application also be a VSS extension in this case? An extension that runs in a DevOps environment?
