Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
3,192 questions
Access Azure Blob using external access token with additional policy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 93%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
Amy Davies
0
Reputation points
I have a workload that is running outside of Azure. The workload requires a blob stored in Azure in order to run.
The workload can provide a custom token that follows OIDC Protocol (contains iss, sub, aud, exp etc.). The token also contains custom claims in the JWT.
I need to write policy in Azure to allow the workload access to the blob based on certain fields in the token (iss, aud etc.) as well as based on certain custom claims.
Where should I be looking to achieve this workflow? Are there any tutorials for me to look into. I’ve looked into Workload Identity Federation which seems to be a good fit but the policy piece from there is not obvious - https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation and user-assigned managed identity as well as Azure Policy.
Azure Blob Storage
Microsoft Security Microsoft Entra Microsoft Entra ID
25,081 questions
Microsoft Security Microsoft Identity Manager
882 questions
{count} votes
-
James Hamil 27,211 Reputation points Microsoft Employee Moderator2024-09-11T19:12:37.87+00:00 Hi @Amy Davies , you can define an OpenID Connect technical profile in a custom policy in Azure AD B2C. This lets you federate with an OpenID Connect-based identity provider and handle custom claims: https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect-technical-profile
You could also add custom claims to an OIDC token by creating a custom policy in Azure AD B2C. For example.
If these aren't what you're looking for please let me know and I can help you further!
Best,
James
-
Amy Davies 0 Reputation points
2024-09-19T19:05:41.8933333+00:00 Hi @James Hamil , thank you for the answer!
I think what I'm looking for is actually policy on the Azure side.
Our workflow:
We have an OIDC token
{ "issuer": "someIssuer", "aud": "someAud", "customClaim1": "foo", "customClaim2": "bar" }I have already set up the Azure application using Workload Identity Federation that expects this issuer and audience and returns a bearer token to access Azure resources.
However the piece that I'm missing is writing policy that says if
"customClaim1" != "foo"or if"customClaim2" != "bar"don't provide an Azure bearer token. That policy evaluation should be done on the Azure side.Similar to how AWS does role trust policies https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_permissions-required
-
Amy Davies 0 Reputation points
2024-09-19T19:55:00.7733333+00:00 [Redacted - duplicate comment]
Sign in to comment
Sign in to answer