Accessing blob item in Azure Storage using access token issued by Entra External ID

Swivel1660 40 Reputation points
2024-07-25T07:01:57.45+00:00

Hi,

I'm attempting to access an item stored in Azure Blob storage via access token. The access token is sent in the Authorization header as a Bearer token. Public access and access keys have been disabled globally on the storage account, leaving Entra ID as the only means of authenticating requests against the storage account. I am able to access the document in question via the Azure Portal using my Entra ID account, so I have confirmed I have the relevant permissions necessary to perform the request.

The Vue application that I'm building uses the @azure/msal-browser package to request an access token from Entra ID before attempting to retrieve the document from Azure storage. Given the nature of the application, I prefer to avoid using SAS tokens. When requesting the access token for the request, I have tried every scope I can think of, and tinkered with the authority setting with little success. Every time I think I'm getting closer, I get one of the two following error messages:

<?xml version="1.0" encoding="utf-8"?>
<Error>
    <Code>AuthenticationFailed</Code>
    <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:1345cc3b-d01e-0039-275c-de966a000000
Time:2024-07-25T06:30:08.3540439Z</Message>
    <AuthenticationErrorDetail>Signature validation failed. Signature verification failed.</AuthenticationErrorDetail>
</Error>
<?xml version="1.0" encoding="utf-8"?>
<Error>
    <Code>AuthenticationFailed</Code>
    <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:5eeb5049-f01e-0011-125f-def7c2000000
Time:2024-07-25T06:55:14.2451440Z</Message>
    <AuthenticationErrorDetail>Issuer validation failed. Issuer did not match.</AuthenticationErrorDetail>
</Error>

I have also set the x-ms-version header to 2017-11-09 as outlined in some documentation to no avail. I have also set the www-authenticate header to Bearer authorization_uri=${authority} resource_id=https://{storage_account}.blob.core.windows.net (and tried the more generic resource_id=https://storage.azure.com). Authority in this instance refers to the authority set in the @azure/msal-browser configuration, but I also tried the Entra External ID's authorize endpoint too.

CORS is enabled on the storage account, but for testing purposes I have set it as permissive as possible. At any rate, the process fails whether I'm using a browser or Postman to initiate the request.

I'm at a loss on what to do - my understanding is that I should be able to access the resource if I present a valid access token generated by Entra ID for that tenant. Is it simply a case that Entra External ID cannot access Azure Storage using access tokens generated by @azure/msal-browser, or have I set a parameter wrong somewhere?

Tags: Azure Blob Storage, Microsoft Entra External ID

2 answers

  1. Amrinder Singh 4,510 Reputation points Microsoft Employee
    2024-07-25T14:54:28.0333333+00:00

    Hi Swivel1660 - Thanks for reaching out over Q&A Forum

    Based on the exception shared - <AuthenticationErrorDetail>Issuer validation failed. Issuer did not match.</AuthenticationErrorDetail> - at a high level it appears that the tenant generating the token is probably different from the one where the storage account resides, hence the exception. Please verify if that's the case.

    The other possibility is the scope used while creating the token, which should ideally be "**https://storage.azure.com/.default**"; however, I suspect the above one is the primary issue.

    Hope that helps!

    Let me know if there are any queries/concerns, will be glad to assist.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


  2. Swivel1660 40 Reputation points
    2024-07-25T22:41:17.29+00:00

    I've figured out the issue, thanks in part to Amrinder's post. It did turn out to be an issue with my @azure/msal-browser configuration, coupled with the wrong Azure Storage scope being requested (which Amrinder helpfully provided). Posting my solution for others to try should they run into the same issue as me.

    During my failed attempts to retrieve an access token for use with Azure Storage, the authority parameter in my @azure/msal-browser configuration was set to my tenant-specific URL (i.e., https://{ENTRA_TENANT_NAME}.ciamlogin.com/{ENTRA_TENANT_ID}/v2.0). However, after I switched to the "generic" https://login.microsoftonline.com/{ENTRA_TENANT_NAME}.onmicrosoft.com authority, @azure/msal-browser retrieved the correct access token and I could access files stored on Azure Storage as expected.

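Putting the two fixes from this thread together (the login.microsoftonline.com authority and the https://storage.azure.com/.default scope), here is an added example, not code from the original posts, showing the client-side pieces: the MSAL config shape, a token getter built around MSAL's acquireTokenSilent, the headers a Blob data-plane request needs, and a small parser that turns the storage service's XML AuthenticationFailed body into the check this thread suggests for each AuthenticationErrorDetail. The tenant name, client ID, account name and container are constructed placeholders; the error XML samples are the ones quoted in the question.

```javascript
// Constructed placeholders; substitute your own app registration values.
const TENANT_NAME = "contoso";                               // {ENTRA_TENANT_NAME}
const CLIENT_ID = "00000000-0000-0000-0000-000000000000";    // app (client) ID
const STORAGE_ACCOUNT = "mystorageacct";                     // {storage_account}

// Scope for Azure Storage data-plane calls, as given in the answer above.
const STORAGE_SCOPES = ["https://storage.azure.com/.default"];

// MSAL config in the shape @azure/msal-browser expects. The authority is the
// form that worked in the thread, not https://{tenant}.ciamlogin.com/{id}/v2.0.
function buildMsalConfig(tenantName, clientId, redirectUri) {
  return {
    auth: {
      clientId,
      authority: `https://login.microsoftonline.com/${tenantName}.onmicrosoft.com`,
      redirectUri,
    },
  };
}

// Wraps a PublicClientApplication (passed in, so this file has no MSAL import)
// into a getToken(scopes) function. acquireTokenSilent resolves with an
// AuthenticationResult whose accessToken is the raw JWT to send as a Bearer.
function makeMsalTokenGetter(pca, account) {
  return (scopes) =>
    pca.acquireTokenSilent({ scopes, account }).then((r) => r.accessToken);
}

// Headers for a Blob request authenticated with Entra ID. x-ms-version is the
// minimum version named in the question for Bearer auth on the data plane.
function buildBlobHeaders(accessToken) {
  return {
    Authorization: `Bearer ${accessToken}`,
    "x-ms-version": "2017-11-09",
  };
}

// Reads <Code> and <AuthenticationErrorDetail> from the service's XML error and
// maps each detail seen in this thread to the configuration check it implies.
function diagnoseAuthError(xmlBody) {
  const grab = (tag) => {
    const m = xmlBody.match(new RegExp(`<${tag}>([^<]*)</${tag}>`));
    return m ? m[1].trim() : "";
  };
  const code = grab("Code") || "unknown";
  const detail = grab("AuthenticationErrorDetail");
  let hint;
  if (/Issuer validation failed/i.test(detail)) {
    hint = "token issuer tenant does not match the storage account's tenant: check the MSAL authority";
  } else if (/Signature validation failed/i.test(detail)) {
    hint = "token was not issued for the storage service: check the scope (https://storage.azure.com/.default) and the authority";
  } else {
    hint = "inspect the token's iss and aud claims against the storage account's tenant";
  }
  return { code, detail, hint };
}

// Fetches one blob with a Bearer token. fetchImpl is injectable for testing.
async function fetchBlob(accountName, container, blobName, getToken, fetchImpl = globalThis.fetch) {
  const token = await getToken(STORAGE_SCOPES);
  const url = `https://${accountName}.blob.core.windows.net/${container}/${blobName}`;
  const res = await fetchImpl(url, { headers: buildBlobHeaders(token) });
  if (!res.ok) {
    const { code, hint } = diagnoseAuthError(await res.text());
    throw new Error(`Storage returned ${res.status} ${code}: ${hint}`);
  }
  return res;
}

// Constructed sample: the error body quoted in the question (issuer case).
const SAMPLE_ISSUER_ERROR = `<?xml version="1.0" encoding="utf-8"?>
<Error>
    <Code>AuthenticationFailed</Code>
    <Message>Server failed to authenticate the request.</Message>
    <AuthenticationErrorDetail>Issuer validation failed. Issuer did not match.</AuthenticationErrorDetail>
</Error>`;

const SAMPLE_SIGNATURE_ERROR = SAMPLE_ISSUER_ERROR.replace(
  "Issuer validation failed. Issuer did not match.",
  "Signature validation failed. Signature verification failed."
);
```

In the browser the real call is `fetchBlob(STORAGE_ACCOUNT, "docs", "file.pdf", makeMsalTokenGetter(pca, account))`, where `pca` is your `PublicClientApplication` created from `buildMsalConfig(TENANT_NAME, CLIENT_ID, window.location.origin)`. The diagnosis helper only reads the service's response; it is meant to turn the two opaque messages from the question into the authority and scope checks discussed in the answers.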