Configure anonymous read access for containers and blobs
Azure Storage supports optional anonymous read access for containers and blobs. By default, anonymous access to your data is never permitted. Unless you explicitly enable anonymous access, all requests to a container and its blobs must be authorized. When you configure a container's access level setting to permit anonymous access, clients can read data in that container without authorizing the request.
Warning
When a container is configured for anonymous access, any client can read data in that container. Anonymous access presents a potential security risk, so if your scenario does not require it, we recommend that you remediate anonymous access for the storage account.
This article describes how to configure anonymous read access for a container and its blobs. For information about how to remediate anonymous access for optimal security, see one of these articles:
- Remediate anonymous read access to blob data (Azure Resource Manager deployments)
- Remediate anonymous read access to blob data (classic deployments)
About anonymous read access
Anonymous access to your data is always prohibited by default. There are two separate settings that affect anonymous access:
Anonymous access setting for the storage account. An Azure Resource Manager storage account offers a setting to allow or disallow anonymous access for the account. Microsoft recommends disallowing anonymous access for your storage accounts for optimal security.
When anonymous access is permitted at the account level, blob data isn't available for anonymous read access unless the user takes the additional step to explicitly configure the container's anonymous access setting.
Configure the container's anonymous access setting. By default, a container's anonymous access setting is disabled, meaning that authorization is required for every request to the container or its data. A user with the appropriate permissions can modify a container's anonymous access setting to enable anonymous access only if anonymous access is allowed for the storage account.
The following table summarizes how the two settings together affect anonymous access for a container.
Anonymous access level for the container is set to Private (default setting) | Anonymous access level for the container is set to Container | Anonymous access level for the container is set to Blob | |
---|---|---|---|
Anonymous access is disallowed for the storage account | No anonymous access to any container in the storage account. | No anonymous access to any container in the storage account. The storage account setting overrides the container setting. | No anonymous access to any container in the storage account. The storage account setting overrides the container setting. |
Anonymous access is allowed for the storage account | No anonymous access to this container (default configuration). | Anonymous access is permitted to this container and its blobs. | Anonymous access is permitted to blobs in this container, but not to the container itself. |
When anonymous access is permitted for a storage account and configured for a specific container, then a request to read a blob in that container that is passed without an Authorization
header is accepted by the service, and the blob's data is returned in the response. However, if the request is passed with an Authorization
header, then anonymous access on the storage account is ignored, and the request is authorized based on the provided credentials.
Allow or disallow anonymous read access for a storage account
When anonymous access is allowed for a storage account, a user with the appropriate permissions can modify a container's anonymous access setting to enable anonymous access to the data in that container. Blob data is never available for anonymous access unless the user takes the additional step to explicitly configure the container's anonymous access setting.
Keep in mind that anonymous access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. Regardless of the setting on the storage account, your data will never be available for anonymous access unless a user with appropriate permissions takes this additional step to enable anonymous access on the container.
Disallowing anonymous access for the storage account overrides the access settings for all containers in that storage account, preventing anonymous access to blob data in that account. When anonymous access is disallowed for the account, it isn't possible to configure the access setting for a container to permit anonymous access, and any future anonymous requests to that account fail. Before changing this setting, be sure to understand the impact on client applications that might be accessing data in your storage account anonymously. For more information, see Prevent anonymous read access to containers and blobs.
Important
After anonymous access is disallowed for a storage account, clients that use the anonymous bearer challenge will find that Azure Storage returns a 403 error (Forbidden) rather than a 401 error (Unauthorized). We recommend that you make all containers private to mitigate this issue. For more information on modifying the anonymous access setting for containers, see Set the access level for a container.
Allowing or disallowing anonymous access requires version 2019-04-01 or later of the Azure Storage resource provider. For more information, see Azure Storage Resource Provider REST API.
Permissions for disallowing anonymous access
To set the AllowBlobAnonymousAccess property for the storage account, a user must have permissions to create and manage storage accounts. Azure role-based access control (Azure RBAC) roles that provide these permissions include the Microsoft.Storage/storageAccounts/write action. Built-in roles with this action include:
- The Azure Resource Manager Owner role
- The Azure Resource Manager Contributor role
- The Storage Account Contributor role
Role assignments must be scoped to the level of the storage account or higher to permit a user to disallow anonymous access for the storage account. For more information about role scope, see Understand scope for Azure RBAC.
Be careful to restrict assignment of these roles only to those administrative users who require the ability to create a storage account or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see Best practices for Azure RBAC.
These roles don't provide access to data in a storage account via Microsoft Entra ID. However, they include the Microsoft.Storage/storageAccounts/listkeys/action, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in a storage account.
The Microsoft.Storage/storageAccounts/listkeys/action itself grants data access via the account keys, but doesn't grant a user the ability to change the AllowBlobPublicAccess property for a storage account. For users who need to access data in your storage account but shouldn't have the ability to change the storage account's configuration, consider assigning roles such as Storage Blob Data Contributor, Storage Blob Data Reader, or Reader and Data Access.
Note
The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager Owner role. The Owner role includes all actions, so a user with one of these administrative roles can also create storage accounts and manage account configuration. For more information, see Azure roles, Microsoft Entra roles, and classic subscription administrator roles.
Set the storage account's AllowBlobPublicAccess property
To allow or disallow anonymous access for a storage account, set the account's AllowBlobPublicAccess property. This property is available for all storage accounts that are created with the Azure Resource Manager deployment model. For more information, see Storage account overview.
To allow or disallow anonymous access for a storage account in the Azure portal, follow these steps:
Navigate to your storage account in the Azure portal.
Locate the Configuration setting under Settings.
Set Allow Blob anonymous access to Enabled or Disabled.
Note
Disallowing anonymous access for a storage account does not affect any static websites hosted in that storage account. The $web container is always publicly accessible.
After you update the anonymous access setting for the storage account, it may take up to 30 seconds before the change is fully propagated.
When a container is configured for anonymous access, requests to read blobs in that container don't need to be authorized. However, any firewall rules that are configured for the storage account remain in effect and block traffic inline with the configured ACLs.
Allowing or disallowing anonymous access requires version 2019-04-01 or later of the Azure Storage resource provider. For more information, see Azure Storage Resource Provider REST API.
The examples in this section showed how to read the AllowBlobPublicAccess property for the storage account to determine whether anonymous access is currently allowed or disallowed. To learn how to verify that an account's anonymous access setting is configured to prevent anonymous access, see Remediate anonymous access for the storage account.
Set the anonymous access level for a container
To grant anonymous users read access to a container and its blobs, first allow anonymous access for the storage account, then set the container's anonymous access level. If anonymous access is denied for the storage account, you won't be able to configure anonymous access for a container.
Caution
Microsoft recommends against permitting anonymous access to blob data in your storage account.
When anonymous access is allowed for a storage account, you can configure a container with the following permissions:
- No public read access: The container and its blobs can be accessed only with an authorized request. This option is the default for all new containers.
- Public read access for blobs only: Blobs within the container can be read by anonymous request, but container data isn't available anonymously. Anonymous clients can't enumerate the blobs within the container.
- Public read access for container and its blobs: Container and blob data can be read by anonymous request, except for container permission settings and container metadata. Clients can enumerate blobs within the container by anonymous request, but cannot enumerate containers within the storage account.
You can't change the anonymous access level for an individual blob. Anonymous access level is set only at the container level. You can set the container's anonymous access level when you create the container, or you can update the setting on an existing container.
To update the anonymous access level for one or more existing containers in the Azure portal, follow these steps:
Navigate to your storage account overview in the Azure portal.
Under Data storage on the menu blade, select Containers.
Select the containers for which you want to set the anonymous access level.
Use the Change access level button to display the anonymous access settings.
Select the desired anonymous access level from the Anonymous access level dropdown and select the OK button to apply the change to the selected containers.
When anonymous access is disallowed for the storage account, a container's anonymous access level can't be set. If you attempt to set the container's anonymous access level, the setting is disabled because anonymous access is disallowed for the account.
Check the anonymous access setting for a set of containers
It's possible to check which containers in one or more storage accounts are configured for anonymous access by listing the containers and checking the anonymous access setting. This approach is a practical option when a storage account doesn't contain a large number of containers, or when you're checking the setting across a small number of storage accounts. However, performance may suffer if you attempt to enumerate a large number of containers.
The following example uses PowerShell to get the anonymous access setting for all containers in a storage account. Remember to replace the placeholder values in brackets with your own values:
$rgName = "<resource-group>"
$accountName = "<storage-account>"
$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx = $storageAccount.Context
Get-AzStorageContainer -Context $ctx | Select Name, PublicAccess
Feature support
Support for this feature might be impacted by enabling Data Lake Storage Gen2, Network File System (NFS) 3.0 protocol, or the SSH File Transfer Protocol (SFTP). If you've enabled any of these capabilities, see Blob Storage feature support in Azure Storage accounts to assess support for this feature.