How to define custom Azure AD Conditional Access policy for blob service on specific Storage Account?

Cat Mucius 71 Reputation points
2023-03-29T12:21:19.4566667+00:00

Good day,

Is it possible to define a Conditional Access policy regulating access to a blob service of a particular Storage Account?

Let's say, our general policy is too restrictive (say, it requires MFA or particular source IP ranges) - and we want to make exceptions for calls to <our-storage-account>.blob.core.windows.net. Is it possible?

I saw a couple of mentions that it's possible to add an Azure Files service of a particular Storage Account to the list of Conditional Access policy exclusions (here and here):

Azure AD Kerberos doesn't support using MFA to access Azure file shares configured with Azure AD Kerberos. You must exclude the Azure AD app representing your storage account from your MFA conditional access policies if they apply to all apps. The storage account app should have the same name as the storage account in the conditional access exclusion list. When searching for the storage account app in the conditional access exclusion list, search for: [Storage Account] <your-storage-account-name>.file.core.windows.net

But when I tried to search the list of cloud apps for Conditional Access policy exclusions by [Storage Account] or by a specific account's name, I found no matches.

Will adding a "managed identity" to the Storage Account help? As far as I understand, it's used for calls initiated by the Storage Account itself (to Key Vault, to obtain an encryption key), not for client traffic to its blob service.

Thanks,

Mucius.


Accepted answer
2023-04-02T05:16:06.5033333+00:00

Hello @Cat Mucius, you cannot set an exception for a specific Azure Storage account (ASA) through Conditional Access. The [Storage Account] <your-storage-account-name>.file.core.windows.net application is a special application that exposes an API. You can duplicate this model by creating an Azure AD app registration and a custom API that calls the blob service using client credentials (this is authenticating as the aforementioned application). By default, and unless you've set up workload identities, CA policies won't get fired since you're authenticating as an application.

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

2 people found this answer helpful.
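The app-only pattern the answer describes, shown as an added example (this is not code from the answerer or from Microsoft): an app registration obtains a token with the OAuth 2.0 client credentials grant for the `https://storage.azure.com/.default` scope and calls the Blob REST API with it, using only the Python standard library. The tenant ID, client ID, client secret, account and container names are placeholders, the `x-ms-version` value is an assumption (any Blob API version that accepts bearer tokens works), and the app registration is assumed to hold the "Storage Blob Data Reader" role on that one storage account so the exception stays scoped to it. The `is_app_only` check decodes the token's claims (without verifying the signature, for inspection only) so an operator can confirm the request really is app-only, which is the condition under which user-targeted CA policies do not apply; the page's caveat about workload identities is the flip side: a workload identity CA policy would apply to this principal, and the client secret is now the credential that must be protected.

```python
"""
Added example (not from the original Q&A): authenticate to a specific
storage account's blob service as an application (client credentials),
which sidesteps user-scoped Conditional Access as the accepted answer
describes. All IDs and secrets below are placeholders.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
STORAGE_SCOPE = "https://storage.azure.com/.default"  # resource-wide scope; RBAC narrows it to one account
X_MS_VERSION = "2021-12-02"  # assumption: Blob REST API version header value


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body, headers) for the client credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": STORAGE_SCOPE,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT.format(tenant=tenant_id), body, headers


def build_blob_request(account, container, blob, access_token):
    """Return (url, headers) for a Get Blob call authorized with a bearer token."""
    url = f"https://{account}.blob.core.windows.net/{container}/{blob}"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "x-ms-version": X_MS_VERSION,
    }
    return url, headers


def jwt_claims(token):
    """Decode the JWT payload WITHOUT signature verification (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_app_only(token):
    """Delegated (user) tokens carry an 'scp' claim; app-only tokens do not.
    The optional 'idtyp' claim, when configured, states it explicitly."""
    claims = jwt_claims(token)
    return claims.get("idtyp") == "app" or "scp" not in claims


def acquire_token(tenant_id, client_id, client_secret):
    """POST the client credentials grant and return the access token (network call)."""
    url, body, headers = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def download_blob(account, container, blob, access_token):
    """GET one blob using the app-only token (network call)."""
    url, headers = build_blob_request(account, container, blob, access_token)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    # Runs only when real values are supplied via environment variables;
    # the defaults are placeholders and will not authenticate.
    tenant = os.environ.get("AZ_TENANT_ID", "<tenant-id-placeholder>")
    client = os.environ.get("AZ_CLIENT_ID", "<app-client-id-placeholder>")
    secret = os.environ.get("AZ_CLIENT_SECRET", "<client-secret-placeholder>")
    account = os.environ.get("AZ_STORAGE_ACCOUNT", "<our-storage-account>")
    if not tenant.startswith("<"):
        tok = acquire_token(tenant, client, secret)
        print("app-only token:", is_app_only(tok))
        print(download_blob(account, "<container>", "<blob-name>", tok)[:64])
```

Grant the app registration a data-plane role on the one storage account only (for example "Storage Blob Data Reader" on that account's scope, not on the subscription), and treat the client secret as the new control point: rotate it, store it in a vault, and watch sign-in logs for the service principal, since nothing in the user CA policy will constrain it.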
