Issue with B2C Users Accessing Separate Containers for Storage Blob API

hampton123 1,055 Reputation points
2023-10-12T20:04:08.0333333+00:00

I've followed a tutorial to create an API that allows B2C users to sign in and upload/download files to specific Azure Storage Blob containers they are assigned to. However, I've encountered an issue. After logging into the single-page application (SPA) with one account, then allowing the B2C token to expire (the web app session is set to 15 minutes and is absolute) and then logging in with a different account in the same browser session, both accounts seem to have access to the same container. I want it so that each account would have access only to their designated container. How can I make sure that each account has separate access to different containers?

For reference, this forum post I made previously contains the code and explanation for how I'm assigning B2C users to specific Azure Storage Blob containers. Please let me know if any more information is needed or if anything I said needs clarification :)

Edit:

I checked the token claims and even after logging in with a different account, the "aud" and "name" values are set to the first account's values, rather than the newly logged in account's values. I also added more context to the B2C token's settings.
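An added example (not code from the question, the answer, or the linked tutorial): a client-side guard for the symptom described above. Before a cached B2C access token is sent to the storage API, it decodes the payload and refuses a token that is expired or that carries a different account's `oid` than the user currently signed in. The claim names are standard B2C token claims; the shape of the `expected` object, the placeholder client id and the sample account ids are assumptions of this example.

```javascript
// Added example: detect a stale cached B2C token before using it.
// Decodes the JWT payload only; signature verification belongs to the API.

function base64UrlDecode(s) {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function base64UrlEncode(s) {
  const bin = String.fromCharCode(...new TextEncoder().encode(s));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns null when the token may be used for `expected`, else the reason not to.
function staleTokenReason(token, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  const c = decodeJwtPayload(token);
  if (typeof c.exp !== 'number' || c.exp <= nowSeconds) return 'expired';
  if (c.aud !== expected.clientId) return 'audience is not this app';
  if (c.oid !== expected.oid) return 'token was issued to a different account';
  return null;
}

// Constructed sample: an unsigned token shaped like a B2C access token.
function makeSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.signature-placeholder`;
}

const APP = { clientId: '00000000-0000-0000-0000-000000000001' };   // placeholder
const accountA = { oid: 'aaaaaaaa-0000-0000-0000-000000000000' };   // constructed
const accountB = { oid: 'bbbbbbbb-0000-0000-0000-000000000000' };   // constructed
const cachedToken = makeSampleToken({ aud: APP.clientId, oid: accountA.oid, name: 'User A', exp: 2000000000 });

// The cached token still carries account A's claims after account B signs in.
console.log(staleTokenReason(cachedToken, { clientId: APP.clientId, oid: accountB.oid }, 1700000000));
// -> 'token was issued to a different account'
```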


1 answer

  1. Akshay-MSFT 16,436 Reputation points Microsoft Employee
    2023-11-03T06:08:24.3466667+00:00

    @hampton123

    This is more or less possible with an Entra ID (non-B2C) tenant. You either need to make sure that the users are guest users in the xyz directory, or move the container to that directory. As long as they at least have guest access to the tenant, you can assign them permissions to use the storage container.

    Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue.

    Also, in the above shared doc we have used Blob Storage's Static Website:

    Blob Storage's Static Website hosting feature gives us a default container to serve static web content / html / js / css from Azure Storage and will infer a default page for us for zero work.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.