Methods for assigning users to subfolders in Azure Storage containers

hampton123 1,165 Reputation points
2024-03-04T21:14:07.6766667+00:00

Hi, currently my API's architecture consists of users logging in via B2C, then once they log in to my API my Azure Function checks the user's B2C object ID. This object ID correlates with an Azure Storage container subfolder in a SQL database. The Azure Function uses the SQL database to check which subfolder correlates with the current user's object ID, then grants the user access to that corresponding subfolder. I was wondering if there was an alternate method of assigning B2C users to containers, because although this would be an okay method I wanted to see if there was an alternative that's easier to implement and possibly more secure. I was considering replacing the SQL database with an Excel file within a container, however I wanted to get a professional opinion. Thank you.

Tags:
Azure Functions: An Azure service that provides an event-driven serverless compute platform.
Azure Storage Accounts: Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
Microsoft Entra External ID: A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.

2 answers

  1. hossein jalilian 7,205 Reputation points
    2024-03-05T02:41:59.99+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    Your current approach of using Azure B2C for user authentication is a common and reasonable solution. However, if you're considering alternatives, there are a few approaches you could explore:

    1. Azure Table Storage or Cosmos DB: Instead of using a SQL database, you might consider using Azure Table Storage or Cosmos DB. Both of these services are capable of storing large amounts of semi-structured data and can be easily integrated into your Azure Functions.
    2. Claims-Based Authorization: B2C supports custom policies, and you can use claims-based authorization to include user-specific information (like the target container) directly in the user's token. Your Azure Function can then extract this claim from the token, eliminating the need to query a separate database.
    3. Azure Key Vault: If your concerns include security, you might consider using Azure Key Vault to store sensitive information, such as the container information. This can help centralize and secure your secrets.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


  2. KarishmaTiwari-MSFT 20,047 Reputation points Microsoft Employee
    2024-03-25T19:54:40.66+00:00

    @hampton123

    I wouldn't recommend using an Excel file within a container as a replacement for the SQL database as Excel files are not designed for large scale, concurrent access. Also, storing sensitive information like user access rights in an Excel file may not be as secure as using a database.

    Instead of using an Excel file, consider storing the mapping of B2C object IDs to container subfolders in a secure database like Azure Table Storage or Azure Cosmos DB. Use Azure Blob Storage for the actual file storage, and generate Shared Access Signature (SAS) tokens with limited permissions (e.g., read/write access only to specific containers) that are dynamically generated by your Azure Function when a user logs in.

    Implement Role-Based Access Control (RBAC) in Azure Blob Storage to restrict access to specific containers or blobs based on the user's role. This can help prevent unauthorized access to other customers' subfolders.

    Enable logging and monitoring for your Azure Function and Azure Storage to track access and detect any suspicious activity.

    Resources: https://learn.microsoft.com/en-us/azure/azure-functions/configure-monitoring?tabs=v2

    Let me know if you have further questions, via comments.
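The two answers above suggest, respectively, carrying the folder assignment in the token (or a lookup table) and having the Function mint a narrowly scoped SAS per login. The following is an added example written for this page; it is not code from either answerer or from Microsoft. One caveat worth knowing before building on it: a blob service SAS is scoped to a whole container (`sr=c`) or to a single blob (`sr=b`); prefix/"subfolder" scoping (`sr=d`) exists only on accounts with the hierarchical namespace enabled. On a flat-namespace account the Function therefore has to enforce the per-user prefix itself on every request and issue a blob-level SAS for the one object the caller is allowed to touch, which is what this example does. Assumptions (all constructed, not from the thread): token signature, issuer and audience were already validated upstream, so only the resulting claims dict is consumed; `USER_PREFIXES` stands in for the SQL mapping table; the account name, container and key are dummies; and the string-to-sign follows the documented service-SAS layout for service version 2020-12-06, which you should re-check against the current REST docs (or simply use the SDK's `generate_blob_sas`) in production.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

# Constructed stand-ins; real values would come from app settings / Key Vault.
ACCOUNT = "examplestorage"
CONTAINER = "userdata"
ACCOUNT_KEY = base64.b64encode(b"\x00" * 64).decode()   # dummy key, not a real secret
SERVICE_VERSION = "2020-12-06"   # assumed string-to-sign layout; verify against docs

# Stand-in for the SQL table that maps a B2C object ID to a "subfolder" (blob prefix).
# Prefixes end with "/" so that "tenant-a/" can never match "tenant-ab/...".
USER_PREFIXES = {
    "1f5c5d9e-aaaa-4bbb-8ccc-000000000001": "tenant-a/",
    "1f5c5d9e-aaaa-4bbb-8ccc-000000000002": "tenant-b/",
}


class AuthorizationError(Exception):
    """Raised when the caller is not entitled to the requested object."""


def resolve_prefix(claims: dict) -> str:
    """Map the validated token's oid claim to a storage prefix; unknown users get nothing."""
    oid = claims.get("oid")
    if not oid:
        raise AuthorizationError("token has no oid claim")
    prefix = USER_PREFIXES.get(oid)
    if prefix is None:
        raise AuthorizationError("no storage mapping for this user")
    return prefix


def normalize_blob_path(requested: str, prefix: str) -> str:
    """Reject absolute paths and traversal, then require the blob to sit under the prefix."""
    if requested.startswith("/") or "\\" in requested or "\x00" in requested:
        raise AuthorizationError("invalid blob path")
    if any(part in ("", ".", "..") for part in requested.split("/")):
        raise AuthorizationError("invalid blob path")
    if not requested.startswith(prefix):
        raise AuthorizationError("blob is outside the caller's folder")
    return requested


def _sign(string_to_sign: str) -> str:
    key = base64.b64decode(ACCOUNT_KEY)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_blob_sas(blob_path: str, permissions: str, start: datetime, expiry: datetime) -> str:
    """Build the query string of a service SAS for one blob (sr=b), HTTPS only."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    st, se = start.strftime(fmt), expiry.strftime(fmt)
    canonical = f"/blob/{ACCOUNT}/{CONTAINER}/{blob_path}"
    # Field order assumed from the 2020-12-06 service-SAS string-to-sign.
    fields = [
        permissions, st, se, canonical,
        "",                 # signedIdentifier: no stored access policy
        "",                 # signedIP
        "https",            # signedProtocol
        SERVICE_VERSION,    # signedVersion
        "b",                # signedResource: single blob
        "",                 # signedSnapshotTime
        "",                 # signedEncryptionScope
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct (no response-header overrides)
    ]
    sig = _sign("\n".join(fields))
    params = {"sp": permissions, "st": st, "se": se, "spr": "https",
              "sv": SERVICE_VERSION, "sr": "b", "sig": sig}
    return urlencode(params)


def issue_sas(claims: dict, requested_blob: str, write: bool = False, ttl_minutes: int = 15) -> str:
    """Authorize the caller against their prefix and return a short-lived blob URL with SAS."""
    prefix = resolve_prefix(claims)
    blob = normalize_blob_path(requested_blob, prefix)
    now = datetime.now(timezone.utc)
    permissions = "rw" if write else "r"
    qs = build_blob_sas(blob, permissions, now - timedelta(minutes=5), now + timedelta(minutes=ttl_minutes))
    return f"https://{ACCOUNT}.blob.core.windows.net/{CONTAINER}/{quote(blob)}?{qs}"


if __name__ == "__main__":
    claims = {"oid": "1f5c5d9e-aaaa-4bbb-8ccc-000000000001"}   # constructed claims
    print(issue_sas(claims, "tenant-a/report.pdf"))
    for bad in ("tenant-b/report.pdf", "tenant-a/../tenant-b/x", "/tenant-a/x"):
        try:
            issue_sas(claims, bad)
        except AuthorizationError as err:
            print(f"rejected {bad!r}: {err}")
```

The design point is that the SAS never expresses the folder boundary; `normalize_blob_path` does, and it runs inside the Function where the caller cannot tamper with it. Keep the expiry short, sign with a key held in app settings or Key Vault rather than in code, and prefer a user delegation SAS (signed with an Entra-issued delegation key instead of the account key) once the Function has a managed identity with the Storage Blob Delegator role.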

