Restrict access to a specific container in a Azure Storage BLOB to specific tenant (Azure AD)

Adit Shah 6 Reputation points
2020-11-18T12:54:58.563+00:00

We are thinking to create a web application which will allow login to multiple organizations users (multi-tenant)

Logged in users will be able to upload files, so we are going to upload those files to Azure blob storage.

We are planning to keep a separate container for each organization (tenant) in same storage account.

So is there any way to authenticate & restrict organization user to a specific container?

Any custom authentication/authorization? Please suggest.

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,156 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,670 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,415 questions
Azure Disk Storage
Azure Disk Storage
A high-performance, durable block storage designed to be used with Azure Virtual Machines and Azure VMware Solution.
571 questions

6 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sumarigo-MSFT 43,406 Reputation points Microsoft Employee
    2020-11-19T17:06:47.513+00:00

    @Adit Shah Not sure I understand the question: Are you referring to the azure blob container: Assign Azure roles for access rights? If I am wrong, please correct me

    Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob and queue data. You can also define custom roles for access to blob and queue data.|

    When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

    Azure storage supports Azure AD authentication and can be used for authentication instead of storage account name / key, SAS tokens or SAS policy. Azure Storage Explorer can also use Azure AD to authenticate to storage service. You can read more about it here: https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad

    It does mean that the application that is accessing storage accounts needs to support ad auth method as well. Can you share what applications will be accessing the storage account? If they don’t support it then SAS tokens / policy can be used.

    Additional information: Prevent anonymous public read access to containers and blobs
    There is also a similar thread discussion in SO forum which can give some information on your query.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    --------------------------------------------------------------------------------------------------------------

    Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    2 people found this answer helpful.
    0 comments
  2. Adit Shah 6 Reputation points
    2020-11-20T13:25:10.223+00:00

    Thanks for the reply @Sumarigo-MSFT.

    Now we are using different mechanism.

    What we are trying to achieve is assign access particular AD user group to a particular container.

    i.e.

    Group 1 can access only container1, but not container2
    Group 2 can access only container2, but not container1

    To achieve this I have given IAM Role Permission on each container accordingly (assigned Storage Blob Data Contributor Role to group).

    Code Sample I used: https://github.com/Azure-Samples/storage-dotnet-azure-ad-msal

    But to upload/download any file on container I have to assign role of Storage Blob Data Contributor on Storage Account as well. If I give Storage Blob Data Contributor on Storage Account then that Group users can add files to any container.

    So is there any way to achieve like,
    Group 1 can access only container1, but not container2
    Group 2 can access only container2, but not container1

    1 person found this answer helpful.
  3. ashok gupta 16 Reputation points
    2022-02-20T16:17:16.897+00:00

    I had similar requirement and tried multiple different ways.

    1. Gave storage blob reader at container level to user1. user1 was not able to see the storage account also in portal so this did not work.
    2. secondly a gave access of reader at storage account level. After this change user was able to see the storage account in portal but it also gave access to all containers. so this was not right solution.
    3. tried giving only reader permission at storage level, still user1 got read permission in all the containers.

    Not sure what will be the right solution for this. may be some custom role can be build.

    1 person found this answer helpful.
    0 comments
  4. Sven 1 Reputation point
    2021-12-02T15:13:14.96+00:00

    Hello,
    Was this ever answered?

    0 comments
  5. Nemanja Jovic 20 Reputation points MVP
    2023-09-21T15:20:11.6+00:00

    Any answers ???

    0 comments