I'm getting Error Message: Key based authentication is not permitted on this storage account.

Will Hasey 26 Reputation points
2021-05-19T20:14:11.103+00:00

I have this command in a PowerShell script:

$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccountName `
    -SkuName Premium_LRS -Location $location -Kind "FileStorage" -EnableLargeFileShare `
    -AllowBlobPublicAccess $false -AllowSharedKeyAccess $false `
    -EnableAzureActiveDirectoryDomainServicesForFile $true

For whatever reason, this storage account causes an error message when I try to create a file share using

$storageContext = $storageAccount.Context
New-AzStorageShare -Name $storageShareName -Context $storageContext

This is the error message:

New-AzStorageShare : Key based authentication is not permitted on this storage account. HTTP Status Code: 403 - HTTP
Error Message: Key based authentication is not permitted on this storage account.
ErrorCode: KeyBasedAuthenticationNotPermitted
ErrorMessage: Key based authentication is not permitted on this storage account.
RequestId:f9294db8-301a-00e1-3dea-4c825b000000
Time:2021-05-19T20:05:56.8453700Z
At C:\tf\advantage\dev\deploy\scripts\azure-functions.ps1:2179 char:5
+     New-AzStorageShare -name $storageShareName -context $storageConte ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzStorageShare], StorageException
    + FullyQualifiedErrorId : StorageException,Microsoft.WindowsAzure.Commands.Storage.File.Cmdlet.NewAzureStorageShare

I'm 99% sure it has something to do with the -AllowSharedKeyAccess $false, because of the error message and because when I take it out it works fine. But why is it breaking? I want to automate creation of file shares with that setting toggled.

Azure Files

Accepted answer
  1. Sumarigo-MSFT 43,806 Reputation points Microsoft Employee
    2021-06-02T16:15:56.927+00:00

    @Will Hasey Apologies for the delayed response!

    Note: If you disable account access keys, you will not be able to access Azure Files or Table storage as they do not support (yet?) Azure AD authentication.

    Azure Storage supports Azure AD authorization for requests to Blob and Queue storage only. **

    If you disallow authorization with Shared Key for a storage account, requests to Azure Files or Table storage that use Shared Key authorization will fail.

    ** Because the Azure portal always uses Shared Key authorization to access file and table data, if you disallow authorization with Shared Key for the storage account, you will not be able to access file or table data in the Azure portal.

    Microsoft recommends that you either migrate any Azure Files or Table storage data to a separate storage account before you disallow access to the account via Shared Key, or that you do not apply this setting to storage accounts that support Azure Files or Table storage workloads.

    Disallowing Shared Key access for a storage account does not affect SMB connections to Azure Files.

    If you are looking for this specific feature, you can leave your feedback here. Please take a few minutes to submit your idea in one of the forums available on the right, or vote up an idea submitted by another Azure customer. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


6 additional answers

  1. Sumarigo-MSFT 43,806 Reputation points Microsoft Employee
    2021-05-20T07:14:47.07+00:00

    @Will Hasey Welcome to Microsoft Q&A Forum! Thank you for posting your query here!
    Based on the error message KeyBasedAuthenticationNotPermitted: "Key based authentication is not permitted on this storage account."

    AllowSharedKeyAccess is applied at the storage account level. Storage accounts don't support AAD (OAuth-based) authorization for Table storage and File storage.

    If you co-host table data or file data in the same storage account, you need to migrate this data to a different storage account. Then you can enforce no key or SAS access on the storage account without breaking your workloads that rely on table or file data. AllowSharedKeyAccess also does not apply to Azure Files SMB connections.


    For more information, refer to this article: https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal

    Tools such as AzCopy and Storage Explorer won't work when you have shared-key-based access disabled on your storage account.

    This article describes how to detect requests sent with Shared Key authorization and how to remediate Shared Key authorization for your storage account. To learn how to register for the preview, see Prevent Shared Key authorization for an Azure Storage account (preview).

    Additional information: A container-level SAS only lets you work at the container level, where you can perform operations on the blobs inside that container. Creation of a blob container is an account-level activity, and thus you would need to use an Account SAS. At this time, Account SAS does not have a concept of Shared Access Policy.

    Azure Blob Storage supports Azure AD-based authentication/authorization and has support for Role-based Access Control (RBAC) available in your Azure subscription. You can assign granular RBAC roles to your users in Azure AD, and they will be able to perform only the operations allowed by their roles. You can read more about it here: https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad.

    You can find more details about various authorization options available in Azure Storage here: https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-requests-to-azure-storage.

    Each time you access data in your storage account, your client makes a request over HTTP/HTTPS to Azure Storage. Every request to a secure resource must be authorized, so that the service ensures that the client has the permissions required to access the data. See Authorizing access to data in Azure Storage.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

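
The answer above recommends detecting which requests still use Shared Key before disallowing it. The following is an added example, not code from the thread or from Microsoft: it classifies storage request records by authentication type and lists the clients that will break once -AllowSharedKeyAccess is set to $false. The column names follow the StorageFileLogs / StorageBlobLogs tables in Log Analytics (TimeGenerated, OperationName, AuthenticationType, CallerIpAddress, StatusCode, UserAgentHeader); the rows themselves are constructed for the example, and the function name Get-SharedKeyDependents is this example's own.

```powershell
# Added example (not from the thread). Triage storage requests by authentication type
# before disabling Shared Key on an account, so you know which clients will fail with
# KeyBasedAuthenticationNotPermitted afterwards.
# The CSV rows below are constructed sample data shaped like a Log Analytics export of
# StorageFileLogs / StorageBlobLogs; replace them with a real export.
$sampleCsv = @'
TimeGenerated,OperationName,AuthenticationType,CallerIpAddress,StatusCode,UserAgentHeader
2021-05-19T20:05:56Z,CreateShare,AccountKey,203.0.113.10:49152,403,Azure-Storage/11.1.0 (.NET Core)
2021-05-19T20:06:10Z,ListShares,AccountKey,203.0.113.10:49160,403,Azure-Storage/11.1.0 (.NET Core)
2021-05-19T20:07:02Z,GetFile,SAS,198.51.100.7:51020,200,AzCopy/10.10.0
2021-05-19T20:08:30Z,GetBlob,OAuth,192.0.2.44:40022,200,azsdk-net-Storage.Blobs/12.8.0
2021-05-19T20:09:15Z,Read,Kerberos,10.0.0.25:445,200,SMB
2021-05-19T20:10:41Z,PutBlob,OAuth,192.0.2.44:40031,201,azsdk-net-Storage.Blobs/12.8.0
'@

function Get-SharedKeyDependents {
    param([Parameter(Mandatory)] [object[]] $Records)

    # Shared Key requests and SAS tokens (which are signed with the account key) are the
    # two request types rejected once AllowSharedKeyAccess is false. OAuth (Azure AD) and
    # Kerberos (identity-based SMB) are unaffected, so they are excluded from the report.
    $Records |
        Where-Object { $_.AuthenticationType -in @('AccountKey', 'SAS') } |
        Select-Object *, @{ Name = 'CallerIp'; Expression = { ($_.CallerIpAddress -split ':')[0] } } |
        Group-Object -Property CallerIp, UserAgentHeader |
        ForEach-Object {
            [pscustomobject]@{
                CallerIp   = $_.Group[0].CallerIp
                UserAgent  = $_.Group[0].UserAgentHeader
                AuthTypes  = ($_.Group.AuthenticationType | Sort-Object -Unique) -join ','
                Operations = ($_.Group.OperationName | Sort-Object -Unique) -join ','
                Requests   = $_.Count
            }
        }
}

$records    = $sampleCsv | ConvertFrom-Csv
$dependents = @(Get-SharedKeyDependents -Records $records)
$dependents | Format-Table -AutoSize

if ($dependents.Count -gt 0) {
    # Single quotes keep $false literal in the message.
    $msg = '{0} client(s) still use Shared Key or SAS; move them to Azure AD (blob/queue) or to a separate account (files/tables) before setting -AllowSharedKeyAccess $false.' -f $dependents.Count
    Write-Warning $msg
}
```

With the constructed rows, the report lists two dependents (the .NET client at 203.0.113.10 using AccountKey, and AzCopy at 198.51.100.7 using SAS) and ignores the OAuth and Kerberos traffic, which matches the answer's point that SMB connections keep working after the switch. To feed it real data, export the result of a Log Analytics query such as `StorageFileLogs | where AuthenticationType in ("AccountKey", "SAS")` to CSV and pass it to ConvertFrom-Csv in place of the sample.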

  2. Will Hasey 26 Reputation points
    2021-05-20T12:47:12.263+00:00

    Hello,

    How would I go about creating a file share using PowerShell in this storage account? Do I need to create a new context?

    Thanks for your help


  3. Sumarigo-MSFT 43,806 Reputation points Microsoft Employee
    2021-05-26T14:19:00.333+00:00

    @Will Hasey I was able to repro the issue in my lab and successfully create the file share and enable AADS authentication.

    Can you please cross-verify: have you provided access to the storage account (Storage Contributor role) and to the file share (Storage File Data SMB Share Contributor)?

    $ctx = New-AzStorageAccount -ResourceGroupName sumarigo -Name addstestsssdsubm -SkuName Premium_LRS -Location 'East US' `
        -Kind FileStorage -EnableLargeFileShare -AllowBlobPublicAccess $false -EnableAzureActiveDirectoryDomainServicesForFile $true
    $fileshare = Get-AzStorageAccount -ResourceGroupName sumarigo -Name addstestsssdsubm
    $file = New-AzStorageShare -Name testsubm -Context $fileshare.Context


    Let me explain what happens when the storage access key is disabled.

    • To enable "-EnableAzureActiveDirectoryDomainServicesForFile $true": before you enable Active Directory Domain Services (AD DS) authentication, make sure you've read the overview article to understand the supported scenarios and requirements. We strongly recommend that you review the How it works section to select the right domain service for authentication. The setup is different depending on the domain service you choose. This series of articles focuses on enabling and configuring on-premises AD DS for authentication with Azure file shares.

    If you are new to Azure file shares, we recommend reading our planning guide before reading the following series of articles.

    If you still find any difficulties, I wish to engage with you offline for a closer look and provide quick and specialized assistance.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


  4. Will Hasey 26 Reputation points
    2021-05-27T15:33:29.847+00:00

    Hello @Sumarigo-MSFT ,

    I am a Global Administrator in my tenant

    I added -AllowSharedKeyAccess $false because that's how I want to create my storage account.

    $ctx = New-AzStorageAccount -ResourceGroupName sumarigo -Name addstestsssdsubm -SkuName Premium_LRS -Location 'East US' `
        -Kind FileStorage -EnableLargeFileShare -AllowBlobPublicAccess $false -AllowSharedKeyAccess $false `
        -EnableAzureActiveDirectoryDomainServicesForFile $true
    $fileshare = Get-AzStorageAccount -ResourceGroupName sumarigo -Name addstestsssdsubm
    $file = New-AzStorageShare -Name testsubm -Context $fileshare.Context
    

    This is the same error I got. I don't think you are understanding: why can't you create a file share when SharedKeyAccess is disabled, and how exactly do I make it so I can create a file share when SharedKeyAccess is disabled? It seems to me, based off the article you linked, that I need to set up AD DS authentication?

    New-AzStorageShare : Key based authentication is not permitted on this storage account. HTTP Status Code: 403 - HTTP
    Error Message: Key based authentication is not permitted on this storage account.
    ErrorCode: KeyBasedAuthenticationNotPermitted
    ErrorMessage: Key based authentication is not permitted on this storage account.
    RequestId:8ebb7466-a01a-004b-490c-53879c000000
    Time:2021-05-27T15:23:30.7579551Z
    At line:3 char:18
    + ...     $file = New-AzStorageShare -Name testsubm -Context $fileshare.con ...
    +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : CloseError: (:) [New-AzStorageShare], StorageException
        + FullyQualifiedErrorId : StorageException,Microsoft.WindowsAzure.Commands.Storage.File.Cmdlet.NewAzureStorageShare
    

    Thanks for the help
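
The reply above asks how a file share can be created at all while Shared Key is disabled. The distinction that matters is data plane versus management plane: New-AzStorageShare talks to the Azure Files data plane using the account key embedded in $storageAccount.Context, and that is exactly what -AllowSharedKeyAccess $false blocks, while the Azure Resource Manager cmdlet New-AzRmStorageShare is authorized by the caller's Azure AD token and RBAC and never presents the key. The following is an added example, not code from the thread or from Microsoft; the resource names are placeholders, and it assumes Az.Storage 3.x or later, a prior Connect-AzAccount, and a caller holding a role that allows Microsoft.Storage/storageAccounts/fileServices/shares/write (for example Storage Account Contributor).

```powershell
# Added example (not from the thread). Create a premium file share on an account that has
# Shared Key disabled, without ever using the account key.
# Assumptions: Az.Accounts/Az.Storage 3.x or later, Connect-AzAccount already run, and the
# caller has RBAC rights on the storage account (e.g. Storage Account Contributor).
$resourceGroup      = 'rg-files-dev'        # placeholder
$location           = 'eastus'              # placeholder
$storageAccountName = 'stfilesdev001'       # placeholder, must be globally unique
$storageShareName   = 'appdata'             # placeholder

# 1. Create the account with the same hardening the question uses.
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup `
    -Name $storageAccountName -SkuName Premium_LRS -Location $location `
    -Kind FileStorage -EnableLargeFileShare -AllowBlobPublicAccess $false `
    -AllowSharedKeyAccess $false -EnableAzureActiveDirectoryDomainServicesForFile $true

# 2. Verify the setting actually took effect before relying on it.
if ($storageAccount.AllowSharedKeyAccess -ne $false) {
    throw "Expected AllowSharedKeyAccess to be false on $storageAccountName"
}

# 3. Data plane (what the question did): the context carries the account key, so the
#    request is signed with Shared Key and the service refuses it with HTTP 403
#    KeyBasedAuthenticationNotPermitted. Kept here only to show the failure mode.
try {
    New-AzStorageShare -Name $storageShareName -Context $storageAccount.Context -ErrorAction Stop | Out-Null
    Write-Warning 'Data-plane share creation unexpectedly succeeded; re-check AllowSharedKeyAccess.'
}
catch {
    Write-Output "Data-plane call refused as expected: $($_.Exception.Message)"
}

# 4. Management plane: New-AzRmStorageShare goes through Azure Resource Manager, which
#    authorizes with the signed-in Azure AD identity and RBAC, not with the account key.
#    Premium (FileStorage) shares require a provisioned quota of at least 100 GiB.
New-AzRmStorageShare -ResourceGroupName $resourceGroup -StorageAccountName $storageAccountName `
    -Name $storageShareName -QuotaGiB 100 | Out-Null

# 5. Read it back the same way, again without a key.
Get-AzRmStorageShare -ResourceGroupName $resourceGroup -StorageAccountName $storageAccountName -Name $storageShareName |
    Select-Object Name, QuotaGiB
```

Share creation, deletion and quota changes are all management-plane operations, so they work regardless of the Shared Key setting; what remains blocked is key- or SAS-based access to the share's contents over REST (AzCopy with a SAS, Storage Explorer with the key, New-AzStorageShare with a key-backed context). SMB access with AD DS identities, which the account above is configured for, is authorized by Kerberos and is not affected, as the accepted answer notes.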