Require login when accessing BLOB storage URL

Roshan Mehta 16 Reputation points
2021-06-15T03:08:22.6+00:00

I have files that are currently stored in SharePoint. Some of these are large video and audio files that contain confidential information. The entire SharePoint capacity is used up due to these large files.

I want to move files over a certain size to Azure BLOB storage to reduce the capacity in SharePoint. Users will click on a .URL file in SharePoint which will take them to the URL of the BLOB.

I don't want users to be able to share the URL with other people as these video and audio files contain confidential information.

Is there a way to only allow the BLOB URL to be accessed by users authenticated via Azure AD? E.g., if the user is already logged into SharePoint and they click the link to the BLOB, they can download the video or audio file. If the users shares the URL with someone outside the organisation, that user will be prompted to log in to Azure AD before being able to access the file.

Is this possible?

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
3,032 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. deherman-MSFT 37,836 Reputation points Microsoft Employee
    2021-06-15T22:53:27.24+00:00

    @Roshan Mehta

    Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob and queue data. You can also define custom roles for access to blob and queue data.|

    When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

    Azure storage supports Azure AD authentication and can be used for authentication instead of storage account name / key, SAS tokens or SAS policy. You can read more about it here: https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad

    Hope this helps. Let us know if you have further questions and we will be happy to assist.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. danbert1973 1 Reputation point
    2021-10-08T15:39:53.45+00:00

    I know this is an old thread but I revisited this recently without success as I'd hoped, although I have a workaround which might help others.

    I have an archiving process in Power Automate that moves files from SharePoint into blob storage. Once the file has been moved to blob storage, the flow then creates an html stub in it's place with the same file name in the original document library (it could be a text file, basically just an empty file). I then get the blob url and store it as metadata against the html stub file.

    I have another flow which is run directly from each stub item in the document library which performs the 'Create SAS URI by path' action on the blob file. This basically generates a working url to the blob file with a new SAS token. Obviously, this SAS token will still work for anyone, so what you need to do is set a short expiry on it (i.e. a few minutes).

    The flow then adds this url and expiry date as metadata to the stub left back in the document library, and also sends the link to the requestor in an email. They then have a short time in which to view the file, and they can of course save a local copy if they wish. If the token expires they can just run the flow again to generate a new one.

    This is only really useful in read only/archiving scenarios, but it is proving an effective way of me maintaining a file structure in SharePoint, but having the files stored in Azure instead.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.