Azure Table Storage - Allow Read Only Access To Single Table For External User To Consume Using PowerBi

Question

Azure Table Storage - Allow Read Only Access To Single Table For External User To Consume Using PowerBi

Hi,

I'm trying to give a partner of ours access to a single table within one of our Azure storage accounts with read only permissions so that they can generate reports using PowerBi. However there seems to be no way to do this. I don't want to give them an access key for obvious reasons. As for a SAS, this still gives them access to every table and is incompatable with PowerBI. The best thing I can think of is to replicate on a daily basis the table to another storage account and give them the access key to that storage account, but even that doesn't seem possible.

Does anyone have any solutions?

Thanks in advance.

Chris

Answer 1

Oury Ba-MSFT 10,331 Microsoft Employee

Hi @Chris Middleton Thank you for posting your Question on Microsoft Q&A and sorry for the delay in replying to your question.

You can use Azure Active directory to achieve this. Authorization with Azure AD is available for all general-purpose in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Azure AD authorization.

Regards,
Oury

Chris Middleton 1 Reputation point

2021-11-22T18:21:38.487+00:00

Thanks @Oury Ba-MSFT

This is an existing production storage account to which we're using the primary access key. If I click the button to switch to AAD will this affect any production service using the access key?
sadomovalex 3,601 Reputation points

2021-11-23T14:32:18.647+00:00

it is quite easy to test: create new storage account with test tables (table1 and table2) and try to connect to it (e.g. from PowerShell) via connection string. After that switch to AAD, grant permissions for table2 only and check will the same PowerShell still work with both tables.

Answer 2

Hi @Chris Middleton

Before you assign an Azure RBAC role to a security principal, determine the scope of access that the security principal should have. Best practices dictate that it's always best to grant only the narrowest possible scope. Azure RBAC roles defined at a broader scope are inherited by the resources beneath them.
You can scope access to Azure table resources at the following levels, beginning with the narrowest scope:
An individual table. ** At this scope, a role assignment applies to the specified table.
**The storage account. At this scope, a role assignment applies to all tables in the account.
The resource groups. ** At this scope, a role assignment applies to all of the tables in all of the storage accounts in the resource group.
**The subscription. At this scope, a role assignment applies to all of the tables in all of the storage accounts in all of the resource groups in the subscription.
A management group. At this scope, a role assignment applies to all of the tables in all of the storage accounts in all of the resource groups in all of the subscriptions in the management group.
For more information about scope for Azure RBAC role assignments, see Understand Scope for Azure RBAC.

You can't do it in the portal, but you should be able to do it with PowerShell or CLI - Assign an Azure role for access to table data (preview) - Azure Storage | Microsoft Learn

Regards,
Oury

Azure Table Storage - Allow Read Only Access To Single Table For External User To Consume Using PowerBi

2 answers

Activity