Manage Blob Containers from dotnet app

Isobel Cullen 21 Reputation points


I have a Storage Account that I want to access from an company internal Enterprise Application. I intend the application to create and update it's own Blob Containers. The application will not be using impersonation or delegation to access the containers, as a major source of blobs will be CI events (our app has an alternative authentication mechanism for this purpose).

I want the application to be able to create a blob container and then set an Immutability Policy on this container.

Can I set an Immutability Policy on a Blob Container using the C# BlobContainerClient class? I believe the answer to this is No.

However, I cannot see how to authenticate the StorageManagementClient using the Account Name / Access Key mechanism, nor can I see a way to pre-authorize the appropriate permissions to the App Registration.

This is my current code:

var resourceGroup = "resourceGroup";
var subscriptionId = "subscription_guid";

var accountName = "storageAccountName";

var clientId = "app_registration_client_id";
var clientSecret = "app_registration_client_secret";
var tenantId = "tenant_guid";

var applicationClient = ConfidentialClientApplicationBuilder
    .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)

var tokenRequest = applicationClient.AcquireTokenForClient(
    new string[] { "", });

var result = await tokenRequest.ExecuteAsync();
var credentials = new TokenCredentials(result.AccessToken);
var client = new StorageManagementClient(credentials);
client.SubscriptionId = subscriptionId;

// this line throws an exception as expected, because I can't assign a role
// or application-level permission that would allow this to my AppRegistration.
var clients = client.BlobContainers.GetImmutabilityPolicy(

So how can I either

  • authenticate my StorageManagementClient using the StorageAccount key
  • generate an access token from the Account Key?
  • set the appropriate permissions on my App Registration

Thanks for your time.

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,664 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,415 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,377 questions
{count} votes

Accepted answer
  1. Sumarigo-MSFT 43,401 Reputation points Microsoft Employee

    @Isobel Cullen It is only possible to set Immutability Policies on Containers via the Management Plane REST APIs -

    This is what the StorageManagementClient is calling into. My understanding is that it is only possible to authenticate with the Management Plane via Token Authentication, which is why StorageManagementClient does not have constructions taking shared key.

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to 167075-screenshot-2021-12-10-121802.png and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful