Azure Blob Storage Read Access - Restrict to only specified person

Taranjeet Malik 301 Reputation points


We have a requirement to give Read access to the Azure blobs (say via SAS tokens) to external partners, wherein the link has to be available only to the provided partner contact. No one except the intended person can access the blobs even if the link is copied and shared with outsiders.

Is this possible using SAS tokens? If not, what else could be a feasible solution in this case?

Taranjeet Singh


2 answers

  1. Sumarigo-MSFT 39,046 Reputation points Microsoft Employee

    @Taranjeet Malik Are you referring to a specific blob? Are you using Azure Active Directory authentication for the Azure blob container?

    Not sure I understand the question: Are you referring to the Azure blob container: Assign Azure roles for access rights? If I am wrong, please correct me.

    There is an inbuilt role that can be assigned to a user.

    Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob and queue data. You can also define custom roles for access to blob and queue data.

    When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

    Azure storage supports Azure AD authentication and can be used for authentication instead of storage account name / key, SAS tokens or SAS policy. Azure Storage Explorer can also use Azure AD to authenticate to storage service. You can read more about it here:

    Additional information: Prevent anonymous public read access to containers and blobs
    There is also a similar thread discussion in SO forum which can give some information on your query.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

  2. Sumarigo-MSFT 39,046 Reputation points Microsoft Employee

    @Taranjeet Malik Shared Access Signature is the best method for your requirements. A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid. Both a service SAS and an account SAS are signed with the storage account key. To create a SAS that is signed with the account key, an application must have access to the account key.

    When a request includes a SAS token, that request is authorized based on how that SAS token is signed. The access key or credentials that you use to create a SAS token are also used by Azure Storage to grant access to a client that possesses the SAS.

    You can generate SAS token through storage explorer and provide the access and once you


    Use near-term expiration times on an ad hoc SAS service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.

    Clients should renew the SAS well before the expiration, in order to allow time for retries if the service providing the SAS is unavailable. This might be unnecessary in some cases. For example, you might intend for the SAS to be used for a small number of immediate, short-lived operations. These operations are expected to be completed within the expiration period. As a result, you are not expecting the SAS to be renewed. However, if you have a client that is routinely making requests via SAS, then the possibility of expiration comes into play.

    Security recommendations for Blob storage

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
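
A check that can be run on a SAS URL before it is sent to a partner, covering the constraints the answer above lists (which resource, which permissions, how long it is valid) plus the protocol and source-IP fields. This is an added example, not part of either answer and not Microsoft tooling; the one-hour limit, the function names and the sample URLs are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=1)  # assumed local policy for "near-term"

def _utc(value):
    """Parse an ISO 8601 SAS timestamp (st/se) as an aware UTC datetime."""
    t = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)

def audit_sas_url(url, now):
    """Return findings for a SAS URL that should grant one partner read-only access."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    policy = "si" in q  # a stored access policy may hold sp/se server-side
    if q.get("sr") != "b":
        findings.append(f"scope sr={q.get('sr')!r} is wider than a single blob")
    if "sp" in q and set(q["sp"]) != {"r"}:
        findings.append(f"permissions sp={q['sp']!r} exceed read")
    if "se" in q:
        left = _utc(q["se"]) - now
        if left <= timedelta(0):
            findings.append("already expired")
        elif left > MAX_LIFETIME:
            findings.append(f"valid for {left}, longer than {MAX_LIFETIME}")
    elif not policy:
        findings.append("no expiry (se) and no stored access policy (si)")
    if q.get("spr", "https,http") != "https":  # omitted spr permits HTTP too
        findings.append("plain HTTP allowed (spr is not 'https')")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    return findings

# Constructed sample URLs; account, container, blob and sig are placeholders.
BASE = "https://exampleacct.blob.core.windows.net/partner/report.pdf"
BROAD = BASE + ("?sv=2020-08-04&sr=c&sp=rwl&st=2021-12-10T00:00:00Z"
                "&se=2022-12-10T00:00:00Z&sig=CONSTRUCTED")
TIGHT = BASE + ("?sv=2020-08-04&sr=b&sp=r&se=2021-12-10T12:30:00Z"
                "&spr=https&sip=203.0.113.10&sig=CONSTRUCTED")
NOW = datetime(2021, 12, 10, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, url in (("BROAD", BROAD), ("TIGHT", TIGHT)):
        print(name, audit_sas_url(url, NOW) or "no findings")
```
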