Share via

Azure file URL options

JAS HS 31 Reputation points
2022-03-09T11:19:45.8+00:00

I have ASP.Net Core in-house/corporate site hosted on Azure, with numerous Azure functions and which uses Azure AD authentication. Part of the functionality is to send an e-mail to a member of staff which allows clicking on approve/reject links (with authentication). This e-mail should contain links for optional viewing of a number of possible related files.

This is already working, and uses an SAS Token. Unless I misunderstand, this token makes the resulting URL entirely public and it also times out.
What I would prefer is a link which, when clicked, opens a browser and, via authentication, the file is visible in the browser.

The file storage link gives the InvalidHeaderValue response - as expected, and this route is a dead-end, I believe, for this purpose.
A blob storage link gives PublicAccessNotPermitted (in the unrendered XML)

What are my options for achieving what I want?
Do I create a viewer page, with authentication, in the application (or another application) and show the file there?
Should I simply attach the file to the e-mail? (this is not ideal)
If I have to use an SAS Token, how can I avoid the management problem of the timeout - can it be set to not timeout, or auto renew? But, I, and the client, are not keen on having any public URLs e.g. if the e-mail gets forwarded to any random address, the recipient can view the files.

Related links:
https://stackoverflow.com/questions/39720453/azure-file-storage-access-document-with-direct-link
https://stackoverflow.com/questions/60583797/how-to-get-download-url-of-a-digital-file-stored-in-an-azure-storage-account

Thank you
James.

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,420 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. deherman-MSFT 38,021 Reputation points Microsoft Employee Moderator
    2022-03-11T19:15:07.547+00:00

    @JAS HS I understand you are currently sharing a blob via SAS token and viewing it in the browser. You are wanting to make this solution more secure, as SAS urls cannot be securely shared. Please correct me if I am misunderstanding the issue.

    Since you are using Azure AD already you should be able to integrate it for use with storage. Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob and queue data. You can also define custom roles for access to blob and queue data.|

    When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

    Azure storage supports Azure AD authentication and can be used for authentication instead of storage account name / key, SAS tokens or SAS policy. You can read more about it here.

    Hope this helps. Let us know if you have any further questions or issues.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.