Differences between Shared Key and Azure AD Storage Account access

Question

I'm referencing this docs page: https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-requests-to-azure-storage. Based on this link both Shared Key and Azure AD auth are "Supported" but will there be any special cases where one may have more access than the other? I'm assuming two access scenarios:

Scenario 1:
A Security Principal that has been granted Storage Account Contributor role for Storage Account "foo" uses Shared Key auth to read storage blobs in "foo".

Scenario 2:
A Security Principal that has been granted Storage Blob Data Reader role for Storage Account "foo" uses Azure AD auth to read storage blobs in "foo".

I would expect both auth types to not be able to access a storage account that has a network ACL defined that blocks access from the IP address the service principal is making the request from.

I would also expect any Storage Account w/ an IAM Deny Assignment that blocks access for all Service Principals to block access regardless of auth type (e.x. Storage Accounts created for Azure Databricks).

Are those two statements true? Am I missing any scenarios where the auth types do not have equivalent access?

Answer 1

@Matthew Kracht
Since both are using RBAC for permissions they would function the same in these scenarios. You might find the documentation here helpful. That being said, authorizing requests against Azure Storage with Azure AD provides superior security and ease of use over Shared Key authorization. Microsoft recommends using Azure AD authorization with your blob and queue applications when possible to minimize potential security vulnerabilities inherent in Shared Key. More information about using Azure AD can be found on this page.

Hope this helps! Let us know if you have further questions or issues.

--------------

Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.