question

JoeH-0944 asked

Azure AD auth for storage blob

Is it possible to access an item in a blob directly when the container is configured to use Azure AD auth? I'm trying to figure out if I can configure Intune to set a user's wallpaper by just entering the URL of the image in the blob (https://mysa.blob.core.windows.net/container/image.jpg), instead of having to mess with SAS keys. I've enabled Azure AD auth on the container and given the Storage Blob Data Reader role to a security group the user is a member of. I'm getting a "resource does not exist" error when I try that URL from Edge with the account, and errors in Intune about not being able to access the file.

azure-blob-storage

1 Answer

SumanthMarigowda-MSFT answered

@JoeH-0944 Welcome to the Microsoft Q&A Forum, and thank you for posting your query here!

When you say you have enabled Azure AD auth, what do you mean? Do you mean you have disabled access key auth?

If you want to just browse the blob directly by entering the URL of the blob, having Azure AD auth is not possible, because when it's Azure AD, the auth details are passed as a request header and not as a URI parameter, which we cannot do in a browser. The only option in that case is using SAS. Or else you have to change the access level of the blob to Blob or Container and then access the blob directly, but that would compromise the security.

Firstly, let me explain how RBAC works in Azure.

When a security principal (a user, group, or application) attempts to access a blob resource, the request must be authorized, unless it is a blob available for anonymous access. With Azure AD, access to a resource is a two-step process. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. Next, the token is passed as part of a request to the Blob service and used by the service to authorize access to the specified resource.

The authentication step requires that an application request an OAuth 2.0 access token at runtime. If an application is running from within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Functions app, it can use a managed identity to access blob data. To learn how to authorize requests made by a managed identity to the Azure Blob service, see Authorize access to blob data with managed identities for Azure resources.

The authorization step requires that one or more Azure RBAC roles be assigned to the security principal making the request. For more information, see Assign Azure roles for access rights.


Please let us know if you have any further queries. I'm happy to assist you further.

Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
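Since the answer leaves SAS as the only workable option for a plain-URL consumer like Intune, the following added example (not from the original thread or from Microsoft) shows the less risky variant of that route: minting a read-only, HTTPS-only, short-lived service SAS scoped to the single blob, plus a policy check to run on any SAS URL before it is pasted into a device profile. It assumes the 2020-12-06 string-to-sign layout and uses a constructed account key; the account, container and blob names are taken from the question.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import parse_qs, quote, urlencode

SAS_VERSION = "2020-12-06"  # string-to-sign layout below follows this service version (assumption)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
DEMO_KEY_B64 = base64.b64encode(b"\x01" * 64).decode()  # constructed demo key, not a real account key

def build_blob_sas(account, account_key_b64, container, blob, expiry_utc, permissions="r"):
    """Return a service SAS query string for one blob. expiry_utc: 'YYYY-MM-DDTHH:MM:SSZ'."""
    # Field order is fixed by the service; empty fields still contribute their newline.
    string_to_sign = "\n".join([
        permissions,
        "",                                       # signedStart: valid from issuance (avoids clock skew)
        expiry_utc,
        f"/blob/{account}/{container}/{blob}",    # canonicalizedResource
        "",                                       # signedIdentifier (no stored access policy)
        "",                                       # signedIP
        "https",                                  # signedProtocol: HTTPS only
        SAS_VERSION,
        "b",                                      # signedResource: a single blob, not the container
        "", "",                                   # signedSnapshotTime, signedEncryptionScope
        "", "", "", "", "",                       # rscc, rscd, rsce, rscl, rsct header overrides
    ])
    key = base64.b64decode(account_key_b64)
    sig = base64.b64encode(hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()).decode()
    return urlencode({"sv": SAS_VERSION, "sr": "b", "sp": permissions, "se": expiry_utc, "spr": "https", "sig": sig})

def sas_params(sas_query):
    return {k: v[0] for k, v in parse_qs(sas_query).items()}

def check_sas_policy(sas_query, now_utc, max_hours=24):
    """List policy findings for a SAS before it goes into a device-configuration profile (empty = OK)."""
    p = sas_params(sas_query)
    findings = []
    if set(p.get("sp", "")) - {"r"}:
        findings.append(f"permissions '{p['sp']}' exceed read-only")
    if p.get("sr") != "b":
        findings.append("scope is wider than a single blob")
    if "se" not in p:
        findings.append("no expiry")
    elif datetime.strptime(p["se"], TIME_FMT) - datetime.strptime(now_utc, TIME_FMT) > timedelta(hours=max_hours):
        findings.append(f"lifetime exceeds {max_hours} hours")
    if p.get("spr", "https,http") != "https":  # absent spr means both schemes are accepted
        findings.append("not restricted to HTTPS")
    return findings

if __name__ == "__main__":
    q = build_blob_sas("mysa", DEMO_KEY_B64, "container", "image.jpg", "2024-01-01T12:00:00Z")
    print(f"https://mysa.blob.core.windows.net/container/{quote('image.jpg')}?{q}")
    print(check_sas_policy(q, "2024-01-01T08:00:00Z"))
```

A user-delegation SAS (signed with an Azure AD delegation key instead of the account key) follows the same consumer-side shape and is preferable where the account key must stay unused, but obtaining the delegation key requires a live call to the service and is not shown here.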

