Del via


Authorize with Microsoft Entra ID

Azure Storage provides integration with Microsoft Entra ID for identity-based authorization of requests to the Blob, File, Queue and Table services. With Microsoft Entra ID, you can use role-based access control (RBAC) to grant access to blob, file, queue and table resources to users, groups, or applications. You can grant permissions that are scoped to the level of an individual container, share, queue or table.

To learn more about Microsoft Entra ID integration in Azure Storage, see Authorize access to Azure blobs and queues using Microsoft Entra ID.

For more information on the advantages of using Microsoft Entra ID in your application, see Integrating with the Microsoft identity platform.

Important

For optimal security, Microsoft recommends using Microsoft Entra ID with managed identities to authorize requests against blob, queue, and table data, whenever possible. Authorization with Microsoft Entra ID and managed identities provides superior security and ease of use over Shared Key authorization. To learn more about managed identities, see What are managed identities for Azure resources.

For resources hosted outside of Azure, such as on-premises applications, you can use managed identities through Azure Arc. For example, apps running on Azure Arc-enabled servers can use managed identities to connect to Azure services. To learn more, see Authenticate against Azure resources with Azure Arc-enabled servers.

For scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS. A user delegation SAS is secured with Microsoft Entra credentials instead of the account key. To learn about shared access signatures, see Create a user delegation SAS.

Use OAuth access tokens for authentication

Azure Storage accepts OAuth 2.0 access tokens from the Microsoft Entra tenant associated with the subscription that contains the storage account. Azure Storage accepts access tokens for:

  • Users and groups
  • Service principals
  • Managed identities for Azure resources
  • Applications using permissions delegated by users

Azure Storage exposes a single delegation scope named user_impersonation that permits applications to take any action allowed by the user.

To request tokens for Azure Storage, specify the value https://storage.azure.com/ for the resource ID. For more information about the resource ID, see Microsoft identity platform scopes, permissions, & consent.

For more information on requesting access tokens from Microsoft Entra ID for users and service principals, see Authentication flows and application scenarios.

For more information about requesting access tokens for resources configured with managed identities, see How to use managed identities for Azure resources on an Azure VM to acquire an access token.

Call storage operations with OAuth tokens

To call Blob, File, Queue and Table service operations using OAuth access tokens, pass the access token in the Authorization header using the Bearer scheme, and specify a service version of 2017-11-09 (2022-11-02 for operations on File resource and Directory resource or 2024-11-04 for operations on FileService resource and FileShare resource) or higher, as shown in the following example:

Request:
GET /container/file.txt
x-ms-version: 2017-11-09
Authorization: Bearer eyJ0eXAiO...V09ccgQ
User-Agent: PostmanRuntime/7.6.0
Accept: */*
Host: sampleoautheast2.blob.core.windows.net
accept-encoding: gzip, deflate

Response:
HTTP/1.1 200
status: 200
Content-Length: 28
Content-Type: text/plain
Content-MD5: dxG7IgOBzApXPcGHxGg5SA==
Last-Modified: Wed, 30 Jan 2019 07:21:32 GMT
Accept-Ranges: bytes
ETag: "0x8D686838F9E8BA7"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 09f31964-e01e-00a3-8066-d4e6c2000000
x-ms-version: 2017-11-09
x-ms-creation-time: Wed, 29 Aug 2018 04:22:47 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Date: Wed, 06 Mar 2019 21:50:50 GMT
Welcome to Azure Storage!!

Bearer Challenge

Bearer challenge is part of the OAuth protocol RFC 6750 and is used for authority discovery. For anonymous requests to the Blob service, or for requests made with an invalid OAuth bearer token, the server will return status code 401 (Unauthorized) with identity provider and resource information. Refer to link for how to use these values during authentication with Microsoft Entra ID.

Azure Storage Blob and Queue services return a bearer challenge for version 2019-12-12 and newer. Azure Storage Table service returns a bearer challenge for version 2020-12-06 and newer. Azure Data Lake Storage Gen2 returns a bearer challenge for version 2017-11-09 and newer. Azure File service returns a bearer challenge from version 2022-11-02 and newer.

Responses to anonymous read requests

When Blob Storage receives an anonymous request, that request will succeed if all of the following conditions are true:

  • Anonymous public access is allowed for the storage account.
  • The container is configured to allow anonymous public access.
  • The request is for read access.

If any of those conditions are not true, then the request will fail. The response code on failure depends on whether the anonymous request was made with a version of the service that supports the bearer challenge. The bearer challenge is supported with service versions 2019-12-12 and newer:

  • If the anonymous request was made with a service version that supports the bearer challenge, then the service returns error code 401 (Unauthorized).
  • If the anonymous request was made with a service version that does not support the bearer challenge and anonymous public access is disallowed for the storage account, then the service returns error code 409 (Conflict).
  • If the anonymous request was made with a service version that does not support the bearer challenge and anonymous public access is allowed for the storage account, then the service returns error code 404 (Not Found).

For more information about the bearer challenge, see Bearer challenge.

Sample response to bearer challenge

The following is an example of a bearer challenge response when the client request does not include the bearer token in the anonymous download blob request:

Request:
GET /container/file.txt
x-ms-version: 2019-12-12
Host: sampleoautheast2.blob.core.windows.net

Response:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer authorization_uri=https://login.microsoftonline.com/<tenant_id>/oauth2/authorize resource_id=https://storage.azure.com

<?xml version="1.0" encoding="utf-8"?>
<Error>
    <Code>NoAuthenticationInformation</Code>
    <Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:ec4f02d7-1003-0006-21f9-c55bc8000000
Time:2020-01-08T08:01:46.2063459Z</Message>
</Error>
Parameter Description
authorization_uri The URI (physical endpoint) of the authorization server. This value is also used as a lookup key to get more information about the server from a discovery endpoint. The client must validate that the authorization server is trusted. When the resource is protected by Microsoft Entra ID, it is sufficient to verify that the URL begins with https://login.microsoftonline.com or other hostname that Microsoft Entra ID supports. A tenant-specific resource should always return a tenant-specific authorization URI.
resource_id Returns the unique identifier of the resource. The client application can use this identifier as the value of the resource parameter when it requests an access token for the resource. It is important for the client application to verify this value, otherwise a malicious service might be able to induce an elevation-of-privileges attack. The recommended strategy for preventing an attack is to verify that the resource_id matches the base of the web API URL that being accessed. The Azure Storage resource ID is https://storage.azure.com.

Manage access rights with RBAC

Microsoft Entra ID handles the authorization of access to secured resources through RBAC. Using RBAC, you can assign roles to users, groups, or service principals. Each role encompasses a set of permissions for a resource. Once the role is assigned to the user, group, or service principal, they have access to that resource. You can assign access rights using the Azure portal, Azure command-line tools, and Azure Management APIs. For more information on RBAC, see Get started with Role-Based Access Control.

For Azure Storage, you can grant access to data in a container or queue in the storage account. Azure Storage offers these built-in RBAC roles for use with Microsoft Entra ID:

For more information about how built-in roles are defined for Azure Storage, see Understand role definitions for Azure resources.

You can also define custom roles for use with Blob storage and Azure Queues. For more information, see Create custom roles for Azure Role-Based Access Control.

Permissions for calling data operations

The following tables describe the permissions necessary for a Microsoft Entra user, group, managed identity, or service principal to call specific Azure Storage operations. To enable a client to call a particular operation, ensure that the client's assigned RBAC role offers sufficient permissions for that operation.

Permissions for Blob service operations

Blob service operation RBAC action
List Containers Microsoft.Storage/storageAccounts/blobServices/containers/read (scoped to the storage account or above)
Set Blob Service Properties Microsoft.Storage/storageAccounts/blobServices/write
Get Blob Service Properties Microsoft.Storage/storageAccounts/blobServices/read
Preflight Blob Request Anonymous
Get Blob Service Stats Microsoft.Storage/storageAccounts/blobServices/read
Get Account Information Not supported
Get User Delegation Key Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
Create Container Microsoft.Storage/storageAccounts/blobServices/containers/write
Get Container Properties Microsoft.Storage/storageAccounts/blobServices/containers/read
Get Container Metadata Microsoft.Storage/storageAccounts/blobServices/containers/read
Set Container Metadata Microsoft.Storage/storageAccounts/blobServices/containers/write
Get Container ACL Not supported
Set Container ACL Not supported
Lease Container Microsoft.Storage/storageAccounts/blobServices/containers/write
Delete Container Microsoft.Storage/storageAccounts/blobServices/containers/delete
Restore Container Microsoft.Storage/storageAccounts/blobServices/containers/write
List Blobs Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Find Blobs by Tags in Container Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action
Put Blob For create or replace: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
To create new blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Put Blob from URL For create or replace: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
To create new blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Get Blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Get Blob Properties Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Set Blob Properties Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Get Blob Metadata Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Set Blob Metadata Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Get Blob Tags Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read
Set Blob Tags Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write
Find Blob by Tags Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action
Lease Blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Snapshot Blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write or
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Copy Blob For destination blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write or Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action (when writing a new blob to the destination)
For source blob in the same storage account: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
For source blob in a different storage account: Available as anonymous, or include valid SAS token
Copy Blob from URL For destination blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write or Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action (when writing a new blob to the destination)
For source blob in the same storage account: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
For source blob in a different storage account: Available as anonymous, or include valid SAS token
Abort Copy Blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Delete Blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Undelete Blob Microsoft.Storage/storageAccounts/blobServices/containers/write
Set Blob Tier Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Blob Batch Parent request: Microsoft.Storage/storageAccounts/blobServices/containers/write
Sub-requests: See permissions for that request type.
Set Immutability Policy Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action
Delete Immutability Policy Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action
Set Blob Legal Hold Microsoft.Storage/storageAccounts/blobServices/containers/write
Put Block Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Put Block from URL Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Put Block List Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Get Block List Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Query Blob Contents Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Put Page Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Put Page from URL Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Get Page Ranges Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Incremental Copy Blob For destination blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
For source blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
For new blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Append Block Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write or Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Append Block from URL Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write or Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Set Blob Expiry Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write

Permissions for Queue service operations

Queue service operation RBAC action
List Queues Microsoft.Storage/storageAccounts/queueServices/queues/read (scoped to the storage account or above)
Set Queue Service Properties Microsoft.Storage/storageAccounts/queueServices/read
Get Queue Service Properties Microsoft.Storage/storageAccounts/queueServices/read
Preflight Queue Request Anonymous
Get Queue Service Stats Microsoft.Storage/storageAccounts/queueServices/read
Create Queue Microsoft.Storage/storageAccounts/queueServices/queues/write
Delete Queue Microsoft.Storage/storageAccounts/queueServices/queues/delete
Get Queue Metadata Microsoft.Storage/storageAccounts/queueServices/queues/read
Set Queue Metadata Microsoft.Storage/storageAccounts/queueServices/queues/write
Get Queue ACL Not available via OAuth
Set Queue ACL Not available via OAuth
Put Message Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action or Microsoft.Storage/storageAccounts/queueServices/queues/messages/write
Get Messages Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action or (Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete and Microsoft.Storage/storageAccounts/queueServices/queues/messages/read)
Peek Messages Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
Delete Message Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action or Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete
Clear Messages Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete
Update Message Microsoft.Storage/storageAccounts/queueServices/queues/messages/write

Permissions for Table service operations

Table service operation RBAC action
Set Table Service Properties Microsoft.Storage/storageAccounts/tableServices/write
Get Table Service Properties Microsoft.Storage/storageAccounts/tableServices/read
Preflight Table Request Anonymous
Get Table Service Stats Microsoft.Storage/storageAccounts/tableServices/read
Performing Entity Group Transactions Sub-operation authorizes separately
Query Tables Microsoft.Storage/storageAccounts/tableServices/tables/read (scoped to the storage account or above)
Create Table Microsoft.Storage/storageAccounts/tableServices/tables/write
Delete Table Microsoft.Storage/storageAccounts/tableServices/tables/delete
Get Table ACL Not available via OAuth
Set Table ACL Not available via OAuth
Query Entities Microsoft.Storage/storageAccounts/tableServices/tables/entities/read
Insert Entity Microsoft.Storage/storageAccounts/tableServices/tables/entities/write or Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action
Insert Or Merge Entity Microsoft.Storage/storageAccounts/tableServices/tables/entities/write or (Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action and Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action)
Insert Or Replace Entity Microsoft.Storage/storageAccounts/tableServices/tables/entities/write or (Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action and Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action)
Update Entity Microsoft.Storage/storageAccounts/tableServices/tables/entities/write or Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action
Merge Entity Microsoft.Storage/storageAccounts/tableServices/tables/entities/write or Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action
Delete Entity Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete

Permissions for File service operations

File service operation RBAC action
Get File Service Properties Microsoft.Storage/storageAccounts/fileServices/read
Set File Service Properties Microsoft.Storage/storageAccounts/fileServices/write
Preflight File Request Anonymous
List Shares Microsoft.Storage/storageAccounts/fileServices/shares/read
Create Share Microsoft.Storage/storageAccounts/fileServices/shares/write
Snapshot Share Microsoft.Storage/storageAccounts/fileServices/shares/write
Get Share Properties Microsoft.Storage/storageAccounts/fileServices/shares/read
Set Share Properties Microsoft.Storage/storageAccounts/fileServices/shares/write
Get Share Metadata Microsoft.Storage/storageAccounts/fileServices/shares/read
Set Share Metadata Microsoft.Storage/storageAccounts/fileServices/shares/write
Delete Share Microsoft.Storage/storageAccounts/fileServices/shares/delete
Restore Share Microsoft.Storage/storageAccounts/fileServices/shares/restore/action
Get Share ACL Microsoft.Storage/storageAccounts/fileServices/shares/read
Set Share ACL Microsoft.Storage/storageAccounts/fileServices/shares/write
Get Share Stats Microsoft.Storage/storageAccounts/fileServices/shares/read
Lease Share Microsoft.Storage/storageAccounts/fileServices/shares/lease/action
Create Permission Microsoft.Storage/storageAccounts/fileServices/fileShares/files/modifypermissions/action and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Get Permission Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read and Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
List Directories and Files Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read and Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
Create Directory Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Get Directory Properties Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read and Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
Set Directory Properties Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action, and Microsoft.Storage/storageAccounts/fileServices/fileShares/files/modifypermissions/action if x-ms-file-permission or x-ms-file-permission-key is included in HTTP request header.
Delete Directory Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Get Directory Metadata Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read and Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
Set Directory Metadata Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Rename Directory Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Create File Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Get File Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read and Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
Get File Properties Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read and Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
Set File Properties Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action, and Microsoft.Storage/storageAccounts/fileServices/fileShares/files/modifypermissions/action if x-ms-file-permission or x-ms-file-permission-key is included in HTTP request header.
Put Range Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Put Range from URL Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
List Ranges Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read and Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
Get File Metadata Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read and Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
Set File Metadata Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Delete File Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Copy File Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action, and Microsoft.Storage/storageAccounts/fileServices/fileShares/files/modifypermissions/action if x-ms-file-permission or x-ms-file-permission-key is included in HTTP request header.
Abort Copy File Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
List Handles Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read and Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
Force Close Handles Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Lease File Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Rename File Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write and Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action

See also