Configuring access to storage container

Prem Sundaram 21 Reputation points
2020-07-20T23:18:57.253+00:00

Hi, this might be a simple question (I hope!)

We are trying to configure a storage container for our Azure AD B2C users to access through our app.

I have created this storage container in my primary directory (let's call it abc.com). In this main account we have our app services, DB, etc.

We have our users directory and app registration in a separate directory (xyz.onmicrosoft.com), and this is currently working fine: our users can log in to the app and access data in the database.

What we now want to do is configure a container so that we can store images, and we plan to use the SAS token / user delegation method to ensure users can only read/write their own images (blobs) in the container.

The problem we are having is how to give the permissions to the container and/or app registration so we can limit the access permissions for our users in the xyz directory to just that storage container in the abc directory.

For app registrations in our main directory I can give the 'user delegation/storage' API permission, and we can go to the container and set the AD users group permission to the group related to that app registration. It all seems logical, but we need to do the same between the two directories.

But when we try to give the app registration in our xyz directory the storage permissions, we only get the 'Microsoft Graph' API option. It seems that because we have the app registration in the xyz directory, we can't access the resources in the abc directory, yet we are able to handle the users just fine.

Do we need to put the container in the xyz directory? Then it would not be with our other services. Any thoughts on what concept we are missing here?

Any help appreciated, we're a bit stumped! Thanks!
Prem


Accepted answer
Marilee Turscak-MSFT 34,066 Reputation points Microsoft Employee
2020-08-04T22:40:02.703+00:00

    Hi @Prem Sundaram ,

    You either need to make sure that the users are guest users in the xyz directory, or move the container to that directory. As long as they at least have guest access to the tenant, you can assign them permissions to use the storage container.

    Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue.

    As you mentioned, you just need to set the access control to those users and set the scope so that they can only access that container.

    As long as the resource either exists in the same tenant OR the users are added as guest users you'll be able to do this.

    First, select the container and go to Access Control:


    Then, add the role assignment for those users:


    https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal
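The two pieces the thread describes, scoping the role assignment to the single container in the abc tenant and then issuing a short-lived user delegation SAS for one user's blob, as an added Az PowerShell example that is not part of the question or the answer. The tenant, subscription, resource group, account, container, group name and user object id are placeholders, and the signed-in identity is assumed to already hold a role that includes the generateUserDelegationKey action (for example Storage Blob Data Contributor or Storage Blob Delegator).

```powershell
# Added example (not from the question or the answer). Assumes the container
# lives in the abc.com tenant and the xyz users are already B2B guests there;
# every value below is a placeholder.
$TenantId       = '<abc-tenant-id>'
$SubscriptionId = '<subscription-id>'
$ResourceGroup  = 'rg-app'
$StorageAccount = 'stappimages'
$Container      = 'user-images'
$GuestGroupName = 'xyz-app-users'   # security group holding the guest users

Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId | Out-Null

# Scope the assignment to the container itself, not to the account,
# resource group or subscription (least privilege).
$ContainerScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
                  "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
                  "/blobServices/default/containers/$Container"

$Group = Get-AzADGroup -DisplayName $GuestGroupName
New-AzRoleAssignment -ObjectId $Group.Id `
                     -RoleDefinitionName 'Storage Blob Data Contributor' `
                     -Scope $ContainerScope

# Check: list anything the group holds at a scope other than this container,
# so an accidental account- or subscription-wide grant is visible.
Get-AzRoleAssignment -ObjectId $Group.Id |
    Where-Object { $_.Scope -ne $ContainerScope } |
    Format-Table RoleDefinitionName, Scope

# Issue a user delegation SAS for one user's blob. A context built with
# -UseConnectedAccount signs with the logged-in Entra identity, so the SAS is
# bounded by its own permissions and expiry AND by that identity's RBAC rights.
$UserObjectId = '<user-object-id>'        # the requesting guest user
$BlobName     = "$UserObjectId/avatar.png" # per-user prefix keeps users apart
$Ctx = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount
$Sas = New-AzStorageBlobSASToken -Container $Container -Blob $BlobName `
          -Permission rw `
          -StartTime (Get-Date).AddMinutes(-5) `
          -ExpiryTime (Get-Date).AddMinutes(15) `
          -Context $Ctx -FullUri
$Sas
```

The SAS covers only the one blob named, so a user who obtains it cannot list the container or touch other users' blobs even though the group role is container-wide.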

