How to use a Microsoft personal email with DefaultAzureCredential from the Python SDK to download/upload files in an Azure Storage blob account?

Alberto Porro 20 Reputation points
2024-05-09T14:38:27.34+00:00

I'm developing a system in which a user, from a simple Python application, can download/upload files from Azure Blob Storage.

I'm using the Python SDK and VS Code as IDE (without the Azure extension activated) and I'm stuck with the Microsoft personal account used for authentication.

This is what I've done so far:

In the portal, in the Microsoft Entra ID section, I invited my personal Microsoft account as well as my organizational account as external users (first as member, then as guest, but the result is the same). For both of them I accepted the invitation and assigned the 'storage blob collaborator' and 'Reader' roles for the storage account.

then in Python code, I use

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# storageName holds the storage account name
credential = DefaultAzureCredential(exclude_interactive_browser_credential=False)

blob_service = BlobServiceClient("https://%s.blob.core.windows.net" % storageName, credential=credential)

as a starting point; then, when a request to the storage starts, it opens the browser to ask for authorization, as expected.

If I use the email within my organization, it works like a charm.

When I use the Microsoft personal account, it says "Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application <tenant code>. The account has to be first of all added as external user in the tenant".

What am I doing wrong? Is it not possible to invite an external user (with a personal email)? Where can I add a specific user to the specific tenant?


Accepted answer
  1. Nehruji R 3,121 Reputation points Microsoft Vendor
    2024-05-15T08:59:58.56+00:00

    Hello Alberto, I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer. Accepted answers show up at the top, resulting in improved discoverability for others.


    Issue: Customer is unable to add their Microsoft personal account as guest user to their tenant.

    Error Message:

    "Selected user account does not exist in tenant 'Microsoft Services' and cannot access the application <tenant code>.

    Solution: Adding the tenant ID of the tenant holding the storage account I want to connect to, gaining in that way authorization even for a Microsoft user invited as external.

    Putting the tenant in the constructor, DefaultAzureCredential(), solved the problem.

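The accepted fix, worked through as an added example (this is not code from the thread or from the Azure SDK docs). It pins the interactive browser sign-in to the tenant that owns the storage account through DefaultAzureCredential's documented interactive_browser_tenant_id parameter (the thread only says "the tenant in the constructor", so which parameter the author used is an assumption), and before any blob call it reads the tid claim of the token it obtained to confirm the token really was issued by that tenant rather than by the personal account's home tenant. It assumes azure-identity and azure-storage-blob are installed; the storage account name, tenant ID, container and blob name are placeholders, and make_unsigned_test_token produces a constructed, unsigned token used only for the offline check.

```python
"""Entra ID sign-in to Blob Storage from a desktop Python app, pinned to the
tenant that owns the storage account. Added example, not from the original
thread. Assumes azure-identity and azure-storage-blob are installed; the
account name, tenant ID, container and blob below are placeholders."""
import base64
import json
import re
from typing import Any, Dict

STORAGE_SCOPE = "https://storage.azure.com/.default"
_ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")  # storage account naming rule


def valid_account_name(name: str) -> bool:
    return bool(_ACCOUNT_RE.match(name))


def account_url(storage_name: str) -> str:
    """Build the Blob endpoint, refusing names that cannot be a storage account
    so a typo does not turn into a request to some unrelated host."""
    if not valid_account_name(storage_name):
        raise ValueError(f"invalid storage account name: {storage_name!r}")
    return f"https://{storage_name}.blob.core.windows.net"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> Dict[str, Any]:
    """Read the claims of an access token *you* obtained. No signature check:
    this is for inspecting your own token, never for authorizing anyone."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_issued_for_tenant(token: str, expected_tenant_id: str) -> bool:
    """True when the token's `tid` claim is the tenant holding the storage
    account. A personal account that signed in to its home tenant instead
    fails here, which is the situation behind the error in the question."""
    return decode_jwt_claims(token).get("tid", "").lower() == expected_tenant_id.lower()


def make_unsigned_test_token(claims: Dict[str, Any]) -> str:
    """Constructed token for the offline demonstration; the signature is fake."""
    def seg(obj: Dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.fake-signature"


def make_blob_service_client(storage_name: str, tenant_id: str):
    """Interactive sign-in against the storage account's tenant, then a
    fail-fast check that the token really came from that tenant."""
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobServiceClient

    credential = DefaultAzureCredential(
        exclude_interactive_browser_credential=False,
        interactive_browser_tenant_id=tenant_id,  # not the user's home tenant
    )
    token = credential.get_token(STORAGE_SCOPE).token
    if not token_issued_for_tenant(token, tenant_id):
        got = decode_jwt_claims(token).get("tid")
        raise RuntimeError(f"token issued by tenant {got}, expected {tenant_id}")
    return BlobServiceClient(account_url(storage_name), credential=credential)


def upload_then_download(client, container: str, blob: str, data: bytes) -> bytes:
    blob_client = client.get_blob_client(container=container, blob=blob)
    blob_client.upload_blob(data, overwrite=True)
    return blob_client.download_blob().readall()


if __name__ == "__main__":
    # Placeholders: replace with your storage account name and tenant ID.
    client = make_blob_service_client("mystorageacct", "00000000-0000-0000-0000-000000000000")
    print(upload_then_download(client, "uploads", "hello.txt", b"hello from a guest user"))
```

Setting the AZURE_TENANT_ID environment variable has the same effect on the interactive browser credential as passing interactive_browser_tenant_id, which is useful when the tenant should not be hard-coded in the app.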

2 additional answers

Sort by: Most helpful
  1. Nehruji R 3,121 Reputation points Microsoft Vendor
    2024-05-10T06:43:50.3833333+00:00

    Hello Alberto Porro,

    Greetings! Welcome to Microsoft Q&A Platform.

    Azure Storage supports using Microsoft Entra ID to authorize requests to blob data. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal.

    The error message “Selected user account does not exist in tenant ‘Microsoft Services’ and cannot access the application” suggests that the Microsoft personal account is not recognized within the specified tenant. Verify that the tenant configuration allows external users to be added and confirm that the Microsoft personal account is indeed added as an external user in the tenant.

    Also add the user to the application they are trying to access - https://learn.microsoft.com/en-us/entra/external-id/add-users-administrator#add-guest-users-to-a-group After a guest user has been added to the directory in Microsoft Entra ID, an application owner can send the guest user a direct link to the app they want to share.

    This guide provides the basic steps to invite an external user. To learn about all of the properties and settings that you can include when you invite an external user, see How to create and delete a user.

    Once your guest account has accepted the invite (through Azure AD Users), and once you have granted this guest access to your desired application, you will receive an email with a link that brings the user to myapps.microsoft.com. Once you accept the terms, looking at the top right corner of the screen you will see a button that looks like this:

    [image: screenshot of the button]

    Ensure that, once you have received the email in your guest account, you click on the organization whose shared apps you want to view. Also, once you grant access to an application, it can take some time to show up for your users.

    Alternatively, if the user account is created only for accessing the storage account, you can create SAS tokens for your storage containers with the desired permissions and share them with your users. The user should install Storage Explorer and connect to the blob container with the provided SAS token to upload the files.

    Step 1: Create SAS tokens in the Azure portal.

    Go to the Azure portal and navigate to your container (your storage account → containers → your container)

    1. Generate SAS from the drop-down menu.
    2. Define Permissions by checking and/or clearing the appropriate check box:
      • Your target container or file must have designated read, create, write and list access to upload the files to the container.
    3. Specify the signed key Start and Expiry times.
    4. Review, then select Generate SAS token and URL.
    5. The Blob SAS token query string and Blob SAS URL will be displayed in the lower area of the window.
    6. Copy and paste the Blob SAS token and URL values in a secure location. They'll only be displayed once and cannot be retrieved once the window is closed.

    Step 2: Connect to the blob container using the SAS URL in Storage Explorer

    1. In the Select Resource panel of the Connect to Azure Storage dialog, select the blob Container.
    2. Select Shared access signature (SAS) and select Next.
    3. Enter a display name for your connection and the SAS URI for the resource. Select Next.
    4. Review your connection information in the Summary panel. If the connection information is correct, select Connect.

    Similar thread for reference - https://learn.microsoft.com/en-us/answers/questions/1339578/guest-access-for-azure-data-lake-gen-2

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

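The SAS alternative in the answer above, done from Python instead of the portal, as an added example (not the answer's own code): the issuing side fixes the permission set to read, create, write and list, keeps the lifetime short and HTTPS-only, and vets any SAS URL before it is handed to a user. generate_container_sas and ContainerSasPermissions are real azure-storage-blob functions and are imported only inside make_container_sas, so the inspection helpers run offline; SAMPLE_SAS_URL is a constructed URL with a fake signature, not a real token, and the 24-hour ceiling is a policy choice assumed here, not something the answer prescribes.

```python
"""Issue and vet a container SAS for upload/read access. Added example, not
the answer's own code. Needs azure-storage-blob only for make_container_sas();
everything else is standard library. SAMPLE_SAS_URL is constructed (fake sig)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Blob SAS 'sp' letters: r=read, a=add, c=create, w=write, d=delete, l=list (and more).
# The answer above asks for read, create, write and list to upload files.
UPLOAD_AND_READ = "rcwl"

# Constructed sample with a fake signature, used for offline inspection only.
SAMPLE_SAS_URL = (
    "https://mystorageacct.blob.core.windows.net/uploads"
    "?sv=2022-11-02&sr=c&sp=rcwl&st=2024-05-15T08:00:00Z&se=2024-05-15T16:00:00Z"
    "&spr=https&sig=FAKESIGNATURE"
)
SAMPLE_NOW = datetime(2024, 5, 15, 9, 0, tzinfo=timezone.utc)  # "now" for the sample


def make_container_sas(account_name: str, container: str, account_key: str,
                       hours: int = 8) -> str:
    """Return a container SAS URL: fixed rcwl permissions, HTTPS only, bounded
    lifetime. The account key stays on the issuing side; only the URL is shared."""
    from azure.storage.blob import ContainerSasPermissions, generate_container_sas

    if not 0 < hours <= 24:
        raise ValueError("keep SAS lifetime within a day; reissue instead of extending")
    now = datetime.now(timezone.utc)
    sas = generate_container_sas(
        account_name=account_name,
        container_name=container,
        account_key=account_key,
        permission=ContainerSasPermissions(read=True, create=True, write=True, list=True),
        start=now - timedelta(minutes=5),      # tolerate client clock skew
        expiry=now + timedelta(hours=hours),
        protocol="https",
    )
    return f"https://{account_name}.blob.core.windows.net/{container}?{sas}"


def sas_summary(sas_url: str) -> Dict[str, str]:
    """The security-relevant query fields of a SAS URL (signature omitted)."""
    query = parse_qs(urlsplit(sas_url).query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    return {"permissions": first("sp"), "expiry": first("se"), "protocol": first("spr"),
            "resource": first("sr"), "ip_range": first("sip")}


def sas_is_acceptable(sas_url: str, allowed: str = UPLOAD_AND_READ, max_hours: int = 24,
                      now: Optional[datetime] = None) -> bool:
    """False if the SAS grants anything outside `allowed`, permits plain HTTP,
    has no explicit expiry, is already expired, or lasts longer than `max_hours`."""
    s = sas_summary(sas_url)
    if not s["permissions"] or set(s["permissions"]) - set(allowed):
        return False        # e.g. 'd' (delete) slipped in
    if s["protocol"] != "https":
        return False        # 'https,http', or no spr at all (both protocols allowed)
    if not s["expiry"]:
        return False        # expiry lives in a stored access policy; review that instead
    expiry = datetime.fromisoformat(s["expiry"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return now < expiry <= now + timedelta(hours=max_hours)


if __name__ == "__main__":
    print(sas_summary(SAMPLE_SAS_URL))
    print("acceptable:", sas_is_acceptable(SAMPLE_SAS_URL, now=SAMPLE_NOW))
```

Run sas_is_acceptable on the URL copied out of the portal before sending it to anyone; a SAS that fails it (delete permission, HTTP allowed, or an expiry weeks away) is cheaper to regenerate than to revoke, since revoking a SAS means rotating the account key or removing the stored access policy.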

  2. Alberto Porro 20 Reputation points
    2024-05-15T08:34:08.6366667+00:00

    Sorry for the delayed answer, but I managed to solve my problem anyway.

    I was developing a desktop app, not an app hosted in Azure, so thanks to @Shweta Mathur for the comment, but that wasn't my case.

    Thanks to @Nehruji R for your answer; I tried to log in and press the specified button in order to change the organization I belong to, but I don't know why, the box you specified was dimmed.

    After many tries I solved it by adding the tenant ID of the tenant holding the storage account I want to connect to, gaining in that way the authorization even for a Microsoft user invited as external.

    Putting the tenant in the constructor

    DefaultAzureCredential()

    solved my problem.
