question

AlexAlexon-4788 asked:

Is cross tenant blob access possible in azure?

My customer has an Azure bucket and we need to read/write to this bucket. They won't be sharing their storage account credentials either.

This can be achieved in AWS by following this: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/ I have just created an IAM user and asked my customers to allow the necessary permissions in the bucket policy. Thus, with one IAM user and one set of credentials, I can write to multiple buckets belonging to multiple AWS accounts.

Is something like above also possible in Azure?

Tags: azure-storage-accounts, azure-blob-storage

Sumarigo-MSFT answered:
> 1. "Is it possible to cross-tenant access WITHOUT using the customer credentials (even without shared access keys)?"

Yes, this is possible: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-customize-ui

Note: the user should have access to the Guest account.

If the user and you are in different tenants, you need to invite them as a Guest and add permission to the storage account.

  1. Once you are invited into the account (as a Guest) you don't need Shared Access Signature permission.

  2. You can provide different levels of access using IAM in the Azure portal without the storage account key.

Additional information: Refer to this MSDN thread which provides detailed information, How RBAC works with AAD and more.


Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

@AlexAlexon-4788 Just checking in to see if the above answer helped. If this answers your query, Please don’t forget to "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.


Since my service is a backend service, I have used the client credential flow

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

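The pattern the answer above describes (the customer grants an identity from your tenant access through IAM, so neither the account key nor a SAS is exchanged) combined with the client credentials flow mentioned in the comment, as an added example that is not code from the thread or from Microsoft. It uses only the Python standard library and assumes: a multi-tenant app registration in the provider's tenant; admin consent in the customer's tenant (which creates the service principal there, so the token must be requested from the customer's tenant endpoint); and a data-plane role assignment (Storage Blob Data Contributor, or Data Reader for read-only) on the container. A control-plane role such as Storage Account Contributor alone lets the principal manage the account but not read or write blobs with a bearer token; the service then answers 403 with error code AuthorizationPermissionMismatch, which the helper below translates. Account, container and environment variable names are hypothetical.

```python
"""Cross-tenant Azure Blob access with an Azure AD bearer token (client
credentials grant), no account key and no SAS.  Added example; the names of
the environment variables, account and container are assumptions."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

LOGIN_HOST = "https://login.microsoftonline.com"
STORAGE_SCOPE = "https://storage.azure.com/.default"  # audience for Blob data-plane calls
API_VERSION = "2021-08-06"                            # Blob REST x-ms-version header


def build_token_request(customer_tenant_id, client_id, client_secret):
    """Return (url, form_body) for the v2.0 client credentials grant.
    The tenant in the URL is the CUSTOMER's: the service principal created by
    their admin consent lives there, and the token must be issued by it."""
    url = f"{LOGIN_HOST}/{customer_tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": STORAGE_SCOPE,
    }).encode()
    return url, body


def build_blob_put(account, container, blob_name, token, data):
    """Return (url, headers) for a Put Blob request authorised by the bearer token."""
    url = (f"https://{account}.blob.core.windows.net/{container}/"
           f"{urllib.parse.quote(blob_name)}")
    headers = {
        "Authorization": f"Bearer {token}",
        "x-ms-version": API_VERSION,
        "x-ms-blob-type": "BlockBlob",
        "x-ms-date": datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT"),
        "Content-Length": str(len(data)),
    }
    return url, headers


def explain_storage_error(status, body):
    """Turn a Blob REST error response into an actionable hint.
    AuthorizationPermissionMismatch means the token itself was accepted but the
    principal holds no data-plane RBAC role on the container/account."""
    code = None
    try:
        code = ET.fromstring(body).findtext("Code")
    except ET.ParseError:
        pass
    if status == 403 and code == "AuthorizationPermissionMismatch":
        return ("token accepted but no data-plane role: assign "
                "Storage Blob Data Contributor/Reader to the service principal")
    if status == 401:
        return "token rejected: check customer tenant id, scope/audience and clock"
    return f"HTTP {status} {code or ''}".strip()


def get_token(customer_tenant_id, client_id, client_secret):
    url, body = build_token_request(customer_tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def put_blob(account, container, blob_name, token, data):
    url, headers = build_blob_put(account, container, blob_name, token, data)
    req = urllib.request.Request(url, data=data, headers=headers, method="PUT")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, "created"
    except urllib.error.HTTPError as e:
        return e.code, explain_storage_error(e.code, e.read())


if __name__ == "__main__":
    # Live run against the customer's account; env var names are hypothetical.
    tenant = os.environ["CUSTOMER_TENANT_ID"]
    token = get_token(tenant, os.environ["APP_CLIENT_ID"], os.environ["APP_CLIENT_SECRET"])
    status, msg = put_blob(os.environ["CUSTOMER_STORAGE_ACCOUNT"],
                           os.environ["CUSTOMER_CONTAINER"],
                           "hello.txt", token, b"hello from the provider tenant\n")
    print(status, msg)
```

The same client id and secret work against any number of customer tenants: only the tenant id in the token URL changes, and each customer decides independently which container the principal may touch through their own role assignment, which is the Azure equivalent of the per-bucket policy in the AWS approach from the question.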
Sumarigo-MSFT answered (edited):

In your scenario SAS would be the best option, and it could be kept on both sides to upload and download (read, write, delete and list). If so, delegate access with a shared access signature. Using SAS you can set an expiry date and time for the storage account and also specify the IP address.

Please refer to this article and let me know if you need any further assistance on this query.

Hope this helps!


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

AlexAlexon-4788 answered:

I understood that we can use SAS for cross tenant access.

My question is specific to:
1. Is it possible to cross-tenant access WITHOUT using the customer credentials (even without shared access keys)?
2. The customer has given permission for my account in their service account as "Storage Admin". If I still need the shared access keys from the customer, what is the meaning of this permission?

Why this question:
1. In AWS, if the customer gives permission for my IAM user, I can access their storage without any keys.
2. In GCP, if the customer gives permission for my IAM user, I can access their storage without any keys.

MariuszBorys-1907 commented:

@AlexAlexon-4788 did you find a solution for the scenario you described?


AlexAlexon-4788 (replying to MariuszBorys-1907):

No, didn't find any elegant way of doing it ...


MariuszBorys-1907 (replying to AlexAlexon-4788):

Hm, ok, thank you for the answer.