You can set up CDN with App Service as backend with AAD, and for that the given link can be used as reference architecture as it uses a similar setup. Regarding access to particular content paths, it is done at the code level. You can enable AAD authorization/authentication on the app service and, from inside your code, examine the claims of the principal logged in and determine which group has access to which paths.
However, if you do not have App Service as backend, then you can go with token authentication for CDN as given in the link. Token authentication, when used with the rules engine, should be able to deliver your requirement for particular content paths etc.
"Token authentication verifies that requests are generated by a trusted site by requiring requests to contain a token value that holds encoded information about the requester. Content is served to a requester only if the encoded information meets the requirements; otherwise, requests are denied. You can set up the requirements by using one or more of the following parameters:
Country/Region: Allow or deny requests that originate from the countries/regions specified by their country/region code.
URL: Allow only requests that match the specified asset or path.
Host: Allow or deny requests that use the specified hosts in the request header.
Referrer: Allow or deny requests from the specified referrer.
IP address: Allow only requests that originated from a specific IP address or IP subnet.
Protocol: Allow or deny requests based on the protocol used to request the content.
Expiration time: Assign a date and time period to ensure that a link remains valid only for a limited time period."
Please let us know if you have any further questions and we will be glad to assist you further. Thank you!
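To make the quoted parameter list concrete, here is an added example (not from the post above and not Azure's own implementation) that models how an edge would evaluate a token's decoded parameters against an incoming request. It assumes the token has already been decrypted into a dict keyed by the Azure CDN parameter names (`ec_expire`, `ec_url_allow`, `ec_country_allow`/`_deny`, `ec_host_allow`/`_deny`, `ec_ref_allow`/`_deny`, `ec_proto_allow`/`_deny`, `ec_clientip`), that request fields are already normalized, and it uses constructed sample values throughout.

```python
# Added example: policy evaluation of a decoded CDN token against one request.
# Assumption: decryption of the real token has already happened; `token` holds
# parameter name -> string value. Request values are assumed normalized: `host`
# and `referrer` are hostnames, `protocol` is "http"/"https", `country` is an
# ISO code. All sample values below are constructed for illustration.
import ipaddress
from urllib.parse import urlparse

def _split(value):
    """Token list parameters are comma-separated."""
    return [x.strip() for x in value.split(",") if x.strip()]

def token_allows(token, request, now):
    """Return (allowed, reason). `now` is Unix epoch seconds."""
    # Expiration time: the link is invalid at or after the stated instant.
    if "ec_expire" in token and now >= int(token["ec_expire"]):
        return False, "token expired"
    # URL: serve only paths that start with one of the allowed prefixes.
    if "ec_url_allow" in token:
        path = urlparse(request["url"]).path
        if not any(path.startswith(p) for p in _split(token["ec_url_allow"])):
            return False, "url not allowed"
    # Country/Region, Host, Referrer, Protocol: allow-list and deny-list forms.
    for field, key in (("country", "ec_country"), ("host", "ec_host"),
                       ("referrer", "ec_ref"), ("protocol", "ec_proto")):
        value = request.get(field, "")
        allow, deny = token.get(key + "_allow"), token.get(key + "_deny")
        if allow is not None and value not in _split(allow):
            return False, f"{field} not in allow list"
        if deny is not None and value in _split(deny):
            return False, f"{field} in deny list"
    # IP address: only clients inside the listed address or subnet.
    if "ec_clientip" in token:
        net = ipaddress.ip_network(token["ec_clientip"], strict=False)
        if ipaddress.ip_address(request["client_ip"]) not in net:
            return False, "client ip not allowed"
    return True, "ok"

# Constructed sample token (decoded form) and request for a video asset.
SAMPLE_TOKEN = {"ec_expire": "1700000000", "ec_url_allow": "/videos/,/images/",
                "ec_country_allow": "US,GB", "ec_proto_allow": "https",
                "ec_clientip": "203.0.113.0/24", "ec_ref_deny": "evil.example"}
SAMPLE_REQUEST = {"url": "https://cdn.example.net/videos/a.mp4", "country": "US",
                  "host": "cdn.example.net", "referrer": "www.example.com",
                  "client_ip": "203.0.113.7", "protocol": "https"}

if __name__ == "__main__":
    print(token_allows(SAMPLE_TOKEN, SAMPLE_REQUEST, 1699999999))
```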