Tip of the Day: Azure AD access control for Azure Storage

Today’s Tip… Azure AD access control for Azure Storage

Azure AD access control for Azure Storage has been released as General Availability. Organizations can now grant specific data access permissions for Azure Storage Blob and Queue services to their work or school and service principal identities from their Azure AD tenant using Azure’s Role-based access control (RBAC).

The following are only snippets of the official announcement here…


Administrators can then track individual user and service access to data using Storage Analytics logs. Storage accounts can be configured to be more secure by removing the need for most users to have access to powerful storage account access keys.

By leveraging Azure AD to authenticate users and services, enterprises gain access to the full array of capabilities that Azure AD provides, including features like two-factor authentication, conditional access, identity protection, and more. Azure AD Privileged Identity Management (PIM) can also be used to assign roles “just-in-time” and reduce the security risk of standing administrative access.

RBAC for Azure Resources can be used to grant access to broad sets of resources across a subscription, a resource group, or to individual resources like a storage account and blob container. Role assignments can be made through the Azure portal or through tools like Azure PowerShell, Azure CLI, or Azure Resource Manager templates.