Authorizing access to data in Azure Storage
Each time you access data in your storage account, your client makes a request over HTTP/HTTPS to Azure Storage. Every request to a secure resource must be authorized, so that the service ensures that the client has the permissions required to access the data.
The following table describes the options that Azure Storage offers for authorizing access to resources:
|Azure artifact||Shared Key (storage account key)||Shared access signature (SAS)||Azure Active Directory (Azure AD)||On-premises Active Directory Domain Services (preview)||Anonymous public read access|
|Azure Blobs||Supported||Supported||Supported||Not supported||Supported|
|Azure Files (SMB)||Supported||Not supported||Supported, only with AAD Domain Services||Supported, credentials must be synced to Azure AD||Not supported|
|Azure Files (REST)||Supported||Supported||Not supported||Not supported||Not supported|
|Azure Queues||Supported||Supported||Supported||Not Supported||Not supported|
|Azure Tables||Supported||Supported||Not supported||Not supported||Not supported|
Each authorization option is briefly described below:
Azure Active Directory (Azure AD) integration for blobs, and queues. Azure provides Azure role-based access control (Azure RBAC) for control over a client's access to resources in a storage account. For more information regarding Azure AD integration for blobs and queues, see Authorize access to Azure blobs and queues using Azure Active Directory.
Azure Active Directory Domain Services (Azure AD DS) authentication for Azure Files. Azure Files supports identity-based authorization over Server Message Block (SMB) through Azure AD DS. You can use Azure RBAC for fine-grained control over a client's access to Azure Files resources in a storage account. For more information regarding Azure Files authentication using domain services, refer to the overview.
On-premises Active Directory Domain Services (AD DS, or on-premises AD DS) authentication (preview) for Azure Files. Azure Files supports identity-based authorization over SMB through AD DS. Your AD DS environment can be hosted in on-premises machines or in Azure VMs. SMB access to Files is supported using AD DS credentials from domain joined machines, either on-premises or in Azure. You can use a combination of Azure RBAC for share level access control and NTFS DACLs for directory/file level permission enforcement. For more information regarding Azure Files authentication using domain services, refer to the overview.
Shared Key authorization for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. For more information, see Authorize with Shared Key.
Shared access signatures for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited delegated access to resources in a storage account. Adding constraints on the time interval for which the signature is valid or on permissions it grants provides flexibility in managing access. For more information, see Using shared access signatures (SAS).
Anonymous public read access for containers and blobs. Authorization is not required. For more information, see Manage anonymous read access to containers and blobs.
By default, all resources in Azure Storage are secured, and are available only to the account owner. Although you can use any of the authorization strategies outlined above to grant clients access to resources in your storage account, Microsoft recommends using Azure AD when possible for maximum security and ease of use.