Authenticate access to Azure blobs and queues using Azure Active Directory (Preview)
Azure Storage supports authentication and authorization with Azure Active Directory (AD) for the Blob and Queue services. With Azure AD, you can use role-based access control (RBAC) to grant access to users, groups, or application service principals.
Authenticating users or applications using Azure AD credentials provides superior security and ease of use over other means of authorization. While you can continue to use Shared Key authorization with your applications, using Azure AD circumvents the need to store your account access key with your code. You can also continue to use shared access signatures (SAS) to grant fine-grained access to resources in your storage account, but Azure AD offers similar capabilities without the need to manage SAS tokens or worry about revoking a compromised SAS. Microsoft recommends using Azure AD authentication for your Azure Storage applications when possible.
The preview of Azure AD authentication for blobs and queues is intended for non-production use only. Production service-level agreements (SLAs) are not currently available. If Azure AD authentication is not yet supported for your scenario, continue to use Shared Key authorization or SAS tokens in your applications.
During the preview, RBAC role assignments may take up to five minutes to propagate.
You must use HTTPS to authenticate with Azure AD when calling blob and queue operations.
The Azure portal now supports using Azure AD credentials to read and write blob data as part of the preview release.
The Azure portal does not currently support using Azure AD credentials to read and write queue data. Queue data is accessed via your storage account keys.
Azure Storage Explorer currently uses your storage account key to access blob and queue data.
Azure Files supports authentication with Azure AD over SMB for domain-joined VMs only (preview). To learn about using Azure AD over SMB for Azure Files, see Overview of Azure Active Directory authentication over SMB for Azure Files (preview).
About the preview
Keep in mind the following points about the preview:
- Azure AD integration is available for the Blob and Queue services only in the preview.
- Azure AD integration is available for GPv1, GPv2, and Blob storage accounts in all public regions.
- Only storage accounts created with the Resource Manager deployment model are supported.
- Support for caller identity information in Azure Storage Analytics logging is coming soon.
- Azure AD authorization of access to resources in standard storage accounts is currently supported. Authorization of access to page blobs in premium storage accounts will be supported soon.
- Azure Storage supports both built-in and custom RBAC roles. You can assign roles scoped to the subscription, the resource group, the storage account, or an individual container or queue.
- The Azure Storage client libraries that currently support Azure AD integration include:
Get started with Azure AD for Storage
The first step in using Azure AD integration with Azure Storage is to assign RBAC roles for storage data to your service principal (a user, group, or application service principal) or managed identities for Azure resources. RBAC roles encompass common sets of permissions for containers and queues. To learn more about RBAC roles for Azure Storage, see Manage access rights to storage data with RBAC (Preview).
To use Azure AD to authorize access to storage resources in your applications, you need to request an OAuth 2.0 access token from your code. To learn how to request an access token and use it to authorize requests to Azure Storage, see Authenticate with Azure AD from an Azure Storage application (Preview). If you are using a managed identity, see Authenticate access to blobs and queues with Azure managed identities for Azure Resources (Preview).
Azure CLI and PowerShell now support logging in with an Azure AD identity. After you log in with an Azure AD identity, your session runs under that identity. To learn more, see Use an Azure AD identity to access Azure Storage with CLI or PowerShell (Preview).
For additional information about Azure AD integration for Azure Blobs and Queues, see the Azure Storage team blog post, Announcing the Preview of Azure AD Authentication for Azure Storage.