Authenticate access to Azure blobs and queues using Azure Active Directory (Preview)

Azure Storage supports authentication and authorization with Azure Active Directory (AD) for the Blob and Queue services. With Azure AD, you can use role-based access control (RBAC) to grant access to users, groups, or application service principals.

Authenticating users or applications using Azure AD credentials provides superior security and ease of use over other means of authorization. While you can continue to use Shared Key authorization with your applications, using Azure AD circumvents the need to store your account access key with your code. You can also continue to use shared access signatures (SAS) to grant fine-grained access to resources in your storage account, but Azure AD offers similar capabilities without the need to manage SAS tokens or worry about revoking a compromised SAS. Microsoft recommends using Azure AD authentication for your Azure Storage applications when possible.

Note

  • The preview of Azure AD authentication for blobs and queues is intended for non-production use only. Production service-level agreements (SLAs) are not currently available. If Azure AD authentication is not yet supported for your scenario, continue to use Shared Key authorization or SAS tokens in your applications.

  • During the preview, RBAC role assignments may take up to five minutes to propagate.

  • To authorize blob and queue operations with an OAuth token, you must use HTTPS.

  • The Azure portal now supports using Azure AD credentials to read and write blob and queue data, as part of the preview release.

  • Azure Storage Explorer currently uses your storage account key to access blob and queue data. OAuth access is supported for blobs.

  • Azure Files supports authentication with Azure AD over SMB for domain-joined VMs only (preview). To learn about using Azure AD over SMB for Azure Files, see Overview of Azure Active Directory authentication over SMB for Azure Files (preview).

About the preview

Keep in mind the following points about the preview:

  • Azure AD integration is available for the Blob and Queue services only in the preview.
  • Azure AD integration is available for GPv1, GPv2, and Blob storage accounts in all public regions.
  • Only storage accounts created with the Resource Manager deployment model are supported.
  • Support for caller identity information in Azure Storage Analytics logging is coming soon.
  • Azure AD authorization of access to resources in standard storage accounts is currently supported. Authorization of access to page blobs in premium storage accounts will be supported soon.
  • Azure Storage supports both built-in and custom RBAC roles. You can assign roles scoped to the subscription, the resource group, the storage account, or an individual container or queue.
  • The Azure Storage client libraries that currently support Azure AD integration include:

Get started with Azure AD for Storage

The first step in using Azure AD integration with Azure Storage is to assign RBAC roles for storage data to your security principal (a user, group, or application service principal) or to a managed identity for Azure resources. RBAC roles encompass common sets of permissions for containers and queues. To learn more about RBAC roles for Azure Storage, see Manage access rights to storage data with RBAC (Preview).

To use Azure AD to authorize access to storage resources in your applications, you need to request an OAuth 2.0 access token from your code. To learn how to request an access token and use it to authorize requests to Azure Storage, see Authenticate with Azure AD from an Azure Storage application (Preview). If you are using a managed identity, see Authenticate access to blobs and queues with Azure managed identities for Azure Resources (Preview).
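The following sketch is an added example, not code from this article or from the Azure Storage client libraries. It builds the client-credentials token request for a service principal and attaches the resulting bearer token to a storage request only when the target is an HTTPS Blob or Queue endpoint. The token endpoint, the `https://storage.azure.com/` resource URI, the `2017-11-09` REST version, and the public-cloud host suffixes are not stated on this page and are assumptions of the example, as are the function names.

```python
"""Added example: Azure AD (OAuth 2.0) authorization for Blob/Queue requests."""
import json
import urllib.parse
import urllib.request

# Assumptions (not given on this page): token audience, minimum REST version,
# and public-cloud endpoint suffixes for the Blob and Queue services.
STORAGE_RESOURCE = "https://storage.azure.com/"
API_VERSION = "2017-11-09"
ALLOWED_SUFFIXES = (".blob.core.windows.net", ".queue.core.windows.net")


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request for a service principal."""
    tenant = urllib.parse.quote(tenant_id, safe="")  # keep tenant inside one path segment
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": STORAGE_RESOURCE,
    }
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(url, data=body, method="POST")


def fetch_token(req):
    """Send the token request (requires network access and real credentials)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def storage_request(url, access_token, method="GET"):
    """Attach the bearer token only for an HTTPS Blob or Queue endpoint."""
    parts = urllib.parse.urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("refusing to send OAuth token over a non-HTTPS URL")
    if not host.endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"refusing to send storage token to {host!r}")
    headers = {
        "Authorization": f"Bearer {access_token}",
        "x-ms-version": API_VERSION,
    }
    return urllib.request.Request(url, headers=headers, method=method)
```

Checking the scheme and host before the `Authorization` header is set keeps a misconfigured or attacker-influenced URL from receiving a token that is valid for every storage account the principal can reach.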

Azure CLI and PowerShell now support logging in with an Azure AD identity. After you log in with an Azure AD identity, your session runs under that identity. To learn more, see Use an Azure AD identity to access Azure Storage with CLI or PowerShell (Preview).

Next steps

For additional information about Azure AD integration for Azure Blobs and Queues, see the Azure Storage team blog post, Announcing the Preview of Azure AD Authentication for Azure Storage.