Authorize access to blobs and queues using Azure Active Directory
Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to Blob and Queue storage. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against Blob or Queue storage.
Authorizing requests against Azure Storage with Azure AD provides superior security and ease of use over Shared Key authorization. Microsoft recommends using Azure AD authorization with your blob and queue applications when possible to minimize potential security vulnerabilities inherent in Shared Key.
Authorization with Azure AD is available for all general-purpose and Blob storage accounts in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Azure AD authorization.
Blob storage additionally supports creating shared access signatures (SAS) that are signed with Azure AD credentials. For more information, see Grant limited access to data with shared access signatures.
Azure Files supports authorization with AD (preview) or Azure AD DS (GA) over SMB for domain-joined VMs only. To learn about using AD (preview) or Azure AD DS (GA) over SMB for Azure Files, see Overview of Azure Files identity-based authentication support for SMB access.
Authorization with Azure AD is not supported for Azure Table storage. Use Shared Key to authorize requests to Table storage.
Overview of Azure AD for blobs and queues
When a security principal (a user, group, or application) attempts to access a blob or queue resource, the request must be authorized, unless it is a blob available for anonymous access. With Azure AD, access to a resource is a two-step process. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. Next, the token is passed as part of a request to the Blob or Queue service and used by the service to authorize access to the specified resource.
The authentication step requires that an application request an OAuth 2.0 access token at runtime. If an application is running from within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Functions app, it can use a managed identity to access blobs or queues. To learn how to authorize requests made by a managed identity to the Azure Blob or Queue service, see Authorize access to blobs and queues with Azure Active Directory and managed identities for Azure Resources.
The authorization step requires that one or more Azure roles be assigned to the security principal. Azure Storage provides Azure roles that encompass common sets of permissions for blob and queue data. The roles that are assigned to a security principal determine the permissions that the principal will have. To learn more about assigning Azure roles for Azure Storage, see Manage access rights to storage data with Azure RBAC.
Native applications and web applications that make requests to the Azure Blob or Queue service can also authorize access with Azure AD. To learn how to request an access token and use it to authorize requests for blob or queue data, see Authorize access to Azure Storage with Azure AD from an Azure Storage application.
Assign Azure roles for access rights
Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob and queue data. You can also define custom roles for access to blob and queue data.
When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.
Azure built-in roles for blobs and queues
Azure provides the following Azure built-in roles for authorizing access to blob and queue data using Azure AD and OAuth:
- Storage Blob Data Owner: Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2. For more information, see Access control in Azure Data Lake Storage Gen2.
- Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
- Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
- Storage Blob Delegator: Get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.
- Storage Queue Data Contributor: Use to grant read/write/delete permissions to Azure queues.
- Storage Queue Data Reader: Use to grant read-only permissions to Azure queues.
- Storage Queue Data Message Processor: Use to grant peek, retrieve, and delete permissions to messages in Azure Storage queues.
- Storage Queue Data Message Sender: Use to grant add permissions to messages in Azure Storage queues.
Only roles explicitly defined for data access permit a security principal to access blob or queue data. Built-in roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account via Azure AD. However, if a role includes the Microsoft.Storage/storageAccounts/listKeys/action, then a user to whom that role is assigned can access data in the storage account via Shared Key authorization with the account access keys. For more information, see Use the Azure portal to access blob or queue data.
For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the Storage section in Azure built-in roles for Azure RBAC. Additionally, for information about the different types of roles that provide permissions in Azure, see Classic subscription administrator roles, Azure roles, and Azure AD roles.
Azure role assignments may take up to five minutes to propagate.
To learn how to assign an Azure built-in role to a security principal, see one of the following articles:
- Use the Azure portal to assign an Azure role for access to blob and queue data
- Use the Azure CLI to assign an Azure role for access to blob and queue data
- Use the Azure PowerShell module to assign an Azure role for access to blob and queue data
Access permissions for data operations
For details on the permissions required to call specific Blob or Queue service operations, see Permissions for calling blob and queue data operations.
Before you assign an Azure role to a security principal, determine the scope of access that the security principal should have. Best practices dictate that it's always best to grant only the narrowest possible scope.
The following list describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest scope:
- An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
- An individual queue. At this scope, a role assignment applies to messages in the queue, as well as queue properties and metadata.
- The storage account. At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages.
- The resource group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
- The subscription. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.
- A management group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in all of the subscriptions in the management group.
For more information about Azure role assignments and scope, see What is Azure role-based access control (Azure RBAC)?.
Access data with an Azure AD account
Access to blob or queue data via the Azure portal, PowerShell, or Azure CLI can be authorized either by using the user's Azure AD account or by using the account access keys (Shared Key authorization).
Data access from the Azure portal
The Azure portal can use either your Azure AD account or the account access keys to access blob and queue data in an Azure storage account. Which authorization scheme the Azure portal uses depends on the Azure roles that are assigned to you.
When you attempt to access blob or queue data, the Azure portal first checks whether you have been assigned an Azure role with Microsoft.Storage/storageAccounts/listkeys/action. If you have been assigned a role with this action, then the Azure portal uses the account key for accessing blob and queue data via Shared Key authorization. If you have not been assigned a role with this action, then the Azure portal attempts to access data using your Azure AD account.
To access blob or queue data from the Azure portal using your Azure AD account, you need permissions to access blob and queue data, and you also need permissions to navigate through the storage account resources in the Azure portal. The built-in roles provided by Azure Storage grant access to blob and queue resources, but they don't grant permissions to storage account resources. For this reason, access to the portal also requires the assignment of an Azure Resource Manager role such as the Reader role, scoped to the level of the storage account or higher. The Reader role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable. To learn more about how to assign permissions to users for data access in the Azure portal with an Azure AD account, see Use the Azure portal to assign an Azure role for access to blob and queue data.
The Azure portal indicates which authorization scheme is in use when you navigate to a container or queue. For more information about data access in the portal, see Choose how to authorize access to blob data in the Azure portal and Choose how to authorize access to queue data in the Azure portal.
Data access from PowerShell or Azure CLI
Azure CLI and PowerShell support signing in with Azure AD credentials. After you sign in, your session runs under those credentials. To learn more, see Run Azure CLI or PowerShell commands with Azure AD credentials to access blob or queue data.