Configuring Azure AD authentication for Azure Storage using Azure Portal
In this tutorial, we’ll learn how to use the Azure portal to configure Azure AD authentication for Azure Storage, and how to assign Azure roles for blob and queue data access using the portal.
The Azure portal provides a simple interface for assigning Azure roles and managing access to your storage resources. You can also assign Azure roles for blob and queue data access with the Azure command-line tools or the Azure Storage management APIs.
When an Azure role is assigned to a security principal in Azure AD, Azure grants that security principal access to the resources within the assignment’s scope. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue; the narrower the scope, the less an over-permissioned or compromised principal can reach.
Azure roles for blobs and queues
Azure provides the following built-in roles for authorizing access to blob and queue data using Azure AD and OAuth:
- Storage Blob Data Owner: grants full access to blob containers and data, including setting ownership and managing POSIX access control for Azure Data Lake Storage Gen2.
- Storage Blob Data Contributor: grants read, write, and delete permissions to Blob storage resources.
- Storage Blob Data Reader: grants read-only permissions to Blob storage resources.
- Storage Blob Delegator: grants the ability to get a user delegation key, which is used to create a shared access signature signed with Azure AD credentials for a container or blob.
- Storage Queue Data Contributor: grants read, write, and delete permissions to Azure Storage queues.
- Storage Queue Data Reader: grants read-only permissions to Azure Storage queues.
- Storage Queue Data Message Processor: grants peek, retrieve, and delete permissions to messages in Azure Storage queues.
- Storage Queue Data Message Sender: grants add permissions to messages in Azure Storage queues.
Only roles explicitly defined for data access permit a security principal to reach blob or queue data with Azure AD credentials. Built-in management roles such as Owner, Contributor, and Storage Account Contributor let a security principal manage a storage account, but they do not, by themselves, authorize access to the blob or queue data in that account via Azure AD. There is an important caveat, however: if a role includes the Microsoft.Storage/storageAccounts/listKeys/action permission, a user holding that role can retrieve the account access keys and then read and write all data in the storage account through Shared Key authorization, bypassing Azure AD and any container-level scoping of the data roles. When reviewing who can reach the data, account for that control-plane path as well as the data roles.
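Whether a management role opens the Shared Key path depends on whether its control-plane Actions cover Microsoft.Storage/storageAccounts/listKeys/action once Azure RBAC’s wildcard and NotActions rules are applied. The following is an added example, not code from the original page or from Microsoft: a small POSIX shell checker that applies those rules (a `*` in an action pattern matches any string, including slashes; NotActions are subtracted from Actions; comparisons are case-insensitive) to a constructed, abbreviated set of role definitions modelled on the built-in roles named above. The definitions are trimmed for illustration and are not a complete copy of Azure’s; `az role definition list` returns the authoritative ones.

```shell
#!/bin/sh
# Added example (not from the original page or Microsoft): check whether a role's
# control-plane Actions grant listKeys, which would let the holder bypass the
# Azure AD data roles via Shared Key. Role definitions below are constructed and
# abbreviated; real ones come from `az role definition list`.
set -eu
set -f   # disable pathname expansion so a '*' pattern survives word splitting

LIST_KEYS='Microsoft.Storage/storageAccounts/listKeys/action'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# matches_any ACTION PATTERN... : succeeds if ACTION matches any PATTERN.
# In a `case` pattern, `*` matches any run of characters including `/`,
# which is Azure RBAC's wildcard semantics; matching is done case-insensitively.
matches_any() {
  act=$(lower "$1"); shift
  for pat in "$@"; do
    pat=$(lower "$pat")
    case "$act" in
      $pat) return 0 ;;
    esac
  done
  return 1
}

# role_grants ACTION "ACTIONS" "NOTACTIONS": granted when ACTION matches an
# Actions pattern and no NotActions pattern. Lists are space-separated
# (built-in action strings never contain spaces).
role_grants() {
  action="$1"; actions="$2"; notactions="$3"
  matches_any "$action" $actions || return 1
  if matches_any "$action" $notactions; then
    return 1
  fi
  return 0
}

# Constructed, abbreviated Actions / NotActions for a few built-in roles.
role_actions() {
  case "$1" in
    Owner)                         echo '*' ;;
    Contributor)                   echo '*' ;;
    Reader)                        echo '*/read' ;;
    'Storage Account Contributor') echo 'Microsoft.Storage/storageAccounts/* Microsoft.Resources/subscriptions/resourceGroups/read' ;;
    'Storage Blob Data Reader')    echo 'Microsoft.Storage/storageAccounts/blobServices/containers/read Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action' ;;
    *) printf 'unknown role: %s\n' "$1" >&2; return 1 ;;
  esac
}
role_notactions() {
  case "$1" in
    Contributor) echo 'Microsoft.Authorization/*/Delete Microsoft.Authorization/*/Write Microsoft.Authorization/elevateAccess/Action' ;;
    *) echo '' ;;
  esac
}

# can_list_keys ROLE: succeeds when the role can read the account keys.
can_list_keys() {
  acts=$(role_actions "$1") || return 2
  role_grants "$LIST_KEYS" "$acts" "$(role_notactions "$1")"
}

# Report over the constructed roles. Only the data role reaches blob data
# solely through Azure AD; the management roles can reach all of it via keys.
for r in Owner Contributor Reader 'Storage Account Contributor' 'Storage Blob Data Reader'; do
  if can_list_keys "$r"; then
    printf '%-28s can listKeys -> Shared Key path to all data in the account\n' "$r"
  else
    printf '%-28s no listKeys\n' "$r"
  fi
done
```

To audit real assignments, pull each role’s `permissions[].actions` and `permissions[].notActions` from `az role definition list` and feed them through `role_grants` in place of the constructed lists. Note that this path exists only while Shared Key authorization is enabled on the storage account; disabling account key access (a storage account setting the page does not cover) closes it, leaving the data roles as the only route to the data.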
Determining resource scope
Before assigning an Azure role to a security principal, determine the scope of access that the security principal should have, and choose the narrowest scope that satisfies the requirement. The list below describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest:
- An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as the container properties and metadata.
- An individual queue. At this scope, a role assignment applies to all messages in the queue, as well as the queue properties and metadata.
- The storage account. At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages, in the account.
- The resource group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
- The subscription. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.
- A management group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in all of the subscriptions in the management group.
Assigning Azure roles using the Azure portal
After determining the appropriate scope for a role assignment, navigate to that resource in the Azure portal, open its Access control (IAM) settings, and manage role assignments as follows:
- Assign the appropriate Azure Storage data role to grant the Azure AD security principal access to the blob or queue data.
- Assign the Azure Resource Manager Reader role, at the storage account level or above, to users who need to browse containers or queues in the Azure portal with their Azure AD credentials.
Assigning an Azure built-in role
Before assigning a role to a security principal, consider the scope of the permissions you are granting. The steps below assign a role on a single container:
- In the Azure portal, go to your storage account and display the Overview for the account.
- Under Services, select Blobs.
- Locate the container for which you want to assign a role, and display the container’s settings.
- Select Access control (IAM) to display the access control settings for the container, then select the Role assignments tab to view the list of existing role assignments.
- Click the Add role assignment button to add a new role assignment.
- In the Add role assignment window, select the Azure Storage role that you want to assign, then search for the security principal to which you want to assign that role.
- Click Save.
Assigning the Reader role for portal access
When you assign a built-in or custom role for Azure Storage to a security principal, you grant that principal permissions to perform operations on data in your storage account. For example, the built-in Data Reader roles provide read permissions for the data in a container or queue, while the built-in Data Contributor roles provide read, write, and delete permissions for a container or queue. In both cases the permissions are scoped to the specified resource.
If your users also need to access blobs through the Azure portal, assign them an additional role, the Reader role, at the level of the storage account or above. The Reader role is an Azure Resource Manager role that permits users to view storage account resources but not modify them. It does not by itself grant access to the blob or queue data: the portal needs it to navigate to the account, while the data role assigned above governs what the user can read or write once there.
Follow the steps below to assign the Reader role so that a user can access blobs from the Azure portal. In this example the assignment is scoped to the storage account:
- In the Azure portal, navigate to your storage account.
- Select Access control (IAM) to display the access control settings for the storage account, then select the Role assignments tab to see the list of role assignments.
- Click the Add role assignment button.
- In the Add role assignment window, select the Reader role.
- From the Assign access to field, select Azure AD user, group, or service principal.
- Search for the security principal to which you want to assign the role.
- Save the role assignment.
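The scope levels listed under Determining resource scope and the two portal procedures above (the data role on a container, then the Reader role on the storage account) can also be carried out from the Azure CLI, which the page mentions as an alternative to the portal. The following is an added example, not code from the original page or from Microsoft: it builds the Azure Resource Manager scope string for each level, then emits the `az role assignment create` commands for the portal-user combination the page recommends. All subscription IDs, resource names and object IDs are placeholders; `az` must be installed and logged in (`az login`) for the commands to execute, and by default the script only prints them.

```shell
#!/bin/sh
# Added example (not from the original page or Microsoft). Builds the Azure
# Resource Manager scope string for each scope level in the article and emits
# the `az role assignment create` commands for the recommended portal-user setup.
# All subscription IDs, resource names and object IDs are placeholders.
set -eu

# storage_scope LEVEL ID RESOURCE_GROUP ACCOUNT [CONTAINER_OR_QUEUE]
# Prints the resource ID used as the assignment scope. ID is the subscription
# ID, except for the managementgroup level, where it is the management group ID.
# Narrower scopes are longer paths beneath the same storage account resource ID.
storage_scope() {
  level="$1"; id="$2"; rg="${3:-}"; acct="${4:-}"; child="${5:-}"
  sub="/subscriptions/$id"
  account="$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$acct"
  case "$level" in
    managementgroup) printf '/providers/Microsoft.Management/managementGroups/%s\n' "$id" ;;
    subscription)    printf '%s\n' "$sub" ;;
    resourcegroup)   printf '%s/resourceGroups/%s\n' "$sub" "$rg" ;;
    account)         printf '%s\n' "$account" ;;
    container)       printf '%s/blobServices/default/containers/%s\n' "$account" "$child" ;;
    queue)           printf '%s/queueServices/default/queues/%s\n' "$account" "$child" ;;
    *) printf 'unknown scope level: %s\n' "$level" >&2; return 1 ;;
  esac
}

# assign_role ROLE OBJECT_ID PRINCIPAL_TYPE SCOPE
# The CLI equivalent of the portal's "Add role assignment" step. Passing the
# object ID together with the principal type (User, Group or ServicePrincipal)
# avoids a directory lookup. With DRY_RUN=1 (the default) the command is only
# printed; set DRY_RUN=0 after `az login` to execute it.
assign_role() {
  role="$1"; oid="$2"; ptype="$3"; scope="$4"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'az role assignment create --role "%s" --assignee-object-id %s --assignee-principal-type %s --scope %s\n' \
      "$role" "$oid" "$ptype" "$scope"
  else
    az role assignment create --role "$role" --assignee-object-id "$oid" \
      --assignee-principal-type "$ptype" --scope "$scope"
  fi
}

# portal_user_assignments OBJECT_ID PRINCIPAL_TYPE DATA_ROLE CONTAINER_SCOPE ACCOUNT_SCOPE
# Data-plane role on one container plus the Reader role on the storage account.
# Reader lets the portal list the account but grants no access to blob contents,
# so the data role alone decides what the user can read or write.
portal_user_assignments() {
  assign_role "$3" "$1" "$2" "$4"
  assign_role Reader "$1" "$2" "$5"
}

# Constructed placeholder values; replace with your own.
SUB=00000000-0000-0000-0000-000000000000
RG=rg-storage-demo
ACCT=stdemo001
USER_OID=11111111-1111-1111-1111-111111111111

CONTAINER_SCOPE=$(storage_scope container "$SUB" "$RG" "$ACCT" invoices)
ACCOUNT_SCOPE=$(storage_scope account "$SUB" "$RG" "$ACCT")
portal_user_assignments "$USER_OID" User "Storage Blob Data Reader" "$CONTAINER_SCOPE" "$ACCOUNT_SCOPE"
```

Run as-is to see the two commands with their full scope strings; run with `DRY_RUN=0` to apply them. Keeping the data role at container scope and Reader at account scope mirrors the portal procedure and keeps the blast radius of the data permission to the one container the user needs.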
Reference: Microsoft Documentation