Allow user-based access to Blob Containers (for support employees)
For auditing purposes and to prevent data corruption, we want to give our support employees a user-centric, read-only access to Blob Containers in order to be able to investigate possible data corruptions (caused by bugs in systems).
This is not possible now because the security architecture of Blob Service does not even know the concept of users or roles.
SAS is not a secure enough mechanism because it gives access to anyone just by sharing a link, and you can't track who's actually using it.
Thank you for your feedback. This work has been started. We will provide updates when they become available. For any further questions, or to discuss your specific scenario, send us an email at firstname.lastname@example.org.
Any news on the AD integration with Blob Storage containers?
Peter Schmatz - Microsoft commented
You cannot do this directly. One option would be to create a WebService with AAD/AD integration, which authenticates the user, and then reads/writes data to the Blob (you could hard code the storage keys in the web app). Here's another idea using Azure Key Vault: http://www.dushyantgill.com/blog/2015/04/26/say-goodbye-to-key-management-manage-access-to-azure-storage-data-using-azure-ad/
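An added example (not from the post, and not Microsoft's code) of the authorization layer such an AAD-fronted web service would need. It assumes the bearer token has already been validated by a JWT library against the tenant's signing keys (not shown) and that the decoded claims are passed in; the proxy then checks group membership, permits only read operations, and writes an audit record carrying the caller's identity, which is the property a shared SAS link cannot give you. The group id and the in-memory blob store are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical object id of the AAD group that holds the support employees.
SUPPORT_GROUP_ID = "11111111-2222-3333-4444-555555555555"
# The only blob operations the proxy is allowed to perform on the caller's behalf.
READ_ONLY_OPERATIONS = {"get_blob", "get_blob_properties", "list_blobs"}

# Constructed stand-in for the storage account: container -> {blob name: bytes}.
BLOB_STORE = {"orders": {"2016/order-123.json": b'{"id": 123, "total": -5}'}}

# Every request, allowed or denied, lands here with the caller's identity.
AUDIT_LOG = []


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(claims, operation, container):
    """Admit only support-group members, and only for read operations."""
    if SUPPORT_GROUP_ID not in claims.get("groups", []):
        return Decision(False, "caller is not in the support group")
    if operation not in READ_ONLY_OPERATIONS:
        return Decision(False, operation + " is not a read-only operation")
    if container not in BLOB_STORE:
        return Decision(False, "unknown container")
    return Decision(True, "ok")


def handle_request(claims, operation, container, blob=None):
    """Decide, record who asked for what, then serve the read from the store."""
    decision = authorize(claims, operation, container)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": claims.get("upn") or claims.get("oid"),  # the identity a SAS link never records
        "operation": operation,
        "container": container,
        "blob": blob,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    if not decision.allowed:
        raise PermissionError(decision.reason)
    if operation == "list_blobs":
        return sorted(BLOB_STORE[container])
    return BLOB_STORE[container][blob]
```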
Ganesh Majeti commented
Do we have a way to tag specific AD users to be allowed to access a blob? If not, when can we expect this feature?
This seems to parallel https://feedback.azure.com/forums/217298-storage/suggestions/8587855-provide-acl-via-rbac-on-containers-and-logical-fol where it appears they are also asking down to the folder level. It would certainly be nice to go down to the virtual folder, but the container would be a good first step. Currently the closest option is "Contributor" at the account level, which opens way more rights to *all* storage under that account.
Vojtech Vit commented
It's actually also useful for our testers in environments they are not allowed to have write access to.
Shawn Cicoria commented
Should have the ability to apply RBAC on a container using the AAD group or principal, and folders (logical) should support the same set of ACLs.
Enable OAuth 2.0 for Azure Storage Tables/Blobs