
I think I have a misconfiguration; after going through the docs for the past few days I still have the following issue.

  • I have a web app which uploads to a blob in Azure, and it works fine.
  • My requirement is that only people who are in Azure AD will be authorized to open the files from the link.

What I do is, after uploading the file, show a hyperlink on the UI, which works fine if anonymous access to the storage is enabled.

But what I want is that only people who are in the current Active Directory will be able to see the link.

So I am logged in and have the current configuration on the Azure storage config (screenshot)

and then when I click on the link I get (screenshot of the error)

And when it comes to IAM, I added the Storage Blob Data Contributor role to my user.

I was wondering what would I be missing?

2 Answers


  1. Chosen as BEST ANSWER

    Thanks for the response. @venkatesan's reply is similar to my final solution, where instead I made a function in the app: when the user clicks on the link, the app generates a token that is added to the hyperlink, and the link is only valid for 1 second in our case.

        using System;
        using System.IO;
        using Microsoft.WindowsAzure.Storage;
        using Microsoft.WindowsAzure.Storage.Blob;

        // Returns a blob URL carrying a short-lived, read-only SAS token.
        // storageConfig (connection string + container name) is a field of the app.
        public string GetSasUrl(string Filename)
        {
            var uri = new Uri(Filename);
            string filenames = Path.GetFileName(uri.LocalPath);

            CloudStorageAccount storageAccount = CloudStorageAccount.Parse(storageConfig.ConnectionString);
            CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
            CloudBlobContainer container = blobClient.GetContainerReference(storageConfig.ContainerName);
            CloudBlockBlob _blockBlob = container.GetBlockBlobReference(filenames);

            // Read-only SAS that expires one second after it is issued
            var sas = _blockBlob.GetSharedAccessSignature(new SharedAccessBlobPolicy()
            {
                SharedAccessExpiryTime = DateTime.UtcNow.AddSeconds(1),
                Permissions = SharedAccessBlobPermissions.Read,
            });
            return _blockBlob.Uri.AbsoluteUri + sas;
        }
    
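    The SAS in the answer above is minted with the storage account key, and the storage service accepts it by recomputing an HMAC over the signed fields and checking the time window. The block below is an added example (not the answerer's code and not an Azure SDK) that does the same with only the Python standard library, so the whole check can be seen end to end: it issues a read-only, HTTPS-only SAS for a single blob and then verifies it the way the service would, including a tampered permission field, an expired token and a rotated key. The account name, key, blob path and fixed clock are constructed sample values. The string-to-sign field order is the one documented for service SAS version 2020-12-06; confirm it against the "Create a service SAS" REST reference before relying on it outside a demo. It also backdates the start time: a token valid for one second from "now" is rejected whenever the issuing server's clock runs slightly ahead of the storage service, so the usual practice is a short lifetime with a start a few minutes in the past.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values (not a real account or key): a throwaway
# base64-encoded 32-byte key standing in for the storage account key.
ACCOUNT_NAME = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
SAS_VERSION = "2020-12-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Fixed clock so the demo is deterministic (constructed value).
FIXED_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _string_to_sign(account, container, blob, params):
    """Rebuild the service-SAS string-to-sign (version 2020-12-06 field order)."""
    canonicalized_resource = f"/blob/{account}/{container}/{blob}"
    fields = [
        params.get("sp", ""),    # signed permissions
        params.get("st", ""),    # signed start
        params.get("se", ""),    # signed expiry
        canonicalized_resource,
        params.get("si", ""),    # stored access policy identifier
        params.get("sip", ""),   # signed IP range
        params.get("spr", ""),   # signed protocol
        params.get("sv", ""),    # signed version
        params.get("sr", ""),    # signed resource (b = blob)
        "",                      # signed snapshot time (none)
        params.get("ses", ""),   # signed encryption scope
        params.get("rscc", ""),  # response header overrides
        params.get("rscd", ""),
        params.get("rsce", ""),
        params.get("rscl", ""),
        params.get("rsct", ""),
    ]
    return "\n".join(fields)


def _sign(key_b64, string_to_sign):
    """HMAC-SHA256 over the UTF-8 string-to-sign, keyed with the decoded account key."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_blob_sas_url(account, key_b64, container, blob, now,
                       lifetime=timedelta(minutes=5), skew=timedelta(minutes=5)):
    """Read-only, HTTPS-only SAS for a single blob.

    The start time is backdated by `skew` so a slightly fast issuer clock does
    not produce a token the service considers not yet valid; `lifetime` bounds
    how long a leaked URL stays usable.
    """
    params = {
        "sp": "r",
        "st": (now - skew).strftime(TIME_FMT),
        "se": (now + lifetime).strftime(TIME_FMT),
        "spr": "https",
        "sv": SAS_VERSION,
        "sr": "b",
    }
    params["sig"] = _sign(key_b64, _string_to_sign(account, container, blob, params))
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?" + urlencode(params)


def verify_blob_sas_url(url, key_b64, now, needed_permission="r"):
    """What the service does on receipt: recompute the signature, then check the window."""
    parsed = urlparse(url)
    account = parsed.hostname.split(".")[0]
    container, blob = parsed.path.lstrip("/").split("/", 1)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    expected = _sign(key_b64, _string_to_sign(account, container, blob, params))
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False  # any edited field (permissions, expiry, blob path) breaks the MAC
    start = datetime.strptime(params["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(params["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    return start <= now < expiry and needed_permission in params.get("sp", "")


def demo():
    """Issue a SAS for one blob and show what the service would accept or reject."""
    url = build_blob_sas_url(ACCOUNT_NAME, ACCOUNT_KEY, "uploads", "report.pdf", FIXED_NOW)
    return {
        "url": url,
        "valid_now": verify_blob_sas_url(url, ACCOUNT_KEY, FIXED_NOW),
        # Client edits the query string to upgrade read to read+write
        "tampered_permissions": verify_blob_sas_url(url.replace("sp=r&", "sp=rw&"), ACCOUNT_KEY, FIXED_NOW),
        # Same URL presented ten minutes later, after `se`
        "after_expiry": verify_blob_sas_url(url, ACCOUNT_KEY, FIXED_NOW + timedelta(minutes=10)),
        # Signed with the old key: fails once the account key has been rotated
        "after_key_rotation": verify_blob_sas_url(url, base64.b64encode(b"x" * 32).decode(), FIXED_NOW),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Two things the code makes visible: the token authorises whoever holds the URL, so the app must authenticate the user before calling the equivalent of `build_blob_sas_url`, and the signing key is the account key itself, which is why a user delegation SAS (signed with an Azure AD-issued delegation key rather than the account key) is the variant to prefer when the app already has an identity.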

  2. My requirement is only people who are in the Azure AD will be authorised to open the files from the link

    I agree with Thomas's comment: in the browser, the request doesn't include any OAuth token.

    In my environment, I had configured it the same as you:

    Portal: (screenshot)

    If you need to authorize the user through Azure AD, you first need to fetch the OAuth token for the user.

    You can use the Python code below, which authenticates with Azure AD and authorizes you to open the files from the link.

    Code:

    from azure.identity import DefaultAzureCredential
    import requests

    # Picks up the signed-in identity (az login, environment variables,
    # managed identity, ...) and requests a token scoped to Azure Storage.
    credential = DefaultAzureCredential()
    token = credential.get_token("https://storage.azure.com/.default")

    url = "https://venkat678.blob.core.windows.net/test/readme.txt"

    # Blob REST call authorised with the bearer token; the service requires
    # an x-ms-version header when bearer-token authorisation is used.
    headers = {"Authorization": "Bearer " + token.token, "x-ms-version": "2023-11-03"}
    response = requests.get(url, headers=headers)
    response.raise_for_status()  # surfaces 401/403 instead of printing an error body

    print(response.text)
    

    First, log in with `az login` in your terminal. The code above uses the Azure Identity library to authenticate and get a token for accessing Azure Storage.

    The token is then sent in a GET request to read the contents of the file readme.txt stored in the Azure Blob Storage container venkat678.blob.core.windows.net/test.

    Output:

    COM Test Suite Readme
    ---------------------
    
    Running the test suite:
    -----------------------
    * Open a command prompt
    * Change to the "win32comtest" directory.
    * run "testall.py".  This will perform level 1 testing.
      You may specify 1, 2, or 3 on the command line ("testutil 3")
      to execute more tests.
    


    Reference:

    azure.identity.DefaultAzureCredential class | Microsoft Learn
