Commit 713c928

add resource ID for MSAL calls back to auth docs
1 parent 091fffe commit 713c928

1 file changed: +21 / -1 lines changed

articles/storage/blobs/authorize-access-azure-active-directory.md

Lines changed: 21 additions & 1 deletion
@@ -39,6 +39,13 @@ To learn about how to access data in the Azure portal with an Azure AD account,
3939

4040
### Use Azure AD to authorize access in application code
4141

42+
To authorize access to Azure Storage with Azure AD, you can use one of the following client libraries to acquire an OAuth 2.0 token:
43+
44+
- The Azure Identity client library is recommended for most development scenarios.
45+
- The [Microsoft Authentication Library (MSAL)](../../active-directory/develop/msal-overview.md) may be suitable for certain advanced scenarios.
46+
47+
#### Azure Identity client library
48+
4249
The Azure Identity client library simplifies the process of getting an OAuth 2.0 access token for authorization with Azure Active Directory (Azure AD) via the [Azure SDK](https://github.com/Azure/azure-sdk). The latest versions of the Azure Storage client libraries for .NET, Java, Python, JavaScript, and Go integrate with the Azure Identity libraries for each of those languages to provide a simple and secure means to acquire an access token for authorization of Azure Storage requests.
4350

4451
An advantage of the Azure Identity client library is that it enables you to use the same code to acquire the access token whether your application is running in the development environment or in Azure. The Azure Identity client library returns an access token for a security principal. When your code is running in Azure, the security principal may be a managed identity for Azure resources, a service principal, or a user or group. In the development environment, the client library provides an access token for either a user or a service principal for testing purposes.
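Review bot: in the new two-item list, the MSAL bullet links to its overview page while the "Azure Identity client library" bullet, the option the text recommends for most scenarios, carries no link; add one (the `#### Azure Identity client library` section this hunk introduces, or the Azure SDK repository already linked in the paragraph below) so the recommended option is at least as discoverable as the alternative. "Certain advanced scenarios" is also left unspecified here and again in the MSAL section further down; naming one concrete case, or pointing at the part of the MSAL overview that describes them, would let readers decide which library they actually need.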
@@ -47,7 +54,18 @@ The access token returned by the Azure Identity client library is encapsulated i
4754

4855
[!INCLUDE [storage-auth-language-table](../../../includes/storage-auth-language-table.md)]
4956

50-
Authorizing blob data operations with Azure AD is supported only for REST API versions 2017-11-09 and later. For more information, see [Versioning for the Azure Storage services](/rest/api/storageservices/versioning-for-the-azure-storage-services#specifying-service-versions-in-requests).
57+
#### Microsoft Authentication Library (MSAL)
58+
59+
While Microsoft recommends using the Azure Identity client library when possible, the MSAL library may be appropriate to use in certain advanced scenarios. For more information, see [Learn about MSAL](../../active-directory/develop/msal-overview.md).
60+
61+
When you use MSAL to acquire an OAuth token for access to Azure Storage, you need to provide an Azure AD resource ID. The Azure AD resource ID indicates the audience for which a token that is issued can be used to provide access to an Azure resource. In the case of Azure Storage, the resource ID may be specific to a single storage account, or it may apply to any storage account.
62+
63+
The following table describes the values that you can provide for the resource ID. The resource ID for Azure Storage is the same for all public and sovereign clouds:
64+
65+
|Resource ID |Description |
66+
|---------|---------|
67+
|`https://<account>.blob.core.windows.net` <br /><br /> `https://<account>.queue.core.windows.net` | The service endpoint for a given storage account. Use this value to acquire a token for authorizing requests to that specific Azure Storage account and service only. Replace the value in brackets with the name of your storage account. |
68+
|`https://storage.azure.com/` | Use to acquire a token for authorizing requests to any Azure Storage account. |
5169

5270
## Assign Azure roles for access rights
5371

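Review bot: the sentence "The resource ID for Azure Storage is the same for all public and sovereign clouds" conflicts with the first table row, which hardcodes the public-cloud hosts `https://<account>.blob.core.windows.net` and `https://<account>.queue.core.windows.net`; sovereign clouds use their own storage DNS suffixes, so either restrict that sentence to `https://storage.azure.com/` or state that the account-scoped value takes the endpoint of whichever cloud the account lives in. Two smaller points on the table: the rows are inconsistent about the trailing slash (`https://storage.azure.com/` has one, the account endpoints do not), and since the text says the resource ID sets the audience the issued token is valid for, the table should say whether the slash is significant; and because a token for `https://storage.azure.com/` is valid for any storage account, one sentence recommending the account-scoped value when an application only needs a single account would make the least-privilege choice explicit. The deleted REST-version sentence at the end of this hunk reappears unchanged in the last hunk, so no content is lost.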
@@ -125,6 +143,8 @@ Azure CLI and PowerShell support signing in with Azure AD credentials. After you
125143

126144
[!INCLUDE [Blob Storage feature support in Azure Storage accounts](../../../includes/azure-storage-feature-support.md)]
127145

146+
Authorizing blob data operations with Azure AD is supported only for REST API versions 2017-11-09 and later. For more information, see [Versioning for the Azure Storage services](/rest/api/storageservices/versioning-for-the-azure-storage-services#specifying-service-versions-in-requests).
147+
128148
## Next steps
129149

130150
- [Authorize access to data in Azure Storage](../common/authorize-data-access.md)
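Review bot: the relocated sentence about REST API versions 2017-11-09 and later is identical to the line deleted in the previous hunk, so the move loses nothing; it now sits after the feature-support include rather than in the client-library discussion, which reads fine since the version requirement applies to the REST API regardless of the client used. One style point: the added blank line after the sentence plus the existing blank line leaves two consecutive blank lines before `## Next steps`; drop one.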
