Commit 816f3a0

Merge pull request #294191 from pauljewellmsft/auth-portal-images
Update auth options article screenshots/descriptions
2 parents db77002 + 7020989 commit 816f3a0

14 files changed

+40
-59
lines changed

articles/storage/blobs/authorize-data-operations-portal.md

Lines changed: 15 additions & 33 deletions
@@ -6,34 +6,33 @@ author: pauljewellmsft
66
ms.author: pauljewell
77
ms.service: azure-blob-storage
88
ms.topic: how-to
9-
ms.date: 12/10/2021
10-
9+
ms.date: 02/06/2025
1110
ms.reviewer: nachakra
1211
---
1312

1413
# Choose how to authorize access to blob data in the Azure portal
1514

1615
When you access blob data using the [Azure portal](https://portal.azure.com), the portal makes requests to Azure Storage under the covers. A request to Azure Storage can be authorized using either your Microsoft Entra account or the storage account access key. The portal indicates which method you're using, and enables you to switch between the two if you have the appropriate permissions.
1716

18-
You can also specify how to authorize an individual blob upload operation in the Azure portal. By default the portal uses whichever method you're already using to authorize a blob upload operation, but you have the option to change this setting when you upload a blob.
19-
2017
## Permissions needed to access blob data
2118

2219
Depending on how you want to authorize access to blob data in the Azure portal, you need specific permissions. In most cases, these permissions are provided via Azure role-based access control (Azure RBAC). For more information about Azure RBAC, see [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md).
2320

2421
### Use the account access key
2522

26-
To access blob data with the account access key, you must have an Azure role assigned to you that includes the Azure RBAC action **Microsoft.Storage/storageAccounts/listkeys/action**. This Azure role can be a built-in or a custom role. Built-in roles that support **Microsoft.Storage/storageAccounts/listkeys/action** include the following, in order from least to greatest permissions:
23+
To access blob data with the account access key, you must have an Azure role assigned to you that includes the Azure RBAC action **Microsoft.Storage/storageAccounts/listkeys/action**. This Azure role can be a built-in or a custom role.
24+
25+
The following built-in roles, listed from least to greatest permissions, support **Microsoft.Storage/storageAccounts/listkeys/action**:
2726

28-
- The [Reader and Data Access](../../role-based-access-control/built-in-roles.md#reader-and-data-access) role
29-
- The [Storage Account Contributor role](../../role-based-access-control/built-in-roles.md#storage-account-contributor)
30-
- The Azure Resource Manager [Contributor role](../../role-based-access-control/built-in-roles.md#contributor)
31-
- The Azure Resource Manager [Owner role](../../role-based-access-control/built-in-roles.md#owner)
27+
- [Reader and Data Access](../../role-based-access-control/built-in-roles.md#reader-and-data-access)
28+
- [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor)
29+
- Azure Resource Manager [Contributor](../../role-based-access-control/built-in-roles.md#contributor)
30+
- Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner)
3231

3332
When you attempt to access blob data in the Azure portal, the portal first checks whether you have been assigned a role with **Microsoft.Storage/storageAccounts/listkeys/action**. If you have been assigned a role with this action, then the portal uses the account key for accessing blob data. If you haven't been assigned a role with this action, then the portal attempts to access data using your Microsoft Entra account.
3433

3534
> [!IMPORTANT]
36-
> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation is not permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users must use Microsoft Entra credentials to access blob data in the portal. For information about accessing blob data in the portal with Microsoft Entra ID, see [Use your Microsoft Entra account](#use-your-azure-ad-account).
35+
> When a storage account is locked with an Azure Resource Manager **ReadOnly** lock, the [List Keys](/rest/api/storagerp/storageaccounts/listkeys) operation isn't permitted for that storage account. **List Keys** is a POST operation, and all POST operations are prevented when a **ReadOnly** lock is configured for the account. For this reason, when the account is locked with a **ReadOnly** lock, users must use Microsoft Entra credentials to access blob data in the portal. For information about accessing blob data in the portal with Microsoft Entra ID, see [Use your Microsoft Entra account](#use-your-azure-ad-account).
3736
3837
> [!NOTE]
3938
> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, including the **Microsoft.Storage/storageAccounts/listkeys/action**, so a user with one of these administrative roles can also access blob data with the account key. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).
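Review bot: On the edited IMPORTANT note (new line 35), the link still targets `#use-your-azure-ad-account` while its text reads "Use your Microsoft Entra account". Please confirm that anchor still resolves in this file; the sections visible further down keep explicit `<a name='...'>` tags for the old Azure AD slugs, so this target needs the same kind of tag to survive. Minor style point in the role list: after dropping "The ... role", two bullets are bare role names and two carry an "Azure Resource Manager" prefix, so pick one form.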
@@ -44,8 +43,8 @@ When you attempt to access blob data in the Azure portal, the portal first check
4443

4544
To access blob data from the Azure portal using your Microsoft Entra account, both of the following statements must be true for you:
4645

47-
- You are assigned either a built-in or custom role that provides access to blob data.
48-
- You are assigned the Azure Resource Manager [Reader](../../role-based-access-control/built-in-roles.md#reader) role, at a minimum, scoped to the level of the storage account or higher. The **Reader** role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable.
46+
- You're assigned either a built-in or custom role that provides access to blob data.
47+
- You're assigned the Azure Resource Manager [Reader](../../role-based-access-control/built-in-roles.md#reader) role, at a minimum, scoped to the level of the storage account or higher. The **Reader** role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable.
4948

5049
The Azure Resource Manager **Reader** role permits users to view storage account resources, but not modify them. It doesn't provide read permissions to data in Azure Storage, but only to account management resources. The **Reader** role is necessary so that users can navigate to blob containers in the Azure portal.
5150

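Review bot: The second bullet (new line 47) still says "another Azure Resource Manager role that grants access to storage account management resources is also acceptable", but the earlier section states that the portal uses the account key whenever an assigned role includes Microsoft.Storage/storageAccounts/listkeys/action, and Contributor and Owner are on that list. A reader who picks one of those roles instead of Reader ends up on key-based access rather than Microsoft Entra authorization when they open the container. Suggest calling that out in this bullet, or recommending Reader explicitly when the goal is Entra-only access.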
@@ -69,11 +68,9 @@ If you're authenticating using the account access key, you see **Access Key** sp
6968

7069
:::image type="content" source="media/authorize-data-operations-portal/auth-method-access-key.png" alt-text="Screenshot showing user currently accessing containers with the account key":::
7170

72-
To switch to using Microsoft Entra account, select the link highlighted in the image. If you have the appropriate permissions via the Azure roles that are assigned to you, you're able to proceed. However, if you lack the right permissions, you see an error message like the following one:
71+
If you want to switch to use the Microsoft Entra account, select the link highlighted in the image. If you have the appropriate permissions via the Azure roles that are assigned to you, you're able to proceed. If you don't have the right permissions, you see an error message and no blobs appear in the list.
7372

74-
:::image type="content" source="media/authorize-data-operations-portal/auth-error-azure-ad.png" alt-text="Error shown if Microsoft Entra account does not support access":::
75-
76-
Notice that no blobs appear in the list if your Microsoft Entra account lacks permissions to view them. Select the **Switch to access key** link to use the access key for authentication again.
73+
Select the **Switch to access key** link to use the access key for authentication again.
7774

7875
<a name='authenticate-with-your-azure-ad-account'></a>
7976

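Review bot: At new lines 71-73, with the error screenshot and the "Notice that no blobs appear in the list..." sentence removed, "Select the **Switch to access key** link..." no longer reads as the recovery step for a failed switch; it stands as its own paragraph with nothing tying it to the error. Suggest folding it into the preceding sentence, for example "If that happens, select the **Switch to access key** link to return to key-based access." Since the image is gone, a few words on what the error message says would also help readers recognize it.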
@@ -83,24 +80,9 @@ If you're authenticating using your Microsoft Entra account, you see **Microsoft
8380

8481
:::image type="content" source="media/authorize-data-operations-portal/auth-method-azure-ad.png" alt-text="Screenshot showing user currently accessing containers with Microsoft Entra account":::
8582

86-
To switch to using the account access key, select the link highlighted in the image. If you have access to the account key, then you're able to proceed. However, if you lack access to the account key, you see an error message like the following one:
87-
88-
:::image type="content" source="media/authorize-data-operations-portal/auth-error-access-key.png" alt-text="Error shown if you do not have access to account key":::
89-
90-
Notice that no blobs appear in the list if you don't have access to the account keys. Select the **Switch to Microsoft Entra user Account** link to use your Microsoft Entra account for authentication again.
91-
92-
## Specify how to authorize a blob upload operation
93-
94-
When you upload a blob from the Azure portal, you can specify whether to authenticate and authorize that operation with the account access key or with your Microsoft Entra credentials. By default, the portal uses the current authentication method, as shown in [Determine the current authentication method](#determine-the-current-authentication-method).
95-
96-
To specify how to authorize a blob upload operation, follow these steps:
97-
98-
1. In the Azure portal, navigate to the container where you wish to upload a blob.
99-
1. Select the **Upload** button.
100-
1. Expand the **Advanced** section to display the advanced properties for the blob.
101-
1. In the **Authentication Type** field, indicate whether you want to authorize the upload operation by using your Microsoft Entra account or with the account access key, as shown in the following image:
83+
If you want to switch to use the account access key, select the link highlighted in the image. If you have access to the account key, then you're able to proceed. If you don't have access to the account key, you see an error message and no blobs appear in the list.
10284

103-
:::image type="content" source="media/authorize-data-operations-portal/auth-blob-upload.png" alt-text="Screenshot showing how to change authorization method on blob upload":::
85+
Select the **Switch to Microsoft Entra user account** link to use your Microsoft Entra account for authentication again.
10486

10587
<a name='default-to-azure-ad-authorization-in-the-azure-portal'></a>
10688

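Review bot: Removing the "## Specify how to authorize a blob upload operation" heading (old line 92) also removes its anchor, and unlike the sections that keep explicit `<a name='...'>` tags, nothing is left behind for existing links to land on. Please check for inbound links to that heading from other articles before merging. Separately, the bold link label changes from "user Account" to "user account" at new line 85; because it is quoted UI text, it should match the portal's casing exactly.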