
Commit fceadd9

Merge pull request #190507 from tamram/tamram22-0303
Table RBAC GA
2 parents 2f0a534 + 115190a commit fceadd9

9 files changed: +21 -33 lines changed

articles/storage/blobs/assign-azure-role-data-access.md

Lines changed: 0 additions & 2 deletions
@@ -48,8 +48,6 @@ You can also assign an Azure Resource Manager role that provides additional perm
4848

4949
> [!NOTE]
5050
> Prior to assigning yourself a role for data access, you will be able to access data in your storage account via the Azure portal because the Azure portal can also use the account key for data access. For more information, see [Choose how to authorize access to blob data in the Azure portal](../blobs/authorize-data-operations-portal.md).
51-
>
52-
> The preview version of Storage Explorer in the Azure portal does not support using Azure AD credentials to view and modify blob data. Storage Explorer in the Azure portal always uses the account keys to access data. To use Storage Explorer in the Azure portal, you must be assigned a role that includes **Microsoft.Storage/storageAccounts/listkeys/action**.
5351
5452
# [PowerShell](#tab/powershell)
5553
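Review bot: the two deleted lines of the NOTE (the paragraph saying Storage Explorer in the Azure portal always uses the account keys and requires a role that includes **Microsoft.Storage/storageAccounts/listkeys/action**) are removed with no replacement text, and the commit message ("Table RBAC GA") does not say that blob and queue articles are touched as well. If Storage Explorer in the portal now honors Azure AD credentials, state that in the remaining note so a reader without listkeys/action knows what to expect; if it does not, the deletion drops the only explanation of why portal Storage Explorer can fail after a data-plane role is assigned. The same paragraph is removed in the queue and table articles below, which the commit message should mention.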

articles/storage/blobs/authorize-data-operations-portal.md

Lines changed: 0 additions & 3 deletions
@@ -54,9 +54,6 @@ For information about the built-in roles that support access to blob data, see [
5454

5555
Custom roles can support different combinations of the same permissions provided by the built-in roles. For more information about creating Azure custom roles, see [Azure custom roles](../../role-based-access-control/custom-roles.md) and [Understand role definitions for Azure resources](../../role-based-access-control/role-definitions.md).
5656

57-
> [!NOTE]
58-
> The preview version of Storage Explorer in the Azure portal does not support using Azure AD credentials to view and modify blob data. Storage Explorer in the Azure portal always uses the account keys to access data. To use Storage Explorer in the Azure portal, you must be assigned a role that includes **Microsoft.Storage/storageAccounts/listkeys/action**.
59-
6057
## Navigate to blobs in the Azure portal
6158

6259
To view blob data in the portal, navigate to the **Overview** for your storage account, and click on the links for **Blobs**. Alternatively you can navigate to the **Containers** section in the menu.

articles/storage/common/authorize-data-access.md

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ The following table describes the options that Azure Storage offers for authoriz
2424
| Azure Files (SMB) | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | Not supported | [Supported, only with AAD Domain Services](../files/storage-files-active-directory-overview.md) | [Supported, credentials must be synced to Azure AD](../files/storage-files-active-directory-overview.md) | Not supported |
2525
| Azure Files (REST) | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | Not supported | Not supported | Not supported |
2626
| Azure Queues | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported](../queues/authorize-access-azure-active-directory.md) | Not Supported | Not supported |
27-
| Azure Tables | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported](../tables/authorize-access-azure-active-directory.md) (preview) | Not supported | Not supported |
27+
| Azure Tables | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported](../tables/authorize-access-azure-active-directory.md) | Not supported | Not supported |
2828

2929
Each authorization option is briefly described below:
3030
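Review bot: the edited Azure Tables row now reads like the other rows, but the Azure Queues row directly above it still has "Not Supported" with a capital S while every other cell in the hunk uses "Not supported"; since this table is being touched, normalize that cell in the same change.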

articles/storage/common/identity-library-acquire-token.md

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ When an Azure AD security principal attempts to access data in an Azure Storage
3636

3737
- [Assign an Azure role for access to blob data](../blobs/assign-azure-role-data-access.md)
3838
- [Assign an Azure role for access to queue data](../queues/assign-azure-role-data-access.md)
39-
- [Assign an Azure role for access to table data (preview)](../tables/assign-azure-role-data-access.md)
39+
- [Assign an Azure role for access to table data](../tables/assign-azure-role-data-access.md)
4040

4141
> [!NOTE]
4242
> When you create an Azure Storage account, you are not automatically assigned permissions to access data via Azure AD. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or container, queue, or table.

articles/storage/queues/assign-azure-role-data-access.md

Lines changed: 0 additions & 2 deletions
@@ -49,8 +49,6 @@ You can also assign an Azure Resource Manager role that provides additional perm
4949

5050
> [!NOTE]
5151
> Prior to assigning yourself a role for data access, you will be able to access data in your storage account via the Azure portal because the Azure portal can also use the account key for data access. For more information, see [Choose how to authorize access to queue data in the Azure portal](../queues/authorize-data-operations-portal.md).
52-
>
53-
> The preview version of Storage Explorer in the Azure portal does not support using Azure AD credentials to view and modify queue data. Storage Explorer in the Azure portal always uses the account keys to access data. To use Storage Explorer in the Azure portal, you must be assigned a role that includes **Microsoft.Storage/storageAccounts/listkeys/action**.
5452
5553
# [PowerShell](#tab/powershell)
5654

articles/storage/queues/authorize-data-operations-portal.md

Lines changed: 0 additions & 3 deletions
@@ -52,9 +52,6 @@ For information about the built-in roles that support access to queue data, see
5252

5353
Custom roles can support different combinations of the same permissions provided by the built-in roles. For more information about creating Azure custom roles, see [Azure custom roles](../../role-based-access-control/custom-roles.md) and [Understand role definitions for Azure resources](../../role-based-access-control/role-definitions.md).
5454

55-
> [!NOTE]
56-
> The preview version of Storage Explorer in the Azure portal does not support using Azure AD credentials to view and modify queue data. Storage Explorer in the Azure portal always uses the account keys to access data. To use Storage Explorer in the Azure portal, you must be assigned a role that includes **Microsoft.Storage/storageAccounts/listkeys/action**.
57-
5855
## Navigate to queues in the Azure portal
5956

6057
To view queue data in the portal, navigate to the **Overview** for your storage account, and click on the links for **Queues**. Alternatively you can navigate to the **Queue service** section in the menu.

articles/storage/tables/assign-azure-role-data-access.md

Lines changed: 11 additions & 10 deletions
@@ -1,35 +1,37 @@
11
---
2-
title: Assign an Azure role for access to table data (preview)
2+
title: Assign an Azure role for access to table data
33
titleSuffix: Azure Storage
4-
description: Learn how to assign permissions for table data (preview) to an Azure Active Directory security principal with Azure role-based access control (Azure RBAC). Azure Storage supports built-in and Azure custom roles for authentication and authorization via Azure AD.
4+
description: Learn how to assign permissions for table data to an Azure Active Directory security principal with Azure role-based access control (Azure RBAC). Azure Storage supports built-in and Azure custom roles for authentication and authorization via Azure AD.
55
services: storage
66
author: tamram
77

88
ms.service: storage
99
ms.topic: how-to
10-
ms.date: 07/13/2021
10+
ms.date: 03/03/2022
1111
ms.author: tamram
12-
ms.reviewer: dineshm
12+
ms.reviewer: nachakra
1313
ms.subservice: common
1414
ms.custom: devx-track-azurepowershell, devx-track-azurecli
1515
ms.devlang: azurecli
1616
---
1717

18-
# Assign an Azure role for access to table data (preview)
18+
# Assign an Azure role for access to table data
1919

20-
Azure Active Directory (Azure AD) authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access table data in Azure Storage (preview).
20+
Azure Active Directory (Azure AD) authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access table data in Azure Storage.
2121

2222
When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. An Azure AD security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).
2323

2424
To learn more about using Azure AD to authorize access to table data, see [Authorize access to tables using Azure Active Directory](authorize-access-azure-active-directory.md).
2525

26-
> [!IMPORTANT]
27-
> Authorization with Azure AD for tables is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
28-
2926
## Assign an Azure role
3027

3128
You can use PowerShell, Azure CLI, or an Azure Resource Manager template to assign a role for data access.
3229

30+
> [!IMPORTANT]
31+
> The Azure portal does not currently support assigning an Azure RBAC role that is scoped to the table. To assign a role with table scope, use PowerShell, Azure CLI, or Azure Resource Manager.
32+
>
33+
> You can use the Azure portal to assign a role that grants access to table data to an Azure Resource Manager resource, such as the storage account, resource group, or subscription.
34+
3335
# [PowerShell](#tab/powershell)
3436

3537
To assign an Azure role to a security principal, call the [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) command. The format of the command can differ based on the scope of the assignment. In order to run the command, you must have a role that includes **Microsoft.Authorization/roleAssignments/write** permissions assigned to you at the corresponding scope or above.
@@ -81,7 +83,6 @@ Keep in mind the following points about Azure role assignments in Azure Storage:
8183

8284
- When you create an Azure Storage account, you are not automatically assigned permissions to access data via Azure AD. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or table.
8385
- If the storage account is locked with an Azure Resource Manager read-only lock, then the lock prevents the assignment of Azure roles that are scoped to the storage account or a table.
84-
- The preview version of Storage Explorer in the Azure portal does not support using Azure AD credentials to view and modify table data. Storage Explorer in the Azure portal always uses the account keys to access data. To use Storage Explorer in the Azure portal, you must be assigned a role that includes **Microsoft.Storage/storageAccounts/listkeys/action**.
8586

8687
## Next steps
8788
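Review bot: with the Storage Explorer bullet removed, the "Keep in mind" list still tells the reader a role can be assigned "at the level of your subscription, resource group, storage account, or table" but does not mention the limitation added earlier in this same file, that a table-scoped assignment cannot be made in the Azure portal and needs PowerShell, Azure CLI, or Azure Resource Manager; a short cross-reference in that first bullet would keep the two statements together.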

articles/storage/tables/authorize-access-azure-active-directory.md

Lines changed: 5 additions & 8 deletions
@@ -1,7 +1,7 @@
11
---
2-
title: Authorize access to tables using Active Directory (preview)
2+
title: Authorize access to tables using Active Directory
33
titleSuffix: Azure Storage
4-
description: Authorize access to Azure tables using Azure Active Directory (Azure AD) (preview). Assign Azure roles for access rights. Access data with an Azure AD account.
4+
description: Authorize access to Azure tables using Azure Active Directory (Azure AD). Assign Azure roles for access rights. Access data with an Azure AD account.
55
services: storage
66
author: tamram
77

@@ -12,17 +12,14 @@ ms.author: tamram
1212
ms.subservice: common
1313
---
1414

15-
# Authorize access to tables using Azure Active Directory (preview)
15+
# Authorize access to tables using Azure Active Directory
1616

17-
Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to table data (preview). With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Table service.
17+
Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to table data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Table service.
1818

1919
Authorizing requests against Azure Storage with Azure AD provides superior security and ease of use over Shared Key authorization. Microsoft recommends using Azure AD authorization with your table applications when possible to assure access with minimum required privileges.
2020

2121
Authorization with Azure AD is available for all general-purpose in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Azure AD authorization.
2222

23-
> [!IMPORTANT]
24-
> Authorization with Azure AD for tables is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
25-
2623
## Overview of Azure AD for tables
2724

2825
When a security principal (a user, group, or application) attempts to access a table resource, the request must be authorized. With Azure AD, access to a resource is a two-step process. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. Next, the token is passed as part of a request to the Table service and used by the service to authorize access to the specified resource.
@@ -78,4 +75,4 @@ For details on the permissions required to call specific Table service operation
7875
## Next steps
7976

8077
- [Authorize access to data in Azure Storage](../common/authorize-data-access.md)
81-
- [Assign an Azure role for access to table data](assign-azure-role-data-access.md)
78+
- [Assign an Azure role for access to table data](assign-azure-role-data-access.md)
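Review bot: the removed and added lines in this hunk are textually identical ("- [Assign an Azure role for access to table data](assign-azure-role-data-access.md)"), so the change is whitespace or a trailing-newline difference; if that is intended, fine, otherwise drop it so the diff stays limited to the GA wording changes.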

articles/storage/tables/authorize-managed-identity.md

Lines changed: 3 additions & 3 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Authorize access to table data with a managed identity (preview)
2+
title: Authorize access to table data with a managed identity
33
titleSuffix: Azure Storage
44
description: Use managed identities for Azure resources to authorize table data access from applications running in Azure VMs, function apps, and others.
55
services: storage
@@ -15,7 +15,7 @@ ms.devlang: csharp
1515
ms.custom: devx-track-csharp
1616
---
1717

18-
# Authorize access to table data with managed identities for Azure resources (preview)
18+
# Authorize access to table data with managed identities for Azure resources
1919

2020
Azure Table Storage supports Azure Active Directory (Azure AD) authentication with [managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to table data using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud.
2121

@@ -82,4 +82,4 @@ public static void CreateTable(string accountName, string tableName)
8282
## Next steps
8383

8484
- [Assign an Azure role for access to table data](assign-azure-role-data-access.md)
85-
- [Authorize access to tables using Azure Active Directory (preview)](authorize-access-azure-active-directory.md)
85+
- [Authorize access to tables using Azure Active Directory](authorize-access-azure-active-directory.md)
