Use Microsoft Entra ID to authorize access in application code

To authorize access to Azure Storage with Microsoft Entra ID, you can use one of the following client libraries to acquire an OAuth 2.0 token:

  • The Azure Identity client library is recommended for most development scenarios.
  • The Microsoft Authentication Library (MSAL) may be suitable for certain advanced scenarios.

Azure Identity client library

The Azure Identity client library simplifies the process of getting an OAuth 2.0 access token for authorization with Microsoft Entra ID via the Azure SDK. The latest versions of the Azure Storage client libraries for .NET, Java, Python, JavaScript, and Go integrate with the Azure Identity libraries for each of those languages to provide a simple and secure means to acquire an access token for authorization of Azure Storage requests.

An advantage of the Azure Identity client library is that it enables you to use the same code to acquire the access token whether your application is running in the development environment or in Azure. The Azure Identity client library returns an access token for a security principal. When your code is running in Azure, the security principal may be a managed identity for Azure resources, a service principal, or a user or group. In the development environment, the client library provides an access token for either a user or a service principal for testing purposes.

The access token returned by the Azure Identity client library is encapsulated in a token credential. You can then use the token credential to get a service client object to use in performing authorized operations against Azure Storage. A simple way to get the access token and token credential is to use the DefaultAzureCredential class that is provided by the Azure Identity client library. DefaultAzureCredential attempts to get the token credential by sequentially trying several different credential types. DefaultAzureCredential works in both the development environment and in Azure.

The following table points to additional information for authorizing access to data in various scenarios:


Language.NETJavaJavaScriptPythonGo
Overview of auth with Microsoft Entra IDHow to authenticate .NET applications with Azure servicesAzure authentication with Java and Azure IdentityAuthenticate JavaScript apps to Azure using the Azure SDKAuthenticate Python apps to Azure using the Azure SDKN/A
Auth using developer service principalsAuthenticate .NET apps to Azure services during local development using service principalsAzure authentication with service principalAuth JS apps to Azure services with service principalAuthenticate Python apps to Azure services during local development using service principalsAzure SDK for Go authentication with a service principal
Auth using developer or user accountsAuthenticate .NET apps to Azure services during local development using developer accountsAzure authentication with user credentialsAuth JS apps to Azure services with dev accountsAuthenticate Python apps to Azure services during local development using developer accountsAzure authentication with the Azure SDK for Go
Auth from Azure-hosted appsAuthenticating Azure-hosted apps to Azure resources with the Azure SDK for .NETAuthenticate Azure-hosted Java applicationsAuthenticating Azure-hosted JavaScript apps to Azure resources with the Azure SDK for JavaScriptAuthenticating Azure-hosted apps to Azure resources with the Azure SDK for PythonAuthentication with the Azure SDK for Go using a managed identity
Auth from on-premises appsAuthenticate to Azure resources from .NET apps hosted on-premisesN/AAuthenticate on-premises JavaScript apps to Azure resourcesAuthenticate to Azure resources from Python apps hosted on-premisesN/A
Identity client library overviewAzure Identity client library for .NETAzure Identity client library for JavaAzure Identity client library for JavaScriptAzure Identity client library for PythonAzure Identity client library for Go

Microsoft Authentication Library (MSAL)

While Microsoft recommends using the Azure Identity client library when possible, the MSAL library may be appropriate to use in certain advanced scenarios. 

When you use MSAL to acquire an OAuth token for access to Azure Storage, you need to provide a Microsoft Entra resource ID. The Microsoft Entra resource ID indicates the audience for which a token that is issued can be used to provide access to an Azure resource. In the case of Azure Storage, the resource ID may be specific to a single storage account, or it may apply to any storage account.

When you provide a resource ID that is specific to a single storage account and service, the resource ID is used to acquire a token for authorizing requests to the specified account and service only. The following table lists examples of values to use for the resource ID, based on the cloud you're working with. Replace <account-name> with the name of your storage account.


CloudResource ID
Azure Globalexample: account-name.blob.core.windows.net
Azure Governmentexample: account-name.blob.core.usgovcloudapi.net
Azure China 21Vianetexample: account-name.blob.core.chinacloudapi.cn

You can also provide a resource ID that applies to any storage account, as shown in the following table. This resource ID is the same for all public and sovereign clouds, and is used to acquire a token for authorizing requests to any storage account.


CloudResource ID
Azure Global
Azure Government
Azure China 21Vianet
example: storage.azure.com


microsoft windows server certification training courses malaysia

Comments

Post a Comment

Popular posts from this blog

Azure built-in roles for tables

Azure RBAC provides built-in roles for authorizing access to table data using Microsoft Entra ID and OAuth. Built-in roles that provide permissions to tables in Azure Storage include: Storage Table Data Contributor: Use to grant read/write/delete permissions to Table storage resources. Storage Table Data Reader: Use to grant read-only permissions to Table storage resources. To learn how to assign an Azure built-in role to a security principal, see Assign an Azure role for access to table data. To learn how to list Azure RBAC roles and their permissions, see List Azure role definitions. For more information about how built-in roles are defined for Azure Storage, see Understand role definitions. For information about creating Azure custom roles, see Azure custom roles. Only roles explicitly defined for data access permit a security principal to access table data. Built-in roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage acc...
Read more

Explore Dataflows Gen2 in Microsoft Fabric

  In Microsoft Fabric, you can create a Dataflow Gen2 in the Data Factory workload or Power BI workspace, or directly in the lakehouse. Since our scenario is focused on data ingestion, let's look at the  Data Factory  workload experience. Dataflows Gen2 use Power Query Online to visualize transformations.  1. Power Query ribbon Dataflows Gen2 support a wide variety of data source connectors. Common sources include cloud and on-premises relational databases, Excel or flat files, SharePoint, SalesForce, Spark, and Fabric lakehouses. Then there are numerous data transformations possible, such as: Filter and Sort rows Pivot and Unpivot Merge and Append queries Split and Conditional split Replace values and Remove duplicates Add, Rename, Reorder, or Delete columns Rank and Percentage calculator Choose Top N and Bottom N You can also create and manage data source connections, manage parameters, and configure the default data destination in this ribbon. 2. Queries pane The ...
Read more

Select and configure an appropriate method for access to Azure Blobs

Azure Storage supports using Microsoft Entra ID to authorize requests to blob data. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Microsoft Entra ID to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service. Authorization with Microsoft Entra ID is available for all general-purpose and Blob storage accounts in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Microsoft Entra authorization. For optimal security, Microsoft recommends using Microsoft Entra ID with managed identities to authorize requests against blob, queue, and table data, whenever possible. Authorization with Microsoft Entra ID and managed identities provides superior security and ease of use over Shared Key author...
Read more