API Updates
To align with security best practices, Microsoft Entra ID and RBAC (role-based access control) support is now generally available for the following Azure Storage data plane APIs:
- Get Account Information
- Get Container ACL
- Set Container ACL
- Get Queue ACL
- Set Queue ACL
- Get Table ACL
- Set Table ACL
To learn more, see Authorize with Microsoft Entra ID (REST API) – Azure Storage.
These APIs now support OAuth 2.0-based authentication via Microsoft Entra ID with Azure Storage. As part of this enhancement, the REST API responses for unauthorized access were changed.
Previously, calling these APIs with an OAuth bearer token returned HTTP 404 (Not Found). Now, a request that carries a valid bearer token but lacks the required permission (for example, Get Account Information requires the Azure RBAC action Microsoft.Storage/storageAccounts/blobServices/getInfo/action) returns HTTP 403 (Forbidden). An anonymous request returns HTTP 401 (Unauthorized) together with a bearer challenge in the WWW-Authenticate header, which is the same behavior as the other Azure Storage APIs.
If you took a dependency on an HTTP 404 status code for these operations, we recommend that you change your application code to handle both 404 and 403. Don't probe whether an API supports OAuth by looking at status codes; instead, refer to Authorize with Microsoft Entra ID (REST API) – Azure Storage.
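As an added example (not code from the original post), the following Python shows how a client calling the REST API directly can handle the three outcomes described above: the 401 bearer challenge, the 403 for a missing RBAC action, and the legacy 404 that the post recommends handling alongside 403. The response bodies, headers and tenant ID are constructed placeholders in the Azure Storage XML error format, not captured traffic, and the only operation-to-action mapping it knows is the one the post states for Get Account Information.

```python
"""Handle the authorization outcomes the post describes for the OAuth-enabled
ACL and Get Account Information operations: 401 bearer challenge, 403 missing
RBAC action, and the legacy 404 that older behaviour returned for OAuth calls."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

# Only mapping the post states; look up others in the Azure Storage RBAC docs.
REQUIRED_ACTIONS = {
    "GetAccountInfo": "Microsoft.Storage/storageAccounts/blobServices/getInfo/action",
}


@dataclass
class StorageResponse:
    """Minimal view of an HTTP response from the Storage REST API."""
    status: int
    headers: Dict[str, str]
    body: str = ""


@dataclass
class AuthzOutcome:
    kind: str                              # ok | needs_token | missing_rbac | legacy_oauth_or_not_found | other
    storage_error: Optional[str] = None    # <Code> from the XML error body, if present
    authorization_uri: Optional[str] = None
    resource_id: Optional[str] = None
    required_action: Optional[str] = None


def parse_storage_error(body: str) -> Optional[str]:
    """Return the <Code> of an Azure Storage XML error body, or None."""
    if not body.strip():
        return None
    try:
        code = ET.fromstring(body).find("Code")
    except ET.ParseError:
        return None
    return code.text if code is not None else None


def parse_bearer_challenge(header: Optional[str]) -> Dict[str, str]:
    """Parse a 'Bearer k=v k="v"' WWW-Authenticate value into a dict."""
    if not header or not header.lower().startswith("bearer"):
        return {}
    params = header[len("Bearer"):]
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)}


def classify(op: str, resp: StorageResponse, sent_bearer_token: bool) -> AuthzOutcome:
    """Map the response for operation `op` to an actionable outcome."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    code = parse_storage_error(resp.body)
    if 200 <= resp.status < 300:
        return AuthzOutcome("ok")
    if resp.status == 401:
        # Anonymous request: the challenge names the authority and resource to get a token for.
        ch = parse_bearer_challenge(headers.get("www-authenticate"))
        return AuthzOutcome("needs_token", code, ch.get("authorization_uri"), ch.get("resource_id"))
    if resp.status == 403:
        # Token was accepted, but the principal lacks the data-plane RBAC action.
        return AuthzOutcome("missing_rbac", code, required_action=REQUIRED_ACTIONS.get(op))
    if resp.status == 404 and sent_bearer_token:
        # Pre-change behaviour returned 404 for OAuth on these operations; treat it like 403,
        # but remember that 404 can also mean the container/queue/table does not exist.
        return AuthzOutcome("legacy_oauth_or_not_found", code, required_action=REQUIRED_ACTIONS.get(op))
    return AuthzOutcome("other", code)


# Constructed sample responses (placeholder tenant ID, not captured traffic).
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLES = {
    "anonymous": (StorageResponse(401, {
        "WWW-Authenticate": f"Bearer authorization_uri=https://login.microsoftonline.com/{TENANT}/oauth2/authorize resource_id=https://storage.azure.com"},
        "<Error><Code>NoAuthenticationInformation</Code><Message>Server failed to authenticate the request.</Message></Error>"), False),
    "no_rbac": (StorageResponse(403, {"x-ms-error-code": "AuthorizationPermissionMismatch"},
        "<Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.</Message></Error>"), True),
    "legacy": (StorageResponse(404, {},
        "<Error><Code>ResourceNotFound</Code><Message>The specified resource does not exist.</Message></Error>"), True),
    "granted": (StorageResponse(200, {"x-ms-account-kind": "StorageV2", "x-ms-sku-name": "Standard_LRS"}), True),
}


def run_samples() -> Dict[str, AuthzOutcome]:
    """Classify every constructed sample as a Get Account Information call."""
    return {name: classify("GetAccountInfo", resp, sent) for name, (resp, sent) in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:10} -> {outcome.kind} ({outcome.storage_error})")
```

The split between `needs_token` and `missing_rbac` is the one that matters operationally: the first is fixed by acquiring a token for the `resource_id` in the challenge, the second by a role assignment, and no amount of retrying turns one into the other.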
Why You Should Default to OAuth
You should use OAuth as the default authentication method because it aligns with security best practices and offers a more secure and scalable way to manage access to resources. OAuth has several advantages over SAS (shared access signature) and account key authentication.
OAuth is token-based: a Microsoft Entra ID access token is issued to a specific principal, is scoped to a resource and set of permissions, and expires after a short lifetime, so a leaked token has a limited window of use and the principal's access can be revoked centrally. SAS tokens and account keys, by contrast, are static secrets. An account key grants full control over every service in the account and stays valid until it is rotated, and a SAS signed with that key can only be revoked by rotating the key (or by changing a stored access policy it references). OAuth also uses modern authentication protocols and integrates with standard identity providers, which makes it easier to implement and manage across platforms and applications, and because every request is tied to an identity, storage access can be fully audited and monitored for governance. Learn more at What Is OAuth? | Microsoft Security.
The Azure Identity library's DefaultAzureCredential API further simplifies OAuth usage by providing a unified way to authenticate across different environments. It automatically handles the authentication flow, making it easier for you to integrate OAuth into your applications without having to manage multiple credential types.
Example Code Snippet for .NET
Here's a short snippet demonstrating how to use the Azure Identity library's DefaultAzureCredential API to authenticate and access Azure Storage APIs like Get Account Information:
using System;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

string accountName = "<storage-account-name>"; // replace with your storage account name
// DefaultAzureCredential obtains an Entra ID token from the environment, managed identity, Azure CLI, etc.
var credential = new DefaultAzureCredential();
var blobServiceClient = new BlobServiceClient(new Uri($"https://{accountName}.blob.core.windows.net"), credential);

// Example: Get Account Information (requires RBAC action Microsoft.Storage/storageAccounts/blobServices/getInfo/action)
AccountInfo accountInfo = blobServiceClient.GetAccountInfo().Value; // GetAccountInfo returns Response<AccountInfo>
Console.WriteLine($"Account Kind: {accountInfo.AccountKind}, SKU: {accountInfo.SkuName}");
Conclusion
The support for Microsoft Entra ID and RBAC brings these APIs in line with security best practices. We recommend you use OAuth with these APIs to attain more secure and scalable access management.
Resources
Help and Support
If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request:
- For Issue type, select Technical.
- For Subscription, select your subscription.
- For Service, select My services.
- For Service type, select the applicable service: either Blob Storage, Queue Storage, or Table Storage.
- For Resource, select the Azure resource you’re creating a support request for.
- For Summary, type a description of your issue.
- For Problem type, select Authentication and Authorization.
- For Problem subtype, select Issues using Azure AD (RBAC, ABAC, & OAuth).