{"id":3484,"date":"2025-09-10T11:24:47","date_gmt":"2025-09-10T18:24:47","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/azure-sdk\/?p=3484"},"modified":"2025-09-10T11:24:47","modified_gmt":"2025-09-10T18:24:47","slug":"azure-storage-apis-gain-entra-id-and-rbac-support","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azure-sdk\/azure-storage-apis-gain-entra-id-and-rbac-support\/","title":{"rendered":"Azure Storage APIs gain Entra ID and RBAC support"},"content":{"rendered":"<h3>API Updates<\/h3>\n<p>To align with security best practices, Microsoft Entra ID and RBAC (role-based access control) support is now generally available for the following Azure Storage data plane APIs:<\/p>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/rest\/api\/storageservices\/get-account-information?tabs=microsoft-entra-id#authorization\">Get Account Information<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/rest\/api\/storageservices\/get-container-acl?tabs=microsoft-entra-id#authorization\">Get Container ACL<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/rest\/api\/storageservices\/set-container-acl?tabs=microsoft-entra-id#authorization\">Set Container ACL<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/rest\/api\/storageservices\/get-queue-acl?tabs=microsoft-entra-id#authorization\">Get Queue ACL<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/rest\/api\/storageservices\/set-queue-acl?tabs=microsoft-entra-id#authorization\">Set Queue ACL<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/rest\/api\/storageservices\/get-table-acl?tabs=microsoft-entra-id#authorization\">Get Table ACL<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/rest\/api\/storageservices\/set-table-acl?tabs=microsoft-entra-id#authorization\">Set Table ACL<\/a><\/li>\n<\/ul>\n<p>To learn more, see <a 
href=\"https:\/\/learn.microsoft.com\/rest\/api\/storageservices\/authorize-with-azure-active-directory#permissions-for-blob-service-operations\">Authorize with Microsoft Entra ID (REST API) &#8211; Azure Storage<\/a>.<\/p>\n<p>These APIs now support OAuth 2.0-based authentication via Microsoft Entra ID with Azure Storage. As part of this enhancement, the REST API responses for unauthorized access were changed.<\/p>\n<p>Previously, if you tried to use these APIs with OAuth, we returned an HTTP 404 status code. Now, if you use these APIs with OAuth but don&#8217;t have the right permissions (for example, Get Account Information requires Azure RBAC action <code>Microsoft.Storage\/storageAccounts\/blobServices\/getInfo\/action<\/code>), we return an HTTP 403 status code (unauthorized access). If you send an anonymous request for <a href=\"https:\/\/learn.microsoft.com\/rest\/api\/storageservices\/authorize-with-azure-active-directory#bearer-challenge\">bearer challenge<\/a>, we return an HTTP 401 status code, which is the same behavior as with the other APIs.<\/p>\n<p>If you took a dependency on an HTTP 404 error code for these operations, we recommend that you change your application code to support both 404 and 403 error codes. The best practice for checking unsupported APIs isn&#8217;t to take a dependency on error codes, but to refer to <a href=\"https:\/\/learn.microsoft.com\/rest\/api\/storageservices\/authorize-with-azure-active-directory\">Authorize with Microsoft Entra ID (REST API) &#8211; Azure Storage<\/a>.<\/p>\n<h3>Why You Should Default to OAuth<\/h3>\n<p>You should use OAuth as the default authentication method because it aligns with security best practices and provides a more secure and scalable way to manage access to resources. 
OAuth offers several advantages over SAS (Shared Access Signature) and account key authentication methods.<\/p>\n<p>OAuth provides token-based authentication, which allows for more granular access control and better security management. Tokens can be scoped to specific permissions and have expiration times, reducing the risk of long-term exposure of sensitive credentials. In contrast, SAS and account key methods rely on static keys that can be more vulnerable to unauthorized access and misuse. OAuth supports modern authentication protocols and integrates seamlessly with various identity providers, making it easier to implement and manage across different platforms and applications. It also allows for full auditability and monitoring for storage access governance. Learn more at <a href=\"https:\/\/www.microsoft.com\/security\/business\/security-101\/what-is-oauth?\">What Is OAuth? | Microsoft Security<\/a>.<\/p>\n<p>The Azure Identity library&#8217;s <code>DefaultAzureCredential<\/code> API further simplifies OAuth usage by providing a unified way to authenticate across different environments. 
It automatically handles the authentication flow, making it easier for you to integrate OAuth into your applications without having to manage multiple credential types.<\/p>\n<h3>Example Code Snippet for .NET<\/h3>\n<p>Here&#8217;s a short snippet demonstrating how to use the Azure Identity library&#8217;s <code>DefaultAzureCredential<\/code> API to authenticate and access Azure Storage APIs like Get Account Information:<\/p>\n<pre><code class=\"language-csharp\">using System;\r\nusing Azure.Identity;\r\nusing Azure.Storage.Blobs;\r\n\r\n\/\/ DefaultAzureCredential acquires a Microsoft Entra ID (OAuth 2.0) token; no account key or SAS is used.\r\nvar credential = new DefaultAzureCredential();\r\n\/\/ Replace &lt;account-name&gt; with your storage account name.\r\nvar blobServiceClient = new BlobServiceClient(new Uri(\"https:\/\/&lt;account-name&gt;.blob.core.windows.net\"), credential);\r\n\r\n\/\/ Example: Get Account Information. Requires the RBAC action\r\n\/\/ Microsoft.Storage\/storageAccounts\/blobServices\/getInfo\/action; a caller without it now receives HTTP 403 rather than the previous 404.\r\n\/\/ GetAccountInfo returns Response&lt;AccountInfo&gt;, so unwrap .Value before reading the properties.\r\nvar accountInfo = blobServiceClient.GetAccountInfo().Value;\r\nConsole.WriteLine($\"Account Kind: {accountInfo.AccountKind}, SKU: {accountInfo.SkuName}\");<\/code><\/pre>\n<h3>Conclusion<\/h3>\n<p>The support for Microsoft Entra ID and RBAC brings these APIs in line with security best practices. We recommend you use OAuth with these APIs to attain more secure and scalable access management.<\/p>\n<h3>Resources<\/h3>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/rest\/api\/storageservices\/authorize-with-azure-active-directory#permissions-for-blob-service-operations\">Authorize with Microsoft Entra ID (REST API) &#8211; Azure Storage<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/business\/security-101\/what-is-oauth?\">What Is OAuth? | Microsoft Security<\/a><\/li>\n<\/ul>\n<h3>Help and Support<\/h3>\n<p>If you have questions, get answers from community experts in <a href=\"https:\/\/learn.microsoft.com\/answers\/tags\/125\/azure-blob-storage\">Microsoft Q&amp;A<\/a>. 
If you have a support plan and you need technical help, create a <a href=\"https:\/\/portal.azure.com\/#blade\/Microsoft_Azure_Support\/HelpAndSupportBlade\/newsupportrequest\">support request<\/a>:<\/p>\n<ul>\n<li>For Issue type, select Technical.<\/li>\n<li>For Subscription, select your subscription.<\/li>\n<li>For Service, select My services.<\/li>\n<li>For Service type, select the applicable service: either Blob Storage, Queue Storage, or Table Storage.<\/li>\n<li>For Resource, select the Azure resource you&#8217;re creating a support request for.<\/li>\n<li>For Summary, type a description of your issue.<\/li>\n<li>For Problem type, select Authentication and Authorization.<\/li>\n<li>For Problem subtype, select Issues using Azure AD (RBAC, ABAC, &amp; OAuth).<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>To align with security best practices, Microsoft Entra ID and RBAC support is now generally available for several Azure Storage data plane APIs.<\/p>\n","protected":false},"author":195644,"featured_media":3487,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[701,732,738],"class_list":["post-3484","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-sdk","tag-net","tag-release","tag-storage"],"acf":[],"blog_post_summary":"<p>To align with security best practices, Microsoft Entra ID and RBAC support is now generally available for several Azure Storage data plane 
APIs.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/posts\/3484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/users\/195644"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/comments?post=3484"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/posts\/3484\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/media\/3487"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/media?parent=3484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/categories?post=3484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/tags?post=3484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}