Blob Storage Static Website access in browser behind Entra ID auth?

olj5ovr 0 Reputation points
2025-02-27T11:49:43.02+00:00

Hi, so currently I need to host some doxygen documentation that is generated in Azure DevOps pipelines. That documentation should only be available to selected users/groups from Entra ID. I thought it was a simple process of just putting the blob storage open to the internet and assigning a role to limit viewing, but the website still is available to everyone. Tried using the normal containers, but if I give anonymous blob access to them, everyone can access too.

Also, I would like to use the Entra ID system, not the SAS keys, and I know that Storage Explorer would limit the users, but this is supposed to be a website that anyone can access, where users are limited to viewing certain files by Entra ID / role-based access; that was my idea.

How can I achieve this? How can I limit the users that check these URLs in the browser?

Example:
project1.html -> only accessible to group1
project2.html -> only accessible to group2
project3.html -> only accessible to group1 and group2


    Siva Nair 410 Reputation points Microsoft Vendor
    2025-02-27T15:18:03.1633333+00:00

    Hi João Pedro Tavares Oliveira,

    Welcome to Microsoft Q&A.

    Let's work on limiting the users:

    1. Set the Blob Storage container to Private to prevent anonymous access. This ensures all requests must be authenticated.
    2. Create an Azure Function or App Service to act as a proxy. Authenticate users via Entra ID. Check the user’s Entra ID group membership using Microsoft Graph API. Authorize access to specific files based on group membership. Generate short-lived User Delegation SAS Tokens to securely access the files.
    3. Register an App in Entra ID for your proxy. Assign API permissions like GroupMember.Read.All. Implement authentication (if using frontend) or EasyAuth (in Azure App Service).
    4. In the proxy, map group IDs to file paths. For example: Allow group1 to access project1.html. Allow group2 to access project2.html. Check the user's groups before generating the SAS token.
    5. If the user is authorized: Generate a short-lived SAS token using the User Delegation Key. Redirect the user to the Blob URL with the SAS token appended.
    6. To enforce authentication globally, use Azure Front Door or Application Gateway in front of the proxy to require Entra ID login before reaching the Blob Storage.

    Please refer to the links below for reference:

    https://learn.microsoft.com/en-us/azure/static-web-apps/add-authentication

    https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-authorization

    https://learn.microsoft.com/en-us/azure/static-web-apps/configuration

    If you need any further assistance, do let me know.

    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who face a similar issue may benefit from it.

    1 person found this answer helpful.
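As an added example (not code from the answer above or from any Microsoft sample), the Python below shows the authorization core of step 4: reading the caller's group claims from an App Service EasyAuth principal header, mapping each file to the groups allowed to see it, normalizing the requested path, and denying by default. The header layout, the group GUIDs and the file list are assumptions and placeholders; the user delegation SAS step (step 5, via the azure-storage-blob SDK) that would follow an allowed decision is not included because it needs a live storage account.

```python
import base64
import json
import posixpath
from typing import Optional, Set

# Constructed policy: file path -> Entra ID group object IDs allowed to view it.
# The GUIDs are placeholders for this example, not values from any real tenant.
GROUP1 = "11111111-1111-1111-1111-111111111111"
GROUP2 = "22222222-2222-2222-2222-222222222222"
POLICY = {
    "project1.html": {GROUP1},
    "project2.html": {GROUP2},
    "project3.html": {GROUP1, GROUP2},
}

def groups_from_principal(header_value: str) -> Set[str]:
    """Return the 'groups' claim values carried in an App Service EasyAuth
    X-MS-CLIENT-PRINCIPAL header (assumed to be base64-encoded JSON with a
    'claims' list of {"typ": ..., "val": ...} objects)."""
    principal = json.loads(base64.b64decode(header_value))
    return {c["val"] for c in principal.get("claims", []) if c.get("typ") == "groups"}

def normalize_path(requested: str) -> Optional[str]:
    """Collapse '.'/'..' segments relative to the container root so that
    '/docs/../project1.html' and '../project1.html' both resolve to
    'project1.html'; an empty result (the root itself) is rejected."""
    cleaned = posixpath.normpath("/" + requested.lstrip("/")).lstrip("/")
    return cleaned or None

def is_authorized(requested: str, user_groups: Set[str]) -> bool:
    """Deny by default: the normalized path must appear in POLICY and the
    user must belong to at least one of the groups listed for it."""
    path = normalize_path(requested)
    if path is None:
        return False
    allowed = POLICY.get(path, set())
    return bool(user_groups & allowed)

def make_principal(groups: list) -> str:
    """Build a constructed EasyAuth-style header value for local testing."""
    doc = {"auth_typ": "aad", "claims": [{"typ": "groups", "val": g} for g in groups]}
    return base64.b64encode(json.dumps(doc).encode()).decode()

if __name__ == "__main__":
    hdr = make_principal([GROUP2])
    for f in ("project1.html", "project2.html", "project3.html", "secret.html"):
        print(f, "allowed" if is_authorized(f, groups_from_principal(hdr)) else "denied")
```

Only when `is_authorized` returns True would the proxy mint the short-lived user delegation SAS and redirect; a denied request should get a 403 rather than a generic storage error so the gap is visible in logs.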
