Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
3,020 questions
How to use Azure App Service Auth in web app to control blob access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 38%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECW%3C/text%3E%3C/svg%3E)
Chris W
0
Reputation points
Hi, hoping someone can help me with some gaps in my understanding of how to use the azure app service authentication component. I'm trying to write a simple web app (in this case python) that allows a user to login, chose a container and upload a blob. The containers available should be constrained by the signed in users access
What I currently have
My web app is published to Azure and running. The BlobServiceClient is being constructed using DefaultAzureCredential() and so to do this I've enabled system assigned identity in the web app and granted it blob access. At this point, only users assigned to the enterprise app can sign in (great) but the list of containers available and the upload itself are being performed as the managed identity (not great)
I'm sort of confused as to what I need to do to get to my end goal. I've seen a couple of roughly similar scenarios (function apps) using two app registrations and user_impersonation but I didn't fully understand the reasoning or logic. I've also wondered whether I can use AppServiceAuthSession cookie to build the credential for the blob client but my googling hasn't got me that far. I believe I can do this via standard MSAL libraries but I was hoping the Azure auth service would make things even easier.
I should point out I'm primarily a sys admin not a developer
Any guidance much appreciated
Thanks
{count} votes
-
Deleted
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 36%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Shree Hima Bindu Maganti 1,620 Reputation points Microsoft Vendor2025-01-10T17:37:11.2166667+00:00 Hi Chris W
Welcome to the Microsoft Q&A Platform!
To control Azure Blob access in your web app using Azure App Service Authentication, you can leverage Azure AD for authentication and authorization.- Go to App Service > Authentication in the Azure Portal.
- Select Microsoft (Azure AD).
- Use the same Azure AD tenant as your Blob Storage account.
- Add redirect URIs for your app.
- Navigate to Storage Account > Access Control (IAM).
- Storage Blob Data Reader (for read access).
- Storage Blob Data Contributor (for upload access).
- Assign these roles to Azure AD users/groups.
- Modify Your Web App to Use Azure AD Tokens
-
pip install azure-identity azure-storage-blob flask msal - Use MSAL or
AppServiceAuthSessionto retrieve user tokens from Azure AD. - Use the retrieved token to create a
TokenCredentialforBlobServiceClient.
from flask import Flask, request, jsonify from azure.storage.blob import BlobServiceClient from azure.identity import TokenCredential app = Flask(__name__) @app.route("/upload", methods=["POST"]) def upload_blob(): user_token = request.headers.get("Authorization").replace("Bearer ", "") credential = TokenCredential(token=user_token) blob_service_client = BlobServiceClient( account_url="https://<your-storage-account>.blob.core.windows.net", credential=credential ) containers = blob_service_client.list_containers() return jsonify([c.name for c in containers]) if __name__ == "__main__": app.run(debug=True)ref:https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory
Sign in to comment
Sign in to answer