How to use Azure App Service Auth in web app to control blob access

Chris W 0 Reputation points
2025-01-03T10:33:55.9233333+00:00

Hi, hoping someone can help me with some gaps in my understanding of how to use the Azure App Service authentication component. I'm trying to write a simple web app (in this case Python) that allows a user to log in, choose a container and upload a blob. The containers available should be constrained by the signed-in user's access.

What I currently have

My web app is published to Azure and running. The BlobServiceClient is being constructed using DefaultAzureCredential(), and so to do this I've enabled system-assigned identity in the web app and granted it blob access. At this point, only users assigned to the enterprise app can sign in (great), but the list of containers available and the upload itself are being performed as the managed identity (not great).

I'm sort of confused as to what I need to do to get to my end goal. I've seen a couple of roughly similar scenarios (function apps) using two app registrations and user_impersonation, but I didn't fully understand the reasoning or logic. I've also wondered whether I can use the AppServiceAuthSession cookie to build the credential for the blob client, but my googling hasn't got me that far. I believe I can do this via standard MSAL libraries, but I was hoping the Azure auth service would make things even easier.

I should point out I'm primarily a sysadmin, not a developer.

Any guidance much appreciated

Thanks

Azure Blob Storage
Azure App Service

1 answer

  1. Shree Hima Bindu Maganti 1,955 Reputation points Microsoft Vendor
    2025-01-10T17:37:11.2166667+00:00

    Hi Chris W
    Welcome to the Microsoft Q&A Platform!
    To control Azure Blob access in your web app using Azure App Service Authentication, you can leverage Azure AD for authentication and authorization.

    • Go to App Service > Authentication in the Azure Portal.
    • Select Microsoft (Azure AD).
    • Use the same Azure AD tenant as your Blob Storage account.
    • Add redirect URIs for your app.
    • Navigate to Storage Account > Access Control (IAM).
    • Assign these roles to Azure AD users/groups:
        • Storage Blob Data Reader (for read access).
        • Storage Blob Data Contributor (for upload access).
    • Modify your web app to use Azure AD tokens:
        • pip install azure-identity azure-storage-blob flask msal
        • Use MSAL or AppServiceAuthSession to retrieve user tokens from Azure AD.
        • Use the retrieved token to create a TokenCredential for BlobServiceClient.
    import time
    from flask import Flask, request, jsonify
    from azure.core.credentials import AccessToken  # azure.identity has no TokenCredential class to instantiate
    from azure.storage.blob import BlobServiceClient
    app = Flask(__name__)

    class BearerTokenCredential:
        # Minimal TokenCredential: hands the SDK the caller's already-issued token.
        def __init__(self, token, expires_on):
            self._token = token
            self._expires_on = expires_on
        def get_token(self, *scopes, **kwargs):
            return AccessToken(self._token, self._expires_on)

    @app.route("/upload", methods=["POST"])
    def upload_blob():
        auth_header = request.headers.get("Authorization", "")
        if not auth_header.startswith("Bearer "):
            return jsonify({"error": "missing bearer token"}), 401
        user_token = auth_header[len("Bearer "):]
        # The token must be issued for Azure Storage (scope https://storage.azure.com/.default), not for
        # this web app; Storage enforces the real expiry, this value only drives the SDK's token caching.
        credential = BearerTokenCredential(user_token, expires_on=int(time.time()) + 300)
        blob_service_client = BlobServiceClient(
            account_url="https://<your-storage-account>.blob.core.windows.net",
            credential=credential
        )
        containers = blob_service_client.list_containers()  # runs as the signed-in user, not the managed identity
        return jsonify([c.name for c in containers])
    if __name__ == "__main__":
        app.run(debug=True)  # debug=True is for local runs only
    

    ref: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

    https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory
    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who face a similar issue may benefit from it.

    0 comments
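Added example (my code, not part of the question or of the answer above): a Flask app that uses the access token App Service Authentication already holds for the signed-in user instead of the web app's managed identity. It assumes the token store is enabled and that the Microsoft provider's login parameters (`login.loginParameters` in the app's authsettingsV2) request `https://storage.azure.com/user_impersonation`, so the token App Service forwards in the `X-MS-TOKEN-AAD-ACCESS-TOKEN` header is issued for Azure Storage; without that extra scope the forwarded token is for the web app itself and the audience check rejects it before any call to Storage. The storage account URL and the `X-Filename` request header are placeholders. `azure.identity` does not export a `TokenCredential` class you can instantiate, so the example implements the `get_token` protocol itself. Listing containers needs account-level rights, so the app enumerates them with its managed identity and probes each one with the user's token; that per-container probing is a design choice of this example, not an Azure API. `demo_token` builds constructed, unsigned tokens for offline testing only.

```python
import base64
import json
import time

# Assumptions of this example: placeholder storage account URL, and Easy Auth's
# token store enabled so App Service forwards the user's access token in this header.
ACCOUNT_URL = "https://<your-storage-account>.blob.core.windows.net"
EASY_AUTH_TOKEN_HEADER = "X-MS-TOKEN-AAD-ACCESS-TOKEN"
STORAGE_AUDIENCES = ("https://storage.azure.com", "https://storage.azure.com/")

def decode_jwt_claims(token):
    """Read a JWT payload without verifying it. Storage checks the signature;
    this only inspects claims so an unusable token fails fast with a clear error."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def validate_storage_token(token, now=None):
    """Reject a token that cannot work against Blob Storage: wrong audience
    (e.g. the token Easy Auth issues for the web app itself) or already expired."""
    claims = decode_jwt_claims(token)
    if claims.get("aud") not in STORAGE_AUDIENCES:
        raise ValueError("token audience %r is not Azure Storage" % claims.get("aud"))
    now = time.time() if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims

class EasyAuthUserCredential:
    """Minimal TokenCredential: hands the SDK the user's already-issued token."""
    def __init__(self, token):
        self.token = token
        self.expires_on = int(decode_jwt_claims(token)["exp"])

    def get_token(self, *scopes, **kwargs):
        from azure.core.credentials import AccessToken  # SDK type, imported lazily
        return AccessToken(self.token, self.expires_on)

def accessible_containers(names, can_access):
    """Keep only containers `can_access` approves. Listing needs account-level
    rights, so the app enumerates and the user's token is probed per container."""
    return [name for name in names if can_access(name)]

def demo_token(claims):
    """Constructed, unsigned JWT for offline tests only; real ones come from Easy Auth."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none"}), enc(claims))

def create_app(account_url=ACCOUNT_URL):
    # Flask and Azure SDK imports are local so the helpers above unit-test offline.
    from flask import Flask, abort, jsonify, request
    from azure.core.exceptions import HttpResponseError
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobServiceClient

    app = Flask(__name__)

    def user_service():
        token = request.headers.get(EASY_AUTH_TOKEN_HEADER)
        if not token:
            abort(401, "no user token; is the Easy Auth token store enabled?")
        try:
            validate_storage_token(token)
        except ValueError as err:
            abort(401, str(err))
        return BlobServiceClient(account_url, credential=EasyAuthUserCredential(token))

    def readable_by(service):
        def can_access(name):
            try:
                service.get_container_client(name).get_container_properties()
                return True
            except HttpResponseError as err:
                if err.status_code in (401, 403):
                    return False
                raise
        return can_access

    @app.route("/containers")
    def list_containers():
        service = user_service()
        # The app's managed identity enumerates; the user's own token decides what is shown.
        app_client = BlobServiceClient(account_url, credential=DefaultAzureCredential())
        names = [c.name for c in app_client.list_containers()]
        return jsonify(accessible_containers(names, readable_by(service)))

    @app.route("/upload/<container>", methods=["POST"])
    def upload(container):
        # X-Filename is an assumed request header naming the blob.
        blob = user_service().get_blob_client(container, request.headers["X-Filename"])
        blob.upload_blob(request.get_data())  # runs as the user, so their RBAC applies
        return jsonify({"uploaded": blob.blob_name}), 201

    return app
```

Deployed behind App Service Authentication, `/containers` returns only the containers the user's own role assignments let them read, and `/upload/<container>` writes as the user, so a 403 from Storage now means the user (not the app) lacks Storage Blob Data Contributor on that container. Keeping the web app's managed identity limited to enumeration keeps the app from becoming a confused deputy that uploads anywhere on anyone's behalf.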
