How to require Office 365 login to access private PDFs in Azure Blob Storage - Stack Overflow

I have PDF files in an Azure Blob Storage container that's set to private, so no public access is allowed. I want to ensure that users can only access these PDFs after logging in with their Office 365 (Azure AD) accounts.

The challenge is that if I generate a (SAS) link for a specific PDF, anyone with the link can access it, which isn’t secure. On the other hand, if I use the regular blob URL (without a SAS token), no one can access the file since the container is private.

Is there a way to configure Azure services so that users are required to log in with their Office 365 accounts to access the PDFs directly through the URL, without needing to build a custom application?

asked Nov 19, 2024 at 20:26 by user14937393
  • Refer to this: learn.microsoft/en-us/azure/storage/blobs/… You can access the blob storage by assigning the Storage Blob Data Contributor role to access the PDF file from Azure Blob Storage. – Venkatesan Commented Nov 20, 2024 at 4:05
  • Check the below answer. – Venkatesan Commented Nov 20, 2024 at 4:55
1 Answer

I want to ensure that users can only access these PDFs after logging in with their Office 365 (Azure AD) accounts.

You can use Azure AD integration to access the PDF file from Azure Blob Storage.

First, create a group and add the Office 365 users to that group.

Ask an admin to assign the Storage Blob Data Reader or Storage Blob Data Contributor role to the storage account.

To assign it, you need the object ID of the group, and you can assign it through this CLI command.

Command:

az login
# Pick one role: "Storage Blob Data Reader" (read-only) or
# "Storage Blob Data Contributor" (read, write, delete).
az role assignment create \
    --assignee "<object id of group>" \
    --role "Storage Blob Data Reader" \
    --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Storage/storageAccounts/<storage-account-name>"

Now you can use the command below to sign in with your account and access the private PDF file from Azure Blob Storage.

Command:

az login
az storage blob download --account-name "venkat326123" --container-name "result" --name "demo.pdf" --file "xxxx" --auth-mode login

Output:

 az storage blob download --account-name "venkat326123" --container-name "result" --name "demo.pdf" --file "your local path" --auth-mode login
Finished[#############################################################]  100.0000%
{
  "container": "result",
  "content": "",
  "contentMd5": null,
  "deleted": false,
  "encryptedMetadata": null,
  "encryptionKeySha256": null,
  "encryptionScope": null,
  "hasLegalHold": null,
  "hasVersionsOnly": null,
  "immutabilityPolicy": {
    "expiryTime": null,
    "policyMode": null
  },
  "isAppendBlobSealed": null,
  "isCurrentVersion": true,
  "lastAccessedOn": "2024-11-20T04:41:30+00:00",
  "metadata": {},
  "name": "demo.pdf",
  "objectReplicationDestinationPolicy": null,
  "objectReplicationSourceProperties": [],
  "properties": {
    "appendBlobCommittedBlockCount": null,
    "blobTier": null,
    "blobTierChangeTime": null,
    "blobTierInferred": null,
    "blobType": "BlockBlob",
    "contentLength": 76712,
    "contentRange": "bytes None-None/76712",
    "contentSettings": {
      "cacheControl": null,
      "contentDisposition": null,
      "contentEncoding": null,
      "contentLanguage": null,
      "contentMd5": "+qI9Ts30dTjLfyEYTtPpRQ==",
      "contentType": "application/pdf"
    },
    "copy": {
      "completionTime": null,
      "destinationSnapshot": null,
      "id": null,
      "incrementalCopy": null,
      "progress": null,
      "source": null,
      "status": null,
      "statusDescription": null
    },
    "creationTime": "2024-11-20T04:40:25+00:00",
    "deletedTime": null,
    "etag": "\"0xxxxx494A\"",
    "lastModified": "2024-11-20T04:40:25+00:00",
    "lease": {
      "duration": null,
      "state": "available",
      "status": "unlocked"
    },
    "pageBlobSequenceNumber": null,
    "pageRanges": null,
    "rehydrationStatus": null,
    "remainingRetentionDays": null,
    "serverEncrypted": true
  },
  "rehydratePriority": null,
  "requestServerEncrypted": true,
  "snapshot": null,
  "tagCount": null,
  "tags": null,
  "versionId": "2024-11-20T04:40:25.9062090Z"
}

Reference:

Authorize access to blobs using Microsoft Entra ID - Azure Storage | Microsoft Learn
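
The role-assignment step from the answer, narrowed to a single container and the read-only role, as an added example that is not part of the original answer. The subscription, resource group, account and group IDs are placeholder assumptions; with `DRY_RUN=1` (the default) the script only prints the `az` commands, and `DRY_RUN=0` after `az login` executes them.

```shell
#!/bin/sh
# Added example: grant an Entra ID group read-only access to ONE container.
# Every value below is a placeholder (assumption), not a value from the page.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-example-rg}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-examplestorage}"
CONTAINER="${CONTAINER:-result}"
GROUP_OBJECT_ID="${GROUP_OBJECT_ID:-11111111-1111-1111-1111-111111111111}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands only; 0 = execute them

# Build the ARM scope of a single blob container, so the role does not
# apply to every container in the storage account.
container_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$1" "$2" "$3" "$4"
}

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

grant_reader() {
  scope="$(container_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER")"
  # Data-plane read role for the group, limited to the one container.
  run az role assignment create \
    --assignee-object-id "$GROUP_OBJECT_ID" \
    --assignee-principal-type Group \
    --role "Storage Blob Data Reader" \
    --scope "$scope"
  # List the roles the group holds at this scope to confirm the assignment.
  run az role assignment list --assignee "$GROUP_OBJECT_ID" --scope "$scope" \
    --query "[].roleDefinitionName" --output tsv
}

grant_reader
```
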
