Azure Storage Authentication Options
Azure Storage Authentication is the process of verifying the identity of a client that is requesting access to an Azure storage account. Azure Storage supports several authentication options that can be used to secure access to storage accounts, such as:
- Shared Key Authentication: This method of authentication uses a shared key that is known to both the client and the storage account to sign request headers.
- Shared Access Signature (SAS) Authentication: This method of authentication uses a shared access signature (SAS) token to provide restricted access to a storage account. A SAS token can be generated for a specific resource or set of resources within a storage account and can be used to grant read, write, or delete access to that resource.
- Azure Active Directory (AAD) Authentication: This method of authentication allows you to secure access to a storage account using Azure AD. By connecting a storage account to Azure AD, you can use Azure AD authentication to grant access to specific users or applications that are already authenticated with Azure AD.
- OAuth Authentication: This method of authentication allows you to authenticate with Azure Storage using an OAuth 2.0 Bearer Token. The token is passed in the Authorization header and is verified by Azure Storage.
- Token-based Authentication: This is an advanced category of authentication that covers SAS tokens, OAuth 2.0 bearer tokens and JSON Web Tokens (JWT).
Choosing the best authentication option depends on your requirements, such as security, ease of use and ease of integration with existing systems or platforms. For example, for testing or development purposes, Shared Key authentication can be sufficient and easier to implement, but for production environments that require a high level of security or integration with enterprise environments, you may prefer to use Azure AD or OAuth.
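The Shared Key scheme from the list above, as an added Python example that is not part of the original article: it builds the Blob service string-to-sign (verb, standard headers, x-ms-* headers, canonicalized resource and query) and computes the HMAC-SHA256 Authorization header. The account name, key and request are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Standard headers in the fixed order the Shared Key scheme signs them (API version 2015-02-21+).
STANDARD_HEADERS = ["content-encoding", "content-language", "content-length", "content-md5",
                    "content-type", "date", "if-modified-since", "if-match", "if-none-match",
                    "if-unmodified-since", "range"]


def build_string_to_sign(verb, url, headers, account):
    """Canonicalize one request: verb, standard headers, x-ms-* headers, resource and query."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    std = [h.get(name, "") for name in STANDARD_HEADERS]
    if std[2] == "0":  # a zero Content-Length is signed as an empty string
        std[2] = ""
    # x-ms-* headers: lowercased names, sorted by name, one "name:value\n" each.
    canon_headers = "".join(f"{k}:{v}\n" for k, v in sorted(h.items()) if k.startswith("x-ms-"))
    # Resource: /<account><path>, then every query parameter lowercased, sorted, values comma-joined.
    parsed = urlparse(url)
    resource = f"/{account}{parsed.path}"
    query = parse_qs(parsed.query, keep_blank_values=True)
    for name in sorted(query, key=str.lower):
        resource += f"\n{name.lower()}:{','.join(sorted(query[name]))}"
    return "\n".join([verb.upper()] + std) + "\n" + canon_headers + resource


def shared_key_authorization(account, key_b64, verb, url, headers):
    """Return 'SharedKey <account>:<Base64(HMAC-SHA256(key, string_to_sign))>'.

    The signature binds verb, headers and resource of this one request, but the account key
    itself is unscoped: whoever holds it can sign any request, which is why the article steers
    production workloads towards Azure AD or OAuth instead.
    """
    string_to_sign = build_string_to_sign(verb, url, headers, account).encode("utf-8")
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(digest).decode()}"


# Constructed sample: account name, key and request are made up for this example.
DEMO_ACCOUNT = "examplestorage"
DEMO_KEY_B64 = base64.b64encode(b"constructed demo key - not a real storage account key").decode()
DEMO_URL = f"https://{DEMO_ACCOUNT}.blob.core.windows.net/container1?restype=container&comp=list"
DEMO_HEADERS = {"x-ms-date": "Mon, 01 Jan 2024 00:00:00 GMT", "x-ms-version": "2020-10-02",
                "Content-Length": "0"}

def demo_list_container():
    """Authorization header for a 'List Blobs' GET against the constructed container."""
    return shared_key_authorization(DEMO_ACCOUNT, DEMO_KEY_B64, "GET", DEMO_URL, DEMO_HEADERS)
```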
How to connect your Azure Storage Accounts to your On-Premises Active Directory
Connecting a storage account to an on-premises Active Directory (AD) allows you to secure access to the storage account using on-premises AD authentication. This can be useful in scenarios where you want to provide access to the storage account to a specific group of users or applications that are already authenticated with your on-premises AD.
Here’s an overview of the process for connecting a storage account to an on-premises AD:
- Create a Domain Name System (DNS) alias: To connect to the on-premises AD, you will need to create a DNS alias that points to the on-premises AD. This can be done by creating a CNAME record in your DNS server.
- Configure the storage account to use AD authentication: In the Azure portal, go to the storage account settings and enable AD authentication for the storage account. You will need to provide the DNS alias that you created earlier and specify the domain name of your on-premises AD.
- Create a group in the on-premises AD: To grant access to the storage account, you will need to create a group in your on-premises AD. This group will be used to manage access to the storage account.
- Assign the Storage Blob Data Contributor role to the group: To grant access to the storage account, you will need to assign the Storage Blob Data Contributor role to the group. This role allows the members of the group to manage blobs in the storage account.
- Add users or computers to the group: To grant access to the storage account, add the users or computers to the group you created in step 3.
It’s worth mentioning that this process requires that you have your own domain controller and DNS server, and that your Azure storage account and your on-premises network are connected through a VPN or ExpressRoute.
It also requires AD FS or another third-party solution to establish the integration and trust relationship between the on-premises AD and Azure AD.