Connecting a storage account to an on-premises Active Directory (AD) allows you to secure access to the storage account using on-premises AD authentication. This can be useful in scenarios where you want to provide access to the storage account to a specific group of users or applications that are already authenticated with your on-premises AD.
Here’s an overview of the process for connecting a storage account to an on-premises AD:
Create a Domain Name System (DNS) alias: To connect to the on-premises AD, you will need to create a DNS alias that points to the on-premises AD. This can be done by creating a CNAME record in your DNS server.
Configure the storage account to use AD authentication: In the Azure portal, go to the storage account settings and enable AD authentication for the storage account. You will need to provide the DNS alias that you created earlier and specify the domain name of your on-premises AD.
Create a group in the on-premises AD: To grant access to the storage account, you will need to create a group in your on-premises AD. This group will be used to manage access to the storage account.
Assign the Storage Blob Data Contributor role to the group: To grant access to the storage account, assign the Storage Blob Data Contributor role to the group. This role allows the members of the group to manage blobs in the storage account.
Add users or computers to the group: To grant access to the storage account, add the users or computers to the group you created in step 3.
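The following script is an added example (not part of the original post) that carries out steps 1, 3, 4 and 5 from a domain controller with the ActiveDirectory, DnsServer and Az modules installed and an active Connect-AzAccount session. Every name in it (domain, OU, DNS alias, storage account scope, member accounts) is a placeholder, and it assumes the on-premises group is synchronized to Azure AD, since an Azure RBAC assignment needs an Azure AD object id.

```powershell
# Added example, not the original post's code. All values below are placeholders.
$GroupName  = 'SG-StorageBlobContributors'              # placeholder group name
$GroupOU    = 'OU=Groups,DC=contoso,DC=local'           # placeholder OU
$DnsZone    = 'contoso.local'                           # placeholder DNS zone
$DnsAlias   = 'adauth'                                  # placeholder CNAME name
$DcHostName = 'dc01.contoso.local'                      # placeholder CNAME target (the DC)
$Scope      = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>'  # placeholder
$Role       = 'Storage Blob Data Contributor'
$Members    = @('alice', 'bob', 'APP-SERVER01$')        # placeholder users and one computer account

# Step 1: DNS alias (CNAME) that points at the on-premises domain controller.
if (-not (Get-DnsServerResourceRecord -ZoneName $DnsZone -Name $DnsAlias -RRType CName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $DnsZone -Name $DnsAlias -HostNameAlias $DcHostName
}

# Step 3: security group that will govern access to the storage account.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}

# Step 5: add users and computers to the group (existing members are left as they are).
Add-ADGroupMember -Identity $GroupName -Members $Members

# Step 4: assign the role at the storage account scope only, so the grant stays
# as narrow as the post describes. Requires the group to be visible in Azure AD.
$AzGroup = Get-AzADGroup -DisplayName $GroupName
if (-not $AzGroup) { throw "Group '$GroupName' is not visible in Azure AD yet; synchronize it first." }
if (-not (Get-AzRoleAssignment -ObjectId $AzGroup.Id -RoleDefinitionName $Role -Scope $Scope)) {
    New-AzRoleAssignment -ObjectId $AzGroup.Id -RoleDefinitionName $Role -Scope $Scope
}

# Check: list every principal holding this role at the storage account scope,
# to confirm that only the intended group was granted it.
Get-AzRoleAssignment -Scope $Scope -RoleDefinitionName $Role |
    Select-Object DisplayName, ObjectType, Scope
```

Step 2 (enabling AD authentication on the storage account) is done in the Azure portal as the post describes and is not scripted here.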
It is worth mentioning that this process requires that you have your own domain controller and DNS server, and that your Azure storage account and your on-premises network are connected through a VPN or ExpressRoute.
It also requires AD FS or another third-party solution to establish the integration and trust relationship between the on-premises AD and Azure AD.