How to enable AAD authentication for a storage account

Hong Ooi

It’s possible to authenticate to a storage account using an OAuth token obtained via Azure Active Directory (AAD). This has several advantages:

Here, we’ll take you through the steps involved to configure a storage account for AAD authentication. The assumption here is that you’re an administrator for your AAD tenant, or have the appropriate rights to create AAD app registrations and set role assignments on resources—if you don’t know what these terms mean, you probably don’t have such rights!

Authenticate as a user

Authenticating as a user is relatively straightforward: you can think of it as “logging into” the storage account with your username. This involves the following:

Create an app registration

You can create a new app registration using any of the usual methods. For example to create an app registration in the Azure Portal (https://portal.azure.com/), click on “Azure Active Directory” in the menu bar down the left, go to “App registrations” and click on “New registration”. Name the app something suitable, eg “AzureStor R interface to storage”.

Once the app registration has been created, note the app ID.

Set the app permissions

To enable users to authenticate to storage with this app, add the “user_impersonation” delegated permission for the Azure Storage API. In the Portal, you can set this by going to the “API permissions” pane for your app reigstration, then clicking on “Add a permission”.

Give users a role assignment in the storage account

Having registered an app ID for AzureStor, you then add the appropriate role assignments for your users. These role assignments are set for the resource, not the app registration. In the Portal, you can set these by going to your storage account resource, then clicking on “Access Control (IAM)”.

The main role assignments to be aware of are:

Note that AzureStor does not provide an R interface to queue storage; for that, you can use the AzureQstor package.

Authenticating

Once this is done, your users can authenticate to storage as follows. Here. app_id is the ID of the app registration you’ve just created.

# obtaining a token from an R session on the local machine
token <- AzureAuth::get_azure_token("https://storage.azure.com", tenant="yourtenant", app="app_id")

# obtaining a token from a remote R session: RStudio Server/Databricks
token <- AzureAuth::get_azure_token("https://storage.azure.com", tenant="yourtenant", app="app_id",
    auth_type="device_code")

# use the token to login to storage (blob in this case)
endp <- storage_endpoint("https://yourstorageacct.blob.core.windows.net", token=token)

Authenticate as the application

In the previous section, we described how users can authenticate as themselves with AzureStor. Here, we’ll describe how to authenticate as the application, that is, without a signed-in user. This is useful in a scenario such as a CI/CD or deployment pipeline that needs to run without user intervention.

The process is as follows:

Create the app registration and give it a client secret

Creating the app registration is much the same as before, except that you don’t need to set a redirect URI or enable public client flows. Instead you give the app a client secret, which is much the same as a password (and should similarly be kept secure). In the Portal, you can set this in the “Certificates and Secrets” pane for your app registration.

It’s also possible to authenticate with a client certificate (public key), but this is more complex and we won’t go into it here. For more details, see the Azure Active Directory documentation and the AzureAuth intro vignette.

Give the app’s service principal a role assignment in the storage account

This is again similar to assigning a user a role, except now you assign it to the service principal for your app. The same roles assignments as before can be used.

Authenticating

To authenticate as the app, use the following code:

# use the app ID and client secret you noted before
token <- AzureAuth::get_azure_token("https://storage.azure.com", tenant="yourtenant", app="app_id",
    password="client_secret")

endp <- storage_endpoint("https://yourstorageacct.blob.core.windows.net", token=token)