We are excited to announce the preview of Azure AD Authentication for Azure Blobs and Queues. This capability is one of the features most requested by enterprise customers looking to simplify how they control access to their data as part of their security or compliance needs. This capability is available in all public regions of Azure.
Azure Storage supports several mechanisms that give you flexibility to control who can access your data, as well as how, when, and from where they can access it. With AAD authentication, customers can now use Azure’s role-based access control framework to grant specific permissions to users, groups and applications down to the scope of an individual blob container or queue. This capability extends the existing Shared Key and SAS Tokens authorization mechanisms which continue to be available.
Developers can also leverage Managed Service Identity (MSI) to give Azure resources (Virtual Machines, Function Apps, Virtual Machine Scale Set etc.) an automatically managed identity in Azure AD. Administrators can assign roles to these identities and run applications securely, without having any credentials in your code.
Administrators can grant permissions and use AAD Authentication with any Azure Resource Manager storage account using the Azure portal, Azure PowerShell, CLI or the Microsoft Azure Authorization Resource Provider API. This feature is available for all redundancy types of Azure Storage.
As with most previews, this should not be used for production workloads and there will be no production SLA until the feature becomes Generally Available.
Find out more about Azure AD Authentication for Storage.