Public Preview: Introducing Azure AD Support for Azure Files SMB shares REST API

We are excited to announce public preview of Azure Active Directory (Azure AD) support for Azure Files REST API with OAuth authentication. This capability enables share-level read and write access to Server Message Block (SMB) Azure file shares for users, groups, and managed identities (MI) when accessing through the REST API. With this announcement, cloud native and modern applications that use REST APIs can utilize identity-based authentication and authorization to access file shares. 

With Azure AD support, applications can access Azure file shares securely, without storing or managing any credentials. Applications can now leverage managed identities to secure access to customer-owned file shares. Application users can grant permissions to managed identities and provide identity-based access to application file shares.

Authorization with Azure AD provides better security and ease of use than storage account access key authorization: Azure AD enables identity-based, share-level access through Azure role-based access control (Azure RBAC), whereas a storage account access key grants full access to the storage account and all of its data. With Azure AD support for the Azure Files REST API, users can now transition away from Shared Key and SAS token authorization. For existing SMB access options, please refer to Azure Files identity-based authentication options for SMB access.

The Azure Portal also now supports using Azure AD to authenticate requests to Azure Files. Users can choose the Azure AD identity-based authentication method for the actions they take through the portal, such as browsing their file share contents. Find out more about authorizing access to file data in the Azure Portal.

Example use case 

A customer application using a managed identity wants to access file share data for periodic backups. The application only requires read access to the source file share A, regardless of file-level permissions, and write access to the destination file share B. With Azure AD authentication for the Azure Files REST API, the customer can now use Azure's role-based access control framework to grant exactly those permissions to the application. The users of the application can assign the following roles to the MI:

With the above-mentioned role assignments, users get more granular, per-share access. In addition, all identity and access management is enforced through Azure AD, removing any need to store or manage secrets.

Prior to Azure AD authentication support, this application would have to call the Files REST API using either the storage account key or SAS key, enabling superuser access to the storage account. 

Get Started 

The Azure Files OAuth with REST public preview covers the FileREST data plane APIs that operate on files and directories within file shares. There is no change to the existing control plane APIs used for management of FileService and FileShare resources, which already support OAuth.

Azure PowerShell cmdlets, Azure CLI and Azure Portal that call REST APIs can also use OAuth to access Azure File shares. The latest versions of the Azure Storage client libraries for .NET, Java, Python and JavaScript have been updated to support this feature. 

To obtain privileged access that reads or writes everything on a share by bypassing file- and directory-level ACLs, an application must explicitly declare that intent when calling the REST API. Please refer to Azure AD Authentication for Azure Files to learn how to implement this.
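To make the backup use case above and the intent declaration concrete, here is an added illustration (not code from the original post or from the Azure SDKs) of the shape of an OAuth-authorized FileREST request and of the share-scoped role assignments the backup application would receive. The header name `x-ms-file-request-intent`, the minimum service version `2022-11-02`, the role names and the ARM scope format are Azure conventions the editor knows; the account, share, subscription and token values are constructed placeholders.

```python
from urllib.parse import quote

# Minimum service version that accepts an Azure AD bearer token on FileREST,
# and the header through which the caller declares privileged (ACL-bypassing) intent.
MIN_OAUTH_VERSION = "2022-11-02"
INTENT_HEADER = "x-ms-file-request-intent"


def build_file_rest_request(account, share, path, bearer_token,
                            intent="backup", version=MIN_OAUTH_VERSION):
    """Return (url, headers) for a FileREST data-plane call that is
    authorized with an Azure AD token instead of a Shared Key or SAS."""
    url = f"https://{account}.file.core.windows.net/{share}/{quote(path)}"
    headers = {
        "Authorization": f"Bearer {bearer_token}",   # token from the managed identity
        "x-ms-version": version,
        INTENT_HEADER: intent,                       # explicit privileged-intent declaration
    }
    return url, headers


def validate_oauth_file_request(headers):
    """Client-side pre-flight check: a bearer token on FileREST needs a new
    enough service version and a declared intent, otherwise the call is rejected."""
    problems = []
    if not headers.get("Authorization", "").startswith("Bearer "):
        return ["no bearer token: request is not using Azure AD authorization"]
    if headers.get("x-ms-version", "0000-00-00") < MIN_OAUTH_VERSION:  # ISO dates compare as strings
        problems.append(f"x-ms-version must be >= {MIN_OAUTH_VERSION} for OAuth")
    if headers.get(INTENT_HEADER) != "backup":
        problems.append(f"{INTENT_HEADER}: backup must be declared for OAuth")
    return problems


def share_scope(subscription, resource_group, account, share):
    """ARM scope for a share-level RBAC assignment (one share, not the whole account)."""
    return (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}"
            f"/fileServices/default/fileshares/{share}")


def backup_app_assignments(subscription, rg, account, src_share, dst_share):
    """Least-privilege plan for the backup application: read-only on the
    source share, write on the destination share, nothing at account scope."""
    return [
        ("Storage File Data Privileged Reader", share_scope(subscription, rg, account, src_share)),
        ("Storage File Data Privileged Contributor", share_scope(subscription, rg, account, dst_share)),
    ]
```

Compare the two scopes returned by `backup_app_assignments` with what an account key grants: the key is equivalent to full control over every share in the account, with no per-share distinction at all.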

Azure Files REST API with OAuth authentication is available to all customers of Azure AD, in all public regions of Azure and for all redundancy types of Azure Storage. 

References: 

For any questions, comments, feedback or to learn what’s new, please reach out to [email protected]. 
