Azure blob storage supports two ways to authorize blob access: either you use the storage account key (or a SAS token derived from it), or you use AAD RBAC to access blobs.
I did a quick test today to check whether it is possible to use a B2B guest to access blob storage. Want to find out more?
## Inviting a guest to your storage container
I decided to use an existing storage account for this test. I created a new container on this storage account, called ‘testb2b’.
![](/wp-content/uploads/2019/12/image-6.png)
The default authorization is still storage account key (or SAS). I switched this to AAD.
![](/wp-content/uploads/2019/12/image-7.png)
And then I went ahead and invited my guest. This guest exists in my own AAD tenant, nillsf.com.
![](/wp-content/uploads/2019/12/image-8.png)
If this is the first time this guest is invited to your directory, he’ll get an invitation. Since Ben doesn’t have email (he is just a demo user for me), I used the invitation URL from the notification for him to accept his invite.
![](/wp-content/uploads/2019/12/image-9.png)
![](/wp-content/uploads/2019/12/image-10.png)
And then finally, I uploaded a file to that storage account (still using my own user in the Azure portal) so I would have some data to show:
![](/wp-content/uploads/2019/12/image-11.png)
## Using Storage Explorer to access files using AAD RBAC
To demo the fact that we can connect, I decided to use the Storage Explorer. This is a free tool you can use to connect to Azure storage.
![](/wp-content/uploads/2019/12/image-12.png)
First, I added my guest account ben@nillsf.com to the Storage Explorer accounts.
![](/wp-content/uploads/2019/12/image-13.png)
After that, I added the resource (the container) via AAD authorization.
![](/wp-content/uploads/2019/12/image-14.png)
This will ask you for the account to use and the container location. Once you enter that, you can use Storage Explorer to see the files.
![](/wp-content/uploads/2019/12/image-15.png)
And as you can see, I can now see and download my file using Storage Explorer.
![](/wp-content/uploads/2019/12/image-16.png)
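The same setup as a script, added here as an example and not part of the original post: the admin side creates the container, scopes a data-plane role to just that container for the guest, and lists who holds rights on it; the commented tail is what the guest runs instead of the Storage Explorer steps. Assumed values: storage account `examplestorage` in resource group `example-rg`, the guest's external address ben@nillsf.com, and the `Storage Blob Data Reader` role (the post does not name the role it assigned).

```powershell
# Added example (not the post's own code). Azure PowerShell (Az module) version of the
# portal steps above. Assumed: storage account 'examplestorage' in 'example-rg',
# guest invited as ben@nillsf.com, role 'Storage Blob Data Reader'.
$tenantId      = '<your-tenant-id>'      # placeholder
$resourceGroup = 'example-rg'
$accountName   = 'examplestorage'
$container     = 'testb2b'
$guestMail     = 'ben@nillsf.com'

Connect-AzAccount -TenantId $tenantId | Out-Null

# Create the container with the admin's AAD identity; no anonymous public access.
$ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount
New-AzStorageContainer -Name $container -Context $ctx -Permission Off | Out-Null

# Scope the role assignment to the container, not the whole account, so the guest
# can read only this container's blobs.
$account = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $accountName
$scope   = "$($account.Id)/blobServices/default/containers/$container"

# Resolve the guest's object id from the external e-mail address.
$guest = Get-AzADUser -Filter "mail eq '$guestMail'"
if (-not $guest) { throw "Guest $guestMail not found in the directory" }

New-AzRoleAssignment -ObjectId $guest.Id `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $scope | Out-Null

# Check: who holds data-plane rights on this container (including inherited ones)?
# Review this list periodically so guest access does not linger after the test.
Get-AzRoleAssignment -Scope $scope |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Guest side (what Storage Explorer does above), run after signing in as the guest
# into the inviting tenant:
#   Connect-AzAccount -TenantId $tenantId
#   $guestCtx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount
#   Get-AzStorageBlob -Container $container -Context $guestCtx
```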
## Conclusion
The goal of this post was to prove that I can invite Azure AD B2B guests to connect to storage accounts using Azure AD authorization. This worked perfectly.