{"id":637,"date":"2019-12-20T14:11:58","date_gmt":"2019-12-20T22:11:58","guid":{"rendered":"http:\/\/blog.nillsf.com\/?p=637"},"modified":"2019-12-20T14:12:01","modified_gmt":"2019-12-20T22:12:01","slug":"sharing-blob-storage-with-azure-ad-b2b-guests","status":"publish","type":"post","link":"https:\/\/nillsf.com\/index.php\/2019\/12\/20\/sharing-blob-storage-with-azure-ad-b2b-guests\/","title":{"rendered":"Sharing Blob storage with Azure AD B2B guests"},"content":{"rendered":"\n

Azure blob storage supports two ways of authorization for blob access. Either you use the storage account key or a derivate SAS token – or you use AAD RBAC to access blob.<\/p>\n\n\n\n

I did a quick test today to check if it would be possible to use a B2B guest to access blob storage. Want to find out more?<\/p>\n\n\n\n

Inviting a guest to your storage container<\/h2>\n\n\n\n

I decided to use an existing storage account for this test. I did create a new container on this storage account, called ‘testb2b’.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The default authorization is still storage account key (or SAS). I switched this to AAD.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And then I went ahead and invited my guest. This guest exists in my own AAD tenant, nillsf.com.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

If this is the first time this guest is invited to your directory, he’ll get an invitation. Since Ben doesn’t have email (he is just a demo user for me), I used the invitation URL from the notification for him the accept his invite.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

And then finally, I uploaded a file to that storage account (still using my own user in the azure portal) so I would have some data to show:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Using Storage Explorer to access files using AAD RBAC<\/h2>\n\n\n\n

To demo the fact that we can connect, I decided to use the Storage Explorer<\/a>. This is a free tool you can use to connect to Azure storage. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

First, I added my ben@nillsf.com to the storage explorer accounts.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After that, I added the resource (the container) via AAD authorization.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This will ask you for the account to use and the container location. Once you enter that, you can use storage explorer to see the files. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And as you can see, I can now see and download my file using storage explorer. <\/p>\n\n\n\n

\"\"

<\/figcaption><\/figure>\n\n\n\n

Conclusion<\/h2>\n\n\n\n

The goal of this post was to prove that I can invite Azure AD B2B guests to connect to storage accounts using Azure AD authorization. This worked perfectly. <\/p>\n","protected":false},"excerpt":{"rendered":"

Azure blob storage supports two ways of authorization for blob access. Either you use the storage account key or a derivate SAS token – or you use AAD RBAC to access blob. I did a quick test today to check if it would be possible to use a B2B guest to access blob storage. Want […]<\/p>\n","protected":false},"author":1,"featured_media":644,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2,4],"tags":[8,68],"class_list":["post-637","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-management","tag-azure","tag-blob"],"jetpack_featured_media_url":"https:\/\/nillsfblog.blob.core.windows.net\/media\/2019\/12\/image-12.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts\/637","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/comments?post=637"}],"version-history":[{"count":1,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts\/637\/revisions"}],"predecessor-version":[{"id":649,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/posts\/637\/revisions\/649"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/media\/644"}],"wp:attachment":[{"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/media?parent=637"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/categories?post=637"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nillsf.com\/index.php\/wp-json\/wp\/v2\/tags?post=637"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}