ITOps Talk Blog

How to Copy Azure Storage Account Files with AzCopy and Azure AD Credentials

thomasmaurer
Microsoft
Jul 16, 2019

In the last couple of weeks, you might have seen that I wrote a couple of blog posts on how to manage Azure Blob Storage with AzCopy, including how you can upload files to an Azure Blob Storage container with PowerShell, sync files to Azure Blob Storage, or even migrate AWS S3 buckets to Azure. In most cases where you have used AzCopy, you might have used SAS tokens. With AzCopy v10, however, you can also use Azure AD accounts and service principals.

Authenticating against Azure with AzCopy using Azure AD accounts is simple. You can use the AzCopy login command:

azcopy login

 

If your account is in multiple Azure AD tenants, you can also add the specific tenant ID.

azcopy login --tenant-id "XXXXXXXX-XXXX-XXXXX-XXXXX-XXXXXXXXXXX"

 

To find your tenant ID, log in to the Azure portal and go to Azure Active Directory -> Properties; there you will find your Directory/Tenant ID.

After running this command, you will need to open the device login page and enter your code to authenticate. If you signed in correctly, you will see a confirmation page.

Set the right permissions

 

Important: to interact with the Azure Storage Account, you will need to set the right permissions for the account, even if you are the storage account owner.

If you want to download files from Azure blob storage, make sure that your user identity has the Storage Blob Data Reader role assigned. If you want to upload files, you will need to assign Storage Blob Data Contributor or Storage Blob Data Owner.

 

You can assign these roles at different scopes, with more or less granularity:

  • Container (file system)
  • Storage account
  • Resource group
  • Subscription

With the right permissions and login, you can now easily upload and download files from your Azure Storage Account using AzCopy and your Azure AD credentials.

 

 

 

azcopy copy "C:\temp\images" "https://account.blob.core.windows.net/images/" --recursive=true

If you are like me and you get the following error:

 

“RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.”

 

 

 

You don’t have the right permissions. To fix this, see how to grant access to Azure blob and queue data with RBAC in the Azure portal, Azure CLI or Azure PowerShell.
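One way to do that role assignment with the Azure CLI, as an added example that is not part of the original post. The helper names `role_for`, `scope_for` and `grant_blob_access` and all sample values are made up here, and it assumes you are signed in with `az login` and are allowed to create role assignments.

```shell
# Added example, not from the original post. All names passed in are placeholders.

# Map the AzCopy operation to the least-privileged data role named in the post.
role_for() {
  case "$1" in
    download) echo "Storage Blob Data Reader" ;;
    upload)   echo "Storage Blob Data Contributor" ;;
    *) echo "unknown operation: $1 (use download|upload)" >&2; return 1 ;;
  esac
}

# Build the resource ID for the narrowest scope the arguments allow:
# subscription -> resource group -> storage account -> container.
scope_for() {
  local sub="${1:-}" rg="${2:-}" account="${3:-}" container="${4:-}"
  [ -n "$sub" ] || { echo "subscription ID required" >&2; return 1; }
  local scope="/subscriptions/$sub"
  [ -n "$rg" ] || { echo "$scope"; return 0; }
  scope="$scope/resourceGroups/$rg"
  [ -n "$account" ] || { echo "$scope"; return 0; }
  scope="$scope/providers/Microsoft.Storage/storageAccounts/$account"
  [ -n "$container" ] || { echo "$scope"; return 0; }
  echo "$scope/blobServices/default/containers/$container"
}

# Assign the role to a user or service principal.
# With DRY_RUN=1 the az command is printed instead of executed.
grant_blob_access() {
  local assignee="$1" op="$2"
  shift 2
  local role scope
  role="$(role_for "$op")" || return 1
  scope="$(scope_for "$@")" || return 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'az role assignment create --assignee "%s" --role "%s" --scope "%s"\n' \
      "$assignee" "$role" "$scope"
  else
    az role assignment create --assignee "$assignee" --role "$role" --scope "$scope"
  fi
}

# Usage (constructed values): upload rights on the "images" container only.
#   grant_blob_access user@example.com upload \
#     00000000-0000-0000-0000-000000000000 my-rg account images
```

Passing fewer scope arguments widens the assignment to the storage account, resource group or subscription, so prefer the container scope where it is enough. A new assignment can take a few minutes to take effect before AzCopy stops returning the 403.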

 

I hope this article helps you, especially when you didn’t configure the necessary permissions, or your account is in multiple Azure AD tenants. If you have any questions, please let me know in the comments.

Updated May 17, 2021
Version 4.0
  • ShawnO
    Copper Contributor

    Seriously... you're going to stop with an Error and say research why if you get the same thing....

  • Hi ShawnO

    I hope you are doing great.

    There is the exact link so you can find the official documentation to set the right permissions. Because not everyone wants to set the exact same permissions. But I will see if I find something to make it easier to understand.

  • inboxkrish7129
    Copper Contributor

    Hi 

    In my case, I can only run this azcopy after I use azcopy login on pipeline.

    Any leads on this pls.