Azure Storage Blog

General Availability: Introducing Azure AD Support for Azure Files SMB shares REST API

karthikrv (Microsoft)
May 24, 2023

Today, we are excited to announce the general availability of Azure Active Directory (Azure AD) support for Azure Files REST API.

 

This capability grants share-level read and write access to Server Message Block (SMB) Azure file shares to Azure AD users, groups, and managed identities (MI) when they access the share through the REST API. Authorization is decided at the share level by Azure role assignment rather than by per-file or per-directory permissions (the request must declare that privileged intent explicitly; see Get Started below). With this announcement, cloud native and modern applications that use REST APIs can use identity-based authentication and authorization to access file shares.

 

With Azure AD support, applications can access Azure file shares securely without storing or managing any credentials: a managed identity obtains a short-lived token from Azure AD at run time, so there is no account key or connection string in configuration. Application owners assign Azure roles to the managed identity, granting it identity-based access to the application's file shares.

 

Authorization with Azure AD provides better security and ease of use than storage account access key authorization. Azure AD enables identity-based, share-level access using Azure role-based access control (Azure RBAC), whereas a storage account access key is a single, identity-less secret that grants full access to the entire storage account and all of its data. With Azure AD support for the Azure Files REST API, users can now transition away from Shared Key and SAS token authorization. For existing SMB access options, please refer to Azure Files identity-based authentication options for SMB access.

 

The Azure Portal also now supports using Azure AD to authenticate requests to Azure Files. Users can choose the Azure AD identity-based authentication method for the actions they take through the portal, such as browsing their file share contents. Find out more about authorizing access to file data in the Azure Portal.


Example use case 

A customer application using a managed identity wants to access file share data for periodic backup purposes. This application only requires read access to the source file share A, irrespective of per-file permissions, and write access to the destination file share B. With Azure AD authentication for the Azure Files REST API, the customer can now use Azure's role-based access control framework to grant exactly those permissions to the application. The users of the application can assign the following roles to the MI:

 

With the above-mentioned role assignments, the identity's access is scoped per share: read-only on the source, write on the destination. In addition, all identity and access management is enforced through Azure AD, removing any need to store, rotate, or distribute secrets.

 

Prior to Azure AD authentication support, this application would have had to call the Files REST API using either the storage account key or a SAS token. The account key gives superuser access to the whole storage account, and every Azure Files SAS token is itself signed with that key, so even a narrowly scoped SAS is a bearer secret that has to be issued, distributed, and rotated by something that holds the key.

 

Get Started 

Azure Files OAuth with REST general availability covers the FileREST data plane APIs, that is, the operations on files and directories within a file share. There is no change to the existing control plane (Azure Resource Manager) APIs used for management of FileService and FileShare resources; those already supported OAuth.

 

Azure PowerShell cmdlets, Azure CLI and Azure Portal that call REST APIs can also use OAuth to access Azure File shares. The latest versions of the Azure Storage client libraries for .NET, Java, Python and JavaScript have been updated to support this feature. 

 

Because share-level RBAC reads and writes bypass any file/directory level ACLs, the application must explicitly declare that privileged intent on each REST request; requests that carry an OAuth token without the declaration are not granted this access. Please refer to Azure AD Authentication for Azure Files to learn how to implement this.
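The backup scenario from the example use case (read share A, write share B with a managed identity) together with the intent declaration this section requires, as an added Python example that is not code from the original post or from Microsoft. It assumes, from the FileREST reference rather than from this page, the header names x-ms-file-request-intent and x-ms-version, that 2022-11-02 is the earliest API version accepting bearer tokens, the token scope https://storage.azure.com/.default, and the request shapes of List Directories and Files, Get File, Create File and Put Range. The storage account name, the token provider and the in-memory stand-in for the service are constructed so that it runs offline; it copies one directory level and ignores listing pagination.

```python
"""Backup share A to share B over FileREST with an Azure AD bearer token.

Added example, not the post's code. Header names, the 2022-11-02 minimum
version and the request shapes are assumptions taken from the FileREST
reference; the account, token and in-memory service below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List
import xml.etree.ElementTree as ET

API_VERSION = "2022-11-02"      # assumed: first FileREST version that accepts OAuth
MAX_RANGE = 4 * 1024 * 1024     # Put Range writes at most 4 MiB per call
TOKEN_SCOPE = "https://storage.azure.com/.default"  # scope a real token provider would request


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str]
    body: bytes = b""


@dataclass
class Response:
    status: int
    body: bytes


class FileRestClient:
    """Minimal OAuth FileREST client. get_token would be e.g.
    lambda: DefaultAzureCredential().get_token(TOKEN_SCOPE).token in production."""

    def __init__(self, account: str, get_token: Callable[[], str],
                 transport: Callable[[Request], Response], intent: str = "backup") -> None:
        if intent != "backup":
            # Share-level RBAC access that bypasses file/directory ACLs is only
            # granted when the request declares this intent (page: "explicitly declare").
            raise ValueError("OAuth FileREST calls must declare intent 'backup'")
        self.base, self.get_token, self.transport, self.intent = (
            f"https://{account}.file.core.windows.net", get_token, transport, intent)

    def _send(self, method, share, path, query="", headers=None, body=b"") -> Response:
        hdrs = {"Authorization": f"Bearer {self.get_token()}",  # MI token; no stored secret
                "x-ms-version": API_VERSION,
                "x-ms-file-request-intent": self.intent}         # assumed header name
        hdrs.update(headers or {})
        url = f"{self.base}/{share}/{path}".rstrip("/") + (f"?{query}" if query else "")
        resp = self.transport(Request(method, url, hdrs, body))
        if resp.status // 100 != 2:
            raise RuntimeError(f"{method} {url} -> HTTP {resp.status}")
        return resp

    def list_files(self, share: str, directory: str = "") -> List[str]:
        """List Directories and Files; returns file names (subdirectories skipped)."""
        resp = self._send("GET", share, directory, "restype=directory&comp=list")
        return [f.findtext("Name") for f in ET.fromstring(resp.body).iter("File")]

    def get_file(self, share: str, path: str) -> bytes:
        return self._send("GET", share, path).body

    def put_file(self, share: str, path: str, data: bytes) -> None:
        """Create File fixes the size, then Put Range writes <= 4 MiB chunks."""
        self._send("PUT", share, path, headers={"x-ms-type": "file",
                                                "x-ms-content-length": str(len(data))})
        for start in range(0, len(data), MAX_RANGE):
            chunk = data[start:start + MAX_RANGE]
            self._send("PUT", share, path, "comp=range", body=chunk, headers={
                "x-ms-range": f"bytes={start}-{start + len(chunk) - 1}",
                "x-ms-write": "update", "Content-Length": str(len(chunk))})


def backup_share(client: FileRestClient, src: str, dst: str) -> List[str]:
    """Copy every file in the root of share A into share B; returns the names copied."""
    copied = []
    for name in client.list_files(src):
        client.put_file(dst, name, client.get_file(src, name))
        copied.append(name)
    return copied


class FakeFileService:
    """Constructed in-memory stand-in so the example runs offline. It checks the two
    things this path depends on: a bearer token and the declared backup intent."""

    def __init__(self, shares: Dict[str, Dict[str, bytes]]) -> None:
        self.shares = {s: {k: bytearray(v) for k, v in f.items()} for s, f in shares.items()}
        self.requests: List[Request] = []

    def __call__(self, req: Request) -> Response:
        self.requests.append(req)
        if not req.headers.get("Authorization", "").startswith("Bearer "):
            return Response(401, b"")
        if req.headers.get("x-ms-file-request-intent") != "backup":
            return Response(403, b"")            # token alone is not enough
        path_part, _, query = req.url.split("/", 3)[3].partition("?")
        share, _, path = path_part.partition("/")
        files = self.shares.setdefault(share, {})
        if query == "restype=directory&comp=list":
            entries = "".join(f"<File><Name>{n}</Name></File>" for n in sorted(files))
            return Response(200, f"<EnumerationResults><Entries>{entries}</Entries>"
                                 f"</EnumerationResults>".encode())
        if req.method == "GET":
            return Response(200, bytes(files[path])) if path in files else Response(404, b"")
        if req.method == "PUT" and query == "":
            files[path] = bytearray(int(req.headers["x-ms-content-length"]))
            return Response(201, b"")
        if req.method == "PUT" and query == "comp=range":
            start = int(req.headers["x-ms-range"][len("bytes="):].split("-")[0])
            files[path][start:start + len(req.body)] = req.body
            return Response(201, b"")
        return Response(400, b"")


def demo():
    """Constructed data: share-a holds two files, share-b starts empty."""
    service = FakeFileService({"share-a": {"a.txt": b"hello", "b.bin": bytes(range(256)) * 3},
                               "share-b": {}})
    client = FileRestClient("contoso", lambda: "fake-mi-token", service)
    copied = backup_share(client, "share-a", "share-b")
    return copied, {k: bytes(v) for k, v in service.shares["share-b"].items()}, service.requests


if __name__ == "__main__":
    names, dest, reqs = demo()
    print(names, {k: len(v) for k, v in dest.items()}, len(reqs), "requests")
```

The fake service returns 403 for a bearer token without the intent header, which mirrors the point of this section: the role assignment lets the identity bypass file and directory ACLs only when the client says that is what it is doing, so a client library that merely attaches a token is not enough.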

 

Azure Files REST API with OAuth authentication is available to all customers of Azure AD, in all public regions of Azure and for all redundancy types of Azure Storage. 

 


For any questions, comments, feedback or to learn what’s new, please reach out to FilesADAuth@microsoft.com. 

Updated Jul 20, 2023
Version 3.0

6 Comments

  • Steven-H's avatar
    Steven-H
    Brass Contributor

    So this is intended as a back-end thing to support read/write access to file shares via an application, or for privileged users to browse the content of a file share for support or similar purposes? In other words, there is no intention for this to be an end-user method of accessing data in the share?

     

    Any plans on supporting Azure File shares with Azure AD Authentication without a domain?

  • Biss1873's avatar
    Biss1873
    Copper Contributor

    Hi,
    Can anyone confirm that this new feature is now in GA? In this article it is mentioned as GA, but in this post (https://azure.microsoft.com/en-us/updates/azure-files-rest-oauth/ ) it is still mentioned as Public Preview.

     

    Thanks!

  • awsmolak's avatar
    awsmolak
    Copper Contributor

    Agree 100%. SharePoint document libraries are expensive and very suboptimal for some of our use cases. We work with tons of large read-only files that need to be frequently accessed across our organization. Mapped SMB file shares are essential for us; the REST interfaces won't provide an experience that is usable for the vast majority of our users. They really can't be expected to use anything besides mapped drives.

  • HoundDogZA's avatar
    HoundDogZA
    Copper Contributor

    Now if only you could somehow have full drive mapping of Azure File Shares in Windows 10/11 for all your users over the Internet using only Azure AD identity, that is also secure, without the need for a VPN and the AD DS requirement. Then Azure Files would be a game changer for the hybrid and WFH world. SharePoint Online is failing at replacing file servers in many cases, due to library sync limits and also unsupported drive mapping, and yet Azure Files is so close to bridging that gap, but it has hurdles (perhaps necessary) that hurt its adoption.

  • @Abhijeetbhor Azure Functions uses an SMB mount to connect to Azure file shares, not the REST API interface. This public preview feature will enable Azure AD authentication for Azure file shares accessed via REST.

  • Abhijeetbhor's avatar
    Abhijeetbhor
    Copper Contributor

    Is there a way to use the function app managed identity to access the storage account file share used to store the runtime? The 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' app setting is required in a premium function app, and it uses a storage account connection string (using the access key).