Sharing Blob storage with Azure AD B2B guests

Azure Blob storage supports two authorization models for blob access: shared key (the storage account key, or a SAS token derived from it) and Azure AD RBAC.

I did a quick test today to check whether it is possible to use a B2B guest to access blob storage. Want to find out more?

Inviting a guest to your storage container

I decided to use an existing storage account for this test, and created a new container on it called 'testb2b'.

When browsing a container in the Azure portal, the default authentication method is still the storage account key (or SAS). I switched this to Azure AD.

Then I invited my guest. Doing this from the container's Access control (IAM) blade invites the external user and creates the role assignment in one step; note that only a data-plane role such as Storage Blob Data Reader grants access to the blobs themselves, a management-plane role like Contributor on the account does not. This guest lives in my own AAD tenant, nillsf.com.

If this is the first time this guest has been invited to your directory, he'll get an invitation. Since Ben doesn't have a mailbox (he is just a demo user for me), I used the invitation URL from the notification to accept the invite on his behalf.

Finally, I uploaded a file to that container (still using my own user in the Azure portal) so I would have some data to show:

Using Storage Explorer to access files using AAD RBAC

To show that the guest can connect, I used Azure Storage Explorer, a free tool for connecting to Azure storage.

First, I added the guest account, ben@nillsf.com, to the accounts in Storage Explorer.

After that, I added the resource (the container) via Azure AD authorization.

This asks for the account (and tenant) to use and the URL of the container. Once you enter that, you can use Storage Explorer to browse the files.

And as you can see, the guest user can now list and download the file through Storage Explorer.
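The same flow as the portal and Storage Explorer steps above (invite the guest, grant the role on the container, then connect as the guest using Azure AD authorization), as an added PowerShell example that is not part of the original post. It uses the Az and Microsoft.Graph modules; the subscription ID, resource group, storage account name and resource tenant ID are placeholders, since the post does not name them, while the guest ben@nillsf.com and the container testb2b are the ones from the post.

```powershell
# Added example (Az + Microsoft.Graph modules), not code from the original post.
# Placeholders: $subscriptionId, $resourceGroup, $storageAccount, $resourceTenantId.

# ---- Part 1: run as the storage account owner in the resource tenant ----
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'my-rg'                                  # placeholder
$storageAccount = 'mystorageaccount'                       # placeholder
$container      = 'testb2b'
$guestEmail     = 'ben@nillsf.com'

Connect-AzAccount
Set-AzContext -Subscription $subscriptionId

# 1. Invite the B2B guest. User.Invite.All is the Graph permission this call needs.
#    No mail is sent; the redeem URL is printed instead, matching the post's
#    "guest without a mailbox" situation.
Connect-MgGraph -Scopes 'User.Invite.All'
$invitation = New-MgInvitation -InvitedUserEmailAddress $guestEmail `
                               -InviteRedirectUrl 'https://portal.azure.com' `
                               -SendInvitationMessage:$false
$guestObjectId = $invitation.InvitedUser.Id
Write-Host "Redeem URL for the guest: $($invitation.InviteRedeemUrl)"

# 2. Grant a data-plane role scoped to this one container.
#    Reader or Contributor on the account would NOT let the guest read blob data.
$containerScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
                  "/providers/Microsoft.Storage/storageAccounts/$storageAccount" +
                  "/blobServices/default/containers/$container"
New-AzRoleAssignment -ObjectId $guestObjectId `
                     -RoleDefinitionName 'Storage Blob Data Reader' `
                     -Scope $containerScope

# 3. Check what the guest was granted, and where. Role assignments can take a few
#    minutes to propagate, so a 403 immediately after this is not yet a misconfiguration.
Get-AzRoleAssignment -ObjectId $guestObjectId -Scope $containerScope |
    Select-Object DisplayName, RoleDefinitionName, Scope

# ---- Part 2: run as the guest, after redeeming the invitation ----
# The guest must sign in to the *resource* tenant, not to the home tenant nillsf.com.
$resourceTenantId = '11111111-1111-1111-1111-111111111111'   # placeholder
Connect-AzAccount -Tenant $resourceTenantId

# -UseConnectedAccount makes the context use the Azure AD token; no key or SAS involved.
$ctx = New-AzStorageContext -StorageAccountName $storageAccount -UseConnectedAccount

# List and download, which is what Storage Explorer did in the screenshots.
Get-AzStorageBlob -Container $container -Context $ctx | Select-Object Name, Length
Get-AzStorageBlob -Container $container -Context $ctx | ForEach-Object {
    Get-AzStorageBlobContent -Container $container -Blob $_.Name -Destination . -Context $ctx -Force
}

# With only Storage Blob Data Reader, a write is refused with
# 403 AuthorizationPermissionMismatch; uncomment to confirm the scope of the grant:
# Set-AzStorageBlobContent -Container $container -File .\test.txt -Context $ctx
```

The tenant choice in Part 2 is the usual stumbling block: a guest signing in to Storage Explorer (or `Connect-AzAccount`) without selecting the resource tenant gets a token for the home tenant, which the storage account does not trust, and the result looks like a missing role assignment.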


Conclusion

The goal of this post was to show that Azure AD B2B guests can be invited to a storage account and connect to it using Azure AD authorization. This worked perfectly. The guest never needs the storage account key or a SAS token: access is a scoped RBAC role assignment that can be removed again at any time.
