Which Azure Storage Services Support Azure AD Authentication Integration?
Master Azure Storage authentication for your AZ-500 exam by learning that only Azure Blob Storage and Queue Storage support Azure AD authentication. Understand why Table Storage and File Storage still rely on shared access keys or SAS tokens for access control.
Question
You can configure Azure AD authentication for which of the following?
A. Queues, Blobs
B. Queues, Blobs, Files
C. Queues, Blobs, Tables
D. Queues, Files
Answer
A. Queues, Blobs
Explanation
The correct answer is A. Only Azure Storage Queues and Blobs support Azure Active Directory (Azure AD) authentication. Table Storage and File Storage do not currently support Azure AD integration for authentication and authorization.
Only Azure Storage queues and blobs support Azure AD authentication.
Azure AD Authentication for Supported Services
Azure AD authentication lets a client access Azure Storage with an Azure AD identity (a user, group, service principal or managed identity) instead of a shared account key. Authorization is then expressed as Azure RBAC role assignments, which gives fine-grained access control without distributing account secrets.
Blob Storage with Azure AD
- RBAC Roles: You can assign built-in roles like Storage Blob Data Reader, Storage Blob Data Contributor, or Storage Blob Data Owner to users, groups, or service principals.
- Managed Identity Support: Applications can use system-assigned or user-assigned managed identities to access blob data without storing credentials in code.
- Conditional Access: Azure AD authentication enables the use of Conditional Access policies to control blob access based on location, device compliance, or other conditions.
Queue Storage with Azure AD
- Message Processing: Applications can authenticate to Azure Storage Queues using Azure AD credentials to send, receive, and process messages.
- RBAC Integration: Similar to blobs, you can use roles like Storage Queue Data Reader, Storage Queue Data Contributor, or Storage Queue Data Message Processor.
- Service-to-Service Authentication: Microservices can authenticate to queues using managed identities, eliminating the need for connection strings with embedded keys.
Why Other Storage Services Don’t Support Azure AD
- Table Storage: This NoSQL service currently only supports authentication through storage account keys or Shared Access Signatures (SAS). It lacks the Azure AD integration found in Blob and Queue storage.
- File Storage (Azure Files): While Azure Files supports some forms of identity-based authentication for SMB shares (using on-premises Active Directory or Azure AD Domain Services), it does not support the same Azure AD authentication model used by Blob and Queue storage for REST API access.
Alternative Authentication Methods
For services that don’t support Azure AD authentication:
- Shared Access Signatures (SAS): Provide time-limited, fine-grained access to specific resources without exposing the full storage account key.
- Storage Account Keys: Grant full access to every storage service in the account, so they should be treated as highly privileged secrets, stored and distributed carefully, and rotated regularly.
- Connection Strings: Include authentication information for accessing storage services, though they typically embed storage account keys.
This limitation is important for designing secure Azure applications, as you must plan different authentication strategies for different storage services within the same solution.