Is it possible to add AD control for accessing Azure storage

  • Question

  • I know we can use the AccountKey to access/manage Azure storage. Our concern is that an employee can get the account key and access the Azure storage from outside the corporate network.

    Is it possible to tie corporate AD and Azure AD together to control who can access Azure storage? Also, do they have an audit system for viewing who accesses the Azure storage?

    Thanks,

    Monday, April 13, 2015 2:51 PM

Answers

All replies

  • Hi,

    The Role Based Access Control must be able to help you in this. Please refer to: http://azure.microsoft.com/en-in/documentation/articles/role-based-access-control-configure/

    However, regarding connecting Corporate AD to Azure AD, you may need to look into this article: http://blogs.technet.com/b/ad/archive/2014/08/04/connecting-ad-and-azure-ad-only-4-clicks-with-azure-ad-connect.aspx

    Regards,

    Manu

    Monday, April 13, 2015 5:32 PM
  • It looks like the Role Based Access Control is for management only, not for data modification. I would like to find a way to restrict it so that certain people from a specific network can upload/delete blobs from the storage account. Using the account key, we can manage/modify the data but can't restrict it to specific people or a network.

    Role-based access control is supported only for management operations of the Azure resources in Azure Preview portal and Azure Resource Manager APIs. Not all data level operations for Azure resources can be authorized via RBAC. For instance, create/read/update/delete of Storage Accounts can be controlled via RBAC, but create/read/update/delete of blobs or tables within the Storage Account cannot yet be controlled via RBAC. Similarly, create/read/update/delete of a SQL DB can be controlled via RBAC but create/read/update/delete of SQL tables within the DB cannot yet be controlled via RBAC.

    Monday, April 13, 2015 9:33 PM
  • As of now, it is not possible to restrict access to Azure storage with reference to specific network directly.

    However, you can direct all traffic through your Web Role and filter traffic there to allow access to storage containers. I haven't tried this, but it's just a thought in case it might help you in some way.

    Also, please look into this: https://msdn.microsoft.com/en-us/library/azure/dd179391.aspx

    Regards,

    Manu
    Tuesday, April 14, 2015 4:11 PM
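
The gateway approach suggested in the last reply, sketched as an added example (not code from the thread or from Microsoft): a server-side check that keeps the account key off client machines, allows blob operations only for callers on a corporate network range and in an allowed directory group, and records every decision for audit. The network ranges, group names and function names are constructed for illustration.

```python
import ipaddress
import json
import time

# Constructed sample policy: corporate egress ranges and the directory groups
# allowed to perform each blob operation (all names are hypothetical).
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("2001:db8:10::/48")]
OPERATION_GROUPS = {"read": {"blob-readers", "blob-writers", "blob-admins"},
                    "upload": {"blob-writers"},
                    "delete": {"blob-admins"}}

AUDIT_LOG = []  # stand-in for an append-only audit sink


def from_corporate_network(source_ip):
    """True only if source_ip parses and falls inside an allowed range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed address: fail closed
    return any(addr in net for net in CORPORATE_NETWORKS)


def authorize(user, groups, source_ip, operation, container):
    """Decide whether the gateway may perform `operation` for this caller.

    The caller never receives the account key; the gateway holds it and calls
    storage only after this returns True. source_ip must be the peer address
    of the connection (or come from a trusted proxy), never a header the
    client can set freely.
    """
    allowed_groups = OPERATION_GROUPS.get(operation, set())  # unknown op: deny
    if not from_corporate_network(source_ip):
        decision, reason = False, "source outside corporate network"
    elif not allowed_groups & set(groups):
        decision, reason = False, "user not in a group allowed for operation"
    else:
        decision, reason = True, "ok"
    # Audit allowed and denied requests alike, so "who accessed what" can be
    # answered later even though storage itself only sees the gateway.
    AUDIT_LOG.append(json.dumps({"ts": time.time(), "user": user,
                                 "ip": source_ip, "op": operation,
                                 "container": container,
                                 "allowed": decision, "reason": reason}))
    return decision
```
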