Azure-docs: Storage Explorer

Created on 2 Oct 2018 · 11 Comments · Source: MicrosoftDocs/azure-docs

I believe that the current restriction against Portal access with the new DataActions also applies to Storage Explorer. That is, even if you are assigned a role such as "Storage Blob Data Reader (Preview)", you won't be able to view blobs through Storage Explorer unless you also have a role with the Microsoft.Storage/storageAccounts/listkeys/action operation.
Just wanted to note that for others' reference and hopefully get a document update if that information is indeed accurate.
Thanks!




All 11 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

@dcbrown16 Thanks for the feedback! I have assigned the issue to the content author to evaluate and update as appropriate.

@dcbrown16 - Thank you for your feedback. You are right, the Storage Explorer still uses keys to access blob and queue data, and does not support using Azure AD credentials. I've updated the content accordingly, and the change should go live soon.

Portal support for using Azure AD credentials to read/write blob data is now available. This just happened in the past several days.

Great, thanks for confirming and for the update regarding the Portal.

Storage Explorer 1.61 release notes suggest it now supports RBAC access for blobs. Haven't verified this myself, but if ready maybe worth updating the docs.

You can now use Storage Explorer to access your Blob data via RBAC. If you are signed in and Storage Explorer is unable to retrieve the keys for your Storage account, then an OAuth token will be used to authenticate when interacting with your data.

Reopened so @tamram can assess, thanks @markarnolditpro!

As of this update, I would expect an Azure AD user with only Storage Blob Data Contributor (Preview) (or Reader) permission, either on the Storage Account or an individual Container, to be able to use Storage Explorer to access the appropriate container(s). That does not currently seem to be the case?

I'll try also granting Storage Account Contributor, but that's more access than this user needs to have.

I have the same problem. I have created a storage account and a blob container inside it. I assigned the "Storage Blob Data Contributor (Preview)" role to an AD user, and with this user I can't access the files in the container from Azure Explorer. Does it not work yet with the latest 1.6.2 version of Azure Explorer?

I ran another test. I also assigned a "Reader" role to the same user, and after that it works fine. This user can use Azure Explorer to read the files in the STA container. Is this the normal operation?

Storage Explorer does indeed support RBAC. However, you also need Reader (management-level) access to list your storage accounts. This is a known limitation we'll be providing some more documentation on, and a solution will be available sometime in the future.
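
The permission logic discussed in this thread, modeled as an added example that is not part of the issue or of Storage Explorer's own code. The role definitions are abridged to the permissions relevant here (an assumption; NotActions are omitted), and `explorer_access` is a hypothetical model of the behavior the commenters describe: the account must be listable, keys are used if retrievable, otherwise an OAuth token with the data role.

```python
from fnmatch import fnmatchcase

# Abridged role definitions (assumption: only the permissions relevant here are listed).
ROLES = {
    "Reader": {"actions": ["*/read"], "data_actions": []},
    "Storage Blob Data Reader": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "data_actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    },
    "Storage Account Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/*"],
        "data_actions": [],
    },
}

LIST_ACCOUNT = "Microsoft.Storage/storageAccounts/read"             # management plane
LIST_KEYS = "Microsoft.Storage/storageAccounts/listkeys/action"     # management plane
READ_BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"  # data plane


def allowed(assigned, operation, kind):
    """True if any assigned role grants `operation`.

    `kind` is "actions" or "data_actions"; `*` matches across `/`, case-insensitively.
    """
    op = operation.lower()
    return any(
        fnmatchcase(op, pattern.lower())
        for role in assigned
        for pattern in ROLES[role][kind]
    )


def explorer_access(assigned):
    """Return how the client would reach blob data: 'keys', 'oauth' or 'none'."""
    if not allowed(assigned, LIST_ACCOUNT, "actions"):
        return "none"   # account cannot be listed, so it never shows up
    if allowed(assigned, LIST_KEYS, "actions"):
        return "keys"   # full account key: far more than blob read access
    if allowed(assigned, READ_BLOB, "data_actions"):
        return "oauth"  # Azure AD token, scoped by the data role
    return "none"
```

Because `*/read` does not match `listkeys/action`, pairing Reader with the data role yields token-based access without exposing the account keys, unlike Storage Account Contributor.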

@dcbrown16 - Thanks for your feedback. We have this work in our backlog and will address it soon.

please-close
