Authenticate Azure Storage Files using Microsoft Entra ID

Question

Authenticate Azure Storage Files using Microsoft Entra ID

Saurabh Bhandari 0

Hi team,

I have a storage account with all permissions needed for Microsoft Entra ID, that is Storage File Data Privileged Reader and Storage File Data Privileged Contributor.

I am able to create, get, delete files, and listfileshare using SAS or Storage Key.
I am able to get only a list of file shares using Microsoft Entra ID
I am not able to create, get, or delete files using Microsoft Entra ID

I am using the below SDK and Java 8:

``

Code Sample:

 TokenCredential tokenCredential = new ClientSecretCredentialBuilder()
          .clientId("id") 
          .clientSecret("secret") 
          .tenantId("tenantid")  
          .build();



ShareServiceClient serviceClient = new ShareServiceClientBuilder()
          .endpoint(fileShareUrl)
          .credential(tokenCredential)
          .shareTokenIntent(ShareTokenIntent.BACKUP)
          .buildClient();

 ShareClient shareClient = serviceClient.getShareClient("files");

      String fileName = "testfile.txt";
      ShareFileClient fileClient = shareClient.getFileClient(fileName);

      byte[] fileContent = "Hello, Azure File Share!".getBytes(StandardCharsets.UTF_8);
      long fileSize = fileContent.length;

       fileClient = shareClient.createFile(fileName,
         fileSize);
      fileClient.upload(new ByteArrayInputStream(Base64.decodeBase64(fileContent)),
          Base64.decodeBase64(fileContent).length, new ParallelTransferOptions());

      System.out.println("File uploaded successfully!");

Ask:

Is there any other permission needed for it?
Is there something I am doing wrong?
Also, I want to know to authenticate through Microsoft Entra ID. Do I need to configure identity-based access for this?

Hari Babu Vattepally 2,640 Reputation points Microsoft External Staff

2025-04-18T13:55:46.8133333+00:00
Hi @Saurabh Bhandari,

To create, get, or delete files using Microsoft Entra ID, make sure you have the necessary permissions. As the roles which you mentioned Storage File Data Privileged Reader and Storage File Data Privileged Contributor generally should allow these tasks. However, it's important to double-check that the relevant RBAC actions for file operations are explicitly granted.

However, please make sure to check the following permissions are also included:

Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read for reading files.

Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write for creating and deleting files.

Unfortunately, if the issue still persists. Also, please check the following recommendations and check if the issue is resolved:

Please make sure that the roles are accurately assigned to the identity (user, group, or application) attempting to access the storage account.

Make sure the OAuth 2.0 token you obtain includes all the required scopes for the operations you intend to execute.

Yes, you need to set up identity-based access for Microsoft Entra ID, including configuring roles and ensuring authentication and authorization with Azure Storage.

After checking all the above and if the issue still persists, please refer for the log in the Azure Portal or for the error message for more details.

For more additional information, please refer to the below documentation:

Authorize with Microsoft Entra ID

Authorize access to blobs using Microsoft Entra ID

I hope the above helps in addressing your query.

Please let us know in the comments below, if the issue is resolved or still persists. We will be glad to assist you closely.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members. Accepted answers show up at the top, resulting in improved discoverability for others.
Saurabh Bhandari 0 Reputation points

2025-04-21T07:16:16.68+00:00
Why do I need to add RBAC actions for file operations that are explicitly granted

Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read for reading files.

Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write for creating and deleting files.

As the role I have assigned has the permissions for data actions:

Also, while configuring identity-based access for Microsoft Entra ID, I am getting an error:
As there was mentioned :Before enabling this setting, make sure Microsoft Entra Domain Services (Microsoft Entra DS) is enabled for your Azure tenant. Otherwise, this operation will fail.

When I tried to add in Microsoft Doman Services, I get an error:

ASK

If I have to add explicit permission. How can I do it, and what permission is needed to do it?

How to configure Identity-based access for Microsoft Entra Domain Services?

What permission will be needed to add a tenant to Microsoft Domain Services? Can only the admin do it?
Hari Babu Vattepally 2,640 Reputation points Microsoft External Staff

2025-04-21T14:51:28.8333333+00:00
Hi @Saurabh Bhandari,

Below is the detailed explanation to address more about your query regarding RBAC actions and Identity based access.

You should explicitly declare actions and data actions instead of using wildcard characters. For file operations, please add the following RBAC actions:

Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read for reading files.

Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write for creating and deleting files. To add these permissions, you can create a custom role that includes these specific actions or modify an existing role to include them.

However, to set up identity-based access, make sure Microsoft Entra Domain Services (Microsoft Entra DS) is enabled for your Azure tenant. Check the settings in the Azure portal and ensure the necessary configurations are in place. Errors may indicate that the service is not correctly set up.

Generally, only users with administrative privileges can add a tenant to Microsoft Domain Services. The required permissions might differ, but typically, an admin role is needed to carry out these actions.

Explicit RBAC actions need to be added because, even if a role has permissions for data actions, Azure requires specific actions to be defined for certain operations to ensure precise access control.

For more additional information, please refer to the below documents:

Authorize with Microsoft Entra ID

Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST

Choose how to authorize access to file data in the Azure portal

I hope the above helps in addressing your query.
Hari Babu Vattepally 2,640 Reputation points Microsoft External Staff

2025-04-22T11:00:28.5266667+00:00

Hi @Saurabh Bhandari,

Just checking in to see if the above answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Venkatesan S 1,475 Reputation points Microsoft External Staff

2025-04-23T12:51:09.2133333+00:00

Hi Saurabh Bhandari

Could you please use this Azure CLI command to verify the RBAC role present for Microsoft Entra ID?

Command:
az role assignment list --assignee <your-client-id> --all --output table

Accepted answer

0 additional answers

Your answer

Saurabh Bhandari 0 Reputation points

2025-04-21T07:16:16.68+00:00

Why do I need to add RBAC actions for file operations that are explicitly granted

Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read for reading files.

Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write for creating and deleting files.

As the role I have assigned has the permissions for data actions:

Also, while configuring identity-based access for Microsoft Entra ID, I am getting an error:
As there was mentioned :Before enabling this setting, make sure Microsoft Entra Domain Services (Microsoft Entra DS) is enabled for your Azure tenant. Otherwise, this operation will fail.

When I tried to add in Microsoft Doman Services, I get an error:

ASK

If I have to add explicit permission. How can I do it, and what permission is needed to do it?

How to configure Identity-based access for Microsoft Entra Domain Services?

What permission will be needed to add a tenant to Microsoft Domain Services? Can only the admin do it?
Hari Babu Vattepally 2,640 Reputation points Microsoft External Staff

2025-04-21T14:51:28.8333333+00:00

Hi @Saurabh Bhandari,

Below is the detailed explanation to address more about your query regarding RBAC actions and Identity based access.

You should explicitly declare actions and data actions instead of using wildcard characters. For file operations, please add the following RBAC actions:

Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read for reading files.

Microsoft.Storage/storageAccounts/fileServices/fileShares/files/write for creating and deleting files. To add these permissions, you can create a custom role that includes these specific actions or modify an existing role to include them.

However, to set up identity-based access, make sure Microsoft Entra Domain Services (Microsoft Entra DS) is enabled for your Azure tenant. Check the settings in the Azure portal and ensure the necessary configurations are in place. Errors may indicate that the service is not correctly set up.

Generally, only users with administrative privileges can add a tenant to Microsoft Domain Services. The required permissions might differ, but typically, an admin role is needed to carry out these actions.

Explicit RBAC actions need to be added because, even if a role has permissions for data actions, Azure requires specific actions to be defined for certain operations to ensure precise access control.

For more additional information, please refer to the below documents:

Authorize with Microsoft Entra ID

Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST

Choose how to authorize access to file data in the Azure portal

I hope the above helps in addressing your query.
Hari Babu Vattepally 2,640 Reputation points Microsoft External Staff

2025-04-22T11:00:28.5266667+00:00

Hi @Saurabh Bhandari,

Just checking in to see if the above answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Venkatesan S 1,475 Reputation points Microsoft External Staff

2025-04-23T12:51:09.2133333+00:00

Hi Saurabh Bhandari

Could you please use this Azure CLI command to verify the RBAC role present for Microsoft Entra ID?

Command:
az role assignment list --assignee <your-client-id> --all --output table

Answer 1

Venkatesan S 1,475 Microsoft External Staff

Hi Saurabh Bhandari

I created a Microsoft Entra Id (App registration) with name of venkat789.

Portal:

enter image description here

I have now assigned the Storage File Data Privileged Reader and Storage File Data Privileged Contributor RBAC roles to the Microsoft Entra ID at the storage account level.

Once you have assigned it, you can verify through the portal or using an Azure CLI command. In my environment, I verified it using an Azure CLI command.

Command and output:

xxxxxxxx [ ~ ]$ az role assignment list --assignee "e25b10xxxxxxxx9f720c55bace" --all --output table
Principal                             Role                                      Scope
------------------------------------  ----------------------------------------  -----------------------------------------------------------------------------------------------------------------------------------------
e25b1025-3fxxxxxxxxxxx3-9f720c55bace  Storage File Data Privileged Contributor  /subscriptions/xxxxx/resourceGroups/venkatesan-rg/providers/Microsoft.Storage/storageAccounts/venkat326123
e25b1025-3fxxxxxxxxxxx3-9f720c55bace  Storage File Data Privileged Reader       /subscriptions/xxxxxx/resourceGroups/venkatesan-rg/providers/Microsoft.Storage/storageAccounts/venkat326123

enter image description here

Now, I used the below code, to

list files from share
Create and upload a file
Download/get the file content
Delete the file

with Microsoft Entra ID authentication using Azure Java SDK.

Code:

public class App {

    public static void main(String[] args) {
        // Entra ID credentials and storage details
        String tenantId = "9xxxxx";
        String clientId = "xxxxx";
        String clientSecret = "xxxx";
        String storageAccountName = "xxxxxx";
        String fileShareUrl = String.format("https://%s.file.core.windows.net", storageAccountName);
        String shareName = "xxxx";
        String fileName = "testfile.txt";

        // Authenticate using Microsoft Entra ID
        ClientSecretCredential credential = new ClientSecretCredentialBuilder()
                .tenantId(tenantId)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();

        ShareServiceClient serviceClient = new ShareServiceClientBuilder()
                .endpoint(fileShareUrl)
                .credential(credential)
                .shareTokenIntent(ShareTokenIntent.BACKUP)
                .buildClient();

        // Create and upload a file
        ShareClient shareClient = serviceClient.getShareClient(shareName);
        ShareFileClient fileClient = shareClient.getRootDirectoryClient().getFileClient(fileName);
        byte[] content = "Hello from Microsoft Entra ID!".getBytes(StandardCharsets.UTF_8);
        fileClient.create(content.length);
        ByteArrayInputStream inputStream = new ByteArrayInputStream(content);
        ParallelTransferOptions options = new ParallelTransferOptions()
               .setBlockSizeLong(4 * 1024 * 1024L)
               .setMaxConcurrency(2);
        fileClient.upload(inputStream, content.length, options);
        System.out.println("File created and uploaded: " + fileName);

        // Download file
        ByteArrayOutputStream stream = new ByteArrayOutputStream();
        fileClient.download(stream);
        System.out.printf("Completed downloading the file with content: %n%s%n%n",
                new String(stream.toByteArray(), StandardCharsets.UTF_8));

        // Recursive listing
        System.out.println("Recursively listing all files and folders:");
        listFilesRecursively(shareClient.getRootDirectoryClient(), "");

        // Delete file
        fileClient.delete();
        System.out.println("File deleted: " + fileName);
    }

    // Recursive listing helper
    public static void listFilesRecursively(ShareDirectoryClient directoryClient, String path) {
        for (ShareFileItem item : directoryClient.listFilesAndDirectories()) {
            String fullPath = path.isEmpty() ? item.getName() : path + "/" + item.getName();
            if (item.isDirectory()) {
                System.out.println("Directory: " + fullPath);
                ShareDirectoryClient subDirClient = directoryClient.getSubdirectoryClient(item.getName());
                listFilesRecursively(subDirClient, fullPath);
            } else {
                System.out.println("File: " + fullPath);
            }
        }
    }
}

Output:

File created and uploaded: testfile.txt
Completed downloading the file with content: 
Hello from Microsoft Entra ID!

Recursively listing all files and folders:
File: demo.jpg
Directory: sample
File: sample/aml.gif
File: sample/aml1.gif
File: sample/aml2.gif
File: sample/copyblob.gif
File: sample/copyblob1.gif
File: sample/copyblob2.gif
File: sample.jpg
File: testfile.txt
File: xxxxxxx.zip
File deleted: testfile.txt

enter image description here

Reference: Enable access to Azure file shares using OAuth over REST | Microsoft Learn

Hope this answer helps! please let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Venkatesan S 1,475 Reputation points Microsoft External Staff

2025-04-25T03:32:50.0833333+00:00

Saurabh Bhandari
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Saurabh Bhandari 0 Reputation points

2025-04-28T04:53:32.1733333+00:00
@venkatesan s I am getting this error:

Exception in thread "main" com.azure.storage.file.share.models.ShareStorageException: If you are using a StorageSharedKeyCredential, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate method call.

If you are using a SAS token, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call.

Please remember to disable 'Azure-Storage-Log-String-To-Sign' before going to production as this string can potentially contain PII.

If you are using a StorageSharedKeyCredential, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate method call.

If you are using a SAS token, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call.

Please remember to disable 'Azure-Storage-Log-String-To-Sign' before going to production as this string can potentially contain PII.

Status code 403, "?<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.

RequestId:eac08e77-601a-0061-51f7-b7b1a3000000

Time:2025-04-28T04:42:50.7432096Z</Message></Error>

I am using the below code, and the same privileges you have assigned are assigned to the storage account

TokenCredential tokenCredential = new ClientSecretCredentialBuilder() .clientId("id") .clientSecret("secret") .tenantId("tenantid") .build(); ShareServiceClient serviceClient = new ShareServiceClientBuilder() .endpoint(fileShareUrl) .credential(tokenCredential) .shareTokenIntent(ShareTokenIntent.BACKUP) .buildClient(); ShareClient shareClient = serviceClient.getShareClient("files"); String fileName = "testfile.txt"; ShareFileClient fileClient = shareClient.getFileClient(fileName); byte[] fileContent = "Hello, Azure File Share!".getBytes(StandardCharsets.UTF_8); long fileSize = fileContent.length; fileClient = shareClient.createFile(fileName, fileSize); fileClient.upload(new ByteArrayInputStream(Base64.decodeBase64(fileContent)), Base64.decodeBase64(fileContent).length, new ParallelTransferOptions()); System.out.println("File uploaded successfully!");

Can you help me understand why this error is occurring in my case?
Venkatesan S 1,475 Reputation points Microsoft External Staff

2025-04-28T05:00:05.06+00:00
Hi Saurabh Bhandari

First, use shareClient.getRootDirectoryClient().getFileClient(fileName).

Then call .create(fileSize).

Then .upload() the content.

Saurabh Bhandari 0

@venkatesan s I have updated the code as you said, and I am getting the same error:

ShareServiceClient serviceClient = new ShareServiceClientBuilder().endpoint(fileShareUrl)
        .credential(tokenCredential).shareTokenIntent(ShareTokenIntent.BACKUP).buildClient();
    ShareClient shareClient = serviceClient.getShareClient("files");
    String fileName = "testfile.txt";
    ShareFileClient fileClient = shareClient.getRootDirectoryClient().getFileClient(fileName);
    byte[] content = "Hello, Azure File Share!".getBytes(StandardCharsets.UTF_8);
    fileClient.create(content.length);
    ByteArrayInputStream inputStream = new ByteArrayInputStream(content);
    fileClient.upload(inputStream, content.length, new ParallelTransferOptions());
    System.out.println("File uploaded successfully!");

Venkatesan S 1,475 Microsoft External Staff

Here is my full code and dependency:

import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.storage.common.ParallelTransferOptions;
import com.azure.storage.file.share.*;
import com.azure.storage.file.share.models.ShareFileItem;
import com.azure.storage.file.share.models.ShareTokenIntent;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

public class App {

    public static void main(String[] args) {
        // Entra ID credentials and storage details
        String tenantId = "xxxx";
        String clientId = "xxxxx;
        String clientSecret = "xxxx";
        String storageAccountName = "xxxxxx";
        String fileShareUrl = String.format("https://%s.file.core.windows.net", storageAccountName);
        String shareName = "share1";
        String fileName = "testfile.txt";

        // Authenticate using Microsoft Entra ID
        ClientSecretCredential credential = new ClientSecretCredentialBuilder()
                .tenantId(tenantId)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();

        // Build the service client
        ShareServiceClient serviceClient = new ShareServiceClientBuilder()
                .endpoint(fileShareUrl)
                .credential(credential)
                .shareTokenIntent(ShareTokenIntent.BACKUP)
                .buildClient();

        // Create and upload a file
        ShareClient shareClient = serviceClient.getShareClient(shareName);
        ShareFileClient fileClient = shareClient.getRootDirectoryClient().getFileClient(fileName);
        byte[] content = "Hello from Microsoft Entra ID!".getBytes(StandardCharsets.UTF_8);
        fileClient.create(content.length);
        ByteArrayInputStream inputStream = new ByteArrayInputStream(content);
        ParallelTransferOptions options = new ParallelTransferOptions()
               .setBlockSizeLong(4 * 1024 * 1024L)
               .setMaxConcurrency(2);
        fileClient.upload(inputStream, content.length, options);
        System.out.println("File created and uploaded: " + fileName);

        // Download file
        ByteArrayOutputStream stream = new ByteArrayOutputStream();
        fileClient.download(stream);
        System.out.printf("Completed downloading the file with content: %n%s%n%n",
                new String(stream.toByteArray(), StandardCharsets.UTF_8));

        // Recursive listing
        System.out.println("Recursively listing all files and folders:");
        listFilesRecursively(shareClient.getRootDirectoryClient(), "");

        // Delete file
        fileClient.delete();
        System.out.println("File deleted: " + fileName);
    }

    // Recursive listing helper
    public static void listFilesRecursively(ShareDirectoryClient directoryClient, String path) {
        for (ShareFileItem item : directoryClient.listFilesAndDirectories()) {
            String fullPath = path.isEmpty() ? item.getName() : path + "/" + item.getName();
            if (item.isDirectory()) {
                System.out.println("Directory: " + fullPath);
                ShareDirectoryClient subDirClient = directoryClient.getSubdirectoryClient(item.getName());
                listFilesRecursively(subDirClient, fullPath);
            } else {
                System.out.println("File: " + fullPath);
            }
        }
    }
}

Pom.xml:

 <dependency>
     <groupId>com.azure</groupId>
     <artifactId>azure-storage-file-share</artifactId>
     <version>12.21.4</version>
 </dependency>
 <dependency>
     <groupId>com.azure</groupId>
     <artifactId>azure-identity</artifactId>
     <version>1.13.1</version>
  </dependency>

Please try to run the above code in your environment with proper share name, clientid, tenantid, client secret.

Saurabh Bhandari 0 Reputation points

2025-04-28T08:54:22.94+00:00

@venkatesan s Thanks for your help

Share via

Authenticate Azure Storage Files using Microsoft Entra ID

0 additional answers

Your answer