Azure container apps connect to Azure file share

Van Huy Tuyen 40 Reputation points
2025-10-16T07:41:33.16+00:00

Dear all,

We're using the Azure container apps, which connect to Azure file share

Azure Defender for cloud shows: Storage accounts should prevent shared key access with critical priority

But in the Azure portal, we are shown only one method (storage account key) to connect to an Azure file share from an Azure container app

So, how can we use other authentication methods, or how can we fix this issue?

Thank you!

Azure Files
An Azure service that offers file shares in the cloud.

2 answers

  1. Thanmayi Godithi 2,215 Reputation points Microsoft External Staff Moderator
    2025-10-16T09:16:31.7366667+00:00

    Hi @Van Huy Tuyen ,

    Thank you for reaching out on the Microsoft Q&A forum.

    I understand that you’re using Azure Container Apps connected to an Azure File Share, and Azure Defender for Cloud has raised a recommendation stating:

    "Storage accounts should prevent shared key access."

    You’d like to know if it’s possible to use Microsoft Entra ID or SAS token–based authentication instead of the storage account key, and how to address this recommendation.

    As of now, Azure Container Apps only support mounting Azure File Shares using the storage account key.

    • Microsoft Entra ID (formerly Azure AD) based authentication: Not currently supported for Azure Container Apps when mounting Azure File Shares.
    • SAS tokens: Not supported for mounting Azure File Shares from Container Apps.
    • Storage account key: The only supported authentication method at this time.

    This behaviour is confirmed in official documentation:

    While Azure Files supports identity-based authentication (Kerberos, Microsoft Entra Domain Services, and Microsoft Entra ID) for Windows and Linux VMs, these authentication flows are not available for Azure Container Apps.

    You can refer to:

    Additionally, Microsoft’s engineering team has acknowledged this limitation, and there are open requests to enable Managed Identity–based mounting for Container Apps:

    Since shared key authentication is currently the only supported option, the Defender for Cloud recommendation (“prevent shared key access”) cannot yet be fully remediated for Container Apps mounting Azure Files.

    However, to maintain security best practices:

    • Rotate storage account keys regularly.
    • Store keys securely in Azure Key Vault and reference them in Container Apps secrets.
    • Monitor Azure Updates for announcements on Managed Identity or Microsoft Entra ID support in future releases.

    This limitation aligns with current product design and documentation. Microsoft is actively working on enabling identity-based access options in future updates.

    Kindly let us know if the above helps or you need further assistance on this issue.

    If the above is helpful, kindly "Accept the answer". If you have extra questions about this answer, please click "Comment".

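Because the shared key has to stay enabled for the Container Apps mount, the key-rotation advice in the answer above can be checked mechanically. The following is an added example, not part of the answer and not Microsoft's code: it reads storage account JSON in the shape of `az storage account list` output and reports which keys are past their rotation age. The account names, dates, and the 90-day default are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `az storage account list -o json`
# (only the fields this check reads); names and dates are made up.
SAMPLE = json.loads("""
[
  {"name": "stcontainerappfiles", "allowSharedKeyAccess": null,
   "keyPolicy": {"keyExpirationPeriodInDays": 90},
   "keyCreationTime": {"key1": "2025-01-10T08:00:00+00:00",
                       "key2": "2025-09-20T08:00:00+00:00"}},
  {"name": "stbloblogs", "allowSharedKeyAccess": false,
   "keyPolicy": null,
   "keyCreationTime": {"key1": "2024-03-01T08:00:00+00:00",
                       "key2": "2024-03-01T08:00:00+00:00"}},
  {"name": "stlegacyshare", "allowSharedKeyAccess": true,
   "keyPolicy": null,
   "keyCreationTime": {"key1": null, "key2": null}}
]
""")

DEFAULT_MAX_AGE_DAYS = 90  # assumed rotation interval when no key policy is set


def overdue_keys(account, now, default_max_age=DEFAULT_MAX_AGE_DAYS):
    """Return the key names of one account that are past their rotation age."""
    # Shared key access is on unless the property is explicitly false.
    if account.get("allowSharedKeyAccess") is False:
        return []
    policy = account.get("keyPolicy") or {}
    max_age = policy.get("keyExpirationPeriodInDays") or default_max_age
    overdue = []
    for key_name, created in sorted((account.get("keyCreationTime") or {}).items()):
        # No recorded creation time means the age is unknown: treat as overdue.
        if created is None or (now - datetime.fromisoformat(created)).days > max_age:
            overdue.append(key_name)
    return overdue


def audit(accounts, now):
    """Map account name -> overdue key names, skipping accounts with nothing to rotate."""
    report = {a["name"]: overdue_keys(a, now) for a in accounts}
    return {name: keys for name, keys in report.items() if keys}


if __name__ == "__main__":
    for name, keys in audit(SAMPLE, datetime.now(timezone.utc)).items():
        print(f"{name}: rotate {', '.join(keys)}")
```

Accounts with shared key access explicitly disabled are skipped, since their keys cannot be used to authorize requests.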

  2. Amira Bedhiafi 41,111 Reputation points Volunteer Moderator
    2025-10-16T10:06:31.5033333+00:00

    Hello Van!

    Thank you for posting on Microsoft Learn Q&A.

    Azure Defender for Cloud is flagging "Storage accounts should prevent shared key access" because shared keys are considered less secure than Azure AD / managed identity based authentication.

    However, Azure Container Apps currently support mounting Azure Files only via storage account keys, not via Azure AD or SAS tokens.

    Either you use Azure Blob storage or managed identity based mounting, or you can use Azure Files with a SAS token, but consider this a limited workaround.
