An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
Hello Nalini Bhavaraju
We have reviewed your request to securely share access to JPEG files stored in Azure Blob Storage via a Power BI report, ensuring only authorized organizational users can access them. Our analysis indicates that exposing blob URLs, particularly SAS URLs, through Power BI is not fully secure, as these URLs act as bearer tokens and can be used by anyone who has access until they expire, which may not satisfy strict security requirements.
To improve security, we suggest using Microsoft Entra ID (Azure AD) authentication instead of direct storage URLs. Rather than storing full blob URLs in the SQL database, store only metadata like file identifiers or blob paths. Power BI can then display a link to a secure internal application (such as Azure App Service, API, or Azure Function) instead of directly linking to the storage account.
When users click the link in Power BI, they are redirected to this application, which is protected by Microsoft Entra ID. The application validates user permissions and securely retrieves the file from Azure Blob Storage using a managed identity or approved access method, either streaming the file or providing a short-lived access mechanism.
For additional security, consider configuring the storage account with a Private Endpoint and disabling public network access where possible. This restricts access to private network paths and prevents exposure to the public internet. It is also recommended to disable Shared Key authorization and enforce identity-based access control using Microsoft Entra ID.
This approach ensures access is managed through user identity, enhances auditability, and follows Azure security best practices, while allowing users to access files through Power BI.
Check the documents for more understanding:
https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access?tabs=blobs
https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory
https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal
Hope the above answer helps! Please let us know do you have any further queries.
Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.