Authenticated Access to Files in Azure Data lake Storage Blob

Nalini Bhavaraju 210 Reputation points
2026-04-20T16:48:31.8266667+00:00

Hi Team,

I have several files (.jpeg) in the Blob storage and I am using Python code to process some logic and create attachment URLs for each of the files in the Blob, store the attachments to a table in Azure SQL database.

Power BI will access the SQL table and will generate a report. Users will ideally click on the URLs via power BI report and will access the files in the browser.

I would like to provide Authentication to the files so that no one outside the organization can access these files. I tried to generate the SAS URLs but seems to be not secure enough.

Is there any other way to meet this requirement?

Thanks,

Nalini.

Azure Data Lake Storage
Azure Data Lake Storage

An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.


2 answers

Sort by: Most helpful
  1. Praveen Bandaru 11,640 Reputation points Microsoft External Staff Moderator
    2026-04-23T04:50:10.4766667+00:00

    Hello Nalini Bhavaraju

    We have reviewed your request to securely share access to JPEG files stored in Azure Blob Storage via a Power BI report, ensuring only authorized organizational users can access them. Our analysis indicates that exposing blob URLs, particularly SAS URLs, through Power BI is not fully secure, as these URLs act as bearer tokens and can be used by anyone who has access until they expire, which may not satisfy strict security requirements.

    To improve security, we suggest using Microsoft Entra ID (Azure AD) authentication instead of direct storage URLs. Rather than storing full blob URLs in the SQL database, store only metadata like file identifiers or blob paths. Power BI can then display a link to a secure internal application (such as Azure App Service, API, or Azure Function) instead of directly linking to the storage account.

    When users click the link in Power BI, they are redirected to this application, which is protected by Microsoft Entra ID. The application validates user permissions and securely retrieves the file from Azure Blob Storage using a managed identity or approved access method, either streaming the file or providing a short-lived access mechanism.

    For additional security, consider configuring the storage account with a Private Endpoint and disabling public network access where possible. This restricts access to private network paths and prevents exposure to the public internet. It is also recommended to disable Shared Key authorization and enforce identity-based access control using Microsoft Entra ID.

    This approach ensures access is managed through user identity, enhances auditability, and follows Azure security best practices, while allowing users to access files through Power BI.

    Check the documents for more understanding:

    https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json

    https://learn.microsoft.com/en-us/azure/storage/common/authorize-data-access?tabs=blobs

    https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory

    https://learn.microsoft.com/en-us/power-bi/create-reports/power-bi-hyperlinks-in-tables?tabs=powerbi-desktop

    https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal


    Hope the above answer helps! Please let us know do you have any further queries.

    Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    Was this answer helpful?

    0 comments No comments

  2. Vallepu Venkateswarlu 10,260 Reputation points Microsoft External Staff Moderator
    2026-04-20T17:33:42.77+00:00

    Hi Nalini Bhavaraju,

    Welcome to Microsoft Q&A Platform.

    It sounds like you want to keep your JPEGs in a private Blob container but still give your Power BI users clickable URLs without people outside your AAD tenant being able to grab those files.

    Leverage Azure AD + User-Delegation SAS

    • Disable all anonymous/public access on your container (AllowBlobPublicAccess=False).
      Have your Python code authenticate to Azure AD (via a Service Principal or Managed Identity) and call the Blob service to get a user-delegation SAS.
    • User-delegation SAS tokens are minted by Azure AD, inherit your role-based access control, and can be scoped very tightly (short TTL, IP restrictions, specific permissions).
    • Store those short-lived URLs in SQL. When someone clicks them, the token itself is the auth proof.

    Front your blobs with a tiny AAD-protected API or Azure Function

    • Keep the container private.
    • Build a lightweight HTTP endpoint (Function or API Management) that validates the caller’s AAD token, streams the blob, and returns it.
    • URLs in Power BI point to this endpoint. Only users in your tenant who sign in can retrieve the images.

    (Optional) Use Azure Front Door + AAD Auth

    • Place an Azure Front Door in front of your storage account.
    • Configure Front Door to require an Azure AD login (via Conditional Access) before passing through to your private blob.

    Power BI considerations

    • If you’re embedding web images in PBI, ensure you’re using a connector or visual that can pass through authentication tokens or consume the user-delegation SAS.
    • Alternatively, load binary image data into Power BI via the ADLS Gen2 connector (with OAuth) and bind it as images inside the report.

    If the above steps did not help resolve your issue, please feel free to share the details in a private message so we can proceed with further troubleshooting over a Teams call. I am happy to connect with you on Teams to investigate and resolve the issue.

    Ref: Create a service SAS for a container or blob with Python

    Please210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    Was this answer helpful?

    0 comments No comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.