Introduction.
When you are working in the cloud, storing files is just half the job the real power (and responsibility) comes with deciding who gets to access your data and how.
A lot of people start with storage account keys or SAS tokens to share files in Azure, but those methods can be tricky to manage securely, especially as your team or workload grows. What if you could tie storage access directly to your Azure AD user account, just like you do with other Microsoft services? Well, you can and that’s exactly what this mini lab is about.
First, you will have to Sign in to your Active Microsoft Azure Account on: https://portal.azure.com/
Step 1: Assign Yourself a Role.
To get started, follow these steps Assign Yourself a Role
A. On your Azure Portal home page, on the search bar, search for Storage Accounts and click on it.
B. Select the storage account (storageacct1demo1) you created previously while setting up your environment for this exercise. You can click the storage account name it’s a clickable link to open it. (Tip: Make sure it’s associated with the resource group RG1.)
C. In the Storage account,
- Go to Access control (IAM).
- Click + Add > Add role assignment.
D. On the Basics tab,
- Under Job Function Roles 2.Search for Storage Blob Data Contributor and click on the result.
- And then click on Next.
E. Under Members tab,
- Select User, group, or service principal
- Click on + Select Members
- And then find and select your Azure AD user.
- Click on Select
F. Click on the Review + Assign tab, and select Review + Assign
Step 2: Verify Access Using Azure CLI
Now that you’ve assigned your Azure AD user the Storage Blob Data Contributor role, it’s time to check that it actually works and the easiest way is with the Azure CLI.
First thing, you need to Install Azure CLI if is not installed in your computer yet (https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)
A. Open your terminal or Azure Cloud Shell, run the commend
az login and and select you Azure account.
B. Select your subscription and tent.
C. Run the command az storage blob list --account-name <your-storage-account-name> --container-name <your-container-name> --auth-mode login
👉 This lists blobs in the container using your Azure AD identity, not an account key.
If you get a list back success! 🎉
Step 3: Test Revoking Access
Finally, test what happens when you remove your Azure AD role. By taking away your permission, you will see how access is instantly blocked proving that RBAC makes it easy to grant and revoke storage access securely.
A. Back in the Azure portal, in your Storage Account (storageacct2demo1) go to Access control (IAM) again.
B. Click on Role assignments tab.
- Search for Storage Blob Data Contributor
- You should see your own account listed under Members
C. Select your account, then click Remove or delete assignment at the top. Confirm the removal when prompted.
D. Wait a minute, then try listing blobs again with the same CLI command: az storage blob list --account-name <your-storage-account-name> --container-name <your-container-name> --auth-mode login
E. You can see that we got an authorization error proving that Azure AD RBAC now blocks you.
Conclusion
This shows just how powerful Azure AD can be for securing your storage accounts. Instead of relying only on account keys and SAS tokens, you can use identity-based access control to decide exactly who gets in and shut off access just as easily.
With Azure AD, you get stronger security, easier management, and better compliance all while following best practices for modern cloud environments.
Keep exploring! Try combining RBAC with conditional access, MFA, or even user delegation SAS for an extra layer of security. The more you practice, the more confident you’ll get at building secure, well-managed storage solutions in Azure.
If this was helpful, feel free to like, comment, or share your thoughts and follow along for more step-by-step Azure guides!
Top comments (0)