
Azure Blob - External Identity Provider Authentication

You can use the following authentication options for Azure Blob Storage access:

  1. Azure Machine-to-Machine (Client Credentials) - Direct communication with Azure AD and Blob Storage

    [Screenshot: Azure M2M (client credentials) settings]

  2. External Identity Provider Authentication - Authentication through an external provider such as Okta or Auth0

    [Screenshot: Azure Blob external IdP M2M settings]

Key Features

External Identity Provider Flow

  • Customers provide the Azure tenant ID and application ID (registered in Azure AD)
  • No secret sharing required - authentication is handled through the external identity provider
  • Token exchange process: External IDP token → Azure token → Blob storage access
  • Uses federated identity credentials in Azure to trust tokens issued by the external provider

Supported providers

  • Okta (primary testing done with this)
  • Auth0
  • Other external identity providers (potentially supported)

Configuration requirements

Okta Configuration

  • Register the application in Okta
  • Configure the API/Authorization server in Okta
  • Set up the token endpoint and metadata URL
  • The application should authenticate with a private key (client secret authentication is disabled and not supported)
  • Default token settings can be used (no special grant types are needed)

Azure Configuration

  • Register the application in Azure AD
  • Configure federated identity credentials
  • Link the Okta application to the Azure application via:
    • Issuer URL (from Okta)
    • Application ID (from Okta)
    • Audience configuration

Required Azure Permissions

Two roles are needed for the registered application:

  • Storage Blob Data Contributor - For data operations (upload/download/listing)
  • Storage Account Contributor OR Reader - For accessing storage properties and metadata

Note: the Reader role may be sufficient instead of Storage Account Contributor for metadata operations.

Technical Implementation

Token Management

  • Uses the Microsoft library for communication with Azure
  • Automatic token refresh handling
  • Checks token expiration before each API call
  • Refreshes the token if less than 5 minutes remain
  • Based on the client credentials flow, so there are no refresh tokens; a new token is requested instead
  • Default token lifetime: 1 hour (configurable via policy)
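The two-step exchange described under External Identity Provider Flow and the refresh rule listed under Token Management, as an added Python example that is not the product's own code: the HTTP transport and the IdP assertion are injected so it runs offline, and the class, function and parameter names are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Optional

REFRESH_MARGIN_SECONDS = 5 * 60  # refresh when less than 5 minutes remain
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
AZURE_STORAGE_SCOPE = "https://storage.azure.com/.default"


@dataclass
class CachedToken:
    value: str
    expires_at: float  # epoch seconds, computed from the token response's expires_in


class FederatedBlobTokenProvider:
    """Cache the Azure access token obtained by exchanging an external IdP token.

    post(url, form) -> dict is an injected HTTP POST (hypothetical; wrap requests.post in
    production) so the exchange can be exercised offline. idp_assertion() returns the
    signed private_key_jwt used to authenticate to the IdP; no client secret is held."""

    def __init__(self, tenant_id, client_id, idp_token_url, idp_scope, idp_assertion, post, now=time.time):
        self._azure_token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
        self._client_id, self._idp_token_url, self._idp_scope = client_id, idp_token_url, idp_scope
        self._idp_assertion, self._post, self._now = idp_assertion, post, now
        self._cached: Optional[CachedToken] = None

    def _fetch_idp_token(self) -> str:
        # Step 1: client credentials grant at the external IdP, authenticated with private_key_jwt.
        body = self._post(self._idp_token_url, {
            "grant_type": "client_credentials", "scope": self._idp_scope,
            "client_assertion_type": JWT_BEARER, "client_assertion": self._idp_assertion()})
        return body["access_token"]

    def _exchange_for_azure_token(self, idp_token: str) -> CachedToken:
        # Step 2: present the IdP token as the client assertion; Azure AD validates it against
        # the app registration's federated identity credential (issuer, subject, audience).
        body = self._post(self._azure_token_url, {
            "grant_type": "client_credentials", "client_id": self._client_id,
            "scope": AZURE_STORAGE_SCOPE,
            "client_assertion_type": JWT_BEARER, "client_assertion": idp_token})
        return CachedToken(body["access_token"], self._now() + int(body["expires_in"]))

    def get_token(self) -> str:
        # Called before every Blob API call. There is no refresh token in this flow, so a token
        # that is missing or has under 5 minutes left is replaced by a fresh two-step exchange.
        cached = self._cached
        if cached is None or cached.expires_at - self._now() < REFRESH_MARGIN_SECONDS:
            self._cached = self._exchange_for_azure_token(self._fetch_idp_token())
        return self._cached.value
```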

Customer Benefits

  • Enhanced Security - No need to share Azure credentials directly
  • Centralized Access Management - Customers manage access through their existing identity provider
  • Quick Access Control - Access can be disabled centrally through the IDP without touching individual services
  • Simplified Credential Management - Reduces credential sprawl

Customer Responsibilities

  • Configure their Okta/external IDP
  • Register the application in their Azure subscription
  • Assign the appropriate roles to the application
  • Provide configuration details (tenant ID, application ID, token endpoints)