Earlier this year, Microsoft introduced support for Entra ID authentication to an Azure file share using the REST API. So why should we care about using Entra ID support for an Azure File share? well, the combination is that now we have a multi-protocol file service. This means that regular users can access the file share using SMB (internally) while we can surface the share using REST API as well for 3. party providers that need to copy/move/insert data, which historically might have been solved using FTP services.
I was recently involved in setting up Entra ID authentication for an Azure File Share and uploading data using the REST API which I thought that I should share how we did it. This approach was using a service principal that was being used to authenticate to the file share.
1: Set up a service principal within Entra ID
2: Set up a storage account with a file share in Azure and set up a share
3: Configure the access method to Entra ID
4: Add the following permissions to the service principal on the storage account (Storage File Data Privileged Contributor)
This allows the service principal (with read, write, delete and modify NTFS permission access on Azure Storage file shares.) Now that the permissions are in place, we need to try and authenticate. For this part Im just going to use simple REST API to verify that I can access the shares.
Firstly we need to generate an access token based on the service principle. This can be done using REST API as well. To do it, it requires that you have tenant id, client id, client secret and the URL of the file share. This is used to generate an access token.
curl –location ‘https://login.microsoftonline.com/(tenanted)/oauth2/v2.0/token’ –form ‘grant_type=”client_credentials”‘ –form ‘client_id=”clientid”‘ –form ‘client_secret=”clientsecret”‘ –form ‘scope=https://fielsharename.file.core.windows.net/.default’
Then use the access token to interact with the Files REST API.
curl –location ‘https://nameofstorageaccount.file.core.windows.net/test/test?restype=directory&comp=list’ –header ‘Authorization: Bearer accesstoken’ –header ‘x-ms-version: 2022-11-02’ –header ‘x-ms-file-request-intent: backup’
This can then be used access to the file share using REST APi.