IAM

  • 10 Feb

How to use Azure AD RBAC authentication instead of storage keys

    Q: Does Filemover support authentication to Azure Storage using Azure AD with RBAC roles (for example “Storage Blob Data Contributor” or “Storage Blob Data Reader”), instead of using storage account keys or SAS tokens? If this is not currently supported, is it something that is planned for a future release? For security reasons, we are looking to avoid the use of storage account keys and would prefer to rely on role-based access control where possible.

A: This option was added for Azure Block Blobs in v2026.2.9.0.

    • In our example we used Azure as Source:

[Screenshot: Limagito FileMover, Azure as source]

    • The new Authentication option “Service-to-service Access Token request” is only available for Block Blobs:

[Screenshot: Limagito FileMover, Azure AD RBAC authentication option]

• Next we selected our Azure Storage Container:

[Screenshot: Limagito FileMover, Azure container setup]

[Screenshot: Limagito FileMover, Azure AD RBAC authentication]

    Assign Role via Azure Portal:

    1. Go to your Storage Account
    2. Click on Access Control (IAM)
    3. Click Add role assignment
    4. Select role: Storage Blob Data Contributor
    5. Assign access to: User, group, or service principal
    6. Select members: Search for your Service Principal (Application name)
    7. Click Review + assign

[Screenshot: Azure storage account, Access Control (IAM) setup]

    Required Azure RBAC roles for Block Blobs:

    To use Block Blobs with OAuth, your Service Principal must have one of these roles:

Role | Permissions | Use Case
Storage Blob Data Reader | Read, List | Read/download only
Storage Blob Data Contributor | Read, Write, Delete | Upload + Download

    Storage Blob Data Contributor:

The service principal Limagito7 was created using Azure ‘App registrations’:

[Screenshot: Azure App registrations overview]

[Screenshot: Azure App registration for Limagito7]

    Here you can find:

• Application (Client) ID, which is needed in the OAuth2 setup
• Directory (Tenant) ID, which is needed in the OAuth2 setup

[Screenshot: Application (client) ID and Directory (tenant) ID in Azure]

We added a ‘Client secret’; its Value field (not the Secret ID) is used as the Client Secret in the OAuth2 setup of our filemover.

[Screenshot: Azure client secrets for the app registration]
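As an added illustration (this is not Limagito code and not part of the original post), the following Python shows what a “Service-to-service Access Token request” does under the hood: the OAuth2 client-credentials exchange with Azure AD using the Tenant ID, Client ID and Client Secret from the app registration, followed by a Bearer-authenticated Blob request, and how the error returned when the RBAC role assignment is missing can be recognised. The tenant, client, account and container names are constructed placeholders; the certificate variant (client assertion instead of client secret) is not implemented here.

```python
"""Added example: OAuth2 client-credentials flow against Azure AD for Blob storage.
Not Limagito code; all IDs and names below are constructed placeholders."""
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# For Azure Storage the requested scope is the resource's .default scope;
# which blob operations the token may perform is decided by the RBAC role.
STORAGE_SCOPE = "https://storage.azure.com/.default"
# Bearer tokens are only accepted by Blob service versions 2017-11-09 and later,
# so the x-ms-version header must be sent on every request.
BLOB_API_VERSION = "2020-10-02"


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form_fields) for the client-credentials grant.
    client_secret is the *Value* of the app registration's client secret."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": STORAGE_SCOPE,
    }
    return url, form


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Perform the token request (needs network access) and return the access token."""
    url, form = build_token_request(tenant_id, client_id, client_secret)
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def build_list_blobs_request(account: str, container: str, access_token: str):
    """Return (url, headers) for listing a container with a Bearer token
    instead of a storage account key or SAS token."""
    url = f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "x-ms-version": BLOB_API_VERSION,
    }
    return url, headers


def list_blobs(account: str, container: str, access_token: str) -> str:
    """Send the list request (needs network access) and return the XML body."""
    url, headers = build_list_blobs_request(account, container, access_token)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def classify_storage_error(status: int, body: str) -> str:
    """Explain the two failures seen most often when switching from keys to RBAC."""
    if status == 403 and "AuthorizationPermissionMismatch" in body:
        # Token is valid; the service principal simply lacks the required role
        # (e.g. Reader assigned but an upload attempted, or no assignment yet).
        return "missing or insufficient RBAC role assignment"
    if status == 401:
        return "no valid bearer token (missing, expired, or wrong scope)"
    return "other error"


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own app registration.
    url, form = build_token_request("00000000-0000-0000-0000-000000000000",
                                    "11111111-1111-1111-1111-111111111111",
                                    "<client-secret-value>")
    print(url, form["scope"])
```

Role assignments can take a few minutes to propagate; a 403 with AuthorizationPermissionMismatch right after assigning the role usually resolves on its own, whereas a persistent one means the wrong role (Reader where Contributor is needed) or the wrong scope.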

There is also an alternative: using a ‘Certificate’ instead of a ‘Client secret’. You can add this under ‘Certificates & secrets’ > Certificates > Upload certificate (the public part of the key).

[Screenshot: Azure Certificates & secrets, certificate upload]

In this case the OAuth2 setup does not need a Client Secret; it is replaced by the Private Key file.

[Screenshot: Limagito FileMover, Azure OAuth2 setup]

    Select Auth Options:

[Screenshot: Limagito FileMover, private key authentication]

If you need any help with this new ‘Azure AD RBAC authentication’ option, please let us know.

    Best Regards,

    Limagito Team

    #azure #managedfiletransfer #filetransfer #filemanagement

By Limagito-Team, in Azure