Reputation: 1442
I'm trying to understand how I can achieve the following in our multi-tenant application:
- Have a separate 'file location' per tenant (guid)
- Ability to map this file location to a PC
- Make sure that a 'file location' can only be accessed with a single key, meaning, one key should not be allowed to access multiple 'file locations'
- Restrict access to pure read-only purposes
I was looking at Azure File Shares, but when creating a few file shares, I noticed that, when trying to map the file share to my PC, it's using the same key for all these file shares. That's a problem; I don't want to give any tenant the possibility to map other tenants' file locations using the same key.
Upvotes: 0
Views: 814
Reputation: 1275
File shares now come with IAM (Preview), so how about you create a security group, add the user(s) to that group, and associate the file share with that security group.
Upvotes: 1
Reputation: 136356
I don't think mapping a file share to a PC would work, as in order to create a network share drive you would need the account key, and the account key is defined at the storage account level and not at the individual share level.
One possible solution would be to create a Shared Access Signature (SAS) URL with Read and List permissions (because you want only read-only access) for each tenant for their respective blob container/file share and share that SAS URL with the concerned stakeholders. They can then use Microsoft Storage Explorer to connect to this particular blob container/file share and explore the contents.

To prevent the misuse of this SAS URL, you must create the SAS token using a Stored Access Policy, so that the SAS token can be revoked in case it is compromised.
Upvotes: 1
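The procedure the answer above describes (one file share per tenant, a Read+List stored access policy on that share, a SAS issued against the policy, revocation by deleting the policy), as an added example in Az PowerShell. This is not code from the original answer. The storage account name, the environment variable holding the account key and the tenant GUID are assumptions chosen for the example; it requires the Az.Storage module and a signed-in Az session.

```powershell
# Added example, not part of the original answer.
# Assumptions: storage account 'contosofiles', account key supplied via the
# STORAGE_ACCOUNT_KEY environment variable (never handed to tenants), and the
# tenant GUID below is a constructed value used as part of the share name.

$accountName = 'contosofiles'
$accountKey  = $env:STORAGE_ACCOUNT_KEY
# Share names must be lowercase; a hyphenated GUID prefixed with 'tenant-' fits the 3-63 char limit.
$tenantId    = 'a1b2c3d4-e5f6-4789-a0b1-c2d3e4f5a6b7'.ToLower()
$shareName   = "tenant-$tenantId"
$policyName  = 'tenant-readonly'

# Context built from the account key; this is the only place the key is used.
$ctx = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $accountKey

# One file share per tenant.
if (-not (Get-AzStorageShare -Name $shareName -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageShare -Name $shareName -Context $ctx | Out-Null
}

# Stored access policy scoped to this share only: Read + List, no create/write/delete.
# Permissions and expiry live in the policy, not in the token, so they can be changed later.
New-AzStorageShareStoredAccessPolicy -ShareName $shareName -Policy $policyName `
    -Permission 'rl' -ExpiryTime (Get-Date).AddDays(30) -Context $ctx | Out-Null

# SAS URL bound to the policy. The signature covers this share's resource path,
# so the token is useless against any other tenant's share.
$sasUrl = New-AzStorageShareSASToken -ShareName $shareName -Policy $policyName -FullUri -Context $ctx
Write-Output "SAS URL for tenant $tenantId (Storage Explorer > Connect > Use a SAS URL):"
Write-Output $sasUrl

# Revocation: removing (or editing) the policy invalidates every SAS issued
# against it, without rotating the account key. Uncomment to revoke.
# Remove-AzStorageShareStoredAccessPolicy -ShareName $shareName -Policy $policyName -Context $ctx
```

Two practical caveats: a share allows at most five stored access policies, so use one policy per share rather than one per recipient, and a token issued with -Policy cannot also carry its own -Permission or -ExpiryTime; those come from the policy, which is exactly what makes central revocation possible.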