Azure – You can now enable anonymous read access on Blob Storage or Container

Disclaimer you need to evaluate if you need or not to enable this new feature, anonymous read access on Azure Blob Storage, as any client will be able to read the data stored on the corresponding Blob Storage.

As you know, access to data stored on Azure Blob Storage is managed either by implementing Azure AD or Shared Keys authorizations.

With this new capability you can enable an anonymous access if you need to share the data stored on the Blob Storage to anybody without having to share the access keys because you may not know upfront who will access it; similar to publishing on a public website.

For example, this can be useful when you use Azure Blob storage to store public documents being accessible through a link on your public website.

Anonymous access for Blob Storage

To enable this new capability, logon to your Azure portal (https://portal.azure.com/) and search for Storage account (or the name of the existing storage account you want to configure)

Then access the Configuration blade, available under the Settings section

And turn on (or off) the Blob public access

You can also use Azure Cli using the below commands

storage_account_id=$(az resource show –name <name of the storage account> –resource-group <resource group hosting the storage account> –resource-type Microsoft.Storage/storageAccounts –query id –output tsv)

az resource update –ids $storage_account_id –set properties.allowBlobPublicAccess=<true or false depending if you want to allow/disallow the anonymous access>

Anonymous access for Blob Container

Similar to the above anonymous access for Blob Storage, logon to your Azure portal (https://portal.azure.com/) and search for Storage account (or the name of the existing storage account you want to configure)

Then access the Containers configuration blade under the Blob service section

Then select the container(s) you want to enable the anonymous access and open the Change access level to choose the corresponding access level (anonymous for blob only or anonymous access for containers and blob)

You can also use Azure Cli using the below commands

az storage container set-permission –name <container-name> –account-name <account-name> –public-access <container or blob> –account-key <account-key> –auth-mode key

Check/Review if anonymous access is enabled

You can check/review if the anonymous access is enabled by using either the below Azure Cli commands or metrics from the portal

$rgName = <resource group hosting the storage account>
$accountName = <name of the storage account>

$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx = $storageAccount.Context

Get-AzStorageContainer -Context $ctx | Select Name, PublicAccess

Using the metrics blade from the portal, logon to your Azure portal (https://portal.azure.com/) and search for Storage account (or the name of the existing storage account you want to configure)

Then access the Metrics blade under the Monitoring section

Select the following filters for your metric

• Metric Namespace: blob
• Metric: Transactions
• Aggregation: Sum

Then add a filter for authentication with the operator set to = (equal sign) and value set to Anonymous