Blob Public Access
Blob storage supports anonymous public read access for containers and blobs. This allows you to share your data with anyone without requiring authentication. There are different levels of public access you can configure, each with its own security implications.
Container Public Access Levels
You can configure the public access level for an entire storage container. The following options are available:
- Private (No Anonymous Access): This is the default setting. Every request to the container and its blobs must be authorized (for example with a shared key, a SAS token, or an Azure AD identity); anonymous requests are rejected.
- Blob (Anonymous Read Access for Blobs): Anyone who knows a blob's URL can read that blob anonymously, but container metadata and the blob list are not accessible anonymously, so blobs cannot be enumerated.
- Container (Anonymous Read Access for Containers and Blobs): All container data, including container metadata, blob metadata and the blob list, can be read anonymously, so anyone can enumerate and download every blob in the container.
Configuring Container Public Access
You can configure container public access through the Azure portal, Azure CLI, PowerShell, or the Azure Storage SDKs.
Using the Azure Portal
- Navigate to your storage account in the Azure portal.
- Select "Containers" under "Data storage".
- Click on the container you want to configure.
- In the container's overview page, click "Change access level".
- Select the desired public access level.
- Click "OK" to save the changes.
Using Azure CLI
In the commands below, <account-name> and <container-name> are placeholders for your storage account and container.
To set the public access level to "blob":
az storage container set-permission --account-name <account-name> --name <container-name> --public-access blob
To set the public access level to "container":
az storage container set-permission --account-name <account-name> --name <container-name> --public-access container
To set the public access level to "off" (private):
az storage container set-permission --account-name <account-name> --name <container-name> --public-access off
Accessing Public Blobs
When a container has public access enabled (either Blob or Container level), blobs within that container can be accessed directly via their URL, with no credentials or SAS token. The URL format is typically:
https://<account-name>.blob.core.windows.net/<container-name>/<blob-name>
Security Considerations
- Minimize Public Access: Only enable public access if it's absolutely necessary for your application.
- Least Privilege: If you enable public access, choose the most restrictive level that meets your needs (e.g., Blob over Container).
- Review Permissions Regularly: Periodically check the public access settings of your containers to ensure they are still appropriate.
- Monitor Access: Utilize Azure Monitor and Storage Analytics to track access patterns and identify any suspicious activity.
- Sensitive Data: Never store sensitive or personally identifiable information (PII) in publicly accessible containers.
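The following script is an added example, not part of the original page, that turns the "Review Permissions Regularly" advice and the CLI commands above into a small audit: it reads the JSON that `az storage container list --account-name <account-name> -o json` prints, flags every container whose public access level is not "off", builds the blob URL format shown above, and emits the page's `az storage container set-permission ... --public-access off` command as the fix. The sample JSON embedded in the script is constructed here to match the shape of that CLI output (`properties.publicAccess` is `"blob"`, `"container"`, or `null` for private); the storage account name `examplestorage`, the container names and the `anonymous_read_allowed` helper are assumptions for the demonstration. The List Blobs URL (`?restype=container&comp=list`) is the Azure Storage REST endpoint whose anonymous reachability distinguishes Container-level from Blob-level access.

```python
"""Audit Azure Blob containers for anonymous public access (added example)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed sample shaped like `az storage container list -o json` output.
# Field names are assumed; confirm them against your own CLI version.
SAMPLE_AZ_OUTPUT = """
[
  {"name": "website-assets", "properties": {"publicAccess": "blob"}},
  {"name": "backups",        "properties": {"publicAccess": "container"}},
  {"name": "invoices",       "properties": {"publicAccess": null}}
]
"""

# Container level lets anyone enumerate the blob list; blob level exposes only
# blobs whose names are already known. Private ("off") produces no finding.
RISK = {"container": "HIGH", "blob": "MEDIUM"}


def effective_level(container: Dict) -> str:
    """Normalise the CLI value: null or missing publicAccess means private."""
    level = container.get("properties", {}).get("publicAccess")
    return level.lower() if isinstance(level, str) else "off"


def blob_url(account: str, container: str, blob: str) -> str:
    """URL at which a blob is served (anonymously readable only when the
    container's level is blob or container)."""
    return f"https://{account}.blob.core.windows.net/{container}/{blob}"


def container_list_url(account: str, container: str) -> str:
    """List Blobs endpoint; anonymously reachable only at container level."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def remediation_command(account: str, container: str) -> str:
    """The same az command the page gives for reverting a container to private."""
    return (f"az storage container set-permission --account-name {account} "
            f"--name {container} --public-access off")


def audit(az_json: str, account: str) -> List[Dict[str, str]]:
    """Return one finding per container that allows anonymous reads, most exposed first."""
    findings = []
    for c in json.loads(az_json):
        level = effective_level(c)
        if level == "off":
            continue
        findings.append({
            "container": c["name"],
            "level": level,
            "risk": RISK[level],
            "example_url": blob_url(account, c["name"], "<blob-name>"),
            "list_url": container_list_url(account, c["name"]),
            "fix": remediation_command(account, c["name"]),
        })
    findings.sort(key=lambda f: (f["risk"] != "HIGH", f["container"]))
    return findings


def anonymous_read_allowed(url: str, fetch: Optional[Callable[[str], int]] = None) -> bool:
    """Issue an unauthenticated GET against your own account to confirm a level
    change took effect. Only HTTP 200 counts as anonymous access; a private
    container answers an anonymous request with an error status instead.
    `fetch` is injectable so the logic can be exercised offline."""
    if fetch is None:
        def fetch(u: str) -> int:  # no Authorization header, no SAS token
            try:
                with urllib.request.urlopen(u, timeout=10) as resp:
                    return resp.status
            except urllib.error.HTTPError as err:
                return err.code
    return fetch(url) == 200


if __name__ == "__main__":
    for finding in audit(SAMPLE_AZ_OUTPUT, "examplestorage"):
        print(f"[{finding['risk']}] {finding['container']}: publicAccess={finding['level']}")
        print(f"    fix: {finding['fix']}")
```

Run it against live output with `az storage container list --account-name <account-name> -o json > containers.json` and pass the file contents to `audit`; after applying a fix, call `anonymous_read_allowed` on a known blob URL (and on the `list_url` for container-level findings) from a machine with no Azure credentials to confirm that both now fail. Azure also provides a storage-account-level switch (`az storage account update --allow-blob-public-access false`) that overrides every container's level at once; it is a separate setting from the per-container level described on this page.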
Disabling Public Access
To disable public access for a container, set the public access level to "Private" (the "off" value in the Azure CLI) using one of the methods described above.
Disabling public access immediately revokes anonymous access to the container and its blobs; every subsequent request must carry valid authorization.
Understanding and correctly configuring public access for your Azure Blob Storage containers is crucial for data security and access management. Always prioritize security best practices.