Authorize access to Azure file share data in the Azure portal
Summary: Choose how to authorize access to file data in the Azure portal
Key points
The Azure portal can authorize requests to Azure Files using either:
your Microsoft Entra (Azure AD) account (recommended), or
the storage account access key (not recommended; higher security risk).
The portal indicates which method is in use and lets you switch if you have the required permissions.
By default the portal applies the current authentication method to all file shares, but you can override it for individual file shares.
Important (security)
Accessing file shares with storage account keys is less secure. Authenticate with Microsoft Entra when possible. For guidance on protecting keys, see Manage storage account access keys: https://docs.azure.cn/en-us/storage/common/storage-account-keys-manage
Permissions and roles
To use Microsoft Entra account authentication (recommended):
You must have a role that grants access to file data (built-in or custom).
You must also have at least the Azure Resource Manager Reader role scoped to the storage account or higher so you can browse to file shares in the portal.
Two built-in roles specifically enable OAuth access to file data: Storage File Data Privileged Reader and Storage File Data Privileged Contributor.
Additional RBAC info: Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST: https://docs.azure.cn/en-us/storage/files/authorize-oauth-rest
To use the storage account access key:
You need an Azure role that includes the action Microsoft.Storage/storageAccounts/listkeys/action (examples: Reader and Data Access; Storage Account Contributor; Contributor; Owner).
If your account has that list-keys permission, the portal will by default use the storage account key; otherwise it will try Microsoft Entra authentication.
Locks and special cases
If the storage account has an Azure Resource Manager ReadOnly lock, the List Keys operation is blocked (it's a POST), so users must use Microsoft Entra credentials to access file data in the portal.
Switch authentication for a specific file share
Step: Check or change the Authentication method
The Authentication method field shows whether the portal is using Access Key or Microsoft Entra user account. Use the provided link to switch to:
"Switch to Microsoft Entra user account" (requires the RBAC permissions listed above), or
"Switch to access key" (requires access to the storage account key).
Additional RBAC actions required for Microsoft Entra switching
The portal requires these extra RBAC permissions to use Microsoft Entra authentication:
Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
Behavior notes
If your Microsoft Entra account lacks permissions to view file shares, no file shares will appear when you switch to Microsoft Entra authentication.
If you don't have access to the storage account key, no file shares appear when you switch to access key authentication.
Classic subscription admin roles (Service Administrator and Co-Administrator) have Owner-equivalent permissions, including listkeys permission.
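The selection rules above (list-keys permission, ReadOnly lock, and the two backup-semantics permissions) can be checked against a principal's role definitions to find accounts the portal will start on the access key. This is an added example, not code from the Azure documentation; the helper names and the sample role definitions are constructed, and it assumes the backup-semantics permissions are held as data actions.

```python
import fnmatch

# Permission names as listed on this page.
LIST_KEYS = "Microsoft.Storage/storageAccounts/listkeys/action"
ENTRA_PORTAL = (
    "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action",
    "Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action",
)

def _matches(patterns, action):
    # RBAC action strings compare case-insensitively and may use '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def granted(roles, action, kind="actions"):
    # A role grants an action if it is allowed and not excluded by that same
    # role's not-list; grants from several role assignments are additive.
    deny = "notActions" if kind == "actions" else "notDataActions"
    return any(_matches(r.get(kind, []), action)
               and not _matches(r.get(deny, []), action) for r in roles)

def portal_auth(roles, readonly_lock=False):
    """Predict the portal's starting method for a principal (hypothetical helper)."""
    # A ReadOnly lock blocks List Keys (a POST) even when the role allows it.
    key_usable = granted(roles, LIST_KEYS) and not readonly_lock
    # Assumption: the two backup-semantics permissions are held as data actions.
    entra_ready = all(granted(roles, a, "dataActions") for a in ENTRA_PORTAL)
    return {
        "method": "access-key" if key_usable else "entra",
        "holds_list_keys": granted(roles, LIST_KEYS),
        "entra_ready": entra_ready,
    }

# Constructed, simplified role definitions (not copies of the built-in roles).
READER_LIKE = {"actions": ["*/read"]}
CONTRIBUTOR_LIKE = {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write"]}
FILE_DATA = {"dataActions": list(ENTRA_PORTAL) + [
    "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"]}
NO_KEYS = {"actions": ["Microsoft.Storage/*"],
           "notActions": ["Microsoft.Storage/storageAccounts/listKeys/action"]}

if __name__ == "__main__":
    for name, roles, lock in [("reader+data", [READER_LIKE, FILE_DATA], False),
                              ("contributor", [CONTRIBUTOR_LIKE], False),
                              ("contributor, locked", [CONTRIBUTOR_LIKE], True)]:
        print(name, portal_auth(roles, lock))
```

A result with "method" set to "entra" and "entra_ready" false corresponds to the case above where no file shares appear after the switch.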
References
Access Azure file shares using Microsoft Entra ID with Azure Files OAuth over REST: https://docs.azure.cn/en-us/storage/files/authorize-oauth-rest
Authorize access to data in Azure Storage: https://docs.azure.cn/en-us/storage/common/authorize-data-access
Manage storage account access keys: https://docs.azure.cn/en-us/storage/common/storage-account-keys-manage
Last updated: 07/31/2025