On 26 August 2025, Microsoft announced the general availability (GA) of Entra ID authentication and role-based access control (RBAC) for several supplemental Azure Storage APIs. This update improves security and gives administrators more precise control over sensitive operations such as managing container, queue, and table access permissions.
What has changed
The following APIs now support Entra ID and RBAC:
- GetAccountInfo
- GetContainerACL / SetContainerACL
- GetQueueACL / SetQueueACL
- GetTableACL / SetTableACL
These APIs now support OAuth 2.0 authentication via Entra ID.
A key change is the way error responses are returned:
- Before: using OAuth without the right permissions resulted in 404 (not found).
- Now:
  - 403 (forbidden) is returned when OAuth is used but the caller does not have the required permission (for example, Microsoft.Storage/storageAccounts/blobServices/getInfo/action for GetAccountInfo).
  - 401 (unauthorised) is returned for anonymous requests.
  - 404 (not found) is still possible if the resource itself does not exist.
If your application logic depends on the old 404 behaviour, you should update it to handle both 404 and 403 responses. Microsoft also recommends not relying on error codes to detect unsupported APIs but instead following the Entra ID authorization guidance.
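One way to apply this response model in application code and in log triage, as an added example that is not Microsoft's code or part of the original article. The record fields (caller, op, status, oauth) and the sample records are constructed for illustration and do not follow a real log schema.

```python
from collections import Counter
from enum import Enum

# Supplemental APIs the article lists as now supporting Entra ID and RBAC.
SUPPLEMENTAL_APIS = {"GetAccountInfo", "GetContainerACL", "SetContainerACL",
                     "GetQueueACL", "SetQueueACL", "GetTableACL", "SetTableACL"}

class Outcome(Enum):
    OK = "request succeeded"
    NEEDS_TOKEN = "anonymous request: authenticate with Entra ID"
    NEEDS_ROLE = "OAuth caller lacks the required RBAC permission"
    MISSING = "resource does not exist"
    OTHER = "outside the response model described here"

def classify(op: str, status: int, oauth: bool) -> Outcome:
    """Map one response to what the caller should do about it."""
    if op not in SUPPLEMENTAL_APIS:
        return Outcome.OTHER
    if 200 <= status < 300:
        return Outcome.OK
    if status == 401:
        return Outcome.NEEDS_TOKEN
    if status == 403 and oauth:
        return Outcome.NEEDS_ROLE   # this case was reported as 404 before the change
    if status == 404:
        return Outcome.MISSING      # still returned when the resource is absent
    return Outcome.OTHER

def callers_needing_role(records):
    """Count 403-with-OAuth responses per (caller, operation) pair."""
    hits = Counter()
    for r in records:
        if classify(r["op"], r["status"], r["oauth"]) is Outcome.NEEDS_ROLE:
            hits[(r["caller"], r["op"])] += 1
    return hits

# Constructed sample records (hypothetical field names, not a real log schema).
SAMPLE = [
    {"caller": "app-a", "op": "GetContainerACL", "status": 403, "oauth": True},
    {"caller": "app-a", "op": "GetContainerACL", "status": 403, "oauth": True},
    {"caller": "app-b", "op": "GetQueueACL", "status": 403, "oauth": True},
    {"caller": "app-c", "op": "GetTableACL", "status": 404, "oauth": True},
    {"caller": "-", "op": "GetAccountInfo", "status": 401, "oauth": False},
]

if __name__ == "__main__":
    for (caller, op), n in callers_needing_role(SAMPLE).items():
        print(f"{caller}: {n} x 403 on {op} -> check role assignment")
```

Callers that appear in the output are authenticating with OAuth but have no role granting the operation, which is the group whose old 404 handling needs review.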
Why this matters
- Improved security – no more reliance on shared keys.
- Granular access – assign only the necessary permissions.
- Consistent responses – OAuth error codes now match industry standards.
- Application impact – developers may need to update their code to support the new response model.
Practical Lab: Using RBAC with Container ACLs
Scenario: Your application only needs to read a container’s ACL, without requiring full access to the storage account.
Step 1 – Create a custom role
- Open the Azure portal → Subscriptions → pick your subscription → Access control (IAM) → + Add custom role.
- Name the role Storage ACL Reader.
- Add permissions:
  - Microsoft.Storage/storageAccounts/blobServices/containers/read
  - Microsoft.Storage/storageAccounts/tableServices/tables/read
  - Microsoft.Storage/storageAccounts/queueServices/queues/read
Step 2 – Assignable Scope
- Choose where the role can be assigned: management group, subscription, or resource group.
- Review and create the role.
Step 3 – Test access with Azure CLI
Run:
az storage container show-permission \
  --account-name MyStorageAccount \
  --name mycontainer \
  --auth-mode login
- If the role is correctly assigned, the ACL details are shown.
- If not, you will see an AuthorizationFailure error.
Conclusion
With this GA update, Azure Storage administrators can manage supplemental APIs using Entra ID and RBAC, while developers should review their applications for the new error response model. This improves both security and operational consistency across the platform.

