In the last couple of weeks, you might have seen that I wrote a couple of blog posts on how to manage Azure Blob Storage with AzCopy. Including how you can upload files to Azure Blob Storage container with PowerShell, sync files to Azure Blob storage or even migrate AWS S3 buckets to Azure. In most cases you have used AzCopy, you might have used SAS tokens, with AzCopy v10 however you can also use Azure AD accounts and service principals.

Authenticate against Azure with AzCopy using Azure AD accounts is simple. You can use the AzCopy login command:

azcopy login

If your account is in multiple Azure AD tenant, you can also add the specific tenant ID.

azcopy login --tenant-id "XXXXXXXX-XXXX-XXXXX-XXXXX-XXXXXXXXXXX"

You can find your tenant ID, login to the Azure Portal, go to Azure Active Directory -> Properties; there you find your Directory/Tenant ID.

After running this command, you will need to open the device login page and enter your code to authenticate. If you signed-in correctly, you will see the following page:

Set the right permissions

Important, to interact with the Azure Storage Account, you will need to set the right permissions for the account, even if you are the storage account owner.

If you want to download files from Azure blob storage, make sure that your user identity has the Storage Blob Data Reader role assigned. If you want to upload files, you will need to assign Storage Blob Data Contributor or Storage Blob Data Owner.

You can assign these roles on different scopes, with more and less granularity.

Container (file system)

Storage account

Resource group

Subscription

With the right permissions and login, you can now easily upload and download files from your Azure Storage Account using AzCopy and your Azure AD credentials.

azcopy copy “C:\temp\images” “https://account.blob.core.windows.net/images/" --recursive=true

If you are like me and you get the following error:

“RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.”

You don’t have the right permissions, and you will need to see grant access to Azure blob and queue data with RBAC in the Azure portal, Azure CLI or Azure PowerShell.

I hope this article helps you, especially when you didn’t configure the necessary permissions, or your account is in multiple Azure AD tenants. If you have any questions, please let me know in the comments.