How to Access Storage Account Using System Managed Identity

Azure Blob Storage can be accessed using Managed Identity. This post briefly introduces Managed Identity and then enables a system-assigned Managed Identity so that a WebApp can access Azure Blob Storage.

What is Managed Identity

Managed Identity provides Azure services with an automatically managed identity in AAD (Azure Active Directory). It lets you authenticate to any service that supports AAD authentication without maintaining credentials in your code. It is a great feature from a security perspective because the credentials are never exposed to you. Managed identities can be used at no additional cost.

There are two types of managed identities —

System-assigned: Some services allow a system-assigned identity to be created from the service instance. This identity can be turned ON/OFF from the Identity option of the Azure service. Once the identity has been assigned to the Azure resource, that resource can request tokens from Azure AD. This identity cannot be shared, meaning it can be associated with a single Azure resource at a time.

User-assigned: This identity is created independently of any service instance and is then assigned to an Azure resource. Once the identity has been created, it persists until you explicitly delete it. This identity can be shared, meaning it can be associated with multiple Azure resources.


Let’s suppose you want to access Blob Storage from a WebApp using a system-assigned Managed Identity. You would need the services below to complete the implementation in Azure.

  • Create a general purpose v2 storage account
  • Create an App Service Plan under the free plan or any other plan as applicable
  • Create a WebApp under the App Service Plan

*To keep things short and simple, this post does not cover the steps to create these services.

Once the services are up and running, we are good to start the implementation.

1- Enable WebApp Managed Identity – The steps below should be performed to enable managed identity for the WebApp.

  1. Go to the resource group <Resource Group>
  2. Select the App Service <App Service Instance>
  3. In the left blade, under Settings, select Identity, then System assigned
  4. Click “On”, then click Save
  5. Click “Azure role assignments” and assign the RBAC role “Storage Blob Data Contributor” at the storage account (Storage Resource) level.
(Figures 1-4: Identity; Enable System Identity; Identity Generated; Assign RBAC Permission)

2- Create .NET Core Web Application – Now open Visual Studio 2019 and create a new .NET Core MVC web application <WebApplication1>. You need to add the NuGet packages “Azure.Storage.Blobs” and “Azure.Identity”.

Now you can add code to the HomeController.cs file. In this file, add two functions named CreateContainer and CreateBlob respectively.

using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Blobs;

// Helper methods inside HomeController. DefaultAzureCredential resolves the WebApp's
// system-assigned managed identity at runtime, so no secret is stored in code.
static async Task<BlobContainerClient> CreateContainer(string accountName, string containerName)
{
    // Public-cloud blob endpoint for the account and container
    string containerEndpoint = $"https://{accountName}.blob.core.windows.net/{containerName}";
    BlobContainerClient containerClient
        = new BlobContainerClient(new Uri(containerEndpoint),
                                  new DefaultAzureCredential());
    await containerClient.CreateIfNotExistsAsync();
    return containerClient;
}

static async Task CreateBlob(string blobName)
{
    var containerClient =
        await CreateContainer("<StorageAccount>", "<Container>");
    string blobContents = "<StringToWrite>";
    byte[] byteArray = Encoding.ASCII.GetBytes(blobContents);
    using (MemoryStream stream = new MemoryStream(byteArray))
        await containerClient.UploadBlobAsync(blobName, stream);
}
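The following is an added example, not code from the post or from the Azure SDK samples. It ties the “What is Managed Identity” section to the helper code above: it builds the credential explicitly for either a system-assigned or a user-assigned identity (instead of relying on the DefaultAzureCredential fallback chain, which in a deployed app could silently pick up environment-variable or developer credentials), proves that the identity can obtain a storage token before any data call, and separates the most common failure mode (the identity exists but the “Storage Blob Data Contributor” role has not been assigned or has not propagated yet) from other errors. The class name ManagedIdentityBlobWriter, the method names, the blob-naming scheme and the public-cloud endpoint format are assumptions for this example.

```csharp
using System;
using System.IO;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

// Added example (not from the post). Class and method names are assumed.
public static class ManagedIdentityBlobWriter
{
    // Builds the credential for the identity type the WebApp actually uses.
    //   userAssignedClientId == null  -> system-assigned identity of the hosting resource
    //   userAssignedClientId != null  -> user-assigned identity with that client id
    // Using ManagedIdentityCredential directly avoids the DefaultAzureCredential
    // fallback chain in production, so only the managed identity can ever be used.
    public static TokenCredential BuildCredential(string userAssignedClientId)
    {
        return userAssignedClientId == null
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(userAssignedClientId);
    }

    // Requests a token for the storage resource before any data call is made.
    // A failure here means the identity itself is not enabled on the resource
    // (authentication), not that a role is missing (authorization).
    // Only the expiry is returned; the token value is never logged or exposed.
    public static async Task<DateTimeOffset> ProveTokenAsync(TokenCredential credential,
                                                             CancellationToken ct)
    {
        var context = new TokenRequestContext(new[] { "https://storage.azure.com/.default" });
        AccessToken token = await credential.GetTokenAsync(context, ct);
        return token.ExpiresOn;
    }

    // Writes one blob with a unique name and returns that name.
    // A 403 from the data plane means the identity authenticated but is not
    // authorized: the RBAC role is missing or still propagating.
    public static async Task<string> WriteBlobAsync(string accountName, string containerName,
                                                    string content, TokenCredential credential)
    {
        // Public-cloud endpoint format; assumed for this example
        var endpoint = new Uri($"https://{accountName}.blob.core.windows.net/{containerName}");
        var container = new BlobContainerClient(endpoint, credential);

        // Unique per call, so repeated clicks create separate files (naming scheme assumed)
        string blobName = $"{DateTime.UtcNow:yyyyMMdd-HHmmss}-{Guid.NewGuid():N}.txt";

        try
        {
            await container.CreateIfNotExistsAsync();
            using var stream = new MemoryStream(Encoding.UTF8.GetBytes(content));
            await container.UploadBlobAsync(blobName, stream);
            return blobName;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Typical ErrorCode here is AuthorizationPermissionMismatch
            throw new InvalidOperationException(
                $"Identity has no data-plane role on '{accountName}/{containerName}' " +
                $"(ErrorCode={ex.ErrorCode}). Assign 'Storage Blob Data Contributor' at the " +
                "storage account or container scope and allow a few minutes for propagation.",
                ex);
        }
    }

    // Example wiring, as the controller would call it for a system-assigned identity.
    public static async Task<string> WriteWithSystemIdentityAsync(string accountName,
                                                                  string containerName)
    {
        TokenCredential credential = BuildCredential(null);
        await ProveTokenAsync(credential, CancellationToken.None);
        return await WriteBlobAsync(accountName, containerName, "hello from managed identity",
                                    credential);
    }
}
```

Scoping the role assignment to the single container rather than the whole storage account is the least-privilege choice when the WebApp only needs that container; the 403 handler above reports the scope it needed so that a missing or mis-scoped assignment shows up as a clear operational message rather than a generic failure.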

Now add two POST action methods to HomeController.cs as written below.

[HttpPost]
public async Task<IActionResult> CreateContainer()
{
    await CreateContainer("<StorageAccount>", "<Container>");
    ViewBag.Message = "Container Created Successfully";
    return View("Index");
}

[HttpPost]
public async Task<IActionResult> CreateBlob()
{
    // A fresh name per click, so each submit creates a new file (naming scheme assumed)
    await CreateBlob(Guid.NewGuid().ToString() + ".txt");
    ViewBag.Message = "Blob Created Successfully";
    return View("Index");
}

Now add HTML code to the Index.cshtml file to call the controller’s methods as written below.

@{
    ViewData["Title"] = "Home Page";
}
@* Shows the message set by the controller actions *@
<p>@ViewBag.Message</p>
@using (Html.BeginForm("CreateContainer", "Home", FormMethod.Post))
{
    <div class="form-group">
        <div class="col-md-offset-2 col-md-5">
            <input type="submit"
                   value="Create Container"
                   class="btn btn-default btn-primary" />
        </div>
    </div>
}
@using (Html.BeginForm("CreateBlob", "Home", FormMethod.Post))
{
    <div class="form-group">
        <div class="col-md-offset-2 col-md-5">
            <input type="submit"
                   value="Create Blob" id="Submit"
                   class="btn btn-default btn-primary" />
        </div>
    </div>
}

3- Publish website to Azure WebApp – Right-click the project <WebApplication1> and click Publish. Select the appropriate Resource Group and WebApp service and follow the publish wizard. Once publishing completes, it opens the WebApp with the two buttons as displayed.

(Figure 5: Azure WebApp)


Now, if all the configuration has been done correctly and the project has been deployed successfully, we can verify the output by clicking “Create Container” and “Create Blob” (the latter creates both the container and the blob). If you click “Create Blob” multiple times, you will see that it creates that many files in the container.

(Figure 6: WebApp Output)

Now navigate to Storage Account > Container to verify the files that have been created. Click on any file to verify its content.

(Figure 7: Container Output)

So you have seen a system-assigned Managed Identity used to access Azure Blob Storage. To implement this, you don’t need to maintain any kind of credential anywhere in code. Similarly, Azure services that support Managed Identity can be used with other Azure services without any configuration overhead.

If you have any suggestions/feedback, please put them in the comment box.

Happy Learning 🙂
