Run PowerShell commands with Microsoft Entra credentials to access blob data

  • 2025-04-12

Azure Storage provides extensions for PowerShell that enable you to sign in and run scripting commands with Microsoft Entra credentials. When you sign in to PowerShell with Microsoft Entra credentials, an OAuth 2.0 access token is returned. That token is automatically used by PowerShell to authorize subsequent data operations against Blob storage. For supported operations, you no longer need to pass an account key or SAS token with the command.

You can assign permissions to blob data to a Microsoft Entra security principal via Azure role-based access control (Azure RBAC). For more information about Azure roles in Azure Storage, see Assign an Azure role for access to blob data.

Supported operations

The Azure Storage extensions are supported for operations on blob data. Which operations you may call depends on the permissions granted to the Microsoft Entra security principal with which you sign in to PowerShell. Permissions to Azure Storage containers are assigned via Azure RBAC. For example, if you have been assigned the Storage Blob Data Reader role, then you can run scripting commands that read data from a container. If you have been assigned the Storage Blob Data Contributor role, then you can run scripting commands that read, write, or delete a container or the data it contains.

For details about the permissions required for each Azure Storage operation on a container, see Call storage operations with OAuth tokens.

Important

When a storage account is locked with an Azure Resource Manager ReadOnly lock, the List Keys operation is not permitted for that storage account. List Keys is a POST operation, and all POST operations are prohibited while a ReadOnly lock is configured on the account. For this reason, when the account is locked with a ReadOnly lock, users who do not already possess the account keys must use Microsoft Entra credentials to access blob data. In PowerShell, include the -UseConnectedAccount parameter to create an AzureStorageContext object with your Microsoft Entra credentials.
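The following script is an added example (not part of the original article) that shows the behavior described above end to end: a ReadOnly lock is placed on an existing storage account, the List Keys call is rejected, and a context created with -UseConnectedAccount still reaches the data plane because no key is involved. It assumes you are already signed in, the Az.Accounts, Az.Resources, and Az.Storage modules are installed, the storage account and container named below already exist, and your signed-in principal already holds Storage Blob Data Reader (or Contributor) on the account. The resource names and the lock name are placeholders.

```powershell
# Added example, not from the original article. Assumptions: signed in with
# Connect-AzAccount; Az.Accounts, Az.Resources and Az.Storage installed; the
# storage account and container below exist; the signed-in principal already
# holds a Storage Blob Data role on the account. Names are placeholders.
$resourceGroup = "sample-resource-group-ps"
$accountName   = "<storage-account>"
$containerName = "sample-container"
$lockName      = "ro-lock"

# 1. Apply a ReadOnly lock to the storage account (management-plane operation).
New-AzResourceLock -LockName $lockName -LockLevel ReadOnly `
    -ResourceGroupName $resourceGroup `
    -ResourceType "Microsoft.Storage/storageAccounts" `
    -ResourceName $accountName -Force | Out-Null

# 2. List Keys is a POST, so Resource Manager rejects it while the lock exists.
try {
    Get-AzStorageAccountKey -ResourceGroupName $resourceGroup `
        -Name $accountName -ErrorAction Stop | Out-Null
    Write-Host "Unexpected: List Keys succeeded despite the ReadOnly lock."
} catch {
    Write-Host "List Keys blocked as expected: $($_.Exception.Message)"
}

# 3. A context built from Microsoft Entra credentials carries an OAuth token
#    and never calls List Keys, so the data-plane read still works.
$ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount
Get-AzStorageBlob -Container $containerName -Context $ctx |
    Select-Object Name, Length, LastModified

# 4. Remove the lock again when you are done testing.
Remove-AzResourceLock -LockName $lockName -ResourceGroupName $resourceGroup `
    -ResourceType "Microsoft.Storage/storageAccounts" `
    -ResourceName $accountName -Force | Out-Null
```

The try/catch uses -ErrorAction Stop so the Get-AzStorageAccountKey failure is a terminating error and lands in the catch block; without it the cmdlet writes a non-terminating error and the script would continue past the "Unexpected" message.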

Call PowerShell commands using Microsoft Entra credentials

To use Azure PowerShell to sign in and run subsequent operations against Azure Storage using Microsoft Entra credentials, create a storage context to reference the storage account, and include the -UseConnectedAccount parameter.

The following example shows how to create a container in a new storage account from Azure PowerShell using your Microsoft Entra credentials. Replace the placeholders in angle brackets with your own values.

  1. Sign in to your Azure account with the Connect-AzAccount command:

    Connect-AzAccount

    For more information about signing into Azure with PowerShell, see Sign in with Azure PowerShell.

  2. Create an Azure resource group by calling New-AzResourceGroup.

    $resourceGroup = "sample-resource-group-ps"
    $location = "eastus"
    New-AzResourceGroup -Name $resourceGroup -Location $location
  3. Create a storage account by calling New-AzStorageAccount.

    $storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup `
      -Name "<storage-account>" `
      -SkuName Standard_LRS `
      -Location $location `
      -AllowBlobPublicAccess $false
  4. Get the storage account context that specifies the new storage account by calling New-AzStorageContext. When acting on a storage account, you can reference the context instead of repeatedly passing in the credentials. Include the -UseConnectedAccount parameter to call any subsequent data operations using your Microsoft Entra credentials:

    $ctx = New-AzStorageContext -StorageAccountName "<storage-account>" -UseConnectedAccount
  5. Before you create the container, assign the Storage Blob Data Contributor role to yourself, scoped to the storage account. Even though you are the account owner, management-plane roles such as Owner do not grant data-plane access, so you need an explicit data role to perform data operations against the storage account. For more information about assigning Azure roles, see Assign an Azure role for access to blob data.

    Important

    Azure role assignments may take a few minutes to propagate.

  6. Create a container by calling New-AzStorageContainer. Because this call uses the context created in the previous steps, the container is created using your Microsoft Entra credentials.

    $containerName = "sample-container"
    New-AzStorageContainer -Name $containerName -Context $ctx
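The script below is an added example (not the article's own code) that runs the six steps above as one unit and fills in the two pieces the steps describe in prose: the role assignment from step 5, performed with New-AzRoleAssignment scoped to the new storage account only, and a retry loop for the propagation delay called out in the Important note, so the first data-plane call waits for the assignment instead of failing with a 403. It also sets -AllowSharedKeyAccess $false on the new account, which is not in the article's step 3; that setting turns off account-key authorization so Microsoft Entra is the only path to blob data. The example assumes the Az.Accounts, Az.Resources, and Az.Storage modules are installed, that you sign in as a user (Get-AzADUser -SignedIn does not apply to service principals), and that the placeholder storage account name is replaced with a globally unique one. The sample blob content is constructed here.

```powershell
# Added example, not from the original article. Assumptions: Az.Accounts,
# Az.Resources and Az.Storage installed; signed in as a user; the storage
# account name below replaced with a globally unique value.
$resourceGroup = "sample-resource-group-ps"
$location      = "eastus"
$accountName   = "<storage-account>"
$containerName = "sample-container"

Connect-AzAccount | Out-Null

New-AzResourceGroup -Name $resourceGroup -Location $location -Force | Out-Null

# -AllowSharedKeyAccess $false is an addition to the article's settings: it
# disables account-key (Shared Key) authorization, leaving Microsoft Entra as
# the only way to reach the data plane. Drop it if key-based tools still need access.
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup `
    -Name $accountName `
    -SkuName Standard_LRS `
    -Location $location `
    -AllowBlobPublicAccess $false `
    -AllowSharedKeyAccess $false

# Step 5: grant Storage Blob Data Contributor to the signed-in user, scoped to
# this storage account only (least privilege: not the resource group or subscription).
$me       = Get-AzADUser -SignedIn
$roleName = "Storage Blob Data Contributor"
$existing = Get-AzRoleAssignment -ObjectId $me.Id -Scope $storageAccount.Id `
    -RoleDefinitionName $roleName
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $me.Id -RoleDefinitionName $roleName `
        -Scope $storageAccount.Id | Out-Null
}

# Step 4: the context carries the OAuth token; no key or SAS is passed from here on.
$ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount

# Step 6, with a retry for role propagation: only authorization (403) failures
# are retried, anything else is rethrown immediately.
$attempt = 0
do {
    try {
        New-AzStorageContainer -Name $containerName -Context $ctx -ErrorAction Stop | Out-Null
        break
    } catch {
        $attempt++
        $isAuthz = $_.Exception.Message -match "403|AuthorizationPermissionMismatch"
        if (-not $isAuthz -or $attempt -ge 10) { throw }
        Write-Host "Waiting for the role assignment to propagate (attempt $attempt)..."
        Start-Sleep -Seconds 30
    }
} while ($true)

# Write a constructed sample blob and read the listing back with the same context,
# proving both the write and the read are authorized by the Entra token alone.
$tmp = New-TemporaryFile
Set-Content -Path $tmp.FullName -Value "hello from Microsoft Entra-authorized PowerShell"
Set-AzStorageBlobContent -File $tmp.FullName -Container $containerName `
    -Blob "hello.txt" -Context $ctx -Force | Out-Null
Get-AzStorageBlob -Container $containerName -Context $ctx | Select-Object Name, Length
Remove-Item $tmp.FullName
```

The retry loop bounds its wait at ten attempts of 30 seconds, which covers the "few minutes" of propagation the note describes; if the 403 persists beyond that, the assignment itself is usually wrong (wrong scope, wrong principal, or a management-plane role such as Owner instead of a data role) and retrying further only hides it.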
