core 3.1 – Trying to access AAD secured blob storage using the token of a logged in user

I have a core web app(not API) that is attempting to access a Azure storage that is protected by Azure AD. The core web app redirects the user to Azure AD sign in page. In case of successful authentication, the user is provided access to view various pages in the web app.

In one of the pages, the user needs to upload something in a Azure blob storage that is AAD protected.

What did I try

  • Create an AAD app registration.
  • Set redirect URIs as appropriate for the web app
  • Provide API permissions for the Azure AD app to be able to access Azure Storage(Delegated permission)
  • Provide API permissions for the AAD App to Graph with "User.Read" scope
  • Provide Blob Storage Contributor role at Storage container level to the above Azure AD app and to the AAD User

Enable User signin in the core Web App

public void ConfigureServices(IServiceCollection services)
            //.EnableTokenAcquisitionToCallDownstreamApi(new string[]{ "" })
            //.AddDownstreamWebApi("azurestorage", Configuration.GetSection("storage"))
        services.AddControllersWithViews(options =>
            var policy = new AuthorizationPolicyBuilder()
            options.Filters.Add(new AuthorizeFilter(policy));


In the controller, I have the following code which fails

 var cred = new DefaultAzureCredential();
        BlobContainerClient blobServiceClient = new BlobContainerClient(new Uri(""), cred);
        var blbos = blobServiceClient.GetBlobs();
        foreach(var b in blbos) // Fails here


Any ideas on what am I missing here

Read more here:

Content Attribution

This content was originally published by Hari Subramaniam at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.

%d bloggers like this: