Can anyone confirm that to make a REST request to Azure Storage we have to do these steps?

1. client ID and client secret
2. API permissions -> Add permission -> Azure Storage, add user_impersonation as API permission that would allow the Application to access the Storage account on behalf of the signed-in user.
3. Access control (IAM) -> Add role -> assign the given signed-in user (email) whichever role that you like.

In this logic, one has to grant the read/write/complete-storage-account access to the Role in step 3 and then impersonate that behavior to the App created.

But let's say that I want to grant these levels of access during the token request. Shown in fig:

Can I do so? That is, can I get these read/write/owner kinds of different permissions while acquiring the token? If not, then how can I manage different access levels?
You don't need multiple applications, but multiple users are needed. When you use the delegated permission user_impersonation of the Azure Storage API, i.e. https://storage.azure.com/user_impersonation in the scope, the app will get all the permissions of the user in the storage account after user login. Besides, I notice you used https://myaccount.blob.core.windows.net/user_impersonation, which just works for a specific storage account; make sure it meets your requirement.
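As an added example (not code from the question or the answer above), the following Python shows what the answer describes: the token request names only the resource scope, the resulting token carries no read/write/owner level, and the REST call then succeeds or fails according to the signed-in user's RBAC role on the account. The sample token is constructed and unsigned, and the `aud` value the check expects is an assumption for illustration.

```python
import base64
import json
from datetime import datetime, timezone
from urllib.parse import urlencode

# Delegated scope for the whole Azure Storage resource (any account the user
# holds an RBAC role on) versus a scope bound to a single storage account.
STORAGE_SCOPE = "https://storage.azure.com/user_impersonation"

def account_scope(account: str) -> str:
    """Scope tied to one account only, as in the question's myaccount example."""
    return f"https://{account}.blob.core.windows.net/user_impersonation"

def token_request_body(client_id, client_secret, code, redirect_uri, scope=STORAGE_SCOPE):
    """Form body for the v2.0 token endpoint, authorization-code grant.
    The scope identifies the resource; there is no parameter for an access level."""
    return urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "client_secret": client_secret, "code": code,
                      "redirect_uri": redirect_uri, "scope": scope})

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only (no signature verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_storage_token(token: str) -> bool:
    """Usable for Storage REST only if issued for the storage audience with the
    user_impersonation delegated scope (assumed aud form). Whether a call is then
    allowed depends on the user's RBAC role, which is not encoded in the token."""
    c = jwt_claims(token)
    return (c.get("aud") == "https://storage.azure.com"
            and "user_impersonation" in c.get("scp", "").split())

def blob_headers(token: str) -> dict:
    """Headers for a Blob REST call with a bearer token; bearer auth needs
    x-ms-version 2017-11-09 or later, and x-ms-date must be RFC 1123 in UTC."""
    return {"Authorization": f"Bearer {token}",
            "x-ms-version": "2020-04-08",
            "x-ms-date": datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")}

def sample_token(aud="https://storage.azure.com", scp="user_impersonation") -> str:
    """Constructed, unsigned token used only to exercise the checks above."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f'{b64({"alg": "none"})}.{b64({"aud": aud, "scp": scp})}.'
```

A 403 from the service with a valid token therefore points at a missing role assignment under Access control (IAM), not at the scope requested.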