Good day,
Is it possible to define a Conditional Access policy regulating access to a blob service of a particular Storage Account?
Let's say our general policy is too restrictive (say, it requires MFA or particular source IP ranges), and we want to make exceptions for calls to <our-storage-account>.blob.core.windows.net. Is it possible?
I saw a couple of mentions that it's possible to add an Azure Files service of a particular Storage Account to the list of Conditional Access policy exclusions (here and here):
Azure AD Kerberos doesn't support using MFA to access Azure file shares configured with Azure AD Kerberos. You must exclude the Azure AD app representing your storage account from your MFA conditional access policies if they apply to all apps.
The storage account app should have the same name as the storage account in the conditional access exclusion list. When searching for the storage account app in the conditional access exclusion list, search for: [Storage Account] <your-storage-account-name>.file.core.windows.net
But when I tried to search the list of cloud apps for Conditional Access policy exclusions by [Storage Account] or by the specific account's name, I found no matches.
Will adding a "managed identity" to the Storage Account help? As far as I understand, it's used for calls initiated by the Storage Account itself (to Key Vault, to obtain an encryption key), not for client traffic to its blob service.
Thanks,
Mucius.
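As an added check (not part of the question above or of Microsoft's documentation), this Microsoft Graph PowerShell script lists the service principals in the tenant whose display name carries the "[Storage Account]" prefix quoted from the docs, and shows which Conditional Access policies currently exclude each one. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the Policy.Read.All and Application.Read.All permissions.

```powershell
# Added example, not code from the original post. Requires the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes "Policy.Read.All", "Application.Read.All" | Out-Null

# Storage account apps are named "[Storage Account] <name>.<service>.core.windows.net"
# according to the docs quoted in the question, so search by that prefix.
$storageApps = Get-MgServicePrincipal -All `
    -Filter "startswith(displayName,'[Storage Account]')" |
    Select-Object DisplayName, AppId, Id

if (-not $storageApps) {
    Write-Output "No service principals with the '[Storage Account]' prefix exist in this tenant."
    return
}

# Conditional Access application exclusions are stored as app (client) IDs,
# so compare against each service principal's AppId, not its object Id.
$policies = Get-MgIdentityConditionalAccessPolicy -All

foreach ($app in $storageApps) {
    $excludedBy = $policies |
        Where-Object { $_.Conditions.Applications.ExcludeApplications -contains $app.AppId } |
        Select-Object -ExpandProperty DisplayName

    [PSCustomObject]@{
        StorageApp = $app.DisplayName
        AppId      = $app.AppId
        ExcludedBy = if ($excludedBy) { $excludedBy -join '; ' } else { '(none)' }
    }
}
```

If the first query returns nothing, the tenant has no Entra ID app object for any storage account, which is the state in which the portal's cloud-app picker shows no "[Storage Account]" matches.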