How to handle unauthenticated blob requests on the default Azure Storage domain?

Yasemin Aykalkan (Zer A.Ş.) 20 Reputation points
2025-04-17T08:52:40.32+00:00

Hi everyone,

We have a public, non-static Azure Storage account that doesn't yet have a custom domain configured. Currently, Blob anonymous access is enabled, but we plan to disable it soon for security reasons.

The challenge is:

Our customers already use direct blob URLs like:

https://<account>.blob.core.windows.net/container/filename.docx

These URLs don’t include SAS tokens, and they rely on anonymous access.

Once we disable anonymous access, these requests will start failing due to authorization errors.

However, we want to ensure that users can still access these resources seamlessly by being redirected to a service that can generate a valid SAS token.

We’ve already tried the following approaches:

• Azure CDN
• Azure Front Door
• Blob-triggered Azure Functions
• Azure Private Endpoint

Unfortunately, none of these seemed to allow us to capture or handle unauthenticated requests made directly to the default Azure Blob domain (*.blob.core.windows.net) before the error occurs.

What we’re trying to do:

We want to detect and respond to unauthorized access attempts on the default blob domain by redirecting users to an endpoint that can generate a SAS token.

Is there any way to achieve this on the default blob domain, or is it simply not possible due to how Azure handles blob requests at the platform level?

Any insights, workarounds, or confirmation would be greatly appreciated.

Thanks in advance!

Azure Blob Storage

Accepted answer
  1. Venkatesan S 1,625 Reputation points Microsoft External Staff
    2025-04-22T10:09:08.2266667+00:00

    Hi @Yasemin Aykalkan (Zer A.Ş.)

    Is there any way to achieve this on the default blob domain, or is it simply not possible due to how Azure handles blob requests at the platform level?

    No, it’s not possible to intercept or redirect unauthenticated requests made directly to the default Azure Blob domain (*.blob.core.windows.net) before Azure returns an error. This behavior is by design and enforced at the Azure Storage platform level.

    Why Redirection Isn’t Possible on blob.core.windows.net?

    Azure Storage endpoints (https://<account>.blob.core.windows.net/...) are managed entirely by the Azure platform. Requests hitting these endpoints go directly to the Azure Blob service — there's no opportunity to hook into the pipeline or inject custom behavior like redirection or request inspection before authorization occurs. To intercept and reroute requests, you'll need to host the blob content behind a custom domain using one of:

    • Azure Front Door or
    • Azure CDN (Standard/Premium from Microsoft)

    Then configure the origin to point to your Blob Storage and attach a custom domain.

    This MS-Document is very relevant if you're trying to access blob data programmatically using OAuth 2.0 token-based authentication via Microsoft Entra ID.

    Note: This works only for applications, not for end users in a browser.

    Hope the above suggestion helps! Please let us know if you have any further queries.

    Please do consider “up-voting” wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.
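
The redirect-to-SAS step that the question asks for and the accepted answer places behind a custom domain, as an added example that is not part of the original thread or Microsoft's code. It assumes the `azure-storage-blob` package for real signing; the account name, container allowlist, five-minute lifetime and the `STORAGE_ACCOUNT_KEY` variable name are placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote

ACCOUNT = "exampleaccount"          # placeholder storage account name
ALLOWED_CONTAINERS = {"container"}  # containers that used to allow anonymous reads
SAS_TTL = timedelta(minutes=5)      # assumed lifetime: long enough for one download


def sdk_signer(account, container, blob, expiry):
    """Read-only, HTTPS-only service SAS via the azure-storage-blob package."""
    import os
    from azure.storage.blob import BlobSasPermissions, generate_blob_sas
    return generate_blob_sas(
        account_name=account, container_name=container, blob_name=blob,
        account_key=os.environ["STORAGE_ACCOUNT_KEY"],  # hypothetical variable name
        permission=BlobSasPermissions(read=True),
        expiry=expiry, protocol="https")


def redirect_for(path, signer=sdk_signer, now=None):
    """Map a legacy /container/blob path to (status, Location header or None)."""
    parts = unquote(path).lstrip("/").split("/", 1)
    if len(parts) != 2 or not parts[1]:
        return 404, None
    container, blob = parts
    if container not in ALLOWED_CONTAINERS:
        return 404, None  # never sign for containers that were not public before
    if "\\" in blob or any(seg in ("", ".", "..") for seg in blob.split("/")):
        return 400, None  # refuse traversal-style or empty path segments
    expiry = (now or datetime.now(timezone.utc)) + SAS_TTL
    sas = signer(ACCOUNT, container, blob, expiry)
    # The host is fixed, so request input can never steer the redirect elsewhere.
    return 302, (f"https://{ACCOUNT}.blob.core.windows.net/"
                 f"{container}/{quote(blob)}?{sas}")


if __name__ == "__main__":
    # Constructed demo with a stand-in signer so it runs without Azure credentials.
    demo = lambda a, c, b, e: "sig=DEMO&se=" + e.strftime("%Y-%m-%dT%H:%M:%SZ")
    for p in ("/container/filename.docx", "/private/x.docx", "/container/../x"):
        print(p, "->", redirect_for(p, demo))
```

A handler like this only sees traffic that arrives on the Front Door or CDN custom domain; requests sent straight to the default blob host never reach it.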
