6
votes

I have an Azure Storage Account and want to grant read access to a colleague. All identities are in the same Azure Active Directory so it was easy to add him to the "Reader" role in the Access Control blade of the Azure portal.

When he opens Microsoft Azure Storage Explorer, the subscription and storage account are visible but the node for Blob Containers can't be expanded. The exception says:

Could not obtain keys for Storage Account. Please check that you have the correct permissions



2 Answers

2
votes

Looks like this is now possible (in preview). Your AD users can be given the "Storage Blob Data Reader" privilege. https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-aad-authentication-for-storage/

4
votes

This is expected behavior. Essentially, to list storage keys the user should be in a role that allows the listKeys operation. The built-in Reader role does not have permission to perform the listKeys operation.

The rationale (a bit convoluted though) behind this decision is that a user in the Reader role should only be able to read and not perform any inserts, updates or deletes. Consider that if someone has the account key for a storage account, they can do these operations. Thus the user in the Reader role is not granted permission to list the account keys.

What you could do is create a Shared Access Signature (SAS) with read/list permissions and share that SAS URL with your colleague. Then they will be able to access the data in that storage account but won't be able to perform any create/update/delete operations.
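The SAS approach from this answer, as an added example that is not part of the original answer: the code below builds a container-scoped service SAS with only read and list permissions (`sp=rl`) using the standard library, and then shows why the colleague cannot simply edit the token to gain write access. The account name `examplestorage`, the key bytes and the container `reports` are constructed placeholders; the string-to-sign layout follows the documented format for service version 2018-11-09 (fifteen newline-separated fields, signed with HMAC-SHA256 under the base64-decoded account key).

```python
"""Build and verify an Azure Blob service SAS for one container (read + list).

Added example, not code from the original answers. Account, key and container
are constructed placeholders; nothing here contacts Azure.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

ACCOUNT = "examplestorage"                                  # constructed
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()   # constructed, not a real key
CONTAINER = "reports"                                       # constructed
SAS_VERSION = "2018-11-09"                                  # string-to-sign layout used below
ISSUED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)       # fixed clock for reproducible output
_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(account, container, permissions, start, expiry, protocol):
    # Field order for sv=2018-11-09: signedPermissions, signedStart, signedExpiry,
    # canonicalizedResource, signedIdentifier, signedIP, signedProtocol,
    # signedVersion, signedResource, signedSnapshotTime, then the five
    # response-header overrides (rscc, rscd, rsce, rscl, rsct). Unused fields are empty.
    canonicalized_resource = f"/blob/{account}/{container}"
    fields = [permissions, start, expiry, canonicalized_resource,
              "", "", protocol, SAS_VERSION, "c", "",
              "", "", "", "", ""]
    return "\n".join(fields)


def _sign(account_key_b64, string_to_sign):
    # HMAC-SHA256 keyed with the raw (base64-decoded) account key, result base64-encoded.
    key = base64.b64decode(account_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_container_sas(account, account_key_b64, container, permissions="rl",
                        valid_hours=24, now=None, protocol="https"):
    """Return the SAS query string (without the leading '?') for one container."""
    now = now or datetime.now(timezone.utc)
    start = now.strftime(_TIME_FMT)
    expiry = (now + timedelta(hours=valid_hours)).strftime(_TIME_FMT)
    sig = _sign(account_key_b64,
                _string_to_sign(account, container, permissions, start, expiry, protocol))
    params = {"sv": SAS_VERSION, "sr": "c", "sp": permissions, "st": start,
              "se": expiry, "spr": protocol, "sig": sig}
    return urlencode(params)


def container_url(account, container, sas):
    """The URL to hand to the colleague; it carries no account key."""
    return f"https://{account}.blob.core.windows.net/{container}?{sas}"


def verify_container_sas(account, account_key_b64, container, query, now=None):
    """Recompute the signature the way the service does.

    Every signed field (permissions, start, expiry, protocol) is part of the
    string-to-sign, so changing sp=rl to sp=rwdl after issuance breaks sig.
    Expired tokens are rejected as well.
    """
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if q.get("sv") != SAS_VERSION or q.get("sr") != "c" or "sig" not in q:
        return False
    try:
        expected = _sign(account_key_b64, _string_to_sign(
            account, container, q["sp"], q.get("st", ""), q["se"], q.get("spr", "")))
        expiry = datetime.strptime(q["se"], _TIME_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(expected, q["sig"]):
        return False
    now = now or datetime.now(timezone.utc)
    return now < expiry


def demo():
    """Issue a read/list SAS and exercise the two failure modes a reviewer cares about."""
    sas = build_container_sas(ACCOUNT, ACCOUNT_KEY, CONTAINER, now=ISSUED_AT)
    tampered = sas.replace("sp=rl", "sp=rwdl")   # colleague tries to grant himself write/delete
    return {
        "url": container_url(ACCOUNT, CONTAINER, sas),
        "sas": sas,
        "valid": verify_container_sas(ACCOUNT, ACCOUNT_KEY, CONTAINER, sas, now=ISSUED_AT),
        "tampered_rejected": not verify_container_sas(ACCOUNT, ACCOUNT_KEY, CONTAINER, tampered, now=ISSUED_AT),
        "expired_rejected": not verify_container_sas(ACCOUNT, ACCOUNT_KEY, CONTAINER, sas,
                                                     now=ISSUED_AT + timedelta(hours=25)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical notes. First, a SAS signed with an account key is only as revocable as that key: if the token leaks, the remedy is rotating the key (which invalidates every SAS signed with it), so keep the expiry short or sign against a stored access policy instead. Second, if the preview role from the other answer is acceptable, the equivalent assignment with the Azure CLI is `az role assignment create --assignee <user@domain> --role "Storage Blob Data Reader" --scope <storage-account-resource-id>` (placeholders are illustrative), which avoids distributing any secret at all.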