Prevent user login to Azure App Registration


I am writing a server side application that will run on an internal server (a physical box, not inside Azure). The application needs access to a blob storage container. The data in the blob storage is confidential, it should not be publicly accessible and should also not be accessible to all users in the tenant. I am currently trying to figure out the best/most secure way to grant my application access to the data in the blob storage.

In the Azure documentation it is mentioned that a SAS should be protected the same way as account keys, which in turn you should "use Azure Key Vault to manage and rotate your keys securely". To authenticate against a key vault you have to either use managed identities (only supported for resources hosted in Azure, so not in this case) or create an app registration and assign the permissions to access the key vault using RBAC to the app registration. When creating an app registration, you have to choose which account types are allowed to sign in to the application (accounts in the organizational directory or any account). As mentioned earlier, I do not want to grant users in the tenant access to the blob or the key vault, so they should not be able to log in to the application. Is this possible somehow, or is using an app registration the wrong approach in this case? Or is the role assignment of the application not delegated to the user and only relevant when using a client secret?

It is also unclear to me what the benefit of using a key vault in this scenario would be in comparison to a SAS derived from an access policy. Both would allow revocation, and in the case of the key vault I would still have to place a secret on the server to grant the application access.


KonTheCat:

I think you should first look at managed identities as an authentication mechanism and only use a service principal or SAS keys if for whatever reason managed identity does not meet your needs. As per the article below, managed identity can be extended to an on-premises VM. https://learn.microsoft.com/en-us/azure/azure-arc/servers/managed-identity-authentication

Without a managed identity you are stuck with bad answers, as you have so well expressed. Your understanding is correct: if you assign a role to an application identity (either a managed identity or a service principal) that access is not delegated to the user; only the application has the access. Using a managed identity is advantageous because Azure does all of the credential management for you.
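As an added example (not part of the question or of KonTheCat's answer), the service-principal path in Python: the application obtains a token for Azure Storage through the client credentials flow, with no user involved, and a small claim check shows why the role assignment is not delegated to anyone (the token carries no `scp` or user claims, only the application id). The tenant id, client id and secret are assumed to be in environment variables, the sample tokens are constructed placeholders, and the token endpoint and `https://storage.azure.com/.default` scope are Microsoft Entra's.

```python
"""Client credentials token for Azure Storage plus an app-only claim check.
Claim inspection here does NOT verify the signature; it is for diagnostics."""
import base64
import json
import os
import urllib.parse
import urllib.request

STORAGE_SCOPE = "https://storage.azure.com/.default"


def decode_claims(token: str) -> dict:
    """Return the payload of a JWT without verifying it (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_kind(claims: dict) -> str:
    """'delegated' tokens carry 'scp' (permissions a user granted) and user
    identifiers; 'app-only' tokens from client credentials carry just the
    application id ('appid' in v1 tokens, 'azp' in v2) and no 'scp'."""
    if "scp" in claims or any(k in claims for k in ("upn", "preferred_username")):
        return "delegated"
    if claims.get("idtyp") == "app" or "appid" in claims or "azp" in claims:
        return "app-only"
    return "unknown"


def get_app_only_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client credentials grant: the application authenticates as itself."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": STORAGE_SCOPE,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token (placeholder ids) for offline checks."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

APP_ONLY_SAMPLE = _fake_jwt({"aud": "https://storage.azure.com", "appid": "app-id-placeholder", "idtyp": "app"})
DELEGATED_SAMPLE = _fake_jwt({"aud": "https://storage.azure.com", "appid": "app-id-placeholder",
                              "scp": "user_impersonation", "upn": "user@example.com"})

if __name__ == "__main__":
    tok = get_app_only_token(os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"],
                             os.environ["AZURE_CLIENT_SECRET"])
    print(token_kind(decode_claims(tok)))
```

Pair this with a role assignment (for example Storage Blob Data Reader) scoped to the single container and granted to the service principal, so the only identity able to read the data is the application itself.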