Using AAD user & RBAC role for Storage Account Access
- To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments:
  - A data access role, such as Storage Blob Data Reader or Storage Blob Data Contributor
  - The Azure Resource Manager Reader role, at a minimum
- To learn how to assign these roles to a user, follow the instructions in the Azure documentation article "Assign Azure roles using the Azure portal".
- The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources. The Reader role is necessary so that users can navigate to blob containers in the Azure portal.
- For example, if you assign the Storage Blob Data Contributor role to user Mary at the level of a container named sample-container, then Mary is granted read, write, and delete access to all of the blobs in that container. However, if Mary wants to view a blob in the Azure portal, then the Storage Blob Data Contributor role by itself will not provide sufficient permissions to navigate through the portal to the blob in order to view it. The additional permissions are required to navigate through the portal and view the other resources that are visible there.
- A user must be assigned the Reader role to use the Azure portal with Azure AD credentials. However, if a user has been assigned a role with Microsoft.Storage/storageAccounts/listKeys/action permissions, then the user can use the portal with the storage account keys, via Shared Key authorization. To use the storage account keys, Shared Key access must be permitted for the storage account.
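The two assignments described above, plus a check for the Shared Key caveat, as an added Azure CLI example that is not part of the original page; it assumes the `az` CLI is installed and logged in, and every subscription, resource group, account, container and user value is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: grants one user the data-plane role
# on one container and Reader on the account, then checks whether Shared Key
# authorization is still enabled. Assumes the Azure CLI ("az") is installed and
# logged in; all names are placeholders. DRY_RUN=1 (default) only prints commands.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"                              # placeholder
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stexample}"                              # placeholder
CONTAINER="${CONTAINER:-sample-container}"
USER_UPN="${USER_UPN:-mary@example.com}"                                     # placeholder
DRY_RUN="${DRY_RUN:-1}"
# Storage account resource ID: the scope for the management-plane Reader role.
account_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}
# Single-container resource ID: the narrowest scope for a data-plane role.
container_scope() {
  printf '%s/blobServices/default/containers/%s' "$(account_scope "$1" "$2" "$3")" "$4"
}
# Print the az command in dry-run mode, otherwise execute it.
run_az() {
  if [ "$DRY_RUN" = 1 ]; then printf 'az'; printf ' "%s"' "$@"; printf '\n'; else az "$@"; fi
}
assign_role() {  # $1 role name, $2 user principal name, $3 scope
  run_az role assignment create --role "$1" --assignee "$2" --scope "$3" --output none
}
# Interpret allowSharedKeyAccess as printed by "az storage account show ... -o tsv":
# only an explicit "false" disables Shared Key; "true" or an unset property leaves it on.
shared_key_allowed() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    false) return 1 ;;
    *) return 0 ;;
  esac
}

main() {
  assign_role "Storage Blob Data Contributor" "$USER_UPN" \
    "$(container_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER")"
  assign_role "Reader" "$USER_UPN" \
    "$(account_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")"
  [ "$DRY_RUN" = 1 ] && return 0
  flag="$(az storage account show --name "$STORAGE_ACCOUNT" --resource-group "$RESOURCE_GROUP" \
            --query allowSharedKeyAccess --output tsv)"
  if shared_key_allowed "$flag"; then
    echo "WARNING: Shared Key access is still enabled; listKeys holders bypass RBAC" >&2
  fi
}
main
```

Run with `DRY_RUN=0` to apply the assignments; the Reader assignment at account scope is what lets the user browse to the container in the portal, while the data role stays limited to that one container.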
Tag: Azure