Can I use service principal to create/update the life management policy of the storage account in another subscription

George Sun 1 Reputation point
2021-11-09T21:53:18.017+00:00

Hi,

I wonder whether I can use my service principal to create/update the life management policy of the storage account in another subscription. If yes, what is the scopes/permissions configuration in my service principal and in the destination storage account?

Best
George


1 answer

  1. Sumarigo-MSFT 43,001 Reputation points Microsoft Employee
    2021-11-10T08:27:47.267+00:00

    @George Sun In order to understand the issue better: you are trying to create a service principal for Azure Blob Storage lifecycle management for another subscription, am I correct? If so, it's not possible for now!

    From the service principal's perspective, it should be able to authenticate against / access the resources if the subscriptions are within the same tenant.

    Management Policies - Create Or Update (Service: Storage Resource Provider)


    Additional information: Managed identities for Azure resources can be used to authenticate to services that support Azure AD authentication. For a list of Azure services that support the managed identities for Azure resources feature, see Services that support managed identities for Azure resources.

    Which operations can I perform using managed identities?

    Authorize access to blob or queue data from a native or web application

    Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to blob data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.

    An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources. The RBAC roles that are assigned to a security principal determine the permissions that the principal will have. To learn more about assigning Azure roles for blob access, see Assign an Azure role for access to blob data.

    Please let us know if you have any further queries. I’m happy to assist you further.

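The following is an added example, not code from the thread or from Microsoft, showing the least-privilege wiring behind the answer above: a service principal in one subscription managing the lifecycle policy of a storage account in another subscription of the same Azure AD tenant. It defines a custom role holding only the `Microsoft.Storage/storageAccounts/managementPolicies/*` actions (the built-in Storage Account Contributor role also covers them but grants far more), assigns it at the scope of the single storage account, and then writes a lifecycle policy in the JSON shape that `az storage account management-policy create` accepts. All IDs, names and the policy rule itself are placeholders/assumptions; the custom role name is invented for the example.

```shell
# Added example (not from the original thread): service principal in subscription A
# managing the blob lifecycle policy of a storage account in subscription B (same tenant).
# Every ID and name below is a placeholder/assumption; replace before running with "apply".
set -eu

SUB_B="00000000-0000-0000-0000-00000000000b"   # placeholder: subscription owning the account
RG_B="rg-placeholder"                          # placeholder resource group in subscription B
STORAGE_ACCT="stplaceholder"                   # placeholder storage account name
SP_APP_ID="<service-principal-appId>"          # placeholder: the SP's application (client) ID
TENANT_ID="<tenant-id>"                        # placeholder: the shared Azure AD tenant
ROLE_NAME="Storage Lifecycle Policy Operator (custom)"   # invented custom role name

# Resource ID of the storage account: the assignment scope, so the SP gets nothing else in B.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# Custom role definition: only the management-policy actions plus read on the account.
write_role_json() {
  cat > "$1" <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Read/write blob lifecycle management policies only",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/managementPolicies/read",
    "Microsoft.Storage/storageAccounts/managementPolicies/write"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/$SUB_B"]
}
EOF
}

# Lifecycle policy document (constructed sample rule): block blobs under logs/ go to the
# cool tier 30 days after last modification and are deleted after 365 days.
write_policy_json() {
  cat > "$1" <<'EOF'
{
  "rules": [
    {
      "enabled": true,
      "name": "logs-tier-and-expire",
      "type": "Lifecycle",
      "definition": {
        "actions": {
          "baseBlob": {
            "tierToCool": { "daysAfterModificationGreaterThan": 30 },
            "delete":     { "daysAfterModificationGreaterThan": 365 }
          }
        },
        "filters": {
          "blobTypes": ["blockBlob"],
          "prefixMatch": ["logs/"]
        }
      }
    }
  ]
}
EOF
}

# Azure CLI steps; only run when the script is invoked with "apply", so the helpers
# above can be inspected/tested without an Azure session.
apply_cross_subscription_policy() {
  role_file=$(mktemp); policy_file=$(mktemp)
  write_role_json "$role_file"
  write_policy_json "$policy_file"
  scope=$(storage_scope "$SUB_B" "$RG_B" "$STORAGE_ACCT")

  # 1. An Owner of subscription B creates the role and assigns it at storage-account scope.
  az role definition create --role-definition "@$role_file"
  az role assignment create --assignee "$SP_APP_ID" --role "$ROLE_NAME" --scope "$scope"

  # 2. The service principal signs in to the shared tenant and writes the policy in B.
  az login --service-principal -u "$SP_APP_ID" \
    -p "${SP_SECRET:?set SP_SECRET in the environment}" --tenant "$TENANT_ID"
  az storage account management-policy create \
    --subscription "$SUB_B" --resource-group "$RG_B" --account-name "$STORAGE_ACCT" \
    --policy "@$policy_file"

  # 3. Read it back to confirm (managementPolicies/read is part of the custom role).
  az storage account management-policy show \
    --subscription "$SUB_B" --resource-group "$RG_B" --account-name "$STORAGE_ACCT"
  rm -f "$role_file" "$policy_file"
}

if [ "${1:-}" = "apply" ]; then
  apply_cross_subscription_policy
fi
```

Run it as `sh script.sh apply` after replacing the placeholders and exporting `SP_SECRET`. The role is created once by someone with Owner rights on subscription B; the service principal itself never needs subscription-level rights, and `az role assignment list --scope "$scope"` afterwards shows exactly what it holds.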