Roles and requirements for Azure Data Share

This article describes the roles and permissions required to share and receive data using the Azure Data Share service.

Roles and requirements

With the Azure Data Share service, you can share data without exchanging credentials between the data provider and the data consumer. For snapshot-based sharing, Azure Data Share uses managed identities (previously known as MSIs) to authenticate to the Azure data store. The Azure Data Share resource's managed identity must be granted access to the Azure data store in order to read or write data.

To share or receive data from an Azure data store, the user needs at least the following permission.

  • Permission to write to the Azure data store. Typically, this permission is included in the Contributor role.

For storage and data lake snapshot-based sharing, you also need permission to create role assignments on the Azure data store. Typically, this permission is included in the Owner role, the User Access Administrator role, or a custom role that has the Microsoft.Authorization/roleAssignments/write permission assigned. This permission is not required if the data share resource's managed identity has already been granted access to the Azure data store. The following table summarizes the roles assigned to the Data Share resource's managed identity:

Data Store Type      | Data Provider Source Data Store | Data Consumer Target Data Store
Azure Blob Storage   | Storage Blob Data Reader        | Storage Blob Data Contributor
Azure Data Lake Gen1 | Owner                           | Not Supported
Azure Data Lake Gen2 | Storage Blob Data Reader        | Storage Blob Data Contributor

For SQL snapshot-based sharing, a SQL user must be created from an external provider in Azure SQL Database with the same name as the Azure Data Share resource. Azure Active Directory admin permission is required to create this user. The following table summarizes the permissions required by the SQL user.

SQL Database Type       | Data Provider SQL User Permission | Data Consumer SQL User Permission
Azure SQL Database      | db_datareader                     | db_datareader, db_datawriter, db_ddladmin
Azure Synapse Analytics | db_datareader                     | db_datareader, db_datawriter, db_ddladmin

Data provider

For storage and data lake snapshot-based sharing, to add a dataset in Azure Data Share, the provider data share resource's managed identity must be granted access to the source Azure data store. For example, in the case of a storage account, the data share resource's managed identity is granted the Storage Blob Data Reader role. This is done automatically by the Azure Data Share service when the user adds a dataset via the Azure portal and has the proper permission: for example, the user is an owner of the Azure data store, or is a member of a custom role that has the Microsoft.Authorization/roleAssignments/write permission assigned.

Alternatively, the user can have an owner of the Azure data store add the data share resource's managed identity to the Azure data store manually. This action only needs to be performed once per data share resource. To create a role assignment for the data share resource's managed identity manually, follow these steps.

  1. Navigate to the Azure data store.
  2. Select Access Control (IAM).
  3. Select Add a role assignment.
  4. Under Role, select the role in the role assignment table above (for example, for storage account, select Storage Blob Data Reader).
  5. Under Select, type in the name of your Azure Data Share resource.
  6. Click Save.

To learn more about role assignment, refer to Assign Azure roles using the Azure portal. If you are sharing data using REST APIs, you can create the role assignment using the API by referencing Assign Azure roles using the REST API.

For SQL snapshot-based sharing, a SQL user must be created from an external provider in SQL Database with the same name as the Azure Data Share resource, while connected to the SQL database using Azure Active Directory authentication. This user must be granted the db_datareader permission. A sample script along with other prerequisites for SQL-based sharing can be found in the Share from Azure SQL Database or Azure Synapse Analytics tutorial.

Data consumer

To receive data into a storage account, the consumer data share resource's managed identity must be granted access to the target storage account. The data share resource's managed identity must be granted the Storage Blob Data Contributor role. This is done automatically by the Azure Data Share service if the user specifies a target storage account via the Azure portal and has the proper permission: for example, the user is an owner of the storage account, or is a member of a custom role that has the Microsoft.Authorization/roleAssignments/write permission assigned.

Alternatively, the user can have an owner of the storage account add the data share resource's managed identity to the storage account manually. This action only needs to be performed once per data share resource. To create a role assignment for the data share resource's managed identity manually, follow these steps.

  1. Navigate to the Azure data store.
  2. Select Access Control (IAM).
  3. Select Add a role assignment.
  4. Under Role, select the role in the role assignment table above (for example, for a storage account target, select Storage Blob Data Contributor).
  5. Under Select, type in the name of your Azure Data Share resource.
  6. Click Save.

To learn more about role assignment, refer to Assign Azure roles using the Azure portal. If you are receiving data using REST APIs, you can create the role assignment using the API by referencing Assign Azure roles using the REST API.
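The manual role-assignment steps above, for both the data provider (Storage Blob Data Reader on the source store) and the data consumer (Storage Blob Data Contributor on the target store), can be scripted with the Azure CLI. The following is an added example, not code from the Azure Data Share documentation; it assumes `az` is logged in as a principal that holds Microsoft.Authorization/roleAssignments/write on the data store, that the Data Share account uses its system-assigned managed identity, and that both resources are referenced by their full resource IDs. After assigning the role it lists every role the identity holds at that scope and fails if anything broader than the expected role is present.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure docs). Assumes: `az` is logged in as a principal
# with Microsoft.Authorization/roleAssignments/write on the data store (Owner or
# User Access Administrator), and a Data Share account with a system-assigned identity.
set -eu

# Map a data store type and sharing side to the built-in role from the table above.
# store: blob | adlsgen2 | adlsgen1     side: provider | consumer
data_share_role() {
  case "$1:$2" in
    blob:provider|adlsgen2:provider) echo "Storage Blob Data Reader" ;;
    blob:consumer|adlsgen2:consumer) echo "Storage Blob Data Contributor" ;;
    adlsgen1:provider)               echo "Owner" ;;
    adlsgen1:consumer)               echo "ADLS Gen1 is not supported as a target" >&2; return 1 ;;
    *)                               echo "unknown store/side: $1/$2" >&2; return 2 ;;
  esac
}

# Object (principal) ID of the Data Share resource's managed identity.
data_share_principal_id() {   # $1 = Data Share account resource ID
  az resource show --ids "$1" --query identity.principalId -o tsv
}

# Create the role assignment, then verify the identity holds nothing broader
# than the expected role at this scope (least-privilege check).
assign_and_verify() {         # $1 = principal ID, $2 = data store resource ID, $3 = role name
  az role assignment create --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "$3" --scope "$2" -o none
  extra=$(az role assignment list --assignee "$1" --scope "$2" \
    --query "[?roleDefinitionName!='$3'].roleDefinitionName" -o tsv)
  if [ -n "$extra" ]; then
    echo "least-privilege check failed; identity also holds: $extra" >&2
    return 1
  fi
  echo "ok: $3 assigned at $2"
}

# Usage: ./assign.sh <datashare-resource-id> <datastore-resource-id> <blob|adlsgen2|adlsgen1> <provider|consumer>
if [ "$#" -eq 4 ]; then
  role=$(data_share_role "$3" "$4")
  assign_and_verify "$(data_share_principal_id "$1")" "$2" "$role"
fi
```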

For a SQL-based target, a SQL user must be created from an external provider in SQL Database with the same name as the Azure Data Share resource, while connected to the SQL database using Azure Active Directory authentication. This user must be granted the db_datareader, db_datawriter, and db_ddladmin permissions. A sample script along with other prerequisites for SQL-based sharing can be found in the Share from Azure SQL Database or Azure Synapse Analytics tutorial.
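The SQL user setup described for the provider (db_datareader only) and for the consumer (db_datareader, db_datawriter, db_ddladmin) can be generated from the table above and applied with sqlcmd. This is an added example and not the tutorial's sample script; it assumes the sqlcmd login is the database's Azure Active Directory admin (required for CREATE USER ... FROM EXTERNAL PROVIDER), that the installed sqlcmd supports the -G Azure AD flag and reads batches from stdin, and that the Data Share resource name is restricted to letters, digits, hyphens and underscores. The emitted script ends with an audit query so the operator can confirm the user holds exactly the listed roles.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure docs). Emits the T-SQL that creates the Data Share
# SQL user from the external (Azure AD) provider and grants exactly the roles from the
# SQL table above; optionally applies it with sqlcmd over Azure AD authentication.
set -eu

# $1 = Data Share resource name (must match the resource exactly), $2 = provider | consumer
data_share_sql_script() {
  # The name is spliced into SQL, so reject anything outside a conservative character set.
  case "$1" in
    ""|*[!A-Za-z0-9_-]*) echo "refusing unsafe Data Share name: $1" >&2; return 2 ;;
  esac
  case "$2" in
    provider) roles="db_datareader" ;;
    consumer) roles="db_datareader db_datawriter db_ddladmin" ;;
    *) echo "side must be provider or consumer" >&2; return 2 ;;
  esac
  printf "IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'%s')\n" "$1"
  printf "    CREATE USER [%s] FROM EXTERNAL PROVIDER;\n" "$1"
  printf "GO\n"
  for r in $roles; do
    printf "ALTER ROLE %s ADD MEMBER [%s];\n" "$r" "$1"
  done
  # Audit query: every database role the user is a member of, so the operator can
  # confirm it matches the table and nothing broader (e.g. db_owner) slipped in.
  printf "SELECT r.name AS role_name FROM sys.database_role_members m\n"
  printf "  JOIN sys.database_principals r ON r.principal_id = m.role_principal_id\n"
  printf "  JOIN sys.database_principals u ON u.principal_id = m.member_principal_id\n"
  printf " WHERE u.name = N'%s';\n" "$1"
  printf "GO\n"
}

# Apply the script using Azure AD authentication (sqlcmd prompts for the admin password).
# $1 = server FQDN, $2 = database, $3 = Azure AD admin login, $4 = Data Share name, $5 = side
apply_data_share_sql() {
  data_share_sql_script "$4" "$5" | sqlcmd -S "$1" -d "$2" -G -U "$3"
}

# Usage: ./sqluser.sh <server> <database> <aad-admin-login> <datashare-name> <provider|consumer>
if [ "$#" -eq 5 ]; then
  apply_data_share_sql "$@"
fi
```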

Resource provider registration

You may need to manually register the Microsoft.DataShare resource provider into your Azure subscription in the following scenarios:

  • View Azure Data Share invitation for the first time in your Azure tenant
  • Share data from an Azure data store in a different Azure subscription from your Azure Data Share resource
  • Receive data into an Azure data store in a different Azure subscription from your Azure Data Share resource

Follow these steps to register the Microsoft.DataShare resource provider in your Azure subscription. You need Contributor access to the Azure subscription to register a resource provider.

  1. In the Azure portal, navigate to Subscriptions.
  2. Select the subscription that you're using for Azure Data Share.
  3. Click on Resource Providers.
  4. Search for Microsoft.DataShare.
  5. Click Register.

To learn more about resource providers, refer to Azure resource providers and types.

Next steps