Grant access to Azure blob and queue data with RBAC in the Azure portal

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access blob or queue data.

When an RBAC role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

This article describes how to use the Azure portal to assign RBAC roles. The Azure portal provides a simple interface for assigning RBAC roles and managing access to your storage resources. You can also assign RBAC roles for blob and queue resources using Azure command-line tools or the Azure Storage management APIs. For more information about RBAC roles for storage resources, see Authenticate access to Azure blobs and queues using Azure Active Directory.

RBAC roles for blobs and queues

Azure provides the following built-in RBAC roles for authorizing access to blob and queue data using Azure AD and OAuth:

Note

RBAC role assignments may take up to five minutes to propagate.

Only roles explicitly defined for data access permit a security principal to access blob or queue data. Roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account.

Determine resource scope

Before you assign an RBAC role to a security principal, determine the scope of access that the security principal should have. As a best practice, grant only the narrowest scope that meets the need.

The following list describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest scope:

  • An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
  • An individual queue. At this scope, a role assignment applies to messages in the queue, as well as queue properties and metadata.
  • The storage account. At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages.
  • The resource group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
  • The subscription. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.

Important

If your subscription includes an Azure Databricks namespace, roles assigned at the subscription scope will be blocked from granting access to blob and queue data.

Assign RBAC roles using the Azure portal

After you have determined the appropriate scope for a role assignment, navigate to that resource in the Azure portal. Display the Access Control (IAM) settings for the resource, and follow these instructions to manage role assignments:

  1. Assign the appropriate Azure Storage RBAC role to grant access to an Azure AD security principal.

  2. Assign the Azure Resource Manager Reader role to users who need to access containers or queues via the Azure portal using their Azure AD credentials.

The following sections describe each of these steps in more detail.

Note

As an owner of your Azure Storage account, you are not automatically assigned permissions to access data. You must explicitly assign yourself an RBAC role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or a container or queue.

You cannot assign a role scoped to a container or queue if your storage account has a hierarchical namespace enabled.

Assign a built-in RBAC role

Before you assign a role to a security principal, be sure to consider the scope of the permissions you are granting. Review the Determine resource scope section to decide the appropriate scope.

The procedure shown here assigns a role scoped to a container, but you can follow the same steps to assign a role scoped to a queue:

  1. In the Azure portal, navigate to your storage account and display the Overview for the account.

  2. Under Services, select Blobs.

  3. Locate the container for which you want to assign a role, and display the container's settings.

  4. Select Access control (IAM) to display access control settings for the container. Select the Role assignments tab to see the list of role assignments.

    Screenshot showing container access control settings

  5. Click the Add role assignment button to add a new role.

  6. In the Add role assignment window, select the Azure Storage role that you want to assign. Then search to locate the security principal to which you want to assign that role.

    Screenshot showing how to assign an RBAC role

  7. Click Save. The identity to whom you assigned the role appears listed under that role. For example, the following image shows that the user added now has read permissions to data in the container named sample-container.

    Screenshot showing list of users assigned to a role

You can follow similar steps to assign a role scoped to the storage account, resource group, or subscription.

Assign the Reader role for portal access

When you assign a built-in or custom role for Azure Storage to a security principal, you are granting permissions to that security principal to perform operations on data in your storage account. The built-in Data Reader roles provide read permissions for the data in a container or queue, while the built-in Data Contributor roles provide read, write, and delete permissions to a container or queue. Permissions are scoped to the specified resource.

For example, if you assign the Storage Blob Data Contributor role to user Mary at the level of a container named sample-container, then Mary is granted read, write, and delete access to all of the blobs in that container.

However, if Mary wants to view a blob in the Azure portal, then the Storage Blob Data Contributor role by itself will not provide sufficient permissions to navigate through the portal to the blob in order to view it. Additional Azure AD permissions are required to navigate through the portal and view the other resources that are visible there.

If your users need to be able to access blobs in the Azure portal, assign them an additional RBAC role, the Reader role, at the level of the storage account or above. The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, only to account management resources.

Follow these steps to assign the Reader role so that a user can access blobs from the Azure portal. In this example, the assignment is scoped to the storage account:

  1. In the Azure portal, navigate to your storage account.
  2. Select Access control (IAM) to display the access control settings for the storage account. Select the Role assignments tab to see the list of role assignments.
  3. In the Add role assignment window, select the Reader role.
  4. From the Assign access to field, select Azure AD user, group, or service principal.
  5. Search to locate the security principal to which you want to assign the role.
  6. Save the role assignment.

Note

Assigning the Reader role is necessary only for users who need to access blobs or queues using the Azure portal.
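As an added example that is not part of the original article, the same decisions made in the scope section and the two assignment procedures above (a data role scoped to a container, plus Reader at the account level for portal access) expressed with the Azure CLI. The helper names storage_scope, is_data_role and assign_role are hypothetical, and the subscription id, resource group, account name and user are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the article's own code. storage_scope builds the Azure
# Resource Manager scope for each level the article lists; assign_role prints
# the matching `az role assignment create` command and only runs it when
# AZ_APPLY=1, so the assignment can be reviewed before anything changes.

# storage_scope LEVEL SUBSCRIPTION_ID RESOURCE_GROUP STORAGE_ACCOUNT [CONTAINER_OR_QUEUE]
storage_scope() {
    level=$1; sub=$2; rg=$3; acct=$4; name=${5:-}
    base="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$acct"
    case $level in
        subscription)  echo "/subscriptions/$sub" ;;
        resourcegroup) echo "/subscriptions/$sub/resourceGroups/$rg" ;;
        account)       echo "$base" ;;
        container)     echo "$base/blobServices/default/containers/$name" ;;
        queue)         echo "$base/queueServices/default/queues/$name" ;;
        *) echo "unknown scope level: $level" >&2; return 1 ;;
    esac
}

# is_data_role ROLE: succeeds only for built-in roles that grant blob or queue
# data access. Owner, Contributor and Storage Account Contributor manage the
# account without granting data access; Reader only makes it visible in the portal.
is_data_role() {
    case $1 in
        "Storage Blob Data Owner"|"Storage Blob Data Contributor"|"Storage Blob Data Reader"|\
        "Storage Queue Data Contributor"|"Storage Queue Data Reader"|\
        "Storage Queue Data Message Processor"|"Storage Queue Data Message Sender") return 0 ;;
        *) return 1 ;;
    esac
}

# assign_role ROLE ASSIGNEE SCOPE: ASSIGNEE is a user, group or service
# principal (object id or UPN). Equivalent to the portal's "Add role assignment".
assign_role() {
    role=$1; assignee=$2; scope=$3
    if ! is_data_role "$role" && [ "$role" != "Reader" ]; then
        echo "warning: '$role' is a management role and grants no blob/queue data access" >&2
    fi
    printf 'az role assignment create --role "%s" --assignee "%s" --scope "%s"\n' \
        "$role" "$assignee" "$scope"
    if [ "${AZ_APPLY:-0}" = "1" ]; then
        az role assignment create --role "$role" --assignee "$assignee" --scope "$scope"
    fi
}

# Constructed placeholder values; replace with your own before setting AZ_APPLY=1.
SUB="00000000-0000-0000-0000-000000000000"; RG="rg-demo"; ACCT="stdemo"; PRINCIPAL="mary@example.com"
# Mary's data access is limited to sample-container, and Reader at the account
# level lets her reach that container through the portal.
assign_role "Storage Blob Data Contributor" "$PRINCIPAL" "$(storage_scope container "$SUB" "$RG" "$ACCT" sample-container)"
assign_role "Reader" "$PRINCIPAL" "$(storage_scope account "$SUB" "$RG" "$ACCT")"
```

Remember that role assignments can take up to five minutes to propagate, and that container- or queue-scoped assignments are not available on accounts with a hierarchical namespace.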

Next steps