Use the Azure portal to assign an Azure role for access to blob and queue data
Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob or queue data.
When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.
This article describes how to use the Azure portal to assign Azure roles. The Azure portal provides a simple interface for assigning Azure roles and managing access to your storage resources. You can also assign Azure roles for blob and queue resources using Azure command-line tools or the Azure Storage management APIs. For more information about Azure roles for storage resources, see Authenticate access to Azure blobs and queues using Azure Active Directory.
Azure roles for blobs and queues
Azure provides the following Azure built-in roles for authorizing access to blob and queue data using Azure AD and OAuth:
- Storage Blob Data Owner: Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2. For more information, see Access control in Azure Data Lake Storage Gen2.
- Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
- Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
- Storage Blob Delegator: Get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.
- Storage Queue Data Contributor: Use to grant read/write/delete permissions to Azure queues.
- Storage Queue Data Reader: Use to grant read-only permissions to Azure queues.
- Storage Queue Data Message Processor: Use to grant peek, retrieve, and delete permissions to messages in Azure Storage queues.
- Storage Queue Data Message Sender: Use to grant add permissions to messages in Azure Storage queues.
Only roles explicitly defined for data access permit a security principal to access blob or queue data. Built-in roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account via Azure AD. However, if a role includes the Microsoft.Storage/storageAccounts/listKeys/action, then a user to whom that role is assigned can access data in the storage account via Shared Key authorization with the account access keys. For more information, see Use the Azure portal to access blob or queue data.
For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the Storage section in Azure built-in roles for Azure RBAC. Additionally, for information about the different types of roles that provide permissions in Azure, see Classic subscription administrator roles, Azure roles, and Azure AD roles.
Azure role assignments may take up to five minutes to propagate.
Determine resource scope
Before you assign an Azure role to a security principal, determine the scope of access that the security principal should have. Best practices dictate that it's always best to grant only the narrowest possible scope.
The following list describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest scope:
- An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
- An individual queue. At this scope, a role assignment applies to messages in the queue, as well as queue properties and metadata.
- The storage account. At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages.
- The resource group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
- The subscription. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.
- A management group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in all of the subscriptions in the management group.
For more information about Azure role assignments and scope, see What is Azure role-based access control (Azure RBAC)?.
Assign Azure roles using the Azure portal
After you have determined the appropriate scope for a role assignment, navigate to that resource in the Azure portal. Display the Access Control (IAM) settings for the resource, and follow these instructions to manage role assignments:
Assign the appropriate Azure Storage Azure role to grant access to an Azure AD security principal.
Assign the Azure Resource Manager Reader role to users who need to access containers or queues via the Azure portal using their Azure AD credentials.
The following sections describe each of these steps in more detail.
As an owner of your Azure Storage account, you are not automatically assigned permissions to access data. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or a container or queue.
You cannot assign a role scoped to a container or queue if your storage account has a hierarchical namespace enabled.
Assign an Azure built-in role
Before you assign a role to a security principal, be sure to consider the scope of the permissions you are granting. Review the Determine resource scope section to decide the appropriate scope.
The procedure shown here assigns a role scoped to a container, but you can follow the same steps to assign a role scoped to a queue:
In the Azure portal, go to your storage account and display the Overview for the account.
Under Services, select Blobs.
Locate the container for which you want to assign a role, and display the container's settings.
Select Access control (IAM) to display access control settings for the container. Select the Role assignments tab to see the list of role assignments.
Click the Add role assignment button to add a new role.
In the Add role assignment window, select the Azure Storage role that you want to assign. Then search to locate the security principal to which you want to assign that role.
Click Save. The identity to whom you assigned the role appears listed under that role. For example, the following image shows that the user added now has read permissions to data in the container named sample-container.
You can follow similar steps to assign a role scoped to the storage account, resource group, or subscription.
Assign the Reader role for portal access
When you assign a built-in or custom role for Azure Storage to a security principal, you are granting permissions to that security principal to perform operations on data in your storage account. The built-in Data Reader roles provide read permissions for the data in a container or queue, while the built-in Data Contributor roles provide read, write, and delete permissions to a container or queue. Permissions are scoped to the specified resource.
For example, if you assign the Storage Blob Data Contributor role to user Mary at the level of a container named sample-container, then Mary is granted read, write, and delete access to all of the blobs in that container.
However, if Mary wants to view a blob in the Azure portal, then the Storage Blob Data Contributor role by itself will not provide sufficient permissions to navigate through the portal to the blob in order to view it. Additional Azure AD permissions are required to navigate through the portal and view the other resources that are visible there.
If your users need to be able to access blobs in the Azure portal, then assign them an additional Azure role, the Reader role, to those users, at the level of the storage account or above. The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources.
Follow these steps to assign the Reader role so that a user can access blobs from the Azure portal. In this example, the assignment is scoped to the storage account:
- In the Azure portal, navigate to your storage account.
- Select Access control (IAM) to display the access control settings for the storage account. Select the Role assignments tab to see the list of role assignments.
- In the Add role assignment window, select the Reader role.
- From the Assign access to field, select Azure AD user, group, or service principal.
- Search to locate the security principal to which you want to assign the role.
- Save the role assignment.
Assigning the Reader role is necessary only for users who need to access blobs or queues using the Azure portal.
The preview version of Storage Explorer in the Azure portal does not support using Azure AD credentials to view and modify blob or queue data. Storage Explorer in the Azure portal always uses the account keys to access data. To use Storage Explorer in the Azure portal, you must be assigned a role that includes Microsoft.Storage/storageAccounts/listkeys/action.
- For more information about Azure roles for storage resources, see Authenticate access to Azure blobs and queues using Azure Active Directory.
- To learn more about Azure RBAC, see What is Azure role-based access control (Azure RBAC)?.
- To learn how to assign and manage Azure role assignments with Azure PowerShell, Azure CLI, or the REST API, see these articles:
- To learn how to authorize access to containers and queues from within your storage applications, see Use Azure AD with Azure Storage applications.