Example Azure role assignment conditions (preview)

Important

Azure ABAC and Azure role assignment conditions are currently in preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

This article lists some examples of role assignment conditions.

Prerequisites

For information about the prerequisites to add or edit role assignment conditions, see Conditions prerequisites.

Blob index tags

Example: Read blobs with a blob index tag

This condition allows users to read blobs that carry a blob index tag with the key Project and the value Cascade. Attempts to read blobs without this key-value tag are denied. The $key_case_sensitive$ suffix on the tag attribute means the key must match case exactly.

You must add this condition to any role assignments that include the following action.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Diagram of condition showing read access to blobs with a blob index tag.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.Read.WithTagConditions'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Read content from a blob with tag conditions
Attribute source Resource
Attribute Blob index tags [Values in key]
Key {keyName}
Operator StringEquals
Value {keyValue}

Screenshot of condition editor in Azure portal showing read access to blobs with a blob index tag.

Azure PowerShell

Here's how to add this condition using Azure PowerShell.

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.Read.WithTagConditions'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>] StringEquals 'Cascade'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

Here's how to test this condition.

$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
Get-AzStorageBlob -Container <containerName> -Blob <blobName> -Context $bearerCtx 
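The test above only issues the call; it does not check the outcome. The following is an added example, not part of the original article, that closes that loop: it confirms the condition is actually attached to the assignment, stages three test blobs (matching tag, wrong value, no tag) using a second context built from the account key, and then asserts that the conditioned user can read only the Project=Cascade blob. The container name example1, the blob names, the $adminCtx variable and the Test-Access helper are assumptions for this example; the 403 / AuthorizationPermissionMismatch match is how a role assignment condition denial surfaces on the blob data plane.

```powershell
# Added example (not from the original article): verify the Project=Cascade read condition end to end.
# Assumptions: the condition from this section is already on the assignment; $scope, $roleDefinitionName
# and $userObjectID identify it; you are signed in (Connect-AzAccount) as the conditioned user;
# $adminCtx is a second context built from the account key and used only to stage test blobs.
$storageAccountName = '<storageAccountName>'
$container = 'example1'                       # assumed test container
$adminCtx  = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey '<accountKey>'
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount

# 1. Confirm the condition is really attached before trusting any test result.
$ra = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
if ($ra.ConditionVersion -ne '2.0' -or
    -not $ra.Condition.Contains('tags:Project<$key_case_sensitive$>] StringEquals ''Cascade''')) {
    throw "Condition is not present on role assignment $($ra.RoleAssignmentId)"
}

# 2. Stage one matching blob and two that must be denied (wrong value, no tag at all).
$tmp = New-TemporaryFile
$fixtures = @(
    @{ Blob = 'granted.txt';    Tag = @{ Project = 'Cascade' } }
    @{ Blob = 'wrongvalue.txt'; Tag = @{ Project = 'Baker' } }
    @{ Blob = 'untagged.txt';   Tag = $null }
)
foreach ($f in $fixtures) {
    $upload = @{ File = $tmp.FullName; Container = $container; Blob = $f.Blob; Context = $adminCtx; Force = $true }
    if ($f.Tag) { $upload.Tag = $f.Tag }
    Set-AzStorageBlobContent @upload | Out-Null
}

# 3. Run an operation as the conditioned user and classify the outcome. A role assignment condition
#    that denies a data-plane call surfaces as HTTP 403 AuthorizationPermissionMismatch; anything
#    else (404, throttling, network) is a test-setup problem and is rethrown.
function Test-Access([scriptblock]$Operation) {
    try { & $Operation | Out-Null; return 'Allowed' }
    catch {
        if ($_.Exception.Message -match '403|AuthorizationPermissionMismatch') { return 'Denied' }
        throw
    }
}

# 4. Expected outcomes per fixture; fail loudly if the condition does not behave as documented.
$expected = @{ 'granted.txt' = 'Allowed'; 'wrongvalue.txt' = 'Denied'; 'untagged.txt' = 'Denied' }
$failures = 0
foreach ($f in $fixtures) {
    $got = Test-Access { Get-AzStorageBlob -Container $container -Blob $f.Blob -Context $bearerCtx }
    $ok  = $got -eq $expected[$f.Blob]
    if (-not $ok) { $failures++ }
    '{0,-4} {1,-15} expected {2,-7} got {3}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $f.Blob, $expected[$f.Blob], $got
}
if ($failures) { throw "$failures check(s) failed; do not roll this assignment out." }
```

The same pattern applies to every other example on this page: stage fixtures with a context that bypasses the assignment under test, then probe as the conditioned principal and compare against the documented outcome. Run it before the assignment is widened to real users, and again after any edit to the condition string, since a typo in an attribute name silently evaluates to false and denies everything the clause covers.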

Example: New blobs must include a blob index tag

This condition requires that any new blob include a blob index tag key of Project with a value of Cascade.

There are two actions that allow you to create new blobs, so you must target both. You must add this condition to any role assignments that include one of the following actions.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

Diagram of condition showing new blobs must include a blob index tag.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
 )
 OR 
 (
  @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Write to a blob with blob index tags
Write content to a blob with blob index tags
Attribute source Request
Attribute Blob index tags [Values in key]
Key {keyName}
Operator StringEquals
Value {keyValue}

Screenshot of condition editor in Azure portal showing new blobs must include a blob index tag.

Azure PowerShell

Here's how to add this condition using Azure PowerShell.

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})) OR (@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>] StringEquals 'Cascade'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

Here's how to test this condition.

$localSrcFile = <pathToLocalFile> # path to an example file, can be an empty txt
$ungrantedTag = @{'Project'='Baker'}
$grantedTag = @{'Project'='Cascade'}
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# try ungranted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example2 -Blob "Example2.txt" -Tag $ungrantedTag -Context $bearerCtx
# try granted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example2 -Blob "Example2.txt" -Tag $grantedTag -Context $bearerCtx

Example: Existing blobs must have blob index tag keys

This condition requires that every blob index tag key written to an existing blob be one of the allowed keys: Project or Program. The ForAllOfAnyValues operator checks every key in the request against the allowed list, so a request that sets Project together with an unlisted key such as Mode is denied, not only a request that has no allowed key at all. This condition is useful for adding governance to existing blobs.

There are two actions that allow you to update tags on existing blobs, so you must target both. You must add this condition to any role assignments that include one of the following actions.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write

Diagram of condition showing existing blobs must have blob index tag keys.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})
 )
 OR 
 (
  @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&] ForAllOfAnyValues:StringEquals {'Project', 'Program'}
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Write to a blob with blob index tags
Write blob index tags
Attribute source Request
Attribute Blob index tags [Keys]
Operator ForAllOfAnyValues:StringEquals
Value {keyName1}
{keyName2}

Screenshot of condition editor in Azure portal showing existing blobs must have blob index tag keys.

Azure PowerShell

Here's how to add this condition using Azure PowerShell.

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})) OR (@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&`$keys`$&] ForAllOfAnyValues:StringEquals {'Project', 'Program'}))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

Here's how to test this condition.

$localSrcFile = <pathToLocalFile> # path to an example file, can be an empty txt
$ungrantedTag = @{'Mode'='Baker'}
$grantedTag = @{'Program'='Alpine';'Project'='Cascade'}
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# try ungranted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example3 -Blob "Example3.txt" -Tag $ungrantedTag -Context $bearerCtx
# try granted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example3 -Blob "Example3.txt" -Tag $grantedTag -Context $bearerCtx

Example: Existing blobs must have a blob index tag key and values

This condition requires that any existing blob have a blob index tag key of Project whose value is Cascade, Baker, or Skagit. This condition is useful for adding governance to existing blobs.

There are two actions that allow you to update tags on existing blobs, so you must target both. You must add this condition to any role assignments that include one of the following actions.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write

Diagram of condition showing existing blobs must have a blob index tag key and values.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})
 )
 OR 
 (
  @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&$keys$&] ForAnyOfAnyValues:StringEquals {'Project'}
  AND
  @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] ForAllOfAnyValues:StringEquals {'Cascade', 'Baker', 'Skagit'}
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Write to a blob with blob index tags
Write blob index tags
Attribute source Request
Attribute Blob index tags [Keys]
Operator ForAnyOfAnyValues:StringEquals
Value {keyName}
Operator And
Expression 2
Attribute source Request
Attribute Blob index tags [Values in key]
Key {keyName}
Operator ForAllOfAnyValues:StringEquals
Value {keyValue1}
{keyValue2}
{keyValue3}

Screenshot of condition editor in Azure portal showing existing blobs must have a blob index tag key and values.

Azure PowerShell

Here's how to add this condition using Azure PowerShell.

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})) OR (@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&`$keys`$&] ForAnyOfAnyValues:StringEquals {'Project'} AND @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>] ForAllOfAnyValues:StringEquals {'Cascade', 'Baker', 'Skagit'}))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

Here's how to test this condition.

$localSrcFile = <pathToLocalFile>
$ungrantedTag = @{'Project'='Alpine'}
$grantedTag1 = @{'Project'='Cascade'}
$grantedTag2 = @{'Project'='Baker'}
$grantedTag3 = @{'Project'='Skagit'}
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# try ungranted tags
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $ungrantedTag -Context $bearerCtx
# try granted tags
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $grantedTag1 -Context $bearerCtx
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $grantedTag2 -Context $bearerCtx
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $grantedTag3 -Context $bearerCtx

Blob container names or paths

Example: Read, write, or delete blobs in named containers

This condition allows users to read, write, or delete blobs in storage containers named blobs-example-container. This condition is useful for sharing specific storage containers with other users in a subscription.

There are five actions for read, write, and delete of existing blobs. You must add this condition to any role assignments that include one of the following actions.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action Add if the role definition includes this action, such as Storage Blob Data Owner. Add if the storage accounts included in this condition have hierarchical namespace enabled or might be enabled in the future.

Suboperations aren't used in this condition: a suboperation is needed only when a condition is authored on blob index tags, or when list operations must be treated separately from other reads, as in the later path examples.

Diagram of condition showing read, write, or delete blobs in named containers.

Storage Blob Data Owner

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
 )
)

Storage Blob Data Contributor

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Delete a blob
Read a blob
Write to a blob
Create a blob or snapshot, or append data
All data operations for accounts with hierarchical namespace enabled (if applicable)
Attribute source Resource
Attribute Container name
Operator StringEquals
Value {containerName}

Screenshot of condition editor in Azure portal showing read, write, or delete blobs in named containers.

Azure PowerShell

Here's how to add this condition using Azure PowerShell.

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

Here's how to test this condition.

$localSrcFile = <pathToLocalFile>
$grantedContainer = "blobs-example-container"
$ungrantedContainer = "ungranted"
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Ungranted Container actions
$content = Set-AzStorageBlobContent -File $localSrcFile -Container $ungrantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Get-AzStorageBlobContent -Container $ungrantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Remove-AzStorageBlob -Container $ungrantedContainer -Blob "Example5.txt" -Context $bearerCtx
# Granted Container actions
$content = Set-AzStorageBlobContent -File $localSrcFile -Container $grantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Remove-AzStorageBlob -Container $grantedContainer -Blob "Example5.txt" -Context $bearerCtx

Example: Read blobs in named containers with a path

This condition allows read access to storage containers named blobs-example-container with a blob path of readonly/*. This condition is useful for sharing specific parts of storage containers for read access with other users in the subscription.

You must add this condition to any role assignments that include the following actions.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action Add if the role definition includes this action, such as Storage Blob Data Owner. Add if the storage accounts included in this condition have hierarchical namespace enabled or might be enabled in the future.

Diagram of condition showing read access to blobs in named containers with a path.

Storage Blob Data Owner

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
  AND
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'
 )
)

Storage Blob Data Reader, Storage Blob Data Contributor

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
  AND
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Read a blob
All data operations for accounts with hierarchical namespace enabled (if applicable)
Attribute source Resource
Attribute Container name
Operator StringEquals
Value {containerName}
Expression 2
Operator And
Attribute source Resource
Attribute Blob path
Operator StringLike
Value {pathString}

Screenshot of condition editor in Azure portal showing read access to blobs in named containers with a path.

Azure PowerShell

Here's how to add this condition using Azure PowerShell.

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' AND @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

Here's how to test this condition.

$grantedContainer = "blobs-example-container"
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Try to get ungranted blob
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "Ungranted.txt" -Context $bearerCtx
# Try to get granted blob
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "readonly/Example6.txt" -Context $bearerCtx

Example: Read or list blobs in named containers with a path

This condition allows read and list access to storage containers named blobs-example-container with a blob path of readonly/*. Condition #1 applies to read actions excluding list blobs; Condition #2 applies to list blobs. This condition is useful for sharing specific parts of storage containers for read or list access with other users in the subscription.

You must add this condition to any role assignments that include the following actions.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action Add if the role definition includes this action, such as Storage Blob Data Owner. Add if the storage accounts included in this condition have hierarchical namespace enabled or might be enabled in the future.

Diagram of condition showing read and list access to blobs in named containers with a path.

Storage Blob Data Owner

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
  AND
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringStartsWith 'readonly/'
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
  AND
  @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith 'readonly/'
 )
)

Storage Blob Data Reader, Storage Blob Data Contributor

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
  AND
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringStartsWith 'readonly/'
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'
  AND
  @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith 'readonly/'
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Note

The Azure portal lists the blobs in a container's root directory with prefix=''. Once this condition is added with the list-blobs operation restricted by prefix StringStartsWith 'readonly/', the targeted users can no longer list the container's root directory in the Azure portal; they can list only under the readonly/ prefix.

Condition #1 Setting
Actions Read a blob
All data operations for accounts with hierarchical namespace enabled (if applicable)
Attribute source Resource
Attribute Container name
Operator StringEquals
Value {containerName}
Expression 2
Operator And
Attribute source Resource
Attribute Blob path
Operator StringStartsWith
Value {pathString}
Condition #2 Setting
Actions List blobs
All data operations for accounts with hierarchical namespace enabled (if applicable)
Attribute source Resource
Attribute Container name
Operator StringEquals
Value {containerName}
Expression 2
Operator And
Attribute source Request
Attribute Blob prefix
Operator StringStartsWith
Value {pathString}
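The original article gives no PowerShell for this example. The following is an added example, not part of the original, that applies the Storage Blob Data Reader / Storage Blob Data Contributor variant shown above and then exercises the prefix rule the note describes: listing under readonly/ is allowed, listing the container root (no prefix, or the empty prefix the portal sends) is denied, and reads of individual blobs split the same way. The condition is held in a single-quoted here-string, which carries it verbatim with no backtick escaping. The variables $scope, $roleDefinitionName, $userObjectID and $storageAccountName are assumed to be set as in the earlier examples, and the blobs readonly/Example6.txt and Ungranted.txt are assumed to exist.

```powershell
# Added example (not from the original article): apply the Reader/Contributor variant of the
# read-or-list condition and check the prefix behaviour. Assumes Connect-AzAccount has been run
# as the conditioned user and that $scope, $roleDefinitionName and $userObjectID identify the
# assignment. A single-quoted here-string keeps the condition verbatim: no backtick escaping needed.
$condition = @'
((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' AND @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringStartsWith 'readonly/')) AND ((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' AND @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix] StringStartsWith 'readonly/'))
'@
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = '2.0'
Set-AzRoleAssignment -InputObject $testRa -PassThru

$grantedContainer = 'blobs-example-container'
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount

# Each probe is an operation as the conditioned user plus the outcome the condition should produce.
# Listing is governed by the request prefix (condition #2); single-blob reads by the blob path (condition #1).
$probes = @(
    @{ Name = 'list with prefix readonly/';      Expect = 'Allowed'; Op = { Get-AzStorageBlob -Container $grantedContainer -Prefix 'readonly/' -Context $bearerCtx } }
    @{ Name = 'list container root (no prefix)'; Expect = 'Denied';  Op = { Get-AzStorageBlob -Container $grantedContainer -Context $bearerCtx } }
    @{ Name = 'list with prefix other/';         Expect = 'Denied';  Op = { Get-AzStorageBlob -Container $grantedContainer -Prefix 'other/' -Context $bearerCtx } }
    @{ Name = 'read readonly/Example6.txt';      Expect = 'Allowed'; Op = { Get-AzStorageBlob -Container $grantedContainer -Blob 'readonly/Example6.txt' -Context $bearerCtx } }
    @{ Name = 'read Ungranted.txt';              Expect = 'Denied';  Op = { Get-AzStorageBlob -Container $grantedContainer -Blob 'Ungranted.txt' -Context $bearerCtx } }
)
foreach ($p in $probes) {
    try   { & $p.Op | Out-Null; $got = 'Allowed' }
    catch {
        # A condition denial is a 403 AuthorizationPermissionMismatch; any other error is a setup problem.
        $got = if ($_.Exception.Message -match '403|AuthorizationPermissionMismatch') { 'Denied' } else { throw }
    }
    '{0,-4} {1,-34} expected {2,-7} got {3}' -f $(if ($got -eq $p.Expect) { 'PASS' } else { 'FAIL' }), $p.Name, $p.Expect, $got
}
```

If the assignment is Storage Blob Data Owner, use the Owner variant of the condition from the page instead, so that the runAsSuperUser action is covered as well; the probes are the same.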

Example: Write blobs in named containers with a path

This condition allows a partner (an Azure AD guest user) to drop files into storage containers named contosocorp with a path of uploads/contoso/*. This condition is useful for allowing other users to put data in storage containers.

You must add this condition to any role assignments that include the following actions.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action Add if the role definition includes this action, such as Storage Blob Data Owner. Add if the storage accounts included in this condition have hierarchical namespace enabled or might be enabled in the future.

Diagram of condition showing write access to blobs in named containers with a path.

Storage Blob Data Owner

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'contosocorp'
  AND
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'uploads/contoso/*'
 )
)

Storage Blob Data Contributor

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'contosocorp'
  AND
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'uploads/contoso/*'
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Write to a blob
Create a blob or snapshot, or append data
All data operations for accounts with hierarchical namespace enabled (if applicable)
Attribute source Resource
Attribute Container name
Operator StringEquals
Value {containerName}
Expression 2
Operator And
Attribute source Resource
Attribute Blob path
Operator StringLike
Value {pathString}

Screenshot of condition editor in Azure portal showing write access to blobs in named containers with a path.

Azure PowerShell

Here's how to add this condition using Azure PowerShell.

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'contosocorp' AND @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'uploads/contoso/*'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

Here's how to test this condition.

$grantedContainer = "contosocorp"
$localSrcFile = <pathToLocalFile>
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Try to set ungranted blob
$content = Set-AzStorageBlobContent -Container $grantedContainer -Blob "Example7.txt" -Context $bearerCtx -File $localSrcFile
# Try to set granted blob
$content = Set-AzStorageBlobContent -Container $grantedContainer -Blob "uploads/contoso/Example7.txt" -Context $bearerCtx -File $localSrcFile

Example: Read blobs with a blob index tag and a path

This condition allows a user to read blobs with a blob index tag key of Program and a value of Alpine, and a blob path of logs*. The path attribute includes the blob name, so logs* matches blobs under a logs/ directory as well as blobs whose names begin with logs.

You must add this condition to any role assignments that include the following action.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Diagram of condition showing read access to blobs with a blob index tag and a path.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.Read.WithTagConditions'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Program<$key_case_sensitive$>] StringEquals 'Alpine'
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'logs*'
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Read content from a blob with tag conditions
Attribute source Resource
Attribute Blob index tags [Values in key]
Key {keyName}
Operator StringEquals
Value {keyValue}

Screenshot of condition 1 editor in Azure portal showing read access to blobs with a blob index tag and a path.

Condition #2 Setting
Actions Read a blob
Attribute source Resource
Attribute Blob path
Operator StringLike
Value {pathString}

Screenshot of condition 2 editor in Azure portal showing read access to blobs with a blob index tag and a path.

Azure PowerShell

Here's how to add this condition using Azure PowerShell.

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.Read.WithTagConditions'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Program<`$key_case_sensitive`$>] StringEquals 'Alpine')) AND ((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'logs*'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

Here's how to test this condition.

$grantedContainer = "contosocorp"
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Try to get ungranted blobs
# Wrong name but right tags
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "AlpineFile.txt" -Context $bearerCtx
# Right name but wrong tags
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "logsAlpine.txt" -Context $bearerCtx
# Try to get granted blob
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "logs/AlpineFile.txt" -Context $bearerCtx

Blob versions or blob snapshots

Example: Read current blob versions and a specific blob version

This condition allows a user to read current blob versions as well as read blobs with a version ID of 2022-06-01T23:38:32.8883645Z. The user cannot read other blob versions.

Note

The condition includes a NOT Exists expression for the version ID attribute. This expression is included so that the Azure portal can list the current version of the blob, which is requested without a version ID.

You must add this condition to any role assignments that include the following action.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Diagram of condition showing read access to a specific blob version.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
 )
 OR 
 (
  @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId] DateTimeEquals '2022-06-01T23:38:32.8883645Z'
  OR
  NOT Exists @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId]
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Read a blob
Attribute source Request
Attribute Version ID
Operator DateTimeEquals
Value <blobVersionId>
Expression 2
Operator Or
Attribute source Request
Attribute Version ID
Exists Checked
Negate this expression Checked
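Here's how to add this condition with Azure PowerShell and exercise each branch of it as the assignee. This is an added example, not from the original article; it assumes `$scope`, `$roleDefinitionName`, `$userObjectID` and `$storageAccountName` are set as in the earlier PowerShell example, and the container and blob names are constructed.

```powershell
# Added example (not from the original article): assign the "current version plus one specific
# version" condition and test it. Assumes $scope, $roleDefinitionName, $userObjectID and
# $storageAccountName from the earlier example; container and blob names are constructed.
$allowedVersionId = '2022-06-01T23:38:32.8883645Z'   # the version ID named in the condition above

# Double-quoted here-string so $allowedVersionId is expanded and nothing else needs escaping.
$condition = @"
((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId] DateTimeEquals '$allowedVersionId' OR NOT Exists @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId]))
"@
$ra = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$ra.Condition = $condition
$ra.ConditionVersion = '2.0'
Set-AzRoleAssignment -InputObject $ra -PassThru

# --- Test as the assignee (run after Connect-AzAccount as that user) ---
$container = 'contosocorp'          # constructed
$blobName  = 'versioned/report.txt' # constructed
$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount

# Listing is excluded by NOT SubOperationMatches{'Blob.List'}, so enumerating versions succeeds.
$versions = Get-AzStorageBlob -Container $container -Prefix $blobName -IncludeVersion -Context $ctx
$versions | Select-Object Name, VersionId, IsLatestVersion

# Current version: addressed by name, the request carries no versionId, so NOT Exists allows it.
Get-AzStorageBlobContent -Container $container -Blob $blobName -Context $ctx -Destination .\current.txt -Force

# The one version named in the condition: allowed by the DateTimeEquals branch.
Get-AzStorageBlob -Container $container -Blob $blobName -VersionId $allowedVersionId -Context $ctx |
    Get-AzStorageBlobContent -Destination .\allowed-version.txt -Force

# Any other version: expected to fail with 403 (Forbidden).
$other = $versions | Where-Object { -not $_.IsLatestVersion -and $_.VersionId -ne $allowedVersionId } | Select-Object -First 1
if ($other) {
    try {
        $other | Get-AzStorageBlobContent -Destination .\denied-version.txt -Force -ErrorAction Stop
        Write-Warning "Unexpected: read of version $($other.VersionId) was allowed"
    } catch {
        Write-Host "Expected denial for version $($other.VersionId): $($_.Exception.Message)"
    }
}
```

One caveat when testing: a blob object taken from a versioned listing addresses that specific version, so downloading the latest version through such an object sends its version ID and is judged by the DateTimeEquals branch, not the NOT Exists branch. Address the current version by name, as above, to exercise the NOT Exists path.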

Example: Delete old blob versions

This condition allows a user to delete blob versions that are older than 06/01/2022, in order to perform cleanup.

You must add this condition to any role assignments that include the following actions.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action

Diagram of condition showing delete access to old blob versions.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action'})
 )
 OR 
 (
  @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId] DateTimeLessThan '2022-06-01T00:00:00.0Z'
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Delete a blob; Delete a version of a blob
Attribute source Request
Attribute Version ID
Operator DateTimeLessThan
Value <blobVersionId>
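Here's how to add this condition with Azure PowerShell and then use it for the cleanup it's meant for. This is an added example, not from the original article; it assumes `$scope`, `$roleDefinitionName`, `$userObjectID` and `$storageAccountName` as in the earlier PowerShell example, and the container name is constructed.

```powershell
# Added example (not from the original article): assign the "delete old versions" condition and
# run a cleanup that only touches versions the condition permits. Assumes $scope,
# $roleDefinitionName, $userObjectID and $storageAccountName; container name is constructed.
$cutoff = '2022-06-01T00:00:00.0Z'   # same cutoff as the condition above

$condition = @"
((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action'})) OR (@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId] DateTimeLessThan '$cutoff'))
"@
$ra = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$ra.Condition = $condition
$ra.ConditionVersion = '2.0'
Set-AzRoleAssignment -InputObject $ra -PassThru

# --- Cleanup as the assignee (run after Connect-AzAccount as that user) ---
$container  = 'contosocorp'   # constructed
$ctx        = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
$cutoffTime = [DateTimeOffset]::Parse($cutoff)

# Version IDs are ISO 8601 timestamps, so the client can pre-filter the same way the condition
# will: only non-current versions older than the cutoff are candidates.
$old = Get-AzStorageBlob -Container $container -IncludeVersion -Context $ctx |
    Where-Object { -not $_.IsLatestVersion -and $_.VersionId -and
                   [DateTimeOffset]::Parse($_.VersionId) -lt $cutoffTime }

# Dry run first; the role assignment condition is the server-side guard, this filter is the client-side one.
$old | Select-Object Name, VersionId | Format-Table
$old | Remove-AzStorageBlob -WhatIf

# Each delete sent from a versioned blob object carries that versionId, which is older than the cutoff.
$old | Remove-AzStorageBlob -Force

# Deleting the current version (no versionId in the request) or a version newer than the cutoff
# does not satisfy DateTimeLessThan, so those requests are expected to fail with 403 for this assignee.
```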

Example: Read current blob versions and any blob snapshots

This condition allows a user to read current blob versions and any blob snapshots.

You must add this condition to any role assignments that include the following action.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Diagram of condition showing read access to current blob versions and any blob snapshots.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
 )
 OR 
 (
  Exists @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:snapshot]
  OR
  NOT Exists @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId]
  OR
  @Resource[Microsoft.Storage/storageAccounts:isHnsEnabled] BoolEquals true
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Read a blob
Attribute source Request
Attribute Snapshot
Exists Checked
Expression 2
Operator Or
Attribute source Request
Attribute Version ID
Exists Checked
Negate this expression Checked
Expression 3
Operator Or
Attribute source Resource
Attribute Is hierarchical namespace enabled
Operator BoolEquals
Value True

Hierarchical namespace

Example: Read only storage accounts with hierarchical namespace enabled

This condition allows a user to read blobs only in storage accounts with hierarchical namespace enabled. This condition is applicable only at resource group scope or above.

You must add this condition to any role assignments that include the following actions.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action Add if role definition includes this action, such as Storage Blob Data Owner.

Diagram of condition showing read access to storage accounts with hierarchical namespace enabled.

Storage Blob Data Owner

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts:isHnsEnabled] BoolEquals true
 )
)

Storage Blob Data Reader, Storage Blob Data Contributor

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts:isHnsEnabled] BoolEquals true
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Read a blob; All data operations for accounts with hierarchical namespace enabled (if applicable)
Attribute source Resource
Attribute Is hierarchical namespace enabled
Operator BoolEquals
Value True
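Here's how to add the right variant of this condition with Azure PowerShell, depending on whether the assigned role includes the runAsSuperUser action, and verify the account property the condition tests. This is an added example, not from the original article; it assumes `$scope`, `$roleDefinitionName` and `$userObjectID` as in the earlier PowerShell example, plus a `$resourceGroupName` for the final check (a constructed variable name).

```powershell
# Added example (not from the original article): build the hierarchical-namespace condition for
# the role being assigned, guard the scope, apply it, and list which accounts will pass it.
# Assumes $scope, $roleDefinitionName, $userObjectID and $resourceGroupName are set.
$readClause  = "!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})"
$superClause = "!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})"
$hnsClause   = "@Resource[Microsoft.Storage/storageAccounts:isHnsEnabled] BoolEquals true"

# Storage Blob Data Owner also grants runAsSuperUser/action, so that action must be covered too;
# otherwise the condition leaves it unrestricted.
$guard = if ($roleDefinitionName -eq 'Storage Blob Data Owner') { "($readClause AND $superClause)" } else { "($readClause)" }
$condition = "($guard OR ($hnsClause))"

# The condition tests an account-level attribute and is only applicable at resource group scope
# or above, so refuse a storage-account (or narrower) scope up front.
if ($scope -match '/providers/Microsoft\.Storage/storageAccounts/') {
    throw "Scope '$scope' is narrower than a resource group; this condition is only applicable at resource group scope or above."
}

$ra = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$ra.Condition = $condition
$ra.ConditionVersion = '2.0'
Set-AzRoleAssignment -InputObject $ra -PassThru

# Which accounts in the resource group will the assignee be able to read? isHnsEnabled in the
# condition corresponds to EnableHierarchicalNamespace on the storage account resource.
Get-AzStorageAccount -ResourceGroupName $resourceGroupName |
    Select-Object StorageAccountName, EnableHierarchicalNamespace |
    Format-Table
```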

Encryption scope

Example: Read blobs with specific encryption scopes

This condition allows a user to read blobs encrypted with encryption scope validScope1 or validScope2.

You must add this condition to any role assignments that include the following action.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Diagram of condition showing read access to blobs with encryption scope validScope1 or validScope2.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/encryptionScopes:name] ForAnyOfAnyValues:StringEquals {'validScope1', 'validScope2'}
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Read a blob
Attribute source Resource
Attribute Encryption scope name
Operator ForAnyOfAnyValues:StringEquals
Value <scopeName>

Example: Read or write blobs in named storage account with specific encryption scope

This condition allows a user to read or write blobs in a storage account named sampleaccount that are encrypted with encryption scope ScopeCustomKey1. If the blob being read or written is not encrypted with ScopeCustomKey1, the request is denied as forbidden.

You must add this condition to any role assignments that include the following actions.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

Note

Encryption scopes are defined per storage account, so a scope name that is trusted in one account can exist with a different key in another. For that reason it's recommended to combine the storageAccounts:name attribute with the encryptionScopes:name attribute, so that only the scope in the intended account is allowed.

Diagram of condition showing read or write access to blobs in sampleaccount storage account with encryption scope ScopeCustomKey1.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts:name] StringEquals 'sampleaccount'
  AND
  @Resource[Microsoft.Storage/storageAccounts/encryptionScopes:name] ForAnyOfAnyValues:StringEquals {'ScopeCustomKey1'}
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Read a blob; Write to a blob; Create a blob or snapshot, or append data
Attribute source Resource
Attribute Account name
Operator StringEquals
Value <accountName>
Expression 2
Operator And
Attribute source Resource
Attribute Encryption scope name
Operator ForAnyOfAnyValues:StringEquals
Value <scopeName>
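Here's how to add the account-bound encryption scope condition above with Azure PowerShell and test both the allowed and the denied case; the same steps apply to the simpler "specific encryption scopes" condition in the previous example, with only the condition string changed. This is an added example, not from the original article; it assumes `$scope`, `$roleDefinitionName`, `$userObjectID`, `$storageAccountName` and a `$resourceGroupName` (constructed variable name), that the storage account is the sampleaccount named in the condition, and that the encryption scope ScopeCustomKey1 already exists on it. Container and file names are constructed.

```powershell
# Added example (not from the original article): assign the sampleaccount + ScopeCustomKey1
# condition, confirm the scope exists, then test writes under the allowed scope and outside it.
# Assumes $scope, $roleDefinitionName, $userObjectID, $storageAccountName, $resourceGroupName.
$condition = @'
((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})) OR (@Resource[Microsoft.Storage/storageAccounts:name] StringEquals 'sampleaccount' AND @Resource[Microsoft.Storage/storageAccounts/encryptionScopes:name] ForAnyOfAnyValues:StringEquals {'ScopeCustomKey1'}))
'@
$ra = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$ra.Condition = $condition
$ra.ConditionVersion = '2.0'
Set-AzRoleAssignment -InputObject $ra -PassThru

# The scope the condition names must exist and be enabled, or every request will be denied.
Get-AzStorageEncryptionScope -ResourceGroupName $resourceGroupName -StorageAccountName $storageAccountName |
    Select-Object Name, State, Source | Format-Table

# --- Test as the assignee (run after Connect-AzAccount as that user) ---
$container = 'contosocorp'   # constructed
$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
'constructed test content' | Set-Content -Path .\scoped.txt

# Write under the allowed scope: the blob is encrypted with ScopeCustomKey1, so the request passes.
Set-AzStorageBlobContent -Container $container -File .\scoped.txt -Blob 'scoped.txt' -EncryptionScope 'ScopeCustomKey1' -Context $ctx -Force

# Write with the account default (no scope) or any other scope: expected to fail with 403.
try {
    Set-AzStorageBlobContent -Container $container -File .\scoped.txt -Blob 'unscoped.txt' -Context $ctx -Force -ErrorAction Stop
    Write-Warning 'Unexpected: write outside ScopeCustomKey1 was allowed'
} catch { Write-Host "Expected denial: $($_.Exception.Message)" }

# Listing is excluded from the condition, so the assignee can still see which scope each blob uses.
Get-AzStorageBlob -Container $container -Context $ctx |
    Select-Object Name, @{ n = 'EncryptionScope'; e = { $_.BlobProperties.EncryptionScope } } | Format-Table
```

Because the condition also covers the read action, a blob that was uploaded under a different scope before the condition was added stays visible in listings but can no longer be read by this assignee.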

Principal attributes

Example: Read or write blobs based on blob index tags and custom security attributes

This condition allows read or write access to blobs if the user has a custom security attribute that matches the blob index tag.

For example, if Brenda has the attribute Project=Baker, she can only read or write blobs with the Project=Baker blob index tag. Similarly, Chandra can only read or write blobs with Project=Cascade.

You must add this condition to any role assignments that include the following actions.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

For more information, see Allow read access to blobs based on tags and custom security attributes.

Diagram of condition showing read or write access to blobs based on blob index tags and custom security attributes.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.Read.WithTagConditions'})
 )
 OR 
 (
  @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>]
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
  AND
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
 )
 OR 
 (
  @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>]
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Read content from a blob with tag conditions
Attribute source Principal
Attribute <attributeset>_<key>
Operator StringEquals
Option Attribute
Attribute source Resource
Attribute Blob index tags [Values in key]
Key <key>
Condition #2 Setting
Actions Write to a blob with blob index tags
Write to a blob with blob index tags
Attribute source Principal
Attribute <attributeset>_<key>
Operator StringEquals
Option Attribute
Attribute source Request
Attribute Blob index tags [Values in key]
Key <key>
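Here's how to add this condition with Azure PowerShell and test it as Brenda. This is an added example, not from the original article; it assumes `$scope`, `$roleDefinitionName`, `$userObjectID` and `$storageAccountName` as in the earlier PowerShell example, that Brenda's custom security attribute Engineering.Project has the value Baker (hence the Engineering_Project key in the condition), and that the role includes the read, write and add actions. Container and file names are constructed. A single-quoted here-string is used for the condition so that `$key_case_sensitive$` needs no backtick escaping.

```powershell
# Added example (not from the original article): assign the tag-plus-custom-security-attribute
# condition and test the write and read sides as Brenda (Engineering.Project = Baker).
# Assumes $scope, $roleDefinitionName, $userObjectID and $storageAccountName are set.
$condition = @'
((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.Read.WithTagConditions'})) OR (@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>])) AND ((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})) OR (@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>]))
'@
$ra = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$ra.Condition = $condition
$ra.ConditionVersion = '2.0'
Set-AzRoleAssignment -InputObject $ra -PassThru

# --- Test as Brenda (run after Connect-AzAccount as that user) ---
$container = 'contosocorp'   # constructed
$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
'constructed Baker project data' | Set-Content -Path .\baker.txt

# Write with a matching tag header: the @Request tag Project=Baker equals her attribute, so allowed.
Set-AzStorageBlobContent -Container $container -File .\baker.txt -Blob 'baker.txt' -Tag @{ Project = 'Baker' } -Context $ctx -Force

# Write with a different project in the tag header: expected to fail with 403.
try {
    Set-AzStorageBlobContent -Container $container -File .\baker.txt -Blob 'cascade.txt' -Tag @{ Project = 'Cascade' } -Context $ctx -Force -ErrorAction Stop
    Write-Warning 'Unexpected: write tagged Project=Cascade was allowed'
} catch { Write-Host "Expected denial: $($_.Exception.Message)" }

# Read side: the @Resource tag on the stored blob must equal her attribute.
Get-AzStorageBlobContent -Container $container -Blob 'baker.txt' -Context $ctx -Destination .\baker-copy.txt -Force

# The tag key comparison is case sensitive ($key_case_sensitive$): a blob tagged project=Baker
# (lower-case key) does not carry a Project tag as far as this condition is concerned.
```

Read the structure of the write half carefully before relying on it: its guard is `write AND Blob.Write.WithTagHeaders`, so only writes that send tag headers are compared against the principal's attribute. Whether writes without tag headers should be possible at all is a separate decision to make in the role and condition design.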

Example: Read blobs based on blob index tags and multi-value custom security attributes

This condition allows read access to a blob if any value of the user's custom security attribute matches the blob index tag.

For example, if Chandra has the Project attribute with the values Baker and Cascade, she can only read blobs with the Project=Baker or Project=Cascade blob index tag.

You must add this condition to any role assignments that include the following action.

Action Notes
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

For more information, see Allow read access to blobs based on tags and custom security attributes.

Diagram of condition showing read access to blobs based on blob index tags and multi-value custom security attributes.

(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.Read.WithTagConditions'})
 )
 OR 
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] ForAnyOfAnyValues:StringEquals @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project]
 )
)

Azure portal

Here are the settings to add this condition using the Azure portal.

Condition #1 Setting
Actions Read content from a blob with tag conditions
Attribute source Resource
Attribute Blob index tags [Values in key]
Key <key>
Operator ForAnyOfAnyValues:StringEquals
Option Attribute
Attribute source Principal
Attribute <attributeset>_<key>
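Here's how to add the multi-value condition with Azure PowerShell and produce a per-blob report of what Chandra can read. This is an added example, not from the original article; it assumes `$scope`, `$roleDefinitionName`, `$userObjectID` and `$storageAccountName` as in the earlier PowerShell example, that Chandra's Engineering.Project attribute holds the values Baker and Cascade, and that an administrator has already uploaded three constructed blobs to the container: baker.txt (Project=Baker), cascade.txt (Project=Cascade) and delta.txt (Project=Delta).

```powershell
# Added example (not from the original article): assign the multi-value variant and report, per
# blob, whether the read was admitted and whether that matches what the condition should decide.
# Assumes $scope, $roleDefinitionName, $userObjectID and $storageAccountName are set, and that
# baker.txt, cascade.txt and delta.txt exist with the Project tags described above.
$condition = @'
((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.Read.WithTagConditions'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] ForAnyOfAnyValues:StringEquals @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project]))
'@
$ra = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$ra.Condition = $condition
$ra.ConditionVersion = '2.0'
Set-AzRoleAssignment -InputObject $ra -PassThru

# --- Test as Chandra (run after Connect-AzAccount as that user) ---
$container = 'contosocorp'   # constructed
$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount

# Expected decisions: Baker and Cascade are among her attribute values, Delta is not.
$expected = [ordered]@{ 'baker.txt' = $true; 'cascade.txt' = $true; 'delta.txt' = $false }

$results = foreach ($name in $expected.Keys) {
    $allowed = $false
    try {
        Get-AzStorageBlobContent -Container $container -Blob $name -Context $ctx -Destination $env:TEMP -Force -ErrorAction Stop | Out-Null
        $allowed = $true
    } catch {
        # A denial surfaces here as a 403 (Forbidden); anything else is worth a closer look.
        Write-Verbose "Read of $name denied: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Blob        = $name
        ReadAllowed = $allowed
        Expected    = $expected[$name]
        AsDesigned  = ($allowed -eq $expected[$name])
    }
}
$results | Format-Table -AutoSize
```

A row with AsDesigned set to False means the condition on the assignment does not match the intent: either the attribute values on the user, the tag on the blob (remember the key is case sensitive) or the condition text itself differs from what was planned.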

Next steps