Looking for Kusto query or a azure policy where an alert should be generated when azure blob data action role permissions are assigned on a built in or custom role for a storage account.

Question

{
  "mode": "All",
  "policyType": "Custom",
  "displayName": "Audit Blob Data Action Role Permissions Assignments",
  "description": "Audits when roles with Azure Blob data action permissions are assigned.",
  "metadata": {
    "category": "Storage"
  },
  "parameters": {},
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Authorization/roleAssignments"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
              "contains": "dataActions",
              "value": "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  }
}

Answer 1

Thanks for posting your question in the Microsoft Q&A forum.

If I understood correctly this is an example of such a query:

AzureActivity
| where ResourceProvider == "Microsoft.Authorization"
| where ActivityStatus == "Success"
| where ResourceGoverningType == "Microsoft.Storage/storageAccounts/providers/roleAssignments"
| extend action = tostring(properties.actions[0])
| extend roleDefinitionId = tostring(properties.roleDefinitionId)
| extend principalId = tostring(properties.principalId)
| where action == "Microsoft.Storage/storageAccounts/blobServices/containers/write"
| where roleDefinitionId startswith "/providers/Microsoft.Authorization/roleDefinitions/"
| project RoleAssignmentId = tostring(properties.roleAssignmentId), RoleDefinitionId = roleDefinitionId, PrincipalId = principalId, Action = action, ResourceId = tostring(properties.resourceId)

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful **

Answer 2

Sahith Thatipalli thank you for the reply. Based on my understanding, you are trying to achieve the following:

1. Assume that a "custom" role has been defined (customer_role_1) which contains the data action roles related to "blob read" and "blob write"
2. You want to get alerted, when any user (user1) assigns this customer role (customer_role_1) to another user - user2

If I understood the scenario correctly, there is no direct way to make it work. One of the ways to get it to work is provided below (there could be other ways to make it work, like Automation, but the core steps required are going to be same)

A high-level step to get alerted for this scenario will be:

1. Create Alert rule with scope set to the "Azure Storage Account" for which alert needs to be created
2. Set alert Signal Name as "Create role assignment" -> and Status as "Started"
3. This will alert when a role assignment is done on the Storage account
4. For this alert rule, set "action group" as a logic app. For more details, see Customize alert notifications by using Logic Apps
5. Using this step, the information contained in alert (which role was assigned, which storage account got the role assigned etc. ) would be in Logic Apps.
6. Parse the role definitionId from the response
7. Use Role Definitions - Get to get details of role using the HTTP action parameters in logic apps. For details, see Call external HTTP or HTTPS endpoints from workflows in Azure Logic Apps
8. Check if the returned role definition contains data action of interest (blob read/write)
9. Generate a notification as mentioned in point 4 above.

This is a very high-level step for a customized solution as per the requirement. The basic idea is ==> get details of role assignment from activity log --> check if that role assignment was done for Azure storage account --> check if this role assignment has actions of interest for which alert needs to be generated --> sent a email notification.

---

As you see, this is a complex route to take for this task.

Instead, I would suggest reviewing the RBAC role assigned and granting permissions to provide "Role assignment permission" to specific users only. In short, this will avoid unintended role assignments.

Hope this helps.