Deny Assignment Not Blocking Access to Storage Account

Andrew McWilliams 10 Reputation points
2025-06-05T14:29:25.3666667+00:00

I’ve deployed a storage account using a deployment stack that includes a deny assignment intended to block access to all principals. The deny settings appear to be configured correctly (see attached screenshot).


However, I assigned a test user the 'Storage Blob Data Reader' role at the subscription level, and this user is still able to access blobs in the storage account.

My expectation is that the deny assignment should override the RBAC role and prevent access entirely. Can you help me understand why this deny assignment is not working as expected?


2 answers

  1. Hari Babu Vattepally 3,345 Reputation points Microsoft External Staff Moderator
    2025-06-09T19:37:32.1033333+00:00

    Hi @Andrew McWilliams,

    Thanks for the response,

    If a user is assigned the Storage Blob Data Reader role, they will have permissions to read blobs. While deny assignments are intended to block actions, if they are not explicitly configured to deny the specific actions permitted by the role, the role may still take precedence. Therefore, it is crucial to ensure that deny assignments are accurately set up to restrict the actions you want to block.

    Also, as said, users cannot directly create deny assignments; however, they can configure them through deployment stacks. Therefore, while deployment stacks enable the creation of deny assignments, it is not possible to create them independently outside of this context.

    Here the limitation is due to Azure managing these assignments, meaning users are unable to create them directly through the Azure portal or other interfaces.

    And, regarding deployment stacks, they manage only explicitly created resources. If a resource is created implicitly, such as those automatically generated as dependencies of other resources, the deny settings applied to the deployment stack will not affect these implicitly created resources. Consequently, if the storage account or its components were created implicitly, the deny assignment may not apply, potentially allowing access that is expected to be restricted.

    I hope this information helps. Please do let us know if you have any further queries.

    Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.


  2. J O 0 Reputation points
    2025-12-09T06:29:34.97+00:00

    I have observed the following:

    • Azure Deny Assignments Behavior:
      1. Deny assignments apply only to the Azure Resource Manager (management plane). They do not affect the data plane.
      2. Management plane vs. Data plane:
        • Management plane: Operations like creating, deleting, or configuring resources.
        • Data plane: Operations on the resource’s data, such as reading, writing, or deleting blobs.
      3. My observations:
        • Contributor role + deny assignment:
          • You can see the storage account because Contributor grants read access to resource metadata.
          • You cannot modify the storage account because the deny assignment blocks management plane changes.
          • You cannot access data because Contributor does not grant data plane permissions.
        • Storage Blob Data Reader role:
          • You can read blob data because this role grants data plane read permissions.
          • You cannot write or delete because the role is read-only.
        • Storage Blob Data Contributor role:
          • You can read, write, and delete blob data because this role grants full data plane permissions.
          • The deny assignment does not block these actions since they are data plane operations.
    • Summary:
      • Deny assignments block management plane actions, even if you have RBAC roles like Contributor.
      • Deny assignments do not block data plane actions. Data plane access is controlled by Azure RBAC roles for data plane or shared keys/SAS tokens.
      • Assigning Storage Blob Data Reader or Contributor works for data access despite deny assignments.
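A small model of the evaluation order the two answers describe, added here as an example and not code from the thread or from Azure itself: each role definition or deny assignment carries separate Actions (management plane) and DataActions (data plane), deny assignments are checked before role assignments, and a deny that lists only management-plane actions leaves a data-plane blob read untouched. The role definitions, the stack-produced deny assignment and the explicit data-plane deny are constructed approximations (assumptions), not the real definitions.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Permission:
    """One role definition or deny assignment: management-plane Actions and data-plane DataActions."""
    actions: list = field(default_factory=list)
    not_actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)
    not_data_actions: list = field(default_factory=list)

def _matches(op, patterns, exclusions):
    # Azure action strings are case-insensitive and '*' matches any run of path segments
    op = op.lower()
    hit = lambda pats: any(fnmatch.fnmatchcase(op, p.lower()) for p in pats)
    return hit(patterns) and not hit(exclusions)

def covers(perm, op, is_data_action):
    # Management-plane ops are checked only against Actions, data-plane ops only against DataActions
    if is_data_action:
        return _matches(op, perm.data_actions, perm.not_data_actions)
    return _matches(op, perm.actions, perm.not_actions)

def is_allowed(op, is_data_action, roles, denies):
    # Deny assignments are evaluated first; any match wins regardless of the roles granted
    if any(covers(d, op, is_data_action) for d in denies):
        return False
    return any(covers(r, op, is_data_action) for r in roles)

# Constructed approximations of the built-in roles (not the full definitions)
CONTRIBUTOR = Permission(actions=["*"], not_actions=["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"])
BLOB_READER = Permission(
    actions=["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    data_actions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"])
# Assumption: a deployment-stack denyWriteAndDelete deny assignment lists only management-plane actions
STACK_DENY = Permission(actions=["*/write", "*/delete"])
# Hypothetical deny that names the blob data action explicitly (not something a stack produces)
DATA_DENY = Permission(data_actions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"])

def evaluate_scenarios():
    blob_read = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    acct_write = "Microsoft.Storage/storageAccounts/write"
    return {
        "contributor_write_account": is_allowed(acct_write, False, [CONTRIBUTOR], [STACK_DENY]),
        "contributor_read_blob": is_allowed(blob_read, True, [CONTRIBUTOR], [STACK_DENY]),
        "blob_reader_read_blob": is_allowed(blob_read, True, [BLOB_READER], [STACK_DENY]),
        "blob_reader_read_blob_data_deny": is_allowed(blob_read, True, [BLOB_READER], [STACK_DENY, DATA_DENY]),
    }
```

Only the last scenario, where a deny assignment explicitly names the blob DataAction, stops the Storage Blob Data Reader from reading; the stack-style deny on its own never reaches the data plane.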
