Assign an Azure role for access to queue data

Microsoft Entra authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access queue data.

When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. A Microsoft Entra security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

To learn more about using Microsoft Entra ID to authorize access to queue data, see Authorize access to queues using Microsoft Entra ID.

Note

This article shows how to assign an Azure role for access to queue data in a storage account. To learn about assigning roles for management operations in Azure Storage, see Use the Azure Storage resource provider to access management resources.

Assign an Azure role

You can use the Azure portal, PowerShell, Azure CLI, or an Azure Resource Manager template to assign a role for data access.

To access queue data in the Azure portal with Microsoft Entra credentials, a user must have the following role assignments:

  • A data access role, such as Storage Queue Data Contributor
  • The Azure Resource Manager Reader role

To learn how to assign these roles to a user, follow the instructions provided in Assign Azure roles using the Azure portal.

The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources. The Reader role is necessary so that users can navigate to queues and messages in the Azure portal.

For example, if you assign the Storage Queue Data Contributor role to user Mary at the level of a queue named sample-queue, then Mary is granted read, write, and delete access to that queue. However, if Mary wants to view a queue in the Azure portal, then the Storage Queue Data Contributor role by itself will not provide sufficient permissions to navigate through the portal to the queue in order to view it. The additional permissions are required to navigate through the portal and view the other resources that are visible there.

A user must be assigned the Reader role to use the Azure portal with Microsoft Entra credentials. However, if a user has been assigned a role with Microsoft.Storage/storageAccounts/listKeys/action permissions, then the user can use the portal with the storage account keys, via Shared Key authorization. To use the storage account keys, Shared Key access must be permitted for the storage account. For more information on permitting or disallowing Shared Key access, see Prevent Shared Key authorization for an Azure Storage account.

You can also assign an Azure Resource Manager role that provides additional permissions beyond than the Reader role. Assigning the least possible permissions is recommended as a security best practice. For more information, see Best practices for Azure RBAC.

Note

Prior to assigning yourself a role for data access, you will be able to access data in your storage account via the Azure portal because the Azure portal can also use the account key for data access. For more information, see Choose how to authorize access to queue data in the Azure portal.

Keep in mind the following points about Azure role assignments in Azure Storage:

  • When you create an Azure Storage account, you are not automatically assigned permissions to access data via Microsoft Entra ID. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or queue.
  • When you assign roles or remove role assignments, it can take up to 10 minutes for changes to take effect.
  • Built-in roles with data actions can be assigned at management group scope. However, in rare scenarios there might be a significant delay (up to 12 hours) before data action permissions are effective for certain resource types. Permissions will eventually be applied. For built-in roles with data actions, adding or removing role assignments at management group scope is not recommended for scenarios where timely permission activation or revocation, such as Microsoft Entra Privileged Identity Management (PIM), is required.
  • If the storage account is locked with an Azure Resource Manager read-only lock, then the lock prevents the assignment of Azure roles that are scoped to the storage account or a queue.

Next steps