How to stop inherited management and subscription groups from accessing storage account keys.

Sandhya Reddy Veera 21 Reputation points


I have a Gen2 storage account to store confidential data. This storage account inherits Management and subscription level

groups in contributor and owner roles. How can we avoid access to the storage account keys for these inherited groups.


Azure Data Lake Storage
Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
1,273 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,526 questions
0 comments No comments
{count} votes

Accepted answer
  1. Luke Murray 10,276 Reputation points MVP

    I am not aware of away to prevent the IAM/RBAC roles from being excluded at specific resource levels.

    You would need to move the Subscription holding the storage account to a new management group, excluding the permissions.


    Adjust the permissions of that management group, to prevent storage account read access.

    FYI: I looked into Deny Assignments as well ( but this is for Blueprint created resources, not entirely for your usecase.

    "You can't directly create your own deny assignments."

    0 comments No comments

0 additional answers

Sort by: Most helpful