Hello @Artyom Lukianov

Welcome to Microsoft QnA!

Unfortunately there is no guarantee in the form of an SLA or a standard time that Custom Role assignments are updated. I have seen variety on most cases.

Your approach is quite impressive by the way.

I suppose you have already seen the Documentation: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-auth-abac-examples?tabs=portal-visual-editor

You can utilize Azure Monitor to get insight of the changes, so you can have an idea.

You can utilize API Calls to poll the Storage Account and get the status as well.

I can think of making an application layer/function that controls access based on your custom logic and can instantly enforce changes, or using Azure Functions with a combination of Event Grid and Blob Storage triggers to enforce custom access patterns.

If this is a Custom APP, use the Polling logic into a Logic App and delay the completion until you get the response that you want.

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards
How long does it take to update all Azure components to be aware of role assignment condition changes?
Artyom Lukianov 40 Reputation points
Hi folks, I have a specific use case where I need to make one of the containers under the storage account read-only for a specific service principal, so what I did:
- I configured a new custom security attribute under Entra
- I added the new custom security attribute to my service principal (that supports multiple values, each value is a container name)
- I updated the storage account role assignment with a condition
(
(
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})
AND
!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
)
OR
(
NOT @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:
Accepted answer
Konstantinos Passadis 19,376 Reputation points MVP
2024-01-17T16:20:42.7966667+00:00
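The polling approach suggested in the accepted answer, sketched as an added example (not code from the thread or from Microsoft): because propagation has no SLA and individual requests may still be evaluated against the old assignment, it waits for several consecutive denials and gives up at a deadline. The function names and the probe blob name are hypothetical, and it assumes a denied write surfaces as HTTP 403 and that `azure-storage-blob` is installed for the real probe.

```python
import time
from typing import Callable


def wait_until_write_denied(probe: Callable[[], int], *, timeout_s: float = 600.0,
                            interval_s: float = 5.0, confirmations: int = 3,
                            sleep=time.sleep, clock=time.monotonic) -> float:
    """Poll `probe` until it returns 403 `confirmations` times in a row.

    Returns the seconds elapsed; raises TimeoutError once the deadline
    would be exceeded by another wait.
    """
    start, streak = clock(), 0
    while True:
        status = probe()
        if status == 403:
            streak += 1
            if streak >= confirmations:
                return clock() - start
        elif status in (200, 201):
            streak = 0  # a write still succeeded: old condition still in effect
        else:
            raise RuntimeError(f"unexpected probe status {status}")
        if clock() - start + interval_s > timeout_s:
            raise TimeoutError("condition change not effective before deadline")
        sleep(interval_s)


def blob_write_probe(account_url: str, container: str, credential) -> Callable[[], int]:
    """Build a probe that attempts a small write as the restricted principal.

    Note: while writes are still allowed, each attempt overwrites the
    probe blob (constructed name), so clean it up afterwards.
    """
    from azure.core.exceptions import HttpResponseError  # lazy: optional dependency
    from azure.storage.blob import BlobClient

    client = BlobClient(account_url, container_name=container,
                        blob_name="rbac-probe.txt", credential=credential)

    def probe() -> int:
        try:
            client.upload_blob(b"probe", overwrite=True)
            return 201
        except HttpResponseError as exc:
            return exc.status_code

    return probe
```

Pass a credential for the restricted service principal to `blob_write_probe`, then hand the returned probe to `wait_until_write_denied` before treating the container as read-only.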