How long does it take for all Azure components to become aware of role assignment condition changes?

Artyom Lukianov 40 Reputation points
2024-01-17T15:47:08.4066667+00:00

Hi folks, I have a specific use case where I need to make one of the containers under a storage account read-only for a specific service principal, so this is what I did:

  1. I configured a new custom security attribute under Entra
  2. I added the new custom security attribute to my service principal (it supports multiple values, each value being a container name)
  3. I updated the storage account role assignment with the condition:
   (
    (
     !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
     AND
     !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
     AND
     !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})
     AND
     !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
    )
    OR 
    (
     NOT @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:

Accepted answer
  1. Konstantinos Passadis 19,376 Reputation points MVP
    2024-01-17T16:20:42.7966667+00:00

    Hello @Artyom Lukianov, welcome to Microsoft Q&A! Unfortunately there is no guarantee in the form of an SLA or a standard time within which custom role assignments are updated; I have seen variety in most cases. Your approach is quite impressive, by the way. I suppose you have already seen the documentation: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-auth-abac-examples?tabs=portal-visual-editor You can utilize Azure Monitor to get insight into the changes, so you can have an idea. You can utilize API calls to poll the storage account and get the status as well. I can think of making an application layer/function that controls access based on your custom logic and can instantly enforce changes, or using Azure Functions in combination with Event Grid and Blob Storage triggers to enforce custom access patterns. If this is a custom app, put the polling logic into a Logic App and delay the completion until you get the response that you want. I hope this helps! Kindly mark the answer as Accepted and upvote in case it helped! Regards
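
The polling check suggested in the answer, written out as an added example (not code from the question, the answer or Microsoft): run as the restricted service principal, it retries a blob write and a blob list against the container until writes are rejected while reads still succeed, and reports how long the condition took to become effective. It assumes the Az.Storage module and an existing Connect-AzAccount session as that principal; the account and container names are placeholders.

```powershell
# Added example: measure when a storage ABAC condition is actually enforced.
# Assumes Az.Storage is installed and the current session is signed in as the
# service principal whose role assignment carries the condition.
param(
    [string]$StorageAccount  = 'mystorageacct',       # placeholder
    [string]$Container       = 'readonly-container',  # placeholder: a name listed in the attribute
    [int]$TimeoutMinutes     = 30,
    [int]$IntervalSeconds    = 30
)

$ctx   = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount
$probe = Join-Path $env:TEMP 'abac-probe.txt'
Set-Content -Path $probe -Value 'abac enforcement probe'

function Test-WriteDenied {
    # $true when the upload is rejected for authorization reasons, $false when
    # it succeeds; anything else (network, throttling) is rethrown so it is not
    # mistaken for enforcement.
    try {
        Set-AzStorageBlobContent -File $probe -Container $Container -Blob 'abac-probe.txt' `
            -Context $ctx -Force -ErrorAction Stop | Out-Null
        return $false
    } catch {
        if ($_.Exception.Message -match 'AuthorizationPermissionMismatch|403') { return $true }
        throw
    }
}

function Test-ReadAllowed {
    # The condition must leave read access intact; a denied list call means the
    # assignment is broken rather than read-only.
    try {
        Get-AzStorageBlob -Container $Container -Context $ctx -MaxCount 1 -ErrorAction Stop | Out-Null
        return $true
    } catch { return $false }
}

$started  = Get-Date
$deadline = $started.AddMinutes($TimeoutMinutes)
while ((Get-Date) -lt $deadline) {
    $denied  = Test-WriteDenied
    $canRead = Test-ReadAllowed
    Write-Host ("{0:u}  write denied: {1}  read allowed: {2}" -f (Get-Date), $denied, $canRead)
    if ($denied -and $canRead) {
        Write-Host ("Condition enforced after {0:N0} s" -f ((Get-Date) - $started).TotalSeconds)
        break
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Any probe blob uploaded before enforcement kicked in stays in the container, because the same condition now blocks the principal's delete; remove it with an unrestricted identity.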

