How long does it take to update all Azure components to be aware of role assignment condition changes?

Artyom Lukianov 40 Reputation points
2024-01-17T15:47:10.65+00:00

Hi folks, I have a specific use case where I need to make one of the containers under a storage account read-only for a specific service principal, so here is what I did:

  1. I configured a new custom security attribute under Entra
  2. I added the new custom security attribute to my service principal (it supports multiple values; each value is a container name)
  3. I updated the storage account role assignment with the condition
   (
    (
     !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
     AND
     !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
     AND
     !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})
     AND
     !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
    )
    OR 
    (
     NOT @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:

Accepted answer
  Sumarigo-MSFT 47,471 Reputation points Microsoft Employee
    2024-01-22T08:51:18.43+00:00

    @Artyom Lukianov Firstly, apologies for the delayed response here! Thank you for posting your query here! Welcome to Microsoft Q&A Forum.

    When you assign roles or remove role assignments, it can take up to 10 minutes for changes to take effect. If you're using the Azure portal, Azure PowerShell, or Azure CLI, you can force a refresh of your role assignment changes by signing out and signing in. If you're making role assignment changes with REST API calls, you can force a refresh by refreshing your access token.

    Cause: You added managed identities to a group and assigned a role to that group. The back-end services for managed identities maintain a cache per resource URI for around 24 hours.

    Solution: It can take several hours for changes to a managed identity's group or role membership to take effect. For more information, see Limitation of using managed identities for authorization.

    When you make changes to role assignments in Azure, it can take some time for all components to be aware of the changes. The amount of time it takes for the changes to propagate can vary depending on a number of factors, such as the size of your Azure environment and the number of role assignments that need to be updated.

    In general, changes to role assignments should propagate within a few minutes. However, in some cases it may take longer for the changes to take effect. If you are experiencing delays in the propagation of role assignment changes, you can try the following steps:

    1. Check the status of the role assignment changes in the Azure portal. You can do this by going to the "Activity log" in the Azure portal and looking for any errors or warnings related to the role assignment changes.
    2. Check the status of the Azure services that are affected by the role assignment changes. If there are any issues with the services, it may be affecting the propagation of the role assignment changes.
    3. Try logging out of the Azure portal and logging back in again. This can sometimes help to refresh the portal and ensure that the changes are being propagated correctly.

    This article describes some common solutions for issues related to Azure role-based access control (Azure RBAC).

    Additional information: Steps to assign an Azure role

    Assign Azure resource roles in Privileged Identity Management

    Once you know the security principal, role, and scope, you can assign the role. You can assign roles using the Azure portal, Azure PowerShell, Azure CLI, Azure SDKs, or REST APIs.

    You can have up to 4000 role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. You can have up to 500 role assignments in each management group. For more information, see Troubleshoot Azure RBAC limits.

    Please let us know if you have any further queries. I’m happy to assist you further.    

    --- 

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

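To check what the condition in the question should allow once it has propagated, here is an added local model of its logic (example code, not from the question, the answer or Microsoft). The tail of the condition is cut off in the post, so the model assumes it compares the principal's multi-valued custom security attribute against the target container name; `Principal`, `Request` and the decision table are constructed for illustration.

```python
from dataclasses import dataclass

# Data actions named in the posted condition (exact strings from the question).
_PREFIX = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"
BLOB_WRITE = _PREFIX + "write"
BLOB_ADD = _PREFIX + "add/action"
BLOB_TAGS_WRITE = _PREFIX + "tags/write"
BLOB_DELETE = _PREFIX + "delete"
BLOB_READ = _PREFIX + "read"  # not in the condition; remains unconditional

DENIED_WHEN_LISTED = frozenset({BLOB_WRITE, BLOB_ADD, BLOB_TAGS_WRITE, BLOB_DELETE})


@dataclass(frozen=True)
class Principal:
    """Service principal with its custom security attribute values (container names)."""
    readonly_containers: frozenset


@dataclass(frozen=True)
class Request:
    action: str
    container: str


def action_matches(action: str, pattern: str) -> bool:
    """Model of ActionMatches{...}: exact match, with a trailing '*' as a prefix wildcard."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return action == pattern


def condition_allows(principal: Principal, req: Request) -> bool:
    """Mirrors the shape of the posted condition:
         (NOT write AND NOT add AND NOT tags/write AND NOT delete)
         OR NOT <principal attribute contains the target container>   (assumed tail)
    """
    not_a_write_action = all(not action_matches(req.action, p) for p in DENIED_WHEN_LISTED)
    container_not_listed = req.container not in principal.readonly_containers
    return not_a_write_action or container_not_listed


def effective_access(principal: Principal, container: str) -> dict:
    """Per-action decision table for one container, to compare against observed behaviour
    after the up-to-10-minute propagation window (or a fresh access token) has passed."""
    actions = sorted(DENIED_WHEN_LISTED | {BLOB_READ})
    return {a: condition_allows(principal, Request(a, container)) for a in actions}
```

If a write to a listed container still succeeds after the table says it should be denied, the token or cache has likely not yet picked up the changed assignment, which is the delay the accepted answer describes.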

0 additional answers
