Hey @Marco
To restrict users of the group on specific blob containers, you can try the following policy:
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleAssignments"
      },
      {
        "field": "principalType",
        "equals": "Group"
      },
      {
        "field": "principalName",
        "equals": "GroupS"
      },
      {
        "field": "actions",
        "notIn": ["Microsoft.Authorization/roleAssignments/write", "Microsoft.Authorization/roleAssignments/delete"]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
Enforcing assignments for only group S within specific blob containers could look like the following, but I would suggest using some sort of pattern logic in place of {container1} instead of listing each individual container.
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleAssignments"
      },
      {
        "field": "principalType",
        "equals": "Group"
      },
      {
        "field": "principalName",
        "equals": "GroupS"
      },
      {
        "field": "scope",
        "notIn": [
          "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccount}/blobservices/default/containers/{container1}",
          "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccount}/blobservices/default/containers/{container2}"
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
These haven't been tested and may need some massaging to fit your use case but should get you pointed in the right direction.
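As an added illustration (not part of the answer above and not Azure's policy engine), the following Python script models the container-scope rule from the reply and the suggested pattern variant, then runs both against a handful of constructed role-assignment requests so the deny/not-applicable outcome of each can be checked offline. It assumes the field names used in the reply (principalType, principalName, scope, type), a small subset of condition operators (allOf, anyOf, not, equals, notEquals, in, notIn, like, notLike with "*" as the only wildcard), and constructed subscription, resource group, storage account and container names.

```python
import re

# Constructed scopes; the subscription id, resource group, account and
# container names are placeholders, not real resources.
ACCOUNT_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                 "/resourceGroups/rg-demo/providers/Microsoft.Storage"
                 "/storageAccounts/stdemo")
CONTAINER_PREFIX = ACCOUNT_SCOPE + "/blobservices/default/containers/"


def _like(value, pattern):
    """Wildcard match where '*' matches any run of characters (case-insensitive)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, str(value), re.IGNORECASE) is not None


def evaluate(condition, request):
    """Return True when a policy condition matches a flat dict of request fields.

    This is a teaching model of the operator subset used here, not the real
    Azure Policy evaluator.
    """
    if "allOf" in condition:
        return all(evaluate(c, request) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, request) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], request)
    value = request.get(condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "in" in condition:
        return value in condition["in"]
    if "notIn" in condition:
        return value not in condition["notIn"]
    if "like" in condition:
        return _like(value, condition["like"])
    if "notLike" in condition:
        return not _like(value, condition["notLike"])
    raise ValueError(f"unsupported condition: {condition}")


def effect_of(rule, request):
    """'deny' when the rule fires; None when the policy does not apply."""
    return rule["then"]["effect"] if evaluate(rule["if"], request) else None


def _group_s_rule(scope_condition):
    # Common part of both rules: only role assignments granted to group S.
    return {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Authorization/roleAssignments"},
            {"field": "principalType", "equals": "Group"},
            {"field": "principalName", "equals": "GroupS"},
            scope_condition,
        ]},
        "then": {"effect": "deny"},
    }


# Variant 1: explicit allow-list of container scopes (as in the reply).
RULE_EXPLICIT = _group_s_rule({"field": "scope", "notIn": [
    CONTAINER_PREFIX + "container1",
    CONTAINER_PREFIX + "container2",
]})

# Variant 2: the pattern-based alternative the reply suggests; any container
# under the account is allowed, anything broader (account, RG, sub) is denied.
RULE_PATTERN = _group_s_rule({"field": "scope", "notLike": CONTAINER_PREFIX + "*"})


def assignment(principal_type, principal_name, scope):
    """Build a constructed role-assignment request record."""
    return {"type": "Microsoft.Authorization/roleAssignments",
            "principalType": principal_type,
            "principalName": principal_name,
            "scope": scope}


# Constructed sample requests covering the interesting cases.
SAMPLES = {
    "groupS_container1": assignment("Group", "GroupS", CONTAINER_PREFIX + "container1"),
    "groupS_container9": assignment("Group", "GroupS", CONTAINER_PREFIX + "container9"),
    "groupS_account":    assignment("Group", "GroupS", ACCOUNT_SCOPE),
    "groupT_account":    assignment("Group", "GroupT", ACCOUNT_SCOPE),
    "user_container9":   assignment("User", "alice@example.invalid", CONTAINER_PREFIX + "container9"),
}


def run_samples(rule):
    """Map each sample name to the effect the rule produces for it."""
    return {name: effect_of(rule, req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("explicit", RULE_EXPLICIT), ("pattern", RULE_PATTERN)):
        print(label, run_samples(rule))
```

The difference between the two variants is visible in the groupS_container9 case: the explicit list denies an assignment on a container that was never enumerated, while the notLike pattern allows any container under the account and still denies an assignment made at the storage-account scope itself. Assignments to other principals are untouched by either rule.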