RBAC access to storage account not working

Pawan Kumar 20 Reputation points
2024-11-13T03:57:16.94+00:00

Hi All,
I have one Entra user ID and have given him Storage Account Contributor access with a built-in role and also a custom role. But that user is not able to see anything in the storage account when I log in to the Azure portal with the user ID. Similarly, I set up access to the Azure translation service and it's working fine. Could you please suggest what needs to be checked and how this issue can be resolved?
Thanks

Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Vinod Kumar Reddy Chilupuri 1,760 Reputation points Microsoft Vendor
    2024-11-13T09:35:51.11+00:00

    Hi @Pawan kumar

    Welcome to Microsoft Q&A, thanks for posting your query.
    To access blob data from the Azure portal using your Microsoft Entra account, both of the following statements must be true for you:

    • You are assigned either a built-in or custom role that provides access to blob data.
    • You are assigned the Azure Resource Manager Reader role, at a minimum, scoped to the level of the storage account or higher. The Reader role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable.

    The Azure Resource Manager Reader role permits users to view storage account resources, but not modify them. It doesn't provide read permissions to data in Azure Storage, but only to account management resources. The Reader role is necessary so that users can navigate to blob containers in the Azure portal.

    https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-portal#use-your-microsoft-entra-account

    https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
    https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting?tabs=bicep

     

    • Check Role Assignments: Make sure the user has the right roles assigned specifically for the storage account. Verify that these roles are applied at the right level, like the storage account itself or the resource group containing it.
    • Review Access Policies: Look over any access policies that might be affecting the user’s access. For instance, check for conditional access policies that could be blocking access to the storage account.
    • Inspect Custom Roles: If you’ve assigned a custom role, confirm that it includes all permissions needed for accessing the storage account. Custom roles can sometimes miss certain permissions required for specific actions.
    • Ensure Anonymous Access is Disabled: Check that anonymous (public) access is turned off on the storage account. Disabling public access helps prevent unauthorized access to the data.
    • Consider Identity-Based Access: Use identity-based access with a Managed Identity on the storage account for more secure and reliable access control than using account keys.
    • Check for Error Messages or Logs: Look for any error messages or logs related to the user's access issue. These details can help you solve your issue.

    Please let us know if you have any further queries. I’m happy to assist you further. 


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

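Added example, not part of the original answer or of Microsoft's tooling: a small offline check of the two conditions the answer lists (a role with blob data access, plus a management-plane role that can read the storage account), run over a user's role assignments. The role definitions, subscription ID and resource names are constructed and trimmed; the field names mirror what `az role definition list` and `az role assignment list` print, and deny assignments and role-assignment conditions are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed role definitions, trimmed to the "permissions" fields that
# `az role definition list` prints (assumption: only the rules relevant here).
ROLES = {
    "Reader": {"actions": ["*/read"], "dataActions": []},
    "Storage Account Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/*"], "dataActions": []},
    "Storage Blob Data Reader": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]},
}
MGMT_READ = "Microsoft.Storage/storageAccounts/read"   # lets the portal show the account
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

def allows(role, kind, operation):
    """True if the role's allow list for `kind` matches and its exclude list does not."""
    deny = "notActions" if kind == "actions" else "notDataActions"
    hit = lambda pats: any(fnmatchcase(operation.lower(), p.lower()) for p in pats)
    return hit(role.get(kind, [])) and not hit(role.get(deny, []))

def in_scope(assignment_scope, resource_id):
    """An assignment applies at its own scope and to every resource beneath it."""
    a, r = assignment_scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def portal_blob_access(assignments, account_id, roles=ROLES):
    """Evaluate both conditions from the answer for one user's role assignments."""
    held = [roles[a["roleDefinitionName"]] for a in assignments
            if in_scope(a["scope"], account_id) and a["roleDefinitionName"] in roles]
    return {"management_read": any(allows(r, "actions", MGMT_READ) for r in held),
            "blob_data_read": any(allows(r, "dataActions", BLOB_READ) for r in held)}

if __name__ == "__main__":
    # Constructed IDs; replace with rows from `az role assignment list --assignee <user>`.
    rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
    acct = rg + "/providers/Microsoft.Storage/storageAccounts/stdemo"
    only_contributor = [{"roleDefinitionName": "Storage Account Contributor", "scope": acct}]
    print(portal_blob_access(only_contributor, acct))
```

A custom role can be checked the same way by adding its `permissions` entry to `ROLES`; a `False` under `blob_data_read` means no held role lists a matching `dataActions` entry at or above the account scope.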
