![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 1%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,686 questions
Hi @SHIVAKUMAR Madhurashree K (Madhura)
Welcome to Microsoft Q&A! Thanks for posting the question.
Please confirm if my understanding is correct. You have two different users, one who creates the storage account and the other who creates the event grid subscription. You want to limit the permission to those users but at the same time the user who has the permission to create the event grid subscription should able to view the storage account in the drop down list while creating the event grid subscription with topic type as "Storage Account".
Can you provide more details on what do you mean by "Consider the situation where User A and B are in different regions."
In your scenario, if both the user is in the same subscription or both the subscriptions are in the same tenant then you can give the permission to the user and your above scenario will work as expected.
If the subscription is in a different tenant then it will not work as you cannot view the resources of subscription that are part of different tenants in the Azure portal. At a time you will only see all subscriptions where you have permission that is part of the same tenant.
To view other tenants you need to switch directory (tenants) from the Azure portal.
You can refer to associate an Azure Subscription for more details on how to Associate or add an Azure subscription to your Azure Active Directory tenant.
Once your same or different subscriptions are in the same tenant then you can refer to storage in build roles and see if the inbuild roles help you. If you only need to restrict them only to view then you only need Microsoft.Storage/storageAccounts/read action permission on that susbcription and you can create the custom role and assign only Microsoft.Storage/storageAccounts/read permission to that role as below screenshot. You can refer to Azure custom roles document for more details.
Once you have defined the custom role you can assign this custom role to your user who will be creating the event grid subscription.
That user should also have write access to event grid subscription on that subscription. Please refer to this document for build-in or custom roles for event grid resources.
Hope the above helps you and feel free to get back to me if you need any assistance.