Share via

Storage Blob Data Contributor lacks Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action permissions

Oleksandr Trapeznikov 5 Reputation points
2025-06-12T18:40:51.92+00:00

Current built in "Storage Blob Data Contributor" role doesn't include Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action permissions, which are required in order to list blobs with a prefix filter.

We use Azure python SDK list_blobs method with name_starts_with, and it fails with AuthorizationPermissionMismatch with Storage Blob Data Contributor role. Custom role which includes Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action resolves the error, but we want to avoid managing custom roles for such basic operations.

Is there a specific reason from the Storage Account product team to not include filter action? If not, can the ticket be created to the product team to add it?

Thanks!

Azure Storage
Azure Storage
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,529 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Hari Babu Vattepally 3,270 Reputation points Microsoft External Staff Moderator
    2025-06-12T20:02:08.93+00:00

    Hi @Oleksandr Trapeznikov,

    Thanks for the question.

    The "Storage Blob Data Contributor" role does not include the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action permission, which is essential for listing blobs with a prefix filter using the Azure Python SDK's list_blobs method. Without this permission, you may encounter an AuthorizationPermissionMismatch error when attempting operations that require it. This limitation can be problematic for users who need to filter blobs in their Azure storage accounts, as they will be unable to perform such actions without the necessary permission. It is important to be aware of this restriction and consider alternative roles or permissions that can accommodate the required operations.

    To address this issue without managing custom roles, you might need to keep an eye on updates to the built-in roles provided by Azure, as they may include additional permissions in the future. For now, using a custom role that includes the required permission is the only way to avoid this error.

    However, I would also request you to push for solution and please provide feedback to Microsoft through Azure Feedback Portal. Sharing detailed feedback can help highlight the importance of this issue and potentially expedite the development of a solution.

    It is important to communicate the impact and urgency of this matter clearly to Microsoft, as user feedback plays a crucial role in their prioritization process. By doing so, you contribute to the improvement of their services, which can benefit all users facing similar challenges.

    For more information, please refer the below documents:

    I hope this information helps. Please do let us know if you have any further queries.

    Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members. 

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.