Azure Storage --> permissions per folder

damiank 21 Reputation points

Hello Everyone,
I have the question regarding permissions for Azure Storage.

short description:

we have created the Storage account (blob storage) and within the account we are going to create many containers and in which container we are going to have multiple folders and files.

the goal:

we want to grant permissions for end users for specific containter and also for specific folder within container, but I noticed that we can grant the access permissions per Container only.
so how I can grant the access per each folder (within Container) ?

Please help:)


Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,511 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,265 questions
{count} votes

Accepted answer
  1. Sumarigo-MSFT 42,586 Reputation points Microsoft Employee

    @damiank Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    Adding more information to the above response! You can use Shared access signature (SAS) can be used to restrict access to either an entire blob container or an individual blob. This is because a folder in blob storage is virtual and not a real folder. You may refer to the suggestion mentioned in this article

    Additional information: Authorizing access to Azure Storage

    If you use ADLS Gen2 you can set an ACL on a folder.. For existing storage account blob container/ folder : Access control lists (ACLs) in Azure Data Lake Storage Gen2

    Azure Data Lake Storage Gen2 implements an access control model that supports both Azure role-based access control (Azure RBAC) and POSIX-like access control lists (ACLs). This article summarizes the basics of the access control model for Data Lake Storage Gen2.

    ACLs are applied on the file and folder level. The key thing to remember is that you are always going to need RBAC Control Plane permissions in combination with ACLs. Best practice is to assign your security principals RBAC Reader role on the Storage Account/Container level and continue with more restrictive ACLs on the file and folder level.

    There are two types of ACLs:
    Access ACLs: They control access to an object. An object can be a file or a folder.
    Default ACLs: These are ACLs assigned on the folder level only which get inherited as Access ACLs by the child file or folder.

    You can also configure directory and file level permissions over SMB in Azure File Share (After you assign share-level permissions with Azure RBAC, you must configure proper Windows ACLs at the root, directory, or file level, to take advantage of granular access control.)

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to 155842-image.png and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    2 people found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Vaibhav Chaudhari 38,436 Reputation points

    Folders in the Azure Blob storage are virtual. They look like a folders but they are not real folders just like the folders in your local computer.

    If you need to grant access on folder level, you need to use Azure Data Lake Gen2 i.e. Azure Storage account where Hierarchical namespace setting is enabled.

    Please don't forget to Accept Answer and Up-vote if the response helped -- Vaibhav

    1 person found this answer helpful.
    0 comments No comments