APIM access to storage account with ACL

Vikas Tiwari 766 Reputation points

I have a few APIM proxies which insert incoming payloads into different ADLS Gen2 folders.

i.e. /api/v1/customer will store the payload in the "mycontainer/customers" folder in ADLS Gen2
/api/v1/product will store the payload in the "mycontainer/products" folder in ADLS Gen2

APIM is using MSI to access the storage account using the contributor role.

Can I fine-grain security using ACLs and give access at folder level to a specific APIM proxy? (i.e. using the above scenario, /api/v1/customer must only post data into the "mycontainer/customers" folder, and should throw an error if it tries to post a payload into the wrong folder such as "mycontainer/products").



Accepted answer
  1. PRADEEPCHEEKATLA-MSFT 85,586 Reputation points Microsoft Employee

    Hello @Vikas Tiwari,

    Thanks for the question and for using the MS Q&A platform.

    Unfortunately, you cannot use fine-grained security using ACLs and give access at folder level to a specific APIM proxy.

    Reason: Azure API Management relies on Azure role-based access control (Azure RBAC) to enable fine-grained access management for API Management services and entities (for example, APIs and policies).

    API Management currently provides three built-in roles and will add two more roles in the near future. These roles can be assigned at different scopes, including subscription, resource group, and individual API Management instance.


    For more details, refer to How to use Role-Based Access Control in Azure API Management

    You can associate a security principal with an access level for files and directories. Each association is captured as an entry in an access control list (ACL).

    For more details, refer to Access control lists (ACLs) in Azure Data Lake Storage Gen2.

    Hope this will help. Please let us know if you have any further queries.



0 additional answers
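
A simplified model of how ADLS Gen2 authorizes a write, added here as an illustration and not part of the original thread: an Azure RBAC data role that grants the operation is honored before ACLs are consulted, and an ACL entry identifies a security principal, not the API route that made the call. Assumptions: the principal ID, ACL values and function names are constructed; the role in the question is treated as a data-plane role (such as Storage Blob Data Contributor) assigned on the whole account; group entries and the super-user check are left out.

```python
# Added example: simplified ADLS Gen2 authorization order (constructed data).
APIM_MSI = "apim-msi-object-id"  # placeholder for the APIM managed identity

def make_acl(named):
    # One directory's ACL; owner, mask and "other" are constructed values.
    return {"owner": "storage-admin", "owner_perms": "rwx",
            "named": named, "mask": "rwx", "other": "---"}

# Container "mycontainer": root plus the two folders from the question.
ACLS = {
    "/": make_acl({APIM_MSI: "--x"}),          # traverse only
    "customers": make_acl({APIM_MSI: "-wx"}),  # may create files here
    "products": make_acl({}),                  # no entry for the MSI
}

def acl_allows(acl, principal, needed):
    if principal == acl["owner"]:
        perms = acl["owner_perms"]             # owner is not limited by the mask
    elif principal in acl["named"]:
        entry = acl["named"][principal]        # named users are limited by the mask
        perms = "".join(p if m != "-" else "-" for p, m in zip(entry, acl["mask"]))
    else:
        perms = acl["other"]
    return all(bit in perms for bit in needed)

def can_create_file(principal, directory, rbac_data_writers, acls):
    """Return (allowed, reason). Note there is no 'which API called' input:
    the storage service only sees the principal in the token."""
    if principal in rbac_data_writers:         # role assignment grants the write:
        return True, "rbac"                    # ACLs are never consulted
    parts = directory.strip("/").split("/")
    ancestors = ["/"] + ["/".join(parts[:i]) for i in range(1, len(parts))]
    for path in ancestors:                     # execute needed on every ancestor
        if not acl_allows(acls[path], principal, "x"):
            return False, "acl-deny-traverse:" + path
    if not acl_allows(acls["/".join(parts)], principal, "wx"):
        return False, "acl-deny-write"
    return True, "acl"

if __name__ == "__main__":
    for folder in ("customers", "products"):
        print(folder, "with account-wide data role:",
              can_create_file(APIM_MSI, folder, {APIM_MSI}, ACLS))
        print(folder, "with ACLs only:",
              can_create_file(APIM_MSI, folder, set(), ACLS))
```

With the account-wide role in place both folders are writable whatever the ACLs say, and because both APIs call as the same managed identity, any ACL result applies to both routes equally.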