Uredi

Deli z drugimi prek


Assign an Azure role for access to table data

Microsoft Entra authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access table data in Azure Storage.

When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. A Microsoft Entra security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

To learn more about using Microsoft Entra ID to authorize access to table data, see Authorize access to tables using Microsoft Entra ID.

Assign an Azure role

You can use PowerShell, Azure CLI, or an Azure Resource Manager template to assign a role for data access.

Important

The Azure portal does not currently support assigning an Azure RBAC role that is scoped to the table. To assign a role with table scope, use PowerShell, Azure CLI, or Azure Resource Manager.

You can use the Azure portal to assign a role that grants access to table data to an Azure Resource Manager resource, such as the storage account, resource group, or subscription.

To assign an Azure role to a security principal, call the New-AzRoleAssignment command. The format of the command can differ based on the scope of the assignment. In order to run the command, you must have a role that includes Microsoft.Authorization/roleAssignments/write permissions assigned to you at the corresponding scope or above.

To assign a role scoped to a table, specify a string containing the scope of the table for the --scope parameter. The scope for a table is in the form:

/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/tableServices/default/tables/<table-name>

The following example assigns the Storage Table Data Contributor role to a user, scoped to a table. Make sure to replace the sample values and the placeholder values in brackets with your own values:

New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Storage Table Data Contributor" `
    -Scope  "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/tableServices/default/tables/<table>"

For information about assigning roles with PowerShell at the subscription, resource group, or storage account scope, see Assign Azure roles using Azure PowerShell.

Keep in mind the following points about Azure role assignments in Azure Storage:

  • When you create an Azure Storage account, you are not automatically assigned permissions to access data via Microsoft Entra ID. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or table.
  • When you assign roles or remove role assignments, it can take up to 10 minutes for changes to take effect.
  • Built-in roles with data actions can be assigned at management group scope. However, in rare scenarios there might be a significant delay (up to 12 hours) before data action permissions are effective for certain resource types. Permissions will eventually be applied. For built-in roles with data actions, adding or removing role assignments at management group scope is not recommended for scenarios where timely permission activation or revocation, such as Microsoft Entra Privileged Identity Management (PIM), is required.
  • If the storage account is locked with an Azure Resource Manager read-only lock, then the lock prevents the assignment of Azure roles that are scoped to the storage account or a table.

Next steps