Azure Storage Role-Based Access Control: Revoking Delete Access Using a RoleDefinition via PowerShell

Published Jul 24 2019 06:39 AM
Microsoft

Scenario:

The end user should be able to create, update and otherwise work with data in the storage account, but must not be able to delete it.

Prerequisites:

  • The admin must have adequate access in the tenant, i.e. the privileges to create a custom AD role. Refer to this article.
  • The person granting the access must be an admin or contributor on the storage account in question.

Step 1: Creation of a custom Azure Active Directory Role:

The JSON file of the Azure AD Role is as follows:

(Screenshot: Blog-1.png, the role definition JSON)

Using PowerShell to create a Role Definition:

(Screenshot: Blog-2.png)

Step 2: Retrieving the created Role:

(Screenshot: blog-3.png)

Step 3: Assignment of the Role:

  • Log in to the Azure Portal -> The Storage Account -> Access Control (IAM)
  • Provide the required type of security principal.
  • Search for the user to whom the access should be assigned.

(Screenshot: blog-4.png)

  • Now, when the said user tries to execute a delete operation, he will observe an error.

(Screenshot: blog-5.png)
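The three steps carried through end to end in PowerShell, as an added example (not the post's own JSON or screenshots): a custom role definition that grants blob read/create/update but lists blob delete under NotDataActions, then created, retrieved and assigned with the Az cmdlets. The role name, subscription ID, resource group, storage account name and user sign-in name are placeholders to replace.

```powershell
# Added example. Placeholders: <subscription-id>, rg-demo, stdemo01, user@contoso.com.
$subscriptionId = "<subscription-id>"
$roleName       = "Storage Blob Data Contributor (No Delete)"

# Delete is excluded on both planes: containers/delete is left out of Actions,
# blobs/delete is denied under NotDataActions. listKeys/action is deliberately
# absent: with an account key the user could bypass RBAC entirely.
$roleJson = @"
{
  "Name": "$roleName",
  "IsCustom": true,
  "Description": "Read, create and update blobs without the ability to delete.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
  ],
  "NotDataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
  ],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$roleFile = Join-Path $env:TEMP "no-delete-role.json"
Set-Content -Path $roleFile -Value $roleJson -Encoding utf8

# Step 1: create the role definition (needs rights to write role definitions).
Connect-AzAccount -Subscription $subscriptionId | Out-Null
New-AzRoleDefinition -InputFile $roleFile

# Step 2: retrieve it and confirm delete appears only under NotDataActions.
$role = Get-AzRoleDefinition -Name $roleName
$role.DataActions
$role.NotDataActions

# Step 3: assign it to the user, scoped to the single storage account.
$account = Get-AzStorageAccount -ResourceGroupName "rg-demo" -Name "stdemo01"
New-AzRoleAssignment -SignInName "user@contoso.com" `
                     -RoleDefinitionName $roleName `
                     -Scope $account.Id

# Check: list every assignment the user holds on the account. Any additional
# role granting blobs/delete or listKeys/action would defeat the restriction.
Get-AzRoleAssignment -SignInName "user@contoso.com" -Scope $account.Id |
    Select-Object RoleDefinitionName, Scope
```

NotDataActions only subtracts from this role's own DataActions; a second assignment (Owner, Contributor, Storage Blob Data Contributor) on the account or a parent scope still lets the user delete, so the final listing is the check worth keeping.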

Hope this helps.

Last update: Feb 03 2021 08:43 PM