Azure Storage Role Based Access Control : Revoking Delete Access using RoleDefinition via Powershell

Published Jul 24 2019 06:39 AM

Scenario :

The end-user should not be able to delete the data but can execute other data operations like create/update etc. in the storage account.


Pre-Requisites :


  • The admin must have adequate access under the tenant, i.e. privileges to create a custom AD role. Refer to this article.
  • The user must be an admin/contributor on the said storage account so that they can grant the access.

Step 1: Creation of a custom Azure Active Directory Role :


The JSON file of the Azure AD Role is as follows :



Using PowerShell to create a Role Definition:


Step 2: Retrieving the created Role :


Step 3: Assignment of the Role :

  • Log in to the Azure Portal -> The Storage Account -> Access Control (IAM)
  • Provide the required type of security principal.
  • Search for the user to whom the access should be


  • Now when the said user tries to execute a delete operation, he will observe an error.
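The three steps above carried out end to end, as an added example that is not the post's own script or JSON: it builds the custom Azure RBAC role definition, creates it with New-AzRoleDefinition, reads it back to confirm the delete permissions are excluded, and assigns it at storage-account scope. The subscription id, resource group, storage account name and user sign-in name are placeholders; the Az PowerShell module and a prior Connect-AzAccount are assumed.

```powershell
# Added example (not the original post's code). Placeholders: <subscription-id>,
# <resource-group>, <storage-account>, user@contoso.com. Assumes the Az module and Connect-AzAccount.
$subscriptionId = "<subscription-id>"
$scope = "/subscriptions/$subscriptionId/resourceGroups/<resource-group>" +
         "/providers/Microsoft.Storage/storageAccounts/<storage-account>"

# Role definition: allow blob data operations but revoke delete.
# NotDataActions removes the data-plane blob delete; NotActions removes the control-plane
# container delete so the user cannot drop a whole container either.
# (An explicit allowlist of read/write/add/move DataActions is the tighter alternative
# to "wildcard minus delete", since new delete-like actions would not be inherited.)
$roleDefinition = [ordered]@{
    Name             = "Storage Blob Data Contributor (No Delete)"
    IsCustom         = $true
    Description      = "Create, read and update blobs, but never delete them."
    Actions          = @(
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
    )
    NotActions       = @("Microsoft.Storage/storageAccounts/blobServices/containers/delete")
    DataActions      = @("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*")
    NotDataActions   = @("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete")
    AssignableScopes = @("/subscriptions/$subscriptionId")
}
$jsonPath = Join-Path $PWD "no-delete-role.json"
$roleDefinition | ConvertTo-Json -Depth 4 | Set-Content -Path $jsonPath

# Step 1: create the custom role from the JSON file.
New-AzRoleDefinition -InputFile $jsonPath | Out-Null

# Step 2: retrieve it and verify that both delete permissions are excluded before assigning.
$role = Get-AzRoleDefinition -Name $roleDefinition.Name
$blobDelete      = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
$containerDelete = "Microsoft.Storage/storageAccounts/blobServices/containers/delete"
if ($role.NotDataActions -notcontains $blobDelete -or $role.NotActions -notcontains $containerDelete) {
    throw "Role '$($role.Name)' still permits a delete operation; not assigning it."
}

# Step 3: assign the role to the user at the storage-account scope only (not the subscription).
New-AzRoleAssignment -SignInName "user@contoso.com" -RoleDefinitionName $role.Name -Scope $scope | Out-Null

# Confirm what the user now holds on this storage account.
Get-AzRoleAssignment -SignInName "user@contoso.com" -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

After this, a blob delete attempted by the user (for example with Remove-AzStorageBlob using Azure AD credentials) is rejected with an authorization error, which is the behaviour shown in the post's final screenshot.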


Hope this helps.