Azure Storage - Role Based Access Control : Revoking Delete Access for the End Users
Microsoft

Scenario :

The end user should be able to read, create and update data in the storage account, but must not be able to delete it.

 

Pre-Requisites :

 

  • The admin must have permission to create a custom Azure role (Azure RBAC, not an Azure AD directory role), i.e. Microsoft.Authorization/roleDefinitions/write at the subscription or management group that will be the role's assignable scope. Owner and User Access Administrator carry it. Refer to this article: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles#who-can-create-delete-update-or-view-a-custom-role
  • The admin must also be able to assign roles on the said storage account, i.e. hold Microsoft.Authorization/roleAssignments/write there (Owner or User Access Administrator). Contributor cannot grant access.

Step 1: Creation of a custom Azure role :

 

The JSON file of the custom role definition is as follows :

[Image: Blog-1.png, the role definition JSON]

 

Using PowerShell to create the role definition :

[Image: Blog-2.png, PowerShell creating the role definition]

 

Step 2: Retrieving the created role :

[Image: blog-3.png, PowerShell retrieving the role definition]

 

Step 3: Assignment of the Role :

  • Log in to the Azure Portal -> The Storage Account -> Access Control (IAM) -> Add role assignment
  • Select the custom role created in Step 1 and provide the required type of security principal.
  • Search for the user to whom the access should be assigned and save the assignment.

[Image: blog-4.png, the Add role assignment blade]

  • Now, when the said user tries to delete a blob, the operation fails with an authorization error. This is only the case when the user authenticates to the storage service with their Azure AD identity (in the portal, the container view must use the Azure AD user account as its authentication method rather than the access key); requests authorized with the account key or a SAS are not subject to the role.

[Image: blog-5.png, the authorization error on delete]

Hope this helps.
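The three steps above carried out end to end with the Az PowerShell module, as an added example that is not the original post's script or the contents of its screenshots. The subscription ID, resource group, storage account name and user UPN are placeholders, and the role name and the exact action list are this example's own choices. It goes slightly beyond the post in two places a practitioner will want: it enumerates every other assignment the user holds at or above the account, because NotDataActions only subtracts from this one role and is not a deny rule, and it disables shared-key access, because account keys and key-signed SAS tokens bypass Azure RBAC entirely.

```powershell
# Added example (not the original post's script). Assumes the Az module with
# Connect-AzAccount already done; every value below is a placeholder.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # assumed
$resourceGroup  = 'rg-storage-demo'                         # assumed
$accountName    = 'stdemo001'                               # assumed
$userUpn        = 'enduser@contoso.com'                     # assumed
$roleName       = 'Storage Blob Data Contributor (No Delete)'
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$accountName"

# Step 1: the custom role. Only the blob data-plane operations needed to read,
# create and update are allowed; delete is simply left out of DataActions.
# Listing it under NotDataActions as well documents the intent, but remember
# that NotDataActions subtracts from THIS role only; it is not a deny rule
# (see Check 1 below). An explicit allow list is used instead of
# ".../blobs/*" minus delete, because the wildcard would also grant every
# other operation under blobs/, e.g. move/action, and anything added later.
$roleJson = @"
{
  "Name": "$roleName",
  "IsCustom": true,
  "Description": "Read, create and update blobs; no delete of blobs or containers.",
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write"
  ],
  "NotActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete"
  ],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
  ],
  "NotDataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
  ],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) 'no-delete-role.json'
Set-Content -Path $roleFile -Value $roleJson -Encoding utf8
New-AzRoleDefinition -InputFile $roleFile

# Step 2: read back what Azure actually stored.
$role = Get-AzRoleDefinition -Name $roleName
$role | Select-Object Name, DataActions, NotDataActions

# Step 3: assign at the storage-account scope (not the resource group or the
# subscription, to keep the grant as narrow as the scenario needs) and verify.
New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $roleName -Scope $scope
Get-AzRoleAssignment -SignInName $userUpn -Scope $scope -RoleDefinitionName $roleName

# Check 1: does any OTHER assignment the user holds, directly or through a
# group, at or above this scope grant blobs/delete? RBAC wildcards ('*')
# match the same way as PowerShell -like, so the comparison is exact.
$deleteAction = 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'
function Test-GrantsBlobDelete {
    param($RoleDefinition)
    $allowed = @($RoleDefinition.DataActions    | Where-Object { $deleteAction -like $_ }).Count -gt 0
    $denied  = @($RoleDefinition.NotDataActions | Where-Object { $deleteAction -like $_ }).Count -gt 0
    return ($allowed -and -not $denied)
}
Get-AzRoleAssignment -SignInName $userUpn -Scope $scope -ExpandPrincipalGroups |
    ForEach-Object { Get-AzRoleDefinition -Id $_.RoleDefinitionId } |
    Where-Object { Test-GrantsBlobDelete $_ } |
    Select-Object Name   # anything listed here re-grants delete and must be removed

# Check 2: RBAC is enforced only for Azure AD authentication. A user who can
# read the account keys (Microsoft.Storage/storageAccounts/listKeys/action,
# carried by Owner, Contributor and Storage Account Contributor) or who holds
# a key-signed SAS bypasses the role entirely. Turning shared-key access off
# closes that path for every client of this account.
Set-AzStorageAccount -ResourceGroupName $resourceGroup -Name $accountName -AllowSharedKeyAccess $false
```

Two limits of the approach are worth stating. First, "cannot delete" is not "cannot destroy": blobs/write still lets the user overwrite or truncate an existing blob, so pair the role with blob soft delete and versioning if the goal is data protection rather than just blocking the Delete call. Second, the check in Check 1 must be repeated whenever assignments change higher up; a Storage Blob Data Contributor assignment added at the resource group later would silently re-enable delete for this user.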