Custom RBAC role in Azure Storage to perform upload / download operation & restrict delete operation
Published May 15 2020 06:59 AM


This article explains, step by step, how to meet the following requirement in Azure Storage using a custom RBAC role:

  1. Read and write operations on containers and blobs should be allowed for the users
  2. Delete operations should be restricted

The above custom RBAC role should be assigned at the resource group level.



  1. An Azure Storage GPv2 / ADLS Gen2 storage account
  2. Sufficient permissions to create custom roles, such as Owner or User Access Administrator


The steps below create a custom RBAC role using the Azure portal.

A custom RBAC role can also be created using the following methods:

  1. Using PowerShell: please refer:
  2. Using Azure CLI: please refer:
  3. Using the REST API: please refer:

Step 1:

  1. Sign in to the Azure portal with your credentials
  2. Go to the resource group that you would like the role to be scoped to
  3. Select Access control (IAM) -> Add -> Add custom role



Step 2:

Give a suitable name and description for the role.




Step 3:

The Baseline permissions setting decides whether you create your custom role by cloning and then modifying an existing role, or by starting from scratch.

  • Here, I chose the option <Clone a role>
  • Role to clone: I chose <Storage Blob Data Contributor>, as it is the closest match to the custom role I want to create. You could choose any other role to clone as per your use case.



Step 4:

Under the Permissions tab, I altered the permissions as per my use case. I changed the permissions highlighted below, as they align with my use case:




To add or exclude permissions:

  1. Choose either Add or Exclude, then search for the resource provider whose permission you would like to add or exclude.
  2. As I would like to exclude the delete permissions at the storage account, I used the following:



Excluding the required permissions:

  1. Under NotActions: these apply to management plane permissions. I chose the 2 permissions shown below:



  2. Under NotDataActions: these apply to data plane operations



The final form of the custom RBAC role, scoped at the resource group level, is shown below. It was created by clicking the Create option.
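As an added example (not from the original post), the same role expressed in the JSON shape accepted by `az role definition create`, together with a small checker that applies Azure's effective-permission rule: an operation is allowed only if it matches Actions (or DataActions) and is not removed by NotActions (or NotDataActions). The baseline Actions and DataActions mirror the built-in Storage Blob Data Contributor role; the role name, the specific NotActions entry and the placeholder subscription ID are assumptions, since the post's screenshots are not reproduced here.

```python
import fnmatch
import json

# Custom role definition (constructed for this example). Baseline permissions
# are those of the built-in Storage Blob Data Contributor role; the excluded
# entries and the scope are assumptions, not copied from the post's screenshots.
ROLE = {
    "Name": "Storage Blob Upload Download No Delete (example)",
    "Description": "Read/write containers and blobs; delete operations excluded.",
    "Actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    ],
    # Management plane: NotActions only subtract from Actions granted above.
    # Listing an action the role never grants (e.g. storageAccounts/delete)
    # has no effect, because NotActions is not a deny assignment.
    "NotActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
    ],
    "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
    ],
    # Data plane: blob deletion is excluded here.
    "NotDataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
    ],
    # <subscription-id> is a placeholder; the resource group name is from the post.
    "AssignableScopes": ["/subscriptions/<subscription-id>/resourceGroups/CustomRBAC"],
}


def _matches(operation, patterns):
    """Case-insensitive match honouring the '*' wildcard used in role definitions."""
    return any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def allows(role, operation, data_plane=False):
    """Effective permission: (Actions - NotActions) or (DataActions - NotDataActions)."""
    grant, deny = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    return _matches(operation, role.get(grant, [])) and not _matches(operation, role.get(deny, []))


if __name__ == "__main__":
    print(json.dumps(ROLE, indent=2))  # paste into az role definition create --role-definition
```

The checker reproduces the outcome of Step 6 offline: blob upload and download pass, while blob, container and storage account deletion are not permitted by this role.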




Step 5:

Once the role has been created, we can assign it to the user as follows:

  1. Azure portal -> Resource group
  2. Access control (IAM) -> Add -> Add role assignment
  3. In the role assignment, choose the custom role you have created and assign it to the user




Please note

Along with the above permission, I gave the user the Reader role at the subscription level. You could give the Reader role at the resource group level instead.

Permissions granted to a user fall into two planes: the management plane and the data plane.

Hence, it is important that you grant at least the 'Reader' role at the management plane level.


Step 6:

The storage account <teststorage2355> was deployed in the resource group <CustomRBAC> where the custom RBAC role was assigned to the user.

The user performed the following operations to verify that the RBAC role was working as intended:


  1. Uploading blobs to blob storage succeeded



  2. Downloading blobs from blob storage succeeded


  3. Deleting blobs from blob storage failed with the error shown below



  4. Deleting a container would also delete its blobs. When I tried deleting the container, the error shown below was observed


  5. Deleting the storage account would also delete its blobs. When I tried deleting the storage account, the error shown below was observed:



Hope this helps !


Last update: May 19 2020 11:52 PM