2
votes

I'm having trouble with the authentication using Azure Blob Storage, we're using ADAL in an Angular app to connect with Azure Blob storage.

I have set up the Azure App Registration with Storage impersonate and can acquire a token for the user to the https://storage.azure.com/ resource.

The Storage Account has Access Controls configured for Storage Blob Data Contributor for users, now this is where I start to have problems.

If I assign the user directly to Storage Blob Data Contributor - everything works as expected and we can query and upload blobs.

However, if we assign Storage Blob Data Contributor to an AD Security Group, members of said AD Group cannot access the storage and receive 403 errors with the x-ms-error-code: AuthorizationPermissionMismatch header.

Are there any restrictions on assigning permissions via groups? Do we need Premium AD? Any help would be much appreciated.

Update

Confirmed not an issue with Premium AD as that's still not working after trying a tenancy that has P2.

The documentation here states:

When an RBAC role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

Surely that means that you can assign roles either per person or inherit from a group???

Full context:

  1. App Registration configured with Azure Storage -> user_impersonation [image: App configuration]
  2. User has the Storage Blob Data Contributor role assigned via GROUP ASSIGNMENT [image: User Role Assignment v1]
  3. Angular App can authorize against https://storage.azure.com/ and acquire a token [image: JWT Token]
  4. 403 error on the PUT request with the error code AuthorizationPermissionMismatch [image: HTTP PUT Error]
  5. Update role assignments to include a direct assignment [image: User Role Assignment v2]
  6. Acquire a new token...
  7. PUT now works and the image is stored successfully [image: Successful PUT]

Now this works - it's proved the Groups are the cause. Why do group assignments not give users access?

Again any help would be appreciated!

Update 2

As requested in the answer below:

"Check Access" option from the "IAM Access" blade shows I have the Storage Blob Data Contributor role assignment from three groups (QA - Technician, QA - Site Admin w/o customer data and QA - Site Admin w/ customer data)

[image: IAM Access - Check Access]

I haven't changed the users associated with the roles since they were created several months ago, and as the image above shows, I must be a member of the role to be included here.

The Group is not dynamically assigned, all users are assigned to the Roles by the Membership section. Does it matter that these are via another group? i.e.

[image: Development Group in QA - Site Admin w/o customer data group]

[image: Development Group members]

1
Did you ever find out what the problem was? I just encountered the same problem. - Daniel Sklenitzka

1 Answer

0
votes

Could you please use the "Check Access" option from the "IAM Access" blade on the affected storage account in the Azure portal and see if the user who is part of the group shows the role assignment via inheritance? Also, I would request you to check if the user is part of the group at the point we attempted access. Does the group have dynamic membership user assignment?

storage account > IAM > Add role and add the special permission for this type of request, STORAGE BLOB DATA CONTRIBUTOR. I would recommend you to please look into this article.

For now, you can test the identity based access using the PowerShell https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-powershell

Let me know the status
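The check the answer asks for (does the role reach the user through group inheritance at the storage account scope?) and the PowerShell data-plane test it links to, written out as an added example; this is not code from the question or the answer. Subscription id, resource group, storage account, container and UPN are placeholders you replace; the group name is the one the question mentions, and the script assumes you run it signed in as the affected user.

```powershell
# Added example, not from the page: verify the effective Storage Blob Data Contributor
# assignment for one user (including assignments inherited from groups and from
# parent scopes) and then exercise blob access with that user's own token.
$Upn            = 'user@contoso.example'                    # placeholder: affected user
$SubscriptionId = '00000000-0000-0000-0000-000000000000'    # placeholder
$ResourceGroup  = 'rg-placeholder'                          # placeholder
$StorageAccount = 'stplaceholder'                           # placeholder
$Container      = 'uploads'                                 # placeholder
$Scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$StorageAccount"

# Sign in as the user who receives the 403 so step 3 uses the same identity.
Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# 1. Control plane: -ExpandPrincipalGroups lists assignments the user gets through
#    group membership, and -Scope also returns assignments made at parent scopes
#    (subscription, resource group), since RBAC inherits downward. ObjectType tells
#    you whether each hit is the user (direct) or a group (inherited).
$assignments = Get-AzRoleAssignment -SignInName $Upn -Scope $Scope -ExpandPrincipalGroups |
    Where-Object RoleDefinitionName -eq 'Storage Blob Data Contributor'
if (-not $assignments) {
    Write-Warning "No Storage Blob Data Contributor assignment reaches $Upn at $Scope"
} else {
    $assignments | Select-Object DisplayName, ObjectType, Scope | Format-Table -AutoSize
}

# 2. Directory view: list the group's direct members. A user who appears only through
#    a nested group (as in the question's 'Development Group') shows up here as a
#    Group object, not as the user, which is worth knowing when comparing with step 1.
$group = Get-AzADGroup -DisplayName 'QA - Site Admin w/o customer data'
Get-AzADGroupMember -GroupObjectId $group.Id |
    Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table -AutoSize

# 3. Data plane: -UseConnectedAccount builds a context from the signed-in user's
#    Azure AD token (no account key), reproducing the Angular app's PUT outside the browser.
$ctx   = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount
$probe = Join-Path $env:TEMP 'rbac-probe.txt'
Set-Content -Path $probe -Value 'rbac probe'
try {
    Set-AzStorageBlobContent -File $probe -Container $Container -Blob 'rbac-probe.txt' `
        -Context $ctx -Force | Out-Null
    Write-Host "PUT succeeded as $Upn"
} catch {
    # A 403 AuthorizationPermissionMismatch here, with step 1 showing the role,
    # isolates the problem to the data-plane evaluation rather than the assignment.
    Write-Warning "PUT failed: $($_.Exception.Message)"
}
```

Run it once with the group-only assignment and once after adding the direct assignment (the question's steps 2 and 5) and compare the step 1 output in both cases.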