Azure Storage restrict access one container only

3
votes

This is my situation: Two groups in Azure AD. Group 1 can access only container1, but not container2 Group 2 can access only container2, but not container1

To achieve this I have given IAM Role Permission on each container accordingly (assigned Storage Blob Data Contributor Role to group).

Code Sample I used: https://github.com/Azure-Samples/storage-dotnet-azure-ad-msal

But to upload/download any file on container I have to assign role of Storage Blob Data Contributor on Storage Account as well. If I give Storage Blob Data Contributor on Storage Account then that Group users can add files to any container.

So is there any way to achieve like, Group 1 can access only container1, but not container2 Group 2 can access only container2, but not container1

1
azureazure-active-directoryazure-storageazure-storage-blobs

1 Answers

1
votes

Denying group to a container is not supported yet. As given in the image taken from IAM blade: "At this time, the only way you can add your own deny assignments is by using Azure Blueprints." Denying access to users is quite a process. So it is best if you create two storage accounts and manage the access at storage account level instead of Container. This is not for group but for a single user in group. enter image description here