Context: I have limited experience with Azure, but looking to add a few guest users external to our organization to allow them to use Azure blob storage to upload dataset they can use (e.g., add, edit, delete), but otherwise limit all of their permissions.

My approach is to create a storage account for each of them, then adjust the permissions for that account.

What I have done:

  • Create new storage account
  • Add external user as "Guest user"
  • For the storage account, adjusted the permissions such that for that specific user I added their Role Assignment as "Storage Blob Data Contributor"

Problem: When the user logs into their Azure portal they are unable to find this resource or seemingly get access to it. I'm wondering if there are other permissions I need to enable to make this work?

1 Answer

Storage Blob Data Contributor is a data plane role. To see the Storage Accounts, your guest users will need at least the Reader role on the actual storage account (control plane). If you want just one role to allow both planes, you can give your users the "Reader and Data Access" built-in role.

More Context

Azure operations can be divided into two categories - control plane and data plane. A simplistic way of thinking of this from an on-prem storage perspective is that control plane gives access to the physical (e.g. you have access to the server room where the disks are and you can swap out drives as needed) whereas data plane is you have permissions on the file share to view files.

When I talk to customers, I try to equate access to the portal as access to your on-prem datacenter. You only give it out to the people that need physical access.

You can also look at Azure Data Explorer, but you still need the proper data/control plane permissions.
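A way to verify the two-plane requirement described in the answer before handing a guest the account details, as an added example that is not part of the original question or answer: the script below audits role assignments in the shape `az role assignment list -o json` returns (`principalName`, `roleDefinitionName`, `scope`) and reports, per guest, whether they hold a control-plane role that makes the storage account visible, whether they hold a blob data-plane role, and whether any role was granted at a wider scope than the account itself. The subscription id, resource group, account name and guest UPNs are constructed sample values, not taken from the page.

```python
"""Audit Azure RBAC assignments for guest access to one storage account.

A guest needs a control-plane role (Reader, at the account scope or inherited
from the resource group or subscription) to see the account in the portal,
plus a data-plane role such as Storage Blob Data Contributor to add, edit and
delete blobs. "Reader and Data Access" satisfies both at once.
Input mirrors `az role assignment list -o json`; the sample is constructed.
"""
import json

# Built-in roles that make a storage account visible in the portal (control plane).
CONTROL_PLANE_VISIBILITY = {"Reader", "Contributor", "Owner", "Reader and Data Access"}
# Built-in roles that grant blob data access (data plane).
DATA_PLANE_BLOB = {
    "Storage Blob Data Reader", "Storage Blob Data Contributor",
    "Storage Blob Data Owner", "Reader and Data Access",
}

# Constructed sample: fake subscription, resource group, account and guest UPNs.
STORAGE_ACCOUNT_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-datasets/providers/Microsoft.Storage/storageAccounts/stdatasets01"
)
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = json.loads(json.dumps([
    # alice: the situation in the question, data-plane role only
    {"principalName": "alice_example.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": STORAGE_ACCOUNT_ID},
    # bob: Reader on the account plus the data-plane role, as the answer recommends
    {"principalName": "bob_example.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Reader", "scope": STORAGE_ACCOUNT_ID},
    {"principalName": "bob_example.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": STORAGE_ACCOUNT_ID},
    # carol: works, but Reader was granted on the whole subscription (over-broad)
    {"principalName": "carol_example.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Reader", "scope": SUBSCRIPTION_SCOPE},
    {"principalName": "carol_example.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": STORAGE_ACCOUNT_ID},
]))


def scope_covers(assignment_scope, resource_id):
    """True if the assignment scope is the resource itself or an ancestor
    (resource group, subscription or root) in the ARM id hierarchy."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def audit_guest(assignments, principal_name, storage_account_id):
    """Summarise one principal's effective roles on the account and list findings."""
    control, data, broad = set(), set(), []
    for asg in assignments:
        if asg["principalName"].lower() != principal_name.lower():
            continue
        if not scope_covers(asg["scope"], storage_account_id):
            continue  # assignment on an unrelated resource
        role = asg["roleDefinitionName"]
        if role in CONTROL_PLANE_VISIBILITY:
            control.add(role)
        if role in DATA_PLANE_BLOB:
            data.add(role)
        if asg["scope"].rstrip("/").lower() != storage_account_id.rstrip("/").lower():
            broad.append((role, asg["scope"]))
    findings = []
    if data and not control:
        findings.append("data-plane role without a control-plane role: "
                        "account is invisible in the portal")
    if not data:
        findings.append("no blob data-plane role: cannot add, edit or delete blobs")
    for role, scope in broad:
        findings.append(f"{role} granted at wider scope {scope} (least privilege: "
                        f"scope it to the storage account)")
    return {"control_plane": sorted(control), "data_plane": sorted(data),
            "findings": findings}


def audit_all(assignments, storage_account_id):
    """Run the audit for every distinct principal in the assignment list."""
    names = sorted({a["principalName"] for a in assignments})
    return {n: audit_guest(assignments, n, storage_account_id) for n in names}


if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_ASSIGNMENTS, STORAGE_ACCOUNT_ID).items():
        print(name)
        print("  control plane:", result["control_plane"] or "none")
        print("  data plane:   ", result["data_plane"] or "none")
        for f in result["findings"]:
            print("  !", f)
```

On a real tenant, replace `SAMPLE_ASSIGNMENTS` with the output of `az role assignment list --scope <storage account id> --include-inherited -o json` and set `STORAGE_ACCOUNT_ID` from `az storage account show --name <name> --resource-group <rg> --query id -o tsv`. The role name sets are deliberately limited to the common built-in roles; custom roles would need to be added to whichever set matches their actions.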