How to control access to identity-specific folders in Azure Blob Storage using ABAC
An example use case:
I have an Azure Blob Container named "my-org-documents"; a specific folder should be shared across all the identities. However, each identity can only write into their subfolders.
I will use the below identities as example:
[email protected] (AD user)
ExampleMI12 (managed identity)
I have created a path called test, managedidentity and sharedfolder under the container, so the structure is as below:
my-org-documents/test
my-org-documents/managedidentity
my-org-documents/sharedfolder
My task is completed when:
- Active Directory user "test" is able to read/write into sharedfolder
- Active Directory user "test" is able to read/write into test folder but not into managedidentity folder.
- Managed Identity "ExampleMI12" is able to read/write into sharedfolder
- Managed Identity "ExampleMI12" is able to read/write into "ExampleMI12" folder but not into test folder.
Scoping the role assignment:
In such scenario, you can achieve the target by assigning "Storage Blob Data Contributor" to the required identity while applying ABAC conditions to add more control over folder access.
Configuring the user permissions:
- Assigning "Storage Data Contributor role" to user "test" on the storage account level.
-Then, in the conditions tab, I will add the below policy:
The above ABAC policy will only allow read/write access to "test" and "sharedfolder" paths, while it will deny access to all the other folders inside the "my-org-document" container or any other container inside the storage account.
Configuring the managed identity permissions:
- Assigning "Storage Data Contributor role" to managed identity "ExampleMI12" on the storage account level.
- Then, in the conditions tab, I will add the below policy:
Conclusion:
In this scenario, I was able to control folder level access for AD identities by assigning a role to each identity while adding specific ABAC conditions that will add more granularity over the wide role access.
Note: For ADLS endpoint, the ABAC policy should be modified to remove the ending slash from the blob path. Similar to the below example:
Note:
Please add "microsoft.storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action" action on all conditions if:
1- The role definition contains this action, such as "Storage blob data owner"
2- The storage accounts included in this condition have hierarchical namespace enabled or might be enabled in the future.
Published on:
Learn moreRelated posts
Fundamentals of Azure DevOps with SQL projects
Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...
Upcoming Change: NTLM Removal in Git (libcurl) – Impact to Azure DevOps Server Customers
Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operation...
What’s new across Microsoft SQL in 2026 so far (SQL Server, Azure SQL, and SQL database in Fabric)
We’re halfway through 2026, and Microsoft SQL has not slowed down. Since SQLCon/FabCon in March (where we released a ton of things, and those ...
Power Automate Flow — HTTP Trigger to Azure OpenAI
Build the secure Power Automate HTTP trigger flow that receives free text from the portal, calls Azure OpenAI using your smart-form-extract de...
Spring AI 2.0 is GA: Vector Search, Memory, and Agents on Azure Cosmos DB
The wait is over. Spring AI 2.0 is generally available, and Azure Cosmos DB is right there with it. With this release, Spring AI graduates int...