Azure RBAC for

Boris Zugic (Nokia) 20 Reputation points
2025-11-24T22:32:23.3066667+00:00

Hi, I’m trying to clarify how Azure Storage RBAC interacts with the Azure Portal UI.

From my testing, it appears that:

A user with Owner or Contributor (management-plane roles) can upload, delete, and list blobs through the Azure Portal even if they have no data-plane roles like “Storage Blob Data Reader/Contributor”.

A user with only data-plane roles (e.g., “Storage Blob Data Reader”) cannot browse or interact with blobs through the Portal UI, but can list/read blobs programmatically using Entra ID authentication.

My understanding is that this is because:

  1. The portal uses storage account keys (or a SAS generated using the account keys), so only users with Microsoft.Storage/storageAccounts/listKeys/action can perform blob operations in the portal.
  2. The portal does not check data-plane roles.

Therefore, because the Azure portal does not check data-plane roles, only management-plane roles with Microsoft.Storage/storageAccounts/listKeys/action can use the portal to perform blob operations.

Can someone confirm this?


Answer accepted by question author
  1. Adam Zachary 2,025 Reputation points
    2025-11-25T02:04:44.33+00:00

    I’ve tested this many times, and yes, your understanding is correct.

    Owner/Contributor can browse and modify blobs in the Azure Portal because the portal uses account keys, not data-plane RBAC. Those roles have the listKeys permission, which lets the portal pull the storage keys and act as if it was the storage account itself.

    Users who only have data-plane roles cannot use the portal UI because the portal won’t use AAD-based data-plane RBAC for browsing. But they can still read/write blobs through CLI/SDK because those tools use proper AAD authentication.

    So, the behavior you described is exactly how Azure works today.


2 additional answers

Sort by: Most helpful
  1. Venkatesan S 925 Reputation points Microsoft External Staff Moderator
    2025-11-24T23:28:54.86+00:00

    Hi Boris Zugic (Nokia),

    Thanks for reaching out to Microsoft Q&A.

    • Azure Portal does not use data-plane RBAC when accessing blobs. Instead, it relies on storage account keys or a SAS generated from those keys. Because of this, only users with management-plane permissions such as Microsoft.Storage/storageAccounts/listKeys/action (e.g., Owner, Contributor, Storage Account Contributor) can browse, upload, and delete blobs in the Azure Portal.
    • Users who have only data-plane roles (like Storage Blob Data Reader/Contributor) cannot interact with blobs in the portal UI, but they can access blobs programmatically using Azure AD authentication.
    • Management-plane roles → portal retrieves keys → full blob access in the UI.
    • Data-plane roles only → portal cannot get keys → no blob browsing in the UI.
    • Programmatic access (CLI/SDK) correctly uses data-plane RBAC (AAD) → works without keys.

    Reference:

    Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


  2. Q&A Assist
    2025-11-24T22:32:31.9566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Your understanding of how Azure Storage RBAC interacts with the Azure Portal UI is mostly correct. Here are the key points:

    1. Management-plane roles: Users with roles like Owner or Contributor can perform blob operations in the Azure Portal, even if they do not have data-plane roles such as Storage Blob Data Reader or Contributor. This is because these management-plane roles allow access to the storage account keys, which are necessary for operations in the portal.
    2. Data-plane roles: Users with only data-plane roles (e.g., Storage Blob Data Reader) cannot browse or interact with blobs in the Azure Portal UI. However, they can still access blobs programmatically using Microsoft Entra ID authentication, as they have the necessary permissions for data access.
    3. Authorization mechanism: The Azure Portal checks for the Microsoft.Storage/storageAccounts/listKeys/action permission, which is part of the management-plane roles. If a user has this permission, the portal can use the storage account keys to perform blob operations. The portal does not check for data-plane roles when performing these operations.

    Thus, your conclusion that the Azure Portal does not check data-plane roles and relies on management-plane roles with the appropriate permissions to perform blob operations is accurate.

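The three answers above all reduce to the same authorization check: the portal path depends on the control-plane action `Microsoft.Storage/storageAccounts/listKeys/action`, while the CLI/SDK path with Entra ID depends on a data-plane action such as `.../blobs/read`. The following is an added example, not code from the thread or from Microsoft, that models that check as a small RBAC evaluator over constructed role assignments. It assumes simplified copies of the built-in role definitions (action lists trimmed to the entries that matter here), and a hypothetical `allow_shared_key_access` flag standing in for the storage account's "Allow storage account key access" setting, so that the effect of disabling shared-key authentication on the key-based portal path can be checked alongside the role evaluation.

```python
"""Added example (not from the Q&A thread or from Microsoft): models how the two
blob access paths discussed above are authorized, using a small RBAC evaluator
over constructed role assignments.

Assumptions: BUILTIN_ROLES are simplified copies of the built-in roles (trimmed
to the relevant entries); StorageAccount.allow_shared_key_access is a
hypothetical flag mirroring the account's shared-key access setting."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Control-plane action the portal needs in order to fetch account keys.
LIST_KEYS_ACTION = "Microsoft.Storage/storageAccounts/listKeys/action"
# Data-plane action checked when a client authenticates to Blob with Entra ID.
BLOB_READ_DATA_ACTION = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

# Simplified built-in role definitions (assumption: trimmed to the relevant entries).
BUILTIN_ROLES = {
    "Owner": {
        "actions": ["*"], "notActions": [],
        "dataActions": [], "notDataActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        # Contributor is "*" minus role-assignment management, irrelevant for listKeys.
        "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
        "dataActions": [], "notDataActions": [],
    },
    "Reader": {
        "actions": ["*/read"], "notActions": [],
        "dataActions": [], "notDataActions": [],
    },
    "Storage Blob Data Reader": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "notActions": [],
        "dataActions": [BLOB_READ_DATA_ACTION],
        "notDataActions": [],
    },
}


def _matches(operation: str, patterns) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters (including '/'), case-insensitive."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def is_permitted(assigned_roles, operation: str, plane: str) -> bool:
    """True if any assigned role grants `operation` on the given plane.

    plane is "actions" (control plane) or "dataActions" (data plane).
    NotActions/NotDataActions only subtract from the same role's grant;
    grants from different roles are unioned, as Azure RBAC does.
    """
    not_key = "notActions" if plane == "actions" else "notDataActions"
    for role_name in assigned_roles:
        role = BUILTIN_ROLES[role_name]
        if _matches(operation, role[plane]) and not _matches(operation, role[not_key]):
            return True
    return False


@dataclass
class StorageAccount:
    name: str
    allow_shared_key_access: bool = True  # assumption: the account's shared-key setting


def blob_access_paths(assigned_roles, account: StorageAccount) -> dict:
    """Which of the two paths from the thread are open to a principal."""
    can_list_keys = is_permitted(assigned_roles, LIST_KEYS_ACTION, "actions")
    can_read_blobs = is_permitted(assigned_roles, BLOB_READ_DATA_ACTION, "dataActions")
    return {
        # Portal path: needs listKeys AND the account must still accept shared-key auth.
        "portal_via_account_keys": can_list_keys and account.allow_shared_key_access,
        # CLI/SDK path with Entra ID: needs a data-plane role; keys are not involved.
        "cli_sdk_via_entra_id": can_read_blobs,
    }


if __name__ == "__main__":
    acct = StorageAccount("constructedstorageacct")  # constructed sample account
    for roles in (["Owner"], ["Contributor"], ["Reader"], ["Storage Blob Data Reader"]):
        print(roles, blob_access_paths(roles, acct))
    # Disabling shared-key access closes the key-based path even for Owner.
    hardened = StorageAccount("hardenedacct", allow_shared_key_access=False)
    print(["Owner"], blob_access_paths(["Owner"], hardened))
```

Running it shows Owner and Contributor opening only the key-based portal path, Reader opening neither (its `*/read` pattern does not cover `listKeys/action`), and Storage Blob Data Reader opening only the Entra ID path. The last line is the check a defender cares about: once shared-key access is disabled on the account, a listKeys holder loses the key-based path, so blob access has to be granted deliberately through data-plane roles and is attributable to the signed-in identity rather than to the account key.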
