
Azure blob download restrictions

Smriti 1 Reputation point
2026-03-17T14:39:19.3433333+00:00

I want to enable a user in Azure to have the Reader/Storage Blob Data Reader role on an Azure storage account, but do not want to allow the download of the blobs to their local system.

I checked Azure RBAC but could not find any way to restrict download access.

Kindly suggest some alternatives or best practices.

Azure Blob Storage

An Azure service that stores unstructured data in the cloud as blobs.


2 answers

  1. Praveen Bandaru 11,230 Reputation points Microsoft External Staff Moderator
    2026-03-21T12:38:54.76+00:00

    Hello Smriti

    We have reviewed your request concerning Azure Storage access, specifically the ability for users to view or list blobs without permitting them to download data to their local devices.

    Currently, Azure RBAC does not offer a built-in “view-only without download” permission for Blob Storage. Roles like Storage Blob Data Reader allow both listing and downloading blobs, and these permissions cannot be separated using standard RBAC.

    Azure does offer alternative solutions for this requirement. One option is to use Attribute-Based Access Control (ABAC) conditions, which enable restricting access to only the Blob List operation. This lets users view blob names and metadata but prevents downloading content, and it can be set at the role assignment level without changing the storage account or application architecture.

    Other approaches include using SAS tokens with list-only permissions for specific scenarios or implementing an application or API layer to control access. For broader governance needs, Microsoft Purview DLP or Defender for Cloud Apps policies can help block downloads at the user or device level.

    Check the reference documents below:
    https://learn.microsoft.com/en-us/azure/storage/blobs/storage-auth-abac
    https://learn.microsoft.com/en-us/azure/storage/blobs/storage-auth-abac-portal

    https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal


    I hope the above answer helps you! Please let us know if you have any further questions.

    Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.


  2. Venkatesan S 6,115 Reputation points Microsoft External Staff Moderator
    2026-03-17T17:03:33.25+00:00

    Hi Smriti,

    Thanks for reaching out in Microsoft Q&A forum,

    I want to enable a user in Azure to have the Reader/Storage Blob Data Reader role on an Azure storage account, but do not want to allow the download of the blobs to their local system. I checked Azure RBAC but could not find any way to restrict download access. Kindly suggest some alternatives or best practices.

    Azure ABAC is a solid option to refine access for the Storage Blob Data Reader role, allowing blob listing while restricting full downloads through smart conditions.

    ABAC fits:

    ABAC layers conditions onto standard RBAC roles, using attributes like blob tags or request context to differentiate listing (metadata views) from content reads (downloads). This addresses the core RBAC gap where read permissions bundle both actions together.

    Setup example:

    Tag your blobs first (e.g., Project=NoDownload), then assign the role with a condition like:

    (!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEqualsIgnoreCase 'Allowed')

    Users list blobs fine, but downloads fail unless tags match.

    Steps:

    • Tag blobs via Portal or CLI: az storage blob update --tags Project=NoDownload.
    • In IAM > Add role assignment > Storage Blob Data Reader > Add condition for read action with tag check.
    • Test in Storage Explorer: lists work, downloads get denied.

    Official Docs:

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
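
The conditional role assignment both answers describe, scripted with the Azure CLI, followed by a check that listing works and download is denied. This is an added example, not code from either answer or from Microsoft's documentation: the function names are hypothetical, the assignee, scope, account, container and blob names are supplied by the caller, and the tag key and value (Project, Allowed) are the ones used in the second answer.

```bash
#!/usr/bin/env bash
# Added example. Function names are hypothetical; assignee, scope, account,
# container and blob names are supplied by the caller.
BLOB_READ='Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'
TAG_ATTR='Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags'

# Print a condition that leaves Blob.List untouched and permits any other blob
# read only when the blob's index tag $1 equals $2.
build_condition() {
  key=$1; value=$2
  if [ -z "$key" ] || [ -z "$value" ]; then
    echo "tag key and value are required" >&2; return 1
  fi
  case "$key$value" in  # characters that would break out of the expression
    *"'"*|*'<'*|*'>'*|*']'*) echo "unsafe character in tag" >&2; return 1 ;;
  esac
  printf "((!(ActionMatches{'%s'} AND NOT SubOperationMatches{'Blob.List'}))" "$BLOB_READ"
  printf " OR (@Resource[%s:%s<\$key_case_sensitive\$>] StringEquals '%s'))" \
    "$TAG_ATTR" "$key" "$value"
}

# $1 = assignee (object ID or sign-in name), $2 = scope (resource ID)
assign_conditional_reader() {
  cond=$(build_condition Project Allowed) || return 1
  az role assignment create --role "Storage Blob Data Reader" \
    --assignee "$1" --scope "$2" \
    --condition "$cond" --condition-version "2.0"
}

# Run while signed in as the restricted user. --auth-mode login forces
# Microsoft Entra authorization, which is where the condition is evaluated.
# $1 = account, $2 = container, $3 = name of a blob without the allowed tag
verify_as_user() {
  out="${TMPDIR:-/tmp}/abac-check.$$"
  az storage blob list --auth-mode login --account-name "$1" -c "$2" -o table || return 1
  if az storage blob download --auth-mode login --account-name "$1" \
       -c "$2" -n "$3" -f "$out" >/dev/null 2>&1; then
    rm -f "$out"; echo "FAIL: download was allowed"; return 1
  fi
  rm -f "$out"; echo "OK: list allowed, download denied"
}

case "${1:-}" in
  assign) assign_conditional_reader "$2" "$3" ;;
  verify) verify_as_user "$2" "$3" "$4" ;;
esac
```

Role assignment conditions are evaluated only for Microsoft Entra-authorized requests, so a user who also holds an account key, a SAS with read permission, or another data role without a condition can still download.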
