Users are not able to see some resources in a resource group where they have respective contributor access.

Pankaj Dua 0 Reputation points
2024-08-29T11:24:41.9633333+00:00

I created a resource group and added some resources in that. There I added my team through security group which has respective contributor roles for those resources.

Some of these resources including blob storage is not visible to the team.

To troubleshoot, I added role assignments for some resources to users directly on blob storage resource. But still those specific users too can not see the storage account.

What can be the root cause and how to fix it?

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,787 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
791 questions
Azure ExpressRoute
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.
365 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Nehruji R 7,306 Reputation points Microsoft Vendor
    2024-08-30T07:53:01.2033333+00:00

    Hello Pankaj Dua,

    Greetings! Welcome to Microsoft Q&A Platform.

    Storage Blob Data Contributor RBAC role only lets you manage the Data actions i.e (Read, write, and delete Azure Storage containers and blobs) not Management Action i.e to view the Storage account from Azure portal.

    To access blob data from the Azure portal using your Azure AD account, both of the following statements must be true for you:

    • You have been assigned a built-in role i.e Storage Blob Data Contributor that provides access to blob data.
    • You have been assigned the Azure Resource Manager Reader role, at a minimum, scoped to the level of the storage account or higher. The Reader role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable.

    The Azure Resource Manager Reader role permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources. The Reader role is necessary so that users can navigate to blob containers in the Azure portal.

    There is also another way i.e assign a user with Reader and Data Access Rbac role on Storage account or Resource group level.

    Let's you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.

    Another possibility might be, if there is someone else who has access in your tenant, can you please confirm whether there is a firewall enabled on the storage account?

    If so, your network might be blocked and you may need to make sure the storage account has the network enabled under Storage Account > Networking > Allow Access from Selected Networks. If there is someone else who has access, that person can check and enable "All networks"

    Hope this helps! Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.