FAQ for Azure role assignment conditions

Frequently asked questions

Can you pick the storage container names or blob path in the visual ABAC condition builder in the Azure portal?

You must write the storage container name, blob path, tag name, or values in the condition. There is no picking experience for the attribute values.

Can you check for the existence of an attribute from a condition?

You can use the Exists operator with any ABAC attribute, but it is only supported in the visual ABAC condition builder for a few of them. You can add the Exists operator to any attribute using other tools, such as PowerShell, the Azure CLI, the REST API, and the condition code editor in the Azure portal. For a list of attributes for which it is supported in the visual condition builder, see the Exists function operator. To add the exists operator to an attribute when building an expression in a condition, select the supported source and attribute, then select the box next to Exists under it. See Build expressions in the portal for more details.

Can you group expressions?

If you add three or more expressions for a targeted action, you must define the logical grouping of those expressions in the code editor, Azure PowerShell, or Azure CLI. A logical grouping of a AND b OR c can be either (a AND b) OR c or a AND (b OR c ).

Are conditions supported via Microsoft Entra Privileged Identity Management (Microsoft Entra PIM) for Azure resources?

Yes, for specific roles. For more information, see Assign Azure resource roles in Privileged Identity Management.

Are conditions supported for classic administrators?

No.

Can you add conditions to custom role assignments?

Yes, as long as the custom role includes actions that support conditions.

Do the conditions increase latency for access to storage blobs?

No, based on our benchmark tests, conditions are not expected to add any user perceivable latency.

What new properties have been introduced in the role assignment schema to support conditions?

Here are the new condition properties:

  • condition: Condition statement built using one or more actions from role definition and attributes.
  • conditionVersion: A condition version number. Defaults to 2.0 and is the only publicly supported version.

There is also a new description property for role assignments:

  • description: The description for the role assignment that can be used to describe the condition.

Is a condition applied to the entire role assignment or specific actions?

A condition is only applied to the specific targeted actions.

What are the limits for a condition?

A condition can be up to 8 KB long.

What are the limits for a description?

A description can be up to 2 KB long.

Is it possible to create a role assignment with and without a condition, but using the same tuple of security principal, role definition, and scope?

No, if you try to create this role assignment, an error is displayed.

Are conditions in role assignments offering an explicit deny effect?

No, conditions in role assignments do not have an explicit deny effect. Conditions in role assignments filter down access granted in a role assignment, which can result in access not allowed. Explicit deny effect is part of deny assignments.

Next steps