Prerequisites for Azure role assignment conditions

To add or edit Azure role assignment conditions, you must have the following prerequisites.

Storage accounts

For conditions that use blob index tags, you must use a storage account that is compatible with the blob index feature. For example, only General Purpose v2 (GPv2) storage accounts with hierarchical namespace (HNS) disabled are currently supported. For more information, see Manage and find Azure Blob data with blob index tags.

Azure PowerShell

When using Azure PowerShell to add or update conditions, you must use the following versions:

Azure CLI

When using Azure CLI to add or update conditions, you must use the following versions:

REST API

When using the REST API to add or update conditions, you must use the following versions:

  • 2020-03-01-preview or later
  • 2020-04-01-preview or later if you want to utilize the description property for role assignments
  • 2022-04-01 is the first stable version

For more information, see API versions of Azure RBAC REST APIs.

Permissions

Just like role assignments, to add or update conditions, you must be signed in to Azure with a user that has the Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as Role Based Access Control Administrator.
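
One way to check a role definition against this requirement, as an added example that is not part of the original page. It assumes role definitions in the JSON shape with a `permissions` list holding `actions` and `notActions`; the helper names and the sample roles are constructed for illustration.

```python
import re

# The two control-plane actions the page requires for adding or updating conditions.
REQUIRED = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
)

def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive and may contain '*' wildcards.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def grants(block, action):
    # Within one permissions block: effective = actions minus notActions.
    allowed = any(_matches(p, action) for p in block.get("actions", []))
    excluded = any(_matches(p, action) for p in block.get("notActions", []))
    return allowed and not excluded

def missing_condition_permissions(role):
    # Hypothetical helper: returns the required actions this role does NOT grant.
    blocks = role.get("permissions", [])
    return [a for a in REQUIRED if not any(grants(b, a) for b in blocks)]

# Constructed sample role definitions (not copied from a tenant).
SAMPLE_ROLES = [
    {"roleName": "sample-broad-no-authz", "permissions": [{
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "sample-rbac-admin", "permissions": [{
        "actions": ["*/read",
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleAssignments/delete"],
        "notActions": []}]},
    {"roleName": "sample-write-only", "permissions": [{
        "actions": ["Microsoft.Authorization/roleAssignments/write"],
        "notActions": []}]},
]

if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        missing = missing_condition_permissions(role)
        print(role["roleName"], "OK" if not missing else f"missing: {missing}")
```

The first sample shows why a broad `*` action is not enough when `notActions` carves out `Microsoft.Authorization` writes and deletes. Azure RBAC is additive across role assignments, so evaluate each assigned role separately and treat the user as qualified if the roles together cover both actions.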

Principal attributes

To use principal attributes (custom security attributes in Microsoft Entra ID), you must have the following:

For more information about custom security attributes, see:

Environment attributes

To use the Private endpoint attribute, you must have at least one private endpoint configured in your subscription.

To use the Subnet attribute, you must have at least one virtual network subnet using service endpoints configured in your subscription.
