Use the Azure Storage resource provider to access management resources

Azure Resource Manager is the deployment and management service for Azure. The Azure Storage resource provider is a service that is based on Azure Resource Manager and that provides access to management resources for Azure Storage. You can use the Azure Storage resource provider to create, update, manage, and delete resources such as storage accounts, private endpoints, and account access keys. For more information about Azure Resource Manager, see Azure Resource Manager overview.

You can use the Azure Storage resource provider to perform actions such as creating or deleting a storage account or getting a list of storage accounts in a subscription. To authorize requests against the Azure Storage resource provider, use Microsoft Entra ID. This article describes how to assign permissions to management resources, and points to examples that show how to make requests against the Azure Storage resource provider.

Management resources versus data resources

Azure provides two REST APIs for working with Azure Storage resources. These APIs form the basis of all actions you can perform against Azure Storage. The Azure Storage REST API enables you to work with data in your storage account, including blob, queue, file, and table data. The Azure Storage resource provider REST API enables you to work with the storage account and related resources.

A request that reads or writes blob data requires different permissions than a request that performs a management operation. Azure RBAC provides fine-grained control over permissions to both types of resources. When you assign an Azure role to a security principal, make sure that you understand what permissions that principal will be granted. For a detailed reference that describes which actions are associated with each Azure built-in role, see Azure built-in roles.

Azure Storage supports using Microsoft Entra ID to authorize requests against Blob and Queue storage. For information about Azure roles for blob and queue data operations, see Authorize access to blobs and queues using Active Directory.

Assign management permissions with Azure role-based access control (Azure RBAC)

Every Azure subscription has an associated Microsoft Entra ID that manages users, groups, and applications. A user, group, or application is also referred to as a security principal in the context of the Microsoft identity platform. You can grant access to resources in a subscription to a security principal that is defined in the Active Directory by using Azure role-based access control (Azure RBAC).

When you assign an Azure role to a security principal, you also indicate the scope at which the permissions granted by the role are in effect. For management operations, you can assign a role at the level of the subscription, the resource group, or the storage account. You can assign an Azure role to a security principal by using the Azure portal, the Azure classic CLI, PowerShell, or the Azure Storage resource provider REST API.

For more information, see What is Azure role-based access control (Azure RBAC)? and Azure roles, Microsoft Entra roles, and classic subscription administrator roles.

Built-in roles for management operations

Azure provides built-in roles that grant permissions to call management operations. Azure Storage also provides built-in roles specifically for use with the Azure Storage resource provider.

Built-in roles that grant permissions to call storage management operations include the roles described in the following table:

Azure role Description Includes access to account keys?
Owner Can manage all storage resources and access to resources. Yes, provides permissions to view and regenerate the storage account keys.
Contributor Can manage all storage resources, but cannot manage access to resources. Yes, provides permissions to view and regenerate the storage account keys.
Reader Can view information about the storage account, but cannot view the account keys. No.
Storage Account Contributor Can manage the storage account, get information about the subscription's resource groups and resources, and create and manage subscription resource group deployments. Yes, provides permissions to view and regenerate the storage account keys.
User Access Administrator Can manage access to the storage account. Yes, permits a security principal to assign any permissions to themselves and others.
Virtual Machine Contributor Can manage virtual machines, but not the storage account to which they are connected. Yes, provides permissions to view and regenerate the storage account keys.

The third column in the table indicates whether the built-in role supports the Microsoft.Storage/storageAccounts/listkeys/action. This action grants permissions to read and regenerate the storage account keys. Permissions to access Azure Storage management resources do not also include permissions to access data. However, if a user has access to the account keys, then they can use the account keys to access Azure Storage data via Shared Key authorization.

Custom roles for management operations

Azure also supports defining Azure custom roles for access to management resources. For more information about custom roles, see Azure custom roles.

Code samples

For code examples that show how to authorize and call management operations from the Azure Storage management libraries, see the following samples:

Azure Resource Manager versus classic deployments

The Resource Manager and classic deployment models represent two different ways of deploying and managing your Azure solutions. Azure recommends using the Azure Resource Manager deployment model when you create a new storage account. If possible, Azure also recommends that you recreate existing classic storage accounts with the Resource Manager model. Although you can create a storage account using the classic deployment model, the classic model is less flexible and will eventually be deprecated.

For more information about Azure deployment models, see Resource Manager and classic deployment.

Next steps