Hi everyone.

I have an ADLS Gen2 account. I have a colleague who needs to have access to that account and be able to view the data within the Azure Portal. I have followed the instructions from the documentation above: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal#assign-the-reader-role-for-portal-access.

Namely, I have given my colleague "Reader" permission on the storage account, and "Storage Blob Data Reader" at the container level. However, when they attempt to view the data in the "Storage Explorer (preview)" in the Azure Portal, they're presented with this error:

It seems like the Storage Explorer in the portal still requires the user to have Microsoft.Storage/storageAccounts/listKeys/action which suggests that it is trying to use storage account access keys to authenticate the user. I was under the impression that this now used AAD authentication (& associated RBAC roles), but it doesn't seem that's the case. (ref: https://docs.microsoft.com/en-us/azure/storage/common/storage-access-blobs-queues-portal?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#azure-ad-account)

Using the Azure Storage Explorer desktop client, it works fine - my colleague can view the data with no problems.

Is this a known issue? Will this change when the Storage Explorer in the portal becomes GA? Is there a good way to get around this, or will I have to define a custom role which grants access to list the storage account keys?

Thanks,

Ed

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 1ca94e03-5f05-6703-1672-8062f31c0780
• Version Independent ID: a6a8d9e9-9aac-c0ed-c474-34cbd0609584
• Content: Use the Azure portal to assign an RBAC role for data access - Azure Storage
• Content Source: articles/storage/common/storage-auth-aad-rbac-portal.md
• Service: storage
• Sub-service: common
• GitHub Login: @tamram
• Microsoft Alias: tamram