This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ missing_linux_example
Summary:
The documentation provides detailed step-by-step examples for configuring Azure Blob Storage role assignment conditions using the Azure portal and Azure PowerShell. However, it lacks equivalent command-line examples for Linux users, such as Azure CLI (az) or bash scripts. All command-line automation and testing guidance is exclusively presented in PowerShell, which is primarily a Windows-centric tool, leading to a Windows bias.
Recommendations:
  • Add equivalent Azure CLI (az) command examples for all PowerShell scripts, covering both condition creation and testing.
  • Where file paths or scripting are shown, provide bash-compatible examples alongside PowerShell.
  • Explicitly mention cross-platform options (e.g., Azure CLI, REST API) in the prerequisites and example sections.
  • For each 'Here's how to add this condition using Azure PowerShell' section, add a parallel 'Here's how to add this condition using Azure CLI' section.
  • Include notes or links for Linux/macOS users on how to perform the same tasks without PowerShell.

Scan History

Date              Scan ID  Status       Bias Status
2025-08-19 00:01  #85      completed    ✅ Clean
2025-07-13 21:37  #48      completed    ❌ Biased
2025-07-12 23:44  #41      in_progress  ❌ Biased

Flagged Code Snippets

$localSrcFile = <pathToLocalFile>
$grantedContainer = "blobs-example-container"
$ungrantedContainer = "ungranted"
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Ungranted Container actions
$content = Set-AzStorageBlobContent -File $localSrcFile -Container $ungrantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Get-AzStorageBlobContent -Container $ungrantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Remove-AzStorageBlob -Container $ungrantedContainer -Blob "Example5.txt" -Context $bearerCtx
# Granted Container actions
$content = Set-AzStorageBlobContent -File $localSrcFile -Container $grantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "Example5.txt" -Context $bearerCtx
$content = Remove-AzStorageBlob -Container $grantedContainer -Blob "Example5.txt" -Context $bearerCtx

$grantedContainer = "blobs-example-container"
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Try to get ungranted blob
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "Ungranted.txt" -Context $bearerCtx
# Try to get granted blob
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "readonly/Example6.txt" -Context $bearerCtx

$grantedContainer = "contosocorp"
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Try to get ungranted blobs
# Wrong name but right tags
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "AlpineFile.txt" -Context $bearerCtx
# Right name but wrong tags
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "logsAlpine.txt" -Context $bearerCtx
# Try to get granted blob
$content = Get-AzStorageBlobContent -Container $grantedContainer -Blob "logs/AlpineFile.txt" -Context $bearerCtx

$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Blob Data Contributor"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$containerName = "container1"
$vnetName = "virtualnetwork1"
$subnetName = "default"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
    ( `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) `
        AND `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) `
        AND `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) `
        AND `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) `
    ) `
    OR `
    ( `
        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '$containerName' `
        AND `
        @Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Network/virtualNetworks/$vnetName/subnets/$subnetName' `
    ) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>] StringEquals 'Cascade'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
Get-AzStorageBlob -Container <containerName> -Blob <blobName> -Context $bearerCtx

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})) OR (@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>] StringEquals 'Cascade'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$localSrcFile = <pathToLocalFile> # path to an example file, can be an empty txt
$ungrantedTag = @{'Project'='Baker'}
$grantedTag = @{'Project'='Cascade'}
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# try ungranted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example2 -Blob "Example2.txt" -Tag $ungrantedTag -Context $bearerCtx
# try granted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example2 -Blob "Example2.txt" -Tag $grantedTag -Context $bearerCtx

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})) OR (@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&`$keys`$&] ForAllOfAnyValues:StringEquals {'Project', 'Program'}))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$localSrcFile = <pathToLocalFile> # path to an example file, can be an empty txt
$ungrantedTag = @{'Mode'='Baker'}
$grantedTag = @{'Program'='Alpine';'Project'='Cascade'}
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# try ungranted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example3 -Blob "Example3.txt" -Tag $ungrantedTag -Context $bearerCtx
# try granted tags
$content = Set-AzStorageBlobContent -File $localSrcFile -Container example3 -Blob "Example3.txt" -Tag $grantedTag -Context $bearerCtx

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})) OR (@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags&`$keys`$&] ForAnyOfAnyValues:StringEquals {'Project'} AND @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<`$key_case_sensitive`$>] ForAllOfAnyValues:StringEquals {'Cascade', 'Baker', 'Skagit'}))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$localSrcFile = <pathToLocalFile>
$ungrantedTag = @{'Project'='Alpine'}
$grantedTag1 = @{'Project'='Cascade'}
$grantedTag2 = @{'Project'='Baker'}
$grantedTag3 = @{'Project'='Skagit'}
# Get new context for request
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# try ungranted tags
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $ungrantedTag -Context $bearerCtx
# try granted tags
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $grantedTag1 -Context $bearerCtx
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $grantedTag2 -Context $bearerCtx
Set-AzStorageBlobTag -Container example4 -Blob "Example4.txt" -Tag $grantedTag3 -Context $bearerCtx

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' AND @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'readonly/*'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'contosocorp' AND @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'uploads/contoso/*'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$grantedContainer = "contosocorp"
$localSrcFile = <pathToLocalFile>
$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
# Try to set ungranted blob
$content = Set-AzStorageBlobContent -Container $grantedContainer -Blob "Example7.txt" -Context $bearerCtx -File $localSrcFile
# Try to set granted blob
$content = Set-AzStorageBlobContent -Container $grantedContainer -Blob "uploads/contoso/Example7.txt" -Context $bearerCtx -File $localSrcFile

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Program<`$key_case_sensitive`$>] StringEquals 'Alpine')) AND ((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringLike 'logs*'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$condition = "( `
    ( `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) `
    ) `
    OR `
    ( `
        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue' `
    ) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$condition = "( `
    ( `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) `
        AND `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) `
    ) `
    OR `
    ( `
        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/metadata:testKey] StringEquals 'testValue' `
    ) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Blob Data Reader"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$containerName = "container1"
$dateTime = "2023-05-01T13:00:00.000Z"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
    ( `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) `
    ) `
    OR `
    ( `
        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '$containerName' `
        AND `
        @Environment[UtcNow] DateTimeGreaterThan '$dateTime' `
    ) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Blob Data Reader"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
    ( `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'}) `
    ) `
    OR `
    ( `
        ( `
            @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<`$key_case_sensitive`$>] StringEquals 'high' `
            AND `
            @Environment[isPrivateLink] BoolEquals true `
        ) `
        OR `
        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<`$key_case_sensitive`$>] StringNotEquals 'high' `
    ) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Blob Data Contributor"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$containerName = "container1"
$privateEndpointName = "privateendpoint1"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
    ( `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'}) `
        AND `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'}) `
        AND `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'}) `
        AND `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'}) `
    ) `
    OR `
    ( `
        ( `
            @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '$containerName' `
            AND `
            @Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Network/privateEndpoints/$privateEndpointName' `
        ) `
        OR `
        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringNotEquals '$containerName' `
    ) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Blob Data Reader"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$privateEndpointName = "privateendpoint1"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
$condition = `
"( `
    ( `
        !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'}) `
    ) `
    OR `
    ( `
        ( `
            @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:sensitivity] StringEqualsIgnoreCase @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<`$key_case_sensitive`$>] `
            AND `
            @Environment[Microsoft.Network/privateEndpoints] StringEqualsIgnoreCase '/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Network/privateEndpoints/$privateEndpointName' `
        ) `
        OR `
        @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:sensitivity<`$key_case_sensitive`$>] StringNotEquals 'high' `
    ) `
)"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru