Queues Auth Abac Examples - Document Details

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.

View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Detected Bias Types

powershell_heavy

missing_linux_example

windows_tools

Summary

The documentation page provides detailed examples for Azure Queue Storage role assignment conditions, but all command-line examples are exclusively in Azure PowerShell. There are no examples using cross-platform tools such as Azure CLI, Bash, or scripting languages commonly used on Linux. This creates a bias toward Windows users and environments, as PowerShell is the default shell on Windows and not always the preferred or available tool on Linux systems. The documentation also references 'AzurePowerShell' in its metadata, reinforcing this bias.

Recommendations

Add equivalent Azure CLI (az) command examples for all scenarios currently shown with PowerShell. Azure CLI is cross-platform and widely used on Linux and macOS.
Where scripting is shown, provide both PowerShell and Bash (or at least shell-agnostic) script snippets for common operations.
Explicitly mention that all examples are possible on Linux and macOS, and provide guidance or links for setting up the required tools on those platforms.
Review metadata and custom tags (such as 'devx-track-azurepowershell') to ensure they do not imply exclusivity to Windows/PowerShell.
Where possible, include screenshots or walkthroughs using the Azure CLI Cloud Shell, which is available in the Azure Portal and supports both Bash and PowerShell.

Create Pull Request

Scan History

Date	Scan	Status	Result
2026-01-14 00:00	#250	in_progress	Biased
2026-01-13 00:00	#246	completed	Biased
2026-01-11 00:00	#240	completed	Biased
2026-01-10 00:00	#237	completed	Biased
2026-01-09 00:34	#234	completed	Biased
2026-01-08 00:53	#231	completed	Biased
2025-08-19 00:01	#85	completed	Clean
2025-07-13 21:37	#48	completed	Biased
2025-07-12 23:44	#41	cancelled	Biased

Flagged Code Snippets

$bearerCtx = New-AzStorageContext -StorageAccountName $storageAccountName
Get-AzStorageQueue -Name <queueName> -Context $bearerCtx

$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Queue Data Contributor"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$queueName = "sample-queue"
$vnetName = "sample-vnet"
$subnetName = "default"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"

$condition = `
"( `
 ( `
  !(ActionMatches{'Microsoft.Storage/storageAccounts/queueServices/queues/messages/write'}) `
 ) `
 OR ` 
 ( `
  @Resource[Microsoft.Storage/storageAccounts/queueServices/queues:name] StringEquals '$queueName' `
  AND `
  @Environment[Microsoft.Network/virtualNetworks/subnets] StringEqualsIgnoreCase '/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Network/virtualNetworks/$vnetName/subnets/$subnetName' `
 ) `
)"

$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$condition = "((!(ActionMatches{'Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete'}) AND !(ActionMatches{'Microsoft.Storage/storageAccounts/queueServices/queues/messages/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/queueServices/queues:name] StringEquals 'sample-queue'))"
$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru

$subId = "<your subscription id>"
$rgName = "<resource group name>"
$storageAccountName = "<storage account name>"
$roleDefinitionName = "Storage Queue Data Reader"
$userUpn = "<user UPN>"
$userObjectID = (Get-AzADUser -UserPrincipalName $userUpn).Id
$queueName = "sample-queue"
$dateTime = "2023-05-01T13:00:00.000Z"
$scope = "/subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"

$condition = `
"( `
 ( `
 !(ActionMatches{'Microsoft.Storage/storageAccounts/queueServices/queues/messages/read'}) `
 ) `
 OR ` 
 ( `
  @Resource[Microsoft.Storage/storageAccounts/queueServices/queues:name] StringEquals '$queueName' `
  AND `
  @Environment[UtcNow] DateTimeGreaterThan '$dateTime' `
 ) `
)"

$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleDefinitionName -ObjectId $userObjectID
$testRa.Condition = $condition
$testRa.ConditionVersion = "2.0"
Set-AzRoleAssignment -InputObject $testRa -PassThru