A storage automation service principal must upload, read, and delete blob data in one container by using Microsoft Entra authentication. It must not manage storage account settings, keys, or other containers. Which approach is best?
Trap 1: Assign Storage Account Contributor at the resource group scope.
This grants management-plane control over the storage account and is much broader than needed.
Trap 2: Assign Reader and give the service principal a storage account…
This introduces stored credentials and does not follow the Entra-based least-privilege requirement.
Trap 3: Assign Contributor at the subscription scope and restrict access…
Naming conventions do not enforce security, and subscription scope is unnecessarily broad.
- A
Assign Storage Account Contributor at the resource group scope.
Why wrong: This grants management-plane control over the storage account and is much broader than needed.
- B
Create a custom role with blob dataActions only and assign it at the container scope.
Why correct: Blob dataActions grant data-plane access only, so the role carries no storage account management permissions, and assigning it at the container scope limits access to that one container.
- C
Assign Reader and give the service principal a storage account access key.
Why wrong: This introduces stored credentials and does not follow the Entra-based least-privilege requirement.
- D
Assign Contributor at the subscription scope and restrict access with naming conventions.
Why wrong: Naming conventions do not enforce security, and subscription scope is unnecessarily broad.