Folder level access control in ADLS Gen2 for upcoming users

Question

I have a Gen2 storage account and created a container.

Folder Structure looks something like this

StorageAccount
  ->Container1
    ->normal-data
      ->Files 1....n
    ->sensitive-data
      ->Files 1....m

I want to give read only access to the user only for normal-data and NOT sensitive-data

This can be achieved by setting ACL's on the folder level and giving access to the security service principle.

But limitation of this approach is user can only access the files which are loaded into the directory after the ACL is set up, hence cannot access the files which are already present inside the directory.

Because of this limitation, new users cannot be given full read access (unless new users use the same service principle, which is not the ideal scenario in my usecase)

Please suggest a read-only access method in ADLS Gen2, where

1. If files are already present under a folder and a new user is onboarded, he should be able to read all the files under the folder
2. New user should get access to only normal-data folder and NOT to sensitive-data

PS : There is a script for assigning ACL's recursively. But as I will get close to million records each day under normal-data folder, it would not be feasible for me to use the recursive ACL script

Answer 1

You could create an Azure AD security group and give that group read only access to the read-only folder.

Then you can add new users to the security group.

See: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal