Restrict data movement from ADLS Gen2 to other platforms

Question

We are looking for a feature of restricting the data movement outside ADLS Gen2. If we grant read only access to an user or a SPN, they can copy the data from ADLS to any platform as they wish. Is there a way to restrict the data movement outside ADLS or generate alert if any such data movement outside ADLS is triggered?

Answer 1

Let's revisit the question , let's say that one user have read only access on storage account and so he can now view the data using the portal,Storage explorer etc. The user is planning to write an automation to copy the data from the account to some other account . here are few option which can be used and also if he can do that .

1. ADF : he cannot use as he does not have the keys
2. Powershell/CLI : He can do this if runs the script unders his user context . 3.Manually : User can always open the file and and safe that local and then play around with the data .

So to the extent I know I don't think we can solve this in totality .