a team stores data in a AZURE storage account, S1. They're all in the same AZURE subscription. Let's say, the team-members are: M1, M2, M3 and an admin A1. The team is visible in the AZURE-AD
The storage account consists of two containers: C1 and C2
How can I grant grant read-access of the blobs in C1 to team-members M2 and M3 and NOT to M1? Only the A1 shall have write-access to all containers in this S1.
Do I need a different solution or service for granting/revoking access-rights to team-members? Problem is that an SAS-connection string won't work since everybody inside the subscription has read-access to all storage-account, including all containers.
Is there any way to grant individual access to S1 with the granularity on the container-level?
Is there any way to grant individual access to S1 with the granularity on the container-level?
Sure you can. You can assign Storage Blob Data Reader role to "M2" and "M3" users and do not assign any storage data role to user "M1". These roles should be scoped to container "C1". For "A1", you can assign Storage Blob Data Contributor role scoped to the storage account.
Also, you may want to ensure that all of the users (M1, M2, and M3) do not have any control plane roles that would allow them to access the key for storage account. Alternately, you can simply turn off shared key based authorization for that storage account and force everyone in the team to use Azure AD based authorization.