Storage account access denied for AD group despite correct RBAC assignment

We’ve configured RBAC for our storage accounts but AD group members are blocked from blob access. The security group has ‘Storage Blob Data Contributor’ assigned at the resource group scope, and I’ve verified the assignment in Azure Portal. However, users report AuthorizationFailed errors when trying to list or download blobs.

I’ve checked:

  • Role assignment exists and shows as active
  • Users are confirmed members of the security group
  • Storage account firewall allows their IP ranges

The assignment was created 2 hours ago. Is there a propagation delay I’m missing? Also wondering if using a Microsoft 365 group instead of a security group could cause issues, though our group type shows as ‘Security’ in AD.

Any guidance on troubleshooting RBAC scope issues would be appreciated.

Thanks for the responses. Users have signed out/in multiple times. I confirmed the storage account is in the correct resource group and the scope shows properly in the role assignment blade.

We’re using user accounts with Azure AD authentication. The error happens both in Storage Explorer and when using Azure Portal directly. One user mentioned they can see the container but get denied when clicking into it.

I encountered something similar last month. Check if your security group is nested within another group. RBAC doesn’t always handle nested groups well, especially with recent changes to how Azure AD evaluates group membership. You might need to assign the role directly to the security group that contains the users, not a parent group.

Also verify the group type in Azure AD - even if it shows as ‘Security’, check if it’s cloud-only or synced from on-premises. Synced groups sometimes have different propagation behavior.

Quick question - are you using managed identities or user accounts? If it’s user accounts, they need to authenticate with Azure AD, not just storage account keys. Make sure they’re using Azure Storage Explorer with AD auth enabled, or if using Azure CLI:

az storage blob list --account-name mystorageacct \
  --container-name mycontainer --auth-mode login

The --auth-mode login is critical for RBAC to work.
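For the scope and group questions raised in this thread, an added example (not from any poster) that checks offline whether a blob data role actually reaches a user at the storage account, given saved `az role assignment list --all -o json` output and the object IDs of the groups the user belongs to (for example from `az ad user get-member-groups`). Assumptions: the function names are hypothetical, all IDs and the sample JSON are constructed, and only the three built-in blob data roles are checked.

```python
import json

# Built-in roles that carry blob data-plane permissions (only these are checked here).
BLOB_DATA_ROLES = {"Storage Blob Data Reader", "Storage Blob Data Contributor",
                   "Storage Blob Data Owner"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
ACCOUNT_ID = (SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage"
              "/storageAccounts/mystorageacct")
USER, GROUP_A, GROUP_B = "user-0001", "group-000a", "group-000b"  # constructed object IDs

# Constructed sample in the shape of `az role assignment list --all -o json`.
SAMPLE = json.loads("""[
 {"principalId": "group-000a", "roleDefinitionName": "Reader",
  "scope": "%(s)s"},
 {"principalId": "group-000a", "roleDefinitionName": "Storage Blob Data Contributor",
  "scope": "%(s)s/resourceGroups/RG-Data"},
 {"principalId": "group-000b", "roleDefinitionName": "Storage Blob Data Contributor",
  "scope": "%(s)s/resourceGroups/rg-data-archive"}
]""" % {"s": SUB})


def scope_covers(assignment_scope, resource_id):
    """True if a role assigned at assignment_scope is inherited by resource_id."""
    a = assignment_scope.rstrip("/").lower()   # ARM IDs compare case-insensitively
    r = resource_id.rstrip("/").lower()
    # Match on whole path segments so rg-data does not cover rg-data-archive.
    return a == "" or r == a or r.startswith(a + "/")


def effective_blob_roles(assignments, user_id, group_ids, resource_id):
    """List (role, via, scope) for each blob data role that reaches the user."""
    principals = {g.lower(): "group" for g in group_ids}
    principals[user_id.lower()] = "direct"
    hits = []
    for a in assignments:
        via = principals.get(a["principalId"].lower())
        if (via and a["roleDefinitionName"] in BLOB_DATA_ROLES
                and scope_covers(a["scope"], resource_id)):
            hits.append((a["roleDefinitionName"], via, a["scope"]))
    return hits


if __name__ == "__main__":
    for groups in ([GROUP_A], [GROUP_B]):
        print(groups, effective_blob_roles(SAMPLE, USER, groups, ACCOUNT_ID))
```

An empty result for a user means no data-plane role reaches them at that account, either because the assignment sits on a group they are not resolved into or because its scope is a sibling resource group rather than a parent of the account.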