Create / configure an Azure storage account

Here we will create and configure a storage account in Azure, granting the automation account the necessary permissions and creating a container for the report data.

Create a storage account

If you don't have one already, create a storage account in Azure.

Create a container

Under Containers, create a container which we will use to store the data files exported from MS Graph. I've called mine intune-assignments. Set the Public access level to Private.

Create a custom role

Here we will create a custom role at the storage account level which has just the permissions we need to upload data to the container. We will assign this role to the managed identity.

  • In the storage account, top-level, open the Access Control (IAM) pane

  • On the Roles tab, locate the role Storage Blob Data Contributor

  • Click the 3 dots on the right of the role and choose Clone

  • Give the role a name. I've used Storage Account Reader and Blob Contributor

  • On the Permissions tab, add or remove the cloned permissions as required. I've added two permissions that are required by this solution and removed a couple that aren't. All permissions are found under Microsoft.Storage.

    • Add Microsoft.Storage/storageAccounts/read

    • Add Microsoft.Storage/storageAccounts/listkeys/action

  • On the Assignable scopes tab, leave the default scope which should be the storage account itself

  • Click Review + create

Assign the role

Back in the Access Control (IAM) pane:

  • Click Add role assignment under Grant access to this resource

  • Locate the role you just created, select it and click Next

  • Against Assign access to, select Managed Identity. Click Select members

  • Locate the managed identity under Automation Account and select it

  • Click Review + assign
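The container, custom role and role assignment steps above, reproduced with the Azure CLI as an added example (this is not the page's own code). The base Actions and DataActions are those of the built-in Storage Blob Data Contributor role that the page clones, plus the two permissions the page adds. The page does not say which permissions the author removed from the clone; this example drops only the two delete permissions, which is an assumption made here for an upload-only workload. The subscription, resource group, storage account and automation account names are placeholders taken from environment variables, and the `role_definition_json` and `check_definition` functions are this example's own helpers.

```shell
#!/usr/bin/env sh
# Added example, not from the original page. Assumed environment (placeholders):
#   SUBSCRIPTION_ID, RESOURCE_GROUP, STORAGE_ACCOUNT, AUTOMATION_ACCOUNT
# Run with --apply to create the resources; without it only the helper
# functions are defined, so the definition can be checked offline.

# Emit the custom role definition JSON scoped to a single storage account.
# Base permissions: built-in "Storage Blob Data Contributor" (clone), minus the
# two delete permissions (assumption of this example), plus the two additions
# the page calls for: storageAccounts/read and storageAccounts/listkeys/action.
role_definition_json() {
  scope="/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Storage/storageAccounts/$3"
  cat <<EOF
{
  "Name": "Storage Account Reader and Blob Contributor",
  "IsCustom": true,
  "Description": "Upload report data to a blob container (cloned from Storage Blob Data Contributor)",
  "Actions": [
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "$scope"
  ]
}
EOF
}

# Least-privilege guard before the definition is submitted: refuse wildcard
# permissions and refuse any assignable scope wider than a storage account.
# Returns 0 when the definition passes, 1 otherwise.
check_definition() {
  def="$1"
  if printf '%s\n' "$def" | grep -q '"[^"]*\*[^"]*"'; then
    echo "refusing: wildcard permission in role definition" >&2
    return 1
  fi
  # Count scope entries that do not end at a storage account resource.
  bad=$(printf '%s\n' "$def" | sed -n '/"AssignableScopes"/,/]/p' \
        | grep '"/subscriptions/' \
        | grep -vc '/providers/Microsoft.Storage/storageAccounts/[^/"]*"' || true)
  if [ "$bad" -ne 0 ]; then
    echo "refusing: assignable scope wider than a storage account" >&2
    return 1
  fi
  return 0
}

# Create the private container, the custom role, and the assignment to the
# Automation Account's system-assigned managed identity.
apply() {
  sub="$1"; rg="$2"; sa="$3"; aa="$4"
  scope="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$sa"

  # Container with anonymous (public) access switched off.
  az storage container create --account-name "$sa" --name intune-assignments \
    --public-access off --auth-mode login

  def=$(role_definition_json "$sub" "$rg" "$sa")
  check_definition "$def" || return 1
  printf '%s\n' "$def" > role.json
  az role definition create --role-definition @role.json

  # Object id of the Automation Account's managed identity.
  principal=$(az automation account show --resource-group "$rg" --name "$aa" \
              --query identity.principalId -o tsv)
  az role assignment create \
    --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "Storage Account Reader and Blob Contributor" \
    --scope "$scope"
}

if [ "${1:-}" = "--apply" ]; then
  apply "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$AUTOMATION_ACCOUNT"
fi
```

Worth keeping in mind when reviewing the role: listkeys/action returns the storage account keys, and a key grants full access to every service in the account, not just the one container. Keeping the assignable scope at the storage account, as the page does, is what limits the blast radius of that permission, and the scope check above will refuse a definition that widens it.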
