Create a storage account

If you don't have one already create a storage account in Azure.

Create a container

Under Containers, create a container which we will use to store the data files exported from MS Graph. I've called mine intune-assignments. Set the Public access level to private.

Create a custom role

Here we will create a custom role at the storage account level which has just the permissions we need to upload data to the container. We will assign this role to the managed identity.

• In the storage account, top-level, open the Access Control (IAM) pane

• On the Roles tab, locate the role Storage Blob Data Contributor

• Click the 3 dots on the right of the role and choose Clone

• Give the role a name. I've used Storage Account Reader and Blob Contributor

• On the Permissions tab, add or remove the cloned permissions as required. I've added two permissions that are required by this solution and removed a couple that aren't. All permissions are found under Microsoft.Storage.

  • Add Microsoft.Storage/storageAccounts/read

  • Add Microsoft.Storage/storageAccounts/listkeys/action

• On the Assignable scopes tab, leave the default scope which should be the storage account itself

• Click Review + create

Assign the role

Back in the Access Control (IAM) pane:

• Click Add role assignment under Grant access to this resource

• Locate the role you just created, select it and click Next

• Against Assign access to, select Managed Identity. Click Select members

• Locate for the managed identity under Automation Account and select it

• Click Review + assign