# Create / configure an Azure storage account

## Create a storage account

If you don't have one already, create a [storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal) in Azure.

## Create a container

Under **Containers**, create a container to store the data files exported from MS Graph. I've called mine **intune-assignments**. Set the **Public access level** to **private**.

![](https://3886807721-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWe9ieepRHnj7T8odXt%2Fuploads%2F5psjmWXjAID1C2Oo0nyC%2Fimage.png?alt=media\&token=b4dcbbac-0234-41af-9cee-81b549302849)

## Create a custom role

Here we will create a custom role at the storage account level which has just the permissions we need to upload data to the container. We will assign this role to the managed identity.

* In the storage account, top-level, open the **Access Control (IAM)** pane
* On the **Roles** tab, locate the role **Storage Blob Data Contributor**
* Click the 3 dots on the right of the role and choose **Clone**
* Give the role a name. I've used **Storage Account Reader and Blob Contributor**

![](https://3886807721-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWe9ieepRHnj7T8odXt%2F-M_R8wzbJ8oME9Qt58aB%2F-M_ROpYgyDqg---0R4g1%2Fimage.png?alt=media\&token=e3110a81-5ca5-4ab2-9e08-f9ef65fd850e)

* On the **Permissions** tab, add or remove the cloned permissions as required. I've added two permissions that are required by this solution and removed a couple that aren't. All permissions are found under **Microsoft.Storage**.
  * Add **Microsoft.Storage/storageAccounts/read**
  * Add **Microsoft.Storage/storageAccounts/listkeys/action**

![](https://3886807721-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWe9ieepRHnj7T8odXt%2F-M_R8wzbJ8oME9Qt58aB%2F-M_RP_ec2Svw0oywmCNC%2Fimage.png?alt=media\&token=414a4d60-7297-4312-abb1-ea1c9ad99be8)

* On the **Assignable scopes** tab, leave the default scope which should be the storage account itself
* Click **Review + create**

## Assign the role

Back in the **Access Control (IAM)** pane:

* Click **Add role assignment** under **Grant access to this resource**
* Locate the role you just created, select it and click **Next**
* Against **Assign access to**, select **Managed Identity**. Click **Select members**
* Locate the managed identity under **Automation Account** and select it
* Click **Review + assign**
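The same two steps (clone the built-in role, add the two permissions, scope it to the storage account, and assign it to the Automation Account's managed identity) can be scripted with Az PowerShell. This is an added example, not code from the original page; the subscription, resource group, storage account and Automation Account names are placeholders you must replace, and it assumes the Automation Account uses a system-assigned managed identity.

```powershell
# Added example: build and assign the custom role from the steps above with Az PowerShell.
# All names below are assumed placeholders, not values from the page.
$subscriptionId    = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup     = "rg-intune-export"                        # assumed
$storageAccount    = "stintuneassign"                          # assumed
$automationAccount = "aa-intune-export"                        # assumed
$roleName          = "Storage Account Reader and Blob Contributor"   # name used on the page

Connect-AzAccount -Subscription $subscriptionId | Out-Null

# Scope the role and the assignment to the storage account itself, as in the portal steps
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$storageAccount"

# Clone the built-in role; equivalent to the portal's "Clone" action
$role = Get-AzRoleDefinition -Name "Storage Blob Data Contributor"
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = $roleName
$role.Description = "Upload exported MS Graph data to the intune-assignments container"
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)

# The two permissions the page adds
$role.Actions.Add("Microsoft.Storage/storageAccounts/read")
$role.Actions.Add("Microsoft.Storage/storageAccounts/listkeys/action")
# The page also removes a couple of cloned actions it does not name;
# prune $role.Actions / $role.DataActions here as your solution requires.

$customRole = New-AzRoleDefinition -Role $role

# Assign the role to the Automation Account's system-assigned managed identity
$principal = Get-AzADServicePrincipal -DisplayName $automationAccount
New-AzRoleAssignment -ObjectId $principal.Id -RoleDefinitionId $customRole.Id -Scope $scope | Out-Null

# Verify: the identity should now hold exactly this role at the storage account scope
Get-AzRoleAssignment -ObjectId $principal.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

One check worth making before running this: `Microsoft.Storage/storageAccounts/listkeys/action` lets the holder read the storage account access keys, and those keys authorize the whole data plane of the account, not just the one container. Confirm that the runbook really authenticates with the account keys; if it can use the managed identity's blob permissions directly, the role can be kept tighter by leaving that action out.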
