search

Create / configure an Azure storage account

Here we will create and configure a storage account in Azure granting the automation account the necessary permissions and creating a container for the report data.

hashtag
Create a storage account

If you don't have one already create a storage accountarrow-up-right in Azure.

hashtag
Create a container

Under Containers, create a container which we will use to store the data files exported from MS Graph. I've called mine patchmypc-powerbi. Set the Public access level to private.

hashtag
Create a custom role

Here we will create a custom role at the storage account level which has just the permissions we need to upload data to the container. We will assign this role to the managed identity or run as account.

  • In the storage account, top-level, open the Access Control (IAM) pane

  • On the Roles tab, locate the role Storage Blob Data Contributor

  • Click the 3 dots on the right of the role and choose Clone

  • Give the role a name. I've used Storage Account Reader and Blob Contributor

  • On the Permissions tab, add or remove the cloned permissions as required. I've added two permissions that are required by this solution and removed a couple that aren't. All permissions are found under Microsoft.Storage.

    • Add Microsoft.Storage/storageAccounts/read

    • Add Microsoft.Storage/storageAccounts/listkeys/action

  • On the Assignable scopes tab, leave the default scope which should be the storage account itself

  • Click Review + create

hashtag
Assign the role

Back in the Access Control (IAM) pane:

  • Click Add role assignment under Grant access to this resource

  • Locate the role you just created, select it and click Next

  • Select Managed Identity and click Select members

  • Locate the Managed identity for your automation account and select it

  • Click Review + assign a couple times to complete.

PreviousGrant API permissionsNextCreate an Azure automation runbook

Last updated

Was this helpful?