# Create / configure an Azure storage account

## Create a storage account

If you don't have one already, create a [storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal) in Azure.

## Create a container

Under **Containers**, create a container which we will use to store the data files exported from MS Graph. I've called mine **patchmypc-powerbi**. Set the **Public access level** to **private**.

![](https://3886807721-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWe9ieepRHnj7T8odXt%2F-MdarLkZkUUPVfFwGAQZ%2F-MdaxyIluuXQ5PPslEJH%2Fimage.png?alt=media\&token=060e4009-30f9-400c-a13b-bcbc8705ff5e)

## Create a custom role

Here we will create a custom role at the storage account level which has just the permissions we need to upload data to the container. We will assign this role to the managed identity or Run As account.

* At the top level of the storage account, open the **Access Control (IAM)** pane
* On the **Roles** tab, locate the role **Storage Blob Data Contributor**
* Click the 3 dots on the right of the role and choose **Clone**
* Give the role a name. I've used **Storage Account Reader and Blob Contributor**

![](https://3886807721-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWe9ieepRHnj7T8odXt%2F-M_R8wzbJ8oME9Qt58aB%2F-M_ROpYgyDqg---0R4g1%2Fimage.png?alt=media\&token=e3110a81-5ca5-4ab2-9e08-f9ef65fd850e)

* On the **Permissions** tab, add or remove the cloned permissions as required. I've added two permissions that are required by this solution and removed a couple that aren't. All permissions are found under **Microsoft.Storage**.
  * Add **Microsoft.Storage/storageAccounts/read**
  * Add **Microsoft.Storage/storageAccounts/listkeys/action**

![](https://3886807721-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWe9ieepRHnj7T8odXt%2F-M_R8wzbJ8oME9Qt58aB%2F-M_RP_ec2Svw0oywmCNC%2Fimage.png?alt=media\&token=414a4d60-7297-4312-abb1-ea1c9ad99be8)

* On the **Assignable scopes** tab, leave the default scope which should be the storage account itself
* Click **Review + create**

## Assign the role

Back in the **Access Control (IAM)** pane:

* Click **Add role assignment** under **Grant access to this resource**
* Locate the role you just created, select it and click **Next**
* Select **Managed Identity** and click **Select members**
* Locate the Managed identity for your automation account and select it
* Click **Review + assign** a couple of times to complete.
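
The custom role and assignment steps above can also be scripted with Az PowerShell. The following is an added example, not part of the original page; the resource group, storage account name and managed identity object ID are placeholders. Because **Microsoft.Storage/storageAccounts/listkeys/action** exposes the account access keys, which grant full access to the account's data, the script keeps both the assignable scope and the assignment on the single storage account.

```powershell
# Requires the Az.Accounts, Az.Resources and Az.Storage modules and a signed-in
# session (Connect-AzAccount).
# Placeholders (assumptions, not from the original page): replace before running.
$resourceGroup  = '<resource-group-name>'
$storageAccount = '<storage-account-name>'
$principalId    = '<managed-identity-object-id>'  # object ID of the automation account's managed identity
$roleName       = 'Storage Account Reader and Blob Contributor'  # name used on the page

# Scope everything to the one storage account, matching the portal default.
$scope = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Id

# Clone the built-in role, as the portal's Clone action does.
# The page removes a couple of cloned permissions without naming them,
# so this example keeps every cloned permission.
$role = Get-AzRoleDefinition -Name 'Storage Blob Data Contributor'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = $roleName
$role.Description = 'Cloned from Storage Blob Data Contributor with storage account read and listkeys added.'

# Add the two control-plane permissions listed on the Permissions tab.
foreach ($action in 'Microsoft.Storage/storageAccounts/read',
                    'Microsoft.Storage/storageAccounts/listkeys/action') {
    if ($role.Actions -notcontains $action) { $role.Actions.Add($action) }
}

# The role may only be assigned on this storage account.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)
$created = New-AzRoleDefinition -Role $role

# Assign the new role to the managed identity at the storage account scope.
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $created.Id -Scope $scope | Out-Null

# Review what was granted.
$created | Select-Object Name, Actions, DataActions, AssignableScopes | Format-List

# List the identity's assignments that apply to this account and flag any
# inherited from a broader scope (resource group, subscription, ...).
$assignments = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope
$assignments | Select-Object RoleDefinitionName, Scope
foreach ($a in $assignments | Where-Object { $_.Scope -ne $scope }) {
    Write-Warning "Broader assignment: $($a.RoleDefinitionName) at $($a.Scope)"
}
```

A warning from the last loop means the identity already holds a role above the storage account, so its effective access is wider than the custom role alone.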
