I have a user (MemberUser1) that is also member of my subcription and member of a group "Group1". This group has access defined in the assigned role of some resources" SQL server and two storage accounts. However, when I cannot connect to any storage account through that user, when I assign the role "Storage Blob Data Contributor"to that group - it says "Access Denied" for the user, even when I paste the direct link (https://portal.azure.com/#@{tenantID}/resource/subscriptions/{subscriptionID}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}).
Any idea of what might be causing this "Access Denied" problem? ChatGPT couldn't solve either.
I tried countless ways of troubbleshooting this with no success.
Let me explain:
- I was able to access the SQL server through the propagation of the access role from the "Engenharia de Dados" group through the user "Eduardo Gmail", which means that the member is correctly assigned to the group.
- I cannot access the storage account either from the Storage Explorer nor the Azure Portal, which means it is indeed an authorization problem.
- I can connect to the storage account using my admin user in the same computer and network/IP as the one I am not being able to connect via the member user Eduardo Gmail; also, I cannot connect either if I allow the resource to be access via public networks, which means it is not a connectivity/network/firewall issue.
- I tried to assign the "Storage Blob Data Owner" to the group and still cannot access, which means it is not a role-specific permission problem.
- I cannot access the resource through that user either even if I assign the role "Storage Blob Data Owner" directly to him.
- I waited more than 24h after assigning the role to make sure there was no time propagation issues.
I need to have access to the storage account from any user who is not admin by having them loging in through their account, without providing the access key to the storage account.