Prerequisites for Azure role assignment conditions

To add or edit Azure role assignment conditions, you must have the following prerequisites.

Contas de armazenamento

For conditions that use blob index tags, you must use a storage account that is compatible with the blob index feature. For example, only General Purpose v2 (GPv2) storage accounts with hierarchical namespace (HNS) disabled are currently supported. For more information, see Manage and find Azure Blob data with blob index tags

Azure PowerShell

When using Azure PowerShell to add or update conditions, you must use the following versions:

• Az module 5.5.0 or later
• Az.Resources module 3.2.1 or later
  • Included with Az module v5.5.0 and later, but can be manually installed through PowerShell Gallery
• Az.Storage preview module 2.5.2-preview or later

Azure CLI (Interface de Linha de Comando da Azure)

When using Azure CLI to add or update conditions, you must use the following versions:

• Azure CLI 2.18 or later

API REST

When using the REST API to add or update conditions, you must use the following versions:

• 2020-03-01-preview ou mais tarde
• 2020-04-01-preview ou posterior se você quiser utilizar a propriedade description para atribuições de função
• 2022-04-01 é a primeira versão estável

Para mais informações, consulte as versões das APIs REST do Azure RBAC.

Permissões

Just like role assignments, to add or update conditions, you must be signed in to Azure with a user that has the Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as Role Based Access Control Administrator.

Principais atributos

To use principal attributes (custom security attributes in Microsoft Entra ID), you must have the following:

• Attribute Assignment Administrator at attribute set or tenant scope
• Custom security attributes defined in Microsoft Entra ID

For more information about custom security attributes, see:

• Principal does not appear in Attribute source
• Adicionar ou desativar atributos de segurança personalizados no Microsoft Entra ID

Atributos do ambiente

To use the Private endpoint attribute, you must have at least one private endpoint configured in your subscription.

To use the Subnet attribute, you must have at least one virtual network subnet using service endpoints configured in your subscription.

Próximos passos

• Exemplo de condições de atribuição de função do Azure para Armazenamento de Blob
• Tutorial: Adicionar uma condição de atribuição de função para restringir o acesso a blobs usando o portal do Azure