How to give blob storage access to multiple rg's

Sumeet Bhandekar (TATA CONSULTANCY SERVICES LTD) 20 Reputation points Microsoft External Staff
2026-03-19T08:23:04.75+00:00

Currently the storage account is in one subscription + RG; I need to give access to another one, like prod and dev environments.
Note: I've already given access to managed identities but still am not able to download the files from the storage.

Azure Storage

Answer accepted by question author
    Ravi Varma Mudduluru 9,360 Reputation points Microsoft External Staff Moderator
    2026-03-19T08:39:14.44+00:00

    Hello @Sumeet Bhandekar

    Thank you for reaching out to Microsoft Q&A.

    I understand that the file was downloading correctly with the full size in the DEV environment. However, after migrating to the production environment, the file download was completing with a size of 0 KB.

    As discussed, we requested you to verify the issue from the App Service side, as it was not related to the storage service. After you updated the App Service settings, specifically correcting the database connection, adding the storage account URL, and restarting the application, you were able to successfully download the file with the correct size in the production environment.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept Answer" and "Upvote" it if the information helped you. This will help us and others in the community as well.

1 additional answer

    Q&A Assist
    2026-03-19T08:23:32.7833333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Blob Storage access is controlled at the storage account (and below) scope, not by the resource group of the caller. To let identities from multiple environments (dev/prod RGs, other subscriptions) access the same storage account, assign the appropriate data-plane roles (for blobs) to each identity at the correct scope.

    Use these checks and steps:

    1. Confirm the correct identity is used
      • For an Azure-hosted app (App Service, VM, Function, etc.), ensure the system-assigned or user-assigned managed identity that the app actually runs under is the one receiving the role assignment.
      • In multi-environment setups, each environment’s app/VM will typically have its own managed identity; each of those identities must be granted access.
    2. Assign Storage Blob Data roles per identity
      • In the storage account that holds the blobs:
        1. Go to Access control (IAM).
        2. Select + Add > Add role assignment.
        3. Choose a data role such as Storage Blob Data Reader (read-only) or Storage Blob Data Contributor (read/write/delete), depending on what is needed.
        4. In Assign access to, choose Managed identity.
        5. Select the managed identity of the dev app, then repeat for the prod app.
      • This works even if the identities are in different resource groups or subscriptions; the key is that the role assignment is done on the storage account (or container) scope.
      • The same pattern is shown for web apps, VMs, Stream Analytics jobs, and Foundry projects in the references: each identity gets a Storage Blob Data Contributor role on the storage account or container.
    3. Choose the right scope (account vs container)
      • Account-level scope (all containers):
        • Example with Azure CLI:

              az role assignment create \
                --role "Storage Blob Data Contributor" \
                --assignee <principal-id> \
                --scope /subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<storage-account>

      • Container-level scope (single container):

              az role assignment create \
                --role "Storage Blob Data Contributor" \
                --assignee <principal-id> \
                --scope /subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container-name>

      • Use the principal ID of each managed identity (dev and prod) as --assignee.
    4. Verify network and firewall settings
      • If the storage account has Firewalls and virtual networks enabled, ensure:
        • The dev/prod environment networks are allowed, or
        • Allow trusted Microsoft services to access this storage account is enabled when using certain Azure services.
      • If using SAS plus IP restrictions, confirm the client IPs (or proxies) are allowed; otherwise 403 errors can occur even with correct RBAC.
    5. Wait for RBAC propagation and test again
      • After adding role assignments, wait a few minutes for permissions to propagate.
      • Then test download from each environment using the managed identity (for example, via DefaultAzureCredential in code). If the identity and scope are correct, blob downloads should succeed.
    6. Common causes when “access is already given” but downloads fail
      • Role assigned to the wrong identity (e.g., app registration instead of managed identity actually used at runtime).
      • Role assigned at subscription/RG scope but not including the storage account (or assigned in a different subscription than the storage account).
      • Using blob management roles (like Storage Account Contributor) instead of data roles (Storage Blob Data Reader/Contributor).
      • Network/firewall restrictions blocking the request.

    Following the above, grant Storage Blob Data Reader or Storage Blob Data Contributor on the storage account or container to each managed identity from dev and prod, verify firewall settings, then retest downloads.
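As an added, offline example (not code from the Q&A Assist answer or from Microsoft's tooling), the following Python triages the role assignments returned for one managed identity, in the JSON shape of `az role assignment list --assignee <principal-id> --all` (fields `roleDefinitionName` and `scope`), against the storage account's resource ID. It separates the two failure modes listed under step 6 (a control-plane role such as Contributor where a Storage Blob Data role is needed, and a data role whose scope sits in another subscription or resource) from an assignment that actually grants blob access. Subscription IDs, resource group and account names are constructed.

```python
"""Offline check: does this identity's RBAC actually reach the storage account?"""

# Built-in roles whose data actions cover blob reads. Owner, Contributor and
# Storage Account Contributor are control-plane only and do not grant blob data
# access when the caller authenticates with Entra ID.
BLOB_DATA_ROLES = {
    "Storage Blob Data Reader",
    "Storage Blob Data Contributor",
    "Storage Blob Data Owner",
}


def scope_covers(assignment_scope: str, target: str) -> bool:
    """True when the assignment scope equals the target or is an ancestor of it.
    Segment-aware: /storageAccounts/st1 must not match /storageAccounts/st10."""
    a = assignment_scope.rstrip("/").lower()
    t = target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def diagnose(assignments: list, target_scope: str) -> dict:
    """Bucket each assignment by why it does or does not grant blob access."""
    effective, control_plane_only, scope_miss = [], [], []
    for item in assignments:
        role, scope = item["roleDefinitionName"], item["scope"]
        if not scope_covers(scope, target_scope):
            scope_miss.append((role, scope))          # other subscription/RG/resource
        elif role not in BLOB_DATA_ROLES:
            control_plane_only.append((role, scope))  # management role, no data actions
        else:
            effective.append((role, scope))           # this one actually works
    return {"effective": effective, "control_plane_only": control_plane_only,
            "scope_does_not_cover": scope_miss}


# Constructed sample (placeholder IDs): the prod identity holds Contributor on
# the right resource group, plus a data role on a same-named account in the dev
# subscription. Neither grants blob reads on the prod account, so "access is
# already given" but downloads still fail.
PROD_SA = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/"
           "rg-prod/providers/Microsoft.Storage/storageAccounts/stshared")
SAMPLE = [
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-prod"},
    {"roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/"
              "rg-dev/providers/Microsoft.Storage/storageAccounts/stshared"},
]

if __name__ == "__main__":
    for bucket, items in diagnose(SAMPLE, PROD_SA).items():
        print(bucket, items)
```

Feed it the real `az role assignment list --assignee <principal-id> --all -o json` output and the account's resource ID from `az storage account show --query id`; an empty `effective` list means the fix is a new assignment, not more waiting for propagation.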