'Azure Storage restrict access one container only
This is my situation: Two groups in Azure AD. Group 1 can access only container1, but not container2 Group 2 can access only container2, but not container1
To achieve this I have given IAM Role Permission on each container accordingly (assigned Storage Blob Data Contributor Role to group).
Code Sample I used: https://github.com/Azure-Samples/storage-dotnet-azure-ad-msal
But to upload/download any file on container I have to assign role of Storage Blob Data Contributor on Storage Account as well. If I give Storage Blob Data Contributor on Storage Account then that Group users can add files to any container.
So is there any way to achieve like, Group 1 can access only container1, but not container2 Group 2 can access only container2, but not container1
Solution 1:[1]
Denying group to a container is not supported yet. As given in the image taken from IAM blade: "At this time, the only way you can add your own deny assignments is by using Azure Blueprints."
Denying access to users is quite a process. So it is best if you create two storage accounts and manage the access at storage account level instead of Container. This is not for group but for a single user in group. 
Solution 2:[2]
What you can do is assign 'Reader' access to the storage account, then 'Storage Blob Data Reader' for that same user/group, BUT provide a condition to only allow them access to containers of a specific name. In my example below I called the container "test-access-medata"
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | Sauron |