'Azure Storage restrict access one container only

This is my situation: Two groups in Azure AD. Group 1 can access only container1, but not container2 Group 2 can access only container2, but not container1

To achieve this I have given IAM Role Permission on each container accordingly (assigned Storage Blob Data Contributor Role to group).

Code Sample I used: https://github.com/Azure-Samples/storage-dotnet-azure-ad-msal

But to upload/download any file on container I have to assign role of Storage Blob Data Contributor on Storage Account as well. If I give Storage Blob Data Contributor on Storage Account then that Group users can add files to any container.

So is there any way to achieve like, Group 1 can access only container1, but not container2 Group 2 can access only container2, but not container1



Solution 1:[1]

Denying group to a container is not supported yet. As given in the image taken from IAM blade: "At this time, the only way you can add your own deny assignments is by using Azure Blueprints." Denying access to users is quite a process. So it is best if you create two storage accounts and manage the access at storage account level instead of Container. This is not for group but for a single user in group. enter image description here

Solution 2:[2]

What you can do is assign 'Reader' access to the storage account, then 'Storage Blob Data Reader' for that same user/group, BUT provide a condition to only allow them access to containers of a specific name. In my example below I called the container "test-access-medata"

enter image description here

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Sauron