azure-security

I'm trying to give our operations team read-only access to a storage account containing log files. I'd like to be able to give them the right to enumerate containers and read blobs. Ideally that would be the extent of their access. There are a couple of RBAC roles in preview that looked promising: Storage Blob Data Reader (Preview) is described as "Allows for read access to Azure Storage blobs containers and data" which sounds exactly like what I'm after Storage Blob Data Contributor (Preview) sounds like read/write to blob accounts Neither of these roles worked for me, however. The operations

According to this documentation : Application and Service principal are clearly two different things. Application is the global identity and Service principal is per Tenant/AAD But This Documentation and This Stack Overflow Question suggest they are the same. To make it more confusing, When I used the Graph API (from the first reference) and queried by my application name: https://graph.windows.net/<tenantName>/applications?api-version=1.6&$filter=displayName eq '<Apllication Name>' I see a object Id, an Application ID (which I thought were the same), but no service principal ID in the Json