conditions-prerequisites.md

title	description	services	author	manager	ms.service	ms.subservice	ms.topic	ms.workload	ms.date	ms.author
Prerequisites for Azure role assignment conditions (preview)	Prerequisites for Azure role assignment conditions (preview).	active-directory	rolyon	karenhoran	role-based-access-control	conditions	conceptual	identity	11/16/2021	rolyon

Prerequisites for Azure role assignment conditions (preview)

Important

Azure ABAC and Azure role assignment conditions are currently in preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

To add or edit Azure role assignment conditions, you must have the following prerequisites.

Storage accounts

For conditions that use blob index tags, you must use a storage account that is compatible with the blob index feature. For example, only General Purpose v2 (GPv2) storage accounts with hierarchical namespace (HNS) disabled are currently supported. For more information, see Manage and find Azure Blob data with blob index tags

Azure PowerShell

When using Azure PowerShell to add or update conditions, you must use the following versions:

• Az module 5.5.0 or later
• Az.Resources module 3.2.1 or later
  • Included with Az module v5.5.0 and later, but can be manually installed through PowerShell Gallery
• Az.Storage preview module 2.5.2-preview or later

Azure CLI

When using Azure CLI to add or update conditions, you must use the following versions:

• Azure CLI 2.18 or later

Permissions

Just like role assignments, to add or update conditions, you must be signed in to Azure with a user that has the Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete permissions, such as User Access Administrator or Owner.

Principal attributes

To use principal attributes (custom security attributes in Azure AD), you must have all of the following:

• Azure AD Premium P1 or P2 license
• Attribute Assignment Administrator at attribute set or tenant scope
• Custom security attributes defined in Azure AD

For more information about custom security attributes, see:

• Principal does not appear in Attribute source when adding a condition
• Add or deactivate custom security attributes in Azure AD

Next steps

• Example Azure role assignment conditions (preview)
• Tutorial: Add a role assignment condition to restrict access to blobs using the Azure portal (preview)