
az storage file list undocumented action change in 2.79 #32543

@SysAdminforCoffee

Describe the bug

In Az CLI version 2.78 and below, running "az storage file list" only called the action "Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read", which is in the allowed DataActions of the following Azure RBAC roles:

Storage File Data Privileged Contributor: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-file-data-privileged-contributor
Storage File Data Privileged Reader: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-file-data-privileged-reader

However, with Az CLI version 2.79 and up, a new call was added: "Microsoft.Storage/storageAccounts/fileServices/shares/read", which is not included in the aforementioned RBAC roles. This causes a breaking change where the RBAC role no longer has enough permissions to perform the same task.

Related command

az storage file list

Errors

ERROR:
You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Owner"
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Queue Data Contributor"
"Storage Queue Data Reader"
"Storage Table Data Contributor"
"Storage Table Data Reader"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

Issue script & Debug output

  - task: AzureCLI@2
    displayName: 'Validate Deployment'
    inputs:
      azureSubscription: serviceprincipal
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |
        # List files in target directory
        $files = az storage file list `
          --account-name _storageaccountname_ `
          --share-name _sharename_ `
          --path _directoryname_ `
          --auth-mode login `
          --backup-intent `
          --exclude-extended-info `
          --output json | ConvertFrom-Json

        # Print only the file names
        $files.name

Diagnostic Log with Az CLI 2.78:
Image

Diagnostic Log with Az CLI 2.79+:
Image

Expected behavior

A list of files from the script

Environment Summary

Working version:

/usr/bin/az version
{
  "azure-cli": "2.78.0",
  "azure-cli-core": "2.78.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "azure-devops": "1.0.2"
  }
}

Not-working version:

/usr/bin/az version
{
  "azure-cli": "2.79.0",
  "azure-cli-core": "2.79.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "azure-devops": "1.0.2"
  }
}

Additional context

No response

Metadata

Labels

Auto-Assign: Auto assign by bot
Auto-Resolve: Auto resolve by bot
Azure CLI Team: The command of the issue is owned by Azure CLI team
Breaking Change
Possible-Solution
Similar-Issue
Storage: az storage
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
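Added example, not part of the issue or of the Azure CLI project: a pre-upgrade check that reports which of the two operations named in the issue a role definition does not grant. It assumes the JSON shape printed by `az role definition list --output json`, treats `*` as a wildcard with case-insensitive comparison, and accepts a grant from either the actions or the dataActions list; the sample role is constructed and contains only the action the issue names.

```python
import json
import re

# Operations named in the issue: the first was the only call before 2.79,
# the second is the call the reporter saw added in 2.79.
REQUIRED = [
    "Microsoft.Storage/storageAccounts/fileServices/fileShares/files/read",
    "Microsoft.Storage/storageAccounts/fileServices/shares/read",
]

# Constructed sample in the assumed `az role definition list` output shape;
# it lists only the action the issue names, not a real role's full definition.
SAMPLE_ROLE_JSON = """
[{"roleName": "constructed-file-reader",
  "permissions": [{"actions": [], "notActions": [],
                   "dataActions": ["Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"],
                   "notDataActions": []}]}]
"""

def _matches(pattern, operation):
    """'*' is a wildcard; comparison is case-insensitive (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def _granted(perm, operation):
    """True if one permission block allows the operation and does not exclude it."""
    for allow, deny in (("actions", "notActions"), ("dataActions", "notDataActions")):
        allowed = any(_matches(p, operation) for p in perm.get(allow) or [])
        denied = any(_matches(p, operation) for p in perm.get(deny) or [])
        if allowed and not denied:
            return True
    return False

def missing_operations(role_definitions, required=REQUIRED):
    """Map each role name to the required operations no permission block grants."""
    report = {}
    for role in role_definitions:
        perms = role.get("permissions") or []
        report[role["roleName"]] = [
            op for op in required if not any(_granted(p, op) for p in perms)
        ]
    return report

if __name__ == "__main__":
    for name, missing in missing_operations(json.loads(SAMPLE_ROLE_JSON)).items():
        print(name, "missing:", missing or "nothing")
```

Running it against the roles assigned to a pipeline's service principal before moving the agent image to a newer CLI version shows whether the added call would be denied.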
