Merge pull request #238361 from spelluru/patch-187

v-regandowner · web-flow · commit 48e3d31521b2 · 2023-05-23T11:42:02.000-04:00
RBAC on Storage
diff --git a/articles/event-hubs/event-hubs-capture-overview.md b/articles/event-hubs/event-hubs-capture-overview.md
@@ -2,7 +2,7 @@
 title: Capture streaming events - Azure Event Hubs | Microsoft Docs
 description: This article provides an overview of the Capture feature that allows you to capture events streaming through Azure Event Hubs. 
 ms.topic: article
-ms.date: 05/31/2022
+ms.date: 05/16/2023
 ---
 
 # Capture events through Azure Event Hubs in Azure Blob Storage or Azure Data Lake Storage
@@ -74,6 +74,26 @@ You can create an Azure Event Grid subscription with an Event Hubs namespace as
 ## Explore captured files
 To learn how to explore captured Avro files, see [Explore captured Avro files](explore-captured-avro-files.md).
 
+## Azure Storage account as a destination
+To enable capture on an event hub with Azure Storage as the capture destination, or update properties on an event hub with Azure Storage as the capture destination, the user or service principal must have an RBAC role with the following permissions assigned at the storage account scope. 
+
+```
+Microsoft.Storage/storageAccounts/blobServices/containers/write
+Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write permission(s) on above resource for the user or the application and retry.  
+```
+ 
+
+Without above permission, you will see below error: 
+
+```
+Generic: Linked access check failed for capture storage destination <StorageAccount Arm Id>.
+User or the application with object id <Object Id> making the request doesn't have the required data plane write permissions.
+Please enable Microsoft.Storage/storageAccounts/blobServices/containers/write, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write permission(s) on above resource for the user or the application and retry.
+TrackingId:<ID>, SystemTracker:mynamespace.servicebus.windows.net:myhub, Timestamp:<TimeStamp>
+```
+
+The [Storage Blob Data Owner](../role-based-access-control/built-in-roles.md#storage-blob-data-owner) is a built-in role with above permissions, so add the user account or the service principal to this role.  
+
 ## Next steps
 Event Hubs Capture is the easiest way to get data into Azure. Using Azure Data Lake, Azure Data Factory, and Azure HDInsight, you can perform batch processing and other analytics using familiar tools and platforms of your choosing, at any scale you need.
 
