You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/cost-management-billing/costs/tutorial-improved-exports.md
+13-3Lines changed: 13 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -39,10 +39,20 @@ For Azure Storage accounts:
39
39
- Write permissions are required to change the configured storage account, independent of permissions on the export.
40
40
- Your Azure storage account must be configured for blob or file storage.
41
41
- Don't configure exports to a storage container that is configured as a destination in an [object replication rule](../../storage/blobs/object-replication-overview.md#object-replication-policies-and-rules).
42
-
- To export to storage accounts with configured firewalls, you need other privileges on the storage account. The other privileges are only required during export creation or modification. They are:
43
-
-**Owner** role or any custom role with `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/permissions/read` permissions.
42
+
- To export to storage accounts with firewall rules, you need additional privileges on the storage account. These privileges are only required during export creation or modification:
43
+
44
+
-__Owner__ role on the storage account ___or___
45
+
46
+
- A __custom role__ that includes:
47
+
48
+
-`Microsoft.Authorization/roleAssignments/write`
49
+
50
+
-`Microsoft.Authorization/permissions/read`
51
+
52
+
When you configure the firewall, ensure that [Allow trusted Azure service access](../../storage/common/storage-network-security.md#grant-access-to-trusted-azure-services) is enabled on the storage account. If you want to use the [Exports REST API](/rest/api/cost-management/exports) to write to a storage account behind a firewall, use API version __2023-08-01__ or later. All newer API versions continue to support exports behind firewalls.
53
+
54
+
A __system-assigned managed identity__ is created for a new export if the user has `Microsoft.Authorization/roleAssignments/write` permissions on the storage account. This setup ensures that the export will continue to work if you enable a firewall in the future. After the export is created or updated, the user no longer needs the __Owner__ role for routine operations.
44
55
45
-
- Additionally, ensure that you enable [Allow trusted Azure service access](../../storage/common/storage-network-security.md#grant-access-to-trusted-azure-services) to the storage account when you configure the firewall.
46
56
- The storage account configuration must have the **Permitted scope for copy operations (preview)** option set to **From any storage account**.
47
57
:::image type="content" source="./media/tutorial-export-acm-data/permitted-scope-copy-operations.png" alt-text="Screenshot showing From any storage account option set." lightbox="./media/tutorial-export-acm-data/permitted-scope-copy-operations.png" :::
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments