#### 📘 Azure AI Foundry — Advanced Azure CLI Usage

#### 📖 Title

Advanced Azure CLI for Role Assignments & IAM

#### 📌 Purpose

While the basic Azure CLI setup authenticated you and created your workspace, advanced usage is required for **role assignments** and **fine-grained access control**.

This ensures:

* You (as a user) can manage your Azure Storage (upload/download blobs).
* Services like Azure AI Foundry can integrate with storage accounts securely.
* Minimal permissions are granted at the correct **scope** (subscription, resource group, or resource).

---

#### 1. Verify Current Role Assignments

List all roles for your **resource group**:

```powershell
az role assignment list --resource-group NobelDynamicsRG --output table
```

✅ Expected output (simplified):

```
Principal                             Role                    Scope
------------------------------------  ----------------------  -----------------------------------------------------------
e155fe89-b772-48e6-848c-387f2ce308c5  Azure AI Administrator  /subscriptions/.../resourceGroups/NobelDynamicsRG
```

📌 This only shows roles **scoped at the resource group level**.

---

#### 2. List Role Assignments for a Specific Resource

To see roles assigned **at the storage account level** (not just the group):

```powershell
az role assignment list `
  --scope /subscriptions/4e72e1a7-c2d3-438d-ac49-7a013a697c08/resourceGroups/NobelDynamicsRG/providers/Microsoft.Storage/storageAccounts/nobelfoustoragecf4f1a19f `
  --output table
```

✅ Example output:

```
Principal                                                Role                                      Scope
-------------------------------------------------------  ----------------------------------------  -------------------------------------------------------------------------
e155fe89-b772-48e6-848c-387f2ce308c5                     Storage Blob Data Contributor             .../storageAccounts/nobelfoustoragecf4f1a19f
e155fe89-b772-48e6-848c-387f2ce308c5                     Storage File Data Privileged Contributor  .../storageAccounts/nobelfoustoragecf4f1a19f
mterfassa_gmail.com#EXT#@mterfassagmail.onmicrosoft.com  Storage Blob Data Contributor             .../storageAccounts/nobelfoustoragecf4f1a19f
```

📌 This shows your account (`mterfassa@outlook.com`) now has **Storage Blob Data Contributor**.


✅ <u>**Actual Output - Masssara**</u>

```text
C:\Users\massa> az role assignment list `
>>   --scope /subscriptions/4e72e1a7-c2d3-438d-ac49-7a013a697c08/resourceGroups/NobelDynamicsRG/providers/Microsoft.Storage/storageAccounts/nobelfoustoragecf4f1a19f `
>>   --output table
Principal                                                Role                                      Scope
-------------------------------------------------------  ----------------------------------------  -------------------------------------------------------------------------------------------------------------------------------------------------------
e155fe89-b772-48e6-848c-387f2ce308c5                     Storage Blob Data Contributor             /subscriptions/4e72e1a7-c2d3-438d-ac49-7a013a697c08/resourceGroups/NobelDynamicsRG/providers/Microsoft.Storage/storageAccounts/nobelfoustoragecf4f1a19f
e155fe89-b772-48e6-848c-387f2ce308c5                     Storage File Data Privileged Contributor  /subscriptions/4e72e1a7-c2d3-438d-ac49-7a013a697c08/resourceGroups/NobelDynamicsRG/providers/Microsoft.Storage/storageAccounts/nobelfoustoragecf4f1a19f
mterfassa_gmail.com#EXT#@mterfassagmail.onmicrosoft.com  Storage Blob Data Contributor             /subscriptions/4e72e1a7-c2d3-438d-ac49-7a013a697c08/resourceGroups/NobelDynamicsRG/providers/Microsoft.Storage/storageAccounts/nobelfoustoragecf4f1a19f
C:\Users\massa>
```
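The two listings above answer "what is assigned here?", but a least-privilege review also needs "what is inherited from above?", which `--scope` alone hides. The following PowerShell script is an added example (not part of the original notes) that pulls assignments at the storage account together with those inherited from the resource group and subscription (the three scope levels described in section 4), labels each by level, and flags roles that are broader than a single data-plane role needs. It assumes an authenticated Azure CLI session and reuses the subscription, resource group and storage account names from these notes; `$BroadRoles` is an assumed watch-list you can adjust.

```powershell
# Added example: audit effective role assignments on one storage account, including inherited ones.
# Assumes 'az login' has been run and the values below match your environment.
$SubscriptionId = "4e72e1a7-c2d3-438d-ac49-7a013a697c08"
$ResourceGroup  = "NobelDynamicsRG"
$StorageAccount = "nobelfoustoragecf4f1a19f"

$ResourceScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
                 "/providers/Microsoft.Storage/storageAccounts/$StorageAccount"

# Assumed watch-list: roles that grant far more than blob/file data access.
$BroadRoles = @("Owner", "Contributor", "User Access Administrator", "Storage Account Contributor")

# --include-inherited adds assignments made at the resource group and subscription,
# which a plain 'az role assignment list --scope ...' omits.
$assignments = az role assignment list --scope $ResourceScope --include-inherited --output json |
               ConvertFrom-Json
if ($LASTEXITCODE -ne 0) { throw "az role assignment list failed; check 'az login' and the scope." }

$report = foreach ($a in $assignments) {
    # Classify the scope the assignment was made at (section 4 of the notes).
    $level = switch -Regex ($a.scope) {
        '/providers/Microsoft\.Storage/' { 'resource';      break }
        '/resourceGroups/[^/]+$'         { 'resourceGroup'; break }
        '^/subscriptions/[^/]+$'         { 'subscription';  break }
        default                          { 'other' }
    }
    [pscustomobject]@{
        Principal = if ($a.principalName) { $a.principalName } else { $a.principalId }
        Type      = $a.principalType
        Role      = $a.roleDefinitionName
        Level     = $level
        Broad     = $BroadRoles -contains $a.roleDefinitionName
        Inherited = ($a.scope -ne $ResourceScope)
    }
}

$report | Sort-Object Level, Role | Format-Table -AutoSize

# Anything broad, or anything inherited that is not a narrow Storage data role,
# is a candidate for tightening to resource scope.
$findings = $report | Where-Object { $_.Broad -or ($_.Inherited -and $_.Role -notlike 'Storage * Data *') }
if ($findings) {
    Write-Warning "Assignments that exceed resource-level least privilege:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No broad or inherited non-data assignments found on $StorageAccount."
}
```

Run it after any role change; the `Inherited` column tells you whether a principal's access comes from the storage account itself or from a parent scope, which is the difference that section 4 is about.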

---

#### 3. Assign a Role to Yourself

Azure CLI role assignment requires an **Object ID**, not just your email.

##### 3.1 Get Your Object ID

```powershell
az ad signed-in-user show --query id -o tsv
```

✅ Example output:

```
29dd4f55-02aa-4ac4-99bc-edc41eb67fb7
```

---

##### 3.2 Create Role Assignment

Grant yourself **Storage Blob Data Contributor** access on the storage account:

```powershell
az role assignment create `
  --assignee-object-id 29dd4f55-02aa-4ac4-99bc-edc41eb67fb7 `
  --assignee-principal-type User `
  --role "Storage Blob Data Contributor" `
  --scope /subscriptions/4e72e1a7-c2d3-438d-ac49-7a013a697c08/resourceGroups/NobelDynamicsRG/providers/Microsoft.Storage/storageAccounts/nobelfoustoragecf4f1a19f
```

✅ Expected success output (truncated):

```json
{
  "principalName": "mterfassa_gmail.com#EXT#@mterfassagmail.onmicrosoft.com",
  "principalType": "User",
  "roleDefinitionName": "Storage Blob Data Contributor",
  "scope": "/subscriptions/.../storageAccounts/nobelfoustoragecf4f1a19f"
}
```

✅ <u>**Actual Output - Masssara**</u>

```text
C:\Users\massa> az role assignment create `
>>   --assignee-object-id 29dd4f55-02aa-4ac4-99bc-edc41eb67fb7 `
>>   --assignee-principal-type User `
>>   --role "Storage Blob Data Contributor" `
>>   --scope /subscriptions/4e72e1a7-c2d3-438d-ac49-7a013a697c08/resourceGroups/NobelDynamicsRG/providers/Microsoft.Storage/storageAccounts/nobelfoustoragecf4f1a19f
{
  "condition": null,
  "conditionVersion": null,
  "createdBy": "29dd4f55-02aa-4ac4-99bc-edc41eb67fb7",
  "createdOn": "2025-09-27T19:03:44.352471+00:00",
  "delegatedManagedIdentityResourceId": null,
  "description": null,
  "id": "/subscriptions/4e72e1a7-c2d3-438d-ac49-7a013a697c08/resourceGroups/NobelDynamicsRG/providers/Microsoft.Storage/storageAccounts/nobelfoustoragecf4f1a19f/providers/Microsoft.Authorization/roleAssignments/00085da7-771a-48b7-b9ae-f0322f68e616",
  "name": "00085da7-771a-48b7-b9ae-f0322f68e616",
  "principalId": "29dd4f55-02aa-4ac4-99bc-edc41eb67fb7",
  "principalName": "mterfassa_gmail.com#EXT#@mterfassagmail.onmicrosoft.com",
  "principalType": "User",
  "resourceGroup": "NobelDynamicsRG",
  "roleDefinitionId": "/subscriptions/4e72e1a7-c2d3-438d-ac49-7a013a697c08/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
  "roleDefinitionName": "Storage Blob Data Contributor",
  "scope": "/subscriptions/4e72e1a7-c2d3-438d-ac49-7a013a697c08/resourceGroups/NobelDynamicsRG/providers/Microsoft.Storage/storageAccounts/nobelfoustoragecf4f1a19f",
  "type": "Microsoft.Authorization/roleAssignments",
  "updatedBy": "29dd4f55-02aa-4ac4-99bc-edc41eb67fb7",
  "updatedOn": "2025-09-27T19:03:44.352471+00:00"
}
C:\Users\massa>
```
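Steps 3.1 and 3.2 work when typed once, but a repeatable version should look up the object ID itself, skip creation when the assignment already exists, and then confirm the grant actually landed at the intended scope rather than assuming success. The script below is an added example (not from the original notes) that does exactly that for the same role, user and storage account; it assumes an authenticated Azure CLI session and that the subscription, resource group and storage account names from these notes are correct. The five-minute polling window is an assumed allowance for RBAC propagation delay.

```powershell
# Added example: idempotent grant of a data-plane role at resource scope, with verification.
# Assumes 'az login' has been run and the values below match your environment.
$SubscriptionId = "4e72e1a7-c2d3-438d-ac49-7a013a697c08"
$ResourceGroup  = "NobelDynamicsRG"
$StorageAccount = "nobelfoustoragecf4f1a19f"
$Role           = "Storage Blob Data Contributor"   # data-plane role only, not Contributor/Owner

$Scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$StorageAccount"

# Step 3.1: resolve the signed-in user's object ID instead of hard-coding it.
$ObjectId = az ad signed-in-user show --query id -o tsv
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($ObjectId)) {
    throw "Could not resolve the signed-in user; run 'az login' first."
}

# Check first so the script can be re-run without creating a duplicate assignment.
$existing = az role assignment list --assignee $ObjectId --scope $Scope --role $Role --output json |
            ConvertFrom-Json
if (@($existing).Count -gt 0) {
    Write-Host "'$Role' is already assigned to $ObjectId at $Scope; nothing to do."
} else {
    # Step 3.2: create the assignment at the narrowest scope (the storage account itself).
    az role assignment create `
        --assignee-object-id $ObjectId `
        --assignee-principal-type User `
        --role $Role `
        --scope $Scope `
        --output none
    if ($LASTEXITCODE -ne 0) { throw "Role assignment failed." }
}

# RBAC changes can take a few minutes to become visible; poll rather than trust the create call.
$deadline = (Get-Date).AddMinutes(5)
do {
    $check = az role assignment list --assignee $ObjectId --scope $Scope --role $Role --output json |
             ConvertFrom-Json
    if (@($check).Count -gt 0) { break }
    Start-Sleep -Seconds 15
} while ((Get-Date) -lt $deadline)

if (@($check).Count -eq 0) { throw "Assignment not visible at $Scope after 5 minutes." }

# Show what was granted and confirm the scope is exactly the storage account.
$granted = @($check)[0]
$granted | Select-Object principalName, roleDefinitionName, scope | Format-List
if ($granted.scope -ne $Scope) {
    Write-Warning "Assignment is at a broader scope than intended: $($granted.scope)"
}

# When the access is no longer needed, remove it with the same three identifiers:
#   az role assignment delete --assignee $ObjectId --role $Role --scope $Scope
```

Keeping the role, assignee and scope in variables makes the removal command at the end a one-liner, which is what turns a temporary grant into an actual temporary grant instead of a permanent one.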

---

#### 4. Understanding Scopes

* **Subscription scope** → applies to *all resources* in your subscription.
* **Resource group scope** → applies only to resources in that group.
* **Resource scope** → applies only to one resource (best practice, least privilege).

✅ In this case, you correctly scoped the role **just to the storage account**.

---

#### 📊 Summary

* Verified IAM roles at both **resource group** and **resource level**.
* Learned how to get your **Object ID**.
* Successfully granted yourself **Storage Blob Data Contributor** at the storage account scope.
* Confirmed visibility in **Azure Storage Explorer**.

📂 Save as:

```
15_azure_cli_advanced.md
```

