Azure Control plane vs Data plane

Ever heard about the Azure control plane vs data plane segregation? Heard of plane segregation but couldn't quite make sense of it? Wondered why you can upload files to storage accounts even without data access? Let's take a look.

In all simplicity we have actions and data actions. Actions are resource creation and configuration. Data actions are reading, writing and deleting data. (There is a common(?) misconception that 'Owner' can do everything; that is not the case.)

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/control-plane-and-data-plane

Sounds simple enough, right? Let's have a quick look at some of the underlying roles which make this possible. For this example we will use an Azure storage account. But first, let's look at some roles (https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).

Owner is defined here:

As you can see, we have all actions, and no data actio
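To make the actions vs. data actions split concrete, here is a small added example (not code from the original post or from Microsoft) that evaluates an operation against a role definition the way Azure RBAC does: `actions`/`notActions` govern control-plane operations, `dataActions`/`notDataActions` govern data-plane operations, and the two lists are never consulted for the other plane. The role definitions are simplified and constructed for the example: Owner is reproduced as the post describes it (all actions, no data actions), and the Storage Blob Data Contributor entry is abbreviated to its blob permissions. The function names `is_allowed` and `_matches` are assumptions of this example.

```python
import re

# Simplified role definitions, constructed for this example.  Owner is
# reproduced as the post describes it (all actions via "*", no data actions);
# Storage Blob Data Contributor is abbreviated to its container/blob entries.
ROLES = {
    "Owner": {
        "actions": ["*"],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
    },
    "Storage Blob Data Contributor": {
        "actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        ],
        "notActions": [],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        ],
        "notDataActions": [],
    },
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC operation strings compare case-insensitively, and '*' in a
    permission string matches any run of characters, including '/'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_allowed(role_name: str, operation: str, is_data_action: bool) -> bool:
    """Return True if the role grants `operation` on the plane it belongs to.

    Control-plane operations are checked only against actions/notActions,
    data-plane operations only against dataActions/notDataActions.  A "*" in
    `actions` therefore grants nothing on the data plane, which is exactly
    why Owner cannot read a blob through RBAC.
    """
    role = ROLES[role_name]
    if is_data_action:
        allow_list, deny_list = role["dataActions"], role["notDataActions"]
    else:
        allow_list, deny_list = role["actions"], role["notActions"]
    allowed = any(_matches(p, operation) for p in allow_list)
    denied = any(_matches(p, operation) for p in deny_list)
    return allowed and not denied


if __name__ == "__main__":
    checks = [
        ("Owner", "Microsoft.Storage/storageAccounts/listKeys/action", False),
        ("Owner", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", True),
        ("Storage Blob Data Contributor",
         "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", True),
        ("Storage Blob Data Contributor",
         "Microsoft.Storage/storageAccounts/listKeys/action", False),
    ]
    for role, op, data in checks:
        plane = "data" if data else "control"
        print(f"{role:32s} {plane:8s} {op.split('/')[-2:]}: {is_allowed(role, op, data)}")
```

Running it shows Owner allowed on the control-plane `listKeys/action` but denied on the data-plane `blobs/read`, while Storage Blob Data Contributor is the mirror image. The first of those two results is the practical answer to the question in the post: a control-plane-only principal that can list the account keys can still reach the data through shared-key authentication, which bypasses RBAC entirely. From a least-privilege standpoint that is a reason to audit who holds `listKeys/action` and to consider disabling shared-key access on accounts where Azure AD (Entra ID) data-plane roles are in use.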
Ever heard about the Azure Control plane vs Data plane segregation? You heard of plane segregation but couldn't quite make sense of it? Wondered why you can upload files to storage accounts, even without data access? Let's take a look. In all simplicity we have actions , and data actions . Actions are resource creation and configuration. Data actions are reading/writing and deleting data. (There is a common(?) misconception that ‘Owner’ can do everything, that is not the case) https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/control-plane-and-data-plane Sounds simple enough, right? Let's have a quick look at some of the underlying roles which make this possible. For this example we will use an Azure storage account. But first, let's look at some roles ( https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles ). Owner is defined here: As you can see, we have all actions , and no data actio