Azure Blob Inventory: Storage Inventory Access Model
Storage Inventory automation is currently reader-only. Spotto does not create or update Blob Inventory policies/rules/containers in this phase.
Current Behavior (Reader-Only)
For each selected Storage Account resource, Spotto:
- Runs Test Connection checks in the inventory analysis modal.
- Validates that inventory reports are discoverable and that their schema is usable.
- Syncs generated reports for analysis when automation is enabled.
Current Prerequisites
- The Spotto service principal has the Storage Blob Data Reader role on the target storage account (a data-plane role; it grants no control-plane write access).
- The storage account's Public network access setting is Enabled.
- An existing Blob Inventory policy/rule is already configured in Azure and is producing reports.
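The three prerequisites above, and the Test Connection checks described earlier, can be verified from the command line before opening the analysis modal. The script below is an added example written for this page; it is not Spotto's own tooling. It assumes the Azure CLI is installed and logged in with rights to read the storage account, its role assignments and its inventory policy. The service principal object id, resource group and account name are placeholders, and the `-manifest.json` suffix used for report discovery reflects Blob Inventory's manifest naming as I understand it; confirm it against your own destination container.

```shell
#!/usr/bin/env sh
# Preflight for the reader-only prerequisites (added example, not Spotto code).
# Placeholders: override via environment before running with RUN_PREFLIGHT=1.
SP_OBJECT_ID="${SP_OBJECT_ID:-00000000-0000-0000-0000-000000000000}"  # Spotto SP object id (placeholder)
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"                          # placeholder
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stexample}"                         # placeholder

# The evaluators below take raw CLI output as their argument, so they can be
# exercised without Azure. Each returns 0 when the prerequisite is satisfied.

# 1. Storage Blob Data Reader must be among the roles assigned at (or inherited by)
#    the storage account scope. Input: newline-separated role definition names.
has_blob_data_reader() {
    printf '%s\n' "$1" | grep -qx 'Storage Blob Data Reader'
}

# 2. publicNetworkAccess must be exactly "Enabled" (not Disabled, not unset).
public_network_enabled() {
    [ "$1" = "Enabled" ]
}

# 3. At least one inventory rule must be enabled. Input: names of enabled rules.
has_enabled_inventory_rule() {
    [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# 4. Report discovery: count manifest blobs in the destination container.
#    Input: newline-separated blob names. Prints the count (0 if none).
count_manifests() {
    printf '%s\n' "$1" | grep -c -- '-manifest\.json$' || true
}

run_preflight() {
    scope=$(az storage account show -n "$STORAGE_ACCOUNT" -g "$RESOURCE_GROUP" \
        --query id -o tsv)

    roles=$(az role assignment list --assignee "$SP_OBJECT_ID" --scope "$scope" \
        --include-inherited --query "[].roleDefinitionName" -o tsv)
    has_blob_data_reader "$roles" && echo "OK   Storage Blob Data Reader assigned" \
        || echo "FAIL Storage Blob Data Reader missing (allow a few minutes for RBAC propagation)"

    pna=$(az storage account show -n "$STORAGE_ACCOUNT" -g "$RESOURCE_GROUP" \
        --query publicNetworkAccess -o tsv)
    public_network_enabled "$pna" && echo "OK   Public network access: $pna" \
        || echo "FAIL Public network access is '$pna', expected Enabled"

    rules=$(az storage account blob-inventory-policy show --account-name "$STORAGE_ACCOUNT" \
        -g "$RESOURCE_GROUP" --query "policy.rules[?enabled].name" -o tsv)
    has_enabled_inventory_rule "$rules" && echo "OK   Enabled inventory rule(s): $rules" \
        || echo "FAIL No enabled Blob Inventory rule on the account"

    # Reports land in each rule's destination container; list it with the data-plane
    # role (--auth-mode login) so this doubles as a check that the role actually works.
    for dest in $(az storage account blob-inventory-policy show --account-name "$STORAGE_ACCOUNT" \
            -g "$RESOURCE_GROUP" --query "policy.rules[?enabled].destination" -o tsv | sort -u); do
        blobs=$(az storage blob list --account-name "$STORAGE_ACCOUNT" --container-name "$dest" \
            --auth-mode login --query "[].name" -o tsv)
        n=$(count_manifests "$blobs")
        [ "$n" -gt 0 ] && echo "OK   $n manifest(s) found in container '$dest'" \
            || echo "FAIL No inventory manifests in '$dest' yet; the rule may not have run"
    done
}

# Only touch Azure when explicitly asked, so the evaluators can be sourced and tested.
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
    run_preflight
fi
```

Run it with `RUN_PREFLIGHT=1 SP_OBJECT_ID=... RESOURCE_GROUP=... STORAGE_ACCOUNT=... sh preflight.sh`. A FAIL on the role check immediately after assigning it is usually propagation delay rather than a misconfiguration, which is the same effect that makes a fresh Test Connection fail; the blob listing at the end is the closest command-line equivalent of what a reader-only integration needs to succeed.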
Setup details and validation flow are documented here:
Write Permissions in This Phase
No additional write permission is required for Storage Inventory automated analysis in this phase; the reader role above is sufficient.
Future Scope (Not Enabled in This Phase)
Write-based provisioning (for example, creating/updating Blob Inventory policy/rule from Spotto) is future scope. If that capability is introduced, it is expected to require permissions such as:
- Microsoft.Storage/storageAccounts/inventoryPolicies/read
- Microsoft.Storage/storageAccounts/inventoryPolicies/write
Troubleshooting
- If Test Connection fails, use the guidance in:
  - Azure Storage Inventory troubleshooting
  - Write permissions troubleshooting, for generic RBAC/credential propagation issues
Next Steps
For further assistance, please Contact Us.