Scenario : The end-user should not be able to delete the data but can execute other data operations like create/update etc. in the storage account.   Pre-Requisites :   The admin must have adequate access under the tenant i.e. privileges to create a custom AD Role. Refer to this article The user must be admin/contributor to the said storage account so that he can grant the access. Step 1: Creation of a custom Azure Active Directory Role :   The JSON file of the Azure AD Role is as follows :   Using PowerShell to create a Role Definition   Step 2: Retrieving the created Role :   Step 3: Assignment of the Role : Log in to the Azure Portal -> The Storage Account -> Access Control (IAM) Provide the required type of security principal. Search for the user to whom the access should be assigned.   Now when the said user, tries to execute a delete operation, he will observe an error   Hope this helps.