Setting up MyWorkDrive with Azure dependencies requires an administrator to have specific roles assigned in both Entra ID (Azure AD) and Azure RBAC (Role-Based Access Control). Without these roles in place, certain steps during setup — such as creating App Registrations, connecting Azure Storage, or configuring SharePoint sites — will fail or require escalation to another administrator.
This article outlines the roles needed, what each one enables, and why it is required for MyWorkDrive.
Entra ID Assigned Roles
Entra ID roles control what an administrator can do within Azure Active Directory — including managing applications, users, and directory-level permissions. The following roles are required to complete MyWorkDrive's Azure configuration.
SharePoint Administrator
Why it's needed: MyWorkDrive supports SharePoint sites as file storage and uses SharePoint as temporary storage for Office Online Editing. The SharePoint Administrator role is required to create and manage these sites within your Microsoft 365 tenant.
Used for:
- Creating and managing SharePoint sites used as file storage shares in MyWorkDrive
- Configuring SharePoint service sites used for Office Online Editing with Office 365
- Managing site permissions to ensure MyWorkDrive's App Registration can access the required sites
Without this role, SharePoint sites cannot be created or configured for use with MyWorkDrive, and Office Online Editing through SharePoint will not be functional.
Application Administrator
Why it's needed: MyWorkDrive connects to Microsoft Graph, Azure Storage, and SharePoint/OneDrive through an Entra ID App Registration. The Application Administrator role allows an administrator to create and manage these App Registrations and Enterprise Applications within the tenant.
Used for:
- Creating the MyWorkDrive App Registration in your Azure tenant (Option 2 or Option 3 in the Setup Azure AD/Entra ID for MyWorkDrive guide)
- Managing API permissions on the App Registration for Microsoft Graph, Azure Storage, and SharePoint
- Managing Enterprise Applications associated with MyWorkDrive's Azure integration
- Generating and rotating Client Secrets used by the MyWorkDrive server to authenticate with Azure
Without this role, the administrator cannot create or modify App Registrations, which are required for Entra ID authentication, Azure Storage access, and Office Online Editing.
Privileged Role Administrator
Why it's needed: When an App Registration requests API permissions in Azure — such as Graph API permissions to read users and groups, or access to Azure Storage — an administrator must explicitly grant admin consent for those permissions. Granting admin consent requires the Privileged Role Administrator role (or Global Administrator).
Used for:
- Granting admin consent to API permissions on the MyWorkDrive App Registration
- Approving delegated and application-level permissions required for Microsoft Graph, Azure Storage, and SharePoint access
Without this role, API permissions added to the App Registration will remain in a pending state and MyWorkDrive will be unable to access the required Azure resources. This is a common cause of consent errors during the setup wizard — see Consent Issues in Entra ID App Setup Wizard for more details.
Azure Role Assignments (RBAC)
Azure RBAC roles control what an administrator can do with Azure resources — such as virtual machines, networking, and storage accounts. These are assigned at the subscription or resource group level in the Azure Portal, and are separate from the Entra ID roles above.
Virtual Machine Contributor
Why it's needed: MyWorkDrive is installed on a Windows Server virtual machine. If that VM is hosted in Azure, the administrator configuring the environment needs the ability to create and manage the VM.
Used for:
- Creating the Azure VM on which MyWorkDrive Server is installed
- Managing VM size, configuration, and availability
- Starting, stopping, and redeploying the VM as needed for maintenance
Without this role, the administrator cannot provision or manage the Azure VM that hosts the MyWorkDrive server. This role is only required if the MyWorkDrive server is hosted in Azure.
Network Contributor
Why it's needed: An Azure-hosted MyWorkDrive server requires proper network configuration — including virtual networks, subnets, network security groups, and public IP addresses — to communicate with storage resources and be accessible to end users.
Used for:
- Creating and managing Virtual Networks (VNets) and subnets for the MyWorkDrive server VM
- Configuring Network Security Groups (NSGs) to allow the required inbound and outbound ports
- Managing public IP addresses if the MyWorkDrive server is published directly in Azure
Without this role, the administrator cannot configure the network infrastructure required for the MyWorkDrive server to communicate with Azure Storage or be accessible to users. This role is only required if the MyWorkDrive server is hosted in Azure.
Storage Account Contributor
Why it's needed: MyWorkDrive supports Azure File Shares and Azure Blob Storage as native storage options. The Storage Account Contributor role allows an administrator to create and manage the Azure Storage Accounts that contain these resources.
Used for:
- Creating Azure Storage Accounts to host Azure File Shares or Azure Blob containers
- Managing storage account settings, access tiers, and connection strings
- Configuring storage accounts for use with MyWorkDrive via Connection String or Entra ID authentication
Without this role, Azure File Share and Azure Blob Storage cannot be provisioned or managed for use as MyWorkDrive storage. See Azure File Storage Options for details on connecting Azure Storage to MyWorkDrive.
User Access Administrator
Why it's needed: When using Entra ID authentication (rather than a Connection String) to connect MyWorkDrive to Azure Storage, the MyWorkDrive App Registration must be assigned specific RBAC roles on the storage account — such as Storage File Data SMB Share Contributor or Storage Blob Data Contributor. Assigning roles to other identities requires the User Access Administrator role.
Used for:
- Assigning storage-level RBAC roles to the MyWorkDrive App Registration
- Enabling Entra ID-based access to Azure File Shares and Azure Blob Storage
- Managing role assignments on storage accounts as permissions or access requirements change
Without this role, the administrator cannot assign the necessary storage roles to the MyWorkDrive App Registration, and Entra ID-authenticated access to Azure Storage will not function.
Recommendation: Use Least Privileged Access with Constrained Role Assignment
The User Access Administrator role is broad by default — it grants the ability to assign any Azure role to any identity across the scope it is assigned at. For most organizations, this is more access than is necessary for the MyWorkDrive setup task, and it carries meaningful security risk if the account is compromised or misused.
We recommend constraining this role using Azure's Conditions feature, which allows you to limit the User Access Administrator to assigning only specific roles (such as Storage Blob Data Contributor or Storage File Data SMB Share Contributor) and only on specific resource types (such as storage accounts). This follows the principle of least privilege — the administrator can still complete the MyWorkDrive setup tasks, but cannot use this role to make broader or unintended role assignments elsewhere in the subscription.
How to apply constrained role assignment conditions in the Azure Portal:
- In the Azure Portal, navigate to the Subscription or Resource Group where the storage accounts reside.
- Go to Access Control (IAM) > Add > Add role assignment.
- Select the User Access Administrator role and click Next.
- Assign the role to the administrator's account and click Next to reach the Conditions tab.
- Under What user can do, select Allow user to only assign selected roles to selected principals.
- Click Add condition and configure the following constraints:
  - Roles allowed to assign: limit to only the specific storage roles needed, such as Storage Blob Data Contributor, Storage File Data SMB Share Contributor, and/or Storage File Data SMB Share Reader.
  - Resource type: constrain to Microsoft.Storage/storageAccounts so the role assignment ability is limited to storage resources only.
- Save the condition and complete the role assignment.
With these conditions in place, the administrator can assign the required storage roles to the MyWorkDrive App Registration, but cannot assign broader roles or make changes outside of storage resources.
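The portal steps above can also be expressed directly as a role assignment condition. The following is an added example, not MyWorkDrive's or Microsoft's code, that renders the version 2.0 condition expression for a chosen set of storage roles and models locally which assignments it would permit, so the constraint can be checked before it is applied. It assumes the condition is attached to a User Access Administrator assignment scoped to the resource group or storage account that holds the shares (that scope, not the condition, is what limits it to storage resources here), and the role GUIDs are Azure built-in role definition IDs that should be confirmed in your own tenant.

```python
"""Render a constrained User Access Administrator condition for the storage
roles MyWorkDrive needs, then model what it permits before applying it.
Added example (not MyWorkDrive's code). Role GUIDs are Azure built-in role
definition IDs; confirm them with: az role definition list --name "<role>"
"""

# Built-in role definition IDs for the storage roles named in this article.
STORAGE_ROLES = {
    "Storage Blob Data Contributor": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
    "Storage File Data SMB Share Contributor": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
}
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # only used to show a denial


def build_condition(role_ids, principal_types=("ServicePrincipal",)):
    """Return a version 2.0 condition that lets the assignee create (write) or
    remove (delete) role assignments only for role_ids and principal_types.
    Creates are judged on the incoming @Request, deletes on the existing
    @Resource; every other action the role grants is left untouched."""
    guids = ", ".join(role_ids)
    types = ", ".join(f"'{t}'" for t in principal_types)

    def clause(action, source):
        return (
            f"(!(ActionMatches{{'Microsoft.Authorization/roleAssignments/{action}'}})"
            f" OR ({source}[Microsoft.Authorization/roleAssignments:RoleDefinitionId]"
            f" ForAnyOfAnyValues:GuidEquals {{{guids}}}"
            f" AND {source}[Microsoft.Authorization/roleAssignments:PrincipalType]"
            f" ForAnyOfAnyValues:StringEqualsIgnoreCase {{{types}}}))"
        )

    return clause("write", "@Request") + " AND " + clause("delete", "@Resource")


def assignment_permitted(role_id, principal_type, role_ids, principal_types=("ServicePrincipal",)):
    """Local model of the write clause: True only when both the role and the
    principal type are on the allow lists (case-insensitive, like
    StringEqualsIgnoreCase)."""
    allowed_types = {t.lower() for t in principal_types}
    return role_id in set(role_ids) and principal_type.lower() in allowed_types


if __name__ == "__main__":
    allowed = list(STORAGE_ROLES.values())
    print(build_condition(allowed))
    # The App Registration's service principal may receive a storage role,
    # but Owner, or any human user, falls outside the constraint.
    print(assignment_permitted(allowed[0], "ServicePrincipal", allowed))  # True
    print(assignment_permitted(OWNER_ROLE_ID, "ServicePrincipal", allowed))  # False
    print(assignment_permitted(allowed[0], "User", allowed))  # False
```

The rendered string can be pasted into the code editor on the Conditions tab or passed to `az role assignment create --condition '<expression>' --condition-version 2.0`.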
For environments with strict security or compliance requirements, applying constrained conditions on User Access Administrator is strongly recommended. It limits the blast radius of a compromised account and satisfies least-privilege requirements in audits and compliance frameworks such as CMMC, HIPAA, and ISO 27001.
Summary Table
| Role | Type | Required For |
|---|---|---|
| SharePoint Administrator | Entra ID Assigned Role | SharePoint storage shares, Office Online Editing |
| Application Administrator | Entra ID Assigned Role | App Registrations, Graph API, Azure Storage, Office Online Editing |
| Privileged Role Administrator | Entra ID Assigned Role | Granting admin consent to App Registration API permissions |
| Virtual Machine Contributor | Azure RBAC Role Assignment | Creating/managing the MyWorkDrive server VM in Azure |
| Network Contributor | Azure RBAC Role Assignment | Configuring networking for the MyWorkDrive server in Azure |
| Storage Account Contributor | Azure RBAC Role Assignment | Creating/managing Azure File Shares and Azure Blob Storage |
| User Access Administrator | Azure RBAC Role Assignment | Assigning storage roles to the MyWorkDrive App Registration |