Requesting Managed Service Identity to have RBAC at the directory level
In this case, there are two types of users that need different permissions. They want RBAC control at the directory level, not the container level, to be able to provide more granularity in permissions for different users.
Each of their directories has ACI RBAC control that is unique based on user and dir. However, the ASA only allows MSI to specify Container for RBAC. RBAC container needs higher permissions that they do not want each user to have for every dir.
I think for ADLS gen 2 it is technically possible to use ACL only for assigning permissions to a managed identity. However, the problem is that ASA uses the blob storage API to write to ADLS gen 2, which requires container permissions. If we used a different API that allowed writing to a specific folder without performing container operations, this scenario would probably work.
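To make the difference in the reply above concrete, here is a simplified model of how ADLS Gen2 decides whether an identity may create a file in a directory. It is an added example, not code from the original thread or from ASA. The identity names, directory names and ACL entries are constructed, and the model ignores the ACL mask, owning user/group, "other" entries and default ACLs.

```python
# Simplified ADLS Gen2 authorization model (constructed sample data).
# A data-plane RBAC role at container scope is evaluated first and applies to
# every directory; only if it is absent are POSIX-style ACLs checked per path.

# Constructed ACLs: directory -> {principal: "rwx"-style permissions}
ACLS = {
    "/":       {"msi-team-a": "--x", "msi-team-b": "--x"},  # traverse only
    "/team-a": {"msi-team-a": "rwx"},
    "/team-b": {"msi-team-b": "rwx"},
}

def ancestors(directory):
    """Return every directory above `directory`, starting at the root."""
    parts = [p for p in directory.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(len(parts))]

def has(principal, directory, needed, acls):
    """True if the principal's ACL entry on `directory` holds all needed flags."""
    perms = acls.get(directory, {}).get(principal, "---")
    return all(flag in perms for flag in needed)

def can_create_file(principal, directory, acls=ACLS, rbac_container_roles=()):
    """Creating a file needs --x on every ancestor and -wx on the directory,
    unless a container-scope RBAC data role already grants access."""
    if principal in rbac_container_roles:
        return True
    if not all(has(principal, d, "x", acls) for d in ancestors(directory)):
        return False
    return has(principal, directory, "wx", acls)

def writable_dirs(principal, acls=ACLS, rbac_container_roles=()):
    """List the directories the principal can write into (its blast radius)."""
    return sorted(d for d in acls
                  if can_create_file(principal, d, acls, rbac_container_roles))

if __name__ == "__main__":
    # ACL-only: each identity is confined to its own directory.
    print(writable_dirs("msi-team-a"))
    # Container-scope role (what a container-level grant implies): everything.
    print(writable_dirs("msi-team-a", rbac_container_roles={"msi-team-a"}))
```

With ACLs alone, each identity needs only execute on the root and write plus execute on its own directory; a container-scope role assignment bypasses the per-directory entries entirely.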
