
We’re exporting bacpacs from Azure SQL Databases to Storage Accounts via New-AzSqlDatabaseExport. Docs for that command: https://learn.microsoft.com/en-us/powershell/module/az.sql/new-azsqldatabaseexport

What’s the minimum role required for a SQL user to do this? We’re trying to maintain the least privileges rule.

Having a single SQL user that can export bacpacs for all databases in a server is acceptable.

2 Answers


  1. It should be db_backupoperator:

    Members of the db_backupoperator fixed database role can back up the
    database.

    Note that the db_backupoperator role is not applicable in Azure SQL Database (as opposed to Managed Instance) and Azure Synapse serverless pools, because the backup and restore T-SQL commands are not available there.

    The user needs to be a member of dbmanager:

    Can create and delete databases. A member of the dbmanager role that
    creates a database, becomes the owner of that database, which allows
    that user to connect to that database as the dbo user. The dbo user
    has all database permissions in the database. Members of the dbmanager
    role don’t necessarily have permission to access databases that they
    don’t own.

  2. What’s the minimum role required for a SQL user to do this? We’re
    trying to maintain the least privileges rule. Having a single SQL user
    that can export bacpacs for all databases in a server is acceptable.

    To perform any task in the Azure storage account, you're required to assign at least the Storage Blob Data Contributor or Storage Blob Data Owner role.

    If you're using SQL authentication with a local username and password, you can assign the user account with which you are logging into the Azure Portal and accessing the Azure SQL database the Storage Blob Data Contributor role and the SQL Server/DB Contributor role, to access the storage account and the Azure SQL server. But the same Azure user account cannot access the SQL Server, just perform management tasks. You can also use the same Azure user account to log into your Azure SQL database by adding it as an Azure AD SQL admin. This will maintain a single user that can access both your Azure SQL and storage account.

    I created one Azure AD user and assigned the following roles like below:-


    Storage Blob Data Contributor role:- Allows managing storage containers and data, accessing the storage keys and performing storage account level tasks. [Assigned at the resource group level where our SQL server and storage account exist.]

    SQL DB Contributor role:- Allows performing Azure SQL-related management tasks but does not allow access to the SQL DB itself. [Assigned at the resource group level where our SQL server and storage account exist.]

    Storage Account Contributor role:- Allows managing the storage account and its associated resources. [Assigned at the resource group level where our SQL server and storage account exist.]

    Note- I have added the Storage Account Contributor role at the subscription level just to allow the user to create a PowerShell storage account in Azure Cloud Shell to run the export command. If you have your storage account and Azure SQL server in the same resource group as your Cloud Shell storage account, you can assign this role at that resource group level like above.

    I tried the below command to export the Azure SQL DB with the siliconSQL user and it worked successfully like below:-

    PowerShell Script:-

    # Build the admin password as a SecureString (the placeholder password is quoted so
    # the "@" is not parsed as a splatting operator; the switches must use plain ASCII hyphens)
    $SecurePassword = ConvertTo-SecureString "xxxxxmelon@123" -AsPlainText -Force
    # Start the export; the storage key is the account access key (redacted placeholder here)
    New-AzSqlDatabaseExport -ResourceGroupName "siliconrg" -ServerName "azsqlservername" -DatabaseName "azsqlDBname" -StorageKeyType "StorageAccessKey" -StorageKey "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx<storage access key>dnzjSrjIC3k1IbT7ozsSw0WVGo+AStiPXEXA==" -StorageUri "https://siliconstrg123.blob.core.windows.net/bacpacs/database01.bacpac" -AdministratorLogin "siliconuser" -AdministratorLoginPassword $SecurePassword

    Output:-


    Alternatively, you can also add this user as Azure AD SQL admin to access the SQL server like below:-


    Reference:-

    Role required for bacpac import? · Issue #65893 · MicrosoftDocs/azure-docs · GitHub

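The answers above list the RBAC roles and show the export command with the storage account access key pasted in. The script below is an added example, not code from either answer: it scopes the two role assignments to one resource group, hands the export job a short-lived SAS limited to one container (`-StorageKeyType "SharedAccessKey"` is the documented alternative to `StorageAccessKey`), reads the admin password interactively instead of embedding it, and polls the asynchronous operation until it finishes. All resource names, the user principal and the placeholder values are assumptions; replace them with your own.

```powershell
# Added example: least-privilege setup for running New-AzSqlDatabaseExport.
# Every name below is a placeholder assumption, not a value from the original answers.
$rg             = "rg-placeholder"
$sqlServer      = "sqlserver-placeholder"
$dbName         = "db-placeholder"
$storageAccount = "storage-placeholder"
$container      = "bacpacs"
$exportUser     = "export.user@contoso.example"   # assumed Azure AD account that runs the export

# 1. Data-plane role, scoped to the resource group that holds the storage account
#    rather than the whole subscription, so the account cannot write blobs elsewhere.
New-AzRoleAssignment -SignInName $exportUser `
    -RoleDefinitionName "Storage Blob Data Contributor" `
    -ResourceGroupName $rg

# 2. Management-plane role needed to invoke the export operation on the SQL server
#    (grants no access to the data inside the database).
New-AzRoleAssignment -SignInName $exportUser `
    -RoleDefinitionName "SQL DB Contributor" `
    -ResourceGroupName $rg

# 3. Mint a container-scoped, two-hour SAS for the export job instead of passing the
#    account-wide access key. The context here is built from the account key
#    (assumed: the caller holds Storage Account Contributor, as in the answer above),
#    but only the narrow SAS ever leaves this session.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $storageAccount).Context
$sas = New-AzStorageContainerSASToken -Name $container -Permission "rw" `
    -ExpiryTime (Get-Date).AddHours(2) -Context $ctx

# 4. Prompt for the SQL admin password rather than hard-coding it in the script.
$adminPassword = Read-Host -Prompt "SQL server admin password" -AsSecureString

$export = New-AzSqlDatabaseExport -ResourceGroupName $rg -ServerName $sqlServer `
    -DatabaseName $dbName `
    -StorageKeyType "SharedAccessKey" -StorageKey $sas `
    -StorageUri "https://$storageAccount.blob.core.windows.net/$container/$dbName.bacpac" `
    -AdministratorLogin "sqladmin-placeholder" -AdministratorLoginPassword $adminPassword

# 5. The export runs asynchronously; poll the operation until it leaves InProgress.
#    (Assumed: the status object exposes a .Status string, as the Az.Sql cmdlet returns.)
do {
    Start-Sleep -Seconds 30
    $status = Get-AzSqlDatabaseImportExportStatus -OperationStatusLink $export.OperationStatusLink
    Write-Host "Export status: $($status.Status)"
} while ($status.Status -eq "InProgress")
```

The SAS expires on its own, so a leaked token is useful only for the window you chose and only for that container, whereas a leaked account key grants full access to every container until it is rotated. If the export fails with a storage authorization error, confirm the SAS permission string and the container name first; the `-StorageUri` must point inside the same container the SAS was issued for.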