Configure Azure AD authentication for an Azure Storage account 'storage1' to allow 'Group1' members to upload files via the Azure portal, adhering to the principle of least privilege. Identify the two necessary roles.