Configure your Azure Data Lake Storage Gen2

Question

Configure your Azure Data Lake Storage Gen2

Alejandro Axel Ruiz Ramos 0

Hi a have a Storage account, i need conect mi search whit sotrage mi storage its private, but when i Configure your Azure Data Lake Storage Gen2,

i have a error
Request is denied as the source is not allowed by applicable rules. The service is set 'publicNetworkAccess: Disabled'. Please review all service's network security settings to ensure the client is allowed.

I have a shared pivate acces azure search whit storage

what i do ?

Vallepu Venkateswarlu 8,170 Reputation points Microsoft External Staff Moderator

2026-04-20T18:39:53.4733333+00:00
Hi @ Alejandro Axel Ruiz Ramos,

Welcome to Microsoft Q&A Platform.

It looks like your storage account’s network settings are blocking the search indexer. By disabling publicNetworkAccess on your ADLS Gen2 account without explicitly allowing your Azure Cognitive Search service, all requests get denied.

Allow the search service through the storage firewall

Go to your Storage account → Networking → Firewalls and virtual networks Under “Firewalls,” select “Selected networks” (you already have it) and add your search service’s outbound IP addresses range.

Under “Exceptions,” check “Allow Azure services on the trusted services list to access this storage account.” This lets Azure Cognitive Search (a Microsoft-trusted service) connect without opening the whole internet.

Use a Private Endpoint / Private Link

Create a Private Endpoint for your storage account on the same VNet/subnet as your search service (or peered VNet).

Approve the endpoint connection in the storage account’s Private endpoint connections blade.
Verify your authentication method

If you’re using a managed identity, make sure:

Your search service’s system- or user-assigned identity has the Storage Blob Data Reader role on the storage account.

Under Networking → Firewalls, “Allow trusted Microsoft services” is enabled (or you’ve whitelisted the identity’s IP). – If you’re using a connection string (shared key or SAS), remember.

For firewall-protected accounts, connection-string authentication only works if your COSMOS/SEARCH service is in a different region OR you use a SAS + “Allow trusted Microsoft services.”

If the above steps did not help resolve your issue, please feel free to share the details in a private message so we can proceed with further troubleshooting over a Teams call. I am happy to connect with you on Teams to investigate and resolve the issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Praveen Bandaru 11,545 Reputation points Microsoft External Staff Moderator

2026-04-23T20:27:56.6366667+00:00
Hello Alejandro Axel Ruiz Ramos

It seems that your storage account has publicNetworkAccess disabled, which is why your Azure Cognitive Search cannot connect when indexing data in your ADLS Gen2. Here are a couple of ways to resolve it.

In this setup, Azure AI Search can access the storage account only through a properly configured Shared Private Link.

Since your storage account is enabled for Azure Data Lake Storage Gen2, it is important to ensure that private connectivity is established for both the Blob and DFS endpoints, as both are required for successful operations. If either endpoint is missing or not approved, the connection will fail with the observed error.

We recommend verifying that a Shared Private Link is created from the Azure AI Search service to the storage account (using the correct subresource such as blob) and that its status is approved. Additionally, please confirm that private endpoints exist on the storage account for both Blob and DFS and that DNS resolution is correctly configured.

Finally, ensure that the Azure AI Search service has the required permissions on the storage account, such as Storage Blob Data Reader, to allow access during indexing.

Allow your Search service via firewall

In the portal, go to your Storage account → Networking → Firewalls and virtual networks

Under “Firewalls” select “Selected networks” and add the range of public IPs of your Azure Cognitive Search (or use the service tag AzureSearch if available).

Under “Exceptions” check “Allow Azure services on the trusted services list to access this storage account.” This authorizes Azure Cognitive Search without opening up to the entire Internet.

Use a Private Endpoint

Create a Private Endpoint for your Storage account in the same VNet/subnet (or in a peered VNet) where your Search service is.

In the Storage account, approve the connection in the “Private endpoint connections” section.

Make sure that your Search service has network access to that subnet.

Check permissions and authentication method

If you use Managed Identity: assign the Storage Blob Data Reader role to your search service on your Storage account.

If you use a connection string (SAS or Shared Key): make sure that the token/key has read permissions and that the Storage firewall allows your Search service IP or has "Allow trusted Microsoft services" enabled.

Check the below reference documents for more understanding:

Configure IP firewall rules to allow indexer connections from Azure AI Search

Make indexer connections to Azure Storage as a trusted service

https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

https://learn.microsoft.com/en-us/azure/search/search-indexer-howto-access-private?tabs=portal-create

I hope the above answer helps you! Please let us know if you have any further questions.

Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.
Praveen Bandaru 11,545 Reputation points Microsoft External Staff Moderator

2026-04-25T02:43:07.0833333+00:00

Hello Alejandro Axel Ruiz Ramos

I just wanted to follow up and see if you had a chance to review my answer to your question. Please let us know if you found it useful, and don't hesitate to contact us if you have any further questions.

I hope the above answer helps you! Please let us know if you have any further questions.

Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.

1 answer

Your answer

Praveen Bandaru 11,545 Reputation points Microsoft External Staff Moderator

2026-04-25T02:43:07.0833333+00:00

Hello Alejandro Axel Ruiz Ramos

I just wanted to follow up and see if you had a chance to review my answer to your question. Please let us know if you found it useful, and don't hesitate to contact us if you have any further questions.

I hope the above answer helps you! Please let us know if you have any further questions.

Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.

Answer 1

The error occurs because the storage account has publicNetworkAccess: Disabled, and Azure AI Search cannot reach it under the current network/security configuration.

To connect Azure AI Search to a private Azure Data Lake Storage Gen2 account, do the following checks and fixes:

Use trusted service + managed identity (same-region, firewall-based access)
- In the storage account:
  1. Go to Security + networking > Networking.
  2. On Public access > Manage, set Public network access scope to Enable from selected networks (not fully disabled).
  3. Under Exceptions, enable Allow trusted Microsoft services to access this resource.
- Still in the storage account, under Access control (IAM):
  1. Assign Storage Blob Data Reader to the Azure AI Search service’s managed identity (system-assigned) at minimum.
  2. If write is needed (enrichment cache, knowledge store, etc.), also assign Storage Blob Data Contributor.
- In Azure AI Search:
  1. Configure the data source/indexer to use managed identity authentication to the ADLS Gen2 account.
- Then test the connection using the Import data wizard, selecting ADLS Gen2 and Authenticate using managed identity. If it advances without error, the connection works.
If the storage account must keep publicNetworkAccess: Disabled
- When public network access is fully disabled, access is only possible via private endpoints.
- Ensure:
  1. A private endpoint exists for the storage account (blob/dfs) in the same virtual network where the Azure AI Search S2 resource can reach it.
  2. For S2 search with skillsets, configure a shared private link from Azure AI Search to the storage account as documented for indexers with private endpoints.
- If using Azure OpenAI “On Your Data” or similar architecture, also:
  1. Enable the storage account as a trusted service for Azure AI Search and Azure OpenAI based on managed identity.
  2. Use private endpoints from client machines if they also need access.
Check firewall rules if using Enable from selected networks
- If you switch from Disabled to Enable from selected networks:
  1. Make sure any required virtual networks or resource instance rules are configured so that Azure AI Search is allowed.
  2. Do not rely on IP rules alone if the connection is via managed identity and trusted service.

In summary, either:

Allow selected networks + trusted Microsoft services and use managed identity from Azure AI Search, or
Keep public access disabled but ensure private endpoints/shared private link are correctly configured so the search service can reach the storage account.

References:

Share via

Configure your Azure Data Lake Storage Gen2

1 answer

Your answer