An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
Hello Namreddy, Sirisha,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you are receiving Forbidden when trying to view the ACL list.
The issue is not normally caused by the ACL entries themselves, because Storage Blob Data Owner grants full Blob data access and permits the principal to set ownership and modify ACLs for all items. If ACL viewing still returns Forbidden, the checkpoints, or path, are to validate the storage account type, role scope, signed-in identity, portal management permissions, RBAC propagation, PIM activation, deny assignments, and storage networking restrictions. https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control-model and https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-acl-azure-portal give more insights.
The best-practice resolution is to:
- Confirm that Hierarchical namespace is enabled on the storage account, because ACL management applies to ADLS Gen2-enabled storage accounts.
- Confirm that Storage Blob Data Owner is assigned to the exact Microsoft Entra user, group, service principal, or managed identity accessing the container.
- Ensure the role is scoped to the target container, storage account, resource group, or subscription.
- If using Azure Portal, also assign at least Reader permission for Azure Resource Manager access.
- Wait for RBAC propagation if the role was newly assigned.
- Verify there is no inactive PIM assignment, deny assignment, firewall restriction, private endpoint routing issue, or identity mismatch.
- Validate the ACL operation outside the Portal using Azure CLI with Microsoft Entra authentication.
After these checks are corrected, you should be able to open Manage ACL in the Azure Portal or retrieve ACLs using Azure CLI without receiving Forbidden. Use the below resource links for more reading and steps:
- https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-access-control-model
- https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-access-control
- https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-acl-azure-portal
- https://learn.microsoft.com/azure/storage/blobs/data-lake-storage-acl-cli
- https://learn.microsoft.com/azure/storage/blobs/assign-azure-role-data-access
I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.
Please don't forget to close the thread here by upvoting and accepting it as an answer if it is helpful, and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
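The checklist in the answer above, run outside the Portal, as an added example that is not part of the original answer: a read-only Azure CLI script that checks hierarchical namespace, the effective Storage Blob Data Owner assignment, the firewall default action, and finally the ACL read with Microsoft Entra authentication. The function names are illustrative, and the account name, container name and object ID are values the caller supplies.

```bash
#!/bin/sh
# Added example (not from the original answer). Read-only Azure CLI checks for
# a Forbidden on ADLS Gen2 ACL viewing. Account, container and object ID are
# values you supply; run `az login` as the affected identity first.

# Read one property of the storage account from ARM, lower-cased for comparison.
acct_prop() {  # $1=account  $2=JMESPath query
  az storage account show --name "$1" --query "$2" -o tsv | tr '[:upper:]' '[:lower:]'
}

# Count active Storage Blob Data Owner assignments effective on the container:
# assigned at the container itself, inherited from a parent scope, or via a group.
owner_count() {  # $1=account  $2=container  $3=assignee object ID
  acct_id=$(az storage account show --name "$1" --query id -o tsv) || return 1
  az role assignment list --assignee "$3" \
    --scope "$acct_id/blobServices/default/containers/$2" \
    --include-inherited --include-groups \
    --query "length([?roleDefinitionName=='Storage Blob Data Owner'])" -o tsv
}

# Walk the checklist in order. Return: 0 ok, 1 no HNS, 2 no role, 3 data plane.
diagnose() {  # $1=account  $2=container  $3=assignee object ID
  if [ "$(acct_prop "$1" isHnsEnabled)" != "true" ]; then
    echo "FAIL: hierarchical namespace is not enabled on $1"; return 1
  fi
  case "$(owner_count "$1" "$2" "$3")" in
    ''|0) echo "FAIL: no active Storage Blob Data Owner for $3 on $2"
          echo "      check identity, scope, PIM activation, propagation"; return 2 ;;
  esac
  if [ "$(acct_prop "$1" networkRuleSet.defaultAction)" = "deny" ]; then
    echo "WARN: firewall default action is Deny; confirm this client is allowed"
  fi
  # Data-plane read of the container root ACL with the Entra token, no account key.
  if ! az storage fs access show --account-name "$1" --file-system "$2" \
       --path / --auth-mode login; then
    echo "FAIL: RBAC looks correct but the ACL read is still refused"
    echo "      check deny assignments, firewall and private endpoint routing"
    return 3
  fi
  echo "OK: ACL is readable outside the Portal"
}

# Usage: sh check-acl.sh <account> <container> <object-id>
if [ "$#" -eq 3 ]; then diagnose "$@"; fi
```

A return code of 3 with a passing role check points away from RBAC and ACLs and toward the network path or a deny assignment, which is the split the answer's checklist draws.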