ACL policy is Forbidden

Namreddy, Sirisha 0 Reputation points
2026-06-19T18:57:53.7566667+00:00

We have a container and have the "Storage Blob Data Owner" RBAC role, but are still unable to see the ACL list; it says Forbidden.


Azure Data Lake Storage


2 answers

  1. Sina Salam 30,566 Reputation points Volunteer Moderator
    2026-06-20T15:34:29.4366667+00:00

    Hello Namreddy, Sirisha,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are receiving Forbidden when trying to view the ACL list.

    The issue is not normally caused by the ACL entries themselves, because Storage Blob Data Owner grants full Blob data access and permits the principal to set ownership and modify ACLs for all items. If ACL viewing still returns Forbidden, the checkpoints to validate are the storage account type, role scope, signed-in identity, portal management permissions, RBAC propagation, PIM activation, deny assignments, and storage networking restrictions. https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control-model and https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-acl-azure-portal give more insight.

    The best-practice resolution is to:

    • Confirm that Hierarchical namespace is enabled on the storage account, because ACL management applies to ADLS Gen2-enabled storage accounts.
    • Confirm that Storage Blob Data Owner is assigned to the exact Microsoft Entra user, group, service principal, or managed identity accessing the container.
    • Ensure the role is scoped to the target container, storage account, resource group, or subscription.
    • If using Azure Portal, also assign at least Reader permission for Azure Resource Manager access.
    • Wait for RBAC propagation if the role was newly assigned.
    • Verify there is no inactive PIM assignment, deny assignment, firewall restriction, private endpoint routing issue, or identity mismatch.
    • Validate the ACL operation outside the Portal using Azure CLI with Microsoft Entra authentication.

    After these checks are corrected, you should be able to open Manage ACL in the Azure Portal or retrieve ACLs using Azure CLI without receiving Forbidden. Use the below resource links for more reading and steps:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


  2. Venkatesan S 9,575 Reputation points Microsoft External Staff Moderator
    2026-06-19T19:20:00.0366667+00:00

    Hi @Namreddy, Sirisha,

    Thank you for reaching out in Microsoft Q&A forum.

    Based on the information provided, we understand that the user has been assigned the Storage Blob Data Owner role but is receiving a "Forbidden" error when attempting to view or manage ACLs on the container.

    This behavior can occur due to several reasons, including:

    • The role assignment has not yet fully propagated.
    • The role is assigned at a scope that does not cover the target container or storage account.
    • The storage account has networking restrictions (such as firewalls or private endpoints) that prevent access.
    • The user is accessing through an inactive PIM assignment.
    • There is a deny assignment or other authorization restriction in place.
    • The storage account configuration or authentication method is preventing ACL operations.

    To help us further investigate, could you please provide the following details:

    1. Confirmation that the storage account has Hierarchical Namespace (HNS) enabled.
    2. The scope at which the Storage Blob Data Owner role is assigned (Storage Account, Resource Group, or Subscription).
    3. Whether the issue affects only one user or multiple users.

    Once we have this information, we can perform a deeper analysis and determine the exact cause of the authorization failure.

    For additional information regarding Azure Data Lake Storage access control and RBAC permissions, please refer to the following Microsoft documentation:

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to “up-vote” wherever the information provided helps you, as this can be beneficial to other community members.

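Both answers above walk the same checklist (HNS enabled, Data Owner scope covering the container, an ARM-plane Reader role for the portal, network restrictions). The following is an added example, not code from either answer or from Microsoft: it encodes that checklist as an offline triage over the JSON that `az storage account show -n <acct> -g <rg>` and `az role assignment list --assignee <principal> --all` return, so a practitioner can paste real output in place of the constructed sample. Subscription ID, resource group, account and container names are assumptions; the ARM_READ_ROLES set is a heuristic covering the built-in roles only.

```python
"""Offline triage for a 'Forbidden' on ADLS Gen2 ACL reads (added example, not Microsoft code).
Inputs mirror the JSON returned by `az storage account show -n <acct> -g <rg>` and
`az role assignment list --assignee <principal> --all`; all sample values are constructed."""
from typing import Dict, List

DATA_OWNER = "Storage Blob Data Owner"
ARM_READ_ROLES = {"Reader", "Contributor", "Owner"}  # lets the portal browse the account (ARM plane)

def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """RBAC inherits downward: the assignment covers the target when the target resource ID
    equals the scope or sits beneath it; segment-aware so '/rg1' does not match '/rg10'."""
    a, t = assignment_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def triage(account: Dict, assignments: List[Dict], container_scope: str) -> List[str]:
    """Return failing checklist items; empty means config and RBAC look right, so check
    propagation delay, PIM activation or deny assignments instead."""
    findings = []
    if not account.get("isHnsEnabled"):
        findings.append("hierarchical namespace disabled: ACLs exist only on ADLS Gen2 accounts")
    if account.get("networkRuleSet", {}).get("defaultAction", "Allow").lower() == "deny":
        findings.append("network default action is Deny: caller must come via an allowed IP/VNet/private endpoint")
    account_scope = container_scope.split("/blobServices/")[0]
    owner = [a for a in assignments if a.get("roleDefinitionName") == DATA_OWNER]
    if not owner:
        findings.append("no Storage Blob Data Owner assignment for this principal")
    elif not any(scope_covers(a["scope"], container_scope) for a in owner):
        findings.append("Storage Blob Data Owner is assigned at a scope that does not cover this container")
    if not any(a.get("roleDefinitionName") in ARM_READ_ROLES and scope_covers(a["scope"], account_scope)
               for a in assignments):
        findings.append("no Reader-level ARM role on the account: the portal cannot open Manage ACL")
    return findings

# Constructed sample: HNS-enabled account with public network access allowed.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
CONTAINER_SCOPE = (SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage"
                   "/storageAccounts/stdatalake01/blobServices/default/containers/raw")
SAMPLE_ACCOUNT = {"isHnsEnabled": True, "networkRuleSet": {"defaultAction": "Allow"}}
# Data Owner granted on a different account in the same resource group: a scope mismatch.
ASSIGNMENTS_WRONG_SCOPE = [
    {"roleDefinitionName": "Reader", "scope": SUB},
    {"roleDefinitionName": DATA_OWNER,
     "scope": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stother02"}]
ASSIGNMENTS_OK = [{"roleDefinitionName": "Reader", "scope": SUB},
                  {"roleDefinitionName": DATA_OWNER, "scope": SUB + "/resourceGroups/rg-data"}]

if __name__ == "__main__":
    for label, asg in (("wrong scope", ASSIGNMENTS_WRONG_SCOPE), ("ok", ASSIGNMENTS_OK)):
        print(label, "->", triage(SAMPLE_ACCOUNT, asg, CONTAINER_SCOPE) or ["no config/RBAC finding"])
```

If `triage` returns nothing yet the CLI still gets Forbidden with `az storage fs access show -f <container> -p / --account-name <acct> --auth-mode login`, the remaining causes are the ones the script cannot see offline: propagation delay, an unactivated PIM assignment, or a deny assignment.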