Taniya Das (INFOSYS LIMITED) hi, thx for sharing ur issue here at Q&A portal,
Owner won’t help for reading ADLS data. Owner is management-plane. For files/blobs u still need data-plane RBAC like Storage Blob Data Contributor, plus the network path has to go thru the private endpoint. If public access is disabled and Synapse is outside the storage VNet path, u’ll get 403 even with roles. So this is usually either RBAC identity mismatch or private endpoint/DNS issue.
For Synapse, make sure the role is assigned to the exact identity doing the access: Synapse workspace managed identity for pipelines/linked services, or ur own Entra user if u browse from Studio. Sometimes ppl grant the MI but test with their own user, or the other way around. Classic Azure trap.
See if the storage private endpoints. For ADLS Gen2 u normally need private endpoint/DNS for dfs and often blob too:
privatelink.dfs.core.windows.net
privatelink.blob.core.windows.net
From Synapse side, the storage account name must resolve to the private IP, not public. If u use Synapse managed VNet, create a managed private endpoint from Synapse to the storage account and approve it on the storage side.
https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
Quick way to narrow it down is temporarily allow selected networks / trusted services and test again. If it starts working, RBAC is likely ok and the issue is private endpoint/DNS. If it still fails, look at RBAC/ACLs.
If hierarchical namespace is enabled, POSIX ACLs can still block access even when RBAC is right. Check folder/file ACLs on the container path too.
rgds,
Alex
&
If my answer was helpful pls mark it and additional thx if u follow me at Q&A portal
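The DNS check described in the answer above, as an added example that is not part of the original answer: it classifies what the dfs and blob hostnames of a storage account resolve to and says which side to look at next. The account name `examplestore` and the sample addresses are constructed, and the live lookup only means something when run from the network path Synapse actually uses.

```python
import ipaddress
import socket

SUBRESOURCES = ("dfs", "blob")  # the two endpoints the answer names for ADLS Gen2

def endpoint_hosts(account):
    """Public hostnames that must resolve to a private IP behind a private endpoint."""
    return [f"{account}.{sub}.core.windows.net" for sub in SUBRESOURCES]

def classify(addresses):
    """Return 'private', 'public' or 'unresolved' for a list of IP strings."""
    if not addresses:
        return "unresolved"
    ips = [ipaddress.ip_address(a) for a in addresses]
    return "private" if all(ip.is_private for ip in ips) else "public"

def resolve(host):
    """Live lookup with the local resolver; an empty list means it did not resolve."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def triage(account, resolver=resolve):
    """Map each endpoint hostname to its classification."""
    return {host: classify(resolver(host)) for host in endpoint_hosts(account)}

def next_step(report):
    """Follow the answer's ordering: fix the network path first, then RBAC/ACLs."""
    bad = sorted(host for host, state in report.items() if state != "private")
    if bad:
        return "fix private endpoint/DNS for: " + ", ".join(bad)
    return "DNS path looks private: check RBAC identity and ACLs"

# Constructed sample: dfs has a private DNS record, blob still resolves publicly.
SAMPLE = {
    "examplestore.dfs.core.windows.net": ["10.1.2.5"],
    "examplestore.blob.core.windows.net": ["20.60.1.10"],
}

if __name__ == "__main__":
    report = triage("examplestore", resolver=lambda h: SAMPLE.get(h, []))
    for host, state in report.items():
        print(f"{host}: {state}")
    print(next_step(report))
```

Calling `triage("<account>")` without the `resolver` argument uses the machine's real DNS, so the result reflects that machine's view and not necessarily the Synapse managed VNet's.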