How to restrict public network access to Azure Data Lake with a private endpoint?

Taniya Das (INFOSYS LIMITED) 0 Reputation points Microsoft External Staff
2026-06-24T08:57:33.4733333+00:00

We get AuthorizationFailure (403) when Synapse tries to access the storage account: both when browsing in Synapse Studio and when testing via Azure CLI using our own (Owner-level) identity, and even via a pipeline run.

How do we implement this? Can anyone suggest how to resolve this AuthorizationFailure (403) from Synapse to ADLS? I have added a screenshot.

Note: I granted the Storage Blob Data Contributor role to the Synapse managed identity on the storage account, and it also has the Owner role.

Azure Data Lake Storage

An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.


1 answer

  1. Alex Burlachenko 23,250 Reputation points MVP Volunteer Moderator
    2026-06-24T14:46:19.4266667+00:00

    Taniya Das (INFOSYS LIMITED) hi, thanks for sharing your issue here at the Q&A portal,

    Owner won’t help for reading ADLS data. Owner is management-plane. For files/blobs you still need data-plane RBAC like Storage Blob Data Contributor, plus the network path has to go through the private endpoint. If public access is disabled and Synapse is outside the storage VNet path, you’ll get 403 even with roles. So this is usually either an RBAC identity mismatch or a private endpoint/DNS issue.

    For Synapse, make sure the role is assigned to the exact identity doing the access: the Synapse workspace managed identity for pipelines/linked services, or your own Entra user if you browse from Studio. Sometimes people grant the MI but test with their own user, or the other way around. Classic Azure trap.

    Check the storage private endpoints. For ADLS Gen2 you normally need a private endpoint/DNS for dfs and often blob too:

    privatelink.dfs.core.windows.net

    privatelink.blob.core.windows.net

    From the Synapse side, the storage account name must resolve to the private IP, not the public one. If you use a Synapse managed VNet, create a managed private endpoint from Synapse to the storage account and approve it on the storage side.

    https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints

    https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

    A quick way to narrow it down is to temporarily allow selected networks / trusted services and test again. If it starts working, RBAC is likely OK and the issue is the private endpoint/DNS. If it still fails, look at RBAC/ACLs.

    If hierarchical namespace is enabled, POSIX ACLs can still block access even when RBAC is right. Check folder/file ACLs on the container path too.

    rgds,

    Alex

    &

    If my answer was helpful please mark it, and additional thanks if you follow me at the Q&A portal
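A small diagnostic script for the two checks the answer above points at (does the storage hostname resolve to a private IP from where you test, and does the identity you actually use hold a data-plane role). This is an added example, not code from the question, the answer, or Microsoft; the resource group, account name and principal ID are placeholders you pass as arguments, and the `az` commands assume a logged-in Azure CLI. The DNS check runs offline without Azure access.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): narrows a Synapse -> ADLS 403
# down to "DNS/private endpoint" vs "RBAC" the way the answer suggests.
# Usage: ./adls_403_check.sh <storage-account> [<resource-group> <principal-object-id>]
set -eu

# Return 0 if the IPv4 address is in an RFC 1918 private range, 1 otherwise.
# A storage hostname served through a private endpoint should land here.
is_private_ip() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "private" or "public" for a resolved address.
classify_ip() {
  if is_private_ip "$1"; then echo private; else echo public; fi
}

# Resolve a hostname with the OS resolver (what Synapse/your VM actually uses)
# and print the first IPv4 address, or nothing if it does not resolve.
resolve_host() {
  getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# ADLS Gen2 needs the dfs endpoint privately resolvable, and usually blob too.
# The expected zones are privatelink.dfs.core.windows.net and
# privatelink.blob.core.windows.net, as in the answer.
check_storage_dns() {
  account="$1"
  for ep in dfs blob; do
    host="${account}.${ep}.core.windows.net"
    ip="$(resolve_host "$host" || true)"
    if [ -z "$ip" ]; then
      echo "$host: no resolution (missing private DNS zone or link?)"
    else
      echo "$host -> $ip ($(classify_ip "$ip"))"
    fi
  done
}

# List the Storage Blob Data * roles the given principal holds at the account
# scope. Pass the Synapse workspace MI object ID for pipeline/linked-service
# access, or your own user's object ID for Studio browsing: the answer's
# "grant the MI but test as yourself" trap shows up as an empty list here.
check_data_plane_rbac() {
  rg="$1"; account="$2"; principal_id="$3"
  scope="$(az storage account show -g "$rg" -n "$account" --query id -o tsv)"
  az role assignment list --assignee "$principal_id" --scope "$scope" \
    --query "[?contains(roleDefinitionName, 'Storage Blob Data')].roleDefinitionName" \
    -o tsv
}

# Only act when arguments are given, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
  check_storage_dns "$1"
  if [ "$#" -ge 3 ]; then
    echo "Data-plane roles for $3 on $1:"
    check_data_plane_rbac "$2" "$1" "$3"
  fi
fi
```

Run the DNS part from a machine inside the VNet that Synapse uses (or from a Synapse managed-VNet notebook) rather than from your laptop; a public address there means the private endpoint or its DNS zone link is not in the path, which matches the "works once you allow selected networks" symptom. An empty role list for the principal that actually makes the call points at RBAC instead.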