Synapse Analytics managed identity permission denied for ERP data ingestion from secure storage account

We’re migrating our ERP data warehouse to Synapse Analytics and hit a wall with managed identity permissions. Our Synapse pipeline is supposed to ingest daily ERP extracts from Azure Data Lake Storage Gen2, but it fails with “403 Forbidden” during pipeline execution.

The Synapse workspace has a system-assigned managed identity, and we’ve added it to the Storage Account with “Storage Blob Data Contributor” role. The connection test in Synapse Studio shows green, but when the pipeline actually runs, it can’t read the files. The storage account has firewall rules restricting access to specific VNets where our ERP system runs.

Error: Operation on target Copy_ERP_Data failed:
Failure type: User configuration issue
Details: Failed to read from storage account.
Status code: 403, Error: AuthorizationPermissionMismatch

We verified the managed identity RBAC assignment multiple times in the portal. The storage firewall shows the Synapse workspace VNet in the allowed list. What are we missing? The ERP data ingestion is critical for our financial reporting and we’re already two days behind schedule.

I checked and the Storage Blob Data Contributor role is assigned at the storage account level, which should cascade to all containers. We have three containers: erp-raw, erp-staging, and erp-archive. The pipeline tries to read from erp-raw.

Regarding the firewall, we added the Synapse workspace’s managed VNet to the allowed list. Are you saying the Integration Runtime uses different IPs? How do we allow those through the firewall?

I found the “Allow trusted Microsoft services” checkbox and enabled it. The pipeline progressed further but now fails with a different error: “This request is not authorized to perform this operation using this permission.” The error code changed from 403 to still 403 but different message. Progress, I guess?

I also noticed that in Synapse Studio, when I browse the storage account, I can see the containers and files just fine. But the pipeline can’t read them. Could this be a difference between how Studio authenticates versus how pipelines authenticate?

The 403 error with managed identity usually points to one of three issues: RBAC propagation delay, storage firewall blocking the Synapse runtime, or the managed identity not having permissions on the specific container/path level.

First, check if you granted the RBAC role at the storage account level or at the container level. Sometimes you need both. Second, storage firewall rules can be tricky with Synapse - the workspace VNet isn’t necessarily where the pipeline runtime executes. Synapse uses Azure Integration Runtime which might come from different IP ranges.

Yes! That’s exactly the issue. Synapse Studio uses YOUR user credentials to browse storage, but pipelines use the workspace managed identity. These are completely separate authentication contexts.

The new error message suggests the managed identity has some permissions but not the right ones for the specific operation. What type of dataset are you using in the pipeline - Parquet, CSV, JSON? Some formats require additional permissions. Also, if you’re using any transformations or the Copy activity with staging, you need permissions on the staging container too.

This is a common gotcha. When Synapse pipelines run, the actual data movement happens through the Integration Runtime, not directly from the workspace. If you’re using Azure Integration Runtime (the default), it operates from Microsoft-managed infrastructure, not your VNet.

You have two options: enable “Allow Azure services on the trusted services list to access this storage account” in the storage firewall settings, OR switch to using a Self-Hosted Integration Runtime within your VNet. The trusted services option is easier but less restrictive. Check the storage firewall exceptions - there should be a checkbox for trusted Microsoft services.

Let me provide a comprehensive solution addressing managed identity RBAC, storage firewall rules, and Synapse pipeline permissions systematically.

Managed Identity RBAC Configuration:

The core issue is that Synapse pipelines authenticate differently than Studio. Here’s the complete RBAC setup:

1. Verify Managed Identity Assignment:

# Get Synapse workspace managed identity
az synapse workspace show --name your-synapse-ws \
  --resource-group your-rg \
  --query identity.principalId -o tsv

2. Assign Correct RBAC Roles: You need Storage Blob Data Contributor at BOTH the storage account AND container level:

# Storage account level
az role assignment create \
  --assignee <managed-identity-id> \
  --role "Storage Blob Data Contributor" \
  --scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<storage-account>"

# Container level (critical for pipeline access)
az role assignment create \
  --assignee <managed-identity-id> \
  --role "Storage Blob Data Contributor" \
  --scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/erp-raw"

3. Wait for Propagation: RBAC changes can take 5-10 minutes to propagate. This is often overlooked and causes intermittent failures.

Storage Firewall Rules Resolution:

The firewall configuration is likely your main blocker:

1. Enable Trusted Microsoft Services: In Azure Portal → Storage Account → Networking:

• Select “Enabled from selected virtual networks and IP addresses”
• Check “Allow Azure services on the trusted services list to access this storage account”
• This allows Synapse’s Azure Integration Runtime through the firewall

2. Add Synapse Managed VNet (if using): If your Synapse workspace uses a managed VNet:

az storage account network-rule add \
  --account-name <storage-account> \
  --subnet "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Synapse/workspaces/<workspace-name>/subnets/default"

3. Resource Instance Rules: For enhanced security, add a resource instance rule specifically for your Synapse workspace:

• In Storage Networking → Resource instances
• Add: Resource type = Microsoft.Synapse/workspaces
• Select your Synapse workspace
• This is more secure than broad trusted services access

Synapse Pipeline Permissions Fix:

Pipeline-specific configurations that commonly cause 403 errors:

1. Linked Service Authentication: Verify your Data Lake Storage linked service uses managed identity:

{
  "type": "AzureBlobFS",
  "typeProperties": {
    "url": "https://<account>.dfs.core.windows.net"
  },
  "connectVia": {
    "referenceName": "AutoResolveIntegrationRuntime"
  },
  "annotations": [],
  "authentication": "ManagedServiceIdentity"
}

2. Dataset Path Permissions: Ensure the managed identity has execute permissions on parent folders:

# If using hierarchical namespace (Data Lake Gen2)
az storage fs access set \
  --account-name <storage-account> \
  --file-system erp-raw \
  --permissions "rwx" \
  --acl-user <managed-identity-id>

3. Pipeline Activity Configuration: In your Copy activity, ensure source dataset uses managed identity:

• Source dataset → Connection → Authentication = System-assigned managed identity
• Verify “Test connection” succeeds with “To linked service” option

4. Integration Runtime Considerations: If using Azure IR (default):

• Ensure storage firewall has trusted services enabled
• Consider switching to Managed VNet IR for better security isolation

If using Self-Hosted IR:

• Add the IR machine’s IP to storage firewall allow list
• Ensure IR machine can reach storage account (test with Storage Explorer)

Troubleshooting Steps:

1. Test Managed Identity Access Directly:

# Get access token for managed identity
az account get-access-token --resource https://storage.azure.com/

# Use token to list blobs
curl -H "Authorization: Bearer <token>" \
  "https://<account>.blob.core.windows.net/erp-raw?restype=container&comp=list"

2. Check Activity Logs: In Azure Portal → Storage Account → Monitoring → Diagnostic logs:

• Enable logging for read/write operations
• Look for 403 errors with caller identity
• Verify the caller is your Synapse managed identity

3. Validate Firewall Rules:

az storage account show \
  --name <storage-account> \
  --query networkRuleSet

Complete Resolution Checklist:

✓ Synapse workspace has system-assigned managed identity enabled

✓ Managed identity has Storage Blob Data Contributor at storage account level

✓ Managed identity has Storage Blob Data Contributor at container level (erp-raw)

✓ Storage firewall has “Allow trusted Microsoft services” enabled

✓ Storage firewall includes Synapse managed VNet (if applicable)

✓ Linked service authentication is set to Managed Identity

✓ RBAC propagation wait time (10 minutes) has passed

✓ No deny assignments blocking the managed identity

✓ Integration Runtime can reach storage account (network connectivity)

After applying all these configurations, wait 15 minutes for full propagation, then test the pipeline. The combination of proper RBAC at multiple levels, correct firewall exceptions for Azure Integration Runtime, and managed identity authentication in the linked service will resolve your 403 errors.

I’ve dealt with this exact scenario multiple times. The issue is usually a combination of RBAC scope and storage firewall timing. Even after you enable trusted services, it can take 15-20 minutes for the firewall rules to propagate across all Azure storage nodes.

Also, double-check that you don’t have any deny assignments on the storage account or resource group. Deny assignments override allow permissions and can cause mysterious 403 errors even when RBAC looks correct. Run az role assignment list to check for any deny policies.