I’ve configured a Synapse Analytics workspace with managed identity enabled and assigned the Storage Blob Data Contributor role at the subscription level. However, ETL pipelines consistently fail when trying to read parquet files from our Data Lake Gen2 container. The error shows ‘AuthorizationPermissionMismatch’ even though RBAC permissions appear correct in the portal.
I’m trying to understand the difference between RBAC role assignments versus ACL permissions on the container itself. The managed identity shows up with the correct role, but I’m wondering if there’s something specific about Data Lake Gen2 container access that requires additional configuration beyond RBAC.
ErrorCode: AuthorizationPermissionMismatch
Message: This request is not authorized to perform this operation using this permission.
ActivityId: a7c3f891-4d2e-4f3b-9c8d-2e5f6a8b9c1d
Our data engineering team is blocked on multiple projects because of this. Has anyone resolved similar access issues between Synapse and ADLS Gen2?
Check if your storage account has hierarchical namespace enabled. That’s what makes it Gen2 versus regular blob storage. When HNS is enabled, you must configure both RBAC at the account level AND POSIX-like ACLs at the container/directory level. The managed identity needs execute (x) on all parent folders and read (r) on the actual files.
The RBAC role assignment should propagate down to containers, but there’s often a delay. More importantly, for Gen2 you should use the ‘Manage ACL’ option on the container itself, not just IAM. Navigate to your container in Storage Explorer or portal, right-click and select ‘Manage Access’. Add your Synapse workspace’s managed identity there with read and execute permissions. This is separate from the RBAC layer and is what Gen2 actually checks first.
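As an added illustration (not code from this thread), the Python model below applies the HNS ACL rule the answer describes, execute on every parent folder and read on the file, to a constructed container tree and reports which element is missing the bit; the object ID, paths and ACL strings are assumed sample values.

```python
# Models the ADLS Gen2 (hierarchical namespace) ACL traversal rule described
# above: execute (x) on every parent directory, read (r) on the file itself.
# Object ID and ACL strings are constructed sample data, not a real account.

def parse_acl(acl):
    """ADLS-style ACL string -> {'user:': 'rwx', 'user:<oid>': 'r-x', ...}.
    'default:' entries only seed ACLs of future children, so they are skipped."""
    entries = {}
    for item in acl.split(","):
        parts = item.strip().split(":")
        if parts[0] != "default":
            kind, qualifier, perms = parts
            entries[f"{kind}:{qualifier}"] = perms
    return entries

def effective_perms(acl, oid):
    """Permissions `oid` holds on one element: its named entry limited by the
    mask (POSIX semantics); without a named entry it falls through to 'other'."""
    entries = parse_acl(acl)
    named = entries.get(f"user:{oid}")
    if named is None:
        return entries.get("other:", "---")
    mask = entries.get("mask:", "rwx")
    return "".join(p if p != "-" and p in mask else "-" for p in named)

def check_read(tree, oid, path):
    """Check x on each parent directory, then r on the file. Returns
    (allowed, reason); reason names the first failing element, which the
    bare AuthorizationPermissionMismatch error never tells you."""
    parts = path.strip("/").split("/")
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for directory in ancestors:
        if "x" not in effective_perms(tree[directory], oid):
            return False, f"missing execute (x) on {directory}"
    if "r" not in effective_perms(tree[path], oid):
        return False, f"missing read (r) on {path}"
    return True, "ok"

def grant_rx(tree, directory, oid):
    """Copy of `tree` with an r-x entry for `oid` on `directory` (what the
    portal's 'Manage ACL' step on that folder does)."""
    fixed = dict(tree)
    fixed[directory] = f"{tree[directory]},mask::r-x,user:{oid}:r-x"
    return fixed

SYNAPSE_MI = "11111111-2222-3333-4444-555555555555"  # constructed object ID
MI_RX = f"mask::r-x,user:{SYNAPSE_MI}:r-x"
CONTAINER = {  # constructed; /raw/2024 carries no entry for the identity
    "/": f"user::rwx,group::r-x,other::---,{MI_RX}",
    "/raw": f"user::rwx,group::r-x,other::---,{MI_RX}",
    "/raw/2024": "user::rwx,group::r-x,other::---",
    "/raw/2024/events.parquet": f"user::rw-,group::r--,other::---,mask::r--,user:{SYNAPSE_MI}:r--",
}
```

With the sample tree, `check_read(CONTAINER, SYNAPSE_MI, "/raw/2024/events.parquet")` returns `(False, "missing execute (x) on /raw/2024")`, and after `grant_rx(CONTAINER, "/raw/2024", SYNAPSE_MI)` the same call returns `(True, "ok")`.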
Thanks both. Yes, HNS is enabled on our storage account. I can see the managed identity in the IAM blade with Storage Blob Data Contributor role. But when I navigate to the specific container’s Access Control, the managed identity doesn’t show up there. Do I need to add it separately at the container level?
One more thing to verify - check if your storage account firewall is blocking the Synapse workspace. Even with correct permissions, if the storage firewall doesn’t allow traffic from your Synapse workspace’s managed virtual network, you’ll see authorization errors that are actually connectivity issues in disguise.
I had the same issue last month. The key insight is that Data Lake Gen2 evaluates ACLs before RBAC. Even if your RBAC says you have contributor rights, if the ACL doesn’t explicitly grant access, you’ll get authorization failures. You need both layers configured correctly. Also, make sure the managed identity has been given enough time to propagate - it sometimes takes 10-15 minutes after assignment.