Azure Table Storage
An Azure service that stores structured NoSQL data in the cloud.
177 questions
AuthorizationPermissionMismatch
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 64%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBL%3C/text%3E%3C/svg%3E)
Bernadine Lao
0
Reputation points Microsoft Employee
| 2/12/2025 9:41:39 AM | |
|---|---|
| TimeStamp | 2/12/2025 9:41:39 AM |
| Server RequestId | - |
| Error Detail | N/A |
| User | The user is a federated identity in an application that has blob, table queue data contributor roles. |
| Request URL | https://genevalogsnonprod.table.core.windows.net:443/ConfigurationsTable()?$format=application%2Fjson%3Bodata%3Dminimalmetadata&$filter=not%20%28IsActive%20eq%20true%29 |
| Operation | QueryEntities |
| Status | AuthorizationPermissionMismatch |
| Client IpAddress | 20.66.2.220:6160 |
| User Agent | azsdk-net-Data.Tables/12.8.3 (.NET 8.0.12; Microsoft Windows 10.0.20348) |
| Recommended role | NA |
We are using MSI+FIC to connect access the storage accounthttps://github.com/gladjohn/MSIFICLearning/blob/master/README.md
The managed identity itself do not have any roles with the storage account. Instead, it is stored as a federated credential to an application where in its service principal has all the roles {storage table, queue, blob data contributor} for the storage account. Do you have any solution for it without getting permissions for the managed identity itself?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 31%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
Vinod Kumar Reddy Chilupuri 2,390 Reputation points Microsoft Vendor2025-02-12T15:10:16.3133333+00:00 Hi @Bernadine Lao
The error you are facing "AuthorizationPermissionMismatch" indicates that the managed identity (MSI) being used does not have the necessary permissions to access the Azure storage account, despite the federated identity in the application having the required roles. To resolve this issue without granting permissions directly to the managed identity itself, you may consider the following approaches:
- Proper Role Assignment: Verify that the federated identity (which is associated with the application) has the necessary roles assigned at the storage account level. This includes roles like "Storage Table Data Contributor," "Storage Queue Data Contributor," and "Storage Blob Data Contributor."
- Use Service Principal: If the application is using a service principal that has the required roles, ensure that the requests are being made under the context of that service principal instead of the managed identity. This may involve adjusting the authentication mechanism in your application to utilize the service principal directly.
- Check Access Policies: Review any access policies that may be in place for the storage account. Sometimes, specific access policies can restrict the permissions even if the roles are correctly assigned.
Please Refer to Azure documentation for role-based access control (RBAC) to ensure that all necessary configurations are correctly set up.
What is Azure role-based access control (Azure RBAC)? | Microsoft Learn
If you have implemented these steps and the issue persists, it may be necessary to consider granting permissions to the managed identity as a final option. This approach ensures that you exhaust all other possibilities before resorting to directly assigning permissions to the managed identity.
Data virtualization - Azure SQL Managed Instance | Microsoft Learn
Hope the above answer helps! Please let us know do you have any further queries.
Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
-
Vinod Kumar Reddy Chilupuri 2,390 Reputation points Microsoft Vendor
2025-02-13T16:43:03.8566667+00:00 Hi @Bernadine Lao
Just checking to see if the above suggestion helped you to solve your issue, please let us know if you have any further queries. If the above suggestion help do Upvote for the answer that helped you, this can be beneficial to other community members. -
Vinod Kumar Reddy Chilupuri 2,390 Reputation points Microsoft Vendor
2025-02-14T15:37:39.5033333+00:00 Hi @Bernadine Lao
Just checking to see if the above suggestion helped you to solve your issue, please let us know if you have any further queries. If the above suggestion help do Upvote for the answer that helped you, this can be beneficial to other community members.
Sign in to comment
Sign in to answer