Powershell - which cmdlet to assign rights to a Managed Identity

rdth 21 Reputation points
2022-03-22T15:39:43.173+00:00

Hi, I want to automate granting a managed identity access to a Gen2 data lake using PowerShell. This is to allow my Data Factory ADLS-based linked service to communicate with the storage account.

What PowerShell cmdlet would I use to achieve such a task?

Thanks in advance


Accepted answer
  1. Saurabh Sharma 23,751 Reputation points Microsoft Employee
    2022-03-23T22:24:11.157+00:00

    Hi @rdth ,

    Thanks for using Microsoft Q&A!!
    If I understand correctly, you want to give the managed identity of your ADF access to the ADLS Gen2 storage account behind your linked service.
    To do so, you need to use either the PowerShell cmdlet New-AzRoleAssignment or the CLI command az role assignment create. You can grant either the "Storage Blob Data Reader" or the "Storage Blob Data Contributor" role, for source or sink purposes respectively, as per the documentation Storage Gen2 - System-assigned managed identity authentication.
    Your PowerShell/CLI command will look like the below:
    New-AzRoleAssignment -ObjectId "{ADF-Managed-Identity-Id}" -RoleDefinitionName "Storage Blob Data Contributor" -Scope "/subscriptions/{Subscription Id}/resourceGroups/{Resource group Name}/providers/Microsoft.Storage/storageAccounts/{Storage Account Name}"
    OR
    az role assignment create --assignee "{ADF-Managed-Identity-Id}" --role "Storage Blob Data Contributor" --scope "/subscriptions/{Subscription Id}/resourceGroups/{Resource group Name}/providers/Microsoft.Storage/storageAccounts/{Storage Account Name}"

    Here, you can get the managed identity of your ADF from the linked service popup blade in the ADF UI.
    You can get the resource scope of the storage account by going to Azure Portal > ADLS Gen2 Storage Account Name > Endpoints.

    Once proper permissions are granted, you should be able to validate the linked service.

    Please refer to the documents below for additional details:

    Please let me know if you have any questions.

    Thanks
    Saurabh

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

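The accepted answer gives the single New-AzRoleAssignment call with placeholders. The script below is an added example (not code from the original answer or from Microsoft) that automates the whole procedure end to end: it resolves the factory's managed identity principal ID with Get-AzDataFactoryV2 instead of copying it from the portal, scopes the grant to a single container rather than the whole storage account, defaults to the Reader role so a source-only linked service does not get write access, checks for an existing assignment before creating one, and lists what the identity ends up holding on that account. The resource group, factory, storage account and container names are assumed placeholders; `-ObjectId` must be the identity's principal (object) ID, which is what the answer's `{ADF-Managed-Identity-Id}` refers to.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.Storage, Az.DataFactory
# Added example, not from the original answer. Assumes you have already run Connect-AzAccount
# and selected the subscription that holds the factory and the storage account.
# All names below are placeholders for illustration.
param(
    [string]$ResourceGroupName  = 'rg-data',
    [string]$FactoryName        = 'adf-demo',
    [string]$StorageAccountName = 'stdatalakedemo',
    [string]$ContainerName      = 'raw',
    # Source-only linked services need Reader; only a sink needs Contributor.
    [ValidateSet('Storage Blob Data Reader', 'Storage Blob Data Contributor')]
    [string]$RoleName           = 'Storage Blob Data Reader'
)
$ErrorActionPreference = 'Stop'

# 1. Resolve the factory's system-assigned managed identity.
#    -ObjectId needs the principal (object) ID, not the factory's ARM resource ID
#    and not an application/client ID.
$factory     = Get-AzDataFactoryV2 -ResourceGroupName $ResourceGroupName -Name $FactoryName
$principalId = $factory.Identity.PrincipalId
if (-not $principalId) {
    throw "Factory '$FactoryName' has no system-assigned managed identity enabled."
}

# 2. Build the scope. Scoping to one container instead of the whole account keeps the
#    identity from reading every container on the account if the factory is compromised.
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$scope   = "$($account.Id)/blobServices/default/containers/$ContainerName"

# 3. Make the grant idempotent. Get-AzRoleAssignment -Scope also returns assignments
#    inherited from parent scopes, so filter to the exact scope before deciding.
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope |
    Where-Object { $_.Scope -eq $scope }

if ($existing) {
    Write-Host "Already assigned: $RoleName to $principalId at $scope"
}
else {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Granted: $RoleName to $principalId at $scope"
}

# 4. Review everything this identity holds on the account. Anything scoped at the
#    account (or higher) rather than the container is broader than this script intended.
Get-AzRoleAssignment -ObjectId $principalId |
    Where-Object { $_.Scope -like "$($account.Id)*" } |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Two practical caveats: role assignments can take a few minutes to propagate, so a linked service test immediately after the grant may still fail; and if the identity was created seconds earlier, New-AzRoleAssignment can reject the object ID because the service principal has not replicated yet (recent Az.Resources versions accept `-ObjectType ServicePrincipal` to skip that lookup; otherwise retry). Note also that ADLS Gen2 POSIX ACLs are an alternative to RBAC for per-directory access and are not touched by this script.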

0 additional answers
