@Mahadev, Rakesh [HAEA] Welcome to Microsoft Q&A Forum, Thank you for posting your query here!
I assume you using in SAS token in Storage explorer for connect azure storage account? (A 403 error in Azure Storage Explorer can be caused by authorization or authentication issues, or if the storage account firewall blocks requests. Storage Explorer needs both management and data layer permissions to access resources. To access storage accounts, containers, and data, users need Microsoft Entra permissions.)
May I know how have you generated the SAS token with access key or without access key?
Please cross verify all the necessary permission has been provided?
The error message you are seeing ("AuthorizationFailure: This request is not authorized to perform this operation") indicates that the SAS token you are using to access the Azure Storage account does not have the necessary permissions to view the blob containers, file shares, or tables.
Grant limited access to Azure Storage resources using shared access signatures (SAS)
Create SAS tokens for your storage containers
To resolve this issue, you can try the following steps:
- Check the permissions on the SAS token: Make sure that the SAS token has the necessary permissions to view the blob containers, file shares, or tables. You can check the permissions on the SAS token by reviewing the SAS token string or by generating a new SAS token with the necessary permissions.
Please Allow whaat all persmission and resource type need access to your Storage account.
- Check the access policy on the Azure Storage account: Make sure that the access policy on the Azure Storage account allows access to the blob containers, file shares, or tables. You can check the access policy on the Azure Storage account by logging into the Azure portal and reviewing the access policies for the storage account.
- Check the firewall and virtual network settings: Make sure that the firewall and virtual network settings on the Azure Storage account allow access from your client IP address or virtual network. You can check the firewall and virtual network settings on the Azure Storage account by logging into the Azure portal and reviewing the firewall and virtual network settings for the storage account.
Steps: - Azure Portal -> Storage Account -> Networking -> Check Allow Access From (All Networks / Selected Networks) If it is "Selected Networks" - It means the storage account is firewall enabled.
Check the storage account key: Make sure that the storage account key is correct and has not expired. You can regenerate the storage account key by logging into the Azure portal and selecting the storage account.
To fix this, check the permissions at the account level and ensure that the necessary permissions are granted. Users with Management plane roles, such as creating accounts and managing settings, do not have access to data operations. Conversely, data plane roles, like Storage Blob Data Owner, allow access to data operations such as uploading and downloading data but not management operations.
For more information on RBAC roles and their functionalities, refer to this documentation: Azure Built-in Role Descriptions.
Additional information:
- Create SAS tokens for storage containers
- Create a user delegation SAS for a container or blob with the Azure CLI
- Grant limited access to Azure Storage resources using shared access signatures (SAS)
- Get the SAS for a blob container using Storage Explorer
- Download and install Storage Explorer
- Generate SAS token
How 403 error is occurred https://learn.microsoft.com/en-us/rest/api/storageservices/blob-service-error-codes
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.