How to fix "MSIForBiddenForFileShareStorage" error

Veeti Rajaniemi 0 Reputation points
2024-07-04T05:43:41.6666667+00:00

On Azure AI Studio, in chat playground, when choosing my own data source and then trying to create a prompt flow, there's an error: "Unable to create flow. MSIForbiddenForFileShareStorage: Unable to authenticate data access to storage account with workspace MSI, please refer the doc link (which I can't do as another window opens and I am not able to click on "more details") to setup workspace MSI correctly."

Which settings does this error refer to?


5 answers

  1. Ramya Harinarthini_MSFT 5,351 Reputation points Microsoft Employee
    2024-07-04T07:36:45.54+00:00

    @Veeti Rajaniemi

    Welcome to Microsoft Q&A Forum, Thanks for posting here!!

    From the below error message, it looks like an RBAC permission issue.

    "Unable to create flow. MSIForbiddenForFileShareStorage: Unable to authenticate data access to storage account with workspace MSI"

    If you are using user identity or managed identity to authenticate the Storage credential-less datastore in prompt flow, you need to grant enough permissions to the user identity or managed identity to access the datastore.

    • Make sure the workspace system-assigned managed identity has Storage Blob Data Contributor and Storage File Data Privileged Contributor on the storage account; at least read/write (better also include delete) permission is needed.
    • If you're using user identity (the default option in prompt flow), you need to make sure the user identity has the following roles on the storage account:
      • Storage Blob Data Contributor on the storage account, at least read/write (better also include delete) permission.
      • Storage File Data Privileged Contributor on the storage account, at least read/write (better also include delete) permission.
    • If you're using a user-assigned managed identity, you need to make sure the managed identity has the following roles on the storage account:
      • Storage Blob Data Contributor on the storage account, at least read/write (better also include delete) permission.
      • Storage File Data Privileged Contributor on the storage account, at least read/write (better also include delete) permission.
      • Meanwhile, you need to assign the user identity at least the Storage Blob Data Read role on the storage account if you want to use prompt flow to author and test the flow.
    • If you still can't view the flow detail page and the first time you used prompt flow was earlier than 2024-01-01, you need to grant the workspace MSI Storage Table Data Contributor on the storage account linked with the workspace.

    Reference Link: https://learn.microsoft.com/en-us/azure/machine-learning/prompt-flow/troubleshoot-guidance?view=azureml-api-2#grant-permission-to-user-identity-or-managed-identity

    Hope this helps!

    Kindly let us know if the above helps or if you need further assistance on this issue.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.



  4. Nehruji R 8,146 Reputation points Microsoft Vendor
    2024-07-05T06:33:23.1966667+00:00

    Hello Veeti Rajaniemi,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you are encountering a permissions issue with the Managed Service Identity (MSI) when trying to access the storage account in Azure AI Studio and getting the error "Unable to create flow. MSIForbiddenForFileShareStorage: Unable to authenticate data access to storage account with workspace MSI." Please consider checking the following factors to resolve the issue.

    1. Ensure you have the system-assigned managed identity principal enabled for your Azure AI Search resources.

    • Using the Azure portal, navigate to your resource, and select Identity from the navigation menu on the left side of the screen.
    • Set Status to On.
    • Perform these steps for both of your Azure OpenAI and Azure AI Search resources.

    2. Navigate back to your storage account. Select Access Control (IAM) for your resource. Select Add, then Add role assignment. In the window that appears, add the Storage Data Contributor role on the storage resource for your Azure OpenAI and search resource's managed identity.

    • Assign access to Managed Identity.
    • If you have multiple search resources, perform this step for each search resource.


    3. If your storage account hasn't already been network restricted, go to the Networking tab and select Enabled from selected virtual networks and IP addresses.

    Refer to this Microsoft doc for more detailed guidance: https://learn.microsoft.com/en-us/azure/ai-studio/

    Hope this answer helps! Please let us know if you have any further queries. I'm happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

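Both answers above come down to one check: does the identity the workspace uses (the system-assigned MSI in answer 1, the AI Search or Azure OpenAI identity in answer 4) hold the required data-plane roles at the storage account scope? The script below is an added example, not code from either answer or from Microsoft; it takes the role names a principal already holds, reports which of the roles answer 1 lists are missing, and prints the `az role assignment create` commands that would grant them. The `az` invocations shown are assumed CLI shapes and are only printed, so the script runs offline on the constructed sample.

```shell
# Added example, not from either answer above. Given the role names a principal
# already holds on the storage account, report which of the data-plane roles that
# answer 1 requires are missing and print the az commands that would grant them.
# Pure POSIX sh, offline: the az commands are printed, never run.

# Roles answer 1 requires for the workspace system-assigned MSI.
REQUIRED_ROLES="Storage Blob Data Contributor
Storage File Data Privileged Contributor"

# missing_roles "<existing role names, one per line>"
# Prints each required role absent from the existing list. For a live check the
# existing list would come from (assumed az CLI invocation):
#   az role assignment list --assignee "$PRINCIPAL_ID" --scope "$STORAGE_ID" \
#       --query "[].roleDefinitionName" -o tsv
missing_roles() {
    existing="$1"
    printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
        # whole-line, literal, quiet match against the existing list
        if ! printf '%s\n' "$existing" | grep -qxF -- "$role"; then
            printf '%s\n' "$role"
        fi
    done
}

# grant_commands <principal-object-id> <storage-account-resource-id> "<existing roles>"
# Prints one az role assignment create command per missing role (assumed flags).
grant_commands() {
    principal="$1"; scope="$2"; existing="$3"
    missing_roles "$existing" | while IFS= read -r role; do
        printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope %s\n' \
            "$principal" "$role" "$scope"
    done
}

# Constructed sample: the MSI holds the blob role and an unrelated control-plane
# role, but not the file-share role the MSIForbiddenForFileShareStorage error points at.
SAMPLE_EXISTING="Storage Blob Data Contributor
Reader"
SAMPLE_PRINCIPAL="00000000-0000-0000-0000-000000000000"   # placeholder object id
SAMPLE_SCOPE="/subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/ACCOUNT"   # placeholder

echo "Missing roles for the workspace MSI:"
missing_roles "$SAMPLE_EXISTING"
echo "Commands that would grant them:"
grant_commands "$SAMPLE_PRINCIPAL" "$SAMPLE_SCOPE" "$SAMPLE_EXISTING"
```

A control-plane role such as Reader or Contributor on the account does not satisfy the check, which is why the sample still reports the file-share role as missing.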
