An Azure service for ingesting, preparing, and transforming data at scale.
We set up a self-hosted agent VM (with a static public IP) to run my pipelines. The static IP was allowlisted in all data centers in Azure Public and this resolved the issue.
I’m working on building an agent to migrate Lens jobs to Azure Data Factory by deploying ARM templates through Azure DevOps pipelines.
The deployment works successfully for Kusto-type Lens jobs, but for Cosmos-type Lens jobs, I encounter this error:
ClientIPNotAuthorized: Client IP not authorized to access the API.
Please ensure you are on corpnet, or that your IP is on an allowlist for the activities in your pipeline.
To address this, I have set up a self-hosted agent VM (with a static public IP) to run my pipelines so that I can allowlist that IP in my ADLS Gen2 Account.
I also followed the steps provided on the Q&A platform: ClientIPNotAuthorized error when deploying Cosmos Lens jobs to ADF via ARM template - Microsoft Q&A. However, this did not help resolve the issue.
Could you please help me identify what might be missing or incorrectly configured?
Hello Rithika Shankar, I am assuming that these Cosmos-type Lens jobs contain scope activities which are eventually called via ADF, and the same pipeline is failing? Also, have you tried connecting to MSFT_AzVPN first, before running the pipeline?
The core issue, I think, is that your self-hosted agent, even with a static public IP, is running on the public internet, not on Corpnet. Therefore, when your Azure DevOps pipeline attempts to deploy the ARM template, the ADF management endpoint correctly identifies the call as non-Corpnet and blocks it, returning the ClientIPNotAuthorized error.
To resolve this, your deployment agent must run from a machine that is on the Microsoft corporate network.
Whitelisting the IP in other services like Cosmos DB or ADLS Gen2 will not help because the block is happening at the Azure Data Factory control plane before any connection to those data services is even attempted.
Please note that VPN connections are NOT considered to be within Corpnet. If you need to access IP restricted data factories remotely, you may be able to route traffic to management.azure.com over your corpnet VPN connection. Keep in mind this can fix ADF access but cause other issues so proceed with caution:
1. Open an administrative command prompt
2. Run 'nslookup management.azure.com' and make note of the IP address listed
3. Run 'ipconfig' to get your MSFTVPN IP address
4. Add a route rule to force all traffic to management.azure.com via VPN with 'route -p add <<nslookupip>> mask 255.255.255.255 <<Your MSFTVPN IPv4 address>>'
5. Test access to Data Factory in an InPrivate window to avoid caching issues
If this causes any issues, you can undo this by running 'route -p delete <<nslookupip>>'
Alternatively, you can get reliable access to ADF via a Remote Desktop. You can request one here: https://microsoft.sharepoint.com/sites/Security_Tools_Services/SitePages/WindowsVirtualDesktop/CSEO-Windows-Virtual-Desktop-Pilot.aspx
Let me know if this works for you.
Thanks again for reaching out to us.
-Pratyush
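
The routing steps from the answer above, as an added PowerShell example that is not part of the original answer or of any Microsoft tooling. It goes beyond the manual steps by adding a route for every IPv4 address the name currently resolves to and by skipping routes that already exist. The parameter names and the adapter alias `MSFTVPN` are assumptions (confirm the alias with `Get-NetAdapter`).

```powershell
# Added example: host routes for management.azure.com through the VPN adapter.
# Run from an elevated PowerShell session.
param(
    [string]$HostName = 'management.azure.com',
    [string]$VpnAlias = 'MSFTVPN',   # assumption: alias of the VPN adapter on this machine
    [switch]$Remove                  # hypothetical switch: delete the routes instead of adding them
)

# Every IPv4 address the name resolves to right now (CNAME records carry no IPAddress).
$targets = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
    Where-Object { $_.IPAddress } |
    Select-Object -ExpandProperty IPAddress -Unique

if ($Remove) {
    # Same undo command as in the answer, once per resolved address.
    foreach ($ip in $targets) { route.exe -p delete $ip }
    return
}

# IPv4 address assigned to the VPN adapter (the value 'ipconfig' shows for it).
$vpnIp = (Get-NetIPAddress -InterfaceAlias $VpnAlias -AddressFamily IPv4 -ErrorAction Stop |
    Select-Object -First 1).IPAddress

foreach ($ip in $targets) {
    # Skip addresses that already have a /32 route so reruns do not fail.
    if (Get-NetRoute -DestinationPrefix "$ip/32" -ErrorAction SilentlyContinue) {
        Write-Host "Route for $ip already present, skipping"
        continue
    }
    # Same command as in the answer: persistent host route via the VPN address.
    route.exe -p add $ip mask 255.255.255.255 $vpnIp
}

# Show the local address and interface each target now leaves through.
foreach ($ip in $targets) {
    Find-NetRoute -RemoteIPAddress $ip |
        Select-Object -First 1 -Property IPAddress, InterfaceAlias
}
```

A /32 route only covers the addresses returned at the time it was added, so if the name later resolves to a different address the script has to be rerun, and routes for the old addresses have to be deleted by hand.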