Does Synapse Link for Dataverse use access key to authenticate and push data to the Storage Account?

Question

Does Synapse Link for Dataverse use access key to authenticate and push data to the Storage Account?

Abhishek Sarkar 21

For a customer, the Synapse Link for Dataverse fails whenever storage account access key is disabled. So, wanted to check if Synapse Link for Dataverse uses access key to authenticate and push data to the Storage Account.

Also, another question is whether Synapse link for DV will fail if the storage access key is rotated.

BhargavaGunnam-MSFT 14,091 Reputation points Microsoft Employee

2022-11-01T21:31:55.35+00:00

Hello @Abhishek Sarkar ,
Welcome to the MS Q&A platform.
As per my understanding Synapse link for Dataverse doesn't use access key to authenticate and push data to the Gen2 account. But I can double-check and get back to you on this.

The prerequisites are, the user must have owner and storage blob data contributor role access. Your storage account must enable Hierarchical namespace and it is recommended that replication is set to read-access geo-redundant storage (RA-GRS).

Synapse workspace: You must have a Synapse workspace and the Synapse Administrator role access within the Synapse Studio. The Synapse workspace must be in the same region as your Azure Data Lake Storage Gen2 account with public network access enabled. The storage account must be added as a linked service within Synapse Studio.

Reference document: https://learn.microsoft.com/en-us/power-apps/maker/data-platform/azure-synapse-link-synapse

Are you seeing any error messages when disabling the access key?
Abhishek Sarkar 21 Reputation points

2022-11-02T02:23:37.693+00:00

Thanks @BhargavaGunnam-MSFT !

The pre-requisites mentioned by you are already documented and followed for the customer.

I can't find anything related to storage account key access, but according to the customer the synapse link for dataverse fails when the key access is disabled.

BhargavaGunnam-MSFT 14,091 Reputation points Microsoft Employee

2022-11-01T21:31:55.35+00:00

Hello @Abhishek Sarkar ,
Welcome to the MS Q&A platform.
As per my understanding Synapse link for Dataverse doesn't use access key to authenticate and push data to the Gen2 account. But I can double-check and get back to you on this.

The prerequisites are, the user must have owner and storage blob data contributor role access. Your storage account must enable Hierarchical namespace and it is recommended that replication is set to read-access geo-redundant storage (RA-GRS).

Synapse workspace: You must have a Synapse workspace and the Synapse Administrator role access within the Synapse Studio. The Synapse workspace must be in the same region as your Azure Data Lake Storage Gen2 account with public network access enabled. The storage account must be added as a linked service within Synapse Studio.

Reference document: https://learn.microsoft.com/en-us/power-apps/maker/data-platform/azure-synapse-link-synapse

Are you seeing any error messages when disabling the access key?
Abhishek Sarkar 21 Reputation points

2022-11-02T02:23:37.693+00:00

Thanks @BhargavaGunnam-MSFT !

The pre-requisites mentioned by you are already documented and followed for the customer.

I can't find anything related to storage account key access, but according to the customer the synapse link for dataverse fails when the key access is disabled.

Answer 1

Hello @Abhishek Sarkar ,

Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Azure Active Directory (Azure AD) credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key.

When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Azure AD will succeed.

The default setting on the storage account is

Enabled- Allow storage account key access

Disabled- Default to Azure Active Directory authorization in the Azure portal

When you disable Allow storage account key access, You should enable AAD. I believe this is the reason for the failure.

I hope this clarifies you.

Reference document: https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal#remediate-authorization-via-shared-key

------------------------------

Please don't forget to click on and upvote button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
Want a reminder to come back and check responses? Here is how to subscribe to a notification
If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators

Abhishek Sarkar 21 Reputation points

2022-11-03T16:38:08.197+00:00

Thanks @BhargavaGunnam-MSFT for the additional details!

Back to my original question - how Synapse link for Dataverse authorizes the Storage account.

If the storage account key access is disable and AAD is enabled, will the Synapse link for DV automatically authorize the Storage account using AAD?
BhargavaGunnam-MSFT 14,091 Reputation points Microsoft Employee

2022-11-03T16:43:58.01+00:00

Hello @Abhishek Sarkar ,
Yes, your understanding is correct. When storage account key access is disabled and AAD is enabled, then the Synapse link for DV automatically authorizes the Storage account using AAD.
BhargavaGunnam-MSFT 14,091 Reputation points Microsoft Employee

2022-11-04T20:48:00.157+00:00

Hello @Abhishek Sarkar ,
I am just checking to see if you have any further questions.

-----------

If this answers your question, please consider accepting the answer by hitting the Accept answer button, as it helps the community.

Does Synapse Link for Dataverse use access key to authenticate and push data to the Storage Account?

1 answer

Activity