Role Assignment "New-AzRoleAssignment" for Azure Blob Storage is failing using powershell script

sachin gupta 376 Reputation points

Below is my scenario for which I have created a power shell task in Azure DevOps pipeline

Scenario= I am trying to query the files from ADLS blob storage in azure synapse workspace. To do this I need to grant "Storage Blob Data Reader" Role to my ADLS blob storage to run/query the data(csv/parquet) files in synapse Workspace. I have run the below script in power shell task in azure Devops pipeline and getting below error.


New-AzRoleAssignment -ObjectID "xxxxxxxxxxxxxxxx" -RoleDefinitionName "Storage Blob DataReader"
-Scope "/subscriptions/AAAAA/resourceGroups/BBBBBB/providers/Microsoft.Storage/storageAccounts/XXXXXXXX"

I have passed Object ID (tried both App ID, Object ID of the service principal ),Subscription id, resource group name and storage account.


operation returned an invalid status code 'Forbidden' . Power shell exited with code '1'

PFA screenshot.


I am not really sure what I am missing here. Please share your valuable suggestions.

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,599 questions
Azure Synapse Analytics
Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.
4,653 questions
{count} votes

1 answer

Sort by: Most helpful
  1. BhargavaGunnam-MSFT 28,931 Reputation points Microsoft Employee

    Hello @sachin gupta ,
    Looks like the issue is with the syntax. Can you please update the -Roledefinitionname to below? (with space between Data and Reader)

    -RoleDefinitionName "Storage Blob Data Reader"  

    Please see the below screenshot. I was able to create a new role assignment with the below syntax:

    New-AzRoleAssignment -ObjectId 'XXX-XX-XX-XXX-XXXX' -RoleDefinitionName  'Storage Blob Data Reader' -Scope /subscriptions/XX-XX-XXX-XXX-XXX/