ADF does not allow MI based auth for Azure table storage. Are there any alternatives for this?

Akshita Arora 20 Reputation points Microsoft Employee
2024-05-29T12:15:25.3933333+00:00

I am trying to move away from key-based access for an azure table storage in ADF, but the only auth options I get are account key and SAS URI. Is there no way to use MI/SP for this?
Blob storage has MI based auth but not table, why is this so?

Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
9,929 questions
{count} votes

Accepted answer
  1. Amira Bedhiafi 18,106 Reputation points
    2024-05-29T14:50:40.8066667+00:00

    ADF currently does not support MI or SP based authentication directly for Azure Table Storage. This limitation is due to how Azure Table Storage authentication mechanisms are implemented, which differ from those for Blob Storage and other Azure services.

    Based on this old thread :

    Note: If you disable account access keys, you will not be able to access Azure Files or Table storage as they do not support (yet?) Azure AD authentication.

    Azure Storage supports Azure AD authorization for requests to Blob and Queue storage only. **

    If you disallow authorization with Shared Key for a storage account, requests to Azure Files or Table storage that use Shared Key authorization will fail.

    ** Because the Azure portal always uses Shared Key authorization to access file and table data, if you disallow authorization with Shared Key for the storage account, you will not be able to access file or table data in the Azure portal.

    Microsoft recommends that you either migrate any Azure Files or Table storage data to a separate storage account before you disallow access to the account via Shared Key, or that you do not apply this setting to storage accounts that support Azure Files or Table storage workloads.

    Disallowing Shared Key access for a storage account does not affect SMB connections to Azure Files.

    If you are looking for this specific feature, you can leave your feedback here, Please take a few minutes to submit your idea in the one of the forums available on the right or vote up an idea submitted by another Azure customer. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    Workarounds :

    • Create an Azure Function that acts as a proxy between ADF and Azure Table Storage. The Azure Function can use a MI or SP to authenticate to Azure Table Storage.
    • Use Azure API Management to expose the Azure Table Storage operations as APIs. ADF can call these APIs using a Managed Identity or Service Principal, thus indirectly accessing Azure Table Storage securely.
    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful