PME Azure Datafactory Linked service fails to access MSIT Gen2 storage using MSIT SPN Certificate

Pavan Kumar Kurella 0 Reputation points Microsoft Employee
2024-06-04T18:02:13.4466667+00:00

Our PME/Data factory/Azure Data Lake Storage Gen2 Linked service is unable to access MSIT/Gen2 Storage account using MSIT/Service Principal/Certificate. It is failing with the error message "ADLS Gen2 operation failed for: Failed to get access token by using service principal. Error: invalid_client, Error Message: A configuration issue is preventing authentication - check the error message from the server for details." However, the linked service connection is functioning correctly with MSIT/Service Principal/Key.

The certificate is created in PME/Key Vault with a subject name and issuer. This certificate is uploaded into MSIT/Service Principal.

I would like to know if there is any known issue or gap with this approach. Could you please suggest a better solution for accessing corp gen2 storage account from PME using a single tenant, without using Service Principal Key?


1 answer

  1. Anand Prakash Yadav 7,400 Reputation points Microsoft Vendor
    2024-06-05T09:26:41.2933333+00:00

    Hello Pavan Kumar Kurella,

    Thank you for posting your query here!

    The issue is likely due to a misconfiguration in how the certificate is set up or associated with the Service Principal or in how the linked service is configured.

    Please make sure to grant at least Execute permission for all upstream folders and the file system, along with Read permission for the files to copy.

    Check if the following resource providers are registered in your Azure Active Directory tenant:

    - Microsoft.DataLakeStore
    - Microsoft.DataLakeAnalytics
    - Microsoft.DataFactory

    If any of these providers are missing, register them to ensure proper connectivity.

    Also, confirm that the certificate uploaded to MSIT/Service Principal matches the one created in PME/Key Vault. Verify the subject name and issuer and ensure that the certificate is correctly associated with the service principal.

    Alternative Approach:

    If you’d like to avoid using the Service Principal Key, consider using Managed Identity. Managed Identity provides a secure way to authenticate without exposing secrets.

    Assign the managed identity to your PME/Data Factory/Azure Data Lake Storage Gen2 Linked service. Ensure that the managed identity has the necessary permissions in Azure Data Lake Storage Gen2.

    Do let us know if you have any further queries. I’m happy to assist you further.

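As an added example (not part of the question or the answer above, and not Microsoft's code), the following Python reproduces offline the certificate step that a linked service performs when it authenticates as a service principal: it builds the RS256 client assertion JWT, puts the certificate's SHA-1 thumbprint in the `x5t` header, and then checks that header against a list of "registered" thumbprints, which is what decides whether the token endpoint can find the key credential at all. It also verifies the assertion signature against the certificate's public key, so a Key Vault private key that does not belong to the uploaded certificate is caught. It assumes the `cryptography` package is installed; the tenant and client IDs are placeholders, and the self-signed certificates are constructed in code to stand in for the Key Vault certificate and for an older certificate with the same subject and issuer.

```python
"""Added example (not from the original Q&A): build and check the certificate
client assertion used by a service principal, with cryptography installed."""
import base64
import datetime as dt
import hashlib
import json

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def thumbprint_sha1(cert_der: bytes) -> str:
    """Uppercase hex SHA-1 of the DER encoding: the thumbprint shown for a
    Key Vault certificate and for a certificate on an app registration."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def new_self_signed(subject_cn: str):
    """Constructed sample certificate standing in for the Key Vault one."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(now + dt.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert.public_bytes(serialization.Encoding.DER)


def build_client_assertion(cert_der: bytes, private_key, tenant_id: str, client_id: str) -> str:
    """RS256 JWT sent as client_assertion. The token endpoint selects the
    registered key credential to verify against by the x5t header."""
    token_endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    now = int(dt.datetime.now(dt.timezone.utc).timestamp())
    header = {"alg": "RS256", "typ": "JWT", "x5t": b64url(hashlib.sha1(cert_der).digest())}
    claims = {"aud": token_endpoint, "iss": client_id, "sub": client_id,
              "iat": now, "nbf": now, "exp": now + 600,
              "jti": hashlib.sha256(str(now).encode()).hexdigest()[:32]}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    sig = private_key.sign(signing_input, padding.PKCS1v15(), hashes.SHA256())
    return ".".join(parts) + "." + b64url(sig)


def assertion_matches(assertion: str, registered_thumbprints) -> bool:
    """Local version of the server-side lookup: is the x5t in the assertion
    one of the certificates registered on the service principal? Subject and
    issuer play no part in this; only the thumbprint does."""
    header = json.loads(b64url_decode(assertion.split(".")[0]))
    presented = b64url_decode(header["x5t"]).hex().upper()
    return presented in {t.upper() for t in registered_thumbprints}


def signature_valid(assertion: str, cert_der: bytes) -> bool:
    """Verify the assertion with the certificate's public key; fails when the
    private key used to sign does not belong to the uploaded certificate."""
    h, c, s = assertion.split(".")
    pub = x509.load_der_x509_certificate(cert_der).public_key()
    try:
        pub.verify(b64url_decode(s), f"{h}.{c}".encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def token_request_body(client_id: str, assertion: str) -> dict:
    """Form fields of the client_credentials request for ADLS Gen2 access."""
    return {"client_id": client_id, "grant_type": "client_credentials",
            "scope": "https://storage.azure.com/.default",
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": assertion}


if __name__ == "__main__":
    TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder
    CLIENT = "11111111-1111-1111-1111-111111111111"   # placeholder
    kv_key, kv_cert = new_self_signed("adf-to-adls")  # what Key Vault holds now
    _, stale_cert = new_self_signed("adf-to-adls")    # older cert, same subject/issuer
    jwt = build_client_assertion(kv_cert, kv_key, TENANT, CLIENT)
    print("Key Vault thumbprint  :", thumbprint_sha1(kv_cert))
    print("x5t found on app?     :", assertion_matches(jwt, [thumbprint_sha1(stale_cert)]))
    print("signature valid?      :", signature_valid(jwt, kv_cert))
```

Run as written, the "x5t found on app?" line is False even though both certificates share the subject and issuer, which is the case to rule out when a Key Vault certificate has been renewed but the app registration still carries the previous one; compare the thumbprint printed here with the one listed on the service principal's certificates rather than the subject name.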