Does Airflow on ADF (Managed Workflow Orchestration) require Data Factory Contributor role with AAD?

Question

Does Airflow on ADF (Managed Workflow Orchestration) require Data Factory Contributor role with AAD?

Alex Kwan 20

I want to use Airflow on ADF (Managed Workflow Orchestration), but when I try to add a user, they do not get access even though they have been given "Viewer", "User", and "Op" roles in the Airflow UI. I integrated AAD during setup and am wondering if they also need to have "Data Factory Contributor" role for the Azure Data Factory resource or if there other specific permissions they need. I found information on custom roles and scenarios here: https://learn.microsoft.com/en-us/azure/data-factory/concepts-roles-permissions#custom-scenarios-and-custom-roles

{
  "type": "https://tools.ietf.org/html/rfc7235#section-3.1",
  "title": "Unauthorized",
  "status": 401,
  "traceId": "00-d5c6cbb2c2312393b21c8649321e218c-8294edb61ad97bfb-00"
}

phemanth 15,775 Reputation points Microsoft External Staff Moderator

2024-06-27T05:53:44.2+00:00

@Alex Kwan

Thanks for reaching out to Microsoft Q&A.

The error message you’re seeing indicates an “Unauthorized” status, which suggests that the user might not have the necessary permissions to access the resource.

In terms of roles and permissions for Azure Data Factory (ADF), the “Data Factory Contributor” role does grant users the ability to create, edit, and delete data factories and child resources including datasets, linked services, pipelines, triggers, and integration runtimes1. If you’ve already assigned the “Contributor” role at the Resource Group level or above, you do not need the “Data Factory Contributor” role as the “Contributor” role is a superset role that includes all permissions granted to the “Data Factory Contributor” role.

However, if the user is still unable to access the resources, there could be other issues at play.

For instance, there could be issues with the configuration of the Airflow instance, or the user might be redirected to a different Azure tenant they have no access to. In some cases, deleting and re-registering the user might resolve the issue.

if you still face the issue, please do let us know.
phemanth 15,775 Reputation points Microsoft External Staff Moderator

2024-06-28T11:45:17.06+00:00

@Alex Kwan We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
phemanth 15,775 Reputation points Microsoft External Staff Moderator

2024-07-01T04:49:26.0166667+00:00

@Alex Kwan was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Alex Kwan 20

I don't want to assign Data Factory Contributor to the desired group. That has too many privileges. I'd like to use the below. Would it work?

{
    "Name": "${ROLE_NAME}",
    "IsCustom": true,
    "Description": "Allows monitoring and managing of integration runtimes",
    "Actions": [
        "Microsoft.DataFactory/factories/integrationruntimes/read",
        "Microsoft.DataFactory/factories/integrationruntimes/start/action",
        "Microsoft.DataFactory/factories/integrationruntimes/stop/action",
        "Microsoft.DataFactory/factories/integrationruntimes/getconnectioninfo/action",
        "Microsoft.DataFactory/factories/integrationruntimes/synccredentials/action",
        "Microsoft.DataFactory/factories/integrationruntimes/upgrade/action",
        "Microsoft.DataFactory/factories/integrationruntimes/createexpressshirinstalllink/action",
        "Microsoft.DataFactory/factories/integrationruntimes/removelinks/action",
        "Microsoft.DataFactory/factories/integrationruntimes/linkedIntegrationRuntime/action",
        "Microsoft.DataFactory/factories/integrationruntimes/getObjectMetadata/action",
        "Microsoft.DataFactory/factories/integrationruntimes/refreshObjectMetadata/action",
        "Microsoft.DataFactory/factories/integrationruntimes/enableInteractiveQuery/action",
        "Microsoft.DataFactory/factories/integrationruntimes/disableInteractiveQuery/action",
        "Microsoft.DataFactory/factories/integrationruntimes/getstatus/read",
        "Microsoft.DataFactory/factories/integrationruntimes/monitoringdata/read",
        "Microsoft.DataFactory/factories/integrationruntimes/nodes/read",
        "Microsoft.DataFactory/factories/integrationruntimes/nodes/ipAddress/action"
    ],
    "NotActions": [
        "Microsoft.DataFactory/factories/integrationruntimes/write",
        "Microsoft.DataFactory/factories/integrationruntimes/delete",
        "Microsoft.DataFactory/factories/integrationruntimes/listauthkeys/action",
        "Microsoft.DataFactory/factories/integrationruntimes/regenerateauthkey/action",
        "Microsoft.DataFactory/factories/integrationruntimes/nodes/delete",
        "Microsoft.DataFactory/factories/integrationruntimes/nodes/write",
    ],
    "AssignableScopes": ["/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"]
}

Alex Kwan 20 Reputation points

2024-07-01T13:59:41.58+00:00

I only want users to be able to authenticate via Entra to access teh Airflow instance I set up in adf. Since it is a runtime, i think the solution involves permissions related to integrated runtime.
Alex Kwan 20 Reputation points

2024-07-02T00:09:24.2366667+00:00

The json I posted above worked for me.
phemanth 15,775 Reputation points Microsoft External Staff Moderator

2024-07-02T04:19:56.53+00:00

@Alex Kwan Glad to know your issue has been resolved. Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others "I'll repost your solution in case you'd like to accept the answer.

Answer accepted by question author

0 additional answers

Your answer

phemanth 15,775 Reputation points Microsoft External Staff Moderator

2024-06-27T05:53:44.2+00:00

@Alex Kwan

Thanks for reaching out to Microsoft Q&A.

The error message you’re seeing indicates an “Unauthorized” status, which suggests that the user might not have the necessary permissions to access the resource.

In terms of roles and permissions for Azure Data Factory (ADF), the “Data Factory Contributor” role does grant users the ability to create, edit, and delete data factories and child resources including datasets, linked services, pipelines, triggers, and integration runtimes1. If you’ve already assigned the “Contributor” role at the Resource Group level or above, you do not need the “Data Factory Contributor” role as the “Contributor” role is a superset role that includes all permissions granted to the “Data Factory Contributor” role.

However, if the user is still unable to access the resources, there could be other issues at play.

For instance, there could be issues with the configuration of the Airflow instance, or the user might be redirected to a different Azure tenant they have no access to. In some cases, deleting and re-registering the user might resolve the issue.

if you still face the issue, please do let us know.
phemanth 15,775 Reputation points Microsoft External Staff Moderator

2024-06-28T11:45:17.06+00:00

@Alex Kwan We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
phemanth 15,775 Reputation points Microsoft External Staff Moderator

2024-07-01T04:49:26.0166667+00:00

@Alex Kwan was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Alex Kwan 20 Reputation points

2024-07-01T13:59:41.58+00:00

I only want users to be able to authenticate via Entra to access teh Airflow instance I set up in adf. Since it is a runtime, i think the solution involves permissions related to integrated runtime.
Alex Kwan 20 Reputation points

2024-07-02T00:09:24.2366667+00:00

The json I posted above worked for me.
phemanth 15,775 Reputation points Microsoft External Staff Moderator

2024-07-02T04:19:56.53+00:00

@Alex Kwan Glad to know your issue has been resolved. Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others "I'll repost your solution in case you'd like to accept the answer.

Answer 1

@Alex Kwan I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to accept the answer .

AskI want to use Airflow on ADF (Managed Workflow Orchestration), but when I try to add a user, they do not get access even though they have been given "Viewer", "User", and "Op" roles in the Airflow UI. I integrated AAD during setup and am wondering if they also need to have "Data Factory Contributor" role for the Azure Data Factory resource or if there other specific permissions they need. I found information on custom roles and scenarios here: https://learn.microsoft.com/en-us/azure/data-factory/concepts-roles-permissions#custom-scenarios-and-custom-roles

{
  "type": "https://tools.ietf.org/html/rfc7235#section-3.1",
  "title": "Unauthorized",
  "status": 401,
  "traceId": "00-d5c6cbb2c2312393b21c8649321e218c-8294edb61ad97bfb-00"
}

Solution:

{
    "Name": "${ROLE_NAME}",
    "IsCustom": true,
    "Description": "Allows monitoring and managing of integration runtimes",
    "Actions": [
        "Microsoft.DataFactory/factories/integrationruntimes/read",
        "Microsoft.DataFactory/factories/integrationruntimes/start/action",
        "Microsoft.DataFactory/factories/integrationruntimes/stop/action",
        "Microsoft.DataFactory/factories/integrationruntimes/getconnectioninfo/action",
        "Microsoft.DataFactory/factories/integrationruntimes/synccredentials/action",
        "Microsoft.DataFactory/factories/integrationruntimes/upgrade/action",
        "Microsoft.DataFactory/factories/integrationruntimes/createexpressshirinstalllink/action",
        "Microsoft.DataFactory/factories/integrationruntimes/removelinks/action",
        "Microsoft.DataFactory/factories/integrationruntimes/linkedIntegrationRuntime/action",
        "Microsoft.DataFactory/factories/integrationruntimes/getObjectMetadata/action",
        "Microsoft.DataFactory/factories/integrationruntimes/refreshObjectMetadata/action",
        "Microsoft.DataFactory/factories/integrationruntimes/enableInteractiveQuery/action",
        "Microsoft.DataFactory/factories/integrationruntimes/disableInteractiveQuery/action",
        "Microsoft.DataFactory/factories/integrationruntimes/getstatus/read",
        "Microsoft.DataFactory/factories/integrationruntimes/monitoringdata/read",
        "Microsoft.DataFactory/factories/integrationruntimes/nodes/read",
        "Microsoft.DataFactory/factories/integrationruntimes/nodes/ipAddress/action"
    ],
    "NotActions": [
        "Microsoft.DataFactory/factories/integrationruntimes/write",
        "Microsoft.DataFactory/factories/integrationruntimes/delete",
        "Microsoft.DataFactory/factories/integrationruntimes/listauthkeys/action",
        "Microsoft.DataFactory/factories/integrationruntimes/regenerateauthkey/action",
        "Microsoft.DataFactory/factories/integrationruntimes/nodes/delete",
        "Microsoft.DataFactory/factories/integrationruntimes/nodes/write",
    ],
    "AssignableScopes": ["/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"]
}

The json I posted above worked for me.

If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.

Share via

Does Airflow on ADF (Managed Workflow Orchestration) require Data Factory Contributor role with AAD?

0 additional answers

Your answer