Does Airflow on ADF (Managed Workflow Orchestration) require Data Factory Contributor role with AAD?

Alex Kwan 20 Reputation points
2024-06-26T15:14:23.48+00:00

I want to use Airflow on ADF (Managed Workflow Orchestration), but when I try to add a user, they do not get access even though they have been given "Viewer", "User", and "Op" roles in the Airflow UI. I integrated AAD during setup and am wondering if they also need to have "Data Factory Contributor" role for the Azure Data Factory resource or if there are other specific permissions they need. I found information on custom roles and scenarios here: https://learn.microsoft.com/en-us/azure/data-factory/concepts-roles-permissions#custom-scenarios-and-custom-roles

{
  "type": "https://tools.ietf.org/html/rfc7235#section-3.1",
  "title": "Unauthorized",
  "status": 401,
  "traceId": "00-d5c6cbb2c2312393b21c8649321e218c-8294edb61ad97bfb-00"
}

Accepted answer
  1. phemanth 9,365 Reputation points Microsoft Vendor
    2024-07-02T04:19:20.46+00:00

    @Alex Kwan I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

    Ask: I want to use Airflow on ADF (Managed Workflow Orchestration), but when I try to add a user, they do not get access even though they have been given "Viewer", "User", and "Op" roles in the Airflow UI. I integrated AAD during setup and am wondering if they also need to have "Data Factory Contributor" role for the Azure Data Factory resource or if there are other specific permissions they need. I found information on custom roles and scenarios here: https://learn.microsoft.com/en-us/azure/data-factory/concepts-roles-permissions#custom-scenarios-and-custom-roles

    {
      "type": "https://tools.ietf.org/html/rfc7235#section-3.1",
      "title": "Unauthorized",
      "status": 401,
      "traceId": "00-d5c6cbb2c2312393b21c8649321e218c-8294edb61ad97bfb-00"
    }
    

    Solution:

    {
        "Name": "${ROLE_NAME}",
        "IsCustom": true,
        "Description": "Allows monitoring and managing of integration runtimes",
        "Actions": [
            "Microsoft.DataFactory/factories/integrationruntimes/read",
            "Microsoft.DataFactory/factories/integrationruntimes/start/action",
            "Microsoft.DataFactory/factories/integrationruntimes/stop/action",
            "Microsoft.DataFactory/factories/integrationruntimes/getconnectioninfo/action",
            "Microsoft.DataFactory/factories/integrationruntimes/synccredentials/action",
            "Microsoft.DataFactory/factories/integrationruntimes/upgrade/action",
            "Microsoft.DataFactory/factories/integrationruntimes/createexpressshirinstalllink/action",
            "Microsoft.DataFactory/factories/integrationruntimes/removelinks/action",
            "Microsoft.DataFactory/factories/integrationruntimes/linkedIntegrationRuntime/action",
            "Microsoft.DataFactory/factories/integrationruntimes/getObjectMetadata/action",
            "Microsoft.DataFactory/factories/integrationruntimes/refreshObjectMetadata/action",
            "Microsoft.DataFactory/factories/integrationruntimes/enableInteractiveQuery/action",
            "Microsoft.DataFactory/factories/integrationruntimes/disableInteractiveQuery/action",
            "Microsoft.DataFactory/factories/integrationruntimes/getstatus/read",
            "Microsoft.DataFactory/factories/integrationruntimes/monitoringdata/read",
            "Microsoft.DataFactory/factories/integrationruntimes/nodes/read",
            "Microsoft.DataFactory/factories/integrationruntimes/nodes/ipAddress/action"
        ],
        "NotActions": [
            "Microsoft.DataFactory/factories/integrationruntimes/write",
            "Microsoft.DataFactory/factories/integrationruntimes/delete",
            "Microsoft.DataFactory/factories/integrationruntimes/listauthkeys/action",
            "Microsoft.DataFactory/factories/integrationruntimes/regenerateauthkey/action",
            "Microsoft.DataFactory/factories/integrationruntimes/nodes/delete",
            "Microsoft.DataFactory/factories/integrationruntimes/nodes/write"
        ],
        "AssignableScopes": ["/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"]
    }
    

    The json I posted above worked for me.

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.


    Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.
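
An added example (not part of the original post, and not Microsoft's tooling) that renders the role template from the answer and evaluates it the way Azure RBAC is documented to: effective permissions are Actions minus NotActions, and NotActions is not a deny rule. The template below is a shortened, constructed copy; the placeholder values and function names are assumptions.

```python
import json
import re
from string import Template

# Constructed, shortened copy of the role template posted in the answer.
ROLE_TEMPLATE = """{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Actions": [
    "Microsoft.DataFactory/factories/integrationruntimes/read",
    "Microsoft.DataFactory/factories/integrationruntimes/start/action",
    "Microsoft.DataFactory/factories/integrationruntimes/getstatus/read"
  ],
  "NotActions": [
    "Microsoft.DataFactory/factories/integrationruntimes/write",
    "Microsoft.DataFactory/factories/integrationruntimes/listauthkeys/action"
  ],
  "AssignableScopes": ["/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"]
}"""
PREFIX = "Microsoft.DataFactory/factories/integrationruntimes/"

def render(template, values):
    """Fill the placeholders (KeyError if one is missing), then parse strictly."""
    return json.loads(Template(template).substitute(values))

def matches(pattern, operation):
    """Azure RBAC matching: case-insensitive, '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def granted(role, operation):
    """Effective permission of this one role: Actions minus NotActions."""
    allowed = any(matches(a, operation) for a in role["Actions"])
    excluded = any(matches(n, operation) for n in role.get("NotActions", []))
    return allowed and not excluded

def redundant_not_actions(role):
    """NotActions entries that subtract nothing: no Actions entry overlaps them."""
    return [n for n in role.get("NotActions", [])
            if not any(matches(a, n) or matches(n, a) for a in role["Actions"])]

VALUES = {"ROLE_NAME": "ADF IR Operator (example)",  # constructed values
          "SUBSCRIPTION_ID": "00000000-0000-0000-0000-000000000000",
          "RESOURCE_GROUP": "rg-example"}

if __name__ == "__main__":
    role = render(ROLE_TEMPLATE, VALUES)
    print("start granted:", granted(role, PREFIX + "start/action"))
    print("listauthkeys granted:", granted(role, PREFIX + "listauthkeys/action"))
    print("NotActions with no effect:", redundant_not_actions(role))
```

Because the Actions list contains no wildcards, every NotActions entry is reported as having no effect: the excluded operations are simply absent from this role, and a second role assignment that grants them would still apply.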
