Azure Storage Mover Error - AZSM1024

James-99978 0 Reputation points
2024-09-09T15:35:35.1166667+00:00

Hiya, I'm currently running into a problem with an Azure Storage Mover project and would super appreciate some advice.

  • Migrating 15TB of SMB shares from on-prem to Azure Files.
  • Agent is set up, passes built-in connectivity tests
  • SMB share is accessible from the VLAN Agent is on.
  • Admin User account is Owner of the subscription, Resource group and all 3 services (Key Vault, Storage Mover, Storage Account)
  • Permissions for the Storage Mover Identity have been granted to Azure Key Vault (Key Vault Secrets User) and Storage Account + File Share (Storage Data Privileged Contributor) as stated in the documentation

Everything frankly looks fine, but I'm getting error AZSM1024 "Authorization failure accessing the target location".

More specifically, the error output is:

Job failed state transition: (Started,Claimed -> Failed,Claimed). Message: Timed out while claiming target container %FILESHARE% in %STORAGEACCOUNT%: Authorization failure

xdatamoved.log from the agent, the error >IS< definitely an authentication error:

Aug 28 21:05:03 xdm32039 xdatamoved[205]: time="2024-08-28T21:05:03.864710491Z" level=error msg="[CLAIM TARGET FAILURE] Authorization failure occurred while attempting claim on https://%STORAGEACCOUNT%.file.core.windows.net/projectdata by Agent fec32df9-0edb-6043-b2fe-39c4719485b5 and Job(f56088ad-72c3-4133-aff3-c39eb16852e6, 4bccdcba-f7da-4a66-b66c-abd637937775): PUT https://%STORAGEACCOUNT%.file.core.windows.net/projectdata/__AZURE_STORAGE_MOVER_MARKER\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation.\nERROR CODE: AuthorizationFailure\n--------------------------------------------------------------------------------\n\ufeff\n--------------------------------------------------------------------------------\n" ActivityId=74fa5a3d-5cde-44af-8c75-9118bf7f2ad0

Aug 28 21:05:08 xdm32039 xdatamoved[205]: time="2024-08-28T21:05:08.955936646Z" level=error msg="Error while uploading azure file: PUT https://%STORAGEACCOUNT%.file.core.windows.net/projectdata/__AZURE_STORAGE_MOVER_MARKER\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 This request is not authorized to perform this operation.\nERROR CODE: AuthorizationFailure\n--------------------------------------------------------------------------------\n\ufeff\n--------------------------------------------------------------------------------\n (*exported.ResponseError)" ActivityId=74fa5a3d-5cde-44af-8c75-9118bf7f2ad0

Storage Mover has all the relevant RBAC permissions applied to it according to documentation...

Azure Files
An Azure service that offers file shares in the cloud.

1 answer

  1. Nehruji R 7,811 Reputation points Microsoft Vendor
    2024-09-10T11:06:04.55+00:00

    Hello James-99978,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you are encountering an error - AZSM1024 with Azure Storage Mover while performing the migration from on-prem to Azure file share.

    Please check the below considerations to resolve the issue:

    Try creating a new local user, which has the same name, as is the value of the Key-Vault-User-Secret (had to shorten the secret to match the maximum allowed characters for user names) and configure the password to be the same as the Key-Vault-Password-Secret and assign the SMB permissions to this newly created local user account then try to migrate the files.

    Ensure you have met the Prerequisites for the SMB Share:

    1. Ensure you have an active Azure subscription and a resource group.
    2. You need at least one SMB Azure file share in your storage account.
    3. Your local network must allow the Storage Mover agent to communicate with Azure. Ensure that port 443 (TLS) is open outbound, and your firewall rules do not limit traffic to Azure.

    The permissions on the files and folders will remain when you migrate the data; the share permissions have to be configured using the RBAC roles. There are three Azure built-in roles for granting share-level permissions to users:

    Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.

    Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.

    Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable#2-assign-access-permissions-to-an-identity

    Check if you have assigned the appropriate permission to your resources on target location.

    A 403-status code typically signifies that the request was understood by the server, but the server is refusing to authorize, and it suggests that the authorization configuration might be inconsistent or that there are intermittent issues with the Azure service or on your network.

    If your application is using tokens for authorization, the tokens may be expiring or not being refreshed properly, leading to occasional failures.

    If the issue is related to a storage account which I presume, try regenerating the storage account access keys and updating your application with the new keys.

    Also, verify that no network or firewall rules are blocking the connection. You might need to allow access from all networks temporarily to test if this resolves the issue.

    If the issue continues to occur and you are unable to resolve it with the above steps, it might require deep investigation and I would request you to raise a support ticket to investigate further.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.

    Please “Accept the answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.
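
An added example, not part of the original question or answer: a small Python parser for `xdatamoved.log` lines in the format quoted in the question. It pulls out the failing request, HTTP status, storage error code and ActivityId, and collapses repeated errors for the same activity into one event. The sample lines are constructed (placeholder account, share and ActivityId values), and the field layout is assumed from the excerpt above.

```python
import re

# Constructed sample lines, modelled on the xdatamoved.log excerpt in the question.
# Account, share and ActivityId values are placeholders, not from a real agent.
_TAIL = (r'PUT https://exampleacct.file.core.windows.net/share1/__AZURE_STORAGE_MOVER_MARKER'
         r'\n----\nRESPONSE 403: 403 This request is not authorized to perform this operation.'
         r'\nERROR CODE: AuthorizationFailure\n----\n')
SAMPLE_LOG = [
    'Aug 28 21:05:03 agent01 xdatamoved[205]: time="2024-08-28T21:05:03Z" level=error '
    'msg="[CLAIM TARGET FAILURE] Authorization failure occurred while attempting claim: '
    + _TAIL + '" ActivityId=00000000-0000-0000-0000-000000000001',
    'Aug 28 21:05:08 agent01 xdatamoved[205]: time="2024-08-28T21:05:08Z" level=error '
    'msg="Error while uploading azure file: ' + _TAIL
    + ' (*exported.ResponseError)" ActivityId=00000000-0000-0000-0000-000000000001',
    'Aug 28 21:06:00 agent01 xdatamoved[205]: time="2024-08-28T21:06:00Z" level=info '
    'msg="heartbeat sent" ActivityId=00000000-0000-0000-0000-000000000002',
]

# key=value layout as seen in the excerpt; msg may contain backslash escapes.
LINE_RE = re.compile(r'time="(?P<time>[^"]+)" level=(?P<level>\w+) '
                     r'msg="(?P<msg>(?:[^"\\]|\\.)*)" ActivityId=(?P<activity>[0-9a-f-]+)')
# The URL ends at a literal backslash-n sequence, whitespace, or end of message.
REQ_RE = re.compile(r'(?P<verb>GET|PUT|POST|DELETE|HEAD) (?P<url>https://\S+?)(?=\\n|\s|$)')
STATUS_RE = re.compile(r'RESPONSE (?P<status>\d{3}):')
CODE_RE = re.compile(r'ERROR CODE: (?P<code>\w+)')

def parse_failures(lines):
    """Group failed storage requests by (ActivityId, request, status, error code)."""
    events = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m['level'] != 'error':
            continue
        req, status, code = (r.search(m['msg']) for r in (REQ_RE, STATUS_RE, CODE_RE))
        if not (req and status):
            continue  # error line without an HTTP request/response pair
        key = (m['activity'], req['verb'], req['url'], int(status['status']),
               code['code'] if code else None)
        ev = events.setdefault(key, {'first': m['time'], 'last': m['time'], 'count': 0})
        ev['last'] = m['time']
        ev['count'] += 1
    return [dict(zip(('activity', 'verb', 'url', 'status', 'code'), k), **v)
            for k, v in events.items()]

if __name__ == '__main__':
    for event in parse_failures(SAMPLE_LOG):
        print(event)
```

The ActivityId and timestamps from each grouped event are the values to quote when raising a support ticket or matching the failure against storage account diagnostics.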
