connection failed - Trying to add File storage account for scanning in Purview

Question

connection failed - Trying to add File storage account for scanning in Purview

Niharika Ch 170

Hi - I've added File storage for scanning under data map in purview. But there are two errors I'm facing and I'm not sure if both are related,

Managed PE connection to key vault is not yet established - It's showing this error under credential column (I've added the secret of file storage in the selected key Vault)
seeing the below error when i tried to click on 'test connection'. I've created a private endpoint and approved it in Storage account. Also, have the public network access is disabled. But not sure why the connection is failing in purview. Any idea or experienced this situation, thanks?

Failed to TestConnection: Exception when processing request: Fail to connect to htts://XXXX.file.core.windows.net/XXX. This request is not authorized to perform this operation. (ErrorCode:403) 1: Please check storage network setting whether public network access is disabled. If disabled, use Managed Virtual Network IR and create Private Endpoint to access

Smaran Thoomu 24,095 Reputation points Microsoft External Staff Moderator

2025-05-30T08:46:45.8133333+00:00

@Niharika Ch Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

1 answer

Your answer

Smaran Thoomu 24,095 Reputation points Microsoft External Staff Moderator

2025-05-30T08:46:45.8133333+00:00

@Niharika Ch Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Smaran Thoomu 24,095 Microsoft External Staff Moderator

Hi @Niharika Ch
Thanks for your question.

The two issues you're seeing are likely related:

"Managed PE connection to key vault is not yet established"

This usually means Purview’s managed identity doesn't have access to the Key Vault. Please ensure:

The Key Vault has the correct access policy or RBAC role assigned (like Key Vault Secrets User) for the Purview managed identity.
If you're using a private endpoint for the Key Vault, make sure it’s reachable from the Purview managed network.

403 error during test connection

Since public access is disabled for the storage account, make sure:

You’re using a Managed VNet IR in Purview.
A Private Endpoint is created and approved for the File storage, not just the Key Vault.
DNS resolution is set up correctly, so Purview resolves the storage account over the private endpoint.

Let me know if you've already done all this - happy to help check further!

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Niharika Ch 170 Reputation points

2025-05-28T21:35:13.98+00:00
thanks for your response.

The Key Vault has the correct access policy or RBAC role assigned (like Key Vault Secrets User) for the Purview managed identity. - Yes, it have KeyVault Secrets user role assigned.

If you're using a private endpoint for the Key Vault, make sure it’s reachable from the Purview managed network. -i've created private endpoint for storage account but do i need to create private endpoint for keyvault too? (Also, one question here as we are talking about keyvault - what networking configurations should be there for keyvault to make things work here? Since public access is disabled for the storage account, make sure:

You’re using a Managed VNet IR in Purview. - yes

A Private Endpoint is created and approved for the File storage, not just the Key Vault. - Private endpoint created and approved for storage account.

DNS resolution is set up correctly, so Purview resolves the storage account over the private endpoint. - what things we need to consider to measure that DNS resolution is setup correctly here please? Also, you mean the DNS from the private endpoint right when you mentioned about DNS resolution?
Smaran Thoomu 24,095 Reputation points Microsoft External Staff Moderator

2025-05-29T08:11:04.0933333+00:00
Niharika Ch Thanks for the detailed follow-up - you're on the right track!

Key Vault Private Endpoint: Yes, since public access to the Key Vault is likely restricted, you also need to create and approve a private endpoint for the Key Vault so Purview's Managed VNet IR can access it securely.

Key Vault Networking Configuration: In the Key Vault’s networking settings: Public access should be disabled (as you already have), and Under Private endpoint connections, ensure the private endpoint is approved. Confirm that the Purview managed VNet IR has access to this private endpoint (same VNet or peered if different).

DNS Resolution Check: Yes, I meant the private DNS resolution associated with your private endpoint.

To verify it's working:

Go to your private endpoint (in the resource group).

Under DNS configuration, ensure its linked to the correct private DNS zone (e.g., privatelink.file.core.windows.net or privatelink.vaultcore.azure.net).

In your Purview VNet (via NSG or custom DNS), make sure it can resolve the private endpoint name to a private IP, not a public IP.

Let me know if you need help checking this in your setup - happy to walk through it!

If this helps, please click Accept Answer so others facing similar issues can benefit too.

Share via

connection failed - Trying to add File storage account for scanning in Purview

1 answer

Your answer