Unable to upload file to File Share from Virtual Machine using user assigned managed identity.

Question

Unable to upload file to File Share from Virtual Machine using user assigned managed identity.

Gianpaolo Tessitore 10

I'm trying to upload a file to a File Share in a Storage Account using a Managed Idenity from a Azure Virtual Machine.
The identity has the folliwing roles assigned
User's image

and is assigned to the Virtual Machine
User's image

I wrote a small console app to test the connectivity and uploaded it to the VM. This is the code used to initialize the client

            ShareUriBuilder uriBuilder = new(new Uri(resourceUri))
            {
                ShareName = shareName,
                AccountName = accountName
            };
            var credential = new ManagedIdentityCredential(clientId);
            ShareClientOptions clientOptions = new()
            {
                ShareTokenIntent = ShareTokenIntent.Backup
            };
            return new ShareClient(uriBuilder.ToUri(), credential, clientOptions);

when i try to create a folder to store the file using the following code

            await shareClient.GetRootDirectoryClient()
                .GetSubdirectoryClient(path)
                .CreateIfNotExistsAsync(cancellationToken: ct);

i get the following error

Unexpected Exception thrown in : Azure.RequestFailedException: This request is not authorized to perform this operation using this permission.
RequestId:d23dac29-a01a-0035-6abc-defc0e000000
Time:2025-06-16T12:45:41.9240737Z
Status: 403 (This request is not authorized to perform this operation using this permission.)
ErrorCode: AuthorizationPermissionMismatch

Content:


Headers:
Server: Windows-Azure-File/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: d23dac29-a01a-0035-6abc-defc0e000000
x-ms-client-request-id: 686235b7-a108-435e-9b4e-2c2c072c429e
x-ms-version: 2025-05-05
x-ms-error-code: AuthorizationPermissionMismatch
Date: Mon, 16 Jun 2025 12:45:41 GMT
Content-Length: 279
Content-Type: application/xml

What am i missing?

Thanks.

Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-16T15:22:49.0433333+00:00

Hi Gianpaolo Tessitore,

I understand that error you are encountering, AuthorizationPermissionMismatch, indicates that the Managed Identity (MI) you're using doesn't have the necessary permissions to perform the requested operation

Verify the Managed Identity Assignment,User-assigned Managed Identity is enabled.

Check Role Assignments in Azure Storage

In the storage account Assign this role to the Managed Identity of the VM.

This allows for read/write permissions on Azure File Share

Storage File Data SMB Share Contributor

Storage Account Contributor

Storage File Data Contributor

check the vm is Correctly authenticated using the Managed Identity and has network access to the Storage Account.

After assigning the role, sometimes it takes a few minutes for the changes to propagate. If you just assigned permissions, try waiting a bit before testing again.

If you have any queries, please do let us know, we will help you.

Thanks,
Gianpaolo Tessitore 10 Reputation points

2025-06-17T07:48:47.26+00:00

Thanks Aslam, i don't see Storage File Data Contributor but Storage File Data Privileged Contributor did it, i guess it's needed to be able to create folders?
Venkatesan S 2,820 Reputation points Microsoft External Staff Moderator

2025-06-17T08:15:41.9266667+00:00

Hi Gianpaolo Tessitore

Could you please provide me with details on where you are running the above code? Is it in a local environment or an Azure environment?

Also, Could you also provide the complete code for how you are uploading the file to the VM?

Refer this : Tutorial - Use a Windows VM/VMSS to access Azure resources - Managed identities for Azure resources | Microsoft Learn
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-17T09:39:16.5966667+00:00

Hello Gianpaolo Tessitore,

I think the Storage File Data Privileged Contributor is actually designed for managing NTFS permissions on file shares via REST (e.g. setting ACLs). However, it may not grant full data path access such as creating directories or uploading files via the Azure SDK. If you see this document, to perform read/write operations using the REST API or SDK, the identity must be assigned the Storage File Data Contributor role. In your case, you're using the Azure.Storage.Files.Shares SDK which goes through the REST API. Also, could you kindly provide the complete code for how you are uploading the file to the VM?
Gianpaolo Tessitore 10 Reputation points

2025-06-17T10:27:00.4366667+00:00
I can't share all the code but it's basically what i included in my first post, then after the folder is created I create a file and write a test string to it using ShareClient sdk which i wrapped in this function

public async Task<Stream> OpenWriteAsync(string path, bool overwrite, long position, long newSize, CancellationToken cancellationToken) { ShareFileClient fileClient = shareClient.Value.GetRootDirectoryClient().GetFileClient(path); await fileClient.SetHttpHeadersAsync(new() { NewSize = newSize }, cancellationToken: cancellationToken); return await fileClient.OpenWriteAsync(overwrite, position, new() { MaxSize = newSize }, cancellationToken: cancellationToken); }

I build the app locally and upload it to the VM via VS Code and run it from there.

There is no Storage File Data Contributor role i can select, only Storage File Data Privileged Contributor role

Arko 4,150 Microsoft External Staff Moderator

Hello Gianpaolo Tessitore,

Could you kindly try using the role Storage File Data SMB Share Contributor Role ID. This should grant read, write, and delete permissions over SMB and via the SDK.

Create a storage account and file share

$resourceGroup = "arkorg"
$location = "eastus"
$storageAccount = "arkfilestorage9300"
$fileShare = "testshare"
az storage account create `
  --name $storageAccount `
  --resource-group $resourceGroup `
  --location $location `
  --sku Standard_LRS `
  --kind StorageV2 `
  --enable-large-file-share
az storage share-rm create `
  --resource-group $resourceGroup `
  --storage-account $storageAccount `
  --name $fileShare

gian1

Create a user-assigned managed identity

$uamiName = "vmfileuami"
az identity create `
  --name $uamiName `
  --resource-group $resourceGroup `
  --location $location
$uamiClientId = az identity show --name $uamiName --resource-group $resourceGroup --query clientId -o tsv
$uamiPrincipalId = az identity show --name $uamiName --resource-group $resourceGroup --query principalId -o tsv
$uamiResourceId = az identity show --name $uamiName --resource-group $resourceGroup --query id -o tsv

gian3

Create an Ubuntu VM with the UAMI attached

$vmName = "filevm"
az vm create `
  --name $vmName `
  --resource-group $resourceGroup `
  --image Ubuntu2204 `
  --admin-username azureuser `
  --generate-ssh-keys `
  --assign-identity $uamiResourceId `
  --location $location
az vm open-port --resource-group $resourceGroup --name $vmName --port 22

gian2

Assign the correct role

$storageId = az storage account show `
  --name $storageAccount `
  --resource-group $resourceGroup `
  --query id -o tsv
az role assignment create `
  --assignee-object-id $uamiPrincipalId `
  --assignee-principal-type ServicePrincipal `
  --role "123456-987651-12345-87654-860001c3d" `
  --scope $storageId

From the Ubuntu VM: Use Azure SDK to access the file share
Install .NET 8.0 SDK

sudo apt update
sudo apt install -y dotnet-sdk-8.0

Create and run the test app

mkdir azfilesdk && cd azfilesdk
dotnet new console

Replace Program.cs with

using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Files.Shares;
class Program
{
    static async Task Main()
    {
        string storageAccount = "arkfilestorage9300";
        string shareName = "testshare";
        string fileName = "test.txt";
        var uri = new Uri($"https://{storageAccount}.file.core.windows.net/{shareName}");
        var credential = new ManagedIdentityCredential("12345-6788-4231-abcd-efgh");
        var shareClient = new ShareClient(uri, credential);
        var rootDir = shareClient.GetRootDirectoryClient();
        await rootDir.CreateIfNotExistsAsync();
        var fileClient = rootDir.GetFileClient(fileName);
        byte[] content = System.Text.Encoding.UTF8.GetBytes("Hello from UAMI!");
        using var stream = new MemoryStream(content);
        await fileClient.CreateAsync(content.Length);
        await fileClient.UploadAsync(stream);
        Console.WriteLine("File uploaded successfully.");
    }
}

Add NuGet packages

dotnet add package Azure.Identity
dotnet add package Azure.Storage.Files.Shares

Now run the app, it should show- File uploaded successfully. Try it out and let me know how it goes. Thanks

Gianpaolo Tessitore 10

I'm not able to create the vm with the command provided, I tried to change the location from eastus to centralus but the error is the same.

{"error":{"code":"InvalidTemplateDeployment","message":"The template deployment 'vm_deploy_lpftdRwdxLhb0gQJO60kyVkqGmV1WiZ7' is not valid according to the validation procedure. The tracking id is '264e757e-f3d9-48ef-899a-110fd8c7af4d'. See inner errors for details.","details":[{"code":"SkuNotAvailable","message":"The requested VM size for resource 'Following SKUs have failed for Capacity Restrictions: Standard_DS1_v2' is currently not available in location 'centralus'. Please try another size or deploy to a different location or different zone. See https://aka.ms/azureskunotavailable for details."}]}}

I wanted to use the vm i already created from Azure portal, but I get this error trying to assign the role to the uai
Role '123456-987651-12345-87654-860001c3d' doesn't exist.

User's image

Thanks for your help.

Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-18T11:07:31.94+00:00
Hello Gianpaolo Tessitore, you have to use your own id for the role. That 1234... id is my id which I edited little bit since posting in public forum.

Don't use that. Use your own id. You're seeing Role '123456-987651-12345-87654-860001c3d' doesn't exist. That ID is not valid. For SDK-based access to Azure File Shares using user-assigned managed identity, the correct role is your Storage File Data SMB Share Contributor role ID. Use that.

az role assignment create \ --assignee-object-id <uamiPrincipalId> \ --assignee-principal-type ServicePrincipal \ --role "This Should be your role ID" \ --scope <storageAccountResourceId>

You're seeing SkuNotAvailable: Standard_DS1_v2 not available in centralus

That VM size is at capacity in centralus. You have two options -

Either use another size like Standard_B2s, Standard_D2s_v3, or Standard_F2 Or use your existing VM and attach the UAMI to it

az vm identity assign \ --resource-group <your-rg> \ --name <your-vm> \ --identities <your-uami-resource-id>

Once that's done, the .NET SDK with ManagedIdentityCredential should work correctly to upload to the File Share.

MS doc- https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-file-data-smb-share-contributor
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-19T07:27:12.1+00:00

Hello Gianpaolo Tessitore, following up on this. Hope I was able to clear your query here. Thanks
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-23T03:54:29.81+00:00

Hello Gianpaolo Tessitore, following up on this. Hope your issue is resolved

1 answer

Your answer

Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-16T15:22:49.0433333+00:00

Hi Gianpaolo Tessitore,

I understand that error you are encountering, AuthorizationPermissionMismatch, indicates that the Managed Identity (MI) you're using doesn't have the necessary permissions to perform the requested operation

Verify the Managed Identity Assignment,User-assigned Managed Identity is enabled.

Check Role Assignments in Azure Storage

In the storage account Assign this role to the Managed Identity of the VM.

This allows for read/write permissions on Azure File Share

Storage File Data SMB Share Contributor

Storage Account Contributor

Storage File Data Contributor

check the vm is Correctly authenticated using the Managed Identity and has network access to the Storage Account.

After assigning the role, sometimes it takes a few minutes for the changes to propagate. If you just assigned permissions, try waiting a bit before testing again.

If you have any queries, please do let us know, we will help you.

Thanks,
Gianpaolo Tessitore 10 Reputation points

2025-06-17T07:48:47.26+00:00

Thanks Aslam, i don't see Storage File Data Contributor but Storage File Data Privileged Contributor did it, i guess it's needed to be able to create folders?
Venkatesan S 2,820 Reputation points Microsoft External Staff Moderator

2025-06-17T08:15:41.9266667+00:00

Hi Gianpaolo Tessitore

Could you please provide me with details on where you are running the above code? Is it in a local environment or an Azure environment?

Also, Could you also provide the complete code for how you are uploading the file to the VM?

Refer this : Tutorial - Use a Windows VM/VMSS to access Azure resources - Managed identities for Azure resources | Microsoft Learn
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-17T09:39:16.5966667+00:00

Hello Gianpaolo Tessitore,

I think the Storage File Data Privileged Contributor is actually designed for managing NTFS permissions on file shares via REST (e.g. setting ACLs). However, it may not grant full data path access such as creating directories or uploading files via the Azure SDK. If you see this document, to perform read/write operations using the REST API or SDK, the identity must be assigned the Storage File Data Contributor role. In your case, you're using the Azure.Storage.Files.Shares SDK which goes through the REST API. Also, could you kindly provide the complete code for how you are uploading the file to the VM?
Gianpaolo Tessitore 10 Reputation points

2025-06-17T10:27:00.4366667+00:00

I can't share all the code but it's basically what i included in my first post, then after the folder is created I create a file and write a test string to it using ShareClient sdk which i wrapped in this function

public async Task<Stream> OpenWriteAsync(string path, bool overwrite, long position, long newSize, CancellationToken cancellationToken) { ShareFileClient fileClient = shareClient.Value.GetRootDirectoryClient().GetFileClient(path); await fileClient.SetHttpHeadersAsync(new() { NewSize = newSize }, cancellationToken: cancellationToken); return await fileClient.OpenWriteAsync(overwrite, position, new() { MaxSize = newSize }, cancellationToken: cancellationToken); }

I build the app locally and upload it to the VM via VS Code and run it from there.

There is no Storage File Data Contributor role i can select, only Storage File Data Privileged Contributor role
Gianpaolo Tessitore 10 Reputation points

2025-06-17T13:22:24.1066667+00:00

I'm not able to create the vm with the command provided, I tried to change the location from eastus to centralus but the error is the same.

{"error":{"code":"InvalidTemplateDeployment","message":"The template deployment 'vm_deploy_lpftdRwdxLhb0gQJO60kyVkqGmV1WiZ7' is not valid according to the validation procedure. The tracking id is '264e757e-f3d9-48ef-899a-110fd8c7af4d'. See inner errors for details.","details":[{"code":"SkuNotAvailable","message":"The requested VM size for resource 'Following SKUs have failed for Capacity Restrictions: Standard_DS1_v2' is currently not available in location 'centralus'. Please try another size or deploy to a different location or different zone. See https://aka.ms/azureskunotavailable for details."}]}}

I wanted to use the vm i already created from Azure portal, but I get this error trying to assign the role to the uai
Role '123456-987651-12345-87654-860001c3d' doesn't exist.

Thanks for your help.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-18T11:07:31.94+00:00

Hello Gianpaolo Tessitore, you have to use your own id for the role. That 1234... id is my id which I edited little bit since posting in public forum.

Don't use that. Use your own id. You're seeing Role '123456-987651-12345-87654-860001c3d' doesn't exist. That ID is not valid. For SDK-based access to Azure File Shares using user-assigned managed identity, the correct role is your Storage File Data SMB Share Contributor role ID. Use that.

az role assignment create \ --assignee-object-id <uamiPrincipalId> \ --assignee-principal-type ServicePrincipal \ --role "This Should be your role ID" \ --scope <storageAccountResourceId>

You're seeing SkuNotAvailable: Standard_DS1_v2 not available in centralus

That VM size is at capacity in centralus. You have two options -

Either use another size like Standard_B2s, Standard_D2s_v3, or Standard_F2 Or use your existing VM and attach the UAMI to it

az vm identity assign \ --resource-group <your-rg> \ --name <your-vm> \ --identities <your-uami-resource-id>

Once that's done, the .NET SDK with ManagedIdentityCredential should work correctly to upload to the File Share.

MS doc- https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-file-data-smb-share-contributor
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-19T07:27:12.1+00:00

Hello Gianpaolo Tessitore, following up on this. Hope I was able to clear your query here. Thanks
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-06-23T03:54:29.81+00:00

Hello Gianpaolo Tessitore, following up on this. Hope your issue is resolved

Answer 1

hi gianpaolo! thanks for posting this,

u got the 'storage file data smb share contributor' role assigned to ur managed identity, which is good. but that error screams 'permissions mismatch', so something's off with how ur code talks to azure files.

u need to tweak ur code a bit. the 'sharetokenintent.backup' is usually for backup scenarios, not regular file ops. try switching it to 'sharetokenintent.file' instead.

var clientOptions = new ShareClientOptions()
{
    ShareTokenIntent = ShareTokenIntent.File // not backup!
};

check if ur storage account has 'azure files identity-based auth' enabled. without this, managed identities wont work right. u can find it under 'file shares' in the storage account settings.

always verify the clientid in ur managedidentitycredential matches the uai1 identity. sometimes copy-paste fails and u auth as the wrong thing. also, storage accounts love network rules - if u blocked public access, make sure the vm's ip or vnet is whitelisted.

smb shares need port 445 open. azure blocks it by default, so u might need a nat gateway or vnet service endpoint. worth looking into if u still hit walls.

hope this unsticks u

rgds,

Alex

Gianpaolo Tessitore 10 Reputation points

2025-06-23T07:39:10.6+00:00

Hi Alex, first thanks for your help. There is no ShareTokenIntent.File available in the latest verison of the SDK (12.22.0), that's why i'm using the only available option ShareTokenIntent.Backup. Without it i get a 400 Missing Header error. The Storage is reachable from the VM and i was able to successfully upload files using the role Storage File Data Privileged Contributor (Storage File Data Contributor role does not exists).

Thaks all for your help.

Share via

Unable to upload file to File Share from Virtual Machine using user assigned managed identity.

1 answer

Your answer