I'm getting Error Message: Key based authentication is not permitted on this storage account.

Will Hasey 26 Reputation points
2021-05-19T20:14:11.103+00:00

I have this command in a PowerShell script

$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccountName -SkuName Premium_LRS -location $location -Kind "FileStorage" -enableLargeFileShare -AllowBlobPublicAccess $false -AllowSharedKeyAccess $false -EnableAzureActiveDirectoryDomainServicesForFile $true 

For whatever reason, this storage account causes an error message when I try to create a file share using

$storageContext = $storageAccount.context
New-AzStorageShare -name $storageShareName -context $storageContext

This is the error message:

New-AzStorageShare : Key based authentication is not permitted on this storage account. HTTP Status Code: 403 - HTTP
Error Message: Key based authentication is not permitted on this storage account.
ErrorCode: KeyBasedAuthenticationNotPermitted
ErrorMessage: Key based authentication is not permitted on this storage account.
RequestId:f9294db8-301a-00e1-3dea-4c825b000000
Time:2021-05-19T20:05:56.8453700Z
At C:\tf\advantage\dev\deploy\scripts\azure-functions.ps1:2179 char:5
+     New-AzStorageShare -name $storageShareName -context $storageConte ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzStorageShare], StorageException
    + FullyQualifiedErrorId : StorageException,Microsoft.WindowsAzure.Commands.Storage.File.Cmdlet.NewAzureStorageShar
   e

I'm 99% sure it has something to do with the -AllowSharedKeyAccess $false because of the error message, and because when I take it out it works fine. But why is it breaking? I want to automate creation of File Shares with that setting toggled.


Accepted answer
  1. Sumarigo-MSFT 44,081 Reputation points Microsoft Employee
    2021-06-02T16:15:56.927+00:00

    @Will Hasey Apologies for the delayed response!

    Note: If you disable account access keys, you will not be able to access Azure Files or Table storage as they do not support (yet?) Azure AD authentication.

    Azure Storage supports Azure AD authorization for requests to Blob and Queue storage only. **

    If you disallow authorization with Shared Key for a storage account, requests to Azure Files or Table storage that use Shared Key authorization will fail.

    ** Because the Azure portal always uses Shared Key authorization to access file and table data, if you disallow authorization with Shared Key for the storage account, you will not be able to access file or table data in the Azure portal.

    Microsoft recommends that you either migrate any Azure Files or Table storage data to a separate storage account before you disallow access to the account via Shared Key, or that you do not apply this setting to storage accounts that support Azure Files or Table storage workloads.

    Disallowing Shared Key access for a storage account does not affect SMB connections to Azure Files.

    If you are looking for this specific feature, you can leave your feedback here. Please take a few minutes to submit your idea in one of the forums available on the right, or vote up an idea submitted by another Azure customer. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.
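
Added example, not part of the original thread or of the answer above: the failing `New-AzStorageShare` call is a data-plane request signed with the account key held in `$storageAccount.Context`, whereas `New-AzRmStorageShare` creates the share through Azure Resource Manager, authorized by the signed-in identity's role assignments, so `-AllowSharedKeyAccess $false` can stay in place. The function name `New-ShareViaResourceManager` and the 100 GiB default quota are assumptions, and the caller is assumed to hold a role that grants `Microsoft.Storage/storageAccounts/fileServices/shares/write` on the account.

```powershell
# Added example: create an Azure file share through the management plane
# so that no account key is needed. Function name and default quota are
# hypothetical; the cmdlets are from the Az.Storage module.
function New-ShareViaResourceManager {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $ShareName,
        [int] $QuotaGiB = 100   # assumed quota for a premium FileStorage share
    )

    $account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName `
        -Name $StorageAccountName -ErrorAction Stop

    # AllowSharedKeyAccess is nullable: $null means it was never set, which
    # the service treats as "allowed". Only an explicit $false blocks keys.
    if ($account.AllowSharedKeyAccess -eq $false) {
        Write-Verbose "Shared Key is disallowed on $StorageAccountName; using Resource Manager."
    }

    # Idempotency: return the existing share instead of failing on a re-run.
    $existing = Get-AzRmStorageShare -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName -Name $ShareName `
        -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Share $ShareName already exists; nothing to do."
        return $existing
    }

    # Control-plane call: authorized by the caller's Azure AD token and RBAC
    # role assignments, not by the storage account key.
    New-AzRmStorageShare -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName -Name $ShareName `
        -QuotaGiB $QuotaGiB -ErrorAction Stop
}

# Usage with the variable names from the question's script:
# New-ShareViaResourceManager -ResourceGroupName $resourceGroup `
#     -StorageAccountName $storageAccountName -ShareName $storageShareName -Verbose
```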

6 additional answers

  1. Richard Orefice 1 Reputation point
    2023-06-05T19:13:26.0033333+00:00

    Came across this post while trying to troubleshoot this myself. I was working in a Blob container and everything I could find about this topic stated that this issue should only be occurring with Files and tables, but here I am. Not sure if there is an outage today causing the issue in the portal but I was able to overcome the issue by reversing the steps found in the following KB article (and the attached screenshot).
    https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal
    Screenshot 2023-06-05 150611.png

    You enable that setting and it should get you around the error.

    I want to also add that I am a global admin (I created the tenant for official labs for the AZ-104). I have also given myself contributor and owner permissions on the storage account from its IAM settings, so if the above setting does not work add in owner/contributor permissions as well.


  2. Rajesh Swarnkar 851 Reputation points
    2024-01-10T10:46:06.6633333+00:00

    I found a workaround here:

    Is it possible to disable storage account access keys?

    Set-AzStorageAccount -ResourceGroupName <resource-group> `
        -AccountName <storage-account> `
        -AllowSharedKeyAccess $true
    