Hello RayDev,
I understand this is a confusing issue with Prompt Flow storage, and it's not about your Azure RBAC roles (like Owner or Contributor), but about the underlying file-system permissions.
Thank you for that excellent follow-up and for confirming your permissions.
A special thanks to our volunteer, Amira, for the accurate diagnosis.
However, I will try to provide a deeper explanation of what is happening and I will answer your query "if there is a file or folder level access required and how to achieve it."
The Problem: RBAC vs. POSIX ACLs
Your permissions (Owner, Blob Contributor, File Data Privileged Contributor) are the highest possible. Your test—accessing the files in the Azure portal—confirms that your Azure RBAC (IAM) permissions are working perfectly.
However, Azure Data Lake Storage (ADLS) Gen2, which Prompt Flow uses, has a second, hidden permission model called POSIX ACLs (Access Control Lists).
- Azure Portal (what you used): The portal's Storage Explorer often uses your high-level File Data Privileged Contributor RBAC role to show you the files, bypassing the ACLs. This gives a false sense of security.
- AI Foundry Studio (what is failing): The Prompt Flow backend interacts with the storage as a filesystem. It requires the POSIX ACLs to be correct.
The Authentication Failed error is misleading. It's an Authorization Failure at the file-system (ACL) level because the AI Studio (acting on your behalf or using its own identity) is being denied read or write access by the ACLs on that specific folder.
The Solution: How to Check and Fix the ACLs
You need to manually check and grant permissions at the folder level for both you and your AI Project's Managed Identity.
- In the Azure portal, go to your Storage Account.
- From the left menu, open Storage Explorer (preview).
- Navigate to your blob container, and then drill down to your flow's folder: /Users/<your-UPN>/promptflow/<flow-name>
- Right-click on your <flow-name> folder and select Manage Access.
Here, you will see the real file-system permissions. You need to ensure the following:
- Your User Account ("Me"): Your user (******@domain.com) should be listed with Read, Write, and Execute permissions.
- AI Project's Managed Identity (Most Likely Fix): The AI Studio often uses the Project's Managed Identity to manage flow files. This identity also needs permission.
- Click Add (or "Add principal").
- Search for the name of your AI Project's Managed Identity.
- Grant it Read, Write, and Execute permissions.
- Crucially: When adding/editing, make sure you also apply this to the "Default" ACLs. This ensures any new files created in the flow inherit the correct permissions.
After you've granted rwx permissions at the folder level to your Project's Managed Identity, go back to the AI Studio and try opening the flow again. This should resolve the authentication failure.
I hope this helps. Please accept and vote for the answer to help other members of the community. Thank you for helping to improve Microsoft Q&A!
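The check described in the answer above can also be scripted. This is an added example, not part of the original answer: it takes a directory's ACL in the comma-separated text form that ADLS Gen2 tooling reports (for example `az storage fs access show`) and tells you whether a principal effectively has rwx in both the access and the default ACL, taking the mask entry into account. The object ID and ACL string are constructed sample values, and the function names are hypothetical.

```python
# Added example: audit an ADLS Gen2 ACL string for one principal's rwx access.
REQUIRED = "rwx"

# Constructed sample values (not from the original thread).
SAMPLE_OID = "11111111-1111-1111-1111-111111111111"  # hypothetical managed identity object ID
SAMPLE_ACL = (
    "user::rwx,user:" + SAMPLE_OID + ":rwx,group::r-x,mask::r-x,other::---,"
    "default:user::rwx,default:group::r-x,default:other::---"
)


def parse_acl(acl):
    """Parse '[default:]type:id:perms' entries into {(scope, type, id): perms}."""
    entries = {}
    for raw in filter(None, (e.strip() for e in acl.split(","))):
        parts = raw.split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        if len(parts) != 3:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        kind, ident, perms = parts
        entries[(scope, kind, ident)] = perms
    return entries


def audit(acl, object_id):
    """Return (effective perms per scope, ACL entries that still need to be set)."""
    entries = parse_acl(acl)
    effective, changes = {}, []
    for scope in ("access", "default"):
        prefix = "default:" if scope == "default" else ""
        perms = entries.get((scope, "user", object_id))
        # A missing mask entry does not restrict named users.
        mask = entries.get((scope, "mask", ""), REQUIRED)
        if perms is None:
            effective[scope] = None  # principal is not listed in this scope at all
        else:
            # Named-user permissions are ANDed with the mask, position by position.
            effective[scope] = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        if perms != REQUIRED:
            changes.append(f"{prefix}user:{object_id}:{REQUIRED}")
        if mask != REQUIRED:
            changes.append(f"{prefix}mask::{REQUIRED}")
    return effective, changes


if __name__ == "__main__":
    effective, changes = audit(SAMPLE_ACL, SAMPLE_OID)
    print("effective:", effective)
    print("entries to set:", changes)
```

In the sample, the identity is listed with rwx but the mask reduces it to r-x, and it has no default entry, so new files in the flow folder would not inherit access.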