![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 43%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Azure Databricks
An Apache Spark-based analytics platform optimized for Azure.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 8%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EST%3C/text%3E%3C/svg%3E)
The behavior you’re seeing is expected for Databricks managed workspace storage accounts.
The storage accounts that start with db* are created and managed by Azure Databricks in a Microsoft-managed resource group. Because of this:
- Customers don’t have full RBAC permissions on those resources
- Certain operations (like associating a Network Security Perimeter) aren’t allowed
- Attempts to modify networking/security settings can return LinkedAuthorizationFailed (403)
So the 403 isn’t a misconfiguration - it’s happening because the resource is service-managed.
What this means for NSP
At this time, Network Security Perimeter association isn’t supported directly on Databricks-managed storage accounts. Those resources are governed by the Databricks service itself, not by customer-applied network perimeters.
Recommended approach
- Apply NSP to customer-managed storage accounts that your workloads access
- Follow Databricks guidance for serverless connectivity and firewall allow-listing
- If NSP enforcement is a hard requirement, raise a support ticket with Microsoft to confirm current supportability or roadmap, since this is service-level behavior
Hope this helps clarify why you’re hitting that error.