AuthorizationFailed with User-assigned Managed Identity accessing ADF

Jesse Davis 6 Reputation points
2022-04-17T16:33:27.407+00:00

What I'm trying to do

Create and query ADF pipelines from a consumption-tier Logic App by using a User-assigned managed identity

What I've done

  • Created logic app
  • Created User-assigned managed identity

For the identity, I have assigned/verify these roles:

  • Assigned Reader to the Subscription

The above was insufficient, so then I:

  • Added the Identity to the ADF explicitly
  • Assigned Owner to the Data Factory explicitly
  • Assigned Contributor to the Data Factory explicitly

I continue to receive:

{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '<my-managedidentity-objectid-guid>' with object id '<my-managedidentity-objectid-guid>' does not have authorization to perform action 'Microsoft.DataFactory/factories/pipelines/CreateRun/action' over scope '/subscriptions/<my-subscription-guid>/resourcegroups/<my-resourcegroup>/providers/Microsoft.DataFactory/factories/<my-adf>/pipelines/<my-pipeline>' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

Any advice is appreciated.

Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,934 questions
Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
9,893 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,094 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Jesse Davis 6 Reputation points
    2022-04-17T18:23:28.38+00:00

    After some more research:
    https://learn.microsoft.com/en-us/azure/data-factory/concepts-roles-permissions

    Specifically:

    Set up permissions
    After you create a Data Factory, you may want to let other users work with the data factory. To give this access to other users, you have to add them to the built-in Data Factory Contributor role on the Resource Group that contains the Data Factory.

    This was not intuitive to me, but it resolved the issue.

    The following are NOT sufficient to access ADF resources for a User-assigned Managed Identity

    • Owner of the Data Factory
    • Contributor of the Data Factory
    1 person found this answer helpful.