Cannot delete blob using Storage Explorer or Azure Portal for a Storage Account (StorageV2) with Private Endpoints and disabled public access

Sandra Georgine Marquardt 25 Reputation points
2024-01-30T08:37:02.8033333+00:00

We have recently enabled private endpoints for blob containers in our storage account and disabled public network access. Using our company's VPN we are able to access the blobs in the storage account using Microsoft Azure Storage Explorer. We can download and upload blobs (which seems to use SAS under the hood). When we try to delete or move blobs, we get an authentication error (which seems to use name and key to authenticate). The same behavior is observed when we try to manage blobs using the Azure Portal. However, when we use Azure CLI on our local machine and execute the following command, it works.

az storage blob delete -c <container> --account-name <name> -n <blob>

All of us have the following RBAC for the blob container in question: Contributor and Storage Blob Data Contributor.

How can we ensure that we are also able to delete/move blobs using Microsoft Azure Storage Explorer or Azure Portal?


Accepted answer
  1. KarishmaTiwari-MSFT 18,527 Reputation points Microsoft Employee
    2024-02-07T18:11:44.7966667+00:00

    @Sandra Georgine Marquardt I am glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

    Issue: Cannot delete blob using Storage Explorer or Azure Portal for a Storage Account (StorageV2) with Private Endpoints and disabled public access

    Cause & Solution: Customer shared - Turns out that it was all due to the additional step of the Storage Explorer to query GetFileProperties. This tries to access data in Data Lake Storage Gen2 (using privatelink.dfs.core.windows.net). Since we had only set a private endpoint for Blob service, i.e. privatelink.blob.core.windows.net, we couldn't delete the blobs. Adding an additional private endpoint for Data Lake Storage Gen2 resolved the issue.

    If your issue remains unresolved or you have further questions, please let us know in the comments how we can assist. We are here to help you and strive to make your experience better and greatly value your feedback.


2 additional answers

  1. Nehruji R 2,051 Reputation points Microsoft Vendor
    2024-01-31T13:14:47.7+00:00

    Hello Sandra Georgine Marquardt,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you are trying to delete a blob from the Portal and Storage Explorer and are getting an authentication error.

    1. Please ensure that you have the Storage Blob Data Contributor role, which allows you to delete records, but you also need to be able to connect to the storage account, which requires the list keys permission, so you also need to be granted the Storage Account Contributor role.

    When you create an Azure Storage account, you are not automatically assigned permissions to access your data through Microsoft Entra ID. You have to explicitly assign yourself an Azure role for Azure Storage. You can assign it to the level of your subscription, resource group, storage account, or a container.  

    Assign an Azure role to access blob data - Azure Storage | Microsoft Learn  

    2. The blob may be locked due to being in use by another process or application. In this case, you will need to stop the process or application that is using the blob before you can delete it.

    3. Also check if the blob is under lease; if yes, then please unlease it and try deleting it.

    Remember to verify your permissions, check for active leases, and use the appropriate authentication method. If the problem persists, feel free to provide additional details or error messages, and we’ll continue troubleshooting!

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


  2. Sandra Georgine Marquardt 25 Reputation points
    2024-02-07T09:15:58.4033333+00:00

    Turns out that it was all due to the additional step of the Storage Explorer to query GetFileProperties. This tries to access data in Data Lake Storage Gen2 (using privatelink.dfs.core.windows.net). Since we had only set a private endpoint for Blob service, i.e. privatelink.blob.core.windows.net, we couldn't delete the blobs. Adding an additional private endpoint for Data Lake Storage Gen2 resolved the issue.

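Added example, not part of any post in this thread: a check for the gap the accepted answer describes, where a storage account has a private endpoint for `blob` but none for `dfs`. It assumes the endpoint list has the shape of `az network private-endpoint list -o json`; the account ID, endpoint names and IP addresses are constructed placeholders, and the required sub-resources are the two named in the thread.

```python
import ipaddress
import socket

# Sub-resources the thread shows Storage Explorer touching on delete/move.
REQUIRED_GROUPS = ("blob", "dfs")

# Constructed sample data (placeholder subscription, resource group, account).
ACCOUNT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "rg-example/providers/Microsoft.Storage/storageAccounts/examplestore")
SAMPLE_ENDPOINTS = [{
    "name": "pe-examplestore-blob",
    "privateLinkServiceConnections": [
        {"privateLinkServiceId": ACCOUNT_ID, "groupIds": ["blob"]},
    ],
}]

def covered_groups(private_endpoints, storage_account_id):
    """Sub-resources (group IDs) that have a private endpoint to this account."""
    groups = set()
    for pe in private_endpoints:
        conns = (pe.get("privateLinkServiceConnections") or []) + \
                (pe.get("manualPrivateLinkServiceConnections") or [])
        for conn in conns:
            target = (conn.get("privateLinkServiceId") or "").lower()
            if target == storage_account_id.lower():
                groups.update(g.lower() for g in conn.get("groupIds") or [])
    return groups

def missing_groups(private_endpoints, storage_account_id, required=REQUIRED_GROUPS):
    """Required sub-resources with no private endpoint, in the order given."""
    have = covered_groups(private_endpoints, storage_account_id)
    return [g for g in required if g not in have]

def resolves_privately(hostname, resolve=socket.gethostbyname_ex):
    """True only if every address the client gets for hostname is private."""
    try:
        _, _, addresses = resolve(hostname)
    except OSError:
        return False
    return bool(addresses) and all(ipaddress.ip_address(a).is_private for a in addresses)

if __name__ == "__main__":
    print("no private endpoint for:", missing_groups(SAMPLE_ENDPOINTS, ACCOUNT_ID))
    # Run from a VPN-connected client; both names should resolve to private IPs.
    for group in REQUIRED_GROUPS:
        host = f"examplestore.{group}.core.windows.net"
        print(host, "private" if resolves_privately(host) else "NOT private")
```

Run the DNS half from the same VPN-connected machine that runs Storage Explorer, since resolution depends on the client's DNS path to the private DNS zones.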