0 Votes
JatinSlater-5225 asked SumanthMarigowda-MSFT answered

We need to secure access to ADLS and ADF by using a service principal.

Hi Team,

We need to secure access to ADLS and ADF by using a service principal and security groups, and also restrict access to specific folders in ADLS. Can this be achieved? Along with this, if there are any best practices around ADLS that you could share, that would be great.

Cheers.

azure-storage-accounts

1 Vote
SumanthMarigowda-MSFT answered

@JatinSlater-5225 Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

Adding additional information to the above response!

This article will help you: Data Factory supports service principal and MSI authentication for Data Lake Storage Gen2.

You can associate a security principal with an access level for files and directories. These associations are captured in an access control list (ACL). Each file and directory in your storage account has an access control list. When a security principal attempts an operation on a file or directory, an ACL check determines whether that security principal (user, group, service principal, or managed identity) has the correct permission level to perform the operation.

For more information: Access control lists (ACLs) in Azure Data Lake Storage Gen2

Learn more in the FAQ.

Additional information: We can't use access control lists to provide a level of access that is lower than a level granted by an Azure RBAC role assignment. For example, if you assign the Storage Blob Data Contributor role to a service principal, then you can't use access control lists to prevent that service principal from writing to a directory. So I suggest you remove the service principal's Azure RBAC role assignment when you use the ACL to control access.

The above-mentioned operations can be performed using Storage Explorer.


Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.


Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.



1 Vote
VaibhavChaudhari answered

You can create a new SPN, grant it access to the Storage account, and use the SPN credentials in an ADF linked service to connect to the Storage account.

Reference - https://debbiesmspowerbiazureblog.home.blog/2020/01/08/setting-up-a-service-principal-for-azure-data-lake-gen-2-storage-to-use-with-data-factory/



Please don't forget to Accept Answer and Up-vote if the response helped -- Vaibhav
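Putting the two answers together (an added example, not code from either reply or from Microsoft): folder-level ACLs for the ADF service principal and a security group with Az PowerShell, including the traverse (`--x`) entries every ancestor needs and the RBAC check the first answer warns about. The storage account, resource group, file system, folder, service principal and group names are assumptions.

```powershell
# Added example. Hypothetical names: account 'stdatalake01' in 'rg-data',
# file system 'raw', folder 'sales/2024', service principal 'adf-sp',
# security group 'sales-readers'. Needs the Az.Storage and Az.Resources modules.
$account = 'stdatalake01'
$fs      = 'raw'
$folder  = 'sales/2024'

$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount
$sp  = Get-AzADServicePrincipal -DisplayName 'adf-sp'
$grp = Get-AzADGroup -DisplayName 'sales-readers'

# 1. ACLs can only add to what RBAC already grants: a data-plane role on the
#    account (or inherited from the subscription/RG) makes folder ACLs moot.
$scope = (Get-AzStorageAccount -Name $account -ResourceGroupName 'rg-data').Id
$rbac  = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
         Where-Object RoleDefinitionName -like 'Storage Blob Data*'
if ($rbac) {
    Write-Warning "adf-sp holds '$($rbac.RoleDefinitionName)' on the account; folder ACLs cannot narrow that."
}

# 2. Traverse: the root and every ancestor directory need execute (--x) for
#    the principal, otherwise the folder is unreachable even with rwx on it.
foreach ($parent in @('', 'sales')) {
    $item = if ($parent) { Get-AzDataLakeGen2Item -Context $ctx -FileSystem $fs -Path $parent }
            else         { Get-AzDataLakeGen2Item -Context $ctx -FileSystem $fs }   # root
    $acl = $item.ACL
    $acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user  -EntityId $sp.Id  -Permission '--x' -InputObject $acl
    $acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -EntityId $grp.Id -Permission '--x' -InputObject $acl
    if ($parent) { Update-AzDataLakeGen2Item -Context $ctx -FileSystem $fs -Path $parent -Acl $acl }
    else         { Update-AzDataLakeGen2Item -Context $ctx -FileSystem $fs -Acl $acl }
}

# 3. The target folder: ADF's principal gets rwx, the group read-only (r-x).
#    -DefaultScope makes new children inherit; the recursive update fixes
#    children that already exist.
$acl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $fs -Path $folder).ACL
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user  -EntityId $sp.Id  -Permission 'rwx' -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user  -EntityId $sp.Id  -Permission 'rwx' -DefaultScope -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -EntityId $grp.Id -Permission 'r-x' -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -EntityId $grp.Id -Permission 'r-x' -DefaultScope -InputObject $acl
Update-AzDataLakeGen2AclRecursive -Context $ctx -FileSystem $fs -Path $folder -Acl $acl

# Verify what the folder now carries.
(Get-AzDataLakeGen2Item -Context $ctx -FileSystem $fs -Path $folder).ACL |
    Format-Table AccessControlType, EntityId, Permissions, DefaultScope
```

Users who should only reach the folder through the group get no RBAC data role and no named-user ACL entry; membership in 'sales-readers' is then the single place access is granted or revoked.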
