Azure Files
An Azure service that offers file shares in the cloud.
1,162 questions
You can create a managed private endpoint for this file share and access this resource from ADF
ADF Linked Service for Azure File Share can't access Storage Account that does not allow all networks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 5%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Pitawat
331
Reputation points
I'm setting up ADF Azure-SSIS runtime which runs SSIS package on Azure SQL Managed Instance. I'm trying to store SSIS package files on Azure File Share. I would not want to allow access to my Storage Account from all networks.
I came across this post that Managed Identity is a supported authentication method for Blob and Data Lake gen2. Many users are commenting since 2019 that it still lacks support of Azure File Share.
When I set my storage account to allow connection from selected networks + allow trusted Azure services, the "Test Connection" feature will fail when creating ADF Linked Service for Azure File Storage saying "This request is not authorized to perform this operation (ErrorCode 403)". If I set my Storage Account to allow from all networks, the test will succeed.
Is there a plan to support managed identity for Azure File Share? Since running SSIS package is obviously one of the most-used features on ADF and storing SSIS package files on Azure File Share is very common, it is weird that managed identity is not supported here. Does this mean customers are forced to set their Storage Accounts to allow access from all networks? Is there any workaround that I don't have to allow connection to Storage Account from all networks?
Thanks.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 44%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Saurabh Sharma 23,671 Reputation points Microsoft Employee2021-08-06T00:15:33.01+00:00 Hi @Pitawat ,
Thanks for using Microsoft Q&A !!
Unfortunately, if you are using Azure File storage in Azure-SSIS IR then it only supports basic authentication as of now. However, I am checking internally on the same if there are any alternatives at all and get back to you as soon as I hear back.Thanks
Saurabh -
Pitawat 331 Reputation points
2021-08-06T02:47:34.803+00:00 Hello @Saurabh Sharma ,
Thanks for your reply. Actually I don't care that much about the authentication method. What I really would like to know is if I can create a Linked Service to Azure File Storage that does not allow access from all networks. Is yes, how?
The reason I mentioned about managed identity authentication is that it seems to be the only option to connect to Blob Storage that does not allow all networks.
Thanks.
-
ميسة عايد 21 Reputation points2021-08-06T13:44:54.117+00:00 Thanks for you
-
Saurabh Sharma 23,671 Reputation points Microsoft Employee
2021-08-06T20:16:39.667+00:00 Hi @Pitawat ,
Here is the update - SSIS IR can only connect to Azure Files using Win Auth, but you can store your credentials in AKV and allow only traffic from its public IP addresses/VNet/subnet on your Azure Storage firewall.
Thanks
Saurabh -
Saurabh Sharma 23,671 Reputation points Microsoft Employee
2021-08-10T20:30:34.067+00:00 -
Pitawat 331 Reputation points
2021-08-11T12:04:19.51+00:00 Hi @Saurabh Sharma ,
Thanks for your reply. Maybe I'm mistaken, but I'm asking about creating a Linked Service that connects to Azure Files. The Linked Service does not use SSIS-IR to connect hence it can't be in the same VNET as Azure Files.
Please see this screenshot as I create a Linked Service and the option "Connect via integration runtime" has only one option which is AutoResolveIntegrationRuntime. My SSIS-IR isn't available to select. If I continue and select the Azure Storage Account that doesn't allow all networks, the "Test connection" will fail.
Let me ask again:
- From my situation, is it possible to create a Linked Service that connects to this Azure Storage Account?
- If I need to specify public IP of AutoResolveIntegrationRuntime, how can I know its IP address?
Thanks.
-
Saurabh Sharma 23,671 Reputation points Microsoft Employee
2021-08-12T19:05:10.097+00:00 Hi @Pitawat ,
I think you may need to go through support case route as some one has to look into your environment and setup.. In case you have any limitation opening a support ticket please let me know and I will help you providing a one-time free support ticket.
Thanks
Saurabh -
madforchili 16 Reputation points2021-12-07T10:44:40.653+00:00 I have exactly the same challenge, have you found the way to resolve this issue?
-
Pitawat 331 Reputation points
2021-12-08T10:22:02.76+00:00 No. After spending an extensive amount of time with Azure support, they confirmed that this is impossible to achieve now.
Sign in to comment
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 14.000000000000002%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Raunak Jhawar 1 Reputation point Microsoft Employee2021-09-30T13:00:08.407+00:00