Hi, this happens because you're passing Document Intelligence/OpenAI a Blob image_url that the service attempts to read from the Storage's public endpoint; with firewalls/PE enabled, that public endpoint is denied (and the service doesn't transit your VNet/Private Endpoint). The "clean" fix is: enable the Allow trusted Microsoft services exception (better yet: a targeted Resource instance rule) on Storage and add your Azure AI/Document Intelligence resource as an origin; maintain RBAC on the AI's managed identity (at least Storage Blob Data Reader, Contributor if it needs to write). Alternatively, avoid "URL" input: send the file bytes (begin_analyze_document) or use batch APIs with Blob and MI origin; don't use begin_analyze_document_from_url/SAS as long as Storage remains closed to the public network. In short: Storage's Private Endpoint alone isn't enough; you need to allow access as a trusted service/resource instance or change the input mode.
Accessing storage account is failing through private endpoint
We are trying to access OpenAI, Document Intelligence and blob storage through private endpoints. Through the Document Intelligence service it extracts information from documents like PDFs, and the data is stored under a storage account.
For the other services we are able to access through the private endpoint, but for blob storage it is throwing an error.
If we enable public access and select the option for all networks it works fine, but through the private endpoint it is failing.
We have enabled managed identity referring to the document below and assigned Storage Blob Data Owner on the storage account, but the error still persists.
Create and use managed identities with Document Intelligence - Azure AI services | Microsoft Learn
Below are the error codes
Error code: 400 - {'error': {'code': 'BadRequest', 'message': 'The provided image url can not be accessed. status code: 403.', 'param': None, 'type': None}}"}
Azure Storage
2 answers
Harish Peddapally 240 Reputation points Microsoft External Staff Moderator
2025-08-18T07:49:00.7633333+00:00
Hi Sana Fathima,
Thanks for posting your query on QnA! Let me try to help you with my observations here.
I hope Michele Ariis's response was helpful to you. Additionally, I’d like to highlight the detailed steps Michele shared—they could be useful for troubleshooting your issue.
The 400 Bad Request error with a nested 403 Forbidden status code that you're experiencing when trying to access Azure Blob Storage through a private endpoint suggests a permissions or network configuration issue with the private endpoint setup, not a problem with the Document Intelligence service itself. The 403 Forbidden error specifically indicates that the Document Intelligence service is not authorized to access the requested resource (the blob storage account).
Please find below the possible root causes and solutions:
1. Networking / Private Endpoint Misconfiguration
Even when the managed identity and RBAC roles are set correctly, if the network path isn't properly configured, requests will still fail.
DNS resolution and private endpoint connectivity
Ensure that the Blob Storage endpoint resolves to the private IP via your private DNS zone and that connectivity is confirmed:
- Use `nslookup youraccount.blob.core.windows.net` to verify DNS resolution.
- Use `Test-NetConnection -ComputerName youraccount.blob.core.windows.net -Port 443` to ensure connectivity over port 443.
If either fails, the private endpoint or private DNS zone setup might be incomplete or misconfigured.
Virtual network scope
- Ensure your Document Intelligence resource and the private endpoint are in the same VNet, or peer VNets with proper DNS integration. Otherwise, traffic may flow via public endpoints and fail.
2. Firewall / Trusted Services Configuration
On the Storage Account:
- Set Public network access to "Selected networks".
- In Exceptions, enable “Allow Azure services on the trusted services list to access this storage account.”
- This permits Azure service traffic (like Document Intelligence) even when public access is disabled.
- Without this exception, even managed identity access may be blocked when routed internally.
3. Managed Identity Role Assignments
- The Document Intelligence managed identity must be granted at least the Storage Blob Data Reader role to read content—and the Storage Blob Data Contributor role if Studio features like auto-labeling or training are used.
- For roles to take effect, allow up to 30 minutes for propagation.
Thank you again for your time. I’m happy to continue supporting you—your experience and insights can also benefit others in the community.
Please do not forget to "accept the answer" and “Upvote it” wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.
Thanks,
Harish.
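The DNS-resolution and port-443 checks from the answer above, as an added example (not code from the thread or from Microsoft): run from a host inside the VNet, it resolves the blob hostname, tells you whether it landed on a private IP (private DNS zone applied) or a public one (the path the storage firewall rejects with 403), and confirms TCP 443. It assumes the resolver returns the private endpoint's RFC 1918 address; note, as the first answer points out, that this only validates your own VNet path, not the path the Document Intelligence service itself takes, so the trusted-services exception or byte upload is still needed for URL input.

```python
import ipaddress
import socket

def interpret_resolution(addresses: list[str]) -> str:
    """Classify what a name resolved to: 'private', 'public', 'mixed' or
    'unresolved'. From inside the VNet a storage account behind a private
    endpoint should resolve ONLY to the private endpoint's private IP."""
    if not addresses:
        return "unresolved"
    kinds = {"private" if ipaddress.ip_address(a).is_private else "public"
             for a in addresses}
    return kinds.pop() if len(kinds) == 1 else "mixed"

def resolve_addresses(hostname: str) -> list[str]:
    """Equivalent of the nslookup step; [] if the name does not resolve."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except socket.gaierror:
        return []

def tcp_443_reachable(hostname: str, timeout: float = 3.0) -> bool:
    """Equivalent of the Test-NetConnection -Port 443 step."""
    try:
        with socket.create_connection((hostname, 443), timeout=timeout):
            return True
    except OSError:
        return False

ADVICE = {
    "unresolved": "Name does not resolve: check the private DNS zone link or your DNS forwarder.",
    "public": "Resolves to a public IP: the privatelink.blob.core.windows.net zone is not applied "
              "on this network, so traffic hits the public endpoint the firewall blocks.",
    "mixed": "Resolves to both private and public IPs: DNS is inconsistent, look for stale records.",
    "private": "Resolves to the private endpoint IP.",
}

def diagnose(account: str, resolve_fn=resolve_addresses, connect_fn=tcp_443_reachable) -> dict:
    """Run both checks and return a verdict. resolve_fn/connect_fn are
    injectable so the decision logic can be exercised without network access."""
    host = f"{account}.blob.core.windows.net"
    addrs = resolve_fn(host)
    verdict = interpret_resolution(addrs)
    reachable = connect_fn(host) if addrs else False
    advice = ADVICE[verdict]
    if verdict == "private" and not reachable:
        advice += " Port 443 is not reachable: check the network rules between this host and the private endpoint."
    return {"host": host, "addresses": addrs, "verdict": verdict,
            "port_443": reachable, "advice": advice}

if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "youraccount"))
```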