Unable to authenticate storage account

Question

Unable to authenticate storage account

Amol Sharma 0 Microsoft Employee

We have a storage account for which network setting is disabled. Private endpoint is in place from 1ES hosted pool v-net. DNS is resolving. I am getting authentication 403 issue. RBAC is provided to Service principle (FIC).

When i move storage account to less restricted network setting, it works fine but fails when it is moved back to disabled state...

Jose Benjamin Solis Nolasco 5,406 Reputation points

2025-08-25T20:16:00.9166667+00:00

The 403 issue is not related to DNS but rather to how authentication and network restrictions are configured when the storage account network access is set to Disabled.

When using a Private Endpoint, please ensure the following:

DNS: The storage account resolves to the private IP of the private endpoint.

Private Endpoint: Connection status in the storage account must be Approved.

RBAC: The service principal being used needs the correct Azure RBAC role (e.g., Storage Blob Data Contributor or Reader) assigned at the storage account scope. Without this, authentication will succeed but authorization will be denied (403).

Networking: With public access disabled, only private endpoint traffic is allowed. Verify that the subnet and NSG associated with the private endpoint permit outbound HTTPS (443) traffic.

Authentication method: Confirm the service is using Azure AD (OAuth2) authentication with the service principal, not account keys.

Once these are in place and RBAC assignments have propagated, access via the private endpoint should succeed.

Please let me know if you still face the issue after this check list
Jose Benjamin Solis Nolasco 5,406 Reputation points

2025-08-26T14:32:30.52+00:00

@Amol Sharma Just following up, Do you need more guidance or assistance ?
Amol Sharma 0 Reputation points Microsoft Employee

2025-08-26T15:06:50.2066667+00:00

Just one thing, PE and storage account are on different region.
I thought it works fine across regions
Jose Benjamin Solis Nolasco 5,406 Reputation points

2025-08-26T16:09:39.4566667+00:00
Well, Try deploying the Private Endpoint in the same region as the Storage Account. This eliminates cross-region routing complexities and is the most reliable fix.

If cross-region is required, ensure:

VNet peering is correctly configured.

NSGs allow outbound traffic to the storage account region.

RBAC is scoped precisely to the storage account (not just resource group or subscription).

You're using Azure AD authentication, not SAS or account keys.

Is a little bit tricky when is in different region. I hope this help
Jose Benjamin Solis Nolasco 5,406 Reputation points

2025-08-27T12:40:25.4733333+00:00

@Amol Sharma Just following up, Do you need more guidance or assistance ? Did you get to deploy it?
G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-28T18:30:29.3033333+00:00

Hello @Amol Sharma

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.

1 answer

Your answer

Jose Benjamin Solis Nolasco 5,406 Reputation points

2025-08-25T20:16:00.9166667+00:00

The 403 issue is not related to DNS but rather to how authentication and network restrictions are configured when the storage account network access is set to Disabled.

When using a Private Endpoint, please ensure the following:

DNS: The storage account resolves to the private IP of the private endpoint.

Private Endpoint: Connection status in the storage account must be Approved.

RBAC: The service principal being used needs the correct Azure RBAC role (e.g., Storage Blob Data Contributor or Reader) assigned at the storage account scope. Without this, authentication will succeed but authorization will be denied (403).

Networking: With public access disabled, only private endpoint traffic is allowed. Verify that the subnet and NSG associated with the private endpoint permit outbound HTTPS (443) traffic.

Authentication method: Confirm the service is using Azure AD (OAuth2) authentication with the service principal, not account keys.

Once these are in place and RBAC assignments have propagated, access via the private endpoint should succeed.

Please let me know if you still face the issue after this check list
Jose Benjamin Solis Nolasco 5,406 Reputation points

2025-08-26T14:32:30.52+00:00

@Amol Sharma Just following up, Do you need more guidance or assistance ?
Amol Sharma 0 Reputation points Microsoft Employee

2025-08-26T15:06:50.2066667+00:00

Just one thing, PE and storage account are on different region.
I thought it works fine across regions
Jose Benjamin Solis Nolasco 5,406 Reputation points

2025-08-26T16:09:39.4566667+00:00

Well, Try deploying the Private Endpoint in the same region as the Storage Account. This eliminates cross-region routing complexities and is the most reliable fix.

If cross-region is required, ensure:

VNet peering is correctly configured.

NSGs allow outbound traffic to the storage account region.

RBAC is scoped precisely to the storage account (not just resource group or subscription).

You're using Azure AD authentication, not SAS or account keys.

Is a little bit tricky when is in different region. I hope this help
Jose Benjamin Solis Nolasco 5,406 Reputation points

2025-08-27T12:40:25.4733333+00:00

@Amol Sharma Just following up, Do you need more guidance or assistance ? Did you get to deploy it?
G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-28T18:30:29.3033333+00:00

Hello @Amol Sharma

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.

Answer 1

Hello Amol Sharma

Along with Jose Benjamin Solis Nolasco findings, I'd like to request that you review the following:

Please double-check the storage account settings:

Public network access is set to Disabled and Private endpoint connection is Approved.
Firewall rules do not block traffic from the private endpoint subnet.

When network access is disabled, only traffic via private endpoints is allowed. Check:

The private endpoint is in the same region as the storage account.
The subnet used by the private endpoint has network policies disabled for private endpoints.
The DNS resolution is pointing to the private endpoint IP, not the public endpoint.

Do let me know if you have further questions, we will be happy to help you.

Share via

Unable to authenticate storage account

1 answer

Your answer