We have an Azure Data Factory pipeline that includes a Web Activity, which writes data directly to an Azure Blob Storage container. This Web Activity is configured to use System-Assigned Managed Identity for authentication against the Blob Storage account, uses PUT method with a body from earlier linked activity, the resource is set to https://storage.azure.com/ and has the headers set as x-ms-blob-type = BlockBlob and x-ms-version = 2017-11-09.
This setup was working successfully until February 21, 2025 (last successful run), and no changes were made on our end to the pipeline, Storage Account, RBAC permissions, or network/firewall configurations. On March 6th, I tried running the Web Activity and it failed with an "AuthorizationFailure: This request is not authorized to perform this operation." error, and has done so since. Our settings for the storage account (which, once again, worked up until Feb 21st) are as follows:
- The ADF instance has Storage Blob Data Contributor role on the Storage Account.
- Networking settings:
  - Public network access is enabled for selected virtual networks and IP addresses (specifically, our internal office network and VPN access).
  - We have allowed Microsoft.DataFactory/factories as Resource Instances in the current subscription.
  - The "Allow Azure services on the trusted services list to access this storage account" exception is enabled.
  - Microsoft network routing is used (no Private Endpoints).
Tests Performed
- We confirmed Copy Data Activities and Data Flows in the same ADF instance that link to the same Blob Storage still work with System-Assigned Managed Identity, which suggests RBAC is correctly configured.
- We tested different x-ms-version headers (no change).
- We tested the Web Activity while:
  - Enabling all public access to the Blob Storage container (successful).
  - Adding Storage Blob Data Owner role to SAMI (no change).
- We implemented a User-Assigned Managed Identity and configured the same Web Activity to authenticate with it. This worked successfully, allowing the Web Activity to write to Blob Storage.
My question specifically at this time is whether there have been any recent changes to the handling of System-Assigned Managed Identities, Trusted Microsoft Services, or firewall/network enforcement for Azure Data Factory and Blob Storage interactions, and whether a shift to using User-Assigned Managed Identities would be the recommended practice for ADF Web/HTTP Activities that interact with network-restricted Storage Accounts.
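The following is an added example, not code from the question or from Azure Data Factory, that reproduces the Web Activity's Put Blob call outside the pipeline and reads back the storage error code. The point for troubleshooting is that a 403 from Blob Storage carries an XML `<Error><Code>` that separates the cases mixed together in the question: `AuthorizationFailure` (the message quoted above) is what the account's network rules return, `AuthorizationPermissionMismatch` is an RBAC data-plane gap, and `AuthenticationFailed` is a bad or mis-scoped token. The headers and token audience are the ones stated in the question; the account, container and blob names are placeholders, and obtaining a token via `azure.identity.DefaultAzureCredential` is an assumption about how you would run this from a workstation rather than from the factory's managed identity.

```python
"""Reproduce the ADF Web Activity's Put Blob call and classify a 403 by its
storage error code (network rules vs. RBAC vs. token). Added example; the
account/container/blob names and the token source are assumptions."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Same request headers the question's Web Activity sends (API version as quoted there).
BLOB_HEADERS = {"x-ms-blob-type": "BlockBlob", "x-ms-version": "2017-11-09"}

# Token audience matching the Web Activity's "resource" setting of https://storage.azure.com/.
STORAGE_SCOPE = "https://storage.azure.com/.default"

# Error codes Blob Storage puts in a 403 body and what each usually indicates.
ERROR_HINTS = {
    "AuthorizationFailure": "blocked by the storage account's network rules "
                            "(firewall, VNet, resource-instance or trusted-service exceptions)",
    "AuthorizationPermissionMismatch": "identity authenticated but lacks an RBAC data-plane "
                                       "role such as Storage Blob Data Contributor",
    "AuthenticationFailed": "bearer token rejected: wrong audience, expired, or wrong tenant",
}


def build_put_blob_request(account: str, container: str, blob: str, token: str, body: bytes):
    """Return (url, headers) for a Put Blob request shaped like the Web Activity's."""
    url = f"https://{account}.blob.core.windows.net/{container}/{blob}"
    headers = dict(BLOB_HEADERS)
    headers["Authorization"] = f"Bearer {token}"
    headers["Content-Length"] = str(len(body))
    return url, headers


def classify_storage_error(status: int, body: bytes):
    """Map an HTTP status plus the XML error body Azure Storage returns to (code, hint)."""
    code = None
    try:
        root = ET.fromstring(body)          # storage errors are <Error><Code>..</Code>...</Error>
        node = root.find("Code")
        code = node.text if node is not None else None
    except ET.ParseError:
        pass                                # empty or non-XML body (e.g. a 201 success)
    if status == 403 and code in ERROR_HINTS:
        return code, ERROR_HINTS[code]
    if status in (401, 403):
        return code or "Unknown", "unrecognised auth failure; inspect the full response and request id"
    return code or "OK", "not an authorization error"


def put_blob(account: str, container: str, blob: str, token: str, body: bytes):
    """Send the PUT and return (status, response_body) without raising on HTTP errors."""
    url, headers = build_put_blob_request(account, container, blob, token, body)
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, b""
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Assumption: azure-identity is installed and a credential (CLI login, env vars, MI) exists.
    from azure.identity import DefaultAzureCredential
    if len(sys.argv) != 4:
        sys.exit("usage: put_blob_probe.py <account> <container> <blob>")
    account, container, blob = sys.argv[1:4]
    token = DefaultAzureCredential().get_token(STORAGE_SCOPE).token
    status, resp_body = put_blob(account, container, blob, token, b"probe written by put_blob_probe")
    code, hint = classify_storage_error(status, resp_body)
    print(f"HTTP {status} {code}: {hint}")
```

Running this from an address that is allowed by the account's network rules (for example a workstation on the office network listed in the firewall) and getting a 201 while the factory gets `AuthorizationFailure` isolates the problem to how the storage firewall evaluates the factory's identity, as the successful run with public access enabled already suggests; an `AuthorizationPermissionMismatch` would instead point back at the role assignment.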