Not able to access the ADLS storage account via Microsoft Purview scanning

Question

Not able to access the ADLS storage account via Microsoft Purview scanning

GS, ANEESHKUMAR 0

I have created an SPN and stored secretes under the KV "abcd". I am trying to Scan the Storage account 'stkordnadlsprod01' from Purview . but I am getting below errors.

Request failed with status code 403 Request ID: 33c332ae-482a-48ca-91e1-663b7fb3fe9e Unable to access secret name: xyz. Grant Purview MSI access to Azure Key Vault: abcd

Below are the setting which I did

-SPN has Storage Blob Data Contributor on the storage account

-Purview MSI has Storage Blob Data Contributor on the storage account

-Purview MSI has Key Vault Secrets User role on the Key Vault

-I am using RBAC-based access control on the Key Vault

Details

I did the similar setup on Dev and Staging and its working

I am using SHIR for scanning and From the SHIR and below is the test connection result from SHIR PS

C:\Users\adminkoredadna> Test-NetConnection -ComputerName abcd.vault.azure.net -port 443 ComputerName :

abcd.vault.azure.net

RemoteAddress : 10.221.139.81

RemotePort : 443

InterfaceAlias : Ethernet

SourceAddress : 10.220.106.167

TcpTestSucceeded : True

Pranitha Maddi 1,195 Reputation points Microsoft External Staff Moderator

2025-10-01T08:38:21.19+00:00
Hi GS, ANEESHKUMAR,

Thanks for your question on the Microsoft Q&A portal!

As you are trying to scan an Azure Data Lake Storage (ADLS) account using Microsoft Purview. You created a Service Principal (SPN) and stored its credentials in an Azure Key Vault named "abcd". However, when Purview attempts to access the secret from the Key Vault, it fails with a 403 Forbidden error:

Unable to access secret name: xyz. Grant Purview MSI access to Azure Key Vault: abcd

This means that Purview's Managed Identity (MSI) does not have sufficient permissions to read the secret from the Key Vault.

Even though you assigned the Key Vault Secrets User role to Purview MSI using RBAC, this alone might not be sufficient. You also need to ensure the following:

If your Key Vault uses Access Policies, Purview MSI must have explicit Get and List permissions on secrets in the Access Policies.

If your Key Vault uses RBAC, assign the Key Vault Secrets User role on the Key Vault to Purview MSI at the appropriate scope.

The Key Vault firewall allows access from Purview MSI or the Self-Hosted Integration Runtime (SHIR) IP address and enable the setting to allow trusted Microsoft services to bypass the firewall.

The secret name "xyz" referenced in Purview exactly matches the secret name stored in Key Vault (secret names are case-sensitive).

If specifying a secret version, confirm it is correct; if unsure, omit the version to use the latest secret version.

Steps to Fix the Issue:

Step 1: Verify Key Vault Access Configuration

If using RBAC model:

Assign Purview MSI the Key Vault Secrets User role on the Key Vault resource.

If using Access Policies model:

Go to Azure Portal → Key Vault "abcd" → Access Policies

Add a policy granting Purview MSI Get and List permissions on secrets.

Reference: https://free.blessedness.top/en-us/azure/key-vault/general/security-features#access-control

Step 2: Check Key Vault Firewall Settings

Go to Azure Portal → Key Vault "abcd" → Networking

If public network access is disabled, ensure you:

Enable Allow trusted Microsoft services to bypass this firewall (includes Purview MSI)

Add SHIR IP addresses if applicable

Reference: https://free.blessedness.top/en-us/azure/key-vault/general/network-security

Step 3: Validate Secret Name and Version

Validate the secret name "xyz" exists in Key Vault and matches exactly.

Confirm the secret is enabled and accessible.

If you use a specific secret version, verify its correctness.

If unsure, omit the version to always use the latest secret version.

Reference:

https://free.blessedness.top/en-us/azure/key-vault/secrets/quick-create-portal

https://free.blessedness.top/en-us/azure/key-vault/general/about-keys-secrets-certificates

Step 4: Revalidate the Credential Configuration in Purview

Go to Microsoft Purview → Data Map → Credentials

Edit the credential to ensure it references the correct Key Vault and secret name

Test the connection again after saving changes

Reference:https://free.blessedness.top/en-us/purview/troubleshoot-connections

I hope this resolves your issue.

Thanks!
Pranitha Maddi 1,195 Reputation points Microsoft External Staff Moderator

2025-10-03T15:44:33.8133333+00:00

Hi GS, ANEESHKUMAR,

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks!
Pranitha Maddi 1,195 Reputation points Microsoft External Staff Moderator

2025-10-06T12:19:24.61+00:00
Hi GS, ANEESHKUMAR,

Thanks for your follow up question

It is possible to configure access to Azure Key Vault through your Palo Alto Firewall without relying on the “Allow trusted Microsoft services to bypass this firewall” setting. This approach involves explicitly permitting outbound traffic from the Self-Hosted Integration Runtime (SHIR) IP addresses and the Microsoft Purview Managed Identity (MSI) to reach the Key Vault and other required Azure endpoints.

Here are the key steps to achieve this:

Allow outbound traffic through Palo Alto Firewall: Configure your Palo Alto Firewall rules to allow communication on port 443 (HTTPS) to the Azure Key Vault endpoint (<yourkeyvault>.vault.azure.net) and other relevant Azure service endpoints.

Allow SHIR IP addresses: Since you are using SHIR for scanning, include the IP addresses of your SHIR in your firewall allowlist so that it can connect to the Key Vault and storage account.

Avoid enabling Trusted Microsoft services bypass: Disabling the "Allow trusted Microsoft services to bypass this firewall" option enhances security by preventing unrestricted Microsoft service access. Instead, rely on precise firewall rules as above.

Validate DNS resolution and network routes: Ensure that firewall configuration does not block DNS resolution or routing to Azure service endpoints.

For more detailed guidance, consider reviewing the Azure Key Vault networking documentation section on firewall settings and trusted services, and Microsoft Purview data scan credential requirements:

https://free.blessedness.top/en-us/azure/key-vault/general/network-security

https://free.blessedness.top/en-us/purview/data-map-data-scan-credentials

This approach provides tighter control of network traffic through your Palo Alto Firewall while allowing necessary access for Microsoft Purview scanning operations.

Hope this clear the issue.

Thanks,

Pranitha
Pranitha Maddi 1,195 Reputation points Microsoft External Staff Moderator

2025-10-09T07:18:09.9033333+00:00

Hi GS, ANEESHKUMAR,

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks!
Pranitha Maddi 1,195 Reputation points Microsoft External Staff Moderator

2025-10-10T05:51:08.0133333+00:00

Hi GS, ANEESHKUMAR,

Following up to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks!

1 answer

Your answer

Pranitha Maddi 1,195 Reputation points Microsoft External Staff Moderator

2025-10-03T15:44:33.8133333+00:00

Hi GS, ANEESHKUMAR,

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks!
Pranitha Maddi 1,195 Reputation points Microsoft External Staff Moderator

2025-10-09T07:18:09.9033333+00:00

Hi GS, ANEESHKUMAR,

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks!
Pranitha Maddi 1,195 Reputation points Microsoft External Staff Moderator

2025-10-10T05:51:08.0133333+00:00

Hi GS, ANEESHKUMAR,

Following up to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks!

Answer 1

Hi Pranitha,

Thanks for the responds.

I have configured all the 4 steps which you have mentioned , but still I was not able to access. I was using Private end points to access all services, including Purview, Key vault etc.

Finally I figured out the issue, since I was using SHIR for scanning, we need to enable "Trusted Microsoft Services option from Key vault networking , if we disable the public access, whihc resolved the issue

User's image

https://free.blessedness.top/en-us/purview/data-map-data-scan-credentials

So I have a query as well, since we are using Palo Alto Firewall , may I know , is there any option to allow traffic via palo alto , rather than enabling this option ?

Thanks,

Aneesh G S

Share via

Not able to access the ADLS storage account via Microsoft Purview scanning

1 answer

Your answer