Azure Databricks PERMISSION_DENIED on ADLS container, seems to require account-level access

Question

Azure Databricks PERMISSION_DENIED on ADLS container, seems to require account-level access

Scott Hietpas 11

In Azure Databricks, I created an External Location and Credentials to access ADLS Gen2 storage container. I have the proper Unity Catalog permissions and the "Storage Blob Data Reader" role on the container. Unity catalog can browse the folders / files in the container, but I get "PERMISSION_DENIED" when attempting to access via compute, including Serverless SQL Warehouse or Serverless in a notebook.

I verified the appropriate Unity Catalog permissions are in place. If I add "Storage Blob Data Reader" role at the ADLS account-level, everything will work as expected. However, Databricks should only have access to specific containers, so I am not able to assign account-level permissions in this case.

I believe this may be a bug in how Databricks attempts to read the external location from compute? Since UC can browse the files without issue, and container-level permissions should be sufficient, this seems like an implementation issue where Databricks attempts some command that requires escalation.

Is this a limitation of Databricks external locations (that it cannot support container-level access)?

Here is example error from Notebook using serverless compute:

User's image

SQL Warehouse with serverless compute just returns "PERMISSION_DENIED: request not authorized"

Here I can browse the external location directly in Unity Catalog:

User's image

Mahesh Kurva 9,650 Reputation points Microsoft External Staff Moderator

2025-10-20T13:41:35.01+00:00
Hi Scott Hietpas ,

Greetings!!

It looks like you're encountering a "PERMISSION_DENIED" issue when trying to access your ADLS Gen2 storage container from Azure Databricks, despite having the "Storage Blob Data Reader" role and the correct Unity Catalog permissions in place.

Here are a few things you can check to troubleshoot the problem:

Role Assignment: While you mentioned you have the "Storage Blob Data Reader" role on the container, ensure that the service principal that Databricks uses is also granted the appropriate permissions. For accessing storage, the "Storage Blob Data Contributor" role could be beneficial. However, since you want to avoid account-level access, check if you can manage permissions at the container level effectively.

Check ACLs: Review the Access Control Lists (ACLs) settings on your ADLS container. Proper ACLs need to be set for the service principal to allow it to read files from that specific container. You can find more information about setting ACLs here.

Network Configuration: Ensure there are no network misconfigurations or firewalls blocking access to your storage account. If you're using a private endpoint, ensure it's correctly configured and that the necessary peering is set up between your Databricks workspace and the private endpoint's virtual network. More on this can be found here.

External Location Configuration: Verify the settings for your external location in Databricks to ensure it’s correctly pointing to the ADLS Gen2 storage endpoint.

Check Compatibility: Since you mentioned this seems to work when you assign account-level permissions, it may be worth noting this could be a limitation or specific behavior within Databricks when leveraging container-level access, which may require further investigation.

I hope this information helps. Please do let us know if you have any further queries.
Scott Hietpas 11 Reputation points

2025-10-20T14:05:09.57+00:00

I am using RBAC permissions on ADLS rather than folder-level ACLs. Network configuration and other Unity Catalog permissions can be ruled out since I am able to read files successfully once account-level permissions are applied. I only need read-level access, so Storage Blob Data Reader is sufficient.

I don't see any documentation suggesting that account-level permissions are required in additional to container-level permissions. This would be a gap in functionality since we should assign least privilege. And it seems like there is sufficient permissions since Unity Catalog can browse the folders and files within explorer...it just cannot read contents of files using compute. So, I do believe this may be a bug in how Databricks is accessing the container on read.
Kalyani Kondavaradala 3,230 Reputation points Microsoft External Staff Moderator

2025-10-20T15:15:21.1066667+00:00

Hi Scott Hietpas,

Thank you for the response!

Have you tested access using a non-serverless cluster (e.g., Single User or Standard) to confirm whether container-level RBAC works there?

Could you please share a screenshot showing whether you’re able to access the storage account from Databricks? Also, have you configured Databricks to access the storage account(Mount)?

Reference:

https://free.blessedness.top/en-us/azure/databricks/connect/storage/azure-storage

Thanks!

Kalyani
Scott Hietpas 11 Reputation points

2025-10-20T16:52:50.1466667+00:00

Yes, I get the same error when running on a non-serverless cluster (single node, 16.4 LTS). I can access the store from Databricks once I enable account-level role of "Storage Blob Data Reader". With only the container-level role in place, I am not able to access from compute. However, as captured in original issue, I can Browse the folders / files metadata on the External Location definition in Catalog Explorer.

The Credentials used by the External Location are the Databricks Access Connector. I was able to reproduce this in a sandbox environment. I was able to confirm that access worked once I added account-level permissions. After I remove, it would continue to work for a few hours - even if I setup a different Credential. However, eventually that will stop working - not sure if it just takes time for the permission to propagate?

So, Catalog Explorer can browse. I can read file contents using compute when account level permission is added. Without account-level role, the exact same notebook / query will fail with PERMISSION_DENIED. I don't believe it should be necessary to have account-level Storage Blob Data Reader role.

By the way, I did add Limit to read-only use on the External Location to help ensure it would not attempt to write (since only read is required). However, this did not make any difference. It works with read-only access once applied at the account level, so I don't believe it is attempting to write...it just has some sort of read request that appears to escalate to the account level.
Kalyani Kondavaradala 3,230 Reputation points Microsoft External Staff Moderator

2025-10-20T17:19:00.47+00:00
Hi Scott Hietpas,

Thank you for the details,

Databricks Runtime Version: Check if you're using the latest version of the Databricks runtime. Occasionally, older versions may have bugs or limitations fixed in newer updates.

Just to clarify, when you assign the Storage Blob Data Reader role at the account level, are you able to successfully access and read the external file location from compute?

Can you provide the specific configuration details of your external location settings in Databricks?

Have you checked the resource logs in Azure to see any details regarding access denials during your attempts?

Thanks!
Scott Hietpas 11 Reputation points

2025-10-20T19:05:27.2633333+00:00

Regarding Databricks Runtime version, Serverless will use latest (managed by Databricks). When I ran using a non-serverless cluster, I used 16.4 LTS (includes Apache Spark 3.5.2, Scala 2.12).

Yes, when I assign Storage Blob Data Reader at the account level, I am able to successfully access and read the external file location from compute.
Here is the External Location config:
Pratyush Vashistha 4,255 Reputation points Microsoft External Staff Moderator

2025-10-21T04:29:26.7466667+00:00
Thanks again for the detailed follow-up — this helps a lot. I see you’re using Databricks Runtime 16.4 LTS (non-serverless) and that assigning Storage Blob Data Reader at the account level does resolve the issue, which confirms the root cause is permission related.

Since your external location uses a managed identity via an access connector (as shown in your screenshot), and you’ve confirmed RBAC works at the account level, the likely culprit is ACLs on the specific ADLS Gen2 path — not the storage account or container-level RBAC. Even if the managed identity has Storage Blob Data Reader role, ADLS Gen2’s hierarchical namespace enforces POSIX-style ACLs that can override RBAC at the directory or file level.

Here’s what I’d suggest: Go into Azure Storage Explorer or use Azure CLI to check the ACLs on the exact folder or file path you’re trying to access — especially the parent directories leading up to it. The managed identity needs “r-x” (read + execute) on all parent folders and “r--” on the files themselves. If any folder in the path has restrictive ACLs (like no execute permission), you’ll get PERMISSION_DENIED even with correct RBAC.

You can verify this using: az storage fs access show --path <your-path> --file-system <container-name> --account-name <storage-account>

Also, since you’re using a managed identity via access connector, double-check that the connector is properly registered and assigned to the workspace — sometimes a misconfigured connector ID can silently fail even if RBAC looks right.

One quick question to help further:

Are you able to list the contents of the external location using dbutils.fs.ls("abfss://...")? Or does the error occur only when reading actual files?

For reference, Microsoft’s guidance on ACLs in ADLS Gen2 is up to date here: https://free.blessedness.top/en-us/azure/storage/blobs/data-lake-storage-access-control

And the integration steps for Databricks access connectors with managed identities: https://free.blessedness.top/en-us/azure/databricks/data/data-sources/azure/adls-gen2/azure-datalake-gen2-sp-access

Thanks

Pratyush
Scott Hietpas 11 Reputation points

2025-10-21T21:24:23.0166667+00:00

Since I am able to access the folders/files once account-level permissions are added, it is not ACL related. I did not need to change any ACL to allow it to work. The real question is why the compute calls require escalated (account-level) permission when being called. If the container has sufficient permissions, then the account-level permissions should not matter.

However, in answer to your question, I get an error when using dbutils.fs.ls to list External Location contents (using any compute type) without the account-level role. Once the account-level role is added, it works as expected.

So, the question is why the exact same code attempting to read an external location pointing to a container ABFSS location requires account-level / escalated permissions. My understanding is that we should be able to grant access to the container level directly without requiring account-level permissions. For example, we currently use Azure Data Factory to read from the same container without issue - it only requires read access at the container level. Furthermore, Databricks can also browse the content in Unity Catalog Explorer, so it has permissions.

I suspect this may be a bug in how Azure Databricks is implementing the read from External Location. This is repeatable, so an engineer should be able to reproduce the exact same scenario.
Kalyani Kondavaradala 3,230 Reputation points Microsoft External Staff Moderator

2025-10-22T08:58:14.14+00:00

Hi Scott Hietpas,

Thank you for your response.

Please allow us some time to reproduce the issue on our end, we’ll get back to you with an update

Thank you for your patience!

Kalyani
Scott Hietpas 11 Reputation points

2025-10-22T15:30:07.72+00:00

ACLs should not be required. Despite that, I did attempt to add ACLs, but this had no effect - as expected since they would be ignored based on already having course-grained RBAC access. See storage access control model: https://free.blessedness.top/en-us/azure/storage/blobs/data-lake-storage-access-control-model#:~:text=you%20cannot%20use%20an%20ACL%20to%20restrict%20access%20that%20has%20already%20been%20granted%20by%20a%20role%20assignment%20and%20its%20conditions.%20That%27s%20because%20the%20system%20evaluates%20Azure%20role%20assignments%20and%20conditions%20first%2C%20and%20if%20the%20assignment%20grants%20sufficient%20access%20permission%2C%20ACLs%20are%20ignored.
Sina Salam 25,926 Reputation points Volunteer Moderator

2025-10-22T16:32:48.4566667+00:00

Do you re-start after your implementation?
Sina Salam 25,926 Reputation points Volunteer Moderator

2025-10-22T16:39:41.35+00:00
Hi Scott Hietpas,

Thanks for your feedback.

For this kind of an issue, I will suggest you keep your current container‑scoped RBAC (Storage Blob Data Reader on the specific container) for data operations and then add a second, minimal account‑scope assignment of the same role but constrained with Azure ABAC conditions so it only authorizes requests for that one container (and optional subpath) this satisfies any account‑level checks compute performs while preserving least privilege. After that, restart the SQL warehouse/cluster or sign out/in to refresh tokens and allow up to 30 minutes for RBAC propagation, if your storage uses firewalls and you’re on Serverless SQL, ensure the serverless compute subnets are allowed. Validate the Unity Catalog objects by describing the external location and showing grants to confirm workspace and principal permissions. - https://free.blessedness.top/en-us/azure/role-based-access-control/troubleshooting.

You can also validate UC permissions (run in a Databricks SQL editor or notebook):

DESCRIBE EXTERNAL LOCATION my_ext_loc; SHOW GRANTS ON EXTERNAL LOCATION my_ext_loc;

https://free.blessedness.top/en-us/azure/databricks/connect/unity-catalog/cloud-storage/external-locations

Also, for an example ABAC condition (attach to a Storage account–scope, Storage Blob Data

Reader assignment, limiting access to one container and prefix):

{ "Version": "1.0", "Condition": { "StringEquals": { "storage:containerName": "my-container" }, "StringLike": { "storage:blobPath": "restricted-prefix/*" } } }

https://free.blessedness.top/en-us/azure/storage/blobs/storage-auth-abac

Then, re-test from compute:

# Python in a notebook (fresh cluster/warehouse session) dbutils.fs.ls("abfss://******@myaccount.dfs.core.windows.net/restricted-prefix/")

If you’re using Serverless SQL with storage firewalls, also follow this link for more details: https://free.blessedness.top/en-us/azure/databricks/admin/sql/serverless.

Success
Scott Hietpas 11 Reputation points

2025-10-22T16:41:41.1866667+00:00

Sina, I have restarted. This does not have any impact.

2 answers

Your answer

Mahesh Kurva 9,650 Reputation points Microsoft External Staff Moderator

2025-10-20T13:41:35.01+00:00

Hi Scott Hietpas ,

Greetings!!

It looks like you're encountering a "PERMISSION_DENIED" issue when trying to access your ADLS Gen2 storage container from Azure Databricks, despite having the "Storage Blob Data Reader" role and the correct Unity Catalog permissions in place.

Here are a few things you can check to troubleshoot the problem:

Role Assignment: While you mentioned you have the "Storage Blob Data Reader" role on the container, ensure that the service principal that Databricks uses is also granted the appropriate permissions. For accessing storage, the "Storage Blob Data Contributor" role could be beneficial. However, since you want to avoid account-level access, check if you can manage permissions at the container level effectively.

Check ACLs: Review the Access Control Lists (ACLs) settings on your ADLS container. Proper ACLs need to be set for the service principal to allow it to read files from that specific container. You can find more information about setting ACLs here.

Network Configuration: Ensure there are no network misconfigurations or firewalls blocking access to your storage account. If you're using a private endpoint, ensure it's correctly configured and that the necessary peering is set up between your Databricks workspace and the private endpoint's virtual network. More on this can be found here.

External Location Configuration: Verify the settings for your external location in Databricks to ensure it’s correctly pointing to the ADLS Gen2 storage endpoint.

Check Compatibility: Since you mentioned this seems to work when you assign account-level permissions, it may be worth noting this could be a limitation or specific behavior within Databricks when leveraging container-level access, which may require further investigation.

I hope this information helps. Please do let us know if you have any further queries.
Scott Hietpas 11 Reputation points

2025-10-20T14:05:09.57+00:00

I am using RBAC permissions on ADLS rather than folder-level ACLs. Network configuration and other Unity Catalog permissions can be ruled out since I am able to read files successfully once account-level permissions are applied. I only need read-level access, so Storage Blob Data Reader is sufficient.

I don't see any documentation suggesting that account-level permissions are required in additional to container-level permissions. This would be a gap in functionality since we should assign least privilege. And it seems like there is sufficient permissions since Unity Catalog can browse the folders and files within explorer...it just cannot read contents of files using compute. So, I do believe this may be a bug in how Databricks is accessing the container on read.
Kalyani Kondavaradala 3,230 Reputation points Microsoft External Staff Moderator

2025-10-20T15:15:21.1066667+00:00

Hi Scott Hietpas,

Thank you for the response!

Have you tested access using a non-serverless cluster (e.g., Single User or Standard) to confirm whether container-level RBAC works there?

Could you please share a screenshot showing whether you’re able to access the storage account from Databricks? Also, have you configured Databricks to access the storage account(Mount)?

Reference:

https://free.blessedness.top/en-us/azure/databricks/connect/storage/azure-storage

Thanks!

Kalyani
Scott Hietpas 11 Reputation points

2025-10-20T16:52:50.1466667+00:00

Yes, I get the same error when running on a non-serverless cluster (single node, 16.4 LTS). I can access the store from Databricks once I enable account-level role of "Storage Blob Data Reader". With only the container-level role in place, I am not able to access from compute. However, as captured in original issue, I can Browse the folders / files metadata on the External Location definition in Catalog Explorer.

The Credentials used by the External Location are the Databricks Access Connector. I was able to reproduce this in a sandbox environment. I was able to confirm that access worked once I added account-level permissions. After I remove, it would continue to work for a few hours - even if I setup a different Credential. However, eventually that will stop working - not sure if it just takes time for the permission to propagate?

So, Catalog Explorer can browse. I can read file contents using compute when account level permission is added. Without account-level role, the exact same notebook / query will fail with PERMISSION_DENIED. I don't believe it should be necessary to have account-level Storage Blob Data Reader role.

By the way, I did add Limit to read-only use on the External Location to help ensure it would not attempt to write (since only read is required). However, this did not make any difference. It works with read-only access once applied at the account level, so I don't believe it is attempting to write...it just has some sort of read request that appears to escalate to the account level.
Kalyani Kondavaradala 3,230 Reputation points Microsoft External Staff Moderator

2025-10-20T17:19:00.47+00:00

Hi Scott Hietpas,

Thank you for the details,

Databricks Runtime Version: Check if you're using the latest version of the Databricks runtime. Occasionally, older versions may have bugs or limitations fixed in newer updates.

Just to clarify, when you assign the Storage Blob Data Reader role at the account level, are you able to successfully access and read the external file location from compute?

Can you provide the specific configuration details of your external location settings in Databricks?

Have you checked the resource logs in Azure to see any details regarding access denials during your attempts?

Thanks!
Scott Hietpas 11 Reputation points

2025-10-20T19:05:27.2633333+00:00

Regarding Databricks Runtime version, Serverless will use latest (managed by Databricks). When I ran using a non-serverless cluster, I used 16.4 LTS (includes Apache Spark 3.5.2, Scala 2.12).

Yes, when I assign Storage Blob Data Reader at the account level, I am able to successfully access and read the external file location from compute.
Here is the External Location config:
Scott Hietpas 11 Reputation points

2025-10-21T21:24:23.0166667+00:00

Since I am able to access the folders/files once account-level permissions are added, it is not ACL related. I did not need to change any ACL to allow it to work. The real question is why the compute calls require escalated (account-level) permission when being called. If the container has sufficient permissions, then the account-level permissions should not matter.

However, in answer to your question, I get an error when using dbutils.fs.ls to list External Location contents (using any compute type) without the account-level role. Once the account-level role is added, it works as expected.

So, the question is why the exact same code attempting to read an external location pointing to a container ABFSS location requires account-level / escalated permissions. My understanding is that we should be able to grant access to the container level directly without requiring account-level permissions. For example, we currently use Azure Data Factory to read from the same container without issue - it only requires read access at the container level. Furthermore, Databricks can also browse the content in Unity Catalog Explorer, so it has permissions.

I suspect this may be a bug in how Azure Databricks is implementing the read from External Location. This is repeatable, so an engineer should be able to reproduce the exact same scenario.
Kalyani Kondavaradala 3,230 Reputation points Microsoft External Staff Moderator

2025-10-22T08:58:14.14+00:00

Hi Scott Hietpas,

Thank you for your response.

Please allow us some time to reproduce the issue on our end, we’ll get back to you with an update

Thank you for your patience!

Kalyani
Scott Hietpas 11 Reputation points

2025-10-22T15:30:07.72+00:00

ACLs should not be required. Despite that, I did attempt to add ACLs, but this had no effect - as expected since they would be ignored based on already having course-grained RBAC access. See storage access control model: https://free.blessedness.top/en-us/azure/storage/blobs/data-lake-storage-access-control-model#:~:text=you%20cannot%20use%20an%20ACL%20to%20restrict%20access%20that%20has%20already%20been%20granted%20by%20a%20role%20assignment%20and%20its%20conditions.%20That%27s%20because%20the%20system%20evaluates%20Azure%20role%20assignments%20and%20conditions%20first%2C%20and%20if%20the%20assignment%20grants%20sufficient%20access%20permission%2C%20ACLs%20are%20ignored.
Sina Salam 25,926 Reputation points Volunteer Moderator

2025-10-22T16:32:48.4566667+00:00

Do you re-start after your implementation?
Scott Hietpas 11 Reputation points

2025-10-22T16:41:41.1866667+00:00

Sina, I have restarted. This does not have any impact.

Answer 1

Hello Scott Hietpas,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are experiencing a PERMISSION_DENIED error in Azure Databricks when accessing files from an Azure Data Lake Storage Gen2 (ADLS) container, even though container-level Storage Blob Data Reader permissions have been granted.

The reason is because ADLS Gen2 enforces both Azure RBAC and POSIX-style Access Control Lists (ACLs). To resolve this without using broad account-level permissions, it’s crucial to configure the correct identity, scope, and ACLs at the container and directory levels.

First, identify the exact principal Databricks compute uses to access ADLS. Unity Catalog’s Explorer and compute workloads might use different identities typically, the Databricks Access Connector’s managed identity or a user-assigned managed identity linked to the storage credential. You can verify this by checking your Databricks External Location > Storage Credential settings or by reviewing storage access logs to confirm which principal ID performs read operations. - Databricks Access Connector Identity

Next, confirm the RBAC assignment at the container level. Use the Azure CLI to ensure the correct principal has the Storage Blob Data Reader role assigned at container scope:

az role assignment create \
  --assignee <principal-object-id> \
  --role "Storage Blob Data Reader" \
  --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<storageAccount>/blobServices/default/containers/<containerName>

For a reference - Azure RBAC for Storage Data Access

Then, inspect and configure ADLS ACLs using:

az storage fs access show \
  --account-name <storageAccount> \
  --file-system <containerName> \
  --path "<path/to/directory-or-file>" \
  --auth-mode login

The compute identity must have execute (x) permission on every parent directory, read + execute (r-x) on the directory containing the data, and read (r--) on files. To apply these permissions, use:

az storage fs access set \
  --account-name <storageAccount> \
  --file-system <containerName> \
  --path "path/to/directory" \
  --acl "user:<objId>:r-x" \
  --auth-mode login

For many files or folders, apply ACLs recursively with:

az storage fs access set-recursive \
  --account-name <storageAccount> \
  --file-system <containerName> \
  --path "path/to/directory" \
  --acl "user:<objId>:r-x" \
  --auth-mode login

For a more details - Manage ACLs for ADLS Gen2

After updating permissions, verify access directly from your Databricks notebook:

dbutils.fs.ls("abfss://<container>@<storageAccount>.dfs.core.windows.net/path/to/directory") spark.read.text("abfss://<container>@<storageAccount>.dfs.core.windows.net/path/to/file.csv").show(5)

If the issue persists, check Azure Storage diagnostic logs in Log Analytics to identify the denied principalId and specific path. This confirms whether ACLs are applied to the correct identity. - Monitor and Troubleshoot Azure Storage Access

Lastly, avoid granting account-level permissions as a long-term solution. Instead, maintain least-privilege by aligning RBAC with container scope, ensuring consistent ACL inheritance, and validating permissions on all parent directories. For complex directory structures, automate ACL propagation using scripts. - Azure Data Lake Storage Gen2 Best Practices

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Answer 2

Scott Hietpas 11

Although I don't fully understand the "why", I do have a workaround that will meet my needs.

In short, we are unable to directly query the abfss location (using dbutils.fs, LIST, or other). Although this does seem to leverage the External Location definition (since I get a different error if no external location defined), the direct use of the external location seems to demand account-level permissions.

The workaround is to define an External Volume based on the external location. When accessing using the volume (vs explicit abfss path), then Unity Catalog seems to support access directly to the container level.

Kalyani Kondavaradala 3,230 Reputation points Microsoft External Staff Moderator

2025-10-27T09:23:36.2333333+00:00

Hi Scott Hietpas,

You’re absolutely right that once the external location is defined, Databricks starts using its credentials (via the access connector) for ABFSS paths, which is why the error changes from a config issue to PERMISSION_DENIED. However, raw ABFSS access (like LIST 'abfss://...' or dbutils.fs.ls) doesn’t fully leverage Unity Catalog’s secure credential delegation, even when tied to an external location. That’s why it often still requires account-level RBAC, while External Volumes (which are native Unity Catalog objects) correctly honor container-level permissions.

Since you’ve confirmed Volumes work with just container-level access, matching your Azure Data Factory pattern, you’ve landed on the recommended approach for ingesting raw files like CSVs or ZIPs in a Unity Catalog environment.

This isn’t a workaround, it’s by design. Microsoft and Databricks both advise using Volumes for unstructured data: https://free.blessedness.top/en-us/azure/databricks/volumes/volume-files

Glad you have a working solution, and thanks again for sharing such a clear and detailed Information.

Thanks!

Kalyani

Share via

Azure Databricks PERMISSION_DENIED on ADLS container, seems to require account-level access

2 answers

Your answer