Tags: azure-devops, azure-data-factory

Azure Data Factory AuthorizationFailed error when trying to access Resource Group during DevOps pipeline activation


I am executing a pipeline within my CI/CD environment in DevOps. I am trying to push changes from our UAT environment to our Prod environment. Everything appears to be working fine in our UAT environment, but when I try to execute the YAML code below in the adf_publish branch, I get this error in Azure DevOps:

    HTTP Status Code: Forbidden Error Code: AuthorizationFailed Error
    Message: The client '5230e451-6413-4625-8638-867930a514ce' with object id '5230e451-6413-4625-8638-86xxxxxa514ce' does not have authorization to perform action 'Microsoft.DataFactory/factories/triggers/read' over scope '/subscriptions/5fa2700d-738a-444e-xxxxxx241a29d08d/resourceGroups/caplogic-warehouse-prod-rg/providers/Microsoft.DataFactory/factories/caplogic-warehouse-prod-df' or the scope is invalid. If access was recently granted, please refresh your credentials. Request Id: 612eedb8-cc4d-4d17-a917-78c09xxxxxefc Timestamp


- task: AzurePowerShell@5
  inputs:
    azureSubscription: 'ConnectionNew2025'
    ScriptType: 'FilePath'
    ScriptPath: '$(System.DefaultWorkingDirectory)/caplogic-warehouse-dev-df/PrePostDeploymentScript.ps1'
    ScriptArguments: '-armTemplate "$(System.DefaultWorkingDirectory)/caplogic-warehouse-dev-df/ARMTemplateForFactory.json" -ResourceGroupName $(ResourceGroupPrd) -DataFactoryName $(DataFactoryPrd) -predeployment $true -deleteDeployment $false'
    azurePowerShellVersion: 'LatestVersion'

This is extremely strange, as I don't have the same issue with any of the other ADFs.


Solution

  • The error message clearly states that the Service Principal (or Managed Identity) used by the Azure Resource Manager service connection does not have the Reader role permission on the target ADF.

    To read the child resources of a Data Factory (such as datasets, linked services, pipelines, triggers, and integration runtimes) using a Service Principal (or Managed Identity), you need to ensure the Service Principal (or Managed Identity) has any of the following roles assigned:

    1. The Reader role assigned at the ADF level.

    2. The Reader role assigned at the Resource Group level or above. By default, the Reader role is automatically inherited at the ADF level under the Resource Group.


    If you want to manage (create, edit, and delete) the child resources for Data Factory using a Service Principal (or Managed Identity) with PowerShell, you can assign the Contributor role to the Service Principal (or Managed Identity) at the ADF level or above.


    For more details, see "Roles and permissions for Azure Data Factory".
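The check the answer describes, as an added example (not code from the question, the answer, or the PrePostDeploymentScript.ps1 shipped with ADF): it lists the role assignments the service connection's Service Principal holds at the target factory scope, including those inherited from the resource group or subscription, and grants Reader (or Contributor, for manage rights) at the ADF scope only if none of them is sufficient. The object id, resource group and factory name are placeholders, and the script assumes an interactive Connect-AzAccount session with rights to assign roles.

```powershell
# Added example, not part of the original post. Run after Connect-AzAccount with an
# account that may assign roles on the resource group (Owner / User Access Administrator).
param(
    # Placeholder: the "object id" quoted in the AuthorizationFailed message.
    [string]$ServicePrincipalObjectId = '<object-id-from-the-error-message>',
    # Placeholders: same values the pipeline passes as $(ResourceGroupPrd) / $(DataFactoryPrd).
    [string]$ResourceGroupName        = '<ResourceGroupPrd>',
    [string]$DataFactoryName          = '<DataFactoryPrd>',
    # Reader is enough for the pre-deployment step (it only reads triggers etc.);
    # use Contributor if the same principal must also create/edit/delete child resources.
    [ValidateSet('Reader', 'Contributor')]
    [string]$RequiredRole = 'Reader'
)

$subId    = (Get-AzContext).Subscription.Id
$adfScope = "/subscriptions/$subId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.DataFactory/factories/$DataFactoryName"

# Get-AzRoleAssignment -Scope returns assignments made directly at this scope plus
# those inherited from the resource group, subscription and management group.
$existing = Get-AzRoleAssignment -ObjectId $ServicePrincipalObjectId -Scope $adfScope

# Built-in roles whose permissions cover the requested one.
$sufficient = switch ($RequiredRole) {
    'Reader'      { 'Reader', 'Contributor', 'Owner', 'Data Factory Contributor' }
    'Contributor' { 'Contributor', 'Owner', 'Data Factory Contributor' }
}

$match = $existing | Where-Object { $_.RoleDefinitionName -in $sufficient }
if ($match) {
    $match | ForEach-Object {
        Write-Host "OK: '$($_.RoleDefinitionName)' is granted at scope '$($_.Scope)'"
    }
    return
}

Write-Host "No sufficient role found at '$adfScope'; assigning '$RequiredRole' at the ADF scope."
New-AzRoleAssignment -ObjectId $ServicePrincipalObjectId `
                     -RoleDefinitionName $RequiredRole `
                     -Scope $adfScope
# Role assignments can take a few minutes to propagate before the pipeline stops failing.
```

Granting at the ADF scope keeps the principal's rights limited to that one factory; assigning at the resource group instead gives it the same role on every resource in the group.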