MetricSign
Medium severity | data flow

Power BI Refresh Error: DF-Executor-UnauthorizedStorageAccess

What does this error mean?

The data flow identity does not have permission to access the storage account. The managed identity, service principal, or SAS token used by the linked service is missing the required RBAC role on the storage account or container.

Common causes

  • The ADF managed identity lacks the 'Storage Blob Data Reader' role on the source storage account or the 'Storage Blob Data Contributor' role on the sink storage account
  • A SAS token used by the linked service has expired or was revoked; SAS tokens have a hard expiry date and silently stop working after it
  • The storage account was recently moved to a different resource group or subscription, invalidating the existing RBAC role assignments
  • A self-hosted integration runtime is used and the machine's local identity or the service account configured in the linked service does not have storage access

How to fix it

  1. In the Azure portal, go to the storage account's Access Control (IAM) and verify that the data flow's managed identity or service principal has the 'Storage Blob Data Reader' role (for a source) or the 'Storage Blob Data Contributor' role (for a sink).
  2. If using a self-hosted IR, the IR host machine's identity or the credentials configured in the linked service must have storage access. Check both the linked service authentication settings and the RBAC assignments.
  3. Verify that the storage account firewall is not blocking the Azure IR IP addresses. If the storage account has 'Selected networks' enabled, add the ADF integration runtime's public IPs or enable 'Allow trusted Microsoft services'.
  4. If using SAS token authentication, confirm the SAS token has not expired and includes the required permissions (read, write, list) for the relevant containers.
  5. Run 'Test connection' on the storage linked service after updating permissions. Permission changes can take up to 5 minutes to propagate.

Frequently asked questions

How do I check which RBAC roles are assigned to the ADF managed identity?

In the Azure portal, go to storage account > Access Control (IAM) > Role assignments and filter by the ADF instance name. Verify it has Storage Blob Data Reader (source) or Contributor (sink) assigned.

We use a SAS token for authentication — how do I check if it expired?

Find the 'se=' parameter in the SAS token. If it has expired, generate a new token from the storage account's Shared access signature blade and update the linked service.
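The check described above, as an added Python example that is not from the original page: it reads `se`, `st` and `sp` from a SAS token or SAS URL and reports expiry and missing permissions. The function name `check_sas`, the sample token and the treatment of tokens that rely on a stored access policy (`si`) are assumptions of this example.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Timestamp formats Azure Storage accepts for st/se (always UTC).
_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def _parse_time(value):
    for fmt in _FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def check_sas(token, required="rl", now=None):
    """Return findings for a SAS token or SAS URL; an empty list means OK."""
    now = now or datetime.now(timezone.utc)
    query = urlsplit(token).query if "?" in token else token
    params = {k: v[0] for k, v in parse_qs(query).items()}
    findings = []
    if "sig" not in params:
        findings.append("no sig field: not a complete SAS token")
    if "se" in params:
        expiry = _parse_time(params["se"])
        if expiry <= now:
            findings.append(f"expired at {expiry.isoformat()}")
    elif "si" in params:
        # Expiry lives in the stored access policy, not in the token.
        findings.append(f"expiry is set by stored access policy {params['si']}")
    else:
        findings.append("no se field and no stored access policy")
    if "st" in params and _parse_time(params["st"]) > now:
        findings.append("not valid yet: st is in the future")
    if "sp" in params:
        missing = sorted(set(required) - set(params["sp"]))
        if missing:
            findings.append("missing permissions: " + "".join(missing))
    elif "si" not in params:
        findings.append("no sp field")
    return findings


if __name__ == "__main__":
    # Constructed sample token; the sig value is a placeholder, not a real signature.
    sample = "?sv=2022-11-02&sp=rl&se=2025-01-01T00:00:00Z&sig=CONSTRUCTED"
    for finding in check_sas(sample, required="rwl"):
        print(finding)
```

The function only checks that `sig` is present and never reads its value, so the signature can be redacted before the token is pasted into a ticket or script.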

Why did this start failing after we moved the storage account to a new resource group?

Moving a resource group invalidates RBAC assignments at that scope. Storage-account-level assignments are preserved, but resource-group-level assignments are not transferred — re-assign them at the storage account level.

Will downstream Power BI datasets be affected?

Yes — the pipeline fails immediately without reading or writing any data. Dependent datasets serve stale figures until access is restored.

Official documentation: https://learn.microsoft.com/en-us/azure/data-factory/data-flow-troubleshoot-guide
