How do I fix DF-GEN2-InvalidAuthConfiguration?

Open the ADLS Gen2 linked service in ADF Studio and check the authentication method configured (account key, service principal, or managed identity).. If using account key: verify the key is current in the Azure portal under Storage Account > Access keys, and update it in the linked service.. If using service principal: confirm the app registration has 'Storage Blob Data Reader' or 'Contributor' role on the storage account in Azure IAM.. If using managed identity: verify the ADF managed identity has the required Storage Blob Data role on the Gen2 account in Azure IAM.. Test connection the linked service to confirm the credential is accepted.

Medium severitydata source

Power BI Refresh Error:
DF-GEN2-InvalidAuthConfiguration

What does this error mean?

The ADLS Gen2 linked service authentication is misconfigured — the authentication type (managed identity, service principal, or account key) doesn't match the storage account's access policy, or the credentials are invalid.

Common causes

1The authentication type or credentials for the Azure Data Lake Storage Gen2 connector are not correctly configured
2Managed identity, service principal, or account key settings are missing or invalid
3The integration runtime does not have the required permissions to authenticate

How to fix it

1Open the ADLS Gen2 linked service in ADF Studio and check the authentication method configured (account key, service principal, or managed identity).
2If using account key: verify the key is current in the Azure portal under Storage Account > Access keys, and update it in the linked service.
3If using service principal: confirm the app registration has 'Storage Blob Data Reader' or 'Contributor' role on the storage account in Azure IAM.
4If using managed identity: verify the ADF managed identity has the required Storage Blob Data role on the Gen2 account in Azure IAM.
5Test connection the linked service to confirm the credential is accepted.

Frequently asked questions

Which authentication method is recommended for ADLS Gen2 in production ADF?

Managed identity is recommended — it avoids storing credentials. The ADF managed identity needs 'Storage Blob Data Contributor' on the storage account in Azure IAM.

My account key was recently rotated — will that cause this error?

Yes — if the linked service stores the old account key, all runs fail after key rotation. Update the key in the ADF linked service to the new primary or secondary key.

How do I check if the service principal has the required role?

In the Azure portal, go to the storage account > Access Control (IAM) > Role Assignments. Verify the service principal has 'Storage Blob Data Contributor' or 'Storage Blob Data Reader'.

Official documentation: https://learn.microsoft.com/en-us/azure/data-factory/data-flow-troubleshoot-guide