What causes DF-MSSQL-InvalidFirewallSetting?

The SQL Server firewall does not allow ADF Azure IR's Spark node IP ranges. 'Allow Azure services and resources to access this server' is disabled on the Azure SQL Server firewall. A specific IP rule that was previously covering ADF's IP range was removed or changed. The pipeline uses a Managed VNet IR with a private endpoint, but the private endpoint is not correctly configured for the SQL Server

How do I fix DF-MSSQL-InvalidFirewallSetting?

In the Azure portal, go to Azure SQL Server > Networking > Firewalls and virtual networks.. Enable 'Allow Azure services and resources to access this server' — this covers ADF Azure IR Spark node IPs without needing explicit IP rules.. If the SQL Server is behind a private endpoint: in ADF Studio, open the pipeline's Integration Runtime settings and verify a Managed VNet IR is configured with a private endpoint to the SQL Server.. If using a Self-Hosted IR: ensure the machine running the SHIR can reach the SQL Server on port 1433.. Test connection the SQL linked service and confirm connectivity before re-running the pipeline.

Medium severitydata source

Power BI Refresh Error:
DF-MSSQL-InvalidFirewallSetting

What does this error mean?

The Azure SQL Server or SQL Server firewall is blocking the ADF Mapping Data Flow Spark cluster's connection. Mapping Data Flows run on Azure IR Spark nodes with dynamic outbound IP addresses — if the SQL Server firewall only allows specific IPs, Spark nodes will be blocked unless 'Allow Azure services and resources to access this server' is enabled.

Common causes

1The SQL Server firewall does not allow ADF Azure IR's Spark node IP ranges
2'Allow Azure services and resources to access this server' is disabled on the Azure SQL Server firewall
3A specific IP rule that was previously covering ADF's IP range was removed or changed
4The pipeline uses a Managed VNet IR with a private endpoint, but the private endpoint is not correctly configured for the SQL Server

How to fix it

1In the Azure portal, go to Azure SQL Server > Networking > Firewalls and virtual networks.
2Enable 'Allow Azure services and resources to access this server' — this covers ADF Azure IR Spark node IPs without needing explicit IP rules.
3If the SQL Server is behind a private endpoint: in ADF Studio, open the pipeline's Integration Runtime settings and verify a Managed VNet IR is configured with a private endpoint to the SQL Server.
4If using a Self-Hosted IR: ensure the machine running the SHIR can reach the SQL Server on port 1433.
5Test connection the SQL linked service and confirm connectivity before re-running the pipeline.

Frequently asked questions

Does this error affect all pipeline runs or just the current one?

Depends on the root cause. A persistent misconfiguration fails every run; a transient issue may resolve on retry. Check the run history.

Can this error appear in Azure Data Factory and Microsoft Fabric pipelines?

Yes — the same connector errors appear in both ADF and Fabric Data Factory pipelines.

How do I see the full error detail for an ADF pipeline failure?

In ADF Monitor, click the failed run, then the failed activity. The detail pane shows the error code, message, and sub-error codes.

Will downstream Power BI datasets be affected when an ADF pipeline fails?

Yes — a dataset refreshing after the pipeline will use stale data or fail if the target table was cleared. The Power BI refresh may succeed while serving wrong data.

Official documentation: https://learn.microsoft.com/en-us/azure/data-factory/data-flow-troubleshoot-guide