What causes DF-SQLDW-InternalErrorUsingMSI?

The ADF managed identity has not been added as a user in the Synapse dedicated SQL pool database. The ADF managed identity has the correct Azure role (Contributor) on the Synapse workspace but is missing the SQL-level database user. A transient Azure AD token issuance issue caused a one-time failure. The Synapse workspace was configured for SQL authentication only and does not allow managed identity connections

How do I fix DF-SQLDW-InternalErrorUsingMSI?

In the Azure portal, open the Synapse workspace and go to Synapse Studio > Manage > SQL pools.. Connect to the dedicated SQL pool using a SQL admin account and run: CREATE USER [ ] FROM EXTERNAL PROVIDER; ALTER ROLE db_datareader ADD MEMBER [ ]; ALTER ROLE db_datawriter ADD MEMBER [ ];.. Replace with the exact name of the ADF instance as shown in the Azure portal under the ADF resource overview (not the resource group name).. Verify the ADF managed identity also has the 'Storage Blob Data Contributor' role on the Synapse workspace's ADLS Gen2 storage account if using PolyBase staging.. After adding the database user, re-run Test connection on the linked service to confirm MSI auth works, then retry the pipeline.

Medium severitydata source

Power BI Refresh Error:
DF-SQLDW-InternalErrorUsingMSI

What does this error mean?

ADF failed to authenticate to Synapse Analytics using managed identity. The ADF instance or data flow cluster could not obtain a token or was rejected by Synapse.

Common causes

1The ADF managed identity has not been added as a user in the Synapse dedicated SQL pool database
2The ADF managed identity has the correct Azure role (Contributor) on the Synapse workspace but is missing the SQL-level database user
3A transient Azure AD token issuance issue caused a one-time failure
4The Synapse workspace was configured for SQL authentication only and does not allow managed identity connections

How to fix it

1In the Azure portal, open the Synapse workspace and go to Synapse Studio > Manage > SQL pools.
2Connect to the dedicated SQL pool using a SQL admin account and run: CREATE USER [<adf-instance-name>] FROM EXTERNAL PROVIDER; ALTER ROLE db_datareader ADD MEMBER [<adf-instance-name>]; ALTER ROLE db_datawriter ADD MEMBER [<adf-instance-name>];.
3Replace <adf-instance-name> with the exact name of the ADF instance as shown in the Azure portal under the ADF resource overview (not the resource group name).
4Verify the ADF managed identity also has the 'Storage Blob Data Contributor' role on the Synapse workspace's ADLS Gen2 storage account if using PolyBase staging.
5After adding the database user, re-run Test connection on the linked service to confirm MSI auth works, then retry the pipeline.

Frequently asked questions

What is the difference between the Azure RBAC role and the SQL database user for managed identity?

Azure RBAC roles control resource management. SQL users (via CREATE USER FROM EXTERNAL PROVIDER) control SQL-level access. Managed identity to Synapse requires both: an RBAC role for workspace access and a SQL user for query execution.

How do I find the correct name for the ADF managed identity?

The managed identity name matches the ADF instance name (e.g. my-data-factory). Use it in the CREATE USER statement. Find it in ADF Studio under Manage > Azure resources > Managed identity.

Can a transient Azure AD issue cause this error?

Yes — occasional token issuance failures can cause a one-time MSI error. Retry the pipeline once. If it fails consistently, the issue is structural (missing database user) and requires the CREATE USER fix.

Will downstream Power BI datasets be affected?

Yes — the pipeline fails without loading to Synapse. Dependent datasets will show stale data.

Official documentation: https://learn.microsoft.com/en-us/azure/data-factory/data-flow-troubleshoot-guide