Introduction

Azure Storage Accounts provide blob, file, queue, and table storage services. When a storage account becomes inaccessible, applications cannot read or write data, causing failures and data unavailability.

Symptoms

Access denied:

```json
{
  "error": {
    "code": "AuthorizationFailure",
    "message": "This request is not authorized to perform this operation using this permission"
  }
}
```

Firewall blocking:

```bash
$ curl https://mystorage.blob.core.windows.net/container/blob.txt

<?xml version="1.0" encoding="utf-8"?>
<Error>
  <Code>PublicAccessNotPermitted</Code>
  <Message>Public access is not permitted on this storage account.</Message>
</Error>
```

Connection failed:

```bash
$ az storage blob list \
    --account-name mystorage \
    --container-name mycontainer

The client 'user@example.com' with object id '...' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope
```

Common Causes

  1. Firewall blocking - Network rules deny client IP
  2. Public access disabled - Anonymous access blocked
  3. Missing RBAC permissions - User/service principal lacks access
  4. SAS token expired - Shared access signature invalid
  5. Account key rotated - Old key no longer works
  6. Private endpoint required - Storage uses private link
  7. DNS resolution issue - Cannot resolve storage endpoint
  8. HTTPS enforcement - HTTP requests blocked

Step-by-Step Fix

Step 1: Check Storage Account Status

```bash
# Check storage account exists and is accessible
az storage account show \
  --name mystorage \
  --resource-group my-rg \
  --query '{Name:name,Status:provisioningState,Location:location,Kind:kind}'

# Check whether anonymous blob access and shared key access are allowed
az storage account show \
  --name mystorage \
  --resource-group my-rg \
  --query '{AllowBlobPublicAccess:allowBlobPublicAccess,AllowSharedKeyAccess:allowSharedKeyAccess}'
```

Step 2: Check Network Firewall Rules

```bash
# Check firewall configuration
az storage account show \
  --name mystorage \
  --resource-group my-rg \
  --query 'networkAcls'

# Default action: Allow or Deny
# If Deny, check allowed IPs and subnets

# Add client IP to allowed list
CLIENT_IP=$(curl -s https://ifconfig.me)
az storage account network-rule add \
  --account-name mystorage \
  --resource-group my-rg \
  --ip-address "$CLIENT_IP"

# Allow Azure services
az storage account update \
  --name mystorage \
  --resource-group my-rg \
  --bypass AzureServices
```

Step 3: Check RBAC Permissions

```bash
# Check user permissions on storage account
az role assignment list \
  --scope /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorage \
  --query '[].{Role:roleDefinitionName,Principal:principalName}'

# Required roles:
# - Storage Blob Data Reader: Read access
# - Storage Blob Data Contributor: Read/write
# - Storage Blob Data Owner: Full access
# - Owner/Contributor: Account management (not data access)

# Assign missing role
az role assignment create \
  --assignee user@example.com \
  --role "Storage Blob Data Contributor" \
  --scope /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorage
```

Step 4: Check SAS Token Validity

```bash
# If using SAS token, check if expired
# SAS token contains expiry time: se=2024-01-15T12:00:00Z

# Generate new SAS token
az storage account generate-sas \
  --account-name mystorage \
  --permissions rwdl \
  --resource-types sco \
  --services b \
  --expiry 2024-12-31T23:59:00Z

# Use with blob operations
az storage blob list \
  --account-name mystorage \
  --container-name mycontainer \
  --sas-token "sv=2023-01-01&ss=b&srt=sco&sp=rwdl&se=..."

# Check SAS token error
# Common issues:
# - Expired (se parameter)
# - Invalid permissions (sp parameter)
# - Wrong resource type (srt parameter)
# - IP restriction (sip parameter)
```
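The four SAS failure modes listed above can be checked offline before a token is sent anywhere. The following Python is an added example, not part of the original guide: the function names and the sample token are constructed for illustration, and it assumes an account SAS carrying the `se`, `st`, `sp`, `srt` and `sip` parameters.

```python
from datetime import datetime, timezone
from ipaddress import ip_address
from urllib.parse import parse_qs

def parse_sas_time(value):
    """SAS times are UTC ISO 8601: with seconds, with minutes only, or date only."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS time: {value!r}")

def ip_in_sip(sip, client_ip):
    """sip is one address or an inclusive 'start-end' range."""
    start, _, end = sip.partition("-")
    return ip_address(start) <= ip_address(client_ip) <= ip_address(end or start)

def diagnose_sas(token, need_perms, need_types, client_ip, now=None):
    """Return the reasons an account SAS would be rejected; sig is never echoed."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    problems = []
    if "sig" not in q:
        problems.append("sig missing: token truncated or unsigned")
    if "se" not in q:
        problems.append("se missing: no expiry time")
    elif parse_sas_time(q["se"]) <= now:
        problems.append(f"expired: se={q['se']}")
    if "st" in q and parse_sas_time(q["st"]) > now:
        problems.append(f"not yet valid: st={q['st']}")
    lacking = sorted(set(need_perms) - set(q.get("sp", "")))
    if lacking:
        problems.append(f"sp lacks permission(s): {''.join(lacking)}")
    lacking = sorted(set(need_types) - set(q.get("srt", "")))
    if lacking:
        problems.append(f"srt lacks resource type(s): {''.join(lacking)}")
    if "sip" in q and not ip_in_sip(q["sip"], client_ip):
        problems.append(f"client {client_ip} outside sip={q['sip']}")
    return problems

# Constructed token for illustration; the sig value is a placeholder, not a real signature.
SAMPLE = ("sv=2023-01-01&ss=b&srt=o&sp=r&se=2024-01-15T12:00:00Z"
          "&sip=203.0.113.10-203.0.113.20&sig=PLACEHOLDER")

if __name__ == "__main__":
    # Listing blobs needs permission 'l' on resource type 'c' (container).
    for problem in diagnose_sas(SAMPLE, "rl", "c", "198.51.100.7"):
        print(problem)
```

Because the report names only the failing parameter and never the `sig` value, its output can be pasted into a ticket without leaking a usable token.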

Step 5: Regenerate Account Keys

```bash
# If using shared key authentication
# Check if key was rotated

# List current keys
az storage account keys list \
  --account-name mystorage \
  --resource-group my-rg \
  --query '[].{KeyName:keyName,Permissions:permissions}'

# Regenerate key if compromised
az storage account keys renew \
  --account-name mystorage \
  --resource-group my-rg \
  --key key1

# Update applications with new key
# CONNECTION_STRING="DefaultEndpointsProtocol=https;AccountName=mystorage;AccountKey=NEW_KEY;EndpointSuffix=core.windows.net"
```

Step 6: Check Private Endpoint Configuration

```bash
# If storage uses private endpoints
az storage account show \
  --name mystorage \
  --resource-group my-rg \
  --query '{PublicAccess:publicNetworkAccess,PrivateEndpoints:privateEndpointConnections}'

# If publicNetworkAccess is Disabled, must use private endpoint
# Check private endpoint exists (match on the target resource ID of the connection)
az network private-endpoint list \
  --resource-group my-rg \
  --query "[?contains(privateLinkServiceConnections[0].privateLinkServiceId, 'mystorage')].{Name:name,ConnectionState:privateLinkServiceConnections[0].privateLinkServiceConnectionState.status}"

# Create private endpoint if needed (--connection-name is required; the name here is an example)
az network private-endpoint create \
  --name mystorage-pe \
  --resource-group my-rg \
  --vnet-name my-vnet \
  --subnet my-subnet \
  --private-connection-resource-id /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorage \
  --group-id blob \
  --connection-name mystorage-pe-conn
```

Step 7: Check DNS Resolution

```bash
# Test DNS resolution
nslookup mystorage.blob.core.windows.net

# Should return IP address
# If using private endpoint, should return private IP

# Check private DNS zone
az network private-dns zone show \
  --name privatelink.blob.core.windows.net \
  --resource-group my-rg \
  --query '{Name:name,RecordSets: numberOfRecordSets}'

# Add DNS record if missing (10.0.0.5 = private endpoint IP)
az network private-dns record-set a add-record \
  --resource-group my-rg \
  --zone-name privatelink.blob.core.windows.net \
  --record-set-name mystorage \
  --ipv4-address 10.0.0.5
```

Step 8: Check HTTPS Enforcement

```bash
# Check if HTTPS required
az storage account show \
  --name mystorage \
  --resource-group my-rg \
  --query 'enableHttpsTrafficOnly'

# If true, HTTP requests fail
# Must use https:// in connection strings

# Disable HTTPS only for testing (not recommended for production)
az storage account update \
  --name mystorage \
  --resource-group my-rg \
  --https-only false
```

Step 9: Check Container/Blob Access Level

```bash
# Check container public access
az storage container show \
  --account-name mystorage \
  --name mycontainer \
  --query '{Name:name,PublicAccess:publicAccess}'

# None: No anonymous access
# Blob: Anonymous read for blobs only
# Container: Anonymous read for container and blobs

# Enable anonymous access (if policy allows)
az storage container set-permission \
  --account-name mystorage \
  --name mycontainer \
  --public-access blob

# Or disable public access
az storage container set-permission \
  --account-name mystorage \
  --name mycontainer \
  --public-access off
```

Step 10: Enable Diagnostic Logging

```bash
# Enable diagnostics to troubleshoot access issues
az monitor diagnostic-settings create \
  --name storage-logs \
  --resource /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorage \
  --workspace /subscriptions/SUB/resourcegroups/my-rg/providers/microsoft.operationalinsights/workspaces/my-workspace \
  --logs '[{"category":"StorageRead","enabled":true},{"category":"StorageWrite","enabled":true},{"category":"StorageDelete","enabled":true}]'
```

Storage Access Methods

| Method | Authentication | Use Case |
|---|---|---|
| Account Key | Shared key | Admin access |
| SAS Token | Shared Access Signature | Temp access |
| RBAC | Azure AD | User/service access |
| Public Access | Anonymous | Public read |
| Private Endpoint | VNet only | Secure access |
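The account-level checks from the steps above can be combined into one triage pass over saved `az storage account show` output. This Python is an added example, not part of the original guide: the sample JSON is constructed, the `auth` labels are assumptions, and the IP rule key is read as either `ipAddressOrRange` or `value` because the exact key name in the CLI output is assumed here.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample holding only the fields the guide's --query expressions read.
SAMPLE_ACCOUNT = json.loads("""
{
  "publicNetworkAccess": "Enabled",
  "enableHttpsTrafficOnly": true,
  "allowBlobPublicAccess": false,
  "allowSharedKeyAccess": false,
  "networkAcls": {
    "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}]
  }
}
""")

def triage(account, client_ip, scheme, auth):
    """Return (step, cause) pairs naming the step of this guide that applies.

    auth is 'anonymous', 'key', 'sas' (key-signed) or 'aad'; these labels are
    assumptions made for this example.
    """
    causes = []
    acls = account.get("networkAcls") or {}
    if account.get("publicNetworkAccess") == "Disabled":
        causes.append((6, "public network access disabled; a private endpoint is required"))
    elif acls.get("defaultAction") == "Deny":
        # Only IP rules are evaluated; virtual network (subnet) rules are not modelled.
        ranges = [r.get("ipAddressOrRange") or r.get("value") for r in acls.get("ipRules", [])]
        ip = ip_address(client_ip)
        if not any(ip in ip_network(r, strict=False) for r in ranges if r):
            causes.append((2, f"firewall default action is Deny and {client_ip} matches no IP rule"))
    if scheme == "http" and account.get("enableHttpsTrafficOnly"):
        causes.append((8, "HTTPS-only is enforced; use https://"))
    if auth == "anonymous" and account.get("allowBlobPublicAccess") is False:
        causes.append((9, "anonymous access is disabled at the account level"))
    if auth in ("key", "sas") and account.get("allowSharedKeyAccess") is False:
        causes.append((3, "shared key authorization is disabled; use Azure AD with an RBAC data role"))
    return causes

if __name__ == "__main__":
    for step, cause in triage(SAMPLE_ACCOUNT, "198.51.100.7", "http", "key"):
        print(f"Step {step}: {cause}")
```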

Verification

```bash
# After fixing access issues
# Test blob operations
az storage blob list \
  --account-name mystorage \
  --container-name mycontainer \
  --query '[].name'

# Upload test blob
echo "test content" > test.txt
az storage blob upload \
  --account-name mystorage \
  --container-name mycontainer \
  --name test.txt \
  --file test.txt

# Download test blob
az storage blob download \
  --account-name mystorage \
  --container-name mycontainer \
  --name test.txt \
  --file downloaded.txt

# Verify content
cat downloaded.txt
# Should show: test content

# Clean up
az storage blob delete \
  --account-name mystorage \
  --container-name mycontainer \
  --name test.txt
```

Prevention

To keep the storage account from becoming inaccessible again, put these proactive measures in place:

1. Monitor Storage Availability

```yaml
groups:
- name: azure-storage
  rules:
  - alert: AzureStorageAccountUnavailable
    expr: |
      azure_storage_availability_percentage < 99.9
    for: 5m
    labels:
      severity: critical
    annotations:
      summary: "Azure storage account availability below 99.9%"
```

2. Use Managed Identities for Access

```bash
# Enable managed identity for VM
az vm identity assign --name my-vm --resource-group my-rg

# Grant storage access (replace the placeholder with the identity's principal ID)
az role assignment create \
  --assignee "<principal-id>" \
  --role "Storage Blob Data Reader" \
  --scope /subscriptions/.../storageAccounts/mystorage

# Access from VM using managed identity
az vm run-command invoke \
  --vm-name my-vm \
  --resource-group my-rg \
  --command-id RunShellScript \
  --scripts "az storage blob list --account-name mystorage --auth-mode login"
```

3. Configure Network Security

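```bash
# Enable firewall with trusted IPs
# IP rules accept public ranges only; private (RFC 1918) ranges such as 10.0.0.0/24
# are rejected, so use subnet rules or a private endpoint for those.
# 203.0.113.0/24 is a documentation placeholder for your public range.
az storage account network-rule add \
  --account-name mystorage \
  --ip-address 203.0.113.0/24

# Allow trusted subnets
az storage account network-rule add \
  --account-name mystorage \
  --subnet /subscriptions/.../subnets/my-subnet

# Enable private endpoint for secure access (--connection-name is required; the name here is an example)
az network private-endpoint create \
  --name my-pe \
  --resource-group my-rg \
  --vnet-name my-vnet \
  --subnet my-subnet \
  --private-connection-resource-id /subscriptions/.../storageAccounts/mystorage \
  --group-id blob \
  --connection-name my-pe-conn
```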

Best Practices Checklist

  • [ ] Monitor storage availability
  • [ ] Use managed identities for access
  • [ ] Configure network security rules
  • [ ] Enable soft delete for recovery
  • [ ] Test access regularly
  • [ ] Document access patterns

Fix Azure Storage Account Inaccessible. Troubleshoot Azure storage account access issues. Check firewall rules, network configuration, and authentication. Source: https://www.fixwikihub.com/fix-azure-storage-account-inaccessible. Author: FixWikiHub Editorial Team (FixWikiHub). Published 2026-04-03; modified 2026-04-03.