AuthorizationPermissionMismatch Error when my Azure WebApp queries a storage account

Sumit Bhardwaj 80 Reputation points
2025-07-21T09:39:06.0666667+00:00

Hi,

I have an Azure WebApp that runs a query against a storage account, but I’m getting this error:

HttpResponseError: This request is not authorized to perform this operation using this permission.
RequestId:9d4d827a-f01e-0086-5812-fad2fb000000 Time:2025-07-21T07:37:18.8024713Z
ErrorCode:AuthorizationPermissionMismatch Content: <?xml version="1.0" encoding="utf-8"?>
<Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission. RequestId:9d4d827a-f01e-0086-5812-fad2fb000000
Time:2025-07-21T07:37:18.8024713Z</Message></Error>

I suspect this might be related to the permissions of the Managed Identity/Service Principal used by the WebApp.
How can I determine which permissions are missing for the operation I’m performing? Please help me to diagnose and resolve this issue.
Thanks!

Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.

Accepted answer
  1. Vimal Lalani 15 Reputation points Microsoft External Staff Moderator
    2025-08-08T10:48:36.6033333+00:00

    Hello Sumit Bhardwaj,

    Thank you for posting your question on the Microsoft Q&A forum.

    From your description, I understand that your Azure Web App is running a query against a Storage Account and you are encountering an error that you suspect is related to insufficient permissions for the Managed Identity or Service Principal used by the Web App. You would like to know how to determine and grant the necessary permissions to resolve this issue.

    In similar scenarios, I have been able to reproduce this issue when a .NET Core Web API attempted to access a Storage Account without the Managed Identity being assigned the Storage Blob Data Contributor role.

    Once this role was assigned, the error was resolved.

    Typically, to read and write blobs in Azure Storage, the Managed Identity of the Web App needs the Storage Blob Data Contributor role. You can assign this role as follows:

    Azure Portal:

    1. Go to your Azure Web App in the Azure Portal.
    2. In the left pane, under Settings, select Identity.
    3. Enable System assigned or select a User assigned identity.
    4. Click on Azure role assignments.
    5. Click Add role assignment.
    6. Set Scope to Storage, select the appropriate Subscription and Storage Account, and assign the role Storage Blob Data Contributor.

    Or using Azure CLI:

    # Enable the system-assigned managed identity on the Web App
    az webapp identity assign --name <WEBAPPNAME> --resource-group <RESOURCEGROUP>

    # Assign the Storage Blob Data Contributor role to that identity, scoped to the storage account
    az role assignment create \
      --assignee "$(az webapp identity show --name <WEBAPPNAME> --resource-group <RESOURCEGROUP> --query principalId -o tsv)" \
      --role "Storage Blob Data Contributor" \
      --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGEACCOUNTNAME>
    

    For more details on role-based access to Azure Storage, you can refer to the official documentation: Assign Azure roles using the Azure portal

    Feel free to post back if you have any further questions or need assistance with the workaround.

    1 person found this answer helpful.
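
Added example (not part of the original question or answer, and not Microsoft's code): one way to work out which permission is missing is to compare the roles assigned to the identity with the blob data action the request needs. The subscription ID, resource names and sample assignments below are constructed, and the check looks only at `dataActions` and scope inheritance (it ignores `notDataActions` and role conditions).

```python
import fnmatch

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
RG = SUB + "/resourceGroups/rg-demo"                          # constructed name
TARGET = RG + "/providers/Microsoft.Storage/storageAccounts/stdemo"
BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"

# dataActions of three built-in roles, as listed under "permissions" by
# `az role definition list --name "<role>"`. Contributor has none: it is a
# management-plane role and grants no access to blob data.
ROLE_DATA_ACTIONS = {
    "Contributor": [],
    "Storage Blob Data Reader": [BLOB + "read"],
    "Storage Blob Data Contributor": [BLOB + a for a in (
        "read", "write", "delete", "add/action", "move/action")],
}

# Constructed sample in the shape of
# `az role assignment list --assignee <principalId> --all -o json`.
ASSIGNMENTS = [
    {"roleDefinitionName": "Contributor", "scope": TARGET},
    {"roleDefinitionName": "Storage Blob Data Reader",
     "scope": RG + "/providers/Microsoft.Storage/storageAccounts/stother"},
]

def scope_covers(assigned, target):
    """An assignment applies to its own scope and everything beneath it."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def roles_granting(assignments, target_scope, data_action):
    """Names of assigned roles that allow data_action at target_scope."""
    hits = []
    for item in assignments:
        if not scope_covers(item["scope"], target_scope):
            continue
        patterns = ROLE_DATA_ACTIONS.get(item["roleDefinitionName"], [])
        if any(fnmatch.fnmatchcase(data_action.lower(), p.lower())
               for p in patterns):
            hits.append(item["roleDefinitionName"])
    return hits

if __name__ == "__main__":
    print("before:", roles_granting(ASSIGNMENTS, TARGET, BLOB + "write"))
    fixed = ASSIGNMENTS + [
        {"roleDefinitionName": "Storage Blob Data Contributor", "scope": RG}]
    print("after: ", roles_granting(fixed, TARGET, BLOB + "write"))
```

An empty result for the needed action means no assigned role covers it at that scope, even when the identity holds Contributor on the account itself.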