Forum Discussion
Storage Accounts - Networking
Hi All,
Seems like a basic issue, however, I cannot seem to resolve the issue.
In a nutshell, a number of storage accounts (and other resources) were created with the Public Network Access
set as below:
I would like to change them all to Enabled from selected virtual networks and IP addresses or
even Disabled.
However, when I change to Enabled from selected virtual networks and IP addresses, connectivity from, for example,
Power BI to the Storage Account fails. I have added the VPN IPs, my local IP, etc.
But all continue to fail connection or authentication. Once it is changed back to Enabled for All networks everything works, i.e. Power BI can access the Azure Blob Storage and refresh successfully.
I have also enabled 'Allow Azure services on the trusted services list to access this storage account'.
But PBI fails to have access to the data. Data Source Credentials error, whether using Key, Service Principal, etc., it fails. As soon as I switch it back to Enable From All Networks, it authenticates straight away.
One more idea I had was to add ALL of the Resource Instances, as this would white list more Azure services, although PBI should be covered by enabling 'Allow Azure services on the trusted services list to access this storage account'. I thought I might give it a try.
Also, I created an NSG and used the ServiceTags file to create an inbound rule to allow Power BI from UK South.
Also, I have created a Private Endpoint.
This should all have worked but still can’t set it to restricted networks. I must be missing something fundamental or there is something fundamentally off with this tenant.
When any of the two restrictive options are selected, do they also block various Microsoft services?
Any help would be gratefully appreciated.
2 Replies
You may consider the below:
- Use an On-Premises Data Gateway
  - This is the most reliable workaround.
  - Install the gateway on a VM (on-prem or in Azure) that has access to the storage account.
  - Power BI Service connects through the gateway, which acts as a proxy.
  - This avoids the need to open your storage account to the public Internet.
- Use a Private Endpoint + DNS Configuration
  - The DNS resolution for the storage account points to the private endpoint.
  - Power BI is accessing the storage via a VNet that has access to the private endpoint.
  - If Power BI is outside the VNet, this won’t help unless you route traffic through a gateway or ExpressRoute.
- Add Power BI IP Ranges Manually
  - Microsoft publishes weekly JSON files with IP ranges for all services.
  - You can extract the Power BI Service IPs for your region and add them to your firewall rules.
_MoZZaBrass Contributor
Hi Kidd_Ip,
Thank you for your reply.
I had 'partially' implemented option 3. I say partially as I may have sourced the deprecated IP list from an older file. But I have downloaded the latest offering and applied all the PowerBI.UKSouth IPs and even added the PowerBI.UKWest IP ranges too. And still no joy.
I am going to implement option 1 and see how that goes.
I will definitely feed back with the outcome. 👍
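
The third option from the first reply (extracting Power BI prefixes from the Service Tags JSON), sketched as an added example that is not part of any poster's message. The sample data is constructed, and `storage_ip_rules`, `storage_region` and the `max_rules` limit are assumptions of this example. It also flags the case, documented for Azure Storage firewalls, where IP rules are not applied to requests that originate in the storage account's own region.

```python
import ipaddress

# Constructed sample in the layout of the weekly Service Tags JSON download.
# Prefixes are documentation ranges, not real Power BI addresses.
SAMPLE_TAGS = {"values": [
    {"name": "PowerBI.UKSouth", "properties": {"region": "uksouth", "addressPrefixes": [
        "203.0.113.0/28", "203.0.113.64/31", "198.51.100.7/32", "2001:db8:1::/48"]}},
    {"name": "PowerBI.UKWest", "properties": {"region": "ukwest", "addressPrefixes": [
        "192.0.2.0/26", "203.0.113.0/28"]}},
    {"name": "Storage.UKSouth", "properties": {"region": "uksouth", "addressPrefixes": [
        "192.0.2.128/25"]}},
]}


def storage_ip_rules(tags, wanted, storage_region, max_rules=400):
    """Return (rules, warnings) for a storage account IP firewall.

    max_rules is an assumed per-account limit; confirm it in the current docs.
    """
    rules, warnings = [], []
    for entry in tags["values"]:
        if entry["name"] not in wanted:
            continue
        props = entry["properties"]
        if props.get("region", "").lower() == storage_region.lower():
            # IP rules are not applied to requests from the account's own region.
            warnings.append(f"{entry['name']}: same region as the storage account, "
                            "IP rules will not match this traffic")
        for prefix in props["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version != 4:
                continue  # this sketch builds IPv4 rules only
            if net.prefixlen >= 31:
                # /31 and /32 ranges have to be entered as single addresses
                candidates = [str(ip) for ip in net]
            else:
                candidates = [str(net)]
            for rule in candidates:
                if rule not in rules:  # the same prefix can appear under two tags
                    rules.append(rule)
    if len(rules) > max_rules:
        warnings.append(f"{len(rules)} rules exceed the assumed limit of {max_rules}")
    return rules, warnings
```
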