Data Factory is now a 'Trusted Service' in Azure Storage and Azure Key Vault firewall
Microsoft

 

There are various scenarios in which you need to access data in Azure Storage, or secrets in Azure Key Vault, from a Data Factory pipeline or from your applications. Often there is a security requirement to prevent unknown sources from reaching the storage account or the Key Vault at all. In such circumstances you can use the ‘Allow trusted Microsoft services...’ setting in the service firewall to let ‘Trusted Services’ through without opening the service to all networks. This is a network-layer exception only: the trusted service still has to authenticate, and still needs the appropriate data-plane permissions on the account or vault. For more details on ‘Trusted Services’, see the Azure Storage (https://docs.microsoft.com/azure/storage/common/storage-network-security#trusted-microsoft-services) and Azure Key Vault (https://docs.microsoft.com/azure/key-vault/key-vault-overview-vnet-service-endpoints#trusted-services) documentation.

 

Data Factory is now part of ‘Trusted Services’ in Azure Key Vault and Azure Storage. The integration runtime (https://docs.microsoft.com/azure/data-factory/concepts-integration-runtime), Azure or self-hosted, can now connect to Storage or Key Vault without having to sit inside the same virtual network and without you having to allow all inbound connections to the service.

 

Note: Mapping Data Flows do not yet work through the ‘Trusted Services’ exception. We will be enabling this functionality for data flows soon.

 

Common data integration security requirements

 

  1. Use the Internet to connect to data stores/ secrets store over TLS
    • Security – secure data using any supported authentication mechanism
    • Recommendation – Use Azure IR
  2. Use the Internet to connect to data stores/ secrets store over TLS, only from known sources, using the ‘Trusted Services’ firewall exception
    • Security – secure data using managed identity (MSI) auth + service firewall
    • Recommendation – Use ‘Allow trusted Microsoft services…’ in the Storage/ Key Vault firewall + Azure IR/ Self-hosted IR
  3. Use a private network/ virtual network to connect to data stores over TLS
    • Security – secure data using auth + compute injection/ peering with the private network
    • Recommendation – Use a Self-hosted integration runtime within your Virtual Network/ private network.

Note: We are actively working on adding the capability to add/ peer an Azure IR inside VNET. 

 

Steps to connect as ‘Trusted Service’

 

  • Connecting to Azure Storage (using the Azure Blob (https://docs.microsoft.com/azure/data-factory/connector-azure-blob-storage#linked-service-properties) or Azure Data Lake Storage Gen2 (https://docs.microsoft.com/azure/data-factory/connector-azure-data-lake-storage#linked-service-properties) linked service)

    1. Grant Data Factory’s managed identity access to read the data in the storage account’s access control (for example the Storage Blob Data Reader role, or the equivalent ACLs on ADLS Gen2). For more detailed instructions, see https://docs.microsoft.com/azure/data-factory/connector-azure-data-lake-storage#managed-identity.
    2. Create the linked service using Managed identities for Azure resources authentication (https://docs.microsoft.com/en-us/azure/data-factory/connector-azure-data-lake-storage#managed-identity), i.e. with no account key, SAS token or connection string in the linked service definition.
    3. Modify the firewall settings in the Azure Storage account to select ‘Allow trusted Microsoft services…’. This exception only has effect when the firewall is actually enforced, i.e. ‘Selected networks’ is chosen; with ‘All networks’ there is nothing to bypass.

Note: Only Managed Identity (https://docs.microsoft.com/azure/data-factory/data-factory-service-identity) authentication is supported when using the ‘Trusted Service’ functionality in storage to allow Azure Data Factory to access its data; a linked service that authenticates with an account key or SAS is still blocked by the firewall.

 

  • Connecting to Azure Key Vault (using the Azure Key Vault linked service, https://docs.microsoft.com/azure/data-factory/store-credentials-in-key-vault#azure-key-vault-linked-service)

    1. Create the linked service with managed identity authentication and grant the appropriate permissions (Get on secrets) to the factory’s managed identity in the Key Vault access policies, as described in the article (https://docs.microsoft.com/azure/data-factory/store-credentials-in-key-vault#steps).
    2. Modify the firewall settings in the Azure Key Vault to select ‘Allow trusted Microsoft services…’.
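The two procedures above (storage and Key Vault) come down to three settings agreeing with each other: the service firewall enforced (default action Deny, i.e. ‘Selected networks’), the ‘Allow trusted Microsoft services…’ bypass switched on, and a linked service that carries no stored credential so that the factory’s managed identity is what authenticates. The following Python script, an added example and not code from this post or from Data Factory, audits exported ARM JSON for storage accounts and key vaults, plus Data Factory linked-service JSON, for exactly that combination. The resource names, sample JSON and finding texts are constructed for illustration; the `networkAcls.defaultAction` / `networkAcls.bypass` ARM properties and the `url` / `serviceEndpoint` / `baseUrl` linked-service properties are the real ones.

```python
"""Offline audit of the settings the Trusted Services path depends on.

Added example (not code from the original post or from Azure Data Factory).
It checks exported ARM resource JSON for storage accounts and key vaults, and
Data Factory linked-service JSON, for: firewall defaultAction Deny, the
'AzureServices' (Allow trusted Microsoft services) bypass on, and linked
services with no stored credential so the managed identity is used.
All names and JSON below are constructed sample data.
"""
import json

# Constructed sample ARM resources ('properties.networkAcls' has the same shape
# on Microsoft.Storage/storageAccounts and Microsoft.KeyVault/vaults).
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stexample01",
     "properties": {"networkAcls": {"defaultAction": "Deny",
                                    "bypass": "AzureServices, Logging, Metrics"}}},
    # Bypass is on but the firewall itself is off: the exception does nothing.
    {"type": "Microsoft.Storage/storageAccounts", "name": "stexample02",
     "properties": {"networkAcls": {"defaultAction": "Allow",
                                    "bypass": "AzureServices"}}},
    # Firewall on, but trusted services not allowed through: ADF is blocked.
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-example",
     "properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "None"}}},
]

# Constructed sample Data Factory linked services. The first and third use
# managed identity (no credential fields at all); the second embeds a
# connection string and so cannot go through the Trusted Services exception.
SAMPLE_LINKED_SERVICES = [
    {"name": "ls_adls_msi", "properties": {"type": "AzureBlobFS",
        "typeProperties": {"url": "https://stexample01.dfs.core.windows.net"}}},
    {"name": "ls_blob_key", "properties": {"type": "AzureBlobStorage",
        "typeProperties": {"connectionString":
            "DefaultEndpointsProtocol=https;AccountName=stexample02;AccountKey=<redacted>"}}},
    {"name": "ls_kv_msi", "properties": {"type": "AzureKeyVault",
        "typeProperties": {"baseUrl": "https://kv-example.vault.azure.net/"}}},
]

FIREWALLED_TYPES = {"Microsoft.Storage/storageAccounts", "Microsoft.KeyVault/vaults"}
# Any of these in typeProperties means a stored credential, not managed identity.
CREDENTIAL_FIELDS = {"accountKey", "sasUri", "sasToken", "connectionString",
                     "servicePrincipalId", "servicePrincipalKey"}
# Endpoint property each managed-identity linked service type expects.
ENDPOINT_FIELD = {"AzureBlobFS": "url", "AzureBlobStorage": "serviceEndpoint",
                  "AzureKeyVault": "baseUrl"}


def audit_firewall(resource):
    """Findings for one storage account's or key vault's network rules."""
    acls = resource.get("properties", {}).get("networkAcls", {})
    # ARM defaults when the block is absent: the firewall is not enforced.
    default_action = acls.get("defaultAction", "Allow")
    bypass = {b.strip() for b in acls.get("bypass", "AzureServices").split(",")}
    name = resource["name"]
    findings = []
    if default_action != "Deny":
        findings.append(f"{name}: defaultAction={default_action}; the firewall is "
                        "not enforced, so 'Allow trusted Microsoft services' is moot")
    if "AzureServices" not in bypass:
        findings.append(f"{name}: 'AzureServices' bypass is off; Data Factory's "
                        "integration runtime will be rejected by the firewall")
    return findings


def audit_linked_service(linked_service):
    """Findings for one linked service: it must authenticate with managed identity."""
    props = linked_service["properties"]
    type_props = props.get("typeProperties", {})
    stored = sorted(CREDENTIAL_FIELDS & set(type_props))
    if stored:
        return [f"{linked_service['name']} ({props['type']}): stored credential "
                f"{stored}; only managed identity auth is honoured by the exception"]
    return []


def audit(resources, linked_services):
    """Run both checks and return every finding as a list of strings."""
    findings = []
    for resource in resources:
        if resource["type"] in FIREWALLED_TYPES:
            findings.extend(audit_firewall(resource))
    for linked_service in linked_services:
        findings.extend(audit_linked_service(linked_service))
    return findings


def managed_identity_linked_service(name, ls_type, endpoint):
    """Build a linked-service definition that uses managed identity: only the
    endpoint property for its type, so no secret is stored in the factory."""
    return {"name": name, "properties": {"type": ls_type,
            "typeProperties": {ENDPOINT_FIELD[ls_type]: endpoint}}}


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESOURCES, SAMPLE_LINKED_SERVICES):
        print("FINDING:", finding)
    print(json.dumps(managed_identity_linked_service(
        "ls_adls_msi", "AzureBlobFS", "https://stexample01.dfs.core.windows.net"), indent=2))
```

Run against the constructed samples it reports three findings: the storage account whose firewall is not enforced, the vault that denies trusted services, and the linked service that embeds a connection string. On a live subscription the two firewall settings it checks are what `az storage account update --default-action Deny --bypass AzureServices` and `az keyvault update --default-action Deny --bypass AzureServices` set; the script itself only reads JSON you have already exported, so it runs offline.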

 

Next Steps

See the following related articles for more details:

  • Azure Key Vault ‘Trusted Services’: https://docs.microsoft.com/azure/key-vault/key-vault-overview-vnet-service-endpoints#trusted-services
  • Azure Storage ‘Trusted Microsoft Services’: https://docs.microsoft.com/en-in/azure/storage/common/storage-network-security#trusted-microsoft-services
  • Managed identity for Data Factory: https://docs.microsoft.com/azure/data-factory/data-factory-service-identity

2 Comments
Visitor

Hi,

 

Thanks for the post. So, this option only works to connect to Azure Blob storage. Still getting an "Access denied" error while trying to connect to Azure file share.

So, this option will not connect to Azure file share. Please correct me if I am wrong.

Occasional Visitor
Hi, this is a great feature in addition to the private endpoints and selected networks capabilities of Azure Storage / ADLS Gen2! Unfortunately, it does not even work yet for me on ADF V2 connecting to ADLS with the option "Selected networks". We enabled "trusted services" but we still get connection errors. Our resources are in the regions West Europe and North Europe. Can you please check the DFS protocol again? Thanks.