Data Factory is now a 'Trusted Service' in Azure Storage and Azure Key Vault firewall

Published Oct 30 2019 01:25 AM 21.5K Views


There are various scenarios wherein you would need to access data on Azure Storage or secrets from Azure Key Vault from a Data Factory pipeline or your applications. Often there is a security requirement to prevent any unknown sources from accessing the Storage account or the Azure Key Vault service. In such circumstances, you can use the ‘Allow trusted Microsoft services...’ setting in the firewall to enable access to your data from 'Trusted Services' without requiring you to allow connections from all network. For more details on 'Trusted Services', please refer azure storage and azure key vault documentation. 


Data Factory is now part of ‘Trusted Services’ in Azure Key Vault and Azure Storage. Integration runtime (Azure, Self-hosted, and SSIS) can now connect to Storage/ Key Vault without having to be inside the same virtual network or requiring you to allow all inbound connections to the service. 


Note: Both Data Movement and Mapping Data flows are also supported as ‘Trusted Services’.  


Common data integration security requirements


  1. Use the Internet to connect to data stores/ secrets store over TLS
    • Security – secure data using all supported Auth mechanism
    • RecommendationUse Azure IR/ SSIS IR
  2. Use the Internet to connect to data stores/ secrets store over TLS only from known sources using ‘Trusted Services’ firewall exception
    • Security – secure data using MSI Auth + Service Firewall
    • RecommendationUse ‘Allow Trusted Services…’ in Storage/ Key Vault firewall + Azure IR/ Self-hosted IR/ SSIS IR


  3. Use a private network/ virtual network to connect to data stores over TLS
    • Security – secure data using Auth + compute injection/ peering with the private network
    • Recommendation Use Self-hosted IR/ SSIS IR within your Virtual Network/ Private network.

Note: We are actively working on adding the capability to add/ peer an Azure IR inside VNET. 


Steps to connect as ‘Trusted Service’


  • Connecting to Azure Storage (using Azure blob or Azure Data lake Gen2 linked service)

    1. Grant Data Factory’s Managed identity access to read data in storage’s access control. For more detailed instructions, please refer this.
    2. Create the linked service using Managed identities for Azure resources authentication
    3. Modify the firewall settings in Azure Storage account to select ‘Allow trusted Microsoft Services…’. 

Note: Only Managed Identity authentication is supported when using ‘Trusted Service’ functionality in storage to allow Azure Data Factory to access its data. 


  • Connecting to Azure Key Vault (using Azure Key Vault linked service) 

    1. Create linked service with managed identity authentication and grant appropriate permissions in Azure Key Vault Access Policies as mentioned in the article.
    2. Modify the firewall settings in the Azure Key Vault to select ‘Allow Trusted Microsoft Services…’



Next Steps

See the following related articles for more details:


Senior Member



Thanks for post. So, this option only works to connect to Azure Blob storage. Still getting "Access denied" error while trying to connect to Azure file share.

So, this option will not to connect to Azure file share. Please correct me if I am wrong.

Occasional Visitor
Hi, this is a great feature in addition to the private endpoints and selected networks capabilities of Azure Storage / ADLS Gen2! Unfortunately it even does not work yet for me on ADF V2 connecting to ADLS with the option "Selected networks". We enabled "trusted services" but we still get connection errors. Our resources are in the regions West Europe and North Europe. Can you please check the DFS protocol again? Thanks.

@Shafiul_Alam It does not apply to Azure File Share. It works only with Blob and BlobFS (ADLSGen2). 


@Marco_Fischer_inovex I did verify it and it works in West Europe. Please make sure you are using MSI/ Managed Identity authentication in the linked service. 

Regular Visitor

@Abhishek Narain - Any news on when you will be adding support for accessing Azure Files?

Occasional Visitor

Try in the last two days, when firewall is enabled with "allow trusted services", test connection fails in datafactory v2. 

Storage account and datafactory v2 are both in Australia east region. Could you please update us on this ? thanks

Senior Member
Occasional Visitor

Hi @Abhishek Narain ,

I was unable to connect to blob storage as well as adls2 with private end points and both has allow trusted ms services. I made a successful connection from adf to sql database(private endpoint) using self hosted ir ,however i was unable to connect to storage blob or adls. Could you please help me on this issue please. I tried authentication type account key as well as managed identity,however the connection is failing. I have a contributor role at subscription level.


Thank You



Version history
Last update:
‎May 31 2020 09:00 PM
Updated by: