Troubleshooting BULK INSERT and OPENROWSET issues on Azure SQL Database

Published Jun 03 2019 06:20 AM

Azure SQL Database (single database and Managed Instance) enables you to load files from Azure Blob Storage. If you experience issues while you are loading files from Azure blob storage, below are some suggestions on steps you can take to troubleshoot and mitigate the issue.


  • If a syntax error is returned by BULK INSERT or OPENROWSET, check that you are using supported syntax in the statement. For example, loading data via a network share path is not supported in Managed Instance.
  • Make sure that you are using SAS key to access storage. Azure AD identities and managed identities are currently not supported.
  • Make sure that you are reading data from a public blob storage protected with SAS credential. Private IPs for blob storage and service endpoints are currently not supported.
  • If you are getting error 5 (Access Denied), make sure that you have not denied access to your Azure Blob Storage account using the storage firewall.


  • Verify that you have created the EXTERNAL DATA SOURCE with type BLOB_STORAGE targeting the URL of the blob storage where you placed the files that should be loaded into your database.
  • Make sure that you are targeting an existing file on Azure blob storage.
  • Script the CREDENTIAL to a SQL Server 2017 instance and try to load the files from there. If you are troubleshooting the issue on Managed Instance, make sure that the SQL Server is in a subnet within the same VNet as the Managed Instance.
  • Check that the SAS credential placed in the SECRET option of the CREATE DATABASE SCOPED CREDENTIAL statement is valid. The most common errors in SAS token parameters are:
    • ? is not removed from the beginning of the SAS token. The Azure portal generates the SAS token with a leading ?; remove this character if you see it.
    • se (expiry date) property is set to a value in the past (note that this is UTC time).
    • st (start date) property is not in the past (note that this is UTC time).
    • sp (permission) property does not allow reading the file on the storage account.
    • sip (IP range) parameter is present in the SAS token; remove it.
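
The SAS token checks listed above can be run before the token is placed in the SECRET option. The following Python sketch is an added example, not code from the original article or from Microsoft; the function name check_sas_token and the sample tokens are constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Timestamp layouts accepted for the st/se fields; all are UTC.
_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def _parse_utc(value):
    for fmt in _FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAS timestamp format")

def check_sas_token(token, now=None):
    """Return the problems found in a SAS token; never echoes the token itself."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if token.startswith("?"):
        problems.append("leading '?' not removed")
        token = token[1:]
    fields = {k: v[0] for k, v in parse_qs(token).items()}
    if "se" in fields and _parse_utc(fields["se"]) <= now:
        problems.append("se (expiry) is in the past")
    if "st" in fields and _parse_utc(fields["st"]) > now:
        problems.append("st (start) is not in the past")
    if "r" not in fields.get("sp", ""):
        problems.append("sp does not grant read (r)")
    if "sip" in fields:
        problems.append("sip (IP range) is present")
    return problems

# Constructed sample tokens; the sig value is a placeholder, not a real signature.
BAD_TOKEN = ("?sv=2018-03-28&ss=b&srt=o&sp=wl"
             "&st=2021-02-01T00%3A00%3A00Z&se=2020-12-31T00%3A00%3A00Z"
             "&sip=203.0.113.0-203.0.113.255&sig=CONSTRUCTED")
GOOD_TOKEN = ("sv=2018-03-28&ss=b&srt=o&sp=rl"
              "&st=2021-01-01T00:00:00Z&se=2021-12-31T00:00:00Z&sig=CONSTRUCTED")

if __name__ == "__main__":
    fixed_now = datetime(2021, 1, 29, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for name, tok in (("bad", BAD_TOKEN), ("good", GOOD_TOKEN)):
        print(name, check_sas_token(tok, fixed_now))
```

The function reports only the names of the failed checks, so its output can go into a ticket or log without exposing the token, which is a bearer secret.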
Senior Member

I would like to add an update on the Bulk Insert Method. With recent enhancements related to Managed Identity now it is possible to do a Bulk Insert from firewall protected (VNET Service Endpoint) Azure Blob Storage to Azure SQL Database. I have documented the design in detail here -




@isr2020 Azure SQL does not support Managed Identity, see - Microsoft Docs


This was not properly blocked in the past and worked in some cases, but in general this scenario is not officially supported. Please update your article because people who try this will get the access error.

Senior Member

Ok, thanks for letting me know that it was not properly blocked, I will add a big note at the top of the article. I am wondering if this explicit call out that Managed Identity will not work got added recently. This just means that there is no way to use Bulk Insert from a Blob which has the Selected Networks setting rather than All Networks. I am in the Regulated Industry and none of my customers let that Storage Account Network setting be All Networks. You have already mentioned this but SAS Signature will not work either so folks will need to find other methods to load.

Occasional Visitor

I resolved my issue from advice on this page:




The SAS key value might begin with a '?' (question mark). When you use the SAS key, you must remove the leading '?'. Otherwise your efforts might be blocked.


Last update: Jan 29 2021 07:56 AM