Synapse Workspace Permission Error

Published May 18 2020 06:55 AM 5,299 Views

With the release of Synapse Workspaces we have a new set of permissions to deal with allowing users access to the Synapse Workspace as well as the resources within the workspace.  


Following the step by step instructions which are provided here  users still have problems accessing the workspace and receive the following exception "You need permission to access workspace" 



Resolution :

Confirm that your client breakout IP address has been granted access to the Workspace in the firewall blade of the Workspace in the Azure Portal. Firewall rules govern access to the workspace and will be reported as Permission Error while attempting to access the workspace.   


WorkspaceFW Rules.PNG

In the event that you created the workspace via ARM template please follow the guidelines as documented here. The instructions will guide you through granting Storage Blob permissions for the Managed Identity.


In Powershell or Cloudshell Execute the following. 

$identity=$(az synapse workspace show --name {workspace name} --resource-group {resource group name} --query "identity.principalId").
az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id {identity } --scope {storage account resource id}.
az synapse firewall-rule create --name allowAll --start-ip-address --end-ip-address


Occasional Contributor

Thanks @CharlRoux , Just giving some additional insights here. If you create the synapses workspace in portal all will work perfect. However if you create using ARM with SPN Accounts then you need to add yourself as the workspace admin . You can do this by calling data plan API listed below. As of today (08/14/2020) the api is getting ready to publish to the docs.



MicrosoftTeams-image (1).png



Until that you can use the above API's . (Just make sure to set audience claim "") 

Regular Visitor

This could be one of the issues but not always. IMHO if we allowing  to then adding the client IP is not always the case for you to get error message "Permission Error while attempting to access the workspace.

To access the Synape studio, We need to make sure that the user who is trying to access should be added as workspace Admin as per Secure your Synapse workspace.



If you read the article, you will notice that I say once you have performed the permissions configuration which include workspace admin, "Following the step by step instructions which are provided here  "

Therefore the article is intended for users who have completed the permissions setup and verified them already who still run into the issue. 


Regular Visitor

Yes I understand. It could be client IP issue but I dont think so after allowing  to AllowAll), I beleive AllowAll passthrough all the ips so  we do not need to add specifically Client IP address.





Regular Visitor

Hi @Jayendran thanks for sharing your insight, this is exacly what is happening on my workspace after deploying a Synapse Workspace with an ARM template (through a DevOps pipeline)

Can you elaborate your solution because I don't know how to apply it.

Do you know of a solution where you can do this assignment in the arm template itself some how?


Occasional Contributor

Hi @pepijnkummel ,

Since the synapse is still in preview a lots of docs are still not published . To address this I actually wrote a detailed blog post which you can refer 


Hope this helps 


Regular Visitor

Thanks @Jayendran  , worked like a charm

Version history
Last update:
‎Sep 25 2020 10:32 AM
Updated by: