Introduction Azure Storage accounts with restricted network access return 403 errors when requests originate from unauthorized networks. This commonly happens after enabling firewall rules, migrating to private endpoints, or when trusted Azure services lose access.
Symptoms - Storage Explorer returns: "This request is not authorized to perform this operation" - `az storage blob list` returns: "AuthorizationFailure" - Application cannot read/write blobs from Azure VMs or App Services - Diagnostic settings fail to write to storage account
Common Causes - "Selected networks" mode enabled without adding the client IP/subnet - Service endpoint not configured on the VNet subnet - Private endpoint connection not approved - Azure services bypass not enabled - Storage account firewall blocking the App Service outbound IP
Step-by-Step Fix 1. **Check current network rules**: ```bash az storage account show --name mystorage --resource-group myrg --query networkRuleSet ```
- 1.Add the virtual network subnet:
- 2.```bash
- 3.az network vnet subnet update --name app-subnet --vnet-name myvnet --resource-group myrg \
- 4.--service-endpoints Microsoft.Storage
- 5.az storage account network-rule add --account-name mystorage --resource-group myrg \
- 6.--subnet /subscriptions/<sub>/resourceGroups/myrg/providers/Microsoft.Network/.../app-subnet
- 7.
` - 8.Allow Azure services to bypass firewall:
- 9.```bash
- 10.az storage account update --name mystorage --resource-group myrg --bypass AzureServices
- 11.
` - 12.Check private endpoint status:
- 13.```bash
- 14.az network private-endpoint list --resource-group myrg
- 15.
` - 16.If status is "Pending", approve the connection.