Azure Blob Storage "Authorization Permission Mismatch" error for get request with AD token

I found it's not enough for the app and account to be added as owners. I would go into your storage account > IAM > Add role assignment, and add the special permissions for this type of request:

  • Storage Blob Data Contributor
  • Storage Queue Data Contributor

Be aware that if you want to apply "STORAGE BLOB DATA XXXX" role at the subscription level it will not work if your subscription has Azure DataBricks namespaces:

If your subscription includes an Azure DataBricks namespace, roles assigned at the subscription scope will be blocked from granting access to blob and queue data.

Source: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal#determine-resource-scope


I've just solved this by changing the resource requested in the GetAccessTokenAsync method from "https://storage.azure.com" to the url of my storage blob as in this snippet:

    public async Task<StorageCredentials> CreateStorageCredentialsAsync()
    {
        var provider = new AzureServiceTokenProvider();
        var token = await provider.GetAccessTokenAsync(AzureStorageContainerUrl);
        var tokenCredential = new TokenCredential(token);
        var storageCredentials = new StorageCredentials(tokenCredential);
        return storageCredentials;
    }

where AzureStorageContainerUrl is set to https://xxxxxxxxx.blob.core.windows.net/