A short one for today! I stumbled upon this while configuring the new Azure Synapse Link for Dataverse feature for an environment.

Most of the time, when I’m configuring resources on Azure, I do it as a subscription or resource group owner. This means I’m working in god-mode all the time, and I don’t run into some of the issues that users with fewer access rights do.

Fixing Synapse Link

What’s Azure Synapse Link for Dataverse?

If you’re currently using the Export to Data Lake feature through the add-in in LCS, you should know that it’s been deprecated since October 15, 2023, and that after November 1, 2024, it will stop working. Azure Synapse Link for Dataverse is replacing it, and you can learn how to migrate in the Synapse Link transition guide.

The new Synapse Link feature is configured from Power Platform’s maker portal, and it still supports standard and custom data entities and tables. If you want to learn more about it, and how to configure it, you can read:

The issue: blob access rights

When we configure Synapse Link with a Synapse workspace, we have the following resources:

  • Storage account: here’s where data from the ERP is stored in data/delta lake format, depending on how you configure Synapse Link.
  • Synapse Analytics workspace: here we can explore data thanks to the built-in serverless SQL instance.
  • Spark pool: used for data processing and transformation.

One of the prerequisites for configuring all of this is adding the Synapse Analytics workspace as a “Storage Blob Data Contributor” on the storage account so it’s able to read data.

When you do all of this and access the serverless SQL pool in the Synapse Analytics workspace, you can query data without issues. And the same if you try accessing it from SQL Server Management Studio (SSMS) with your user that’s an owner on Azure.

But what if you create a Microsoft Entra ID app registration that will be used as a service principal to access the serverless SQL instance? We create the app registration, add it as a service principal with the role “Synapse SQL Administrator” inside the workspace, then access the SQL instance with SSMS, try to query the CustTable and…

Content of directory on path 'https://your_storage_account_name.dfs.core.windows.net/dataverse-instance-name/deltalake/custtable_partitioned/_delta_log/*.*' cannot be listed.

Why is that!? Remember you added the Synapse Analytics workspace as a “Storage Blob Data Contributor” to the storage account? Well, we need to do the same with the service principal we’ve created and that we will be using to read data.

So go to your storage account, and then add the role assignment:

Add role assignments to storage account

We can use “Storage Blob Data Contributor” or “Storage Blob Data Reader”, which has fewer access rights but will be enough to query data.

Now just wait for a few minutes and try running the query again. And problem solved!
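The same role assignment can be scripted with the Azure CLI instead of the portal. This is an added example, not part of the original post: the function names are hypothetical, and the resource group, storage account name and service principal object ID are placeholders you pass as arguments.

```shell
# Added example: give a service principal read access to the Synapse Link storage account.
# Usage: sh grant_blob_read.sh <resource-group> <storage-account> <sp-object-id>

# The post notes this role has fewer rights than Contributor but is enough to query.
ROLE="Storage Blob Data Reader"

# Resolve the storage account resource ID, used as the assignment scope.
storage_scope() {   # $1 = resource group, $2 = storage account name
  az storage account show --resource-group "$1" --name "$2" --query id -o tsv
}

# Succeeds if the principal already holds a blob data role on this scope,
# directly or inherited from the resource group or subscription.
has_blob_data_role() {   # $1 = principal object ID, $2 = scope
  roles=$(az role assignment list --assignee "$1" --scope "$2" \
            --include-inherited --query "[].roleDefinitionName" -o tsv) || return 2
  printf '%s\n' "$roles" | grep -Eqx 'Storage Blob Data (Reader|Contributor|Owner)'
}

# Assign the role only when it is missing, scoped to the single storage account.
grant_blob_read() {   # $1 = resource group, $2 = storage account, $3 = SP object ID
  scope=$(storage_scope "$1" "$2") || return 1
  [ -n "$scope" ] || { echo "storage account not found" >&2; return 1; }
  if has_blob_data_role "$3" "$scope"; then
    echo "already-assigned"
    return 0
  fi
  az role assignment create --assignee-object-id "$3" \
     --assignee-principal-type ServicePrincipal \
     --role "$ROLE" --scope "$scope" --output none || return 1
  echo "assigned"
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then grant_blob_read "$@"; fi
```

Scoping the assignment to the storage account's resource ID keeps the service principal from reading blobs in other accounts of the same resource group.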

Author

Microsoft Dynamics 365 Finance & Operations technical architect and developer. Business Applications MVP since 2020.


ariste.info