Hello Keagan Kennedy,
Greetings! Welcome to Microsoft Q&A Platform.
A 403 status code typically signifies that the request was understood by the server, but the server is refusing to authorize it. It suggests that the authorization configuration might be inconsistent or that there are intermittent issues with the Azure service or your network.
If your application is using tokens for authorization, the tokens may be expiring or not being refreshed properly, leading to occasional failures.
- If the issue is related to a storage account, which I presume, try regenerating the storage account access keys and updating your application with the new keys.
- Ensure that the service principal or managed identity running the automation script has the Storage Blob Data Contributor role assigned.
- Ensure that any access policies set on the storage account or specific containers allow the necessary operations.
- Make sure your script is using the correct API version that supports the operations you’re trying to perform.
Also, it will occur if the Azure Automation account is unable to access the storage account due to network restrictions. When network access is limited to selected virtual networks and IP addresses, we need to add the public IP of the Automation Account to the storage account’s network settings.
If the Automation account has a static IP address, you can add this IP to the list of allowed IP addresses in the storage account’s network settings.
If the IP address is not static, you may need to allow the entire IP range for the Azure region where your Automation account is located. This is not always ideal, but it is a potential solution to the issue.
Also, verify that no network or firewall rules are blocking the connection. You might need to allow access from all networks temporarily to test if this resolves the issue.
When restricting network access to the storage account, you will not be able to access it if the Azure Automation service isn't part of your trusted services registered within the Azure subscription.
In order to achieve your requirement, I would suggest you use Hybrid Worker to execute the runbook so that you can restrict the access to the storage account.
Refer to https://video2.skills-academy.com/en-us/troubleshoot/azure/azure-storage/blobs/alerts/troubleshoot-storage-client-application-errors?tabs=dotnet and https://techcommunity.microsoft.com/t5/azure-paas-blog/troubleshooting-the-403-error-for-user-delegation-sas-in-azure/ba-p/3294999 for more troubleshooting.
Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.
Please “Accept the answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.
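An added example, not part of the original answer: an offline check of whether the storage account firewall can explain the 403s, by testing each outbound IP observed for the runbook jobs against the account's IP rules. The JSON field names are assumed to match the `networkRuleSet` object printed by `az storage account show`; the rule set and the IP addresses are constructed sample data.

```python
import ipaddress
import json

# Constructed sample: the "networkRuleSet" object, in the shape assumed
# from `az storage account show` output.
SAMPLE_RULE_SET = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [
    {"action": "Allow", "ipAddressOrRange": "203.0.113.10"},
    {"action": "Allow", "ipAddressOrRange": "198.51.100.0/28"}
  ],
  "virtualNetworkRules": []
}
""")


def matching_rule(rule_set, caller_ip):
    """Return the IP rule value that admits caller_ip, or None."""
    ip = ipaddress.ip_address(caller_ip)
    for rule in rule_set.get("ipRules", []):
        if rule.get("action", "Allow") != "Allow":
            continue
        # strict=False accepts both a single address and a CIDR range.
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if ip in net:
            return rule["ipAddressOrRange"]
    return None


def explain(rule_set, caller_ip):
    """Classify one caller IP against the firewall settings."""
    if rule_set.get("defaultAction") == "Allow":
        # All networks allowed: look at keys, tokens and role assignments.
        return "open"
    return "allowed" if matching_rule(rule_set, caller_ip) else "blocked"


def triage(rule_set, caller_ips):
    """Map each observed caller IP to its verdict."""
    return {ip: explain(rule_set, ip) for ip in caller_ips}


if __name__ == "__main__":
    # Constructed outbound IPs seen across several runbook jobs.
    observed = ["203.0.113.10", "198.51.100.7", "192.0.2.44"]
    for ip, verdict in triage(SAMPLE_RULE_SET, observed).items():
        print(f"{ip:15} {verdict}")
```

A mix of "allowed" and "blocked" verdicts across jobs is what a non-static outbound IP looks like against a fixed allow list, which matches 403s that come and go.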