Share via

Azure Machine Learning compute instances in workspace fail to provision due to a storage mount permissions error.

Mark Simpson 50 Reputation points Microsoft Employee
2026-02-23T23:51:35.24+00:00

Issue Summary

Azure Machine Learning compute instances in workspace fail to provision due to a storage mount permissions error.

Details
I get the following error message when starting Compute Instance within AML:
Failed to mount storage. Failed to mount due to permissions issue. Make sure the identity has the right permissions like 'Storage File Privileged Contributor' on the storage account. If you have recently updated the role, please try after sometime

Additional Details

  • This doesn’t appear to be compute‑specific: I’ve created multiple brand‑new computes, and they all fail with the same mount error.
  • I identified the correct workspace storage account and confirmed the compute’s user‑assigned managed identity has all required RBAC on it: Storage Blob Data Contributor, Storage File Data Privileged Contributor, and Storage File Data SMB Share Contributor.
  • The workspace is configured with systemDatastoresAuthMode = identity.
  • I also tested storage‑side configuration changes: enabling Managed Identity for SMB and re‑enabling storage account key access (fallback path), recreating computes after each change — the error persists in all cases.
Azure Machine Learning
Answer accepted by question author
  1. Manish Deshpande 5,420 Reputation points Microsoft External Staff Moderator
    2026-03-04T16:03:43.3833333+00:00

    The customer is facing a storage mount failure with the error:

    Failed to mount storage due to permissions issue Make sure the identity has the right permissions like Storage File Privileged Contributor

    This error occurs during compute/container creation and leads to repeated retries, even though the service returns HTTP 500 errors.

    Findings:

    The storage mount failure initially appeared to be an RBAC permission issue.

    1. The identity is a Managed Identity (MSI).
    2. The required role Storage File Privileged Contributor is a data‑plane role, which is often not granted by default to customer user identities.
    3. Customers typically only have control‑plane roles, so both of the following must be verified:
      • The workspace Managed Identity (MSI) has the data‑plane role.
      • The customer’s user identity also has the same role assigned on the storage account (via IAM).

    Further investigation revealed the actual blocking factor was Network Security Perimeter (NSP) restrictions on the storage account.

    • Error observed: Microsoft.Azure.Storage.StorageException: This request is not authorized by network security perimeter to perform this operation
    • Even with correct RBAC permissions, NSP rules were denying access from the workspace Managed Identity.
    • As a result, container creation kept retrying continuously, amplifying the issue.

    Customer Actionability

    • The customer can fully self‑serve:
      • Verify RBAC (data‑plane roles) on the storage account.
      • Review and adjust NSP rules using diagnostics.

    NSP creation link :
    Quickstart - Create a network security perimeter - Azure portal - Azure Private Link | Microsoft Le…

    Diagnostic logs :
    Diagnostic logs for Network Security Perimeter - Azure Private Link | Microsoft Learn.

    Thanks,
    Manish.

    1 person found this answer helpful.
    0 comments
Answer accepted by question author
  1. Anshika Varshney 9,740 Reputation points Microsoft External Staff Moderator
    2026-02-24T00:16:43.61+00:00

    Hi Mark Simpson,

    Thanks for sharing the detailed symptoms.

    This doesn’t look compute‑instance specific. Since multiple newly created compute instances fail with the same storage mount error, and the managed identity already has the required RBAC roles on the workspace storage account, it points more toward a workspace‑level or backend issue rather than a misconfiguration on an individual compute.

    A few observations based on the details you shared:

    The error consistently occurs during storage mount, even after recreating compute instances.

    Required roles such as Storage Blob Data Contributor and Storage File Data Privileged Contributor are already assigned.

    The workspace is using systemDatastoresAuthMode = identity, and switching storage‑side settings (including key‑based access) didn’t change the behavior.

    Please let me know if the issue persists after these checks. If you have any remaining questions or need additional details, I’ll be glad to provide further clarification or guidance. If the above steps resolve your issue, kindly confirm.

    Thankyou!

    1 person found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-02-23T23:51:46.4866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The error you are encountering when provisioning Azure Machine Learning compute instances appears to be related to permissions associated with the managed identity configured for your workspace's storage account. Here are some steps and considerations to help resolve the issue:

    1. Verify Permissions: Ensure that the user-assigned managed identity has the following roles assigned on the storage account:
      • Storage File Data Privileged Contributor
      • Storage Blob Data Contributor
      • Storage File Data SMB Share Contributor These roles are necessary for the compute instance to mount the storage correctly.
    2. Check Identity Configuration: Since your workspace is configured with systemDatastoresAuthMode = identity, make sure that the managed identity is correctly set up and that there are no issues with its configuration.
    3. Role Propagation Delay: If you have recently updated the roles, there might be a delay in the propagation of permissions. It is advisable to wait for some time and then try provisioning the compute instance again.
    4. Testing with Different Configurations: Since you have already tested enabling Managed Identity for SMB and re-enabling storage account key access, ensure that these configurations are correctly applied and that there are no conflicting settings.
    5. Consult Documentation: For further troubleshooting, refer to the Azure documentation on authentication and identity-related issues in Azure Machine Learning, which may provide additional insights or updates regarding known issues.

    If the problem persists after checking these aspects, consider reaching out to Azure support for more detailed assistance regarding your specific setup.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.