Azure Blob Storage: Fix Common Errors & Setup Problems
Why This Is Happening
I've seen this exact situation play out on dozens of Azure projects: you spin up an Azure Blob Storage account, paste in your connection string, hit upload , and nothing works. Or worse, it worked yesterday and now it doesn't. The error message from Azure is either cryptically vague (AuthorizationFailure, BlobNotFound, InvalidResourceName) or it points you at a wall of documentation that doesn't quite match what you're seeing in your portal.
Azure Blob Storage is Microsoft's object storage solution for the cloud, designed specifically to handle massive amounts of unstructured data , think images, videos, log files, backups, documents, and binary blobs of all kinds. It's built to serve files directly to browsers, stream audio and video, power distributed file access, and sit under big data analytics pipelines. That breadth is exactly what makes it so useful. It's also exactly what makes misconfiguration so easy.
The most common Azure Blob Storage errors I see break into four buckets. First, authentication and authorization failures, your app or script doesn't have the right permissions, the shared access signature (SAS) token expired, or the connection string is pointing at the wrong endpoint. Second, container and blob naming errors, Azure has strict naming rules and violations return InvalidResourceName or OutOfRangeInput without telling you exactly which character is the problem. Third, network and firewall issues, storage account firewalls, virtual network service endpoints, and private endpoint configurations silently block traffic in ways that look identical to auth failures. Fourth, access tier and lifecycle policy problems, blobs in the archive tier return BlobArchived errors when you try to read them directly, which surprises a lot of developers who don't realize the data needs to be rehydrated first.
Microsoft's error messages genuinely don't help here. AuthorizationFailure could mean a wrong key, an expired SAS token, a missing RBAC role, a firewall block, or a mismatched resource URL. The portal gives you the same error for all of them. That's what I'm here to untangle.
Whether you're a developer calling the Azure Storage REST API from a Node.js app, an IT admin uploading backups via Azure CLI, or a data engineer wiring up an Azure Data Lake Storage Gen2 pipeline, the fixes below apply. Browse all Microsoft fix guides →
The Quick Fix, Try This First
If your Azure Blob Storage connection is failing right now and you need it working fast, start here. In my experience, roughly 60% of all Azure Blob Storage errors trace back to one of two things: an expired or malformed SAS token, or a storage account firewall that was quietly enabled by someone on your team.
Check your connection string first. Open the Azure portal, navigate to your storage account, then go to Security + networking > Access keys. You'll see two keys, Key1 and Key2, along with their corresponding connection strings. Copy the full connection string for Key1. It should look exactly like this:
DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=YOUR_KEY_HERE==;EndpointSuffix=core.windows.netPaste that directly into your app config or environment variable and retry. If you were using a SAS token instead of an account key, check the expiry date. In the portal, go to Security + networking > Shared access signature, scroll down to the End date/time field, and compare it to today's date in UTC. SAS tokens expire silently, there's no notification, your requests just start returning AuthorizationFailure (403).
Then check the firewall. In the Azure portal, open your storage account and go to Security + networking > Networking. If Enabled from selected virtual networks and IP addresses is selected instead of Enabled from all networks, that firewall is active. Scroll down to the Firewall section and check whether your current public IP is listed under Address ranges. If it's not there, add it temporarily to confirm whether the firewall is the culprit.
If neither of those resolves it, move on to the full step-by-step below.
AuthenticationFailed: Server failed to authenticate the request error. Before spending an hour debugging permissions, run w32tm /query /status in Command Prompt and confirm your local time is synced. It sounds trivial, I've personally watched it eat 90 minutes of a senior engineer's afternoon.
This sounds obvious, but Azure Blob Storage errors can occur simply because a script or app is targeting the wrong storage account name, the wrong subscription, or the wrong region endpoint. I've seen developers spend hours debugging permissions on a storage account that was accidentally created in a different subscription entirely.
Open the Azure portal and go to Home > Storage accounts. Make sure you're in the correct subscription, check the subscription selector in the top navigation bar. Find your storage account in the list and click it. On the Overview blade, confirm:
- The Status field shows Available
- The Location matches what your app expects
- The Subscription matches your billing context
Now cross-reference the account name. Azure Blob Storage account names must be between 3 and 24 characters, lowercase letters and numbers only, no hyphens, no underscores, no uppercase. The blob endpoint will follow the pattern:
https://<your-storage-account-name>.blob.core.windows.netIf you're using Azure CLI, you can quickly list all accessible storage accounts with:
az storage account list --output tableThis gives you account name, resource group, location, and SKU in a readable format. If your target account isn't in the output, it either doesn't exist in your active subscription or your account doesn't have permission to list it. Switch subscriptions with az account set --subscription "Your Subscription Name" and run the list command again.
Once you've confirmed the account is there and reachable, move to checking authentication.
Azure Blob Storage supports several authentication methods: account keys, SAS tokens, Microsoft Entra ID (formerly Azure Active Directory), and anonymous public access. Each one fails differently, and the portal's error messages don't always tell you which method is actually being used under the hood.
The clearest way to test raw connectivity is with Azure CLI using your account key directly. Run this command, replacing the placeholders:
az storage blob list \
--account-name <your-storage-account> \
--container-name <your-container> \
--account-key <your-account-key> \
--output tableIf this returns a list of blobs (or an empty table), your account key is valid and the container exists. If it returns AuthorizationFailure, the key itself is wrong or has been rotated. Go back to Security + networking > Access keys in the portal, click Show keys, and recopy Key1 exactly, no trailing spaces.
If you're using Microsoft Entra ID authentication (the recommended approach for production), the user or service principal needs the correct Azure RBAC role assigned on the storage account. The three relevant built-in roles are:
- Storage Blob Data Owner, full read, write, delete, and POSIX ACL management
- Storage Blob Data Contributor, read, write, and delete blobs
- Storage Blob Data Reader, read-only access to blobs and containers
To check role assignments, go to your storage account > Access control (IAM) > Role assignments tab. Search for your user principal name or app registration. If the role is assigned at the resource group level instead of the storage account level, it still applies, but confirm it's there. Missing RBAC assignments are the single most common cause of AuthorizationPermissionMismatch errors when using Entra ID.
Once the right role is confirmed and roles have propagated (allow up to 15 minutes in some tenants), retry your operation. You should see successful blob listing or upload.
Azure Blob Storage naming rules are strict and the error messages when you break them are genuinely unhelpful. InvalidResourceName doesn't tell you which character is invalid or which naming rule you violated. Here's what you need to know.
Container naming rules:
- Must be 3–63 characters long
- Lowercase letters, numbers, and hyphens only
- Must start with a letter or number
- Cannot have consecutive hyphens
- Cannot end with a hyphen
Blob naming rules:
- 1–1,024 characters long
- Can include any character, but certain characters (
\,/used as virtual directory separators) need care - No trailing dots or slashes on the final segment
- Avoid control characters (
U+0000throughU+001F,U+007FthroughU+009F)
A quick way to validate a container name before creating it via Azure CLI:
az storage container create \
--name "my-container-name" \
--account-name <your-storage-account> \
--account-key <your-account-key>If this returns "created": true, the name is valid. If it returns an error with ContainerAlreadyExists, the container is already there (which is fine, you can just use it). If it returns InvalidResourceName, the container name violates one of the rules above.
For blob names, a common gotcha is programmatically generated names that include spaces, angle brackets, or percent signs from URL encoding mismatches. If you're building blob names from user input or file paths, sanitize them first. Replace spaces with hyphens, strip special characters, and lowercase everything before passing to the SDK or REST API.
After fixing the name and re-running the create command, you should see a successful JSON response with "created": true and the container URL.
Network-level blocks are the sneakiest Azure Blob Storage issue. They produce auth-looking errors, they're invisible from inside your app, and they're frequently enabled by Azure Security Center recommendations or by IT policies without the developer being notified.
In the Azure portal, navigate to your storage account and click Security + networking > Networking. You'll see three public network access options:
- Enabled from all networks, open to all public IPs
- Enabled from selected virtual networks and IP addresses, firewall is active
- Disabled, only private endpoints can connect
If you're on a corporate network with a NAT gateway or a dynamic IP, your IP address may have changed since the firewall rule was last updated. To find your current external IP, you can run:
curl -s https://api.ipify.orgThen add that IP under Firewall > Address ranges in the format 203.0.113.0/32 (use /32 for a single IP). Click Save and wait 30–60 seconds for the change to propagate before retesting.
For apps running in Azure (App Service, Azure Functions, Azure Kubernetes Service, etc.), the cleanest fix is to add those services' outbound IPs to the allowlist, or better, configure a Virtual Network service endpoint. In the Virtual networks section of the Networking blade, click + Add existing virtual network and select the VNet your Azure service lives in. Make sure the Microsoft.Storage service endpoint is enabled on the subnet, Azure will prompt you to enable it if it isn't.
For Azure Data Lake Storage Gen2 scenarios (hierarchical namespace enabled), the same networking rules apply. If you're seeing 403 AuthorizationFailure specifically from HDInsight or Databricks clusters, check that the cluster's subnet has the Storage service endpoint enabled and is listed in the storage account's VNet rules.
After saving your network changes and allowing propagation, retry the failing operation. A successful blob upload response confirms the networking fix worked.
Azure Blob Storage has three access tiers: Hot, Cool, and Archive. Hot is for data you access frequently. Cool is for data you access less often but still need available immediately. Archive is for data you almost never read, and this is where a lot of people get caught out.
When a blob is in the Archive tier, it's essentially offline. Trying to read it returns:
BlobArchived: This operation is not permitted on an archived blob.To read an archived blob, you need to rehydrate it first. There are two ways to do this. The first is to change the blob's tier to Hot or Cool, which triggers rehydration. Do this in the portal by navigating to the blob in Storage account > Containers > [container name], clicking the blob name, going to the Change tier option, and selecting Hot or Cool. Or via Azure CLI:
az storage blob set-tier \
--account-name <your-storage-account> \
--container-name <your-container> \
--name <your-blob-name> \
--tier Hot \
--account-key <your-account-key>Rehydration from Archive to Hot or Cool takes between 1 and 15 hours depending on blob size and current demand. There's no notification when it completes, you need to poll the blob's status. Check rehydration status with:
az storage blob show \
--account-name <your-storage-account> \
--container-name <your-container> \
--name <your-blob-name> \
--account-key <your-account-key> \
--query "properties.rehydrationStatus"Once this returns "rehydrate-complete" (or the property disappears entirely), the blob is readable again.
If blobs are unexpectedly ending up in Archive tier, check your lifecycle management policies. In the portal, go to Data management > Lifecycle management. If there's a rule moving blobs to Archive after N days of no access, it may be catching blobs you expected to remain in Hot or Cool. Either modify the rule's filter (target only specific containers or blob prefixes) or adjust the day threshold.
Advanced Troubleshooting
When the standard fixes don't resolve your Azure Blob Storage issue, it's time to go deeper. These approaches apply to enterprise environments, domain-joined setups, or situations where the error is intermittent or environment-specific.
Analyzing Azure Storage Diagnostics and Metrics
Azure Blob Storage logs every request, but logging has to be enabled first. In the Azure portal, go to your storage account > Monitoring > Diagnostic settings. Add a diagnostic setting that sends StorageRead, StorageWrite, and StorageDelete logs to a Log Analytics workspace or a storage account. Once enabled (changes take effect within a few minutes), you can query request logs directly.
In Log Analytics, use this KQL query to find failed requests in the last hour:
StorageBlobLogs
| where TimeGenerated > ago(1h)
| where StatusCode >= 400
| project TimeGenerated, CallerIpAddress, OperationName, StatusCode, StatusText, Uri
| order by TimeGenerated descThe StatusText field will tell you exactly which error code triggered, AuthorizationFailure, BlobNotFound, ContainerNotFound, InvalidRange, etc. The CallerIpAddress tells you which client made the request. This is gold for diagnosing firewall-blocked requests or expired SAS tokens hitting production from a specific service.
Diagnosing CORS Errors for Browser-Based Access
If you're serving images or files from Azure Blob Storage directly to a browser (for example, a static website or a JavaScript app calling the blob endpoint), you'll hit CORS errors unless you explicitly configure allowed origins. These show up in browser DevTools as a red Access to XMLHttpRequest has been blocked by CORS policy error, not as an Azure error code.
Fix this in the portal under Settings > Resource sharing (CORS) for the Blob service. Add a rule with your origin (e.g., https://yourapp.com), allowed methods (GET, HEAD for read-only), allowed headers (*), and a max age of 3600. For local development, add http://localhost:3000 as a separate rule.
Azure Policy and Subscription-Level Restrictions
In enterprise environments, Azure Policy assignments at the subscription or management group level can prevent storage account creation, block public network access, or enforce specific SKUs. If you're getting errors during storage account provisioning, not during blob operations, run this Azure CLI command to see which policies apply to your subscription:
az policy assignment list --scope /subscriptions/<your-subscription-id> --output tableLook for policies with names like Deny public blob access, Require secure transfer, or Allowed storage account SKUs. These need to be addressed at the policy level by your Azure administrator, you can't work around them with app-level changes.
NFS 3.0 and SFTP Protocol Issues
Azure Blob Storage supports both NFS 3.0 mounting and SSH File Transfer Protocol (SFTP) for direct filesystem-style access. Both require a storage account with hierarchical namespace enabled (i.e., Azure Data Lake Storage Gen2 mode). If you're trying to mount a Blob container via NFS 3.0 and getting mount: wrong fs type or connection refused errors, confirm that NFS 3.0 support is explicitly enabled on the storage account (it's off by default), and that your mounting VM is on the same virtual network as the storage account's private endpoint or service endpoint.
If you've worked through all the steps above and you're still seeing failures, especially if they're intermittent, regional, or started after a specific date, it may be a platform-level issue. Check the Azure Status page first for active incidents in your region. If there's no active incident and your issue is production-impacting, open a support ticket through Microsoft Support. Have your storage account resource ID, the failing request's correlation ID (found in the x-ms-request-id response header), and a timestamp of the failure ready, that information cuts diagnostic time in half.
Prevention & Best Practices
Most Azure Blob Storage problems I see are entirely avoidable. They happen because storage accounts get created quickly for a proof-of-concept, the proof-of-concept becomes production, and the configuration never gets hardened. Here's how to set things up right from the start.
Always enable secure transfer. In the portal, the Secure transfer required setting under Configuration forces all connections to use HTTPS. If you're seeing The account being accessed does not support http errors, it's because something in your stack is trying HTTP. Enable secure transfer and fix any HTTP connection strings to use HTTPS. This setting should be on for every storage account, full stop.
Use Microsoft Entra ID authentication, not account keys, for production. Account keys give whoever holds them complete access to every blob in the account. If a key leaks, an attacker can download, overwrite, or delete everything. RBAC roles scoped to specific containers or operations are far safer. Assign the minimum necessary role, if an app only needs to read blobs, give it Storage Blob Data Reader, not Storage Blob Data Contributor.
Set SAS token expiry windows deliberately. A common pattern is to generate SAS tokens once and reuse them indefinitely. SAS tokens have an expiry date. When that date passes, every request fails with AuthorizationFailure. Instead, build SAS token generation into your app with a short validity window (1–24 hours) and regenerate on demand. Store the token generation logic, not the token itself.
Tag your storage accounts by environment. Use Azure resource tags to distinguish between dev, staging, and production storage accounts. A tag like environment: production makes it obvious in the portal which account matters, and Azure Policy can use tags to enforce stricter rules on production accounts (like requiring private endpoints).
Review lifecycle policies before they delete your data. Azure Blob Storage lifecycle management is powerful but unforgiving. A rule that moves blobs to Archive after 30 days of no access, and then deletes them after 90 days, will silently destroy data that wasn't accessed during a quiet period. Always add a container prefix filter to lifecycle rules so they only apply to the blobs you intend, never to everything in the account.
- Enable Secure transfer required on every new storage account before adding any data
- Rotate account keys on a schedule (every 90 days) and use Azure Key Vault to store them, never in code or environment variables checked into source control
- Set up Azure Monitor alerts on Availability and Egress metrics so you know about failures before your users do
- Enable soft delete for blobs and containers (under Data management > Data protection), it gives you a 7–365 day recovery window for accidentally deleted data at near-zero cost
Frequently Asked Questions
What exactly is Azure Blob Storage and what kinds of files can I store in it?
Azure Blob Storage is Microsoft's cloud-based object storage service, built for storing massive amounts of unstructured data, meaning any data that doesn't fit a rigid schema. That includes images, videos, audio files, PDFs, log files, database backups, virtual machine disk images, and raw binary data. It's designed for scenarios like serving images directly to a web browser, streaming audio and video content, distributing files to users anywhere in the world over HTTP or HTTPS, and storing data for backup, disaster recovery, and archiving. It also underpins Azure Data Lake Storage Gen2 for big data analytics workloads. If it's a file and it doesn't need a relational database structure, Blob Storage can hold it.
Why am I getting a 403 AuthorizationFailure error even though I'm using the right account key?
A 403 with AuthorizationFailure when using an account key almost always means one of three things. First, the key you're using was rotated, go to Security + networking > Access keys in the portal and recopy the current Key1 or Key2 value. Second, your storage account firewall is blocking your IP, check Security + networking > Networking and confirm your IP address is in the allowed ranges. Third, your request URL is malformed, the account name in the connection string doesn't match the actual storage account. Check all three before assuming anything more exotic is wrong. In most cases it's one of these.
How do I access a blob that's stuck in the Archive access tier?
You can't read an archived blob directly, it needs to be rehydrated first. Run az storage blob set-tier --tier Hot (or Cool) via Azure CLI, or change the tier in the Azure portal by clicking the blob name and selecting Change tier. Rehydration takes 1–15 hours depending on blob size. You can check progress with az storage blob show --query "properties.rehydrationStatus". The blob is readable once that property returns rehydrate-complete or disappears from the response. Plan ahead for archival workloads, if you need fast restores, keep blobs in Cool tier rather than Archive.
What's the difference between Azure Blob Storage and Azure Data Lake Storage Gen2?
Azure Data Lake Storage Gen2 is built on top of Azure Blob Storage, it's the same underlying object storage with a hierarchical file system layer added on top. When you enable the hierarchical namespace on a storage account, you get Azure Data Lake Storage Gen2 with true directory semantics, atomic rename operations, and POSIX-compatible access control lists (ACLs). Regular Blob Storage uses a flat namespace where "folders" are just naming conventions using forward slashes. For most web app and backup scenarios, standard Blob Storage is sufficient. For big data analytics with Azure Databricks, HDInsight, or Apache Hive, you want Data Lake Storage Gen2, the directory structure and fine-grained ACLs make a real difference in performance and security management at scale.
Can I host a static website directly from Azure Blob Storage?
Yes, and it works well for simple sites or SPAs (single-page apps). In the Azure portal, go to your storage account > Data management > Static website and enable it. You'll get a primary endpoint URL in the format https://<accountname>.z13.web.core.windows.net. Azure creates a special $web container where you upload your HTML, CSS, and JavaScript files. You can set the index document name (typically index.html) and the error document path (typically 404.html). For custom domains and HTTPS, pair this with Azure CDN or Azure Front Door, the static website feature itself doesn't support custom TLS certificates directly.
How do I connect to Azure Blob Storage from my application code?
Microsoft provides official client libraries for .NET, Java, Python, JavaScript (Node.js and browser), Go, and C++. For Node.js, install the @azure/storage-blob package and initialize a BlobServiceClient using either a connection string or a DefaultAzureCredential for Entra ID auth. For Python, use azure-storage-blob and the BlobServiceClient class similarly. For quick scripting, Azure CLI and Azure PowerShell both support blob operations without writing any code. The Azure Storage REST API is also available for any language or platform that can make HTTP requests, all you need is an authenticated request with the correct headers. The x-ms-version header must be set to a supported API version date string.