Snippets

KQL snippet: isolate Azure Storage 403 on a private endpoint

A short query to separate identity, firewall, public endpoint and wrong subresource when private Azure Storage access is denied.

13 Jun 2026. Tags: azure, storage, private-endpoint, dns, kql, logs, identity, runbook

When private Storage access returns 403, first check whether the account actually sees the request at all and, if it does, which identity or source address is attached to the denial.

storage-private-403.kql (Kusto):
let Window = 2h;
let Account = "stprodorders";
StorageBlobLogs
| where TimeGenerated > ago(Window)
| where AccountName == Account
| where StatusCode == 403 or StatusText has_any ("Authorization", "Authentication", "Firewall")
| project TimeGenerated, OperationName, StatusCode, StatusText, AuthenticationType, RequesterObjectId, CallerIpAddress, Uri, UserAgentHeader, ClientRequestId
| order by TimeGenerated desc

Quick read:

  • no row for your test request: the account never saw it, so go back to DNS, the Private Endpoint, routing or the subresource (blob, dfs, queue);
  • a row with the expected identity and a denial: check RBAC role, assignment scope and propagation delay;
  • a row with an unexpected IP or source: check the firewall, selected networks and whether the public endpoint is still being used.
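To move from the raw list to those three branches in one pass, here is an added query (my own, not part of the original snippet) that buckets each denial by its likely cause over the same window and account. It assumes CallerIpAddress is logged as "ip:port", that firewall denials surface as StatusText "IpAuthorizationError" and RBAC denials as "AuthorizationPermissionMismatch"; verify both strings against your own logs before relying on the buckets.

```kusto
// Added example: classify 403s on one account into the Quick read branches.
let Window = 2h;
let Account = "stprodorders";   // assumption: same account as the snippet above
StorageBlobLogs
| where TimeGenerated > ago(Window)
| where AccountName == Account
| where StatusCode == 403
// CallerIpAddress is assumed to be "ip:port"; keep only the address part
| extend CallerIp = tostring(split(CallerIpAddress, ":")[0])
// RFC 1918 source means the request arrived via the Private Endpoint (VNet),
// a public source means the public endpoint is still being reached
| extend FromPrivateRange = ipv4_is_private(CallerIp)
| extend Bucket = case(
    // assumption: Azure Storage reports network-rule denials with this text
    StatusText has "IpAuthorizationError",
        "network: firewall / selected networks",
    AuthenticationType == "Anonymous",
        "identity: anonymous request, no credential attached",
    not(FromPrivateRange),
        "network: public endpoint still used",
    // assumption: RBAC denials carry this text and a RequesterObjectId
    isnotempty(RequesterObjectId) and StatusText has "AuthorizationPermissionMismatch",
        "identity: RBAC role or scope for this principal",
    "other: inspect StatusText")
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Principals = make_set(RequesterObjectId, 5),
            Sources = make_set(CallerIp, 5),
            Operations = make_set(OperationName, 5)
  by Bucket, AuthenticationType, StatusText
| order by Count desc
```

An empty result here means the account never saw the test request, which is the first Quick read branch. StorageBlobLogs covers the blob and dfs endpoints only; queue denials land in StorageQueueLogs with the same column names.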