Copy-AzStorageBlob could not run when using the UseConnectedAccount authentication

[leoliudan]

Description

Below sample could not be run when using the -UseConnectedAccount to construct the $ctx

https://learn.microsoft.com/en-us/powershell/module/az.storage/copy-azstorageblob?view=azps-13.4.0#example-2-copy-blob-from-a-blob-object
$srcBlob = Get-AzStorageBlob -Container $containerName -Blob $blobName -Context $ctx
$destBlob = $srcBlob | Copy-AzStorageBlob -DestContainer "destcontainername" -DestBlob "destblobname"

the same script is working in the cloud shell, but not from the windows 11 as below log.

Issue script & Debug output

C:\Users\danliu1>pwsh
PowerShell 7.5.1
PS C:\Users\danliu1> $ctx = New-AzStorageContext -StorageAccountName danpwsa  -UseConnectedAccount 
PS C:\Users\danliu1> $srcBlob = Get-AzStorageBlob -Container costtestcontainer -Blob blob1 -Context $ctx
PS C:\Users\danliu1> $DebugPreference = "Continue"
PS C:\Users\danliu1> $srcBlob | Copy-AzStorageBlob  -DestContainer "costtestcontainer" -DestBlob blob1  
DEBUG: 2:46:12 PM - Init Operation Context for 'CopyAzureStorageBlob' with client request id  Azure-Storage-PowerShell-a0bc0a0c-393a-4a3f-9e4c-12f00392d2e6. If you want to get more details, please add "-Debug" to your command.
DEBUG: 2:46:12 PM - CopyAzureStorageBlob begin processing without ParameterSet.
DEBUG: 2:46:12 PM - Use storage account 'danpwsa' from storage context.
DEBUG: Request [4fd165a9-02c1-4827-9ffc-d24aa759eb60] POST https://danpwsa.blob.core.windows.net/?restype=service&comp=userdelegationkey
x-ms-version:2025-05-05
Accept:application/xml
Content-Type:application/xml
x-ms-client-request-id:4fd165a9-02c1-4827-9ffc-d24aa759eb60
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Storage.Blobs/12.24.0 (.NET 9.0.4; Microsoft Windows 10.0.26100)
Authorization:REDACTED
client assembly: Azure.Storage.Blobs
DEBUG: Response [4fd165a9-02c1-4827-9ffc-d24aa759eb60] 200 OK (00.3s)
Transfer-Encoding:chunked
Server:Windows-Azure-Blob/1.0,Microsoft-HTTPAPI/2.0
x-ms-request-id:7d63536c-101e-0018-5d93-b961e0000000
x-ms-client-request-id:4fd165a9-02c1-4827-9ffc-d24aa759eb60
x-ms-version:2025-05-05
Date:Wed, 30 Apr 2025 05:46:08 GMT
Content-Type:application/xml

DEBUG: Request [ad38a828-6bf5-4d32-9ec0-e73c3f99175b] HEAD https://danpwsa.blob.core.windows.net/costtestcontainer/blob1?skoid=f417f36f-6dd9-47ea-b4a5-9bf12a7fec99&sktid=16b3c013-d300-468d-ac64-7eda0820b6d3&skt=2025-04-30T05%3A46%3A12Z&ske=2025-05-07T03%3A46%3A12Z&sks=b&skv=2025-05-05&sv=2025-05-05&se=2025-05-07T03%3A46%3A12Z&sr=b&sp=rt&sig=REDACTED
x-ms-version:2025-05-05
Accept:application/xml
User-Agent:AzurePowershell/v1.0.0,azsdk-net-Storage.Blobs/12.24.0 (.NET 9.0.4; Microsoft Windows 10.0.26100)
x-ms-client-request-id:ad38a828-6bf5-4d32-9ec0-e73c3f99175b
x-ms-return-client-request-id:true
client assembly: Azure.Storage.Blobs
DEBUG: Error response [ad38a828-6bf5-4d32-9ec0-e73c3f99175b] 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. (00.1s)
Transfer-Encoding:chunked
Server:Microsoft-HTTPAPI/2.0
x-ms-request-id:7d6353fb-101e-0018-5a93-b961e0000000
x-ms-error-code:AuthenticationFailed
Date:Wed, 30 Apr 2025 05:46:08 GMT

Copy-AzStorageBlob: Service request failed.
Status: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.)
ErrorCode: AuthenticationFailed                                                                                         
                                                                                                                        
Headers:                                                                                                                
Transfer-Encoding: chunked                                                                                              
Server: Microsoft-HTTPAPI/2.0                                                                                           
x-ms-request-id: 7d6353fb-101e-0018-5a93-b961e0000000                                                                   
x-ms-error-code: AuthenticationFailed                                                                                   
Date: Wed, 30 Apr 2025 05:46:08 GMT                                                                                     
DEBUG: 2:46:13 PM - CopyAzureStorageBlob end processing, Start 0 remote calls. Finish 0 remote calls. Elapsed time 4486.14 ms. Client operation id: Azure-Storage-PowerShell-a0bc0a0c-393a-4a3f-9e4c-12f00392d2e6.
DEBUG: AzureQoSEvent:  Module: Az.Storage:8.3.0; CommandName: Copy-AzStorageBlob; PSVersion: 7.5.1; IsSuccess: False; Duration: 00:00:00.6009590; Exception: Service request failed.
Status: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.)
ErrorCode: AuthenticationFailed

Headers:
Transfer-Encoding: chunked
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 7d6353fb-101e-0018-5a93-b961e0000000
x-ms-error-code: AuthenticationFailed
Date: Wed, 30 Apr 2025 05:46:08 GMT
;
DEBUG: 2:46:13 PM - CopyAzureStorageBlob end processing.

Environment data

PS C:\Users\danliu1> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.5.1
PSEdition                      Core
GitCommitId                    7.5.1
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

PS C:\Users\danliu1> Get-Module Az*

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     4.1.0                 Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     8.3.0                 Az.Storage                          {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementPolicyAction, Add-AzStora…

Error output

PS C:\Users\danliu1> Resolve-AzError                                                                                                                              
DEBUG: 3:53:46 PM - [ConfigManager] Got [False] from [DisplaySecretsWarning], Module = [], Cmdlet = [].
DEBUG: 3:53:46 PM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 3:53:46 PM - using account id 'danliu1@microsoft.com'...
DEBUG: 3:53:46 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [Az.Accounts], Cmdlet = [Resolve-AzError]. Returning default value [True].
DEBUG: 3:53:46 PM - [ConfigManager] Got [False] from [DisplaySecretsWarning], Module = [], Cmdlet = [].

   HistoryId: 4

Message        : Service request failed.
                 Status: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the
                 signature.)
                 ErrorCode: AuthenticationFailed

                 Headers:
                 Transfer-Encoding: chunked
                 Server: Microsoft-HTTPAPI/2.0
                 x-ms-request-id: 7d6353fb-101e-0018-5a93-b961e0000000
                 x-ms-error-code: AuthenticationFailed
                 Date: Wed, 30 Apr 2025 05:46:08 GMT

StackTrace     :    at Azure.Core.HttpPipelineExtensions.ProcessMessage(HttpPipeline pipeline, HttpMessage message, RequestContext requestContext,
                 CancellationToken cancellationToken)
                    at Azure.Storage.Blobs.BlobRestClient.GetProperties(String snapshot, String versionId, Nullable`1 timeout, String leaseId, String
                 encryptionKey, String encryptionKeySha256, String encryptionAlgorithm, String ifTags, RequestConditions requestConditions, RequestContext        
                 context)
                    at Azure.Storage.Blobs.Specialized.BlobBaseClient.GetPropertiesInternal(BlobRequestConditions conditions, Boolean async, RequestContext       
                 context, String operationName)
                    at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](Task`1 task)
                    at Azure.Storage.Blobs.Specialized.BlobBaseClient.GetProperties(BlobRequestConditions conditions, CancellationToken cancellationToken)        
                    at Microsoft.WindowsAzure.Commands.Storage.Common.Util.GetBlobType(BlobBaseClient blob, Boolean CheckOnServer)
                    at Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet.CopyAzureStorageBlob.CopyFromUri(Int64 taskId, IStorageBlobManagement destChannel,     
                 Uri srcUri, BlobBaseClient destBlob)
                    at Microsoft.WindowsAzure.Commands.Storage.Common.LimitedConcurrencyTaskScheduler.RunConcurrentTask(Int64 taskId, Task task)
Exception      : Azure.RequestFailedException
InvocationInfo : {Copy-AzStorageBlob}
Line           : $srcBlob | Copy-AzStorageBlob  -DestContainer "costtestcontainer" -DestBlob blob1
Position       : At line:1 char:12
                 + $srcBlob | Copy-AzStorageBlob  -DestContainer "costtestcontainer" -De …
                 +            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 4



DEBUG: 3:53:46 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 3:53:46 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:4.1.0; CommandName: Resolve-AzError; PSVersion: 7.5.1; IsSuccess: True; Duration: 00:00:00.1622039
DEBUG: 3:53:46 PM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 3:53:46 PM - ResolveError end processing.

[leoliudan]

working in the cloud shell

[leoliudan]

the error is still happening on the windows 11.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Az.Storage: -UseConnectedAccount causes 403 (but without it it works fine) #9946

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

I can't repro this issue. From PSH code, following 2 command will generate same storage context, no matter with or without -UseConnectedAccount.

$context = New-AzStorageContext -StorageAccountName 'sl**' -UseConnectedAccount
$context = New-AzStorageContext -StorageAccountName 'sl**' 

Would you please make sure the success script and the failed script only has the new context command different (with or without -UseConnectedAccount, storage account are same), run in same powershell console, login with same Azure Account, and the script before and after the command are exactly same?

Reference:

• Az.Storage: -UseConnectedAccount causes 403 (but without it it works fine) #9946 (comment)

Solution 2:

Hmm, I can't reproduce it anymore. Very weird since I reproduced it multiple times yesterday, but maybe something else. I also looked at the code and it does seem to be the same either way. So I think this can be closed, thanks! I'll re-raise if I can reproduce later.

Reference:

• Az.Storage: -UseConnectedAccount causes 403 (but without it it works fine) #9946 (comment)

Powered by issue-sentinel

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Az.Storage: -UseConnectedAccount causes 403 (but without it it works fine) #9946

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

I can't repro this issue. From PSH code, following 2 command will generate same storage context, no matter with or without -UseConnectedAccount.

$context = New-AzStorageContext -StorageAccountName 'sl**' -UseConnectedAccount
$context = New-AzStorageContext -StorageAccountName 'sl**' 

Would you please make sure the success script and the failed script only has the new context command different (with or without -UseConnectedAccount, storage account are same), run in same powershell console, login with same Azure Account, and the script before and after the command are exactly same?

Reference:

• Az.Storage: -UseConnectedAccount causes 403 (but without it it works fine) #9946 (comment)

Solution 2:

Hmm, I can't reproduce it anymore. Very weird since I reproduced it multiple times yesterday, but maybe something else. I also looked at the code and it does seem to be the same either way.

So I think this can be closed, thanks!

I'll re-raise if I can reproduce later.

Reference:

• Az.Storage: -UseConnectedAccount causes 403 (but without it it works fine) #9946 (comment)

Powered by issue-sentinel

[leoliudan]

the solution is not helping

[leoliudan]

I uninstalled and installed my powershell and az module again, the issue is not fixed

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

[blueww]

@leoliudan

Would you please share the command how you create the $ctx? (hide credential if any)

And as you can't repro this in cloudshell, but on win11, would you please check:

1. Do you login Azure powershell with same Account (with Add-AzAccount)?
2. Do Cloudshell / win11 have same Az.Storage version (run Get-module after repro the issue).