Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Network TAP Rules can be configured inline or file-based (using a rules file URL). When configured with UAMI, the TAP rule uses identity-based access to dependent Azure services (such as the storage account hosting the rules file). When a UAMI is associated with a Network TAP Rule, the rule uses Azure Managed Identity authentication to access required Azure services (for example, Storage Accounts), aligning TAP workflows with Trusted Microsoft Services.
Once a Network TAP Rule is configured with UAMI:
- Authentication transitions permanently to identity based access.
- IP based allow lists and first party application identities are no longer used.
- Existing traffic behavior remains unchanged, provided the configuration content doesn't change.
- If a UAMI isn't patched to the Network TAP rule resource, the rule continues to use first party app–based access.
- Reverting a Network TAP Rule from UAMI back to first party application access isn't supported.
Prerequisites
- A Network Fabric is provisioned and unlocked.
- You're using the GA API version 2025-07-15 and Nexus Network Fabric (NNF) release 10.1 or later.
- A User Assigned Managed Identity (UAMI) exists.
- The storage account that hosts the rules file has Trusted Microsoft Services enabled, and the UAMI has the required RBAC permissions (for example, Storage Blob Data Reader).
- Azure CLI has the managednetworkfabric extension V9.0.0 available.
Configure a Network TAP Rule with UAMI
Step 1: Create or patch a file-based Network TAP Rule with UAMI
az networkfabric taprule create \
--resource-group myResourceGroup \
--resource-name myTapRuleWithMSI \
--polling-interval-in-seconds 30 \
--configuration-type "File" \
--tap-rules-url "https://mystorage.blob.core.windows.net/config/taprule.json" \
--location eastus \
--user-assigned "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/identityRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tapRuleIdentity" \
--identity-selector '{"identityType":"UserAssignedIdentity","userAssignedIdentityResourceId":"/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/identityRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tapRuleIdentity"}'
Output
{
"administrativeState": "Disabled",
"configurationState": "Succeeded",
"configurationType": "File",
"id": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.ManagedNetworkFabric/networkTapRules/myTapRuleWithMSI",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/identityRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tapRuleIdentity": {
"clientId": "00001111-aaaa-2222-bbbb-3333cccc4444",
"principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222"
} } },
"identitySelector": {
"identityType": "UserAssignedIdentity",
"userAssignedIdentityResourceId": "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/identityRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tapRuleIdentity" },
"location": "eastus",
"name": "myTapRuleWithMSI",
"pollingIntervalInSeconds": 30,
"provisioningState": "Succeeded",
"resourceGroup": "myResourceGroup",
"tapRulesUrl": "https://mystorage.blob.core.windows.net/config/taprule.json",
"type": "microsoft.managednetworkfabric/networktaprules"}
Step 2: Apply the change (resync)
az networkfabric taprule resync \
--resource-group "example-rg" \
--resource-name "example-networktaprule"
Step 3: Verify the configuration
az networkfabric taprule show \
--resource-group "example-rg" \
--resource-name "example-networktaprule" \
Troubleshooting
If following issues occur, use provided mitigation steps:
Identity Doesn't Exist in ARM - Referencing a nonexistent User-Assigned Managed Identity
Command:
az networkfabric taprule create \
--resource-group myResourceGroup \
--resource-name myTapRuleWithMSI \
--polling-interval-in-seconds 30 \
--configuration-type "File" \
--tap-rules-url "https://mystorage.blob.core.windows.net/config/taprule.json" \
--location eastus \
--user-assigned "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/identityRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/nonExistentIdentity" \
--identity-selector '{"identityType":"UserAssignedIdentity","userAssignedIdentityResourceId":"/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/identityRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/nonExistentIdentity"}'
Error Output:
{
"error": {
"code": "FailedIdentityOperation",
"message": "Identity operation for resource '/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.ManagedNetworkFabric/networktaprules/myTapRule' failed with error 'Failed to perform resource identity operation. Status: 'BadRequest'. Response: '{\"error\":{\"code\":\"BadRequest\",\"message\":\"Resource '/subscriptions/.../nonExistentIdentity' was not found.\"}}''."
}
}
Remedy:
- Verify the UAMI resource ID is correct
- Ensure the UAMI exists in the specified subscription and resource group
- Check that you read access to the UAMI resource
Identity Mismatch in Selector - UAMI in identitySelector differs from identity.userAssignedIdentities
Command:
az networkfabric taprule create \
--resource-group myResourceGroup \
--resource-name myTapRuleWithMSI \
--polling-interval-in-seconds 30 \
--configuration-type "File" \
--tap-rules-url "https://mystorage.blob.core.windows.net/config/taprule.json" \
--location eastus \
--user-assigned "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/identityRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/existentIdentity1" \
--identity-selector '{"identityType":"UserAssignedIdentity","userAssignedIdentityResourceId":"/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/identityRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/existentIdentity2"}'
Error Output:
{
"error": {
"code": "ResourceCreationValidateFailed",
"message": "UAMI mentioned under identitySelector should be part of UAMIs under identity."
}
}
Remedy:
- Ensure identitySelector.userAssignedIdentityResourceId matches a key in identity.userAssignedIdentities
- Verify the resource ID format and casing are exactly correct
Missing RBAC Permissions- UAMI lacks required permissions on storage account
Error Output:
{
"error": {
"code": "BadRequest",
"message": "Blob Storage URL https://mystorage.blob.core.windows.net/config/taprule.json processing failed for networktaprules due to error : Service request failed. Status: 403 (This request is not authorized to perform this operation using this permission.) ErrorCode: AuthorizationPermissionMismatch"
}
}
Logs:
Headers:
Transfer-Encoding: chunked
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 69f50b64-c01e-0035-0d93-52a9bd000000
x-ms-error-code: AuthorizationPermissionMismatch
Remedy:
- Grant "Storage Blob Data Reader" role to the UAMI on the storage account
- Verify role assignment propagation (can take up to 5 minutes)
- Ensure the storage account allows trusted Microsoft services
Required RBAC Assignment:
az role assignment create \
--assignee "<UAMI-principal-id>" \
--role "Storage Blob Data Reader" \
--scope "/subscriptions/.../resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/mystorage"
Blob Not Found - Referenced blob doesn't exist or incorrect URL
Error Output:
{
"error": {
"code": "BadRequest",
"message": "Blob Storage URL https://mystorage.blob.core.windows.net/config/nonexistent.json processing failed for networktaprules due to error : Blob not found."
}
}
Common Causes:
- Typo in blob name or path
- Case sensitivity issues
- Blob was deleted after URL was configured
- Container doesn't exist
Remedy:
- Verify blob exists using Azure Storage Explorer or CLI
- Check blob name case sensitivity
- Ensure container exists and is accessible
- Validate the complete URL format
Storage Account Network Restrictions - Storage account has network restrictions but trusted services not enabled
Error Output:
{
"error": {
"code": "BadRequest",
"message": "Blob Storage URL processing failed due to network access restrictions."
}
}
Remedy:
- Enable "Allow trusted Microsoft services" in storage account networking settings
- Alternative: Add NNF-RP service endpoints to allowed networks (not recommended)
Storage Account Configuration:
az storage account update \
--name "mystorage" \
--resource-group "storageRG" \
--bypass "AzureServices"
Insufficient User Permissions on Managed Identity - User creating NetworkTapRule lacks "Managed Identity Operator" role on UAMI
Error Output:
{
"error": {
"code": "LinkedAuthorizationFailed",
"message": "The client 'user@domain.com' with object id 'aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb' has permission to perform action 'Microsoft.ManagedNetworkFabric/networkTapRules/write' on scope '/subscriptions/.../networkTapRules/myTapRule'; however, it does not have permission to perform action(s) 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/.../userAssignedIdentities/tapRuleIdentity'."
}
}
Remedy:
- Grant "Managed Identity Operator" role to the user on the UAMI
- Use a service principal with appropriate permissions
Role Assignment:
az role assignment create \
--assignee "user@domain.com" \
--role "Managed Identity Operator" \
--scope "/subscriptions/.../userAssignedIdentities/tapRuleIdentity"