Fix Azure Storage Queue Error 403 from Web App | Quisitive
August 9, 2017
Matthew Dowst

I recently ran into a problem uploading to an Azure Storage Queue from an Azure App Services web app. The problem began when I moved the web app from one subscription to another. After the move, I received a (403) Forbidden message when attempting to write to a queue. The storage account for the queue did not move and other deployments of this app were still able to write to it. If I ran it locally, from my computer, it worked.

After trying multiple different combinations of storage locations, connection strings, NuGet package versions, etc., I decided to create a new App Service, this time back in the original subscription. I deployed the web app to this new App Service, and it worked. This made me think about Resource Providers.

So, I checked the registered resource providers in both subscriptions and noticed that the original subscription had over a dozen more resource providers enabled than the subscription I was moving the App Service to. I started going down the list and registering the ones that looked like they might play a role in this issue.

Solution

After I registered the Microsoft.ServiceBus provider, the request worked and the web app was able to write to the queue once again. The other two providers I enabled before Microsoft.ServiceBus were Microsoft.ApiManagement and Microsoft.AppService. I’m not sure whether it was just Microsoft.ServiceBus or a combination of the three, but it is working now!

Below is a list of things I tried prior to enabling the Resource Providers. These are things you might want to consider as well if you run into a similar situation.

  1. Confirmed the storage name and key are correct.
  2. Created a new storage account in the same subscription.
  3. Updated the Microsoft.WindowsAzure.Storage package to the latest version.
  4. Confirmed that the web.config is being updated on publish.
  5. Logged the connection string and ensured it was passing the right value.
  6. Confirmed that the time on the App Service server is correct.
  7. Set the time zone on the App Service to Central Standard Time. (The storage account is in South Central US.)

Also, I have included a sample script below that you can use to compare the resource providers between two different subscriptions. It will output the provider names, which you can then use with the Register-AzureRmResourceProvider cmdlet to quickly enable them in your new subscription.

$creds = Get-Credential
$sourceSubscription = 'GUID of the source subscription'
$destinationSubscription = 'GUID of the destination subscription'
 
# Get the resource providers from the source subscription
Add-AzureRmAccount -Credential $creds -SubscriptionId $sourceSubscription 
$source = Get-AzureRmResourceProvider 
 
# Get the resource providers from the destination subscription
Add-AzureRmAccount -Credential $creds -SubscriptionId $destinationSubscription 
$destination = Get-AzureRmResourceProvider
 
# Check each enabled resource provider from the source against the destination
Foreach($resource in $source)
{
    # Check if the resource is enabled in the destination and display if not
    if(!($destination | ?{$_.ProviderNamespace -eq $resource.ProviderNamespace}))
    {
        Write-Output $resource.ProviderNamespace
    }
}
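
The registration step mentioned above, as an added example that is not part of the original post: it registers only a reviewed subset of the namespaces the comparison script printed, then polls until each one reports Registered, because provider registration completes asynchronously. It assumes you are already signed in with Add-AzureRmAccount; the $missing list, the 10-minute timeout and the 15-second poll interval are illustrative choices.

```powershell
# Added example. Assumes an existing AzureRM login session.
$destinationSubscription = 'GUID of the destination subscription'

# Namespaces taken from the comparison script's output, after review.
# Register only what the app needs rather than copying the whole list.
$missing = @('Microsoft.ServiceBus')

# Make sure the registrations land in the destination subscription
Set-AzureRmContext -SubscriptionId $destinationSubscription | Out-Null

foreach ($namespace in $missing)
{
    Register-AzureRmResourceProvider -ProviderNamespace $namespace | Out-Null

    # Registration is asynchronous: poll until the state settles or we time out
    $deadline = (Get-Date).AddMinutes(10)
    do
    {
        Start-Sleep -Seconds 15
        # The cmdlet can return several entries per namespace; they share one state
        $state = (Get-AzureRmResourceProvider -ProviderNamespace $namespace |
            Select-Object -First 1).RegistrationState
    }
    while ($state -ne 'Registered' -and (Get-Date) -lt $deadline)

    # Emit one result row per namespace so a stalled registration is visible
    [pscustomobject]@{
        ProviderNamespace = $namespace
        RegistrationState = $state
    }
}
```

Retest the web app only after every row shows Registered; a namespace still in another state at the timeout needs a second look before you conclude the provider was not the cause.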