
Roles required for ADF in Azure portal

Kevin Burke 0 Reputation points
2026-04-09T08:46:34.4666667+00:00

What ADF roles are needed in Azure to run a hybrid worker job for the on-prem execution of a .bat file?

Azure Data Factory

An Azure service for ingesting, preparing, and transforming data at scale.


2 answers

  1. Pilladi Padma Sai Manisha 6,580 Reputation points Microsoft External Staff Moderator
    2026-04-09T14:23:48.88+00:00

    Hi Kevin Burke,

    For kicking off a Self-Hosted Integration Runtime job (your “hybrid worker” activity) that runs a .bat file on-prem, you actually only need the ability to execute a pipeline in ADF. The quickest way to get that is:

    • Assign the built-in Data Factory Contributor role (or the general Contributor role) on the resource group (or directly on the Data Factory) where your ADF lives.

    – This role already includes all the Microsoft.DataFactory actions you need (create/run pipelines, list triggers, read linked services/integration runtimes, etc.).

    – If you give it at the RG level, you don’t need to assign anything else at the factory level.

    If you’d rather lock it down so the identity can only run pipelines (and nothing else), you can create a pipeline-level custom role that just grants the “createrun” permission:

    1. Grab the built-in role JSON: Get-AzRoleDefinition -Name "Data Factory Contributor"
    2. Clear out everything except:
      • Microsoft.DataFactory/factories/pipelines/createRun/action
      • (Optionally) Microsoft.DataFactory/factories/read & …/list so it can see the pipelines
    3. Assign that new custom role at your factory’s scope

    Full steps here:

    https://supportability.visualstudio.com/AzureDataFactory/_wiki/wikis/AzureDataFactory/576542/Azure%20Data%20Factory%20TSGs%20(CSS)/Security%20(Permission,%20Firewall,%20and%20etc.)/Roles%20and%20Permissions%20for%20Data%20Factory/Create%20a%20Data%20Factory%20Pipeline%20Level%20custom%20role

    And a general reference on built-in roles for ADF here:

    https://dori-uw-1.kuma-moon.com/azure/data-factory/concepts-roles-permissions?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider

    Hope that helps! If you need to tighten permissions further or if you’re seeing access-denied errors, let me know:

    • Which identity is actually running the pipeline (SPN, managed identity)?

    • Where have you assigned your current roles (subscription, RG, factory)?

    • Are you seeing any specific error messages when you trigger the job?

    Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.

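An added example, not part of the answer above or of the linked wiki, that carries out its three custom-role steps with Az PowerShell: clone the built-in Data Factory Contributor definition, strip it down to the actions needed to find and start a pipeline, create it, and assign it at the factory scope only. The resource group, factory, service principal and role names are placeholders; including the pipeline and pipeline-run read actions (so the caller can locate the pipeline and poll the run it started) is my assumption, and the block notes where to drop them if you want the createRun action alone.

```powershell
# Added example (not from the original answer): build a pipeline-run-only custom role
# from the built-in Data Factory Contributor definition and assign it at factory scope.
# Requires Az.Accounts, Az.Resources and Az.DataFactory and a signed-in session
# (Connect-AzAccount) with rights to create role definitions and assignments.

$ResourceGroup  = 'rg-data'                      # assumed placeholder
$FactoryName    = 'adf-prod'                     # assumed placeholder
$RunnerSpName   = 'sp-adf-runner'                # assumed: service principal that should start pipelines
$CustomRoleName = 'Data Factory Pipeline Runner' # assumed name for the new custom role

# The factory's resource ID is the narrowest scope the role can be assigned at.
$factory = Get-AzDataFactoryV2 -ResourceGroupName $ResourceGroup -Name $FactoryName
$scope   = $factory.DataFactoryId

# Step 1: start from the built-in role definition.
$role = Get-AzRoleDefinition -Name 'Data Factory Contributor'

# Step 2: clear everything except what is needed to see and start a pipeline.
$role.Id          = $null          # a new definition must not carry the built-in role's ID
$role.IsCustom    = $true
$role.Name        = $CustomRoleName
$role.Description = 'Can list and start pipeline runs in one data factory; cannot author or change it.'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.DataFactory/factories/read')
$role.Actions.Add('Microsoft.DataFactory/factories/pipelines/read')             # assumed: lets the caller list pipelines
$role.Actions.Add('Microsoft.DataFactory/factories/pipelines/createRun/action') # the one permission the answer requires
$role.Actions.Add('Microsoft.DataFactory/factories/pipelineruns/read')          # assumed: lets the caller poll the run it started
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)   # the role can only ever be assigned at this factory

# Create the definition, reusing it if a previous run already created it.
$definition = Get-AzRoleDefinition -Name $CustomRoleName -ErrorAction SilentlyContinue
if (-not $definition) {
    $definition = New-AzRoleDefinition -Role $role
}

# Step 3: assign at the factory scope, not at the resource group or subscription.
$sp = Get-AzADServicePrincipal -DisplayName $RunnerSpName
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $CustomRoleName -Scope $scope

# Check: the runner should hold only this role, and only at this scope. Anything wider
# (Contributor on the resource group, for example) defeats the point of the custom role.
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
```

The final Get-AzRoleAssignment call is the check worth keeping: a custom role does nothing to tighten access if the same identity also holds Contributor or Data Factory Contributor higher up the hierarchy, since Azure RBAC is additive.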

  2. Q&A Assist
    2026-04-09T08:46:56.51+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To run a hybrid worker job that executes an on-premises .bat file, the required roles are tied to Azure Automation and Hybrid Runbook Workers, not to Azure Data Factory–specific roles.

    From the provided information:

    1. Azure role to manage/run Automation jobs
      • Members of the Automation Job Operator role (or higher) can create and run runbook jobs.
      • To enforce that jobs run only on Hybrid Runbook Workers (and not in the Azure sandbox), an Owner at the subscription level is required to configure Azure Policy.
    2. Permissions for Hybrid Runbook Worker setup and credentials
      • Hybrid Worker must be deployed and running before executing a runbook.
      • If using Hybrid Worker Credentials (custom credentials instead of the default System account), a credential asset must be created in the Automation account, and the Hybrid Worker group must be configured to use it.
      • For extension-based Hybrid Workers using custom credentials, the custom user must have file system permissions on the Hybrid Worker host:
        • Azure VM: C:\Packages\Plugins\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows (read and execute)
        • Arc-enabled Server: C:\ProgramData\AzureConnectedMachineAgent\Tokens (read) and C:\Packages\Plugins\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows (read and execute)
    3. Data Factory roles
      • To create Data Factory instances, a user must be Contributor, Owner, or subscription Administrator.
      • There is a Data Factory Contributor role for managing Data Factory resources.
      • However, the context does not specify any ADF-specific role requirement for simply triggering a pipeline that calls a Hybrid Runbook Worker job; the critical permissions are on the Automation account and Hybrid Worker side.

    In practice, for running the on-prem .bat via Hybrid Worker from ADF:

    • Ensure the identity that configures and manages the Automation account and Hybrid Runbook Worker has at least Contributor/Owner on the Automation account and Automation Job Operator or higher to create/run jobs.
    • Ensure Hybrid Worker credentials and file system permissions are correctly configured on the on-prem/Arc/VM host.
    • Use standard ADF roles (e.g., Data Factory Contributor) only for authoring and running pipelines; the actual execution rights on the Hybrid Worker are governed by the Automation and OS-level permissions above.


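As an added example, not part of the Q&A Assist answer above, this PowerShell script does the two things that answer points at. Part (a), run from an Az session, gives the data factory's system-assigned managed identity the built-in Automation Job Operator role on the Automation account, so it can start runbook jobs and nothing more. Part (b), run elevated on the Hybrid Worker host itself, verifies that the custom Hybrid Worker credential user has the file-system rights the answer lists, and grants them when missing. All names are placeholders, and the choice of the factory's managed identity as the caller is my assumption.

```powershell
# Added example (not from the original answer). Part (a) runs in an Az PowerShell session
# with Az.Resources, Az.DataFactory and Az.Automation; part (b) runs on the Hybrid Worker
# host in an elevated PowerShell window.

# ----- (a) Azure side: least privilege for starting runbook jobs -----
$ResourceGroup  = 'rg-automation'   # assumed placeholder
$AutomationAcct = 'aa-onprem-jobs'  # assumed placeholder
$FactoryName    = 'adf-prod'        # assumed: factory whose managed identity will start the job

# Scope the assignment to the Automation account, not the resource group or subscription.
$subscriptionId = (Get-AzContext).Subscription.Id
$aaScope = "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroup" +
           "/providers/Microsoft.Automation/automationAccounts/$AutomationAcct"

# The factory's system-assigned managed identity is the principal that calls Automation.
$factory = Get-AzDataFactoryV2 -ResourceGroupName $ResourceGroup -Name $FactoryName
$callerObjectId = $factory.Identity.PrincipalId

# Automation Job Operator is enough to create and run runbook jobs (see the answer above);
# it does not allow editing runbooks, credentials or the Hybrid Worker group.
New-AzRoleAssignment -ObjectId $callerObjectId `
                     -RoleDefinitionName 'Automation Job Operator' `
                     -Scope $aaScope

# Check that the Hybrid Worker group that will run the .bat actually exists before wiring
# the pipeline to it; the job fails if the worker is not deployed and running.
Get-AzAutomationHybridWorkerGroup -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAcct |
    Select-Object Name, RunAsCredential

# ----- (b) Hybrid Worker host: file-system rights for the custom credential user -----
$HybridUser = 'CORP\svc-hybridworker'   # assumed: the user in the Hybrid Worker credential asset

# Paths and rights are the ones listed in the answer for extension-based workers.
# The Tokens folder only exists on Arc-enabled servers, so it is skipped if absent.
$required = @(
    @{ Path = 'C:\Packages\Plugins\Microsoft.Azure.Automation.HybridWorker.HybridWorkerForWindows'; Rights = 'ReadAndExecute' },
    @{ Path = 'C:\ProgramData\AzureConnectedMachineAgent\Tokens';                                   Rights = 'Read' }
)

foreach ($r in $required) {
    if (-not (Test-Path -Path $r.Path)) {
        Write-Warning "$($r.Path) not present (not an Arc-enabled server, or extension not installed); skipping"
        continue
    }
    $acl  = Get-Acl -Path $r.Path
    $need = [System.Security.AccessControl.FileSystemRights]$r.Rights

    # Look for an explicit Allow ACE on this user that covers every bit of the needed rights.
    $granted = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $HybridUser -and
        (($_.FileSystemRights -band $need) -eq $need)
    }

    if ($granted) {
        "OK       $($r.Path): $HybridUser has $($r.Rights)"
    } else {
        "MISSING  $($r.Path): granting $($r.Rights) to $HybridUser"
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $HybridUser, $need, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $r.Path -AclObject $acl
    }
}
```

Two caveats on part (b): the check only recognises an ACE granted directly to the user, so rights it already has through a group such as Users will be reported as missing and then granted explicitly, which is harmless but noisy; and it deliberately grants no more than Read or ReadAndExecute, so do not be tempted to make the credential user a local administrator to get past an access error.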
